3.3.6.2. Solutions for Operating Through a Firewall
SSM can operate through a firewall in three different ways:
• The hpssgui and hpssadm can use ports exempted by the network administrator as firewall
exceptions. See the -n option described in the hpssgui and hpssadm man pages.
• The hpssgui and hpssadm can contact the System Manager across a Virtual Private Network
(VPN) connection. See the -p and -h options described in the hpssgui and hpssadm man
pages.
• The hpssgui and hpssadm can contact the System Manager across an ssh tunnel. See the
instructions for tunneling in the hpssgui man page.
The firewall exception is the simplest of these. However, security organizations are not always willing to
grant exceptions.
The VPN option is usually simple and transparent regardless of how many ports are needed, but it
requires the site to support VPN. The site must also allow VPN users access to the ports listed in
Section 3.3.6.1 The Firewall Problem on page 44; not all sites do.
The ssh tunneling option has the advantage that it can be used almost anywhere at no cost. It has the
disadvantage that the tunnel essentially creates its own firewall exception. Some security organizations
would rather know about any applications coming through the firewall and what ports they are using
rather than have users create exceptions themselves without the awareness of security personnel. A
second disadvantage of tunneling is that if a particular client machine is compromised, any tunnels open
on that client could also be compromised. The client machine may become a point of vulnerability and
access to the other machines behind the firewall. A third disadvantage is that tunneling can be complex
to set up, requiring slight or significant variations at every site.
The firewall and tunneling options both benefit from reducing the number of ports required:
• The need for port 111 can be eliminated by making the System Manager listen on a fixed port.
To do this, set the HPSS_SSM_SERVER_LISTEN_PORT environment variable to the
desired port and restart the System Manager. Then use the -n option with the hpssgui and
hpssadm startup scripts to specify this port.
• The need for port 88 can be eliminated only by avoiding Kerberos and using UNIX
authentication.
• There is no way to eliminate the need for the port on which the System Manager listens.
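The port-reduction rules above, written out as an added shell helper (not part of the HPSS guide): it lists the ports to declare to the security organization for a given setup and builds the ssh -L forward for the System Manager port. The function names, the host sm.example.org and port 49999 are constructed for illustration.

```shell
#!/bin/sh
# Added example: plan the ports an SSM client needs through a firewall.
# HPSS_SSM_SERVER_LISTEN_PORT and ports 111 and 88 come from the text above;
# the function names and sample values are hypothetical.

# valid_port N: succeed only for an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ssm_ports AUTH [LISTEN_PORT]: print the ports to declare to the firewall team.
# AUTH is krb5 or unix; LISTEN_PORT is the value given to
# HPSS_SSM_SERVER_LISTEN_PORT on the server, or empty when it is not set.
ssm_ports() {
    out=
    case $1 in
        krb5) out="88" ;;          # Kerberos authentication needs port 88
        unix) ;;                   # UNIX authentication does not
        *) echo "auth must be krb5 or unix" >&2; return 2 ;;
    esac
    if [ -n "${2:-}" ]; then
        valid_port "$2" || { echo "bad port: $2" >&2; return 2; }
        out="$out $2"              # fixed System Manager port, always needed
    else
        out="$out 111 dynamic"     # port 111 plus a port chosen at run time
    fi
    echo $out                      # unquoted on purpose: trims the leading space
}

# ssm_forward SM_HOST [LISTEN_PORT]: print the ssh -L argument for the
# System Manager port. A static forward needs a port known in advance,
# so this fails unless the fixed listen port is configured.
ssm_forward() {
    valid_port "${2:-}" || { echo "set a fixed listen port first" >&2; return 1; }
    # bind the local end to loopback so other hosts cannot reuse the tunnel
    echo "-L 127.0.0.1:$2:$1:$2"
}

# Constructed sample values: host sm.example.org, port 49999.
ssm_ports krb5 49999
ssm_forward sm.example.org 49999
```

The output of ssm_ports is the list to hand to security personnel before opening a tunnel or requesting an exception, so the ports in use are known to them in either case.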
3.3.6.3. Example: Using hpssgui Through a Firewall
Here is an example of how a particular site set up its hpssgui SSM client sessions using krb5
authentication from outside a firewall. Many of the items are site-specific, so modifications will
need to be made to suit each site's specific needs. Where this procedure would differ for a site using
UNIX authentication, the UNIX instructions are also included.
At this site, VPN users were not allowed access to all the ports listed in Section 3.3.6.1 The Firewall
Problem on page 44, so they had to use a combination of VPN and ssh tunneling.
• Create a directory on the client machine to hold the SSM client files. It is recommended that
a separate directory be created for each server hostname that the client will contact.
HPSS Management Guide November 2009
Release 7.3 (Revision 1.0) 45