EMC CX-300 Agent Issue, can not add Privileged user.

trying to successfully add a Privileged user to the Storage Processor and the server with the HBA, so that I can get the event monitoring to work
Format is User@Hostname, but all entries fail. Have read all available documentation available. Any help greatly appreciated, thanks.
leeroy13Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Duncan MeyersCommented:
The file you modify is c:\Program Files\EMC\Navisphere Agent\agent.config. Do not add your privileged user in Navisphere.

The simplest way to configure agent.config is to add two entries:

system@IP address of SPA
system@IP address of SPB

If you add additional users in the user@hostname, then you restrict access to management of the array; that is, if you're not listed in the privileged hosts, then you can't perform Navisphere CLI commands (bad if you've scripted SnapView operrations) or run Navisphere. Also, the last host to boot in the SAN will over-ride privileged host entries from other hosts - which is a pain.

I reccommend that you you should have the two entries as posted unless you have a very strong reason to restrict management access further.

What event monitoring are you trying to set up?
0
prof666Commented:
To add users/hosts to the priviledged list ON the clariion go to:

http://<SPA IP ADDRESS>/setup

Make sure you have more than one address listed.
0
leeroy13Author Commented:
meyersd,
Thanks, I have added the SP's in DNS. Edited the HBA server c:\Program Files\EMC\Navisphere Agent\agent.config

clarDescr
clarContact
poll 60
baud 9600
eventlog 2048
dlbackadm@houafs01.sbibcorp.com
mdarbyadm@houafs01.sbibcorp.com
EMCAGENT@houafs01.SBIBCORP.COM
HOUCX300SPA@10.88.2.188
HOUCX300SPB@10.88.2.189

Also have a file called AgentId.txt, per Navisphere documentation.

HOUAFS01.SBIBCORP.COM

10.88.2.184

Still not working, trying to setup a global monitor template in Navisphere, Hosts folder. Right
Click host and select either Monitor options or select global template I get Two error messages
Agent denied request then (ERROR Applying Template) or Error saving configuration.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

leeroy13Author Commented:
prof666,
You are correct, I clearly pointed out that the users had been added. But they are being denied.
I do not understand what you are refering to when you state "Make sure you have more than one address
listed." ?
0
Duncan MeyersCommented:
Morning leeroy13,

You still need to add:

system@<IP address of SPA>
system@<IP address of SPB>

I'm guessing that these two entries are your CX300 SPs:
HOUCX300SPA@10.88.2.188
HOUCX300SPB@10.88.2.189


So you must change your agent.config file to read:

clarDescr
clarContact
poll 60
baud 9600
eventlog 2048
system@10.88.2.188
system@10.88.2.189
dlbackadm@houafs01.sbibcorp.com
mdarbyadm@houafs01.sbibcorp.com
EMCAGENT@houafs01.SBIBCORP.COM

I'd also reccommend that you change the entries for:

dlbackadm@houafs01.sbibcorp.com
mdarbyadm@houafs01.sbibcorp.com
EMCAGENT@houafs01.SBIBCORP.COM
to
hostname@IP address

Note that the CX300 cannot perform any form of network name resolution (either DNS or NetBIOS)
But, as I posted earlier, you're better off leaving the host entries out. I'd suggest you try this agent.config as a test:

clarDescr
clarContact
poll 60
baud 9600
eventlog 2048
system@10.88.2.188
system@10.88.2.189
# dlbackadm@houafs01.sbibcorp.com    --> note that these entries are commented out for testing purposes.
# mdarbyadm@houafs01.sbibcorp.com  --> note that these entries are commented out for testing purposes.
# EMCAGENT@houafs01.SBIBCORP.COM--> note that these entries are commented out for testing purposes.

You *must* then restart Navisphere Agent or reboot the server for the changes to be effective.  Then try again to set up the monitor template.

Are you trying to set up email home? If you CX300 was supplied from EMC then it should already be configured for dial-home or e-mail home. If it came from Dell, then Dell should have configured e-mail home already, in which case, it is a simplke matter to add e-mail addresses to the template.

