Home
/
NetApp
/
AltaVault AVA400
/
Administration Manual

NetApp AltaVault AVA400, Administration Manual

Share

Page: 103 / 276

NetApp AltaVault AVA400 Administration Manual Download Page 103

NetApp AltaVault Cloud Integrated Storage Administration Guide

103

Beta Draft

CHAPTER 8

Configuring AltaVault appliances for
FIPS-compliant cryptography

This chapter includes the following sections:



“What is FIPS?” on page 103



“Understanding FIPS on AltaVault” on page 103



“Configuring AltaVault for FIPS compliance” on page 105



“Configuring AltaVault appliances for FIPS-compliant cryptography” on page 105



“Disabling FIPS mode” on page 111



“Verifying FIPS mode in system logs” on page 111



“FIPS CLI” on page 112

You configure and manage FIPS mode through the Command-Line Interface (CLI). For detailed information about the
CLI, see the

NetApp AltaVault Cloud Integrated Storage Command-Line Reference Guide

.

What is FIPS?

Federal Information Processing Standard (FIPS) is a publicly announced set of validation standards developed by the
United States National Institute of Standards and Technology (NIST) for use by government agencies and by
government contractors.

FIPS 140-2 details the U.S. and Canadian Government requirements for cryptographic modules. Protection of a
cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the
information protected by the module.

This standard specifies the security requirements satisfied by a cryptographic module utilized within a security system
protecting sensitive but unclassified data.

Understanding FIPS on AltaVault

This section describes the NetApp Cryptographic Security Module as well as the system features that are FIPS
compliant and those that are not.

AltaVault offers end-to-end security for data at rest and in flight using FIPS 140-2 level 1-compliant encryption with
the NetApp Cryptographic Security Module.

«
...
101
102
103
104
105
...
»

Summary of Contents for AltaVault AVA400

Page 1: ...orage 4 3 1 Administration Guide NetApp Inc 495 East Java Drive Sunnyvale CA 94089 U S Telephone 1 408 822 6000 Fax 1 408 822 4501 Support telephone 1 888 463 8277 Web www netapp com Feedback doccomments netapp com Part number 215 12049_B0 June 2017 ...

Page 2: ...Beta Draft ...

Page 3: ...7 Using the AltaVault appliance CLI configuration wizard 17 Using the Management Console 18 Connecting to the Management Console 18 Home page 19 Navigating in the Management Console 19 Getting help 20 Using the Wizard Dashboard 20 Accessing the wizard dashboard 21 Using the System Settings wizard 21 Using the Cloud Settings wizard 22 Using the import configuration wizard 33 Using the export config...

Page 4: ...ings 59 Setting announcements 59 Configuring alarm settings 59 Configuring date and time 65 Configuring SNMP basic settings 67 Configuring SNMP v3 69 SNMP authentication and access control 71 Configuring email settings 74 Configuring log settings 74 Chapter 7 Configuring security settings 79 Configuring general security settings 79 Managing user permissions 81 Configuring permissions for user role...

Page 5: ...uses FIPS compliant encryption 106 Working with features to maintain FIPS compliance 107 Account passwords 107 Cipher requirements 108 Key size requirements 108 NTP 109 RADIUS and TACACS 109 SNMP 109 SSH 109 Telnet server 110 Web proxy 110 Disabling FIPS mode 111 Verifying FIPS mode in system logs 111 Verifying that file transfers operate in FIPS mode 111 Verifying that NTP operates in FIPS mode 1...

Page 6: ...130 Viewing schedule reports 131 Viewing per share utilization reports 132 Viewing the alarm status report 133 Viewing the CPU utilization report 136 Viewing the memory paging report 137 Viewing the interface counters report 138 Viewing the disk throughput report 139 Viewing the disk IOPS report 140 Viewing the disk utilization report 141 Viewing logs 142 Viewing system logs 142 Viewing user logs ...

Page 7: ...IA or Amazon S3 IA to S3 migration 168 Chapter 13 Migrating data between appliances 169 Data migration overview 169 Data migration connection diagrams 170 Data migration process 172 Prerequisites 172 Prerequisites for the source appliance 173 Prerequisites for the target appliance 174 Performing appliance data migration 174 Post data migration procedure 176 Chapter 14 Disaster recovery 177 Disaste...

Page 8: ... Service Processor password 200 Configuring the Service Processor for remote management 200 Validating remote access via the Service Processor 202 Shutting down the AltaVault controller 203 Replacing controllers 203 Installing a controller in a chassis 206 Replacing a controller chassis 208 Hot swapping controller fan modules 209 Hot swapping controller power supplies 212 Changing the shelf ID for...

Page 9: ...Amazon Glacier 251 Recovering data from Amazon Glacier 252 Restoring data from the cloud using the prepopulation page 252 Restoring data from the cloud using the command line interface 254 Automatic prepopulation 258 AltaVault appliance best practices for EMC NetWorker for Amazon Glacier 258 AltaVault appliance best practices for IBM Spectrum Protect for Amazon Glacier 260 AltaVault appliance best...

Page 10: ...Beta Draft Contents ...

Page 11: ...teroperability Matrix Tool IMT on the NetApp Support site to validate that the product and versions that can be used to construct configurations that are supported by NetApp Specific results depend on each customer s installation in accordance with published specifications AutoSupport AltaVault supports user triggered and daily AutoSupports ASUPs as well as certain event based triggers ASUP functi...

Page 12: ...m requirements for cloud see the NetApp AltaVault Cloud Integrated Storage Installation and Service Guide for Cloud Appliances For system requirements for physical appliances see Chapter 15 System components AVA 400 AVA 800 Documentation and release notes To obtain the most current version of all NetApp documentation go to the NetApp Support site at https mysupport netapp com ...

Page 13: ... validate that the exact product and feature versions described in this document are supported for your specific environment The NetApp IMT defines the product components and versions that can be used to construct configurations that are supported by NetApp Specific results depend on each customer s installation in accordance with published specifications An AltaVault can only be pointed to one cl...

Page 14: ...HOSTNAME _ DATETIME tgz NetApp recommends that you store the configuration file in different physical locations The configuration file contains information about the configuration including the encryption key Alternatively you can just export the encryption key alone Note To access the encrypted data you need an encryption key If you lose the encryption key AltaVault cannot reconstitute the encryp...

Page 15: ...e CLI configuration wizard on page 17 3 Set the Service Processor password AV 400 AV 800 models only Setting the Service Processor password on page 200 4 Configure remote management AV 400 AV 800 models only Configuring the Service Processor for remote management on page 200 5 Connect to the Management Console and log in Using the Management Console on page 18 6 Configure the system settings from ...

Page 16: ...oud using the prepopulation page on page 252 Security settings Set authentication method Active Directory AD administration role based permissions for users Secure Vault web settings REST API access key management KMIP management ACLs Chapter 7 Configuring security settings Configure FIPS compliance Chapter 8 Configuring AltaVault appliances for FIPS compliant cryptography System administration se...

Page 17: ...ard steps on the client side and server side Wizard prompt Description Example Step 1 Admin password NetApp requires that you change the default administrator password password at this time The new password must be a minimum of eight characters and cannot be the word password Step 1 Admin password xxxxyyyy Step 2 Host name Enter the host name for the AltaVault appliance Step 2 Hostname amnesiac St...

Page 18: ...le To connect to the AltaVault Management Console 1 Enter the URL for the Management Console in the location box of your Web browser https host domain When you connect using HTTPS you are prompted to inspect and verify the SSL certificate The SSL certificate is a self signed certificate used to provide encrypted Web connections to the Management Console It is re created when the appliance hostname...

Page 19: ...time Appliance Information Provides the appliance hostname and its model number Replicated Data Displays the status of the process of copying data and metadata from the AltaVault to the cloud Storage Optimization Displays the expanded data deduplicated data and deduplication factor Expanded data is the data that has been backed up locally by the AltaVault Deduplicated data reflects data that has b...

Page 20: ...rt the service Printing pages and reports You can print Management Console pages and reports using the print option on your Web browser To print pages and reports Choose File Print in your Web browser to open the Print dialog box Getting help The Help page provides the following options Online Help View browser based online help Technical Support View links and contact information for NetApp Suppo...

Page 21: ...onfigure networking settings and time zone To use the System Settings wizard 1 From the management console choose Configure Setup Wizard 2 Select System Settings in the Wizard Dashboard The System Settings wizard displays the hostname and DNS server IP address for the AltaVault 3 In the System Settings wizard complete the configuration as described in this table Task Reference Configure networking...

Page 22: ...n Glacier see Configuring Amazon Glacier storage on page 24 Amazon S3 see Configuring Amazon S3 storage on page 26 AT T Synaptic Storage see Configuring Atmos based storage on page 26 Cleversafe Cloud Storage see Configuring S3 based storage on page 30 Cloudian Cloud Storage see Configuring S3 based storage on page 30 Cloudwatt Object Storage see Configuring SWIFT based storage on page 30 Dunkel C...

Page 23: ...page 26 Verizon Cloud Storage see Configuring S3 based storage on page 30 4 Configure Encryption Settings in the Wizard Dashboard This page is only available to users with Read Only Security Settings permissions or Read and Write Security Settings permissions Specify the following items 5 On the Confirmation page verify the information and click Save and Apply Note It is recommended to use a firew...

Page 24: ... retrieval option For more information see AWS documentation Standard authentication Note When S3 or Glacier is configured and Storage Optimization Service fails to start the logs may contain the error BucketAlreadyExists The requested bucket name is not available The bucket namespace is shared by all users of the system Please select a different name and try again This indicates that the chosen b...

Page 25: ...RL Specify the URL of the provider The identity provider is a server that performs two roles 1 authenticating users and machines wishing to access Amazon AWS services and 2 providing temporary security credentials with which to access those services AltaVault makes a call to the identity provider which in turn makes a call to Amazon STS using the AssumeRole API call to generate temporary security ...

Page 26: ...sword Specify the user s password Configuring Amazon S3 storage 1 Select yes or no to use keys from KMIP server from the drop down list When configuring the KMIP server you must Use the same username and password as created in KMS Upload the same certificate as downloaded from KMS after signing it Add a symmetric key KMIP key as the encryption key Add a secret data key KMIP key for each of the aut...

Page 27: ...r cloud service provider account You can use buckets to organize your data and control access to your data but they cannot be nested If the bucket name does not exist the bucket is created during initial AltaVault replication 6 Specify the port number 7 Enable Archiving Enable this option if you are using the AltaVault for cold storage mode For more information about cold storage mode see Deployme...

Page 28: ... it in a json file and upload that file when configuring AltaVault with Google Cloud Storage 7 Specify the hostname 8 Specify the bucket name associated with your cloud service provider account If Nearline is selected as Storage Class the bucket should not be created through Google Developers Console The Nearline bucket will automatically be created by AltaVault You can use buckets to organize you...

Page 29: ...t Name Specify the container name associated with your cloud service provider account You can use containers to organize your data and control access to your data but they cannot be nested If the container name does not exist the container is created during initial AltaVault replication For Azure the bucket names must be a valid DNS name conforming to the following naming rules Container names mus...

Page 30: ...t they cannot be nested If the bucket name does not exist the bucket is created during initial AltaVault replication 5 Specify the port number 6 Enable Archiving Enable this option if you are using the AltaVault for cold storage mode For more information about cold storage mode see Deployment guidelines on page 13 7 Enable Cloud Deduplication Enabling this option may improve deduplication rates fo...

