EMC CX-300 Agent Issue, can not add Privileged user.

Posted on 2006-03-24
Last Modified: 2013-11-15
Trying to successfully add a Privileged user to the Storage Processor and the server with the HBA, so that I can get the event monitoring to work.
Format is User@Hostname, but all entries fail. Have read all available documentation. Any help greatly appreciated, thanks.
Question by:leeroy13
 
LVL 30

Expert Comment

by:Duncan Meyers
ID: 16296039
The file you modify is c:\Program Files\EMC\Navisphere Agent\agent.config. Do not add your privileged user in Navisphere.

The simplest way to configure agent.config is to add two entries:

system@IP address of SPA
system@IP address of SPB

If you add additional users in the user@hostname, then you restrict access to management of the array; that is, if you're not listed in the privileged hosts, then you can't perform Navisphere CLI commands (bad if you've scripted SnapView operations) or run Navisphere. Also, the last host to boot in the SAN will over-ride privileged host entries from other hosts - which is a pain.

I recommend that you should have the two entries as posted unless you have a very strong reason to restrict management access further.

What event monitoring are you trying to set up?
0
 
LVL 6

Expert Comment

by:prof666
ID: 16298226
To add users/hosts to the privileged list ON the clariion go to:

http://<SPA IP ADDRESS>/setup

Make sure you have more than one address listed.
0
 

Author Comment

by:leeroy13
ID: 16304802
meyersd,
Thanks, I have added the SP's in DNS. Edited the HBA server c:\Program Files\EMC\Navisphere Agent\agent.config

clarDescr
clarContact
poll 60
baud 9600
eventlog 2048
dlbackadm@houafs01.sbibcorp.com
mdarbyadm@houafs01.sbibcorp.com
EMCAGENT@houafs01.SBIBCORP.COM
HOUCX300SPA@10.88.2.188
HOUCX300SPB@10.88.2.189

Also have a file called AgentId.txt, per Navisphere documentation.

HOUAFS01.SBIBCORP.COM

10.88.2.184

Still not working. Trying to set up a global monitor template in Navisphere, Hosts folder. When I right-click the host and select either Monitor options or select global template, I get two error messages:
Agent denied request, then (ERROR Applying Template) or Error saving configuration.
0

 

Author Comment

by:leeroy13
ID: 16304851
prof666,
You are correct, I clearly pointed out that the users had been added. But they are being denied.
I do not understand what you are referring to when you state "Make sure you have more than one address listed."?
0
 
LVL 30

Expert Comment

by:Duncan Meyers
ID: 16305880
Morning leeroy13,

You still need to add:

system@<IP address of SPA>
system@<IP address of SPB>

I'm guessing that these two entries are your CX300 SPs:
HOUCX300SPA@10.88.2.188
HOUCX300SPB@10.88.2.189


So you must change your agent.config file to read:

clarDescr
clarContact
poll 60
baud 9600
eventlog 2048
system@10.88.2.188
system@10.88.2.189
dlbackadm@houafs01.sbibcorp.com
mdarbyadm@houafs01.sbibcorp.com
EMCAGENT@houafs01.SBIBCORP.COM

I'd also recommend that you change the entries for:

dlbackadm@houafs01.sbibcorp.com
mdarbyadm@houafs01.sbibcorp.com
EMCAGENT@houafs01.SBIBCORP.COM
to
hostname@IP address

Note that the CX300 cannot perform any form of network name resolution (either DNS or NetBIOS).
But, as I posted earlier, you're better off leaving the host entries out. I'd suggest you try this agent.config as a test:

clarDescr
clarContact
poll 60
baud 9600
eventlog 2048
system@10.88.2.188
system@10.88.2.189
# dlbackadm@houafs01.sbibcorp.com    --> note that these entries are commented out for testing purposes.
# mdarbyadm@houafs01.sbibcorp.com  --> note that these entries are commented out for testing purposes.
# EMCAGENT@houafs01.SBIBCORP.COM--> note that these entries are commented out for testing purposes.

You *must* then restart Navisphere Agent or reboot the server for the changes to be effective.  Then try again to set up the monitor template.

Are you trying to set up email home? If your CX300 was supplied from EMC then it should already be configured for dial-home or e-mail home. If it came from Dell, then Dell should have configured e-mail home already, in which case, it is a simple matter to add e-mail addresses to the template.

The AgentID.txt is not necessary unless your server is multi-homed, is a cluster, or, for whatever reason, needs to use a different IP address than the server's primary IP address to expose to Navisphere. I'd delete it if you don't need it.
0
 
LVL 6

Expert Comment

by:prof666
ID: 16306295
The list of users on the CX300 is a list of systems allowed to make API calls. I suggested you have more than one because if you lose that one host then you cannot make API calls to the array without changing the list.
0
 
LVL 30

Expert Comment

by:Duncan Meyers
ID: 16306340
With all due respect, it is not. It is a list of users on specific servers that are allowed to manage the array from Navisphere. If you are logged in to a workstation and you try to manage the array *even if* you have the array administrator user name and password, then you can't do squat if you aren't in the list of privileged users. It is a hang-over from older FC-series arrays and the much older Navisphere in which you could only manage the array from a FC connected server. It is a PITA, quite frankly - which is why I just set up the SP addresses only when setting up an array. In my experience, the overhead of keeping track of privileged users is simply not worth the marginal (and debatable) security enhancement.

The fact that leeroy13 has defined users in his privileged users list is the reason he's having problems setting up the Monitor templates.
0
 

Author Comment

by:leeroy13
ID: 16306506
meyersd
Let's keep trying.
One note: the CX-300 does do some name resolution. I have three Dells w/dual nics.
I left the second nic uncabled on all three, found the teaming drivers on Intel.
Plugged in the nics to set up and got distracted, next thing I know I have DHCP addresses
assigned to the second nics, and the CX-300 picked up the new addresses?


clarDescr
clarContact
poll 60
baud 9600
eventlog 2048
system@10.88.2.188
system@10.88.2.189

Still does not work, stopped the agent service, waited fifteen minutes and went back into Navisphere.
Neither DELL nor EMC set it up, MTI sent over a Hard drive Jockey and after eight hours we ran him off.
Still arguing with MTI over professional services billed.
0
 
LVL 30

Expert Comment

by:Duncan Meyers
ID: 16306586
agent.config has to be the same on all three SAN attached servers.

Next step is to fix your NIC teaming and get the server addressing sorted out.
 
Then:

In Navisphere, under the Storage tab there is a list of all SAN attached hosts. You should see your three servers there. They should not have a brown U against them (which indicates unmanaged). The hosts will not appear in this section if they have no attached storage, but you should see them under the Hosts tab.

Right click on the top level under the Storage tab (usually shows the array serial number) and select Connectivity status. On the left hand side of the window, you'll see a small icon, then the Fibre Channel WWN. You'll then have two columns, Logged In and Registered, and finally the host name. The small icon should be green. If it is blue, then the hosts have not registered properly. Both Logged In and Registered should be Yes for all SAN connected hosts that are powered on with Navisphere Agent installed. Finally, the hostname should be the fully qualified hostname (assuming W2K or W2K3).

Next, close the Connectivity Status screen and right-click on the individual hosts under the Hosts tab. Select Properties. From the Properties screen, you'll see a tab for Storage and one that displays the properties of the host Agent. The host agent should display as managed and show only the entries for the SPs in the Privileged User list. If you have more than just system@SPA and system@SPB for any host, go to that host and fix agent.config and restart the agent on the host. Note that it can take up to about 10 minutes for the change in agent.config on the host to be reflected in Navisphere.
 
Is this what you see?
0
 

Author Comment

by:leeroy13
ID: 16306810
meyersd,
Nics were fixed immediately, just an FYI.
Yes, registered and logged in. The server icon is blue and the hba port icon (4) two hba's are green.

Host Tab, host agent is still not managed and does not show the entries for the SP's.
The only test/change I have done is to enter
device auto auto, for the Device Configuration section.
This change is reflected in two of the three servers, removing the
entry also updates those two agents by removing the check in the box.
I can change the number of log entries and that updates, but still can not
add the SP's as Privileged Users.
0
 
LVL 30

Expert Comment

by:Duncan Meyers
ID: 16306825
>I can change the number of log entries and that updates, but still can not add the SP's as Privileged Users.

It is best not to add entries manually to the list of Privileged Users in the Navisphere Manager host properties. The **only** place where these changes should be made is:
C:\Program Files\EMC\Navisphere Agent\agent.config
then restart Navisphere Agent or reboot the host. Any changes should be made on all your SAN-attached servers.
0
 

Author Comment

by:leeroy13
ID: 16306863
meyersd,
that is what is occurring, only changes are on the SAN-attached servers.
Just confirming the agent is able to update itself, except for privileged users.
0
 
LVL 30

Expert Comment

by:Duncan Meyers
ID: 16307129
Change AgentID.txt to AgentID.txt-sav then restart Navisphere Agent on all SAN attached hosts.
0
 

Author Comment

by:leeroy13
ID: 16313519
Deleted AgentID.txt, ran netmon and monitored both server agent and SP agent conversations.
See in the capture file that SP sends over SYSTEM and IP.
See in the capture file that host attempts to send over monitor template.
Result still the same error explaining agent denied request by server agent.
0
 
LVL 30

Expert Comment

by:Duncan Meyers
ID: 16316049
Can you post the precise error please? Right click on each SP in Navisphere, click on Event Log. The error will likely be in SPA's event log and may take some finding.

What version of FLARE code are you running? Please post it here. If the box is recently installed, then you should be on Release 19. You can get the FLARE code revision by going to the top level in Navisphere (the array serial number), right click, select Properties, then select the Software tab. FLARE code version is in the format 02.xx.300.5.xxx. The first xx is the major revision (likely to be 16 or 19 in your case, second xxx is the patch release version).

The symptoms suggest that you still have a privileged user set *somewhere*. It's just a matter of finding it...

Can you check each host under the Hosts tab in Navisphere, and check to see that each Agent shows as Managed, and that no entries other than system@xx.xx.xx.xx are in the Privileged Users field?

Also - this doesn't make sense: "Yes, registered and logged in. The server icon is blue and the hba port icon (4) two hba's are green."
Can you post exactly where you found these details?
0
 
LVL 30

Expert Comment

by:Duncan Meyers
ID: 16327161
Hi leeroy13,

Any news?

0
 

Author Comment

by:leeroy13
ID: 16337175
meyersd,
Tech Support finally webexed.
The Agent.Config file,
needed
user system@IP_SP

Then I had a zoning issue or lack of to the second SP,
deleted one of the two paths to SPA and added a zone to
SPB.

Next thing you know stopping the service and restarting and I am privileged.

One issue, the HBA is registered to SPB now, but not logged in (connectivity status) how do I resolve
that issue ?
0
 
LVL 30

Accepted Solution

by:
Duncan Meyers earned 1600 total points
ID: 16337473
>user system@IP_SP

D'oh! D'oh! D'oh! Yes, of course (slaps forehead, kicks own backside)... I'm **extremely** embarrassed I missed the key word "user" there. I've been doing this stuff with Clariions day in, day out for more than 5 years now, and I should have spotted that...

>One issue, the HBA is registered to SPB now, but not logged in (connectivity status) how do I resolve that issue ?

If there is no Fibre Log In, then the switch zoning is wrong, or you have the wrong driver/firmware for the FC HBA.

To explain: the FC HBA registers itself with the FC switch when the HBA driver is loaded - this is a FLOGI (fabric log in). You'll notice that the lights on the HBA in the server are yellow until about halfway through the server boot, when they turn green once the HBA has logged in to the switch. During the FLOGI process, the HBA registers itself with the switch's name server and it gets a 24 bit address which is used in all communications. The WWN is only really used in the initial registration process, and in providing a unique ID to the storage.

The next part of the process is a port log in, or PLOGI - which is an end to end log in. In this case, the server is logging into the CX300. No communications can begin until the PLOGI process completes. The server and storage negotiate communications parameters during the PLOGI process.

It is the PLOGI from server to CX300 that is failing in your case. This means that either the switch zoning is wrong or the HBA firmware or driver is wrong.

Can you post the following:

HBA make and model (QLogic or Emulex)
HBA firmware version
HBA driver version
Make and model of the FC switch
Can you post the relevant zone configuration too, please.
 

Finally, this article explains the fabric log ins pretty well: http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/tips0035.html?Open
0
 

Author Comment

by:leeroy13
ID: 16338478
Just needed to reboot after a zone change.
0
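
The root cause found in this thread (privileged entries in agent.config need the `user` keyword, as in `user system@IP_SP`) can be checked before restarting the agent. The following is an added example, not code from the thread or from EMC: the function names are hypothetical, treating `#` as a comment marker follows the commented-out lines posted above, and the hostname warning follows the advice given in the thread.

```python
import ipaddress
import re

# Sample input: the agent.config posted in the thread before the fix
# (bare name@host lines without the "user" keyword).
BROKEN = """\
clarDescr
clarContact
poll 60
baud 9600
eventlog 2048
system@10.88.2.188
system@10.88.2.189
# EMCAGENT@houafs01.SBIBCORP.COM
"""

# Optional "user" keyword, then name@host.
ENTRY = re.compile(r"^(?:(user)\s+)?([^\s@#]+)@(\S+)$", re.IGNORECASE)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_agent_config(text, sp_ips):
    """Return (line_no, message) findings; line_no 0 means file-level."""
    findings, granted = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        m = ENTRY.match(line)
        if not m:
            continue  # not a name@host line (poll, baud, eventlog, ...)
        keyword, name, host = m.groups()
        if keyword is None:
            findings.append((no, f"'{line}' lacks the 'user' keyword"))
            continue
        if not is_ip(host):
            findings.append((no, f"'{name}@{host}' uses a hostname, not an IP"))
        granted.add((name.lower(), host.lower()))
    for ip in sp_ips:  # every SP needs its own 'user system@<IP>' line
        if ("system", ip) not in granted:
            findings.append((0, f"missing 'user system@{ip}'"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_agent_config(BROKEN, ["10.88.2.188", "10.88.2.189"]):
        print(f"line {no}: {msg}")
```

Run against the file posted earlier in the thread, it reports lines 6 and 7 as missing the keyword and both SP entries as absent.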
