HP Management Integration Framework 1.6 Administrator Guide

Abstract
This document describes the use of HP Management Integration Framework interfaces and is intended for administrators involved in the installation, operation, management and security of HP P6000 EVA storage systems.
© Copyright 2010, 2012 Hewlett-Packard Development Company, L.P Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
1 Introduction

Administrator guide
This administrator guide for HP Management Integration Framework software covers use of the following:
• Configuration interface
• Security interface
• Single Pane of Glass interface

What's new
HP Management Integration Framework version 1.6 includes the following new or updated features compared to version 1.5. See the HP P6000 Enterprise Virtual Array Compatibility Reference for support and version details. Software support.
two HP P6000 EVA storage systems with array-based HP P6000 Command View (STOR02 and STOR05). The HP Management Integration Framework software on SVR01 and SVR07 was automatically installed as part of the installation of server-based HP P6000 Command View and HP P6000 Performance Advisor. The HP Management Integration Framework software on STOR02 and STOR05 was factory installed.
The basic organization of the Single Pane of Glass interface is:
1. Point of view selector
2. Navigation pane
3. Content pane
4. Aspect tabs
5. Session pane

Point of view selector (1). Selects the point of view to be displayed. When the Settings point of view is selected, you can click the storage application resources in the navigation pane to view or change application settings.
Configuration interface – Details page quick tour
The Configuration page allows you to view and change configuration settings. The main areas of the page are identified in the following illustration. Each of the configuration setting types (General, Discovery, Security and Tree Integrator) is displayed in an expandable panel.
1. Actions
2. Service state
3. Configuration status
4. Configuration details

Configuration interface – Registry page quick tour
The Registry page allows you to view registry entries.
Security interface – Administration page quick tour
The Administration page allows you to view key characteristics of a Management Group, change authenticator states, and access the wizards.
1. Management Group state
2. Wizards
3. Authenticating OS security domains
4. Machines and authenticator

Security interface – Import Machines wizard quick tour
The Import Machines wizard guides you through the steps to import one or more machines in one or more Management Groups into another Management Group.
1.
Security interface – Manage OS Security Domains wizard quick tour
The Manage OS Security Domains wizard guides you through steps to add, copy, edit, and delete an LDAP security domain from a machine in the currently viewed Management Group.
1.
Security interface – Single Sign-on page quick tour
The Single Sign-on page allows you to enable or disable the Management Integration Framework single sign-on feature for a Management Group.
1. Management Group
2. Single Sign-on setting

Searching online help
Procedure
1. In online help, select Search. The search pane appears.
2. Enter a term to search for and click List Topics or press the Enter key. A list of topics that contains the term is displayed.
3. Click any topic in the list to display it.
2 Installing Management Group security certificates

Management Group security certificate installation overview
Each Management Group uses a unique self-signed Management Group security certificate to manage login access. When browsing to a Management Integration Framework interface, if there is no trusted certificate authority to attest to the certificate, then connection to the machine is blocked. This condition is indicated by an error message on the login dialog box.
2. Select Continue to this website. If the login dialog box displays a connection error, proceed with the following steps.
3. Click the link for installing the Management Group certificate. A File Download dialog box opens. Click Open. Click Install Certificate. The Certificate Import wizard opens.
   a. Click Next.
   b. Select Place all certificates in the following store and click Browse.
   c. Select Trusted Root Certification Authorities.
   d. Click Next, then click Finish.
3. The login dialog box opens and a connection error is displayed.
4. Click the link for installing the Management Group certificate. A trust dialog box opens.
5. Select Trust this CA to identify the web sites and click OK. The certificate for the Management Group is installed in the browser. Close the dialog boxes and refresh the browser. After the refresh, the connection error should no longer be displayed.
6.
3. Select Off and click OK.
3 Configuring browsers for single sign-on

Configuring Firefox for single sign-on
Use the following procedure to prevent a Firefox browser from displaying a login dialog prior to initiating the single sign-on authentication with the Management Integration Framework web server.

Considerations
• The format for entering a URL is: https://:2374.
• Multiple URLs should be separated with commas.

Procedure
1. In Firefox, enter about:config in the address bar.
4 Troubleshooting

Login issues (MIF)
This topic includes messages that can appear when logging in (browsing) to HP Management Integration Framework interfaces (Configuration and Security) or logging in to the Single Pane of Glass interface in HP applications such as HP P6000 Command View.
• Message: Failed to connect to Discovery. The Management Group (MG) certificate may not be installed. Please refer to help for more information.
security certificate as being invalid. If the date-time on the target machine is changed, the HP MIF service on that machine must be restarted.
  ◦ Ensure that the Domain Name System for the environment is configured correctly to resolve names to IP addresses.
  ◦ Disable browser proxy settings.
  ◦ Clear the browser cache and restart the browser.
  ◦ Ensure that the firewall on the target machine is not preventing access.
• Message: Security Component encountered a server error.
typically cleared automatically in 30 seconds. The Tree Age Timeout setting in the Configuration interface controls the timing.
• Storage systems do not appear in the navigation pane.
  ◦ Some older models of HP P6000 EVA storage systems in the SAN may not be supported by the version of HP P6000 Command View. See the HP P6000 EVA Compatibility Reference for support details.
  ◦ Ensure that all instances of HP P6000 Command View in the Management Group are running.
5 Using the configuration interface

Best practices
• Avoid simultaneous configuration sessions for a given machine. Although Management Integration Framework software supports simultaneous browser sessions, communication errors can result when multiple sessions simultaneously attempt to configure the same machine. Example. Assume that two administrators simultaneously have sessions running to make changes for machine A.
5. After the change is saved, click Restart Service. The Management Integration Framework software will bind to the specified IP address.

Logging in to the configuration interface
Considerations
• Viewing a Management Integration Framework interface requires a supported browser and Flash Player plug-in. Supported browsers and Flash Players are listed in the HP Enterprise Virtual Array Compatibility Reference.
• HP recommends using qualified user names. See Login user names.
8. Click Move Machine. Follow the instructions in the Move Machine wizard.
9. Select the Management Group that you recorded before.
10. Enter the user name, password, and OS security domain from the authenticator.
11. Click Next > Finish > OK to finalize the Management Group settings.

Restarting the Management Integration Framework service
Considerations
• Plan and coordinate restarting Management Integration Framework services.
Examples.
Interactive assistance example

Viewing the configuration for a machine
1. Log in to the Management Integration Framework configuration interface for the machine.
2. On the Configuration page, view the configuration settings. Example: Configuration page.
3. On the Registry page, view the Management Integration Framework registry entries. Example: Registry page.
6 Configuration settings

Configuration settings overview
In most cases the default settings are adequate and should not be changed. Guidelines for settings are included in the online help, documentation, and in the interface. See Viewing configuration guidelines.

Considerations
The following considerations are common to all settings:
• All Management Integration Framework web service port numbers must be unique, with the exception of the Discovery URI port.
Log file max size
This general setting establishes the maximum size of a Management Integration Framework log file. A new log file is started when the maximum size is exceeded.
• Typical use. To increase the size of the log file. This setting is used mostly by HP support personnel.
• The default is 10 MB.
• If you change the setting, it must be in the range of 1 to 100 MB.

Logging level
This general setting specifies the level of detail that is recorded in a Management Integration Framework log file.
Web server connections
This general setting establishes the maximum number of concurrent connections for the Management Integration Framework web server.
• Typical use. To increase the number of allowed connections.
• The default is 2 concurrent connections.
• If you change the setting, it must be in the range of 1 to 25 connections.

Web server port
This general setting establishes the port number for the Management Integration Framework web server.
• If you enter an IP address that is not on the machine, the Management Integration Framework will try an IP address that is valid. If no network is detected, Management Integration Framework will start with the non-specific (any) address.
• When the Management Integration Framework is bound to a hostname, the hostname must be resolvable by the client, either by adding hostname mapping in the DNS or in an etc\hosts file.
• Subnet mask. A valid subnet mask for the IP address of this machine. The default is 255.255.255.240.
• Example IPv4: 192.168.1.20/255.255.254.0:8080

Non-local registry entry time-out
This discovery setting establishes how long Management Integration Framework software waits before it removes non-local entries from its registry. The entries are removed if they are not updated during the time-out period.
• Typical use. Used in conjunction with a change in the Registry Table Update interval.
Available OS security domains
This security setting establishes an administrator-specified list of OS security domains that Management Integration Framework software can use for authentication.
• Typical use. When it is known that a machine has trust relationships with an OS security domain that Management Integration Framework software cannot automatically detect, you can add the domain to this list. This allows Management Integration Framework software to authenticate users with the specified domain.
• If you change the setting, it must be in the range of 1 to 300000 milliseconds (5 minutes).
• Considerations. A short interval causes the Management Integration Framework software to check for trees more often, which increases interface responsiveness but also increases network traffic. A longer interval causes Management Integration Framework software to check for trees less often, which decreases network traffic but also decreases interface responsiveness.
7 Using the security interface

Adding LDAP security domains to a machine
You can use the Manage OS Security Groups wizard to add LDAP security domains to a machine and map LDAP security domains to Management Integration Framework roles.

Procedure
1. Browse to the security interface for the machine.
2. Select the machine and click Manage OS Security Domains. The Manage OS Security Domains wizard opens.
3. Select Add LDAP Security Domain and follow the instructions in the wizard.
Creating a Management Group
You cannot use the wizards to create an empty Management Group or to directly create a Management Group. Instead, you must use the Move Machine wizard and choose a machine to be the initial member of the new group. The following considerations are important when planning new groups.

Considerations
• Only the Move Machine wizard can be used to create a Management Group.
Procedure for Import Machines
1. Determine the Management Group to be deleted.
2. Identify a machine which is a member of a Management Group that will receive the machines being removed from the Management Group to be deleted.
3. Browse to the security interface for that machine.
4. Click Import Machines. The Import Machines wizard opens.
5. Select the machines to import and follow the instructions in the wizard pages, then click Finish.
Removing machines from a Management Group
You can use the Move Machine or Import Machines wizards to remove machines from a Management Group. A brief comparison of the wizards follows.

Summary
• Move Machine wizard: Removes a single machine from one Management Group and adds the machine to another Management Group.
• Import Machines wizard: Removes one or more machines from one or more Management Groups, then adds the machines to another Management Group.
desired new name. Second, use the Import Machines wizard to move the remaining machines into the new Management Group.

Procedure
1. Identify the Management Group to rename.
2. Browse to the security interface on any member machine in the Management Group to rename.
3. Select the machine. Management Integration Framework software will determine if the machine's membership can be changed. If yes, the Move Machine button is enabled.
4. Click Move Machine. The Move Machine wizard opens.
5. Click Next.
6.
Troubleshooting

Import Machines troubleshooting
The following error messages and resolutions apply to the Import Machines, Import Progress and Results page:
• Message: Failed import - operation canceled.
  Resolution: None; the user has cancelled the import.
• Message: Failed import – communication error.
  Resolution: Verify that the local Management Integration Framework service is started and is configured properly.
• Message: Failed import – unknown MG.
  Resolution: Verify that the destination Management Group exists. Verify the status of the authenticating machines in the destination Management Group and ensure that at least one authenticating machine is running. Check for network problems that might prevent communication with the machines. This problem can occur when:
  ◦ The destination Management Group is deleted before or during the import operation.
Management Group change troubleshooting
The following error messages and resolutions apply to the Management Group change page:
• Message: The current session has expired or the machine’s security token is no longer valid. Please re-login.
  Resolution: Log out of the Management Integration Framework security interface, then log back in.
• Message: Invalid information was obtained from the destination Management Group. This may indicate a critical error - please contact HP.
destination Management is running and that there are no network problems.
  Resolution: Verify that the destination Management Group exists. Verify the status of the authenticating machines in the destination Management Group and ensure that the machines are running. Verify there are no network problems.
• Message: The machine’s clock is significantly out of sync with the machines in the destination Management Group. Refer to help for more information.
8 Management Integration Framework concepts

Applications (Management Integration Framework specific)
The term Management Integration Framework application refers to an HP storage management product or software component that is Management Integration Framework capable, usually for the purposes of participating in Management Integration Framework security integration and Single Pane-of-Glass interface.
LDAP security domain mapping
LDAP security domains can be mapped to Management Integration Framework roles. See Adding LDAP security domains to a machine.

Log and audit files
Log file. On a Management Integration Framework server which is running Windows, the Management Integration Framework log file is located in the folder C:\Program Files\Hewlett-Packard\XFROOT\log. The file naming format is xf-YYMMDD-number.log, for example: xf-090824-1.log.
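When collecting these log files for review, a plain alphabetical sort puts xf-090824-10.log ahead of xf-090824-2.log. The following is an added example, not part of the HP guide: it parses the xf-YYMMDD-number.log format, orders files by date and number, and lists names that do not fit the format. It assumes a two-digit year means 20YY and that numbers start at 1 each day and increase as files roll over; the sample names are constructed.

```python
import os
import re
from collections import defaultdict
from datetime import date

# Folder and naming format as given in the guide (Windows servers).
MIF_LOG_DIR = r"C:\Program Files\Hewlett-Packard\XFROOT\log"
LOG_NAME = re.compile(r"xf-(\d{2})(\d{2})(\d{2})-(\d+)\.log", re.IGNORECASE)


def parse_log_name(name):
    """Return (date, number) for xf-YYMMDD-number.log, or None if it does not fit."""
    m = LOG_NAME.fullmatch(name)
    if not m:
        return None
    yy, mm, dd, seq = (int(g) for g in m.groups())
    if seq < 1:
        return None
    try:
        # Assumption: the two-digit year means 20YY.
        return date(2000 + yy, mm, dd), seq
    except ValueError:  # impossible calendar date, such as month 13
        return None


def inventory(names):
    """Return (ordered, unexpected, gaps) for a list of file names.

    ordered    - valid log names sorted by date, then by number (numeric)
    unexpected - names that do not follow the documented format
    gaps       - {date: [numbers missing between 1 and the highest seen]}
                 (assumption: numbering starts at 1 each day)
    """
    parsed, unexpected = [], []
    for name in names:
        key = parse_log_name(name)
        if key is None:
            unexpected.append(name)
        else:
            parsed.append((key, name))
    parsed.sort()
    ordered = [name for _, name in parsed]

    seen = defaultdict(set)
    for (day, seq), _ in parsed:
        seen[day].add(seq)
    gaps = {}
    for day, seqs in seen.items():
        missing = [n for n in range(1, max(seqs) + 1) if n not in seqs]
        if missing:
            gaps[day] = missing
    return ordered, unexpected, gaps


def scan_folder(path=MIF_LOG_DIR):
    """Run the inventory over a real folder listing."""
    return inventory(os.listdir(path))


# Constructed sample listing, deliberately out of order.
SAMPLE = [
    "xf-090824-10.log", "xf-090824-2.log", "xf-090824-1.log",
    "xf-090825-3.log", "xf-090825-1.log",
    "xf-091332-1.log", "xf-090824-1.log.bak", "notes.txt",
]

if __name__ == "__main__":
    ordered, unexpected, gaps = inventory(SAMPLE)
    print("Chronological order:", ordered)
    print("Not in documented format:", unexpected)
    for day, missing in sorted(gaps.items()):
        print("Missing numbers on", day.isoformat(), "->", missing)
```

A missing number is only a prompt to check whether files were archived, rotated out, or removed; the guide does not state how long log files are retained.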
Management Groups
A Management Group is a set of Management Group machines. Management Groups allow you to:
• Log in to any member of a Management Group, or to a Management Integration Framework capable application, using a single credential (single sign-on).
• Specify the machines and OS security domains to be used as authenticators for access.
• Add or remove a machine from membership in a Management Group.
machine's Management Group, or you could create a new Management Group and make the two machines members of the new group, as shown below.

Reorganized into fewer Management Groups

Or, assume that you would like all of the machines to participate in single sign-on. You could make any three of the four machines members of another machine's Management Group, or you could create a new Management Group and make the four machines members of the new group, as shown below.
• At least one machine with Management Integration Framework software as a member.
• At least one OS security domain designated as an authenticator.

Best practices
• In Management Groups that include multiple machines, configure more than one machine as an OS security domain authenticator. This practice prevents losing single sign-on functionality for the Management Group should an authenticator machine become unavailable.
This condition can be resolved by installing the Management Group self-signed certificate in the browser as a trusted certificate authority. See Management Group security certificate installation.
• When an installed Management Group certificate is valid, the next time the browser connects to the Management Group member machine, the connections will be automatically authenticated.
• When an installed Management Group certificate is not valid, then a message will appear for the user to make a decision.
Roles (Management Integration Framework specific)
The HP Management Integration Framework software automatically establishes relationships between Management Integration Framework roles and OS user groups. Typical roles are shown in the following table.
Single Pane of Glass interface
The Management Integration Framework user interface integration function allows multiple Management Integration Framework capable user interfaces to be displayed in a single browser-based interface. This function is implemented by various components and mechanisms, including: Management Integration Framework Single Pane of Glass (SPoG) component, Management Integration Framework tree integrator component, tree source, and tree decorator.

Single Pane of Glass interface.
9 Support and other resources

Release history
HP Management Integration Framework software releases:

Release      Version   New features
2012 (Oct)   1.6       See What's new
2012 (May)   1.5       Software support. Support is added for:
                       • HP P6000 Command View 10.1
                       • HP P6000 Performance Advisor 10.1
                       • HP P6000 Control Panel 2.6
                       Other
                       • Browser support. Mozilla Firefox 3.5 is no longer supported.
2011 (Oct)   1.4       Configuration interface changes
                       • Tree integrator settings. Tree Integrator settings are added.
2010 (Aug)   1.2       • Software name. Renamed to HP Management Integration Framework software.
2010 (Feb)   1.0       Initial release

Contacting HP
HP technical support
For worldwide technical support information, see the HP support website: http://www.hp.
Websites
• HP.com http://www.hp.com
• HP storage http://www.hp.com/go/storage
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.
A HP MIF security environment overview
This information is intended for customers who want to understand the level of protection that HP MIF security provides. See also the HP Management Integration Framework Maintenance & Service Guide. The guide includes information on using HP MIF command line utilities.

HP MIF privilege mechanisms
• Users of a group have access to the SPoG interface if the group has the View HP Storage privilege. See SPoG quick tour and SPoG interface.
HTTPS protocol
HP MIF uses HTTPS protocol for:
• Security related services, like having privilege mapping based on a file
• LDAP communication
• Security component services, like login
• Management Group related operations, like join and privilege mapping operations
• HP MIF configuration changes
• Security services, like refresh of tokens
• Webserver to serve HP MIF related pages

Ciphers used internally
• HP MIF uses the XXTea encryption algorithm.
Glossary
CIDR: Classless Inter-domain Routing.
DNS: Domain Name System.
IANA: Internet Assigned Numbers Authority.
MIF: Management Integration Framework. HP software that provides storage-related security features and user interface capabilities for HP applications.
SPoG: Single Pane of Glass. The HP Management Integration Framework software component that displays one or more HP storage applications in a graphical interface.
UDP: User Datagram Protocol.
URI: Universal Resource Identifier.