Page 31: ...pecify the bucket name associated with your cloud service provider account You can use buckets to organize your data and control access to your data but they cannot be nested If the bucket name does not exist the bucket is created during initial AltaVault replication 6 Specify the port number 7 Enable Archiving Enable this option if you are using the AltaVault for cold storage mode For more inform...

Page 32: ... number 6 Enable Archiving Enable this option if you are using the AltaVault for cold storage mode For more information about cold storage mode see Deployment guidelines on page 13 7 Enable Cloud Deduplication Enabling this option may improve deduplication rates for repetitive backup datasets lowering cloud storage costs Disabling this option is recommended for Amazon Glacier to improve recovery o...

Page 33: ...will fail if the AltaVault already has an encryption key set It is recommended to set the time zone to the AltaVault prior to uploading the configuration To use the import configuration wizard 1 From the management console choose Configure Setup Wizard 2 Select Import Configuration in the Wizard Dashboard 3 Select one of the following options Select Local File and click Browse to select a local co...

Page 34: ...s option you must enter the same password when you import or export the encryption key 6 Click Import Configuration 7 Click Exit Using the export configuration wizard To use the export configuration wizard 1 From the management console choose Configure Setup Wizard 2 Select Export Configuration 3 Click Export Configuration to download the current AltaVault configuration file AltaVault_config_ HOST...

Page 35: ...re Host Settings page This section includes the following topics Configuring cloud provider settings on page 35 Configuring encryption on page 36 Configuring replication on page 36 Configuring bandwidth limits on page 36 To transition cloud credentials and the encryption key from the AltaVault to a Key Management Server KMS refer to the section Configuring KMIP on page 93 Configuring cloud provide...

Page 36: ...eplication 1 Choose Configure Cloud Settings 2 Select the Replication tab 3 Under Replication Settings complete the configuration as described in this table 4 Click Apply to complete your changes Configuring bandwidth limits You can limit the bandwidth that the AltaVault uses to replicate data and restore data in the bandwidth limit settings page Only users who have Read Only Replication Settings ...

Page 37: ... user to access the share on page 40 To edit local user permission to access the share on page 40 To add local SMB user on page 41 To edit SMB local user on page 41 Control Description Cloud Replication Interface Select a data interface to use for sending data to and restoring data from the cloud Select the interface in the drop down list and then specify the bandwidth limits and scheduling You mu...

Page 38: ...t to an AD domain go to the Domain section and specify 5 Click Show Advanced Settings to display Advanced Settings to optionally configure the domain Complete the configuration as described in this table 6 After you join a domain the Domain section of the SMB page changes to reflect the domain that the AltaVault has joined When you leave a domain specify Reboot all client machines that were used t...

Page 39: ...are can be a time consuming operation Unpinning a share does not result in erasing the previously pinned data After unpinning the previously pinned data becomes available for eviction You cannot remove a pinned share if it contains data Early Eviction Specify whether or not data from this share should be assigned a higher priority for eviction If you select yes data written to this share is eligib...

Page 40: ...ns for each user 1 Expand the user name to change permissions as described in the following table Control Description Add a User Displays the controls to add a user to the share User Select the user from the drop down list Access Select one of the following options from the drop down list Allow Allows the user read write and modify privileges to the share Deny Denies the user read write and modify...

Page 41: ...assword Confirm Re enter the new password for the new user Admin Select one of the following options from the drop down list Yes Provides Administrator privileges to user No Disables Administrator privileges to user Account Select one of the following options from the drop down list Enabled Enables local user account for accessing SMB share Disabled Disables local user account from accessing SMB s...

Page 42: ...ata that is available to the AltaVault locally without fetching it from the cloud 3 Optionally upload the Kerberos keytab file etc krb5 keytab then upload a valid Kerberos configuration file krb5 conf The keytab file is an encrypted local on disk copy of the host s key The configuration file contains Kerberos configuration information including the locations of KDCs Key Distribution Center and adm...

Page 43: ... Local Path Specify the internal pathname on the AltaVault to which this share writes data Comment Enter a comment about the NFS share You use only alphanumeric characters underscores hyphens and spaces in this field Export Asynchronously Select the check box to export the NFS share asynchronously Click the icon for the following information Exporting NFS asynchronously forces the server to drop a...

Page 44: ... NFS share asynchronously Click the icon for the following information Exporting NFS asynchronously forces the server to drop all fsync requests from the client This is a feature of the NFS protocol It is required to obtain good performance with NFS clients that issue frequent NFS COMMIT operations which might degrade the AltaVault performance significantly Many UNIX clients often execute NFS COMM...

Page 45: ...nformation slide the indicator along the bar to select the maximum bytes allowed for share pinning Share pinning instructs the share to always retain data locally on the AltaVault without fetching it from the cloud 3 Click Apply to apply your changes 4 To add an OST share click Add OST Share and specify Symptom Description User attempts to map an NFS share fail users are unable to connect to a sha...

Page 46: ... pinned unpinning of that share can be performed via CLI and requires optimization service to be offline Unpinning a share can be a time consuming operation Unpinning a share does not result in erasing the previously pinned data After unpinning the previously pinned data becomes available for eviction You cannot remove a pinned share if it contains data Early Eviction Specify whether or not data f...

Page 47: ...pshots on AltaVault on page 48 Enabling long term retention on page 49 Enabling SnapCenter access on page 50 Enabling SnapMirror service To enable SnapMirror service 1 Choose Configure SnapMirror in the Management Console 2 Under SnapMirror Service click Enable 3 If the Service restart required prompt appears click the Restart button that becomes enabled in the upper right portion of the AltaVault...

Page 48: ... the AltaVault is created in ONTAP or in SnapCenter Based on SnapMirror policies Snapshot copies of ONTAP volumes are backed up to the associated AltaVault share AltaVault provides global deduplication on all Snapshot backup streams prior to replication to the cloud Snapshots backed up to AltaVault shares are read only copies and can only be restored back to ONTAP using ONTAP commands or SnapCente...

Page 49: ...aximum of 3700 Snapshots which is equivalent to 10 years worth of daily Snapshots Long term retention allows AltaVault to continue storing Snapshots until it reaches the maximum If a share exceeds 3700 Snapshots AltaVault begins deleting the oldest Snapshot copies to make room for new ones When long term retention is turned off disabled AltaVault reverts to using the retention policy set up in ONT...

Page 50: ...nable SnapCenter access on AltaVault Additionally before you can use SnapCenter to manage backups on AltaVault you must configure a role based account on AltaVault for SnapCenter administrator access This account must have the read write permissions for the following user roles General Replication Storage To create a role based user account for SnapCenter on AltaVault 1 Choose Configure User permi...

Page 51: ...f controls on this page only if modifications or additional configuration is required Name Modify the hostname DNS Settings NetApp recommends that you use DNS resolution Hosts If you do not use DNS resolution or if the host does not have a DNS entry you can assign a host IP address resolution map Web FTP Proxy Configure proxy addresses for Web or FTP proxy access to the AltaVault The proxy setting...

Page 52: ...Primary DNS Server Specify the IP address for the primary name server Secondary DNS Server Optionally specify the IP address for the secondary name server Tertiary DNS Server Optionally specify the IP address for the tertiary name server DNS Domain List Specify an ordered list of domain names If you specify domains the system automatically finds the appropriate domain for each of the hosts that yo...

Page 53: ...se Configure Management Interfaces 2 Under Primary Interface complete the configuration as described in this table Port Optionally specify the port for the Web or FTP proxy The default port is 1080 Enable Authentication Optionally select to require user credentials for use with Web or FTP proxy traffic Specify the following settings to authenticate the users User Name Specify a username Password S...

Page 54: ...gure Data Interfaces Specify IPv4 Address Manually Specify this option to set a static IP address IPv4 Address Specify an IPv4 address IPv4 Subnet Mask Specify an IPv4 subnet mask Default IPv4 Gateway Specify the default primary gateway IPv4 address The primary gateway must be in the same network as the primary interface MTU Specify the Maximum Transmission Unit MTU value The default value is 1500...

Page 55: ...ngs IPv4 Address Specify an IPv4 address IPv4 Subnet Mask Specify a subnet mask IPv4 Gateway Specify the gateway IP address MTU Specify the MTU value The default value is 1500 Control Description Add a New Route Displays the controls for adding a new route Destination IP Address Specify the destination IP address for the appliance Subnet Mask Specify the subnet mask Gateway IP Address Specify the ...

Page 56: ...d complete the configuration as described in this table Control Description IP Configuration Displays the IP address of the network interface Enabled Displays the state of the interface Enable Interface Select the check box to enable the data interface and specify the following settings IPv4 Address Specify an IPv4 address IPv4 Subnet Mask Specify a subnet mask IPv4 Gateway Specify the gateway IP ...

Page 57: ...ive Load Balance Provides both transmit and receive load balancing Transmit Load Balance Provides adaptive transmit load balancing The AltaVault distributes the outgoing traffic based on the current load on each member interface One of the member interfaces of the VIF receives the incoming traffic Monitoring interval Specifies the Media Independent Interface MII link monitoring frequency in millis...

Page 58: ...58 NetApp AltaVault Cloud Integrated Storage Administation Guide Beta Draft Modifying networking settings Modifying VLANs ...

Page 59: ...modify a login message to be displayed in the Management Console Login page You can also post a message of the day to appears in the Home page and when you first log in to the CLI To set an announcement 1 Choose Configure Announcements 2 Use the controls to complete the configuration as described in this table 3 Click Apply to view the message before saving Configuring alarm settings You can set a...

Page 60: ...partitions If a specific partition is full the Disk Full parent alarm triggers and the System Status report displays more information regarding which partition caused the alarm to trigger Disabling a parent alarm disables its children You can enable a parent alarm and disable any of its child alarms You cannot enable a child alarm without first enabling its parent The child alarm of a disabled par...

Page 61: ...t is activated The default value is 95 Reset Threshold Specify the reset threshold When an alarm reaches the lowest or reset threshold it is reset After an alarm is triggered it is not triggered again until it has fallen below the reset threshold The default value is 70 Data Integrity Error Enables an alarm when inconsistency in the data stored on the disk is detected Datastore Eviction Indicates ...

Page 62: ...y after the service triggers the IPMI alarm To reset the alarm click Clear the IPMI alarm now Memory Error Enables an alarm when there is a memory error in one or more memory modules Unplug the power cords from the power supply and try reseating the memory Power Supply Enables an alarm when an inserted power supply cord does not have power as opposed to a power supply slot with no power supply cor...

Page 63: ... link names Link State Enables an alarm and sends an email notification if an Ethernet link is lost By default this alarm is disabled You can enable or disable the alarm for a specific interface To enable or disable an alarm choose Settings Alarms and select or clear the check box next to one or more link names Low Memory Enables an alarm when there is not enough memory in the system to start the ...

Page 64: ... for the condition The following conditions trigger this alarm Configuration errors examples include no encryption key set incorrect appliance time or incorrect cloud credentials An AltaVault appliance reboot for example during an appliance software update A system crash due to a power failure A Storage Optimization Service restart due to a cloud storage provider change A user enters the CLI comma...

Page 65: ... CPU returns to the reset threshold the critical alarm is cleared The default value for the rising threshold temperature is 80º C the default reset threshold temperature is 67º C Warning Temperature Enables an alarm and sends an email notification if the CPU temperature approaches the rising threshold When the CPU returns to the reset threshold the warning alarm is cleared Rising Threshold Specifi...