The AgentID.txt is not necessary unless your server is multi-homed, is a cluster, or, for whatever reason, needs to use a different IP address than the server's promary IP address to expose to Navisphere. I'd delete it if you don't need it.
0
prof666Commented:
The list of users on the CX300 is a list of systems allowed to make API calls. I suggested you have more than one because if you loose that one host then you cannot make API call to the array without changing the list.
0
Duncan MeyersCommented:
With all due respect, it is not. It is a list of users on specific servers that are allowed to manage the array from Navisphere. If you are logged in to a workstation and you try to manage the array *even if* you have the array administrator user name and password, then you can't do squat if you aren't in the list of privileged users. It is a hang-over from older FC -series arrays and the much older Navisphere in which you couls only manage the array from a FC connected server. It is a PITA, quite frankly - which is why I just set up the SP addresses only when setting up an array. In my experience, the overhead of keeping track of privileged users is simply not worth the marginal (and debatable) security enhancement.

The fact that leeroy13 has defined users in his priviliged users list is the reason he's having problems setting up the Monitor templates.
0
leeroy13Author Commented:
meyersd
Let's keep trying.
One note the CX-300 does do some name resolution, I have three dell's w/dual nics.
I left the second nic uncabled on all three, found the teaming drivers on Intel.
Plugged in the nics to set up and got distracted, next thing I know I have DHCP addresses
assigned to the second nics, and the CX-300 picked up the new addresses ?


clarDescr
clarContact
poll 60
baud 9600
eventlog 2048
system@10.88.2.188
system@10.88.2.189

Still does not work, stopped the agent service, waited fiftenn minutes and went back into Navisphere.
Neither DELL or EMC set it up, MTI sent over a Hard drive Jockey and after eight hours we ran him off,
Still argueing with MTI over proffessional services billed.
0
Duncan MeyersCommented:
agent.config has to be the same on all three SAN attached servers.

Next step is to fix your NIC teaming and get the server addressing sorted out.
 
Then :

In Navisphere, under the Storage tab there is a list of all SAN attached hosts. You should see your three servers there. They should not have a brown U against them (which indicates unmanaged). The hosts will not appear in this section if they have no attcahed storage, but you should see them under the Hosts tab.

Right click on the top level under the Storage tab (usually shows the array serial number) and select Connectivity status. On the left hand side of the window, you'll see a small ico, then the  Fibre Channel WWN. You'll then have two columns, Logged In and Registered, and finally the host name.  The small icon should be green. If it is blue, then the hosts have not registered properly. Both Logged In and Registered should be Yes for all SAN connected hosts that are powered on with Navisphere Agent installed. Finally, the hostname should be the fully qualified hostname (assuming W2K or W2K3).

Next, close the Connectivity Status screen and right-click on the individual hosts under the Hosts tab. Select Properties. From the Properties screen, you'll see a tab for Storage and one that displays the properties of the host Agent. The host agent should display as managed and show only the entries for the SPs in the Privileged User list. If you have more than just system@SPA and system@SPB for any host, go to that host and fix agent.config and restart the agent on the host. Note that it can up to about 10 minutes for the change in agent.confg on the host to be reflected in Navisphere.
 
Is this what you see?
0
leeroy13Author Commented:
meyersd,
Nics were fixed immediately, just an FYI.
Yes, registered and logged in. The server icon is blue and the hba port icon (4) two hba's are green.

Host Tab, host agent is still not managed and does not show the entriees for the SP's.
The only test/change I have done is to enter
device auto auto, for the Device Configuration section.
This change is reflected in two of the three servers, removing the
entry also updates those two agents by removing the check in the box.
I can change the number of log entries and that updates, but still can not
add the SP's as Privileged Users.
0
Duncan MeyersCommented:
>I can change the number of log entries and that updates, but still can not
add the SP's as Privileged Users.

