Brocade SMI Agent User’s Guide

53-1001778-01

Access control

An SMI client uses a two-level login: one login to the SMI-A and another login to the proxy switch to 
gain access to a fabric. The SMI-A has a limitation of one connection per fabric, so all SMI clients 
share the same connection to a fabric even if they have different Role-Based Access Control (RBAC) 
roles.

To enable SMI clients to have different RBAC roles, you can map each SMI client to a different 
switch user. With this mapping, SMI clients can have different RBAC roles, even though they share 
the same connection to the fabric.

For additional information about RBAC roles, see the Brocade SMI Agent Developer’s Guide.

The Brocade SMI Agent Configuration Tool has two Access Control options:

- User Mapping
- Default User Mapping

The User Mapping option allows you to map specific SMI-A users to specific switch user names. The 
Default User Mapping option allows you to set up the mapping for all other SMI-A users. Using 
these two options, you can restrict access to specific SMI-A users. For example, in the User 
Mapping section you can specify a few SMI-A users who have admin-level access and give all the 
other SMI-A users user-level access in the Default User Mapping section.
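
The mapping logic described above, modelled as an added example (not code from the guide or from the Configuration Tool): a specific User Mapping entry wins, the Default User Mapping covers every other SMI-A user, and the audit flags a default that hands out an admin-level switch account. The account names, the role table and the single-fabric data model are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: the account names and this role table are assumptions
# made for the example, not values from the guide or the tool's file format.
SWITCH_ROLES = {"fabadmin": "admin", "fabview": "user"}  # switch user -> RBAC role
ELEVATED = {"admin"}  # roles that should only be granted by a specific mapping


@dataclass(frozen=True)
class AccessControl:
    """Access control settings for one fabric connection (hypothetical model)."""
    default_switch_user: str  # "Default User Mapping"
    user_mapping: dict = field(default_factory=dict)  # "User Mapping": SMI-A user -> switch user

    def switch_user_for(self, smia_user):
        # A specific mapping wins; all other SMI-A users get the default.
        return self.user_mapping.get(smia_user, self.default_switch_user)


def effective_role(acl, smia_user, roles=SWITCH_ROLES):
    """RBAC role the SMI-A user ends up with (None if the switch user is unknown)."""
    return roles.get(acl.switch_user_for(smia_user))


def elevated_smia_users(acl, roles=SWITCH_ROLES):
    """SMI-A users explicitly mapped to an elevated role: the list to review."""
    return sorted(u for u, s in acl.user_mapping.items() if roles.get(s) in ELEVATED)


def audit(acl, roles=SWITCH_ROLES):
    """Return least-privilege findings as (code, detail) tuples."""
    findings = []
    targets = [("<default>", acl.default_switch_user)] + sorted(acl.user_mapping.items())
    for smia_user, switch_user in targets:
        role = roles.get(switch_user)
        if role is None:
            findings.append(("unknown-switch-user",
                             f"{smia_user} -> {switch_user}: role cannot be verified"))
        elif smia_user == "<default>" and role in ELEVATED:
            findings.append(("default-elevated",
                             f"every unmapped SMI-A user gets role {role!r}"))
    return findings


# Weak: the default hands the admin-level account to anyone not listed.
WEAK = AccessControl(default_switch_user="fabadmin",
                     user_mapping={"report-svc": "fabview"})
# Corrected: a named few get admin-level access, everyone else user-level.
FIXED = AccessControl(default_switch_user="fabview",
                      user_mapping={"san-ops": "fabadmin"})

if __name__ == "__main__":
    for name, acl in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(acl), elevated_smia_users(acl),
              effective_role(acl, "unlisted-client"))
```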

TABLE 1 Login failure status messages

| LoginAsUser Return Code | Status message in Proxies panel | Description |
|---|---|---|
| RT_NOT_SUPPORTED | Not supported | Access protocol is not supported. |
| RT_ALREADY_EXISTS | Duplicate Connection | Attempt to make an additional connection to an already connected switch, or an attempt to make a connection to a switch in a fabric that is already connected through another switch. |
| RT_PWD_EXPIRED | Password Expired | Login failed due to password expired. |
| RT_ACCOUNT_LOCKOUT | Account Lockout | Login account is locked out. |
| RT_ACCOUNT_DISABLED | Account Disabled | Login account is disabled. |
| RT_TIMEOUT | Connection Timed Out | Connection timed out. |
| RT_FAILED | Connection Failed | |
| RT_SUCCESS | Connected | Login successful. |
| RT_INVALID_PARAMETER | Invalid Connection Parameter | Some connection parameters are invalid. |
| RT_INSUFFICIENT_VF_MEMBERSHIP | Insufficient VF Membership | Login failed due to insufficient VF (user does not have admin/chassis access across VF) membership. |
| RT_INSUFFICIENT_USER_ROLE | Insufficient User Role | Login failed due to insufficient user role. |
| RT_INVALID_PASSWORD | Invalid Password | Login failed due to invalid username/password. |
| RT_NOT_ENOUGH_RPC_HANDLES | Not Enough RPC Handles | Login failed due to insufficient number of RPC handles (20 max). |

Contents of 53-1001778-01

Page 1: ...53 1001778 01 30 March 2010 Brocade SMI Agent User s Guide Supporting SMI Agent 120 11 0...