Page 66: ...5 is a widely used cryptographic hash function that produces a 128 bit 16 byte hash value NTP authentication is optional Configuring NTP authentication involves these steps that you can perform in any order Configure a key ID and a secret pair Configure the NTP server with the key ID NTP servers NetApp recommends synchronizing the AltaVault to an NTP server of your choice To add an NTP server 1 Ch...

Page 67: ...es sent by an SNMP entity that indicate the occurrence of an event The default system configuration does not include SNMP traps AltaVault supports the following SNMP Basic settings SNMP Version 1 SNMP Version 2c SNMP Version 3 which provides authentication through the User based Security Model USM View Based Access Control Mechanism VACM which provides richer access control Control Description Add...

Page 68: ...except for spaces Also the community strings cannot begin with and Control Description Add a New Trap Receiver Displays the controls to add a new trap receiver Receiver Specify the destination IP address or hostname for the SNMP trap Destination Port Specify the destination port Receiver Type Select SNMP version v1 v2c or v3 user based security model Note SNMP v1 and v2c are less secure v3 is reco...

Page 69: ...SNMP information 4 Configure the SNMP server access policies that contain a set of rules defining access rights Based on these rules the entity decides how to process a given request To create users for SNMP v3 1 Choose Configure SNMP v3 Security Level Appears only when you select v3 Determines whether a single atomic message exchange is authenticated Select one of the following settings from the ...

Page 70: ...ct either Supply a Password or Supply a Key to use while authenticating users Password Password Confirm Specify a password The password must have a minimum of eight characters Confirm the password in the Password Confirm text box The password cannot be password MD5 Key Appears only when you select Supply A Key Specify a unique authentication key The key is a MD5 or SHA 1 digest created using md5su...

Page 71: ...ple some users have access to critical read write control data while some users have access only to read only data Security Models A security model identifies the SNMP version associated with a user for the group in which the user resides Secure Access Policies Defines who gets access to which type of information An access policy contains group name security model security level read view name rea...

Page 72: ...rings do not allow printable 7 bit ASCII characters except for spaces Also the community strings cannot begin with and If you specify a read only community string located in the SNMP Basic page under SNMP Server Settings it takes precedence over this community name and allows users to access the entire MIB tree from any source host If this is not desired delete the read only community string To cr...

Page 73: ... any subtree or subtree branch You can specify an OID number or use its string form For example iso org dod internet private enterprises xxx products AltaVault system model Excludes Specify the OIDs to exclude in the view separated by commas By default the view excludes all OIDs Add Adds the view Remove Selected Select the check box next to the name and click Remove Selected Control Description Ad...

Page 74: ...ttom of the page click Rotate Logs After the logs are rotated the following message appears logs have been successfully rotated Control Description SMTP Server Specify the SMTP server You must have external DNS and external access for SMTP traffic for this feature to function Make sure you provide a valid SMTP server to ensure that the users you specify receive email notifications for events and f...

Page 75: ... Warning Conditions that could affect the functionality of the AltaVault such as authentication failures Notice Normal but significant conditions such as a configuration change Info Informational messages that provide general information about system operations This is the default setting This control applies to the system log only It does not apply to the user log Maximum Number of Log Files Spec...

Page 76: ...ging Minimum Severity Select the minimum severity level for the log messages The log contains all messages with this severity level or higher Select one of the following levels from the drop down list Emergency Emergency the system is unusable Alert Action must be taken immediately Critical Conditions that affect the functionality of the AltaVault Error Conditions that probably affect the function...

Page 77: ...ternal system daemons and keeps them running sched Process Scheduler that handles one time scheduled events statsd Statistics Collector that handles the statistics wdt Watchdog Timer the motherboard watchdog daemon webasd Web Application Process which handles the Web user interface Minimum Severity Select the minimum severity level for the log messages The log contains all messages with this sever...

Page 78: ...78 NetApp AltaVault Cloud Integrated Storage Administration Guide Beta Draft Configuring system administrator settings Configuring log settings ...

Page 79: ...ess on page 100 Configuring general security settings You can prioritize local RADIUS and TACACS authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS authorization systems in the Configure General Settings page Make sure to put the authentication methods in the order in which you want authentication to occur If authorization fails on the fir...

Page 80: ...and have created an administrator user account For RADIUS TACACS fallback only when servers are unavailable Specifies that the AltaVault uses a RADIUS or TACACS server only when all other servers do not respond Enabled is the default setting Authorization Policy Appears only for some Authentication Methods Optionally select one of the following policies from the drop down list Remote First Checks ...

Page 81: ... roles a user is assigned to and what actions a user is permitted to perform on the appliance in each of those roles You can specify role based accounts for admin settings general settings prepopulation prepop settings replication settings report settings security settings and storage settings in the AltaVault A role based account cannot modify another role based or capability based account Only t...

Page 82: ...re the following Replication Settings Cloud configuration Replication settings Starting and stopping the Storage Optimization Service Report settings You can assign users permissions to configure the following read only Report Settings Interface statistics Alarm Status View report graphs and statistics Security settings You can assign users permissions to configure the following Security Settings ...

Page 83: ...ble the administrator or monitor account Change Password Select the check box to change password protection New Password Specify a password in the text box The password cannot be password or any case combination of password for any user including admin and root You will be prompted with the following message Password password and its case combinations are not allowed The password must be at least ...

Page 84: ...y Edit User section 4 Click Clear Login Failure Details to unlock the user account When you log in to your account successfully AltaVault resets the login failure count External Authentication Only If this option is selected then this user can only be authenticated via external authentication methods If Kerberos AD authentication is enabled the local password originally configured for a user is no...

Page 85: ...ld Click on a template to select it For new installations the password settings are prepopulated with basic security values 5 Specify values for each of the following settings default values shown Login attempts before lockout no limit Timeout for user login after lockout seconds 300 Days before password expires no limit Days to warn user of an expiring password no limit takes effect after setting...

Page 86: ...vers that can contact the domain controllers used by AltaVault The preferred domain controllers AltaVault can use are specified in the next steps 3 From the Management Console choose Configure SMB 4 If not already configured select Domain and complete the domain configuration as described in To configure an Active Directory domain then click Join Domain For Username you can enter any user that has...

Page 87: ...irectory login accessing AltaVault has the following behaviors Password authentication will be checked against Active Directory credentials not local passwords If the user password is changed in Active Directory that user must log in using the new Active Directory password If user is disabled or deleted in Active Directory that user will not be able to log in to the AltaVault To avoid losing acces...

Page 88: ... new RADIUS server Hostname or IP Address Specify the hostname or IP address Authentication Port Specify the port for the server Authentication Type Select one of these authentication types PAP Password authentication protocol PAP which validates users before allowing them access to the RADIUS server resources PAP is the most flexible protocol but is less secure than CHAP CHAP Challenge Handshake ...

Page 89: ...pecify the global server key Confirm Global Key Confirms the global server key Timeout seconds Specify the time out period in seconds 1 to 60 The default value is 3 Retries Specify the number of times you want to allow the user to retry authentication Valid values are 0 to 5 The default is 1 Control Description Add a TACACS Server Displays the controls for defining a new TACACS server Hostname or ...

Page 90: ...nder Change Password complete the configuration as described in this table Configuring Web settings You can modify Management Console Web user interface settings in the Configure Web Settings page For information on managing Web SSL certificates see Managing web SSL certificates on page 91 To modify web settings 1 Choose Configure Web Settings 2 Under Web Settings complete the configuration as des...

Page 91: ...eb Settings 2 Under Web Certificate select the Details tab The AltaVault identity certificate details appear as described in this table Web Inactivity Timeout minutes Specify the number of idle minutes before time out The default value is 15 A value of 0 disables time out Allow Session Timeouts When Viewing Auto Refreshing Pages By default session time out is enabled Clear the Allow box to disable...

Page 92: ... The private key for this certificate was created with a CSR generated on this appliance Separate Private Key Upload PEM or DER formats Select this option to upload the private key file The page displays a Private Key control for browsing to the key or a text box for copying and pasting the key Click Browse to navigate to the file Paste it here PEM only Select this option to paste the private key ...

Page 93: ...er sensitive information The need for centralized key management has led to development of key management servers KMS which operates as the KMIP server During setup the administrator specifies an external KMS to manage AltaVault s keys and cloud authentication parameters The datastore encryption key and or cloud authentication parameters will then be managed by the KMS If AltaVault uses KMIP the K...

Page 94: ...ltaVault The KMIP server displays in the table below Remove Selected Select a KMIP server and click Remove Selected to delete This will result in AltaVault not using the key any longer But the key will remain on the KMS Deleting the key from the KMS has to be done through the UI provided by the KMS Control Description Key Server Name Select the key server name that was added earlier from the drop ...

Page 95: ...on tab 3 Select yes from the drop down list 4 Select the symmetric key name that corresponds to the AES 256 key Using CLI to configure KMIP You can use CLI to configure KMIP For more information see the NetApp AltaVault Cloud Integrated Storage Command Line Reference Guide available on the NetApp Support at https mysupport netapp com under the Documentation tab Troubleshooting KMIP KMIP commands a...

Page 96: ...96 NetApp AltaVault Cloud Integrated Storage Administration Guide Beta Draft Configuring security settings Configuring KMIP Example of a successful command ...

Page 97: ...tors peer AltaVaults The AltaVault uses REST APIs that you can access to set up peer appliance monitoring After you configure REST API access and add the API access code for the monitored appliance the Appliance Monitoring report enables you to view the health status disk space and cloud service status of the AltaVault The monitoring appliance probes the monitored peer appliances every 60 seconds ...

Page 98: ...tion of the monitoring appliance such as the hostname or IP address of the monitoring master appliance and a description such as monitoring appliance Generate New Access Code Generates the new access code Use Existing Access Code Select to use an existing REST API access code When you are monitoring multiple appliances you can use the same access code instead of creating a new one for each applian...

Page 99: ...rotects these services from disconnection For example if you specify protocol 6 TCP and port 22 the management ACL converts this port and protocol combination into SSH and protects it from denial It tracks changes to default service ports and automatically updates any references to changed ports in the access rules To set up a management ACL 1 Choose Configure Management ACL 2 Under Management ACL...

Page 100: ... 3 0 24 Destination Port Optionally specify the destination port of the inbound packet either a single port value or a port range of port1 port2 where port1 must be less than port2 Leave it blank to specify all ports Interface Optionally select an interface name from the drop down list Select All to specify all interfaces Description Optionally describe the rule to facilitate administration Rule N...

Page 101: ...rver user admin authorized key ssh rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZCATT6tD3t5JmS276WzIJpVoPn 0ReCbRThpyh 2Glsv346 XV3Odz1954gd2n1kpeMckt7iSv6EgF2oGWMPE1h9tiCY5PKumZsT7bwQ94Y8IML ZsldggVDOqRXRyXsInAm0hLCOFp3Ux g4SUxjcTwJM82ZP6jTSMLVjxWJhZKqJLzQpsUgv0BuAaQWdeS6vyNmgxfm Fpv4Ov2o376sPSmnEPodkyGnXTnn1JoQPH0 ICrrwt8of6IxObKH9HEBUaO94qZ XLT 7SM6s9j4uR53KON8DnHNkntpGFDmR9hL6Krg9KWVCOb7Z0amNDk1p4y4bOk...

Page 102: ...102 NetApp AltaVault Cloud Integrated Storage Administration Guide Beta Draft Configuring security settings Configuring SSH Access ...

