EMC® Secure Remote Support Gateway for Linux Release 2.24 Operations Guide REV 02 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.EMC.
Copyright © 2005-2013 EMC Corporation. All rights reserved. Published September, 2013 EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Preface As part of an effort to improve and enhance the performance and capabilities of its product line, EMC from time to time releases revisions of its hardware and software. Therefore, some functions described in this guide may not be supported by all revisions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.
Note: A note presents information that is important, but not hazard-related.

CAUTION: A caution contains information essential to avoid data loss or damage to the system or equipment. The caution may apply to hardware or software.
... Ellipsis for nonessential information omitted from the example.

Where to get help

EMC support, product, and licensing information can be obtained as follows.

Product Information—For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to the EMC Online Support Site (registration required) at: http://support.emc.com

Technical support—For technical support, click Support on the EMC Online Support Site.
1 Introduction

You should become familiar with the EMC Secure Remote Support Site Planning Guide. It is important to understand system requirements and configurations before you execute any administrative tasks. This chapter introduces the EMC Secure Remote Support Gateway for Linux Client. Topics include:

◆ Architecture
◆ Responsibilities for the ESRS components
Architecture

The EMC® Secure Remote Support (ESRS) application architecture consists of a secure, asynchronous messaging system designed to support the functions of secure encrypted file transfer, monitoring of device status, and remote execution of diagnostic activities. This distributed solution is designed to provide a scalable, fault-tolerant, and minimally intrusive extension to the customer’s system support environment.
Customer site components

ESRS requires the following software and hardware at the customer site:

Gateway Client(s) — This ESRS software component is installed on a customer-supplied dedicated server or Hyper-V/VMware instance. It can also be installed on multiple servers. The servers act as the single point of entry and exit for all IP-based remote support activities and most EMC connect home notifications.
Each Gateway Client acts as a proxy, carrying information to and from managed devices or to a Policy Manager. Gateway Clients can also queue session requests in the event of a temporary local network failure. The Gateway Clients do not have their own user interface, and are run as Linux services. All Gateway Client actions are logged to a local rolling runtime log file. Table 1 on page 19 shows the minimum configuration of the required hardware and the application software.
(disregarding the proxy path). If the Gateway Client successfully makes a direct connection, no error message will appear to notify the customer or EMC that there is a problem with the proxy communication path. Table 1 on page 19 shows the minimum configuration of the required Gateway Client hardware and the application software.

Table 1 Specifications for ESRS Gateway Client server

Type | Requirements
Gateway Client server | Processor — One or more processors, each 2.
Communication to EMC

All outbound communication between the customer’s site and EMC is initiated from the customer’s site by the Gateway Clients over ports 443 and 8443. Using industry standard Secure Sockets Layer (SSL) encryption over the Internet and an EMC-signed digital certificate for authentication, the Gateway Client creates a secure communication tunnel.
the Gateway Client and provides the EMC enterprise with status information on the connectivity health of the EMC storage devices and the Gateway Client. EMC servers receive the data in XML format and acknowledge the receipt of data using SOAP (Simple Object Access Protocol) commands. Once this response is received, the Gateway Client terminates the connection. Figure 2 on page 21 provides an illustration of the heartbeat communication paths.
uploads the file to the Gateway Client where it is received by one of the following local transport protocols:
◆ HTTPS, if a device is qualified to send files using HTTPS
◆ Passive FTP
◆ SMTP

When an event file is received, the Gateway Client compresses the file, opens the SSL tunnel to the EMC servers, and posts the data file to EMC. At EMC, the file is decompressed and forwarded to the Customer Relationship Management (CRM) systems.
This secure session allows IP traffic from the EMC internal service person to be routed through the Gateway Client to the end device. IP socket traffic received by the Global Access Server for the session is established, wrapped in a SOAP message, and sent to the Gateway Client over the persisted SSL tunnel. The Gateway Client unwraps the SOAP object and forwards the traffic to the IP address and port of the end device for which the session was established.
Table 2 Product use of ESRS (page 2 of 2)

Product | Remote notification to EMC via ESRS | EMC remote access to device via ESRS
EMC Connectrix® | Yes | Yes
Customer Management Station | Device does not send Connect Homes via the Gateway Client | Yes
Data Domain | Device does not send Connect Homes via the Gateway Client | Yes
DL3D | Device does not send Connect Homes via the Gateway Client | Yes
DLm | Yes | Yes
EDL | Yes | Yes
EMC Greenplum DCA® | Yes | Yes
EMC Invista® | Yes | Yes
RecoverPoint | Yes | Y
Responsibilities for the ESRS components

The following sections describe the installation, configuration, operation, and maintenance responsibilities of EMC customers and EMC Global Services.
◆ Installing the ESRS software:
  • Gateway Client server software
  • Policy Manager software (customers may install this software)
◆ Configuring and deploying the EMC devices managed through ESRS
◆ Configuring ESRS High Availability Clusters
◆ Approval of the Deployment, Removal or Edits of Deployed Devices in ServiceLink

Note: If connect home is already set up, customer may use the Configuration CLI Commands to process device
There are no technical restrictions on the network location of the Gateway Client server, other than its connectivity to your devices and Policy Manager as well as to the EMC enterprise. EMC strongly recommends the use of a firewall to block network ports not required by ESRS.

VMware/Hyper-V requirements

VMware servers must be version ESX 2.52 and later. Minimum requirements:
◆ 15 GB partition
◆ 2.
Gateway Client servers, in a High Availability configuration, are active peers. Each Gateway Client in the cluster manages the same set of devices without awareness of, or contention with, the other Gateway Clients in the cluster. There is no direct communication between the Gateway Clients within the cluster.
The High Availability Gateway Cluster will take on the devices managed by the first Gateway Client enrolled into the cluster. When additional Gateway Clients are added to the cluster, they will begin managing the cluster’s devices.

Note: The first Gateway Client used to create a High Availability Gateway Cluster may have managed devices. Any additional Gateway Clients enrolled in a High Availability Gateway Cluster must not be managing any devices at the time of enrollment.
Configuration CLI Commands

The Configuration CLI Commands are automatically installed upon successful completion of your Gateway Client installation.
Configuration items

Table 3, “Configuration items,” describes the available configuration CLI commands.

Table 3 Configuration items

Configuration item | Description
./gateway_status --agent-status | Displays status information about the connection between the Gateway Client and EMC, including connectivity status, proxy server and Policy Manager enablement, and other status results.
./manage_device | Enables viewing of managed devices.
Availability Gateway Cluster has been implemented, another Gateway Client within the cluster will handle these activities. In a High Availability Gateway Cluster, remote access session management is handled by the first Gateway Client to send a heartbeat to the EMC enterprise and receive the remote access request.

Device management

The Configuration CLI Commands enable you to request the addition or removal of a managed device.
enterprise for approval by an authorized EMC Global Services professional.

Note: If you will be submitting device management, removal, or edit requests via the Configuration CLI Commands, be sure to inform your EMC Global Services professional so that the necessary approvals can be made via the EMC enterprise.

Unmanaging a device

If you want to un-manage a device, you use the manage_device -remove-device command to request the device’s removal from the list of managed devices.
Gateway Client for device registration, automating a large portion of the process.

Table 4 Products supported by the Gateway Extract Utility (GWExt)

Product supported by GWExt | Operating system | Additional notes
Celerra | Red Hat Enterprise Linux 5 | NAS Code 6.0
Celerra | Red Hat Enterprise Linux 4 | NAS Code 5.6
CLARiiON Management Station | Win32 |
Connectrix | Win32 |
EMC Disk Library (EDL) | SUSE Linux 9.3 32-bit | v3.0 - v3.2
EMC Disk Library 3D (DL3D) | SUSE Linux 10.2 32-bit | v3.3, v4.
systems and data sources, Digital Certificate Management aids in programmatically generating and authenticating each certificate request, as well as issuing and installing each certificate on the Gateway Client. ESRS Digital Certificate Management provides proof-of-identity of your Gateway Client. This digital document binds the identity of the Gateway Client to a key pair that can be used to encrypt and authenticate communication back to EMC.
Device access control

ESRS achieves remote application access to a process running on an EMC storage device by using a strict IP and application port-mapping process. You have complete control over which ports and IP addresses are opened on your internal firewall to allow connectivity. The remote access session connections are initiated by an EMC Global Services request at the EMC Global Access Server and through a pull connection by the Gateway Client.
2 Gateway Client Server Preparation

This chapter provides information you will need to prepare the Gateway Client server for installing the ESRS software. Topics include:

◆ Overview
◆ Configure Operating System (Red Hat Enterprise Linux 6.2 (32-bit))
◆ Activate the Ethernet Port
Overview

Before you install ESRS, you must prepare the Gateway Client server operating system to receive notification from your managed devices after they are deployed. As part of the preparation, the following software applications are required:

◆ FTP server (vsftpd) — ESRS uses vsftpd to receive notification files sent through the FTP transport to the Gateway Client. You must install vsftpd before installing the Gateway Client.
Configure Operating System (Red Hat Enterprise Linux 6.2 (32-bit))

Configure Network and firewall

Use the setup command and the resulting menu process to configure the following items:
◆ Firewall
◆ IP address
◆ Broadcast address
◆ Netmask
◆ Default gateway
◆ DNS

1. To run the Red Hat configuration tools, type:
[root@localhost ~]# setup
2. The Red Hat Setup Utility appears.
Figure 5 Firewall Configuration

3. Select Firewall configuration, then Run Tool. The Firewall Configuration tool appears. If the firewall is enabled, you need to disable it or configure it to pass the necessary traffic for the listener services per the EMC Secure Remote Support Port Requirements inbound to the Gateway.
Figure 6 Disable Firewall

4. If the Firewall is enabled, use the space bar to remove the selection for Enabled, and select OK, or configure it to pass the necessary traffic for the listener services per the EMC Secure Remote Support Port Requirements inbound to the Gateway.
Figure 7 Network Configuration

5. Select Network configuration, and select Run Tool.

Figure 8 Device Configuration

6. Select Device configuration. The Select A Device screen appears.
Figure 9 Select A Device

7. Select the device, and press Enter. The Network Configuration screen appears.

Figure 10 Network Configuration
8. To accept Network configuration changes, select OK. The Device and DNS configuration screen appears.

Figure 11 DNS Configuration

9. Select DNS configuration.

Figure 12 DNS Configuration
10. To accept DNS configuration changes, select OK. The Device and DNS configuration screen appears.

Figure 13 Saving Device and DNS Configuration

11. Select Save&Quit. The Red Hat Setup Utility main screen appears.
12. DNS configuration screen appears.
Figure 14 Quit Red Hat Setup Utility

13. Select Quit, and press Enter.
Activate the Ethernet Port

You need to bring the Ethernet port up and active, as follows:
1. Type:
/sbin/ifup eth{x}
2. This command will permit you to shell in to the server over the network.

Note: Refer to Red Hat Enterprise Linux (RHEL) documentation on starting SSHD server; it may not be started by default. You will not be able to use a shell without this server being started.
Create Users and Set Passwords

You need to create users and set passwords, as follows:
• The Password for onalert and ONALERT users is EMCCONNECT.
• The Password for emailalert and emailalertesg can be anything you want as these accounts are to permit the receipt of email connect homes.
• The Password for esrsconfig is esrsconfig.

1. Log in to the server as root or as a user and su.
2.
Install vsftpd for FTP and Email

Note: The process below requires that the RHEL server be registered with Red Hat. FTP (vsftpd) and postfix will be reconfigured by the Gateway's (Provisioning Tool) process. No configuration is needed at this time.

Install vsftpd

1. To install vsftpd, run:
[root@localhost ~]# yum install vsftpd
Loaded plugins: product-id, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
rhel-i386-server-6 1.
Importing GPG key 0xFD431D51:
Userid : Red Hat, Inc. (release key 2)
Package: redhat-release-server-6Server-6.2.0.3.el6.i686 (@anaconda-RedHatEnterpriseLinux-201111171035.i386/6.2)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
Userid : Red Hat, Inc. (auxiliary key)
Package: redhat-release-server-6Server-6.2.0.3.el6.i686 (@anaconda-RedHatEnterpriseLinux-201111171035.i386/6.
Install postfix

1. To install postfix, run:
[root@localhost ~]# yum install postfix
Loaded plugins: product-id, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Setting up Install Process
Package 2:postfix-2.6.6-2.2.el6_1.i686 already installed and latest version
Nothing to do

Figure 18 Installing postfix

2. Verify service is running by typing:
cd /etc/init.
Create directories and install CECT and Provisioning Tool (PvT)

This section describes how to create directories and install the Customer Environment Check Tool (CECT) and Provisioning Tool (PvT).

1. To create directories, run:
[root@localhost home]# cd /opt/
[root@localhost opt]# mkdir emc
[root@localhost opt]# mkdir emc/esrs2
[root@localhost opt]# mkdir emc/esrs2/PvT
[root@localhost opt]# cd emc/esrs2

Figure 20 Creating Gateway install directories

2. Copy the CECT-2.
5. Copy the esrs-pvt-2.24.00.06.tar.gz to the PvT directory and untar it:
[root@localhost PvT]# tar -xvf esrs-pvt-2.24.00.06.tar.gz
configuration.xml
provision_agent
[root@localhost PvT]# ls -l
total 14376
-rw-r--r--. 1 root root 150 Jan 10 09:13 configuration.xml
-rw-r--r--. 1 root root 7362560 Jan 10 21:07 esrs-pvt-2.24.00.06.tar.gz
-rwxr-xr-x. 1 root root 7351475 Jan 10 09:13 provision_agent
[root@localhost esrs2]# ls -l
total 4592
drwxr-xr-x.
Example:
Install gateway agent:
provision_agent --user-name --emc-user --site-id
Install DC agent:
provision_agent --user-name --emc-user --reprovision
Install gateway agent with proxy:
provision_agent --user-name --emc-user --site-id --http --proxy-host proxy.abc.com --proxy-port 3128

Figure 25 provision_agent command syntax

8. To run the provision_agent command with arguments, run:
[root@localhost PvT]# .
cache size : 2048 KB Finished downloading... Software bundle downloaded from server Installing software... Gateway Model Opening EmcDeployConfig.so... Loading symbol ... Closing library... 0 Software installed successfully.

Figure 26 Running provision_agent command with arguments

9. To verify Gateway status, run the following command to view the syntax of the gateway_status command:
[root@localhost Gateway]# .
Cluster Info: Standalone

Figure 28 Viewing Gateway Status

11. To view Gateway service information, run:
[root@localhost Gateway]# ./gateway_status --service-status
Connect Home Services
FTP Service: Running
SMTP Service: Running
HTTPS Service: Running
ESRS-IP Dependent Service Status
Gateway: Running
Watchdog: Running
ESRS-IP Gateway as Proxy Service Status
Proxy Service: Running

Figure 29 Viewing Gateway service information

12.
SSL: Enabled, strength 168
Certificate: Enabled, supported true
Avg HB Response: 1.
Post ESRS Client install and configure permissions and firewall for vsftpd and Postfix

1. For vsftpd, run:

Note: setsebool is an OS utility that changes the value of a given item.
3. To install audit2allow, run:
[root@localhost ~]# yum install policycoreutils-python
Loaded plugins: product-id, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package policycoreutils-python.i686 0:2.0.83-19.24.el6 will be installed
--> Processing Dependency: policycoreutils = 2.0.83-19.24.el6 for package: policycoreutils-python-2.0.83-19.24.el6.
4. To stage the change to Postfix, run:
[root@localhost audit]# cd /opt/emc/esrs2
[root@localhost esrs2]# grep local_t /var/log/audit/audit.log | audit2allow -m postfixlocal > postfixlocal.te

Figure 35 Staging the change to Postfix

5. To create the selinux module, run:
[root@localhost esrs2]# cat postfixlocal.te
module postfixlocal 1.
7. To install the semodule, run:
[root@localhost esrs2]# semodule -i postfixlocal.pp

Note: audit2allow generates rules from logs.

Figure 38 Installing semodule

8. To verify that it installed, run:

Note: semodule manages OS policy modules

[root@localhost esrs2]# semodule -l |grep post
postfix 1.11.0
postfixlocal 1.0
postgresql 1.12.1
postgrey 1.7.
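The staged module in steps 4 to 8 is generated from every audit record that matches local_t, so it is worth listing what the generated .te file grants before it is compiled and loaded. The following is an added example, not part of the EMC guide: it prints each allow rule and marks any rule whose source domain is not the expected one. The expected domain postfix_local_t, the function names and the sample module text are assumptions.

```shell
#!/bin/sh
# Added example: review an audit2allow-generated .te file before loading it.

# Constructed sample of postfixlocal.te. Type names other than
# postfix_local_t are illustrative only.
SAMPLE_TE='module postfixlocal 1.0;

require {
    type postfix_local_t;
    type user_home_dir_t;
    type httpd_t;
    type postfix_local_tmp_t;
    class dir { search write add_name };
    class file { read write };
}

#============= httpd_t ==============
allow httpd_t postfix_local_tmp_t:file { read write };

#============= postfix_local_t ==============
allow postfix_local_t user_home_dir_t:dir { search write add_name };'

# review_te EXPECTED_SOURCE TE_TEXT
# Prints one line per allow rule: "OK ..." when the source domain is the
# expected one, "REVIEW ..." otherwise (for example a denial from another
# domain that only matched the grep because its target type contains local_t).
review_te() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "allow" {
            rule = $0
            sub(/;[ \t]*$/, "", rule)                 # drop trailing semicolon
            split($3, tc, ":")                        # $3 is target:class
            perms = rule
            sub(/^[^:]*:[^ \t]+[ \t]*/, "", perms)    # keep only the permissions
            gsub(/[{}]/, "", perms)
            gsub(/^[ \t]+|[ \t]+$/, "", perms)
            tag = ($2 == want) ? "OK" : "REVIEW"
            printf "%s source=%s target=%s class=%s perms=%s\n", tag, $2, tc[1], tc[2], perms
        }'
}

# te_is_scoped EXPECTED_SOURCE TE_TEXT
# Exit status 0 only if there is at least one allow rule and every rule has
# the expected source domain.
te_is_scoped() {
    rules=$(review_te "$1" "$2")
    [ -n "$rules" ] || return 1
    ! printf '%s\n' "$rules" | grep -q '^REVIEW'
}

# Demo on the constructed sample. On a real system the text would come from
# the staged file: review_te postfix_local_t "$(cat postfixlocal.te)"
review_te postfix_local_t "$SAMPLE_TE"
```

Rules marked REVIEW can be deleted from the .te file before the module is compiled, so that only the Postfix-related access is loaded.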
Verify status of Gateway and services

1. To verify the status of the Gateway and services, run:
[root@localhost Gateway]# ./gateway_status --agent-status
ESRS-IP Client Connectivity to EMC Enterprise
Client Version: 2.24.00.06
Serial Number: ESRSGW_11145366_13011508374403
Install Directory: /opt/emc/esrs2/
Connecting To: esrs-corestg.emc.com on port 443
Connection Status: Connected
Proxy Server: Disabled
Policy Manager: Disabled.
--add adds the agent policy manager configuration
--remove removes the policy manager configuration
--secure if specified, use HTTPS protocol to access the server
--host the IP address of the policy manager host
--port the port to use to access the policy manager
--add-proxy adds the proxy configuration
--remove-proxy removes the proxy configuration
--http --socks use either of them to set the Proxy Type
--proxy-host the IP or Host address.
--proxy-port proxy port number.
Proxy Server Enabled: false
[root@localhost Gateway]#

Figure 42 Running the config_policy_manager.sh command with arguments

4. To check Policy Manager configuration, run:
[root@localhost Gateway]# ./config_policy_manager.sh --list
Policy Server Enabled: true
Host: 10.241.172.13
Port: 8443
SSL Enabled: true
SSL Strength: 128-bit
Proxy Server Enabled: false
[root@localhost Gateway]#

Figure 43 Checking the Policy Manager configuration

5.
To configure the Gateway to use a Proxy server, edit the configuration, or remove the Proxy Server

1. To view syntax for the config_agent_proxy.sh command, run:
[root@localhost Gateway]# ./config_agent_proxy.sh --help
Usage : config_agent_proxy [args]
--add-proxy To add the agent proxy configuration
--remove-proxy To remove the proxy configuration
--http --socks Use either of them to set the Proxy Type
--proxy-host Proxy IP or Host address.
--proxy-port Proxy port number.
3. To verify status of proxy server configuration, run:
[root@localhost Gateway]# ./config_agent_proxy.sh --list
DRMProxy Server Enabled: true
Proxy Type: HTTP
Host: 10.241.172.13
Port: 8118
User name:
Error : 0
Agent Proxy configuration Successful.

Note: An Error code of 0 as above means successful; any other result (alpha or numeric) indicates some failure to complete successfully.

Figure 47 Verifying proxy server status

4.
Manage Devices

1. To view the syntax for the manage_device command, run:
[root@localhost Gateway]# .
Table 5 on page 72 lists the valid product, suffixes, and code versions for each product:

Table 5 Valid Suffixes and Code Versions

Product | Suffix | Explanation | ESRS Gateway Code Version
Atmos | 1-16 | | 2.08
Avamar | None | | 2.08
Beta1 | 1-32 | | 2.04
Beta2 | 1-32 | | 2.04
Celerra | PSA | |
Centera | 1-36 | |
CLARiiON | AB | |
Connectrix | CM, CLI | | 2.02
Customer Management Station | 1-32 | | 2.24
Data Domain | None | | 2.14
DCA | BP | | 2.12
DL3D | 123 | | 2.
Table 5 Valid Suffixes and Code Versions

Product | Suffix | Explanation | ESRS Gateway Code Version
Symmetrix | None | |
VNX | FileP, FileS, FileA, BlockA, BlockB | Primary Control Station (CS0), Secondary Control Station (CS1), Control Station Alias, IP Block (SP A&B) | 2.08
VMAX Cloud Edition (CE) | H1, H2, COL, AE, SE, VC, CECV | Host 1 (H1), Host 2 (H2), Collector (COL), Automation Engine (AE), Solutions Enabler (SE), vCenter (VC), ConnectEMC (CECV) | 2.22
VNXe | None | | 2.
./manage_device --add-device --model DCA-GW --host 10.241.216.230 --serialnumber FNM00103500347 --suffix -P
./manage_device --add-device --model DLM3-GW --host 10.241.216.230 --serialnumber APM00113501268 --suffix –ACP-1
./manage_device --add-device --model Switch-Brocade-B-GW --host 10.5.25.40 --serialnumber BRCDN000015159
./manage_device --add-device --model Switch-Cisco-GW --host 10.241.216.230 --serialnumber FOX102100BD
.
APM00084902090-A EDL-Engine-GW online 10.241.216.99
FCNHH050500031-P Celerra-GW online 10.241.168.84
APM00090601517-3 Centera-GW offline 10.241.185.127
03PS12345678-1 RecoverPoint-GW online 10.241.172.142
FNM00110300428 VNXe-GW online 10.241.168.200
APM00110100565-P DCA-GW online 10.241.164.253
APM00105101002-P DCA-GW offline 10.5.214.28
1298999529842B2B4989C0AVAMAR-GW offline 10.241.218.241
HK190309998 Symmetrix-GW offline 10.241.216.
3 Configuration CLI Commands

The Configuration CLI Commands are used to view Gateway Client status, manage devices for a Gateway Client, and perform other tasks related to your ESRS configuration. This chapter includes the following topics:

◆ Configuration CLI Commands overview
◆ Installing the Configuration CLI Commands
◆ Using the Configuration CLI Commands
Configuration CLI Commands overview

The ESRS Configuration CLI Commands are used to manage Gateway Client devices and view and modify settings related to managed devices and related services. Most of the Configuration CLI Commands are designed for access and use by authorized ESRS users. Some configuration activities, such as your device deployment requests or changes must be authorized by an EMC Global Services professional before they take effect.
Installing the Configuration CLI Commands

When you install a Gateway Client using the Provisioning Tool, the Configuration CLI Commands will automatically install on your Gateway Client.

Using the Configuration CLI Commands

Using the Configuration CLI Commands, you can:
◆ Check ESRS Gateway Client status (gateway_status)
◆ Manage Devices (manage_device)
◆ Proxy services (config_agent_proxy.

gateway_status command options
ESRS-IP Client Connectivity to EMC Enterprise
Client Version: 2.24.00.06
Serial Number: ESRSGW_11145366_13011009472687
Install Directory: /opt/emc/esrs2/
Connecting To: esrs-corestg.emc.com on port 443
Connection Status: Connected
Proxy Server: Disabled
Policy Manager: Enabled IP:10.15.109.153, port 8443; HTTP Proxy IP:10.15.109.95, port 3128; connected, SSL Enabled
SSL: Enabled, strength 168
Certificate: Enabled, supported true
Avg HB Response: 0.
Certificate — Indicates whether a digital certificate is enabled.
Average HB Response Time — Displays the average heartbeat (HB) response time from the Gateway Client to the EMC enterprise.
Diagnostic — Displays the reason that the Gateway Client is not connected to the EMC enterprise (only displays if Connectivity Status is Not Connected).
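The status fields described above can be checked automatically. The following script is an added example, not part of the EMC guide or product: it flags a gateway that is not connected, has SSL or its certificate off, or has no Policy Manager linked, which this guide says sets all permissions to Always Allow. It assumes one field per line in the status report; the function names, finding labels and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not EMC code): audit gateway_status text for risky states.
# Field labels come from the guide's sample output; one field per line is assumed.

# field LABEL: print the value after "LABEL:" from stdin (first match only).
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# audit_status: read status text on stdin and print one finding per line.
# Exit status is 0 when nothing is flagged and 1 otherwise.
audit_status() {
    out=$(cat)
    conn=$(printf '%s\n' "$out" | field "Connection Status")
    pm=$(printf '%s\n' "$out" | field "Policy Manager")
    ssl=$(printf '%s\n' "$out" | field "SSL")
    cert=$(printf '%s\n' "$out" | field "Certificate")
    rc=0
    [ "$conn" = "Connected" ] || { echo "NOT_CONNECTED: ${conn:-field missing}"; rc=1; }
    case $pm in
        Enabled*"SSL Enabled"*) ;;
        Enabled*) echo "POLICY_MANAGER_WITHOUT_SSL"; rc=1 ;;
        # No Policy Manager: the guide says permissions become Always Allow.
        *) echo "POLICY_MANAGER_OFF: permissions are Always Allow"; rc=1 ;;
    esac
    case $ssl in Enabled*) ;; *) echo "SSL_OFF"; rc=1 ;; esac
    case $cert in Enabled*) ;; *) echo "CERTIFICATE_OFF"; rc=1 ;; esac
    return $rc
}

# Constructed sample: the guide's output with the Policy Manager unlinked.
sample_pm_off() {
    cat <<'EOF'
Connection Status: Connected
Proxy Server: Disabled
Policy Manager: Disabled
SSL: Enabled, strength 168
Certificate: Enabled, supported true
EOF
}

# On a gateway, pipe the real status report into audit_status, for example
# from cron, and alert when it prints anything.
```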
modify-device — Change the IP address of a managed device.
remove_device — Remove (unmanage) a device that is currently managed.
history — View history of all requests that have not yet been approved by an authorized EMC Global Services professional.
Table 6 manage_device error codes

Error code    Description
13            Device already exists
14            Gateway/Device Client service not running
14            Failed to connect to the Gateway/Device Client

Managing devices

To manage or view devices, run the manage_device --list command as follows:

    [root@LinuxGW Gateway]# ./manage_device --list
    Serial Number Model Status IP Address
    FNM00104600112-BLOCKBVNX-GW online 10.241.216.231
    FNM00104600112-BLOCKAVNX-GW online 10.241.216.
Adding a managed device

To add a managed device, run the manage_device command as in the following example:

    ./manage_device --add-device --model CENTERA --host 10.241.185.59 --serialnumber APM00205030103-2
    Error: 0

Note: An Error code of 0, as above, means the command was successful; any other result (alpha or numeric) indicates that the command failed to complete successfully.

Figure 56 Adding a managed device

1.
Note: Please allow sufficient time for the approval and synchronization process to occur.

Modifying the IP address of a managed device

To modify the IP address of a managed device:

1. To modify the IP address of a managed device, run:

    [root@LinuxGW Gateway]# ./manage_device --modify-device --model Symmetrix-GW --host 168.159.16.12 --serialnumber HK192699998

Figure 57 manage_device --modify-device command

2.
3. Once the request has been approved via the EMC enterprise and the synchronization process has completed, run the list command to confirm that the device has been removed. Please allow sufficient time for the approval and synchronization process to occur.

Submitting Managed Devices requests for approval

Your manage, edit, or unmanage requests will be submitted to EMC for implementation.
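The note on manage_device results says that only an Error code of 0 means success, so automation should judge a request by that line. The following wrapper is an added example, not part of the EMC guide or product: it uses the --add-device syntax and the Table 6 descriptions shown in this guide, and the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example (not EMC code): interpret the "Error: <code>" line that
# ./manage_device prints, using the codes listed in Table 6 of this guide.

# md_result: read manage_device output on stdin and print a one-line verdict.
# Exit status is 0 only for "Error: 0"; any other value (numeric or alpha)
# and a missing Error line are all treated as failure.
md_result() {
    code=$(sed -n 's/^[[:space:]]*Error:[[:space:]]*//p' | tail -n 1 | tr -d '\r ')
    case $code in
        0)  echo "ok: request submitted"; return 0 ;;
        13) echo "fail 13: Device already exists" ;;
        14) echo "fail 14: Gateway/Device Client service not running, or failed to connect to the Gateway/Device Client" ;;
        "") echo "fail: no Error line in output" ;;
        *)  echo "fail $code: see Table 6 (manage_device error codes)" ;;
    esac
    return 1
}

# add_device MODEL HOST SERIAL: run the guide's add command from the Gateway
# directory and judge it by the Error line, not by the process exit status.
add_device() {
    ./manage_device --add-device --model "$1" --host "$2" --serialnumber "$3" 2>&1 | md_result
}
```

A successful verdict only means the request was submitted; the device appears in the list output after EMC approval and synchronization.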
Enabling proxy server communication

To enable communication through a proxy server:

1. To enable proxy between the Client and EMC Enterprise, run:

    config_agent_proxy.sh --add-proxy --http --proxy-host proxy.abc.com --proxy-port 3128

Figure 60 config_agent_proxy.sh command

2.
The following procedure explains how to use the Configuration CLI Commands to link a Gateway Client to a Policy Manager.

To link a Gateway Client to a Policy Manager:

1. To link a Gateway Client to a Policy Manager, run:

    [root@185rhel62d Gateway]# ./config_policy_manager.sh --add --secure --medium --host 10.15.109.153 --port 8443
    Checking Policy Manager Connectivity...
Note: The highest strength cipher that Policy Manager currently supports is the 3DES 168-bit cipher. However, the Policy Manager can be configured to use the AES 256-bit cipher. For more information, refer to the EMC Secure Remote Support Policy Manager Operations Guide.

• add-proxy. If applicable, provide Proxy Server for Policy Manager only with the following parameters:
  – http or socks. The proxy will be used for Gateway Client to Policy Manager communication only.
Note: Disabling communication with the Policy Manager will result in all permission settings for the Gateway Client being set to Always Allow.

Displaying the status of Services

To check the status of services related to ESRS and connect homes, run the following command.

    [root@185rhel62d Gateway]# .
Displaying active remote sessions

To display all active remote sessions to a managed device through the Gateway Client, run the following command:

    [root@LinuxGW Gateway]# ./gateway_status --remote-session
    Active Remote Sessions
    Remote Sessions: Symmetrix-GW HK187490033 RemotelyAnywhere 10.243.184.
Displaying the log files

To display the xGate log that shows configuration and transaction activity:

1. Change to the /opt/emc/esrs2/Gateway folder.
2. Run the following command:

    cat xGate.log

Figure 66 cat xGate.log command
4 Server Maintenance

This section includes a variety of server maintenance procedures, including backup procedures. EMC strongly recommends that you back up your data on the Gateway Client server. It is your responsibility to perform backups and ensure that the servers can be restored through the use of the backup data. Either image backup or data file backup is satisfactory.

Topics in this section include:
◆ Power sequences
Power sequences

EMC's customers routinely perform maintenance tasks that include powering down and powering up their data centers based on scheduled timeframes. While these powerdown/powerup sequences are defined by the customers' internal processes, the presence of the EMC Secure Remote Support Gateway in customer environments can affect the sequence in which powerdown/powerup actions are carried out.

IMPORTANT
Improper shutdown procedures generate service requests.
Time Zone settings

The server Time Zone must be set to the correct time zone for the location of Gateway Client and Policy Manager servers. Having the server Time Zone set to a setting other than the local time zone may adversely affect remote support tool performance.

Note: When changing the time zone on existing server installations, you must reboot the Gateway Client server after changing the setting.
Service preparation for Gateway Client

This section describes steps that need to be taken prior to performing maintenance procedures on the Gateway Client server.

Gateway Client server

Follow the procedures in this section before performing maintenance on the Gateway Client server.

Logging preparation

The Gateway client regularly cycles (or rotates) log files by removing the oldest ones from your system and creating new log files.
CAUTION
If the server disk becomes full, the Gateway Client will fail to function properly for callhome messages, and possibly for support connections. If the problem is severe enough, the server operating system will stop functioning.

It is the customer’s responsibility to monitor and manage disk utilization on both the Gateway Client and Policy Manager servers.
Backup guidelines and procedures

You must prepare backup procedures to protect Gateway Client servers in case of hardware failure, software failure, or data corruption. Specific procedures depend on your:
◆ ESRS site architecture
◆ Backup software
◆ Existing procedures
and possibly other conditions. Consult your system and network administrators.

Backup Restoration
Server image backup
Initial setup
1.
Restoration procedures

Restoration procedures will differ depending on the method of backup you are using.

Server image backup restoration

For a Gateway Client server:

Installation restoration

This section provides details on installation restoration. Restore the disk drive by copying a backup image to that drive (use the most recent backup prior to the incident causing the problem).
5 Troubleshooting

This appendix provides information about troubleshooting unexpected Gateway service events. It also explains how to troubleshoot the ESRSHTTPS listener, and describes how to perform configuration tasks such as install, remove, start, stop, and check status of the ESRS listener service.

◆ Troubleshooting unexpected Gateway service events
◆ Checking status and starting Gateway services
Troubleshooting unexpected Gateway service events

This section provides information about troubleshooting unexpected service events in the Gateway Client.

Service malfunction

If the Gateway Client service appears to malfunction, try to reboot and restart the service.

Service does not start up

If the Gateway Client service fails to manually start up from the Services window, refer to “Checking status and starting Gateway services” on page 102.
Cause of start up problem

A start up problem might be caused by files that have been inadvertently deleted or moved, as follows:

1. Examine the Gateway log file to confirm missing-file errors.
2. Attempt restoration from image backup. You may have to reinstall if image backup is not available. See “Restoration procedures” on page 99.
HTTPS listener paths

The ESRS HTTPS listener service uses the following relative paths for storing files it receives from ConnectEMC or the ESRS Gateway Extract Utility (GWExt):
◆ For files coming from the ConnectEMC service, the relative path is ./Gateway/work/httpsroot/incoming
◆ For files coming from GWExt, the relative path is ./Gateway/work/dmb/request

Files created

The following files exist after configuring and starting the ESRSHTTPS listener:
◆ esrshttps_config.
ESRSHTTPS listener service command line options

The following command line scripts will provide the options to install, build, start, stop, and check status of the ESRS listener service.

Installing ESRSHTTPS listener service

To install the ESRSHTTPS listener service:

1. Extract esrshttps.tar to the install folder:

    tar -xvf esrshttps.tar

2. Build esrshttps binary from the install directory:

    Run 'make' or 'gmake'

3.
Starting ESRSHTTPS listener service

To start the ESRSHTTPS listener service:

    [root@185rhel62d ESRSHTTPS]# ./startup.sh
    esrshttps service is starting
    done starting esrshttps service

Stopping ESRSHTTPS listener service

To stop the ESRSHTTPS listener service:

    [root@185rhel62d ESRSHTTPS]# ./shutdown.
ESRSHTTPS configuration

The following configuration file sets the parameters for the ESRSHTTPS listener:

    ../Gateway/ESRSHTTPS/esrshttps_config.xml

rootdir — Takes rootdir parameter as a string specifying the rootdir to be added to the esrshttps_config.xml file. A root directory is the base directory to which the ESRSHTTPS listener is allowed access. The ESRSHTTPS listener will be allowed to create files from this directory.
LogFileMaxSize — The maximum size of the log file. The default is 1024000.
LogFileNumArchives — The maximum number of log files to retain before deleting the oldest file.