It is best not to add entries manually to the list of Privileged Users in the Navisphere Manager host properties. The **only** place where these changes should be made is:
C:\Program Files\EMC\Navisphere Agent\agent.config
then restart Navisphere Agent or reboot the host.  Any changes should be made on all your SAN-attached servers
0
leeroy13Author Commented:
meyersd,
that is what is occuring, only changes are on the SAN-attached servers.
Just confirming the agent is able to update itself, except for privileged users.
0
Duncan MeyersCommented:
Change AgentID.txt to AgentID.txt-sav then restart Navisphere Agent on all SAN attached hosts.
0
leeroy13Author Commented:
deleted AgentID.txt, ran netmom and monitored both server agent and SP agent conversations.
See in the capture file that SP sends over SYSTEM and IP.
See in the capture file that host attempts to senf over monitor template.
Result still the same error expalining agent denied request by server agent.
0
Duncan MeyersCommented:
Can you post the precise error please? Right click on each SP in Navisphere, click on Event Log. The error will likely be in SPA's event log and may take some finding.

What version of FLARE code are you running? Please post it here. If the box is recently installed, then you should be on Release 19. You can get the FLARE code revision by going to the top level in Navisphere (the array serial number), right click, select Properties, then select the Software tab. FLARE code version is in the format 02.xx.300.5.xxx. The first xx is the major revision (likely to be 16 or 19 in your case, second xxx is the patch release version).

The symptoms suggest that you still have a privileged user set *somewhere*. It's just a matter of finding it...

Can you check each host under the Hosts tab in Navisphere, and check to see that each Agent shows as Managed, and that no entries other than system@xx.xx.xx.xx are in the Privileged Users field?

Also - this doesn't make sense: "Yes, registered and logged in. The server icon is blue and the hba port icon (4) two hba's are green."
Can you post excatly where you found these details?
0
Duncan MeyersCommented:
Hi leeroy13,

Any news?

0
leeroy13Author Commented:
meyersd,
Tech Support finally webexed.
The Agent.Config file,
needed
user system@IP_SP

Then I had a zoning issue or lack of to the second SP,
deleted on of the two paths to SPA and added a zone to
SPB.

Next thing you know stopping the service and restarting and I am priviliged.

One issue, the HBA is registered to SPB now, but not logged in (connectivity status) how do I resolve
that issue ?
0
Duncan MeyersCommented:
>user system@IP_SP

D'oh! D'oh! D'oh! Yes, of course (slaps forehead, kicks own backside)... I'm **extremely** embarrassed I missed the key word "user" there. I've been doing this stuff with Clariions day in, day out for more than 5 years now, and I should have spotted that...

>One issue, the HBA is registered to SPB now, but not logged in (connectivity status) how do I resolve that issue ?

If there is no Fibre Log In, then the switch zoning is wrong, or you have the wrong driver/firmware for the FC HBA.

To explain: the FC HBA registers itself with the FC switch when the HBA driver is loaded - this is a FLOGI (fabric log in). You'll notice that the lights on the HBA in the server are yellow until about halfway through the server boot, when they turn green once the HBA has logged in to the switch. During the FLOGI process, the HBA registers itself with the switch's name server and it get a 24 bit address which is used in all communications. The WWN is only really used in the initial registration process, and in providing a unique ID to the storage.

The next part of the process is a port log in, or PLOGI - whcih is an end to end log in. In this case, the server is logging into the CX300. No communications can begin until the PLOGI process completes. The server and storage negotiate communications parameters during the PLOGI process.

It is the PLOGI from server to CX300 that is failing in your case. This means that either the switch zoning is wrong or the HBA firmware or driver is wrong.

Can you post the following:

HBA make and model (QLogic or Emulex)
HBA firmware version
HBA driver version
Make and model of the FC switch
Can you post the relevant zone configuration too, please.
 

Finally, this article explains the fabric log ins pretty well: http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/tips0035.html?Open
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
leeroy13Author Commented:
Just needed to reboot after a zone change.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Storage Software

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.