Page 103: ...S is a publicly announced set of validation standards developed by the United States National Institute of Standards and Technology NIST for use by government agencies and by government contractors FIPS 140 2 details the U S and Canadian Government requirements for cryptographic modules Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and i...

Page 104: ...tm Note Throughout this guide FIPS mode and FIPS compliance refers to use of the NetApp Cryptographic Security Module Compliant FIPS cryptography features The following features use FIPS compliant cryptography Web interface Apache Web server Local user passwords and local authentication using SHA256 based or SHA512 based hash Image integrity checks for AltaVault OS File transfers NTP with SHA auth...

Page 105: ...ased hash NTP with MD5 authentication RADIUS SNMP with users configured with MD5 or DES protocols TACACS Configuring AltaVault for FIPS compliance To achieve FIPS compliance on an AltaVault configure the system to run in FIPS operation mode and adjust the configuration of any features that are not FIPS compliant With FIPS mode enabled the system monitors configuration changes and provides warnings...

Page 106: ...r accounts use FIPS compliant encryption For details see Account passwords on page 107 Note Prior to enabling FIPS mode on the AltaVault appliance remove previously configured local SMB users FIPS mode does not support local SMB users To enable FIPS mode 1 Connect to the CLI 2 Enter configuration mode enable FIPS mode and restart the system At the system prompt enter the following set of commands ...

Page 107: ...w fips status command The following sections describe configurable features that can affect FIPS compliance and describe how to resolve the warnings The system does not prevent you from using noncompliant features in FIPS mode but the system does warn you that they are not FIPS compliant The exception is account passwords you cannot enable FIPS mode if all account passwords do not use compliant en...

Page 108: ...ree techniques for the generation and verification of digital signatures for the protection of data the Digital Signature Algorithm DSA the Elliptic Curve Digital Signature Algorithm ECDSA and the Rivest Shamir Adleman RSA Algorithm FIPS includes key size requirements when running in FIPS mode All imported and generated keys need to be the following sizes RSA based and DSA based certificates 2048 ...

Page 109: ...system logs on page 142 RADIUS and TACACS The RADIUS and TACACS protocols are not FIPS compliant These protocols use noncompliant hash algorithms The system displays a warning message if you configure these features in FIPS mode The following commands generate a configuration warning in FIPS mode aaa accounting per command default tacacs aaa authentication console login login default radius tacacs...

Page 110: ...server allowed ciphers aes128 cbc aes192 cbc aes256 cbc aes128 ctr aes192 ctr aes256 ctr To verify that SSH is running in FIPS mode look for entries similar to the following in the syslog when a user logs in Mar 18 15 00 30 amnesiac sshd FIPS_mode_set 1 Mar 18 15 00 30 amnesiac sshd 14594 FIPS mode initialized Telnet server Telnet functionality is not FIPS compliant Enabling this feature triggers ...

Page 111: ... amnesiac config write memory amnesiac config reload Rebooting amnesiac config When you disable FIPS mode the system is less restrictive and FIPS compliance configuration warnings no longer appear Any configuration changes that you made while in FIPS mode such as disabling certain features or setting specific ciphers are not modified Verifying FIPS mode in system logs You can review the system log...

Page 112: ...guration changes and ensure that FIPS mode is set Mar 18 16 05 10 amnesiac pm 4989 pm NOTICE Launched snmpd with pid 31709 Mar 18 16 05 10 amnesiac snmpd 31709 FIPS_mode_set 1 Mar 18 16 05 10 amnesiac snmpd 31709 NET SNMP version 5 3 1 Verifying that the web interface operates in FIPS mode The Apache web server for the AltaVault appliance always runs in FIPS mode To verify that the web server is i...

Page 113: ...ng operations when required You can start stop and restart AltaVault Storage Optimization Service in the Maintenance Service page You can also use this page to reset the service alarm after it has been triggered Restarting AltaVault service disrupts ingest sessions established with the AltaVault This has the following impact All shares SMB NFS OST and SnapMirror will be unavailable and cloud conne...

Page 114: ...go to Home Optimization Service You should see that Service is running and Status is ready To check the service status from the command line interface run the show service command Configuring scheduled jobs Jobs are commands that are scheduled to execute at a time you specify You can view completed pending and inactive jobs as well as jobs that were not completed because of an error in the Schedul...

Page 115: ...s running the following message will appear in the CLI Cannot configure license while optimization service is running Managing licenses includes the following sections Managing unlicensed AltaVault appliances on page 116 Managing licenses using the command line on page 116 Managing licenses using the Management Console on page 117 License limits on page 117 Model upgrades on the virtual AltaVault ...

Page 116: ...equirements for the new model will be checked and enforced after the reboot occurs Note Upgrading a virtual AltaVault 4 1 or earlier model that is unlicensed will result in the model being reset to an AVA v2 model Use the above command to change the model back to its previous configuration Managing licenses using the command line You can install delete or view an existing licenses using the comman...

Page 117: ...ation to the cloud during the over_capacity alarm You can find the pending data to be replicated in the Replication Optimization report by choosing Reports Replication Model upgrades on the virtual AltaVault appliances Upgrading an existing licensed AltaVault virtual appliance to a higher model requires removing the old license key and installing a new license key Only one license key can be prese...

Page 118: ...you must manually turn on the AltaVault Rebooting the AltaVault physical appliances does not reboot the attached add on shelves You do not need to power off the add on shelves even if the AltaVault is rebooting The add on shelves should always be powered on before the AltaVault boots and starts running the Storage Optimization Service To reboot or shut down the system 1 Choose Maintenance Reboot S...

Page 119: ...le across sessions on a per user basis They do not affect the configuration of the appliance Managing configuration files The admin account and users with admin role privileges can save and activate configurations in the Configure Configurations page Each AltaVault has an active running configuration and a written saved configuration The default configurations are as follows To manage configuratio...

Page 120: ...Maintenance Service page Click the configuration name to display the configuration settings in a new browser window Control Description Current Configuration configuration name View Running Config Displays the running configuration settings in a new browser window Save Saves settings that have been applied to the running configuration Revert Reverts your settings to the running configuration Save ...

Page 121: ...r share utilization reports on page 132 Viewing the alarm status report on page 133 Viewing the CPU utilization report on page 136 Viewing the memory paging report on page 137 Viewing the interface counters report on page 138 Viewing the disk throughput report on page 139 Viewing the disk IOPS report on page 140 Viewing the disk utilization report on page 141 Viewing logs on page 142 Downloading l...

Page 122: ... only makes data easily accessible but also enhances your ability to explore data in context An example of a typical report is shown in Figure 10 1 with the key areas labeled For details about individual reports see the report description Statistics used in generating reports are retained for one year Figure 10 1 Report layout The report sections going counter clockwise from the top left of the re...

Page 123: ...me The plot area colors the series names appropriately and the data values have their associated units The plot area also displays subtle shading to denote work hours white background and nonwork hours gray background The AltaVault defines work hours as 8 00 AM to 5 00 PM on weekdays are not configurable To pan the plot area 1 Place the mouse pointer over the plot area and then click and hold the ...

Page 124: ... link with the static text Showing newest data When the chart is showing newest data you can see new data points as the system adds them automatically to the chart every 10 seconds This can be very powerful when you launch a new configuration and need to analyze its impact quickly You cannot change the 10 second default When the chart window is not attached to the end of the chart the report repla...

Page 125: ...xplaining the user preferences might be overwritten Viewing the storage optimization report The Storage Optimization report is the same report that appears on the home page of the AltaVault Management Console It summarizes the percentage of the data storage optimized within the time period specified It includes the following statistics that describe the storage optimization activity for the time p...

Page 126: ... What is the average front end SMB NFS OST SnapMirror data that the backup server writes to the AltaVault What is the total amount of data transferred from the backup server to the AltaVault What is the average front end SMB NFS OST SnapMirror data read by the backup server What was the peak amount of data transmitted To view the Front End Throughput Optimization report 1 Choose Reports Front End ...

Page 127: ...the Back End Throughput Optimization report 1 Choose Reports Back End Throughput Control Description 5m 1h 1d 1w All Select one of the following report time intervals to filter the display 5m Displays five minutes of data 1h Displays one hour of data 1d Displays one day of data 1w Displays one week of data All Displays all data available for the past 30 days To type a custom time interval enter th...

Page 128: ...calculated using the date and time it was created leaving the AltaVault local storage disk To view the Eviction report 1 Choose Reports Eviction Control Description 5m 1h 1d 1w All Select one of the following report time intervals to filter the display 5m Displays five minutes of data 1h Displays one hour of data 1d Displays one day of data 1w Displays one week of data All Displays all data availa...

Page 129: ...ose Reports Replication Control Description 5m 1h 1d 1w All Select one of the following report time intervals to filter the display 5m Displays five minutes of data 1h Displays one hour of data 1d Displays one day of data 1w Displays one week of data All Displays all data available for the past 30 days To type a custom time interval enter the start time and end time using the format YYYY MM DD HH ...

Page 130: ...the following report time intervals to filter the display 5m Displays five minutes of data 1h Displays one hour of data 1d Displays one day of data 1w Displays one week of data All Displays all data available for the past 30 days To type a custom time interval enter the start time and end time using the format YYYY MM DD HH MM SS in the text field You can view the newest data and see data points a...

Page 131: ...hat is the AltaVault up time What is the expanded data in the AltaVault What is the AltaVault deduplicated data What is the deduplication factor ratio of the expanded data and the deduplicated data How much data is replicated to the cloud What is the time to complete replication What are the pending replication bytes How much disk storage is used How much disk storage is free Control Description 5...

Page 132: ...Utilization reports answer the following questions What is the hostname of the AltaVault What is the model name of the AltaVault What is the AltaVault serial number What is the AltaVault software version What is the date on which the report was sent What is the AltaVault up time What is the evicted percentage To configure and view Share Utilization report 1 Choose Configure Email The system sends ...

Page 133: ...cy in the data stored on disk Generates an AutoSupport message when AutoSupport is enabled Datastore Eviction Indicates that the system has detected an issue with datastore eviction The alarm triggers when the appliance has started evicting data from the local disk cache when the age of the evicted data is relatively young An AltaVault has disk space much smaller than the total addressable space o...

Page 134: ...e alarm appears only after the service triggers the IPMI alarm To reset the alarm click Clear the IPMI alarm now Inconsistent Cloud Connectivity Indicates that the connection to the cloud provider is inconsistent leading to a large number of connection errors Inconsistent Cloud Data Indicates that an inconsistency in the data stored in the cloud was detected Licensing Indicates that your appliance...

Page 135: ...and select or clear the check box next to the link name Low Memory Indicates that low memory exists Max inodes limit Indicates that the maximum number of files that can be stored has been reached Max Pinnable Limit Indicates that the maximum pinnable limit has been reached Memory Paging Indicates that the system has reached the memory paging threshold If 100 pages are swapped approximately every t...

Page 136: ...orrect appliance time or incorrect cloud credentials An AltaVault appliance reboot for example during an appliance software update A system crash for example due to a power failure A Storage Optimization Service restart for example due to a cloud storage provider change A user enters the CLI command no service enable or shuts down the Storage Optimization Service from the Management Console A user...

Page 137: ...ges per second utilized in the time period specified It includes the following data that describe memory paging activity for the time period you specify The Memory Paging report answers the following questions Control Description 5m 1h 1d 1w All Select one of the following report time intervals to filter the display 5m Displays five minutes of data 1h Displays one hour of data 1d Displays one day ...

Page 138: ...he past 30 days To type a custom time interval enter the start time and end time using the format YYYY MM DD HH MM SS in the text field You can view the newest data and see data points as they are added to the chart dynamically Show newest data Click this option to display only the latest data available The latest data available depends on the time interval that you specify For example if 1h is th...

Page 139: ...ng statistics The Disk Throughput report answers the following questions What is the average read throughput that the AltaVault is experiencing at the specified time What is the average write throughput that the AltaVault is experiencing at the specified time The average disk throughput is a measure of performance that help you to discover disk based bottlenecks The rate at which the AltaVault can...

Page 140: ...trol Description 5m 1h 1d 1w All Select one of the following report time intervals to filter the display 5m Displays five minutes of data 1h Displays one hour of data 1d Displays one day of data 1w Displays one week of data All Displays all data available for the past 30 days To type a custom time interval enter the start time and end time using the format YYYY MM DD HH MM SS in the text field You...

Page 141: ...me intervals to filter the display 5m Displays five minutes of data 1h Displays one hour of data 1d Displays one day of data 1w Displays one week of data All Displays all data available for the past 30 days To type a custom time interval enter the start time and end time using the format YYYY MM DD HH MM SS in the text field You can view the newest data and see data points as they are added to the...

Page 142: ...play 5m Displays five minutes of data 1h Displays one hour of data 1d Displays one day of data 1w Displays one week of data All Displays all data available for the past 30 days To type a custom time interval enter the start time and end time using the format YYYY MM DD HH MM SS in the text field You can view the newest data and see data points as they are added to the chart dynamically Show newest...

Page 143: ...and errors The most recent log events are listed first To view and customize user logs 1 Choose Maintenance User Logs 2 Use the controls to customize the log as described in this table Filter Select one of the following filtering options from the drop down list Regular expression Specify a regular expression on which to filter the log Error or higher Displays error level logs or higher Warning or ...

Page 144: ...igabyte uncompressed size You can change this to rotate every week or month Additionally you can rotate the files based on file size The automatic rotation of system logs deletes your oldest log file labeled as Archived log 10 pushes the current log to Archived log 1 and starts a new current day log file Downloading user log files You can download user logs in the Maintenance User Logs Download pa...

Page 145: ...e kernel data on the system System dump files can help you diagnose problems in the system To generate system dump files 1 Choose Maintenance System Dumps 2 Click the name of the system dump file and then click Download System Dump to download it 3 Optionally under Upload to NetApp Support type the support case number click Upload to upload the system dump to the NetApp Support site 4 Under Genera...

Page 146: ...r transmitted on the interface to help diagnose problems in the system The AltaVault provides an easy way to capture and retrieve multiple capture files from the Management Console You can create TCP dumps from multiple interfaces at the same time limit the size of the TCP dump and schedule a specific date and time to capture TCP information Scheduling and limiting a TCP capture file by time or si...

Page 147: ...s using commas You can enter IPv6 addresses separated by commas The default setting is all IP addresses Ports Specify ports on one side Separate multiple ports using commas The default setting is all ports and IPs Specify IP addresses of endpoints on the other side Separate multiple IP addresses using commas You can enter IPv6 addresses separated by commas The default setting is all IP addresses P...

Page 148: ...p or vlan and arp Capture Duration Seconds Specify a positive integer to set how long the capture runs in seconds The default value is 30 Specify 0 or continuous to initiate a continuous trace For continuous capture NetApp recommends specifying a maximum capture size and a nonzero rotate file number to limit the size of the TCP dump Maximum Capture Size Specify the maximum capture file size in meg...

Page 149: ...ude the and statement at the start of the custom flags field Do not use host src or dst statements in the custom flags field Although it is possible in trivial cases to get these to start without a syntax error they do not capture GRE encapsulated packets that some modes of AltaVault communications use such as WCCP deployments or Interceptor connection setup traffic NetApp recommends using bidirec...

Page 150: ...h The simplest regex is a word or a string of characters For example if you set the pattern to Limit the trigger matches the line Connection Limit Reached Notes Perl regular expressions are case sensitive Perl treats the space character space like any other character in a regex Perl reserves some characters called metacharacters for use in regex notation The metacharacters are You can match a meta...

Page 151: ...a typo the trigger might never find a match Only one instance of a trigger can run at one time Viewing a TCP dump The top of the TCP Dumps page displays a list of existing TCP trace dumps To view a capture file 1 Choose Maintenance TCP Dumps 2 Under Stored TCP Dumps select the trace dump name to open the file 3 Click Download to view a previously saved capture file 4 To remove a capture file selec...

Page 152: ...server it must have a trailing backslash For example ftp ftp netapp com incoming not ftp ftp netapp com incoming The filename as it exists on the appliance will then match the filename on the upload server For details see the NetApp AltaVault Cloud Integrated Storage Command Line Interface Reference Guide 4 Click Upload A a progress bar displays the percentage of the total upload completed the cas...

Page 153: ...ment related issue in a low priority order Degraded The appliance is optimizing storage but the system has detected an issue Address the issue that the system has detected Admission Control The appliance is optimizing storage but has entered the admission control state Admission control limits the number of connections made to the AltaVault so that you do not over consume resources on your system ...

Page 154: ...AltaVault Cloud Integrated Storage Installation and Service Guide for Physical Appliances The Shelf Details report provides the serial number and status of the AltaVault hardware disk array To identify physical location of a drive Use the following CLI CLI show hwraid disk information To view the shelf details 1 Choose Reports Shelf Details 2 Click the serial number of a shelf to obtain alarm info...

Page 155: ...ity of the local file system and provides the diagnosis You cannot run the Offline File System Check if the Storage Optimization Service is running Before you perform the Offline File System Check choose Maintenance Service and click Stop to stop the Storage Optimization Service To view the offline file system check page 1 Choose Maintenance Offline File System Check 2 Click the filename to open a...

Page 156: ...ation Service is running You can stop the check at any time To view the Online File System Check page 1 Choose Maintenance Online File System Check 2 Under Online File System Check Actions click Start Data Integrity Check to start the check or Click Stop Data Integrity Check to stop the check Control Description Status Displays the status of the Offline File System Check report such as running or ...

Page 157: ...e Verify page provides the diagnosis for checking cloud replication consistency Start the Verify operation only after all pending replication has completed successfully and the value of Replication Bytes Pending is zero You cannot run the Verify tool if the storage optimization service is running To view the Verify tool diagnostics 1 Choose Maintenance Replication Verify Check 2 Click the filename...

Page 158: ...158 NetApp AltaVault Cloud Integrated Storage Administration Guide Beta Draft Viewing reports and logs Viewing the verify tool diagnostics ...

Page 159: ... must be configured to use the Amazon S3 cloud For AltaVault cloud configuration details see To use the Cloud Settings wizard on page 22 AltaVault replication must be suspended immediately after configuring AltaVault to use the S3 cloud so no data replication to S3 occurs over the Internet To suspend replication see Configuring replication on page 36 You must use the same AWS account to order Snow...

Page 160: ...ng operation the existing contents of the Snowball are overwritten with the latest copy Seeding data using Snowball The Snowball appliance is available through Amazon Web Services AWS This section covers the following topics Creating a Snowball job in AWS on page 160 Transferring data from AltaVault to Snowball on page 161 Managing data transfers on AltaVault on page 162 Verifying and completing d...

Page 161: ...ouch screen on Snowball select your network interface type and configure an IP address netmask and default gateway 3 From the AWS Job dashboard select the job name to view Job status for the Snowball appliance 4 Click Get credentials to access the job manifest and a 25 character unlock code Both the manifest file and the unlock code are required to start Snowball A separate unlock code and manifes...

Page 162: ... the Snowball from AVA A shipping label will appear on the E Ink display Ship the Snowball appliance s back to AWS for copying of the data to the cloud bucket 13 Enter the following command to delete the current manifest file from AltaVault hostname config seed snowball manifest file delete Note Do not start replication service on AltaVault at this time You must verify the data transfer on Amazon ...

Page 163: ... the Snowball is re used for a new seeding operation the existing contents of the Snowball are overwritten with the latest copy Verifying and completing data transfer After the Snowball appliance is returned Amazon copies the data to the S3 bucket created when you ordered Snowball If you set up job notifications Amazon emails you with status at each event When you are notified that the transfer is...

Page 164: ...the verification status hostname config show seed If the transfer to the cloud was successful the verification status changes to Completed For a list of status messages see Managing data transfers on AltaVault on page 162 4 After the verification is complete instruct AltaVault to end Snowball actions by entering the following command hostname config seed snowball stop After stopping the process Al...

Page 165: ...offers cloud migration to address this requirement For general cloud to cloud migration AltaVault acts as a data replicator during the migration As the data flows from the existing cloud through AltaVault and then on to the new cloud AltaVault does not reprocess the data Therefore no data is evicted from the AltaVault cache during this process the data simply flows through the networking component...

Page 166: ...procedures described in this chapter To migrate data to a new cloud use one of the following procedures Cloud to cloud migration on page 166 Amazon S3 or S3 IA to Glacier migration on page 167 Amazon S3 to S3 IA or Amazon S3 IA to S3 migration on page 168 Cloud to cloud migration Note If you are migrating between Amazon storage classes for the same security credentials see Amazon S3 or S3 IA to Gl...

Page 167: ...sed and service will be restarted Continue y n To delete the data in the new cloud and start the migration over again enter the following command CLI config replication migrate to format Data in new cloud will be deleted Do you want to continue y N Canceling cloud to cloud migration Use the following commands to cancel a migration that is already in progress 1 Cancel the migration CLI config repli...

Page 168: ... prefixes already enabled 5 Start the AltaVault Storage Optimization Service hostname config service enable Amazon S3 to S3 IA or Amazon S3 IA to S3 migration If you are migrating from Amazon S3 to S3 infrequent access storage classes or vice versa perform the following steps 1 Connect to the AltaVault command line interface using SSH 2 Enter the following commands to access configuration mode hos...

Page 169: ...s the cache size on the target appliance must be equal to or larger than the source Additionally for physical appliances the number of RAID groups on the target appliance must be equal to or larger than the source appliance Source appliance Target appliance Software requirements source target SteelStore physical or virtual appliance AltaVault physical appliance AVA 400 800 3 2 3 4 1 1 Note For Ste...

Page 170: ...ation both the source and target appliances will be unavailable for backup and recovery Data migration connection diagrams Below are the recommended data migration connectivity diagrams for physical and virtual appliances The connections you establish will depend on whether you have 1GbE or 10GbE connectivity in your network Connectivity can include switches but for best performance it is recommen...

Page 171: ...e Administration Guide 171 Beta Draft Data migration connection diagrams Migrating data between appliances SteelStore physical appliance to AltaVault physical appliance SteelStore or AltaVault virtual appliance to AltaVault physical appliance ...

Page 172: ...rsion of the NetApp AltaVault Cloud Integrated Storage Installation Guide for the Virtual Appliances or AltaVault System Installation and Setup Instructions poster Connect the source appliance to the target appliance For more information refer to the suggested network diagram configurations as shown in the Data migration connection diagrams on page 170 Run the migration tool to migrate data on to ...

Page 173: ...e is an AltaVault appliance both source and target must be running the same software version Appliance service Shut down the storage optimization service by navigating to Maintenance Service page To stop the service using the CLI open an SSH session to the source appliance and issue the following commands enable configure terminal no service enable Encryption key passphrase If an encryption key pa...

Page 174: ...n the number of source storage shelves including the source controller For example a SteelStore 3030 with 3 shelves would require an AltaVault appliance with at least 2 shelves which in turn supports 4 RAID groups To gather shelf information using the CLI open a SSH session to the source appliance and issue the following command enable configure terminal show shelves Time zone The time zone on the...

Page 175: ...ll be similar to the source appliance However the metadata only option is not optimized for data restore on the target appliance as it has not transferred the locally cached data One or more destination interface IP addresses can be provided as part of the data migration command If more than one destination interface IP address can be provided in comma separated form as part of the data migration ...

Page 176: ...ion 1 Disconnect the target appliance if it is connected directly to the source appliance and connect it to the network infrastructure 2 If required reconfigure the data interfaces on the target appliance for the new network 3 Issue the following CLI commands on the target appliance to complete data migration and return the appliance to production use target appliance config megastore guid reset t...

Page 177: ... your data For example consider a data center with AltaVault located at the Production Site site A The backup site is the DR Site B located in a different physical location such as different city country or continent If there is a disaster at Site A the data still resides in the cloud Site B contains a passive AltaVault that is not powered on You can also use AltaVault v at Site B depending on the...

Page 178: ...restoring data for disaster recovery testing you must first disable replication on AltaVault at site A and then restore your data at site B Suspending replication at the production site To suspend replication 5 On the original production AltaVault appliance suspend replication by selecting Configure Cloud Settings 6 Select the Replication tab 7 To suspend replication select the check box Suspend R...

Page 179: ...config service enable amnesiac config show service The recovery process for both testing and an actual recovery can take anywhere from a few seconds to a few hours depending on the backup s being restored During the recovery process the system communicates with the cloud provider and recovers all the namespace files that existed before the failure The duration of this process depends on how many f...

Page 180: ...ollowing commands amnesiac enable amnesiac configure terminal amnesiac config no service enable amnesiac config datastore format local amnesiac config reset factory Note The AltaVault appliance shuts down as the final action in the reset factory command 2 On the original production AltaVault appliance re enable replication by selecting Configure Cloud Settings 3 Select the Replication tab 4 To res...

Page 181: ...e in Site B uses the same cloud provider credentials bucket name and encryption key that Site A uses For more information on wizard related steps see Chapter 3 Using the AltaVault configuration wizards 9 To perform disaster recovery after a lost primary site connect to the CLI by logging in as admin using SSH and enter the following CLI commands amnesiac enable amnesiac configure terminal amnesiac...

Page 182: ...182 NetApp AltaVault Cloud Integrated Storage Administration Guide Disaster recovery Disaster recovery ...

Page 183: ...or a detailed list of system hardware components and specifications see NetApp Hardware Universe AltaVault appliance components The AltaVault AVA400 or AVA800 chassis contains the following components AVA400 or AVA800 controller Front panel with Power Warning and controller Activity LEDs Two field replaceable 1300W 100 240V AC auto ranging plug in power supply units Three field replaceable high sp...

Page 184: ...run a CLI command to add it to the RAID array For more information see NetApp AltaVault Cloud Integrated Storage User s Guide You must add a drive to the RAID controller using the Management Console or the command line interface New expansion shelves cannot be added when system is running Drives are not added to the RAID array automatically You must shut down the system add the drives and restart ...

Page 185: ...n the controller is active the system is halted or whether a fault has occurred in the chassis The image on the left displays a system bezel The diagram on the right displays the system LEDs on the bezel 2 Use the following table to understand the system LEDs Component Description 1 System LEDs When the bezel is in place the LEDs are arranged horizontally in the following left to right order Power...

Page 186: ... behind the bezel Remove the front bezel to see these LEDs The system LEDs and the LEDs visible when the bezel is installed are the same except that the bezel LEDs are aligned horizontally and the system LEDs are aligned vertically Both sets of LEDs provide the same information about the system Chassis handles The chassis has two handles on each side that assist with lifting the system The handles...

Page 187: ...s still powered Non hot swappableFRUs Component which cannot be replaced while the system is still powered Component Description 10GbE Ports Link LED Activity LED Displays green when the port is linked and displays white when there is no link Displays orange when the port is active and displays white when there is no activity PCM PCM Attention LED is used on the AltaVault controller for debugging ...

Page 188: ...he chassis has six slots on the chassis front and four slots on the chassis rear The bottom row of fan modules are replaced with a blank because these fan modules are not required To locate chassis components in an AltaVault system 1 You must remove the front bezel to see the slots that contain the fan modules in the chassis 2 Use the information that follows to locate the slots and the components...

Page 189: ...dle release latch and an attention LED that indicates the status of the fan module The image below displays the fan module component locations The following table displays the fan module components and descriptions To locate the fan modules and their LEDs 1 Remove the front bezel Component Description 1 Cam handle 2 Fan module 3 Cam handle release latch 4 Fan module attention LED ...

Page 190: ...ced within two minutes the system shuts down to avoid overheating For information on replacing fan modules see Hot swapping controller fan modules on page 209 Fan redundancy policy The AltaVault system fan redundancy policy enables the system to continue operating with a single fan failure one fan failure in any one fan module Each fan module has two fans The following events indicate fan failure ...

Page 191: ... Reports Alarms Status Power supplies and their LEDs AltaVault systems ship with two AC power supplies preinstalled in the chassis in the slots labeled 1 and 2 The AC power supplies are installed on the rear of the chassis The power supplies are fully redundant hot swappable field replaceable units FRUs The system remains operational even if one power supply fails Note When you remove a failed pow...

Page 192: ...behavior of the power supply LEDs These LEDs help monitor the status of the power supply The following table summarizes the specifications of the AC power supplies used in AltaVault systems Component Description 1 Power LED 2 Attention LED Icon LED Color Description Corrective action Power supply attention LED Amber Clear off The power supply module is not working properly No errors Remove the fau...

Page 193: ...ntroller Ports and LEDs on the AltaVault controller Internal FRUs and their LEDs Use the components in this table to help remove or install a controller in a chassis Controller LED behaviors The LEDs on the face plate of the controller display the status of its network or disk shelf connections and identifies the controller where a fault has occurred To aid in understanding the controller faceplat...

Page 194: ... The NVRAM is physically present but not used in the AltaVault software 8 Controller attention LED Port labels Port descriptions LED labels LED status LED descriptions e0a through e0d and 10 GbE ports Each controller has four 10Gb Ethernet 10GbE ports identified with labels e0a e0b e0c and e0d LNK Green Amber flashing Off A link is established between the port and some upstream device Traffic is f...

Page 195: ...s This section describes the ports and LEDs on the right side of the controller faceplate Component Description 1 1GbE port LEDs 2 1GbE ports 3 Management Ethernet port wrench icon LEDs 4 Management Ethernet port wrench icon 5 Private management Ethernet port wrench lock icon LEDs not used 6 Private management Ethernet port wrench lock icon not used 7 USB port not used 8 Console port ...

Page 196: ...h labels e0i e0j e0k and e0l LNK Left LED Activity Right LED Green Off Amber flashing Off A link is established between the port and some upstream device No link is established Traffic is flowing over the connection No traffic is flowing over the connection and Remote management The remote management port is labeled with a wrench symbol It is identified as primary e0M in the CLI commands and outpu...

Page 197: ...arts The attention LED is next to the boot device on the motherboard Not applicable System DIMM There are eight 32G DIMMs All eight DIMMs must be installed for the system to be fully functional Not applicable RAID Controller assemblies The RAID controller assemblies provide reliability high performance and fault tolerant disk subsystem management The RAID controller assemblies are installed in PCI...

Page 198: ...198 NetApp AltaVault Cloud Integrated Storage Administration Guide Beta Draft System components AVA 400 AVA 800 Internal FRUs ...

Page 199: ...power supplies on page 212 Changing the shelf ID for a disk shelf on page 215 Adding an additional RAID group to a configured appliance on page 216 Replacing internal FRUs on page 218 Replacing a boot device in a controller on page 219 Replacing system DIMMs on page 223 Replacing RAID controllers on page 227 Replacing the RTC clock coin battery on page 227 Replacing disk shelf power supplies and o...

Page 200: ...ller using the following CLI commands CLI enable CLI configure terminal CLI config sp password set 3 Use the new password when logging into the Service Processor Note After the AltaVault appliance is switched over to FIPS mode the service processor password cannot be set anymore because of FIPS compliance restrictions Set the service processor password prior to switching to FIPS mode If the sp pas...

Page 201: ...Network Configuration Ethernet Link up full duplex auto neg complete Mgmt MAC Address 00 A0 98 54 F9 F6 IPv4 Settings Using DHCP YES IP Address 172 16 33 154 Netmask 255 255 252 0 Gateway 172 16 33 1 IPv6 Disabled Note Make a note of the IP address It is used to validate remote access via the Service Processor If you do not want to enable DHCP enter the IP address netmask and gateway address from ...

Page 202: ...using one of the following methods Connect to the serial console port and log in to the AltaVault Press Ctrl G to get into Service Processor mode To exit service processor mode press Ctrl D SSH to the IP address of the Service Processor Log in using the password set previously 2 Obtain the Service Processor IP configuration and firmware version SP sp status Firmware Version 3 0 2 Debug Mode Enable...

Page 203: ... power supply has a on off switch turn the switch to the OFF O position 4 Unplug the power cords from the power supplies and the power source Pinch the tab on the locking mechanism of the cable retainer clip and open the retainer clip Slide the retainer clip off the cord Unplug the power cord from the power supply Then unplug the cord from the power source Repeat Step 4 for the second power supply...

Page 204: ...r you must export the controller s current configuration shut down the controller and remove it from the chassis To shut down the controller and remove it from the chassis 1 Ensure that the current configuration from the source appliance has been exported For details see the section Using the Export Configuration Wizard in the NetApp AltaVault Cloud Integrated Storage User s Guide Ensure that the ...

Page 205: ...em DIMMs to the replacement controller module For instructions on replacing the system DIMMs see Replacing system DIMMs on page 223 Install the eight DIMMs using the steps described in the procedure Installing system DIMMs on page 225 3 Move the boot device to the replacement controller module a For instructions on removing the boot media from the impaired module see Replacing a boot device in a c...

Page 206: ...viously saved configuration into the target AltaVault appliance using the Import Configuration Wizard 9 Reset the Megastore GUID by entering the following CLI commands at the command line CLI enable CLI configuration terminal CLI megastore guid reset The last command generates a new megastore GUID based on the serial number of the target AltaVault appliance It is important to perform this step bef...

Page 207: ...t damage the connectors on the rear of the module 4 Close the cam handle so that the latch clicks into the locked position and the controller module is fully seated in the chassis Tighten the thumbscrew 5 Identify components as described in this table 6 Reconnect the power cables to the power supplies and secure them using the cable retaining clips 7 Reconnect the power cables to the power source ...

Page 208: ...ntroller module from the old chassis remove the old chassis from the rack or cabinet install the new chassis and then reinstall the components in the new chassis Before you begin You must perform a clean system shutdown to ensure that all data has been written to the storage subsystems Use the reload halt command to shut down the system If you cannot gracefully shut down the system contact technic...

Page 209: ...described in the procedure Installing power supplies on a controller on page 214 Note Do not turn on the power supplies at this time 6 Reinstall the controller module in the chassis as described in Installing a controller in a chassis on page 206 AltaVault systems support only one controller per chassis Install the blank panel over the second slot 7 Turn the power switch on both power supplies and...

Page 210: ...f 2 With two hands grasp the openings on each side of the bezel and pull it toward you until the bezel releases from the four ball studs on the chassis frame 3 Identify the fan module that you must replace by checking the error messages and looking at the attention LED on each fan module cam handle Note If the fan attention LED is lit solid amber the fan module has failed 4 Press down the release ...

Page 211: ... module that you are installing is supported by your controller model To install a fan module 1 If you are not already grounded properly ground yourself 2 Insert the replacement fan module into the chassis by aligning it with the opening and sliding it into the chassis 3 Push firmly on the fan module housing to ensure that it is seated all the way into the chassis The cam handle raises slightly wh...

Page 212: ...raised The UI shows a degraded state with the appropriate alarm information and if configured an email is sent to the administrator Before you begin If you are replacing more than one power supply on a controller you must do so one at a time to prevent system downtime If you must remove all power supplies leaving the controller without any power you must first shut down and then power off the syst...

Page 213: ...tion 4 Remove the power cord from the power supply using the image below as a reference Pinch the tab on the locking mechanism of the power cord retainer clip and open the retainer clip Slide the retainer clip off the cord Unplug the power cord from the power supply and the power source 5 Press down the release latch on the power supply cam handle to unseat the power supply 6 Lower the cam handle ...

Page 214: ...ith the opening in the system chassis and gently push the power supply into the chassis until it is almost flush with the chassis as shown below Important Do not use excessive force when sliding the power supply into the chassis you can damage the connectors on the rear of the power supply 4 Identify power supply components as described in this table 5 Push on the power supply to seat it all the w...

Page 215: ... For instructions on installing the AVA10S shelves and for general safety guidelines see the guide SAS Disk Shelves Installation and Service Guide for DS4243 DS2246 DS4486 and DS4246 The AltaVault AVA10S shelf is identical to the DS4246 disk shelf Changing the shelf ID for a disk shelf If a change to a shelf ID is required such as when expanding existing AltaVault capacity with a new shelf additio...

Page 216: ...second number stops blinking Both numbers on the digital display should blink and the shelf fault LED illuminates within five seconds The fault LED stays lit until you power cycle the shelf 8 To power cycle the disk shelf to ensure the new disk shelf ID takes effect flip the Power Switch to the off position wait several seconds then flip it back to the on position 9 Replace the left ear cover 10 R...

Page 217: ... storage configurations support only homogeneous drive sizes the AVA400 supports 4TB and the AVA800 supports 6TB drives Ensure the controller and the shelf are powered off To shut down the controller follow the procedure in the section Shutting down the AltaVault controller on page 203 To add a 12 pack RAID group to a system 1 Place the 12 drives into the empty slots on the powered off disk shelf ...

Page 218: ...lf see Adding an additional RAID group to a configured appliance on page 216 Replacing internal FRUs To replace internal field replaceable units FRUs inside the AltaVault controller module you must perform a clean shutdown of the system remove the controller module from the chassis replace the faulty internal FRU then re install the controller module in the system chassis Before you begin ensure t...

Page 219: ... page 219 Replacing a controller chassis on page 208 Disposing of batteries on page 230 9 After you have completed replacing the internal FRU reinstall the controller module in the chassis using the steps described in the procedure Installing a controller in a chassis on page 206 Replacing a boot device in a controller The boot device stores a primary and secondary set of system files also called ...

Page 220: ...ou do a clean shutdown of the system for replacing the boot device The same system image should be installed after boot device replacement Note You must connect to the console port of the AltaVault controller to carry out the tasks in this procedure To remove the boot device from the controller 1 On the system console type the following commands to note details of the operating system image that i...

Page 221: ... remove it out of the holder Lifting the boot device at an angle can bend or break the connector pins in the boot device Note Do not remove the boot device holder from the controller it is not a FRU 9 Set the boot device aside Installing a boot device After you remove the faulty boot device from the controller you must copy system files and restore configuration information to the replacement boot...

Page 222: ...e FRU map on the controller module to help you locate the boot device holder 3 Open the boot device cover if applicable 4 Align the boot device with the boot device socket or connector and then firmly push the boot device straight down into the socket or connector 5 Identify boot device components as described in this table 6 Check the boot device to make sure that it is seated squarely and comple...

Page 223: ...s during the normal operation of the system With a uncorrectable memory errors the system reboots With correctable memory errors the system does not reboot the errors are recoverable and messages are recorded in the log Removing system DIMMs System DIMMs are not hot swappable FRUs To remove a system DIMM from the AltaVault controller shut down the system and remove the controller module from the c...

Page 224: ...the orientation of the DIMM in the socket so that you can insert the replacement DIMM in the proper orientation 6 Press down simultaneously on the two DIMM ejector tabs on either side of the DIMM to eject the DIMM from its slot and then carefully lift it out of the slot All system DIMMS have white ejector latches shown in the image below Component Description 1 CPU cover 2 DIMM 6 DIMM 5 DIMM 1 DIM...

Page 225: ...ll eight DIMMs are required for optimal system performance Before you begin verify that the system DIMM you are installing is supported by your controller model To install a system DIMM 1 If you are not already grounded properly ground yourself 2 Open the CPU cover in the AltaVault controller to access the slots for DIMMs 1 2 5 and 6 Loosen the thumbscrew on the appropriate side panel and remove t...

Page 226: ...venly aligned and fully inserted into the slot 8 Push carefully but firmly on the top edge of the DIMM until the latches snap into place over the notches at the ends of the DIMM displayed below An audible click sound indicates the DIMM is securely installed in the slot 9 Repeat the preceding steps to install additional DIMMs as needed 10 Close the CPU cover and close and lock the side panel 11 Rei...

Page 227: ...a faulty real time clock RTC coin battery in the controller module to ensure that your system s services and applications that depend on accurate time synchronization continue to function properly Removing an RTC battery Removing an RTC battery entails shutting down the system locating the battery in the controller module and removing the battery Before you begin Perform a clean system shutdown us...

Page 228: ...tery out of the holder Note The polarity of the battery as you remove it from the holder The battery is marked with a plus sign and must be positioned in the holder in the correct orientation when replaced A plus sign near the holder tells you how the battery should be positioned 4 Place the battery on an anti static surface Installing an RTC battery Before you begin verify that the RTC battery yo...

Page 229: ...he battery holder If it does not remove the battery and try again 5 Identify battery components as described in this table 6 Visually inspect the battery to make sure that it is completely installed into the holder and that the polarity is correct 7 Reinstall the controller module in the chassis connect power and reboot the system using the steps described in the procedure Installing a controller ...

Page 230: ...urning failed parts Return failed parts to NetApp as described in the RMA instructions shipped with the kit Contact technical support at mysupport netapp com 888 463 8277 North America Canada 00 800 44 638277 Europe EMEA or 800 800 80 800 Asia Pacific if you need the RMA number or additional help with the replacement procedure Disposing of batteries Dispose of batteries according to local regulati...

Page 231: ...d enable email notifications 1 7 Email address or alias for Notification of Events and Failures There are two groups of notifications Events Group and Failure Group 1 8 Domain name for the appliance This needs to be configured in DNS as well to resolve fqdn of the appliance 1 10 Time zone in which the appliance will be installed 2 Cloud provider credentials and storage configuration Notes 2 1 Name...

Page 232: ...rt of AD Domain Yes No If Yes Domain administrator credentials will be required to join the AD Domain 2 14 Preferred domain controllers specify up to three domain controllers 2 15 SMB Username s Groups to be given access to the share 2 16 NFS Export Name naming convention to be used 2 17 Is NFSv4 Kerberos required If yes Kerberos keytab and conf files are required 2 18 OST Share Name s naming conv...

Page 233: ... the Data Interfaces If so does the LAN switch support 802 3ad 3 6 1 Provide up to 4 x IP address Netmask Gateway for each 4x1Gbe port 2 Provide up to 4 x IP addresses NetMask Gateway for each 4x10Gbe port 3 7 Specify the type of SFP for 10Gbe Optical NICs 4 Advance features Notes 4 1 Bandwidth throttling for replication to cloud 4 2 Alarms Announcements Logging Scheduled Reports 4 3 SNMP 3 Networ...

Page 234: ...234 NetApp AltaVault Cloud Integrated Storage Administration Guide Beta Draft Administrator s configuration worksheet Configuration worksheet ...

Page 235: ... AltaVault MIB NTAP MIB txt or AVA MIB txt from the Management Console and load it into any MIB browser utility Some utilities might expect a file type other than a text file If this occurs change the file type to the one expected Some utilities assume that the root is mib 2 by default If the utility sees a new node such as enterprises it might look under mib 2 enterprises If this occurs use iso o...

Page 236: ...P health systemHealth The AltaVault tracks key hardware and software metrics and alerts you of any potential problems so that you can quickly discover and diagnose issues Appliance health falls into one of the following states Healthy The AltaVault is functioning and optimizing storage Needs Attention The AltaVault is optimizing storage but there are management related issues Degraded The AltaVaul...

Page 237: ...cess exit If none exist Contact NetApp Support to determine the cause of this event No other action is required on the appliance because the crashed process is automatically restarted configChange 1 3 6 1 4 1 17163 1 102 4 0 3 A change has been made to the system s configuration A configuration change has been detected View the log files around the time of this trap to determine what changes were ...

Page 238: ...upport for an RMA replacement soon ipmi 1 3 6 1 4 1 17163 1 102 4 0 10 Degraded An IPMI event has been detected on the appliance Check the details in the alarm report on the Web UI not supported on all models An Intelligent Platform Management Interface IPMI event has been detected Check the Alarm Status page for more detail You can also view the IPMI events on the AltaVault by entering the CLI co...

Page 239: ...WBASE license is missing expired or invalid A license on AltaVault has been removed has expired or is invalid The alarm clears when a valid license is added or updated lowSpace 1 3 6 1 4 1 17163 1 102 4 0 22 The backup service is running out of space The AltaVault storage optimization service is running out of space Delete extra files and ensure that there is more space overCapacity 1 3 6 1 4 1 17...

Page 240: ...ppliance starts evicting data from the local disk cache and the age of the evicted data is relatively young An AltaVault has disk space much smaller than the total addressable space on the cloud and if disk space runs low the appliance starts evicting data from disk that has not been used recently This keeps only fresh and frequently accessed data in cache The AltaVault keeps statistics about how ...

Page 241: ...ror 1 3 6 1 4 1 17163 1 102 4 0 38 The appliance has detected an error with one or more disks One or more disks had has detected an error shelfPowerSupply 1 3 6 1 4 1 17163 1 102 4 0 39 One or more shelves have a power supply error One or more shelves have a power supply error hwraidBbuError 1 3 6 1 4 1 17163 1 102 4 0 40 The Storage Optimization Service is disabled because the RAID is degraded an...

Page 242: ... threshold but has now fallen back to an acceptable threshold If CPU utilization spikes are frequent it might be because the system is undersized Sustained CPU load can be symptomatic of more serious issues Consult the CPU Utilization report to gauge how long the system has been loaded and also monitor the amount of traffic currently going through the appliance A one time spike in CPU is normal bu...

Page 243: ...63 1 102 4 0 10021 The appliance is now properly licensed A license on the AltaVault was removed had expired or was invalid but the license has been installed correctly again lowSpaceClear 1 3 6 1 4 1 17163 1 102 4 0 10022 The appliance now has enough space for datastore The appliance did not have enough space for datastore earlier Now it has enough space and the alarm is cleared overCapacityClear...

Page 244: ...up units are functioning properly All the battery backup units are functioning properly hwraidIntegrityCheckClear 1 3 6 1 4 1 17163 1 102 4 0 10041 RAID integrity check alarm cleared The RAID integrity check alarm cleared evalModeExpiryClear 1 3 6 1 4 1 17163 1 102 4 0 10042 The virtual appliance is no longer running in evaluation mode The virtual appliance is no longer running in evaluation mode ...

Page 245: ...Clear 1 3 6 1 4 1 17163 1 102 4 0 10050 All power supplies are now functioning normally All the power supplies are functioning controllerFanErrorClear 1 3 6 1 4 1 17163 1 102 4 0 10051 All controller fans are now functioning normally All the controller fans are functioning Trap and OID AltaVault Appliance State Text Description ...

Page 246: ...246 NetApp AltaVault Cloud Integrated Storage Administration Guide AltaVault appliance MIB SNMP traps ...

Page 247: ...guration One IAM user created exclusively for AltaVault Access keys are generated for the user and entered into the AltaVault cloud configuration AltaVault never requires access keys for the root AWS account It is recommended that access keys are not generated for the root account An IAM group is created with the AltaVault user A policy is set on the group that allows only the permissions used by ...

Page 248: ...ucketMultipartUploads GetLifecycleConfiguration PutLifecycleConfiguration On objects inside the configured cloud bucket AbortMultipartUpload DeleteObject GetObject ListMultipartUploadParts PutObject RestoreObject Sample of IAM policy Below is a sample of the IAM policy implementing the above permissions Version 2012 10 17 Statement Sid Stmt1394143726000 Effect Allow Action s3 ListAllMyBuckets Reso...

Page 249: ...ult management console under Configure Cloud Settings allows access by the IAM user configured for AltaVault No access by any other user is required AltaVault requires a set of permissions in the bucket policy similar to the set of permissions for an IAM policy with the exception of s3 ListAllMyBuckets and s3 CreateBucket which are not relevant at the bucket level Sample of bucket policy Below is ...

Page 250: ...d Storage Administration Guide Beta Draft Amazon AWS IAM and S3 bucket policies Bucket policies for AltaVault s3 PutObject s3 RestoreObject Effect Allow Resource arn aws s3 bucket_name Principal AWS arn aws iam 123456789012 user user_name ...

Page 251: ... data for immediate recovery needs For more information on the two appliance modes see the table in the section Deployment guidelines on page 13 Protecting data to Amazon Glacier Protecting backup and critical production servers using Glacier also adds additional considerations In most data protection scenarios backup servers would be protected the same way as any other production server backup da...

Page 252: ...from the cloud on demand In such cases you must first manually restore the files to be read from the cloud to the local cache on AltaVault using either the prepopulation GUI or CLI commands After the data is restored from the cloud it can be read from the local cache When recovering data from Amazon Glacier NetApp requires that all the data segments related to a restore or retrieve by the backup a...

Page 253: ...prepopulate the files nfs dir_1 test 1 txt and nfsv4 dir_1 dir_2 test 2 txt enter the following path names nfs dir_1 test 1 slab nfsv4 dir_1 dir_2 test 2 slab To prepopulate all the files under nfs enter the following path name nfs To prepopulate the files smb app_1 test_file txt and smb app_2 test_file txt enter the following path names smb app_1 test_file txt smb app_2 test_file txt To prepopula...

Page 254: ...tname config datastore prepop num days number of days start date end date pattern pattern retrieval type dryrun Status Retrieval operation status New No files have been identified for prepopulation Creating System is identifying files for prepopulation Enqueued The prepopulation task has been recorded The AltaVault has not started processing it Processing AltaVault is identifying data that must be...

Page 255: ...nd date Specifies the date on which the data retrieval should end Stop prepopulating files on or after this date Enter a date in the format yyyy mm dd pattern pattern Filters the data retrieved by the pattern you specify The pattern specified contains a required internal share name created on AltaVault one or more optional subfolder names from the external share name visible to the user and finall...

Page 256: ...n datastore prepop pattern smb f Populates only file1 and file2 using Standard retrieval default datastore prepop pattern smb retrieval type bulk Populates all of the files file1 through file7 with directory1 and directory2 using Bulk retrieval datastore prepop pattern smb directory1 retrieval type standard Populates only file3 and file4 using Standard retrieval datastore prepop pattern smb direct...

Page 257: ...mand hostname config datastore prepop pattern fulls hostA img start date 2017 01 01 end date 2017 01 02 retrieval type expedited To prepopulate all backups for Host A that occurred in the past 30 days from the current time using standard retrieval default enter the following command hostname config datastore prepop num days 30 pattern fulls hostA img retrieval type standard To prepopulate all back...

Page 258: ...s well as possible eviction of backup data in order to place the recovered data on cache Enable automatic prepopulation only after careful consideration To confirm the prepopulation status enter the following command hostname config show datastore prepop auto enable autoprepop enable true To disable automatic prepopulation 1 Connect to the AltaVault command line interface using SSH 2 In configurat...

Page 259: ...hare or mount Linux find AVAmntpointname name 8d5688a2 00000006 feba0a49 51ba0a49 0003 AVAmntpointname networker 66 76 notes 8d5688a2 00000006 feba0a49 51ba0a49 00030e00 a8d346b6 AVAmntpointname networker 66 76 8d5688a2 00000006 feba0a49 51ba0a49 00030e00 a8d346b6 Windows Map AltaVault share path as Windows mapped network drive Z in this example Z dir 8d5688a2 00000006 feba0a49 51ba0a49 00030e00 a...

Page 260: ..._VERSION TYPE FILE HL_NAME BACKUP SET2 LL_NAME MYFILE TXT OBJECT_ID 1062 BACKUP_DATE 2013 04 23 20 02 38 000000 DEACTIVATE_DATE OWNER CLASS_NAME DEFAULT NODE_NAME CLIENT1 FILESPACE_NAME CLIENT1 s FILESPACE_ID 1 STATE ACTIVE_VERSION TYPE FILE HL_NAME BACKUP SET3 LL_NAME MYFILE TXT OBJECT_ID 6786 BACKUP_DATE 2013 04 23 20 06 19 000000 DEACTIVATE_DATE OWNER CLASS_NAME DEFAULT 2 From the list of file ...

Page 261: ...he following Spectrum Protect administrative SELECT command using the appropriate storage pool name that points to AltaVault select volume_name from volumes where stgpool_name AVASTGPOOLNAME select volume_name from volumes where stgpool_name AVACOPYPOOL VOLUME_NAME AltaVault 01 TSM 00000002 BFS VOLUME_NAME AltaVault 01 TSM 00000003 BFS VOLUME_NAME AltaVault 01 TSM 00000004 BFS 2 Prepopulate the vo...

Page 262: ...e 252 and wait until the files migrate from Glacier to the AltaVault cache 5 Initiate your restore from the NetBackup GUI as you normally would to complete the recovery AltaVault appliance best practices for Veritas Backup Exec for Amazon Glacier The Backup Exec job activity page maintains inventory of the backups which can be used to identify which media volumes are required for restore Those vol...

Page 263: ...Glacier storage megastore keep bkf local enable 6 Prepopulate the file or files identified in Step 5 using the Prepopulation GUI as described in Restoring data from the cloud using the prepopulation page on page 252 and wait until the files migrate from Glacier to the AltaVault cache AltaVault appliance best practices for Veeam backup and replication for Amazon Glacier For Veeam Backup Replication...

Page 264: ...vbk file plus all subsequent vib files and the job metadata file with the vbm extension using the Prepopulation GUI as described in Restoring data from the cloud using the prepopulation page on page 252 and wait until the files migrated from Glacier to the AltaVault cache Note There is no need to prepopulate older backup chains Veeam time stamps the backup job files to make it easy to identify The...

Page 265: ... LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE NetApp reserves the right to change any products described herein...

Page 266: ...266 NetApp AltaVault Cloud Integrated Storage Administration Guide Beta Draft Copyright Information ...

Page 267: ...ltiStore NetApp Insight OnCommand ONTAP ONTAPI RAID DP RAID TEC SANtricity SecureShare Simplicity Simulate ONTAP Snap Creator SnapCenter SnapCopy SnapDrive SnapIntegrator SnapLock SnapManager SnapMirror SnapMover SnapProtect SnapRestore Snapshot SnapValidator SnapVault StorageGRID Tech OnTap Unbound Cloud and WAFL and other names are trademarks or registered trademarks of NetApp Inc in the United ...

Page 268: ...268 NetApp AltaVault Cloud Integrated Storage Administration Guide Beta Draft Trademark Information ...

Page 269: ...vide the most accurate and high quality information If you have suggestions for improving this document send us your comments by email to doccomments netapp com To help us direct your comments to the correct division include in the subject line the product name version and operating system You can also contact us in the following ways NetApp Inc 495 East Java Drive Sunnyvale CA 94089 U S Telephone...

Page 270: ...270 NetApp AltaVault Cloud Integrated Storage Administration Guide Beta Draft How to Send Your Comments ...

Page 271: ... paging 135 process dump staging directory inaccessible 135 secure vault 135 software update available 135 system disk full 64 136 Alarm status link duplex error 134 link I O error 135 Alarm Status report definition of 133 viewing 136 Alarm thresholds setting 59 Alert 75 76 77 Allow All Clients 43 44 Allow Everyone Access 39 Allow Session Timeouts When Viewing Auto Refreshing Pages 91 Allow Specif...

Page 272: ...4 replacement 203 replacing chassis 208 shut down 203 CPU utilization 61 133 CPU Utilization report definition of 136 viewing 137 Created 115 Critical 75 76 77 Current Configuration 120 Current Password 90 D data preservation 204 restoration 178 restoration for disaster recovery 181 Data Integrity Error 133 Data interface routing configuring 55 Data interfaces modifying 54 data restoration disaste...

Page 273: ...wap fan module 209 PSUs 212 I Info 75 76 77 Install 118 install AVA10S Shelves 215 chassis 209 controller in chassis 206 fan module 211 Interface 53 100 management 53 interface primary 53 Interface Statistics report definition of 138 viewing 139 internal FRU replacement 218 Interval 115 IP Address 66 89 IP Configuration 55 56 IPMI 62 134 IPv4 address obtaining automatically 21 53 specifying manual...

Page 274: ...efinition of 155 Offline File System Check report viewing 155 Online File System Check 156 OpenStorage Technology OST 45 Optimization Service 19 OST 45 configuring 45 Override the Global Default Key 88 89 P Pages and reports printing 20 PAP 88 Password 90 password service processor 200 password policy 85 Path 39 Perl regular expression 150 Pin Export 43 Pin Share 39 Pinned Data 39 pinned data 45 P...

Page 275: ...ve Current Configuration 120 Scanning system logs 150 sched 77 Schedule Reports 131 Schedule Upgrade for Later 118 Scheduled Reports purpose 131 132 Scheduled reports configuring 132 Scheduling replication 36 Secret Text 67 Secret Key 28 30 Secure access by inbound IP address 99 Secure Access Policies 71 Secure Groups 71 Secure groups setting 72 Secure Vault 63 135 unlocking and changing the passw...

Page 276: ...hassis specifications 184 System Contact 68 system DIMM 188 install 225 removal 223 System Disk Full 64 136 System dump viewing 145 system LEDs behavior 186 description 186 System Location 68 System logs downloading 145 System logs viewing 142 system memory DIMMs 223 System Status 19 System logging out of 20 T TACACS authentication method setting 79 TCP dump 146 TCP trace dump 146 Temperature 65 T...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands