APPENDIX A

Console Administration

The administrator console is an alternative to using the Web Administrator graphical user interface (GUI) for managing the NAS appliance or gateway system. You can use a number of protocols, such as Telnet, SSH, and RLogin, to connect to the console, as long as the application you use has an ANSI-compatible terminal emulator. This appendix uses Telnet, because it is readily available in the Windows operating system.

Note: Avoid simultaneous updates by Telnet/CLI and Web Administrator users.

This appendix includes the following sections:


Accessing the Administrator Console

This section describes how to access and get started with the administrator console, as follows:

The examples shown here use Windows Telnet to access the administrator console; however, you can use any protocol that has an ANSI-compatible terminal emulator.


Opening a Telnet Session

Use the following procedure to control the NAS server through an ANSI-compatible terminal emulator. This procedure uses Windows Telnet as an example.

Note: You might have to alter the remote access security settings to enable access to the command-line interface. For details, see Setting Remote Access Options.

1. Click Start > Run from your Windows desktop.

2. In the Run window, type cmd and click OK.

3. At the command prompt, type the following command and press Enter:

telnet ip-address

where ip-address is the IP address of the server.

4. If administrative access is password-protected, enter the password. The following prompt is displayed:

connect to (? for list) ? [menu]

5. Press Enter to display the console menu. See Console Menu Basics.

To display the command line, type admin and then type the administrator password, if prompted. See Viewing Man Pages for an index of commands.

When using the administrator console, you can press the Esc key at any time to display the prompt.

When using the command line, you can enter menu to display the administration console.


Console Menu Basics

The main console menu consists of the following sections:

To use the console menu:

1. Choose the menu item by entering the corresponding letter or number. For example, type 1 to choose Activity Monitor.

2. Press the spacebar to scroll through a list, for example, to view more options under the Extensions heading.

3. Press Enter or Tab to move to the next field, if the cursor does not advance.

4. Use the following keys to edit screen fields:


TABLE A-1 Console Menu Keyboard Functions

Keys                                  Action
------------------------------------  -------------------------------------------------------------------
Backspace, Delete, Ctrl+H             Deletes the previous character.
Ctrl+U                                Deletes the entire field.
Enter, Ctrl+M, Ctrl+J, Ctrl+I, Tab    Completes the current entry and moves the cursor to the next field.
Esc                                   Returns to the menu without saving any changes.



Viewing Man Pages

You can view man pages from the command line. Enter the man command, followed by the name of the command, for example ads:

falcon125> man ads

You can also access the man pages using a web browser, using this URL:

http://host-name/man

Both operations display an index of man pages. Click a command to display the content for that command.


System Management

You can use the administrator console to perform system management tasks. This section describes the following tasks:


Configuring TCP/IP

To configure TCP/IP:

1. From the Configuration menu, choose Host Name & Network.

2. Choose 1, Edit fields.

3. Enter the server host name.

4. For the first NIC port, enter the Maximum Transfer Unit (MTU) or press Enter to use the default.

5. Enter the IP address for the NAS server.

6. Enter the IP subnet mask for the NAS server.

7. Enter the broadcast IP address, which specifies the IP address used to send broadcast messages to the subnet.

8. If the cursor stops on the IP Alias Info field, specify an alias IP address for the port. Choose 1, Setup, to configure one or more alias IP addresses.

Aliases are used to specify the IP addresses of obsolete systems that have been replaced by NAS storage.

You can have up to nine aliases per interface for single-server systems and up to four aliases for dual-server systems. To remove an alias from the list, delete its address. Changes are not saved until you click Apply.

9. Repeat Step 3 through Step 8 for each port, using the spacebar to scroll down if more than three ports are present.

10. Enter the gateway address.

11. Choose 7, Save changes.


Modifying the Administrator Password

To modify the administrator password:

1. From the Access Control menu, choose Admin Access.

2. Select Y (yes) to enable password protection, or N (no) to disable it.

Note: Always protect your system with a password.

3. If you select Yes, the system prompts you for a password. Enter the password and then enter it again to confirm.

4. Choose 7, Save changes to activate the new password.

In a cluster configuration, changes made to the administrator password on one server are propagated immediately to the other server.


Setting the Time and Date

Use the Timezone, Time, Date menu option to change the time zone, time, and date set on the system. The real-time clock on the mainboard keeps track of local time.

Note: The first time you set the time and date on the system you also initialize the system's secure clock. This clock is used by the license management software and the Compliance Archiving Software to control time-sensitive operations.


Caution: After the secure clock has been initialized, it cannot be reset. Therefore, it is important that you set the time and date accurately.

To set the time zone, time, and date:

1. From the Configuration menu, choose Timezone, Time, Date.

2. Select the appropriate time zone and press Enter.

3. Enter the new date.

The format is YYYYMMDD, where YYYY is the year, MM is the month, and DD is the day. For example, 20070501 equals May 1, 2007.

4. Enter the current time, using a 24-hour clock (hh:mm).

5. Choose 7, Save changes.

Note: If this is the first time you have set the time and date on the system, this procedure also sets the secure clock to the same time and date. Make sure that you set the time and date accurately, because you can only set the secure clock once.
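Because the first save also initializes the secure clock and that cannot be undone, the values can be checked before they are typed. The check below is an added example, not part of the product or its documentation; the function name, the trusted reference time, and the five-minute skew limit are assumptions.

```python
import re
from datetime import datetime, timedelta

DATE_RE = re.compile(r"[0-9]{8}")            # YYYYMMDD, as the date prompt expects
TIME_RE = re.compile(r"[0-9]{2}:[0-9]{2}")   # hh:mm on a 24-hour clock


def check_clock_entry(date_field, time_field, reference,
                      max_skew=timedelta(minutes=5)):
    """Return a list of problems with the values about to be typed.

    reference is a trusted local time in the time zone selected in step 2
    (assumption: taken from a clock the operator already trusts).
    An empty list means the entry is well formed and close to the reference.
    """
    problems = []
    if not DATE_RE.fullmatch(date_field):
        problems.append("date is not in YYYYMMDD format")
    if not TIME_RE.fullmatch(time_field):
        problems.append("time is not in hh:mm format")
    if problems:
        return problems
    try:
        entered = datetime.strptime(f"{date_field} {time_field}", "%Y%m%d %H:%M")
    except ValueError:
        # Catches swapped layouts such as MMDDYYYY and values such as 24:00.
        return ["date or time is not a real calendar value"]
    skew = abs(entered - reference)
    if skew > max_skew:
        # A 12-hour entry typed into the 24-hour field shows up here.
        problems.append(f"entry differs from the reference clock by {skew}")
    return problems


if __name__ == "__main__":
    ref = datetime(2007, 5, 1, 14, 30)   # constructed reference time
    samples = [("20070501", "14:31"), ("05012007", "14:31"), ("20070501", "02:30")]
    for d, t in samples:
        print(d, t, check_clock_entry(d, t, ref) or "OK")
```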


Setting Time Synchronization

You can configure the system to synchronize its time with either an NTP or RDATE server:

These options are discussed separately below.

Setting Up NTP for Time Synchronization

Follow these steps to synchronize the clocks of computers to a reference time source using NTP:

1. From the Extensions menu, choose NTP Configuration.

2. Choose 1, Edit fields to configure NTP settings.

3. Select Y (yes) to enable NTP.

4. Select Y (yes) to enable the first NTP server.

5. Enter the name or IP address of the first NTP server the appliance or gateway system polls for the current time.

6. Select the type of Authentication to use, either 0 (none) or 1 (symmetric-key).

Symmetric key authentication support lets the appliance or gateway system verify that the NTP server is known and trusted by using a key and key ID. The NTP server, and the appliance or gateway system, must agree on the key and key ID to authenticate their messages.

7. If you select Symmetric Key as the authorization scheme in the previous field, enter the Key ID associated with the private key from the key file to be used with this NTP server.

The valid range for this value is 1 to 65534.

8. To configure a second NTP server, repeat Step 4 through Step 7 for Server 2.

9. In the Min. Polling Interval field, type the minimum polling rate for NTP messages.

This value, raised to the power of two, is the minimum number of seconds of the polling interval. For example, entering 4 results in 16 seconds between polls. The valid range for this field is 4 to 17.

10. In the Max. Polling Interval field, type the maximum polling rate for NTP messages.

This value, raised to the power of two, is the maximum number of seconds of the polling interval. For example, entering 4 results in 16 seconds between polls. The valid range for this field is 4 to 17, and the value must be larger than the minimum polling interval.

11. In the Broadcast Client Enabled field, select Y (yes) for the appliance or gateway system to respond to server broadcast messages received on any interface.

12. In the Require Server authentication field, select Y (yes) to require authentication for servers using the Broadcast client.

NTP servers not using authentication will not be accepted.

13. Choose 7, Save changes.
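The NTP fields above can be reviewed as a set once they have been written down from the screen. The audit below is an added example, not part of the product; the dictionary layout, key names, and sample addresses are assumptions made for illustration, while the ranges and the meaning of each field come from the steps above.

```python
KEY_ID_MIN, KEY_ID_MAX = 1, 65534   # valid Key ID range from step 7
POLL_MIN, POLL_MAX = 4, 17          # valid range of both polling fields


def audit_ntp_settings(cfg):
    """Check NTP values recorded from the NTP Configuration screen.

    Returns (errors, warnings). Errors are values outside the documented
    ranges. Warnings are accepted values that leave the time source
    unauthenticated.
    """
    errors, warnings = [], []
    for n, srv in enumerate(cfg["servers"], start=1):
        if not srv["enabled"]:
            continue
        if srv["auth"] == 0:
            warnings.append(
                f"server {n}: authentication is 0 (none), so the server is not verified")
        elif srv["auth"] == 1:
            key_id = srv.get("key_id")
            if not isinstance(key_id, int) or not KEY_ID_MIN <= key_id <= KEY_ID_MAX:
                errors.append(f"server {n}: key ID must be in the range 1 to 65534")
        else:
            errors.append(f"server {n}: authentication must be 0 or 1")
    for label in ("min_poll", "max_poll"):
        if not POLL_MIN <= cfg[label] <= POLL_MAX:
            errors.append(f"{label} must be in the range 4 to 17")
    if cfg["max_poll"] <= cfg["min_poll"]:
        errors.append("max_poll must be larger than min_poll")
    if cfg["broadcast_client"] and not cfg["require_server_auth"]:
        warnings.append("broadcast client accepts servers that do not authenticate")
    return errors, warnings


# Constructed sample settings (addresses are documentation placeholders).
WEAK = {
    "servers": [
        {"enabled": True, "address": "192.0.2.10", "auth": 0},
        {"enabled": True, "address": "192.0.2.11", "auth": 1, "key_id": 70000},
    ],
    "min_poll": 6, "max_poll": 6,
    "broadcast_client": True, "require_server_auth": False,
}
HARDENED = {
    "servers": [
        {"enabled": True, "address": "192.0.2.10", "auth": 1, "key_id": 10},
        {"enabled": True, "address": "192.0.2.11", "auth": 1, "key_id": 11},
    ],
    "min_poll": 6, "max_poll": 10,
    "broadcast_client": False, "require_server_auth": True,
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        errs, warns = audit_ntp_settings(cfg)
        print(name, "errors:", errs, "warnings:", warns)
```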

Setting Up the RDATE Server and Tolerance Window for Time Synchronization

To set up the RDATE server and tolerance window:

1. From the Extensions menu, choose RDATE time update.

2. Choose 1, Edit fields.

3. Enter the RDATE server name or IP address.

4. Enter the tolerance.

If the NAS server's system time differs from the RDATE server time by less than this number of seconds (+ or -), the appliance or gateway-system time is synchronized with the RDATE server time. This check occurs every day at 11:45 p.m.

5. Choose 7, Save changes.


Enabling Antivirus Protection

If you have an antivirus scan engine running on your network, you can configure antivirus protection on the system. For more detail about antivirus protection, see About Virus Scanning.

To enable antivirus protection:

1. From the Extensions menu, choose Anti-Virus Configuration.

2. Choose 1, Edit fields.

3. In the AVA Enable field, specify Y (yes) to enable antivirus protection.

4. In the Max Scan Size field, enter 1 to 1023 and KB, MB, or GB.

5. In the Access field, enter the action (Allow or Deny) to be taken if a file exceeds the maximum scan size.

6. For each of up to four scan-engine systems:

a. Specify the Internet Protocol (IP) address of the system that is running the scan engine software you want to use.

b. Identify the port on the scan-engine system, through which the scan engine listens for scan requests. This is typically port 1344.

c. Specify the maximum number of concurrent file scan operations (connections) the scan engine can handle from the NAS device. The default is two operations.

7. Choose 7, Save Changes.

To specify which file types are included or excluded from the virus scan, use the CLI command vscan. See the man page for details.


Selecting a Language

You can specify the language for NFS and CIFS.

To select a language:

1. From the Extensions menu, choose Language Selection.

2. Enter the desired language.

The languages that are supported are listed at the top of the screen.


Managing Routes

The routing table contains a list of network paths by which the system sends network packets to specified destinations. Each route entry consists of a destination address and a path. The destination is either a network or a host. The path is the gateway device through which the packet reaches its destination.

To manage static routes in the local network:

1. From the Configuration menu, choose Host Name & Network.

2. Choose 2, Manage Routes.

3. Choose 1, Add route, then choose 1, Edit.

4. Select whether the route type is for a host, network, host through a gateway, or network through a gateway.

5. Enter the destination IP address.

6. Enter the path or gateway address used to connect the NAS appliance or gateway system with its destination. A gateway device must connect to the same subnet as the NAS appliance or gateway system.

7. Choose 7, Save Changes.


Name Services

The name, services, and functions available through the console interface vary from those available through the Web Administrator.


Setting Up DNS, Remote Log, and Local Log

The domain name system (DNS) is a hierarchical name system that translates domain names into IP addresses. Remote logging uses the syslogd utility to send all log messages to the specified server, creating a centralized record of all events from all servers in one log. You can enable remote logging only if you have a Unix system with the syslogd utility on the network that can receive the NAS system log. If you do not set up remote logging, set up the local log.

To set up DNS, Dynamic DNS, remote logging or local logging:

1. From the Configuration menu, choose DNS & SYSLOGD.

2. Choose 1, Edit fields.

3. Select Y (yes) to enable DNS.

4. Enter the IP address for the DNS server to be consulted first for name resolution.

5. Enter the IP address of the server to be consulted second for name resolution.

If you do not have a secondary DNS server, leave this field blank.

6. Enter the domain name of the DNS server.

7. Enter the maximum number of times the system attempts a DNS query for each DNS server.

8. Enter the number of seconds of delay between attempts to query each DNS server.

9. Select Y (yes) to enable Dynamic DNS updates, which enable non-secure dynamic updates to occur during bootup. If you leave this as No, skip to Step 12.

10. To enable secure updates, enter the name of a Windows user with whom the dynamic DNS client can verify updates. This user must have administrator rights.

11. Enter the password of the Dynamic DNS user.

12. Select Y (yes) to enable remote logging, which requests that the NAS appliance or gateway system send log messages to a remote syslogd server.

If there is no syslogd server on the network, select N (no) and skip to Step 16.

13. Enter the syslogd server name or IP address.

14. Select the facility code that will be assigned to all NAS messages that are sent to the remote log, then press Enter.

15. For each type of system event you want to send to the log, type Y (yes) when prompted. Press Enter to move to the next event type without changing the setting. Each event type represents a different priority, or severity level, as described under About System Events.

16. Type Y (yes) to enable local logging.

17. Type the log file path (directory) and file name in the Log File field.

Note: You cannot set up local logging to either the /cvol or /dvol directory.

18. Type the maximum number of archive files in the Archives field. The range is from 1 to 9.

19. Type the maximum file size in kilobytes for each archive file in the Archives field. The range is from 1000 to 999,999 kilobytes.

20. Choose 7, Save changes.


Setting Up a Name Service

To enable NIS or NIS+:

1. From the Configuration menu, choose NIS & NIS+.

2. Choose 1, Edit fields.

3. Select Y (yes) to enable the NAS appliance or gateway system to periodically update its hosts, users, and groups files through an NIS server.

4. Enter the NIS domain name.

5. Enter the NIS server name or IP address.

6. Select Y (yes) to update the hosts file through the NIS server.

7. Select Y (yes) to update the users file through the NIS server.

8. Select Y (yes) to update the groups file through the NIS server.

9. Select Y (yes) to update the netgroups file through the NIS server.

10. Enter the desired number of minutes between NIS updates, between 0 and 9.

11. Select Y (yes) to enable NIS+ for the NAS appliance or gateway system.

12. Enter the NIS+ home domain server address.

13. Enter the NIS+ home domain name.

14. Enter the secure RPC password for the NIS+ server.

15. Enter the search path as a list of domains, separated by colons. Leave this space empty to search only the home domain and its parents.

16. Choose 7, Save changes.

After NIS is set up, inspect the server to see if the master files have changed. When a file changes, it is copied from the NIS server to the local file. The Enable field allows you to disable NIS updates without losing the setup information, so it still exists when you re-enable it.


Setting Lookup Order for Name Service

You can specify which service is used first for user, group, and host lookup functions.

To set up lookup orders:

1. From the Configuration menu, choose Lookup orders.

2. Choose 1, Edit fields.

3. Select the order for resolving user information (between NIS and NIS+) and press Enter.

4. Select the order for resolving group information (between NIS and NIS+) and press Enter.

5. Select the first, second, third, and last services for resolving host information, then press Enter.

6. Choose 7, Save changes.


Managing the Server File System

There are several procedures available through the console that let you manage the Server File System (SFS) volumes. The most common are described in the following sections:


Configuring Drive Letters

Drive letters are assigned to file volumes available for sharing through SMB/CIFS. You can assign the drive letter mappings through the console, except for drive C:, which can only be assigned to \cvol. If no drive letters are available, the file system is created but the following log message is displayed:


No drive letter available

To assign a drive letter to the new file system, you must reassign an existing drive letter.

To manually reassign a drive letter to a file volume:

1. From the Configuration menu, choose Drive Letters.

2. Enter the drive letter you want to change.

3. Enter the file volume name you want to assign to the new drive letter.

You can only assign existing file volumes to drive letters.

4. Press Esc to exit this screen.


Creating a New Disk Volume

To create a new disk volume:

1. From the Configuration menu, choose Disks & Volumes.

2. Type the letter of the drive you want to configure.

3. Choose 1, Edit.

4. Choose 1, Create partition.

5. Select the partition type for the drive.

Press Enter to accept the default (for example, sfs2 for the primary volume, or sfs2ext for a segment).

6. Enter the disk volume label.

7. If the system asks whether you want to enable Compliance Archiving on this volume and you have a license for the Compliance Archiving Software, type Y to create a compliance-enabled volume.

Note: Gateway configurations support advisory compliance but not mandatory compliance.


Caution: After you enable mandatory compliance archiving on a volume, that volume cannot be deleted, renamed, or have compliance archiving disabled or downgraded to advisory.

8. Enter the disk volume size in megabytes (MB).

9. Choose 7, Proceed with create.

Wait for the messages: Initialization OK and Mount OK, then press Esc to return to the Configure Disk menu.

10. When finished, press Esc until you are back at the main console menu.


Renaming a Partition

If you attempt to rename a volume during a write operation, CIFS and NFS clients behave differently. If you attempt to rename a Windows volume during a write operation, CIFS I/O stops after the volume is renamed. For NFS shares, I/O will continue after you rename a Unix volume.

To rename a partition:

1. From the Configuration menu, choose Disks & Volumes.

2. Type the letter of the drive you want to rename.

3. Choose 1, Edit.

4. Choose 3, Rename.

5. Enter the new name for the partition.

Note: Strict compliance-enabled volumes cannot be renamed.


Adding an Extension Segment

To add an extension, you must first create an sfs2ext partition on that volume.

Note: After the extension volume is attached to the sfs file volume, it cannot be detached. This is an irreversible operation. The only way to separate them is to delete the sfs file volume.

To add an extension:

1. From the Configuration menu, choose Disks & Volumes.

2. Type the letter of the drive you want to configure.

Note: If you have more than 26 disk drives (disk volumes), press the spacebar to scan through them.

3. Type the number next to the partition you are changing.

4. Choose 5, Segments.

5. Choose 1, Add an extension segment.

6. Select the letter next to the extension drive you want.

7. Choose 7, Proceed.


Deleting a Disk Volume

Note: Strict compliance-enabled volumes cannot be deleted.


Caution: All data in the volume is lost when you delete a volume.

To delete a disk volume:

1. From the Configuration menu, choose Disks & Volumes.

2. Type the letter of the drive you want to configure. If you have more than 26 disk drives (disk volumes), press the spacebar to scan through them.

3. Choose 1, Edit.

4. Choose 8, Delete.

5. Enter the disk volume name.

6. Choose 7, Proceed with delete. Wait for the messages "Delete OK" and "Delpart OK."

7. Press Esc to return to the Configure Disk menu.

8. Press Esc until you are back at the main console menu.


Shares and Quotas

You can manage shares and quotas using the console.


SMB/CIFS Shares

Common Internet File System (CIFS) is a Windows file-sharing service that uses the Server Message Block (SMB) protocol. CIFS provides a mechanism for Windows client systems to access files on the NAS appliance or gateway system.

Setting Up SMB/CIFS Shares

To set up shares:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose A, Domain Configuration.

3. Type a workgroup or domain name in the Domain field.

4. Define the domain scope, if applicable.

5. Type a text description of the appliance or gateway-system server.

6. Type the IP address of the primary and secondary Windows Internet Naming Service (WINS) servers, if applicable.

7. Assign a Keep Alive parameter.

This is the number of seconds after which the system drops inactive connections.

8. Assign a Security Mode from Secure Share Level and NT Domain Auto UID.

9. If you are using NT Domain Auto UID mode, specify the administrative user name and password.

10. Choose 7, Save changes.

If you changed the security mode between Secure Share Level and NT Domain Auto UID, the NAS appliance or gateway system reboots.

Setting Up SMB/CIFS Autohome Shares

Autohome shares are temporary shares created when a user logs on to the system and removed when the user logs off.

The autohome share feature requires two configuration parameters: state and autohome path, defined as follows:

If the feature is disabled, the autohome path parameter is not relevant and will not be validated.

If the feature is enabled and the path is a zero length string, the configuration will be ignored. Otherwise, the path will be validated. If the autohome path parameter does not represent an existing directory path, an informational message will be written to the system log. For example, if the specified base path was /vol1/home, the log message would be as follows:

SMB autohome: /vol1/home: no such directory

The log message is intended to inform the system administrator of the situation, but the configuration is still considered valid. The system will operate normally, but autohome shares will not be created. If the directory path is created at some later time, autohome shares will be added and removed, as required, from that point on.

To enable autohome shares:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose F, Autohome Setup.

3. Choose 1, Edit fields.

4. Select Y (yes) to enable autohome shares.

5. Type the autohome path.

The autohome path defines the base directory path for the shares. For example, if a user's home directory is /usr/home/john, then set the autohome path parameter to /usr/home. The temporary share is named john. The system assumes that the user's home directory name is the same as the user's log-in name.

6. Choose 7, Save changes.

Adding a Share

After the Server Message Block (SMB)/Common Internet File System (CIFS) setup is complete, you must define SMB/CIFS shares. Shares allow Windows users to access directories in the NAS appliance or gateway system.

To add a share:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose E, Shares.

3. Choose 8, Add a share.

4. Type the share name. This is the name that users will see on the network. The share name can be up to 15 characters in length, and can include any alphanumeric characters except those listed below:
" / \ [ ] : | < > + ; , ? * =

5. Type the path to the volume, and optionally the directory, you wish to share.

6. Type a comment about this directory, if desired.

7. If Active Directory Service (ADS) is enabled for the share, as described under Configuring Windows Security, specify the location in the ADS directory where the share will be published.

Type the container information following LDAP DN (Lightweight Directory Access Protocol, distinguished name) notation. Objects, such as users and shares, are located in Active Directory domains according to a hierarchical path, which includes each level of "container" objects.

Type the path in terms of the cn (common name) folder or ou (organizational unit) of the share. Do not include the domain name in the path. The cn containers are default folders in the root folder. All other containers are ou folders. For example, if the share will reside in a shares organizational folder within an organizational parent folder called accounting, you would type the following:

ou=shares,ou=accounting

8. If your system is configured for Windows Workgroup mode, as described under Configuring Windows Security:

Together with the Group ID field, the UID provides the sole means of security for NAS file ownership and access by Windows Workgroup users.

9. Choose 7, Save changes.
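The share-name limits in step 4 and the container-path rules in step 7 can be checked before the values are typed into the console. The following is an added example, not part of the product; the function names are assumptions, and the container check splits on commas without handling escaped commas inside a value.

```python
# Characters excluded from share names, as listed in step 4.
FORBIDDEN_CHARS = set('"/\\[]:|<>+;,?*=')
MAX_NAME_LENGTH = 15


def check_share_name(name):
    """Return a list of problems with a proposed share name."""
    problems = []
    if len(name) > MAX_NAME_LENGTH:
        problems.append(
            f"share name is {len(name)} characters; the limit is {MAX_NAME_LENGTH}")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("share name contains excluded characters: " + " ".join(bad))
    return problems


def check_ads_container(path):
    """Return a list of problems with an ADS container path.

    The path may hold only cn= and ou= components and must leave out the
    domain name, so any dc= component is reported.
    """
    problems = []
    for part in (p.strip() for p in path.split(",")):
        attr, sep, value = part.partition("=")
        attr = attr.strip().lower()
        if not sep or not value.strip():
            problems.append(f"{part!r} is not in attribute=value form")
        elif attr == "dc":
            problems.append(f"{part!r} names the domain, which must be left out")
        elif attr not in ("cn", "ou"):
            problems.append(f"{part!r} is not a cn or ou container")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("accounting", "finance:2007", "quarterly-reports-2007"):
        print(name, check_share_name(name) or "OK")
    for path in ("ou=shares,ou=accounting",
                 "ou=shares,ou=accounting,dc=example,dc=com"):
        print(path, check_ads_container(path) or "OK")
```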

Editing a Share

To edit a share:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose E, Shares.

3. Type the letter corresponding to the share you are editing.

4. Choose 1, Edit fields.

5. Modify the share name (as the new share name), and any of the other information shown. See Adding a Share for field details.

6. Choose 7, Save changes.

Deleting a Share

To delete a share:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose E, Shares.

3. Type the letter corresponding to the share you wish to delete.

4. Choose 8, Delete.


Setting Up Active Directory Service

When the Active Directory Service (ADS) is enabled and set up, the NAS appliance or gateway system performs ADS updates.

To enable ADS service:

1. From the Extensions menu, choose ADS Setup.

2. Choose 1, Edit fields.

3. Select Y (yes) to let the ADS client publish the appliance or gateway system shares to ADS.

4. Type the Windows domain on which ADS is running. The NAS appliance or gateway system must also belong to this domain.

5. Type the name of a Windows user with administrative rights. The ADS client verifies secure ADS updates with this user.

6. Type the Windows administrative user's password.

7. In the User Container field, specify the ADS path for the Windows administrative user in LDAP DN notation. For more information see Enabling ADS.

8. If the ADS domain uses sites, specify the appropriate site name in the Site field. Otherwise, leave the Site field blank. If specified, the Site will be included when selecting a domain controller.

9. Type, in uppercase letters, the Kerberos realm name used to identify ADS. This is normally the ADS domain.

10. Type the host name of the Kerberos Key Distribution Center (KDC) server. This is usually the host name of the main domain controller in the ADS domain. You can leave this field blank if the ADS client or dynamic DNS client can locate the KDC server through DNS.

11. Choose 7, Save changes.


Enabling and Disabling Quotas

Quotas track and limit the amount of disk space each user and group uses. You can turn the quota tracking function on and off. This function only enables and disables quotas. It does not set quota limits.

Note: Quota initialization takes several minutes, during which time the volume is locked and unavailable to users.

To enable or disable quotas:

1. From the Configuration menu, choose Disks & Volumes.

2. Select the drive for which you are enabling quotas.

3. Choose 1, Edit.

4. Choose 4, Quotas on/off.

5. Choose 1, Turn quotas on or 8, Turn quotas off.


Security

You can set up groups and credential mapping to ensure security. The tasks are described in the following sections:


Configuring User Groups

This section describes how to configure NAS user groups. The requirements for built-in local groups are different from those of a Windows NT system. For a complete description of user groups, see About Local Groups.

Note: In a cluster configuration, changes made to user groups on one server are propagated immediately to the other server.

Adding a Group

To add a group:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose B, Local Groups.

3. Choose 8, Add a Group to add a local group.

4. Enter the name of the group.

5. Enter a description of the group, if applicable.

6. Choose 7, Save Changes to save the new group.

Adding a Member to a Group

To add a member to a group:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose B, Local Groups.

3. Select the letter of the group you want to modify.

4. Choose 2, Members to change the membership of the group.

5. Choose 8, Add to add a member.

6. Type in the domain and user name in the following format: domain\username

The domain identifies the domain where the user name can be authenticated. For example, typing BENCHLAB\john identifies the domain BENCHLAB where the user john can be authenticated.

7. Press Enter.

8. Choose 7, Save Changes to save the new member.

Removing a Member From a Group

To remove a member from a group:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose B, Local Groups.

3. Select the letter of the group you want to modify.

4. Choose 2, Members to change the membership of the group.

5. Select the letter corresponding to the group member you want to remove.

6. Select Y in response to the prompt.


Modifying Group Privileges

Follow the steps below to modify local group privileges. For a description of user group privileges, see About Configuring Privileges for Local Groups.

Note: In a cluster configuration, changes made to user privileges on one server are propagated immediately to the other server.

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose B, Local Groups.

3. Select the letter of the group you want to modify.

4. Choose 3, Privileges to change the privileges of the group members.

5. Select the letter of the privilege that you want to add or remove.

6. Choose 7, Save Changes to save the changes that you made.


User and Group Maps

For a complete description of user and group credentials, see About Mapping User and Group Credentials.

Note: In a cluster configuration, changes made to user and group maps on one server are propagated immediately to the other server.

Adding a User Map

To add a user map:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose C, User Mapping.

3. Choose 8, Add a map.

4. In the Account field, type the domain and name of the NT user that you want to map to a Unix user.

Use the format domain\username.

5. In the Name field, type the name of the Unix user that you want to map to the NT user.

6. Choose 7, Save Changes.

Editing a User Map

To edit a user map:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose C, User Mapping.

3. Select the letter of the map that you want to edit.

4. Choose 1, Edit Fields.

5. Enter your changes.

6. Choose 7, Save Changes.

Removing a User Map

To remove a user map:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose C, User Mapping.

3. Select the letter of the user map that you want to delete.

4. Choose 8, Delete.

Adding a Group Map

To add a group map:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose D, Group Mapping.

3. Choose 8, Add a map.

4. In the Account field, specify the domain and name of the NT group that you want to map to a Unix group. Use the format domain\username.

5. In the Name field, specify the name of the Unix group that you want to map to the NT group.

6. Choose 7, Save Changes.

Editing a Group Map

To edit a group map:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose D, Group Mapping.

3. Select the letter of the group map that you want to edit.

4. Choose 1, Edit Fields.

5. Enter your changes.

6. Choose 7, Save Changes.

Removing a Group Map

To remove a group map:

1. From the Extensions menu, choose CIFS/SMB Configuration.

2. Choose D, Group Mapping.

3. Select the letter of the group map that you want to delete.

4. Choose 8, Delete.


Mapping and Securable Objects

This section details the interaction between user or group credential mapping and the securable objects within the system, such as files and directories.

Objects residing on the system are classified according to the domain from which their security attributes were set:

No mapping is performed when a Windows user accesses a Windows object. Similarly, no mapping is performed when a Unix user accesses a Unix object. These are considered to be native access conditions. Also, because Windows objects have both Windows and Unix security attributes, no mapping is required when a Unix user accesses a Windows object, even though it is a nonnative access situation.

The only time mapping is required is when a Windows user accesses a Unix object. When a Windows user accesses a Unix object, the object's Unix security attributes are mapped to the Windows domain and the Windows security policy is applied.

Objects can migrate from either domain to the other as the security attributes are changed. By default, however, only the migration from Unix to Windows is allowed. Specifically, a Unix object becomes a Windows object when its security attributes are changed using SMB.

The security attributes of a Windows object cannot be changed by reassigning its security attributes using NFS, because this could potentially weaken the access control protecting the object. Windows security is based on security descriptors, which cannot always be accurately represented using Unix security attributes. The NAS OS provides two mechanisms that allow the attributes of a Windows object to be modified using NFS, however: the chsmb command and the acl.overwrite.allowed environment variable. These are described separately below.

Using the chsmb Command

The chsmb command can be used to remove a single Windows security descriptor, or the entire Windows security descriptor database for a volume. To apply the chsmb command to an individual file or directory, specify the absolute path to that object. chsmb does not perform recursive operations, so subdirectories or files contained within a directory are not affected if the command is applied to a directory.

The following examples illustrate how to use the chsmb command.

chsmb /vol1/shared/bin/file.doc
chsmb /vol1

The chsmb command affects file security, so be careful when using this command. When a volume is specified, the chsmb command will issue a warning and prompt for confirmation before any action is taken.

Using the acl.overwrite.allowed Environment Variable

If the acl.overwrite.allowed environment variable is not defined or is defined as NO, the default volume behavior is applied; that is, the attributes of a Windows object cannot be changed using NFS.

If the acl.overwrite.allowed environment variable is set to YES, Unix commands, such as chown, chgrp, and chmod are permitted. If the attributes of a Windows object are modified using NFS, the Windows security descriptor will be deleted and the object will become a Unix object.


Configuring the Host List

The console allows you to configure host information.

Note: In a cluster configuration, changes made to the host list on one server are propagated immediately to the other server.

Adding a Host

To add a host:

1. From the Configuration menu, choose Hosts.

2. Enter the new host name.

The system verifies that the host name does not already exist.

3. Press Enter to add the host.

4. Type the new host IP address.

5. Choose 7, Save changes.

Editing an Existing Host

To edit an existing host:

1. From the Configuration menu, choose Hosts.

2. Enter the name of the host you are editing.

3. Choose 1, Edit.

4. Type the new host name or IP address.

5. Choose 7, Save changes.

Deleting a Host

To delete a host:

1. From the Configuration menu, choose Hosts.

2. Enter the name of the host you are deleting.

3. Choose 8, Delete.


Managing Trusted Hosts

Use the Trusted Hosts menu option to manage hosts that have unrestricted access to all resources.

Note: In a cluster configuration, changes made to trusted hosts on one server are propagated immediately to the other server.

Adding a Trusted Host

To designate a trusted host:

1. From the Access Control menu, choose Trusted Hosts.

2. Enter a host name.

Note: To add a trusted host, the host must exist on the host list or NIS.

The system verifies that the trusted host name does not already exist. If the trusted host exists, the host information is displayed. If the host is not trusted, the system displays a warning.

3. Choose 7, Add to list.

The new trusted host is added, and the system displays the name at the top of the screen.

Deleting a Trusted Host

To delete a trusted host:

1. From the Access Control menu, choose Trusted Hosts.

2. Enter the name of the trusted host that you are deleting.

3. Choose 8, Delete.

The trusted host is removed from the list.

4. If the removed trusted host loses access to any volumes currently mounted, unmount and then remount those volumes (exporting them first if necessary).


Managing Volume Access for NFS Clients

To manage volume access for NFS clients:

1. From the Access Control menu, choose Volume Access.

2. Type the letter corresponding to the volume whose access you want to change.

3. Enter the number corresponding to the type of access you are assigning: read/write access, read-only access, or no access.

Note: Hosts on the trusted list are allowed read/write access regardless of the volume access parameters.

Note: Do not allow any access, either read or write, to the cvol volume.

4. Choose 7, Save changes. Any existing NFS mounts are updated to reflect the new parameters.

Any changes to volume access affect the currently mounted volumes. For example, changing the access from read/write to none will cause any currently mounted NFS clients to lose their connections.

In a cluster environment, access changes are made through the server that owns the volume. During and/or after a reboot of that server, the partner server will own the volume, and will recognize the changed access levels. When the volume fails over to the partner head, changes to the volume access can be made again, if required.


Locking and Unlocking the Console

You can disable or enable most of the main console menu options, preventing unauthorized use of those options. You must set the administrative password to secure the console.

In a cluster configuration, changes made to the lock/unlock status apply only to the server where you are logged in. Such changes do not propagate to the other server.

Locking the Console

To lock the console:

1. From the Operations menu, choose Lock Console.

2. Type the administrative password.

3. Select Y (Yes).

Unlocking the Console

To unlock the console:

1. From the main console menu, choose Unlock Console.

2. Type the administrative password.

3. Select Y (Yes).


Mirroring File Volumes

This section describes how to mirror file volumes from one NAS appliance (known as the active appliance) to another NAS appliance (the mirror appliance). It contains the following topics:

For more information on mirroring, see Chapter 9.

Note: When using file replication with a cluster configuration, do not perform mirror operations (such as change role) when the cluster is in a degraded state.


Configuring Active and Mirror Servers

After the primary IP addresses have been configured on the active and mirror servers, and you have designated the roles of the ports connecting the two servers with one another as Mirror, configure mirroring on the active and mirror servers.

Configuring a New Active Server With a New Mirror Server

Follow these steps first on the active server and then, using Telnet, on the mirror server.

To configure a new active server with a new mirror server:

1. From the Configuration menu, choose Host Names and Network.

2. Choose 1, Edit Fields.

3. If you have not done so already, configure the ports connected to a local network or subnet.

For more information about configuring TCP/IP using the console, see Configuring TCP/IP. For more information on configuring ports, see Chapter 5.

4. Assign the server name and IP address for the port used for the connection between the active and mirror systems.

5. In the Role field of the port used for the connection between the active and mirror servers, select Mirror.

6. Choose Save to save changes and return to the main console menu.

7. Set up DNS and NIS/NIS+, if these services are available, and the name service lookup order.

For more information about setting up name services, see Name Services.

The network connections of the active and mirror systems are now configured. See the following section to continue.

Configuring an Existing Active Server With a New Mirror Server

To configure an existing active server with a new mirror server:

1. On the active server, from the Configuration menu, choose Host Names and Network.

2. Choose 1, Edit Fields.

3. Assign the server name and IP address for the port used for the connection between the active and mirror systems.

4. In the Role field of the port used for the connection between the active and mirror servers, select Mirror.

5. Open a Telnet window to the mirror system, and repeat Step 1 through Step 4.

6. In the Telnet window of the active server, press Esc until you reach the following command line:

connect to (? for list) ? [menu]

7. Log in as the administrator.

8. Type the following:

ping xxx.xxx.xx.xx

where xxx.xxx.xx.xx is the IP address of the mirror server.

9. On the mirror server, log in as administrator and type the IP address of the active server.

The network connections of the active and mirror systems are now configured. Continue by configuring file volumes for mirroring.


Configuring File Volumes

Mirroring is performed on a per-volume basis. You can mirror some or all of your volumes. You can only mirror file volumes equal to or larger than 1 gigabyte.

Note: After you set up mirroring on a file volume, you cannot rename the file volume while maintaining the mirroring connection.

Setting Up a File Volume for Mirroring

Follow these steps to set up a file volume for mirroring, first on the active system and then on the mirror system:

1. Create a small (for example, 32-megabyte) file volume named SYS before creating any other volumes.

If you already have file volumes on the active system, this step is optional.

Do not create any other file volumes on the mirror system.

2. From the Configuration menu, choose Disks and Volumes.

3. Select the drive on which you want to create the new file volume.

4. Select Create & init partition. Then select 1, sfs2.

5. Type SYS for the name, and 64 for the size in megabytes (MB).

This forces residence of the /etc directory, and the configuration files it contains, on the SYS volume.

Mirroring File Volumes

To mirror file volumes:

1. Using Telnet, connect to the active system and access the main console menu.

2. From the Operations menu, choose Licenses.

3. Select the letter corresponding to Mirroring.

4. Type the activation key exactly as provided by Sun Microsystems.

5. Press Esc until you see the main console menu.

6. In the Extensions menu, choose Mirrors.

7. Choose Add mirror to create a new mirror.

8. Select the letter corresponding to the file volume to be mirrored.

The file volume must be equal to or larger than 1 gigabyte.

9. Type the host name of the mirror system.

10. Type the private IP address, if necessary.

This is the IP address used for the mirroring connection with the mirror server.

11. Type the alternative IP addresses in the Alt IP Address fields.

12. If accessing the mirror server requires an administrative password, specify that password in the Remote admin password field.

13. Enter the size of the Transaction Buffer Reserve.

14. Choose 7, Proceed to add the mirrored file volume.

When the mirror volume reaches an In Sync state (with the active volume), the mirror volume is mounted as read-only.

Note: There can be no I/O activity to the active server during initial mirror synchronization. The volume is taken offline to avoid transient file system errors and inconsistencies.

During and after the mirror creation process, the system displays the Mirror Creation screen.

15. To view the status of the mirror, choose A.

16. To edit the alternate IP addresses or administrator password, choose 1, Edit.


Setting Warning Thresholds

When the transaction buffer reserve fills and overruns, the mirror is cracked. This screen allows you to set the percentages at which warnings are issued. The default percentages are 70, 80, and 90 percent.

To set the threshold percentages at which warnings are issued:

1. From the Extensions menu on the active server, choose Mirrors.

2. Choose 3, Threshold Config.

3. Choose 1, Edit to edit the percentages shown on this screen.

4. Type the desired percentages.

5. Type the number of hours the system must wait before reissuing the same threshold warning in the Alert Silent Period field.

6. Choose 7, Proceed.
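
The following is an added example, not code from the appliance or from this guide. It models how the warning percentages and the Alert Silent Period interact over a series of buffer readings, and estimates the time left before the reserve overruns. The sample readings, the function names, and the rule that each reading raises at most one warning (for the highest threshold reached) are assumptions.

```python
DEFAULT_THRESHOLDS = (70, 80, 90)   # default warning percentages from this section


def threshold_warnings(samples, silent_hours, thresholds=DEFAULT_THRESHOLDS):
    """Return [(hour, threshold)] warnings for a list of (hour, used_percent) samples.

    Assumptions of this model: a sample raises at most one warning, for the
    highest threshold it has reached, and the same threshold is not reissued
    until silent_hours have passed since it was last issued.
    """
    last_issued = {}            # threshold -> hour at which it was last issued
    warnings = []
    for hour, used in samples:
        reached = [t for t in thresholds if used >= t]
        if not reached:
            continue
        level = max(reached)
        previous = last_issued.get(level)
        if previous is None or hour - previous >= silent_hours:
            warnings.append((hour, level))
            last_issued[level] = hour
    return warnings


def hours_until_overrun(samples):
    """Estimate the hours until the reserve is 100% full from the last two samples.

    Returns None when the buffer is not filling (fill rate zero or negative).
    """
    if len(samples) < 2:
        return None
    (h1, u1), (h2, u2) = samples[-2], samples[-1]
    if h2 <= h1:
        raise ValueError("samples must be in increasing time order")
    rate = (u2 - u1) / (h2 - h1)        # percent of the reserve per hour
    if rate <= 0:
        return None
    return max(0.0, (100 - u2) / rate)


# Constructed readings: (hours since monitoring began, percent of reserve used).
SAMPLES = [(0, 50), (1, 72), (2, 74), (3, 81), (5, 79), (30, 75)]

if __name__ == "__main__":
    for hour, level in threshold_warnings(SAMPLES, silent_hours=24):
        print(f"hour {hour:>2}: reserve has reached {level} percent")
    print("hours until overrun at the 0-2h rate:",
          hours_until_overrun([(0, 50), (2, 60)]))
```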


Breaking the Connection and Promoting a Mirrored File Volume

To promote a file volume on the mirror server, you must first break the mirror connection. This section describes how to break the connection and promote a file volume. It contains these discussions:

Breaking the Connection Between Mirror Servers

To promote a file volume on the mirror server (for example, if the file volume on the active server is unavailable), you must first break the mirror connection. Break the mirror connection on the active server rather than on the mirror server as described in the following procedure. However, if the active server is down and you cannot access it to break the connection, you can break the mirror connection from the mirror server instead.

To break a mirror connection between mirror servers:

1. On the mirror system, view the status of the file volume by choosing Disks & Volumes from the Configuration menu.

The "*" (asterisk) appearing after the name of the mirrored file volume indicates that the file volume is currently mirrored.

Break the mirrored file volume from the mirror system only if the active system is down. To promote a file volume when the active system is up, break the mirror from the active system (not the mirror system).

2. From the Extensions menu, choose Mirrors.

3. Select the letter corresponding to the mirrored file volume that you are breaking.

4. Choose 8, Break.

Note: If possible, break the mirror from the active system.

5. When prompted to confirm the break, select Y (yes) to continue.

6. Press Esc to return to the main Mirrors screen.

Promoting a Mirrored File Volume

In the event that the active server fails, the mirror server provides high availability for mirrored file volumes. To make a mirrored file volume available to network users, you must promote the file volume. You must first break the mirror connection, then promote the mirrored file volume and configure its access rights. After a mirror connection is broken and the mirrored file volume promoted, the original and mirrored file volumes are completely independent.

Note: There is no difference between promoting a compliance-enabled file volume and a non-compliance-enabled volume. The processing is identical.

To promote a file volume on the mirror server, you must first break the mirror connection. See Breaking the Connection Between Mirror Servers for instructions. Then:

1. From the Extensions menu, choose Mirrors.

2. Choose 1, Promote Volume.

3. Select the letter corresponding to the file volume that you want to promote.

4. Choose 7, Proceed to promote the file volume (or 0 to cancel the request).

5. Indicate whether you want to assign a new name to the volume while promoting it: y (yes) or n (no).

If you respond with yes above, type the new name for the file volume on the next screen.

6. Confirm the promotion after reviewing your request. This processing cannot be reversed.

It might take several minutes to complete this process. For a mirrored file volume to be promoted, it must have reached an In Sync state at least once.

7. When the system finishes promoting the file volume, press Esc to return to the main console menu.

If you want to configure NFS file volume access, continue with these steps:

8. Choose Volume Access from the Access Control menu.

9. Set the access rights to the file volume by selecting its corresponding letter.

10. Select Read/write, Read only, or None.

11. Choose 7, Save changes to continue.

The volume has now been promoted. From here:

Promoting iSCSI LUNs

After promoting a file volume that contains iSCSI logical unit numbers (LUNs), you must promote each iSCSI LUN on that file volume. To do this:

1. From the Extensions menu, choose iSCSI Configuration.

2. Choose A, Configure iSCSI LUN.

3. Choose 5, Promote a LUN.

4. Choose 1 to begin editing.

5. Enter the name of the file volume where the promoted iSCSI LUN resides (that is, the name of the file volume as it was just promoted).

6. Enter the iSCSI target IQN identifier for the LUN to be promoted.

The maximum size displays, along with a yes/no indication of whether the LUN is thin provisioned, and the alias (if available). The maximum size and thin-provisioned values are display-only and cannot be changed.

7. Enter (or modify) a brief description (alias) for the mirrored copy that you are promoting. For a cluster configuration, this might be filled in based on the original iSCSI LUN definition, but you can edit it.

8. Choose 7 to select the access list to be used with the promoted LUN. From the list that opens, either add a new access list for use with the LUN you are defining, or type the letter corresponding to the access list you want to use.

9. Choose 7 to save the current settings.

10. Press Esc to return to the main console menu.


Reestablishing a Mirror

This procedure describes how to reestablish a mirror when the active server has failed and you have promoted the file volume on the mirror server. The promoted file volume is now the most up-to-date version and functions completely independently of the out-of-date file volume on the active system. To recreate the mirror, mirror the up-to-date file volume back to the active server and then mirror the file volume back to the mirror server as it was originally.

If you have not promoted the mirrored file volume, do not follow these instructions. The active system brings the mirror back to an In Sync state when it is back online.

In the examples that follow, Server 1 is the active server and Server 2 is the mirror server.

Reestablishing a mirror includes the following steps:

1. Breaking the mirror on Server 1

2. Deleting the out-of-date file volume on Server 1

3. Mirroring the up-to-date file volume from Server 2 back to Server 1

4. Changing roles, making Server 1 active again and Server 2 the mirror server

When the active server is brought online, it might attempt to reestablish the mirror. Therefore, you must break the mirror on Server 1.

Breaking the Mirror on Server 1

To break the mirror on Server 1:

1. On Server 1, in the Extensions menu, choose Mirrors.

2. Select the letter corresponding to the mirrored file volume.

3. Choose 8, Break.

4. Type Y (yes) to confirm breaking the mirror.

Deleting the Out-of-Date File Volume on Server 1

To delete the out-of-date file volume on Server 1:

1. Press Esc to return to the main console menu.

2. In the Configuration menu, choose Disks & Volumes.

3. Select the number corresponding to the mirrored file volume.


Caution: Before completing the following step, make sure you selected the out-of-date file volume on the active server (Server 1). Also make sure that the up-to-date file volume on the mirror server (Server 2) has been verified and promoted.

4. Choose 8, Delete.

5. Type the file name of the out-of-date file volume.

6. Choose 7, Proceed with delete to delete the out-of-date file volume.

Mirroring the Up-to-Date File Volume on Server 2 Back to Server 1

To mirror the up-to-date file volume on Server 2 back to Server 1:

1. On Server 2, in the Extensions menu, choose Mirrors.

2. Choose 8, Add mirror.

3. Select the letter corresponding to the file volume that you are mirroring.

4. Type the private host name of Server 1.

5. Type the private IP address, if necessary, and the administrator password.

6. Type the transaction buffer reserve.

For more information, see To mirror file volumes.

7. Choose 7, Proceed.

8. During the mirror creation process, select the letter corresponding to the new mirrored file volume.

When the mirror reaches an In Sync state, an identical copy of the file volume exists on both Server 1 and Server 2.

There can be no I/O activity to the mirror volume during synchronization. The volume is taken offline to avoid transient file system errors and inconsistencies while the mirror is being created.

You are now ready to change roles. See Changing Roles.

Changing Roles

To change roles:

1. From the main console menu, select the Mirror option on Server 1.

2. Select the letter corresponding to the desired volume.

3. From the Mirror Status menu, select the Change Role option.

Note: Make sure the volumes are 100 percent in sync before changing roles.

4. Select Yes to confirm.


Monitoring

You can use the console to perform monitoring functions. The following sections describe how to set up and access monitoring functions:


Configuring SNMP

The SNMP menu lets you send messages to a remote SNMP monitor, as well as modify the community string, contact information, and the location of the SNMP monitor.

To configure SNMP:

1. From the Extensions menu, choose SNMP Configuration.

Public is the default Community name. You can specify any name you want.

2. Make a selection as follows:

3. Select Y (yes) to save your changes.


Configuring Email Notification

When there is a problem with your system, the NAS appliance or gateway system sends email messages to specific recipients.

Note: You must configure DNS for email notification to function properly.

To configure email notification:

1. From the Extensions menu, choose EMAIL Configuration.

2. Choose 1, Edit fields.

3. Type the information requested for each field. Press Enter to move between fields.

Errors - Notifications sent only for errors

Errors and warnings - Notifications sent for errors and low priority warnings

None - No notifications sent

4. Type 7, Save Changes to save the current configuration.

5. Press Esc to return to the main console menu.


Configuring Diagnostic Logs

The diagnostic log feature enables you to save or send diagnostic information in one file. The single compressed file, diag.tar.gz, contains all of the following information:

To create a diagnostic file at any time:

1. From the Extensions menu, choose Diagnostics.

2. Choose 2, Save File.

3. Choose 2, Save Diagnostics File.

The compressed file is stored in the default directory, /dvol/diagnostic, up to a maximum of two files.

To change the default directory:

1. Create the directory on any file volume except one with the FSOLF_READONLY attribute, /cvol, /proc, or a checkpoint.

2. From the Extensions menu, choose Diagnostics.

3. Choose 2, Save File.

4. Choose 1, Edit Path.

5. In the PATH field, enter the complete path specification without the file name.

This location is now the default directory for all saved diagnostic files.

You can send the diagnostic file as an email message. See Sending a Diagnostic Email Message.


Viewing System Information

You can view system information from the console.

Viewing Server Status

To view server status:

1. From the Operations menu, choose Activity Monitor.

The Activity Monitor screen lists the following information:

Field - Description

Volume - First 22 file volumes.

Use% - Amount of space used on the volume.

Reqs - Number of requests processed for the volume in the last 10 seconds.

Device - Name of the device.

Load - Percentage of CPU load.

Peak - Highest usage per second in the last 10 minutes.

Client - Name or address of the user.


2. Press Esc to return to the main console menu.

Viewing the System Log

To view the system log, choose Show Log from the Operations menu. The log displays two types of entries:

Type of Entry - Used to Report

System Startup Log Entries - Device configurations, volumes, and other pertinent information.

Normal Operation Log Entries - Device errors, security violations, and other routing status information. The version release number and software serial number are listed last.


Viewing Port Bonding

To view port bonding:

1. From the Configuration menu, choose Host Name & Network.

2. Press the spacebar to scroll to the next panel.

The bond1 column shows the first port bond. The input/output information in this column is the sum of the input/output information in the two ports that you bonded.

Viewing the Checkpoint Analysis

To view the checkpoint analysis:

1. From the Configuration menu, choose Disks & Volumes.

2. Type the letter corresponding to the drive that you are configuring.

3. Choose Change/Delete volume name.

4. Choose 6, Checkpoints.

5. Choose 3, Analysis. Scroll through the analysis using the spacebar.

6. Choose 0, End Analysis to exit this screen.

Viewing the Status of a Mirrored File Volume

To view the status of a mirrored file volume:

1. On the active system, choose Mirrors from the Extensions menu.

2. Select the mirrored file volume.

In the status screen,

The progress indicator displays a progress percentage of activity within each state. A status message also gives a short text message describing the mirror status.

On the active system, these fields have meaning as follows:

Field - Description

next xid - Next Transaction ID: ID of the next transaction for the file system.

sync xid - Sync Transaction ID: Last (synchronizing) transaction that was transferred to the mirror system.

head xid - Head Transaction ID: Last transaction that was acknowledged by the mirror system.

In Sync percentage indicator - When this field is at 100 percent, the mirror system has a complete copy of the active system. If the In Sync percentage indicator displays 0 percent, then the mirror is cracked and the active server performs a block-by-block resync. While the mirror state is in the Out Of Sync state, the mirror volume is volatile until the mirror is back in sync.


On the mirror system, these fields have meaning as follows:

Field - Description

next xid - Next Transaction ID: ID of the next transaction that is expected from the active system.

sync xid - Sync Transaction ID: Last transaction that was scheduled to be written to disk.

head xid - Head Transaction ID: Last transaction that was acknowledged on disk.

In Sync percentage indicator - When this field is at 100 percent, all mirror transactions have been written to disk, and the mirror system volume is an exact copy of the active system volume.


3. To edit the alternate IP addresses or administrator password, choose 1, Edit.

4. Edit the fields, then choose 7, Proceed to save your changes.

5. To see network statistics on the mirrored file volume, choose 2, Statistics.

The screen displays the statistics for the active system, including the number of transactions into the active file volume (IN) and out of the active system to the mirrored file volume (OUT). The screen shows the average, minimum, and maximum transactions per second (t/s) for each.

The system displays the amount of free space remaining in the transaction buffer reserve (Buffer), along with the fill rate. If the fill rate is greater than zero, check to make sure that all network links are functioning properly. A fill rate greater than zero indicates transactions are travelling into the active system faster than they are travelling into the mirror system, filling up the buffer. When the buffer overruns, the mirror is cracked.

Viewing Network Statistics for All Mirrored File Volumes

To view network statistics for all mirrored file volumes:

1. On the active system, choose Mirrors from the Extensions menu.

2. Choose 2, Network Statistics.

The screen displays the total number of RCBs (Request Control Blocks) sent, the number of RCBs sent per second, and the average size of the RCBs, as well as their average response time and transfer rate.

3. Choose 1, Reset to restart this display.


Configuring the NAS for iSCSI

Follow these steps to configure the NAS appliance or gateway system as an Internet Small Computer Systems Interface (iSCSI) target. This allows iSCSI initiators (host applications) to connect to, and access, iSCSI logical unit numbers (LUNs) on the NAS device:

1. Configure the iSCSI initiator client, referring to the documentation provided with the iSCSI initiator software.

2. Create one or more access lists, each comprising a list of iSCSI initiators that can access a specific set of iSCSI LUNs on the NAS device. Refer to Creating an iSCSI Access List for further details. You will associate the appropriate access list with each LUN during LUN definition.

3. Configure one or more iSCSI LUNs, each corresponding to an area of storage on the NAS device that will be accessible to iSCSI clients. Refer to Creating an iSCSI LUN for further details. Assign the appropriate access list to each LUN, to identify those iSCSI initiators that can access it.

4. If using the iSNS iSCSI target discovery method, configure an iSNS server, referring to Specifying an iSNS Server for further details.

This section contains the following topics:


Creating an iSCSI Access List

An Internet Small Computer Systems Interface (iSCSI) access list defines a set of iSCSI initiators that can access one or more iSCSI logical unit numbers (LUNs) on the NAS device.

Follow these steps to create or edit an iSCSI access list:

1. From the Extensions menu, choose iSCSI Configuration.

2. Choose B, Configure Access List.

3. Choose 7 to add a new access list (or type the letter corresponding to the list you want to edit).

4. Choose 1 to begin editing.

5. Enter the name of the access list, specified as any one or more characters.

6. Enter the full name of the Challenge Handshake Authentication Protocol (CHAP) initiator that is configured by the iSCSI initiator software (for example, iqn.1991-05.com.microsoft:iscsi-winxp).

If you leave this field blank, CHAP authorization will not be required. Refer to the iSCSI initiator documentation for more information.

7. Enter the CHAP password (minimum of 12 characters).

8. Enter the iSCSI Qualified Name (IQN) name of each client initiator that belongs to the list. Specify each name as any one or more characters. When you are through, press Enter with no initiator name specified.

CHAP ensures that the incoming data is sent from an authentic iSCSI initiator. If you do not specify at least one initiator IQN name, any initiator can access the target.

9. Choose 7 to save the current settings.

10. Press Esc to return to the main console menu.
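
The following is an added example, not part of the original guide or of the appliance software. It audits access-list definitions for the weak settings this procedure allows: a blank CHAP initiator, a CHAP password shorter than 12 characters, and an empty initiator list. Because the console accepts any characters, it also flags names that do not follow the RFC 3720 iqn. or eui. forms. The AccessList record, the finding codes, and the sample lists are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

CHAP_MIN_PASSWORD_LEN = 12  # minimum given in step 7 of the procedure

# Name forms defined by RFC 3720 (not by the console, which accepts any characters):
#   iqn.<yyyy-mm>.<reversed domain>[:<suffix>]   or   eui.<16 hex digits>
IQN_RE = re.compile(r"^iqn\.\d{4}-(0[1-9]|1[0-2])\.[a-z0-9][a-z0-9.-]*(:\S+)?$")
EUI_RE = re.compile(r"^eui\.[0-9a-f]{16}$")


@dataclass
class AccessList:
    """One access list as typed on the Configure Access List screen (hypothetical model)."""
    name: str
    chap_initiator: str = ""                        # blank: CHAP is not required
    chap_password: str = ""
    initiators: list = field(default_factory=list)  # empty: any initiator can access


def well_formed(initiator_name):
    """True if the name matches the RFC 3720 iqn. or eui. form (compared in lower case)."""
    n = initiator_name.strip().lower()
    return bool(IQN_RE.match(n) or EUI_RE.match(n))


def audit(acl):
    """Return a list of (severity, code, detail) findings for one access list."""
    findings = []
    chap_on = bool(acl.chap_initiator.strip())
    members = [i.strip() for i in acl.initiators if i.strip()]

    if not chap_on and not members:
        findings.append(("high", "open-target",
                         "no CHAP and no initiator names: any initiator can access the target"))
    elif not chap_on:
        findings.append(("medium", "no-chap",
                         "initiators are identified only by the name they report"))
    elif not members:
        findings.append(("medium", "any-initiator",
                         "CHAP is set but the list does not restrict initiator names"))

    if chap_on and len(acl.chap_password) < CHAP_MIN_PASSWORD_LEN:
        findings.append(("high", "chap-password-short",
                         f"CHAP password has {len(acl.chap_password)} characters, "
                         f"minimum is {CHAP_MIN_PASSWORD_LEN}"))

    # A mistyped name is stored as entered and never matches the intended initiator.
    names = members + ([acl.chap_initiator.strip()] if chap_on else [])
    for n in names:
        if not well_formed(n):
            findings.append(("low", "malformed-name", n))
    return findings


def codes(acl):
    """Finding codes only, in the order audit() produced them."""
    return [code for _sev, code, _detail in audit(acl)]


# Constructed sample data, not taken from a real appliance.
SAMPLE_LISTS = [
    AccessList("backup", "iqn.1991-05.com.microsoft:iscsi-winxp", "S3cure-Chap-Secret",
               ["iqn.1991-05.com.microsoft:iscsi-winxp"]),
    AccessList("lab"),                                   # every field left blank
    AccessList("db", "iqn.1991-05.com.microsoft:db01", "short",
               ["iqn.1991-13.com.microsoft:db01"]),      # month 13 is a typo
    AccessList("legacy", "", "", ["iqn.1991-05.com.microsoft:old-host"]),
]

if __name__ == "__main__":
    for acl in SAMPLE_LISTS:
        for sev, code, detail in audit(acl) or [("ok", "-", "no findings")]:
            print(f"{acl.name:8} {sev:6} {code:20} {detail}")
```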


Creating an iSCSI LUN

In order to configure the NAS appliance or gateway system as an Internet Small Computer Systems Interface (iSCSI) target, you must configure one or more iSCSI logical unit numbers (LUNs) that will be accessible to iSCSI clients. Each iSCSI LUN uses a dedicated storage area (on a standard NAS file volume) to provide physical storage for data processed by iSCSI client applications.

Before adding or editing an iSCSI LUN, ensure that you have created the corresponding access list for the LUN. For more information, see Creating an iSCSI Access List.


Caution: You can configure more than one iSCSI initiator to access the same target LUN; however, the applications running on the iSCSI client server must ensure synchronized access to avoid data corruption.

Follow these steps to create an iSCSI LUN:

1. From the Extensions menu, choose iSCSI Configuration.

2. Choose A, Configure iSCSI LUN.

3. Choose 7 to add a new iSCSI LUN (or type the letter corresponding to the iSCSI LUN you want to edit).

4. Choose 1 to begin editing.

5. Enter the name of the iSCSI LUN, specified as one or more alphanumeric characters (a-z, A-Z, 0-9), periods (.), hyphens (-), or colons (:).

The target name you specify will be prefixed with the full iSCSI Qualified Name (IQN) name according to the following naming convention:

iqn.1986-03.com.sun:01:mac-address.timestamp.user-specified-name

For example, if you type the name lun1, the full name of the iSCSI target LUN is:

iqn.1986-03.com.sun:01:mac-address.timestamp.lun1

Note: The timestamp is a hexadecimal number representing the number of seconds after 1/1/1970.

6. Enter a brief description (or alias) for the target LUN. Press Enter without typing a value to leave this field blank.

7. Enter the name of the NAS file volume where the iSCSI LUN will be created.

8. Enter the maximum size for the LUN, in bytes (bytes format), kilobytes (bytesK format), megabytes (bytesM format), or gigabytes (bytesG format). The minimum capacity is 100 megabytes; the maximum capacity is 2 terabytes (2000G).

9. Select Y (yes) to create a thin provisioned LUN. A thin provisioned LUN sets the file size attribute to the specified capacity, but the disk blocks are not allocated until data is written to the disk.

If you create a non-thin provisioned LUN, disk blocks will be allocated based on the capacity of the LUN you are creating. When creating non-thin provisioned iSCSI LUNs, allow approximately 10% extra space on the volume for file-system metadata. For example, a 100 gigabyte iSCSI LUN must reside on a 110 gigabyte volume to allow non-thin provisioned LUN creation.

For more information about deciding to use thin provisioned or non-thin provisioned LUNs, see About SCSI Thin-Provisioned LUNs.

10. Select 7 to select the access list to be used with this LUN. From the list that opens, either add a new access list for use with the LUN you are defining, or type the letter corresponding to the access list you want to use.

11. Choose 7 to save the current settings.

12. Press Esc to return to the main console menu.
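When a full target name appears in an initiator configuration or a log, the naming convention in step 5 lets you recover which LUN it refers to and the time encoded in it. The following parser is an added example, not part of the NAS software; it treats the mac-address field as an opaque string that contains no period (an assumption), and the sample name is constructed.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

PREFIX = "iqn.1986-03.com.sun:01:"          # fixed prefix from the naming convention
NAME_RE = re.compile(r"[A-Za-z0-9.:-]+")    # characters step 5 allows in a LUN name
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

class TargetName(NamedTuple):
    mac: str             # kept opaque; assumed to contain no period
    timestamp: datetime  # hex field decoded as seconds after 1/1/1970, in UTC
    lun_name: str

def build_target_name(mac, timestamp, lun_name):
    """Compose the full target name for a user-specified LUN name."""
    if not NAME_RE.fullmatch(lun_name):
        raise ValueError(f"LUN name has characters outside step 5's set: {lun_name!r}")
    return f"{PREFIX}{mac}.{int(timestamp.timestamp()):x}.{lun_name}"

def parse_target_name(iqn):
    """Split a full target name into MAC field, timestamp and LUN name."""
    if not iqn.startswith(PREFIX):
        raise ValueError("name does not start with " + PREFIX)
    # Split at most twice: the user-specified name may itself contain periods.
    parts = iqn[len(PREFIX):].split(".", 2)
    if len(parts) != 3 or not parts[0]:
        raise ValueError("expected mac-address.timestamp.user-specified-name")
    mac, stamp, lun_name = parts
    if not HEX_RE.fullmatch(stamp):
        raise ValueError(f"timestamp field is not hexadecimal: {stamp!r}")
    if not NAME_RE.fullmatch(lun_name):
        raise ValueError(f"LUN name has characters outside step 5's set: {lun_name!r}")
    decoded = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
    return TargetName(mac, decoded, lun_name)

# Constructed sample: the MAC field and timestamp are made up for illustration.
SAMPLE = "iqn.1986-03.com.sun:01:00144f0a1b2c.45e1f2a0.db.lun1"

if __name__ == "__main__":
    print(parse_target_name(SAMPLE))
```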


Specifying an iSNS Server

An Internet Small Computer Systems Interface (iSCSI) initiator can locate its iSCSI NAS target using any of several methods, as detailed under About iSCSI Target Discovery Methods. One such method is through an Internet Storage Name Service (iSNS) server, which enables iSCSI initiators to discover the existence, location, and configuration of iSCSI targets.

Follow these steps to enable use of an Internet Storage Name Service (iSNS) server for iSCSI target discovery. The NAS iSNS client inter-operates with any standard iSNS server, such as Microsoft iSNS Server 3.0.

To specify the iSNS server:

1. From the Extensions menu, choose iSCSI Configuration.

2. Choose C, Configure iSNS Server.

3. Choose 1 to edit the field shown.

4. Enter the Internet Protocol (IP) address of the iSNS server.

5. Choose 7 to save the current setting.

6. Press Esc to return to the main console menu.


System Maintenance

This section describes the system maintenance and setup functions that can be performed from the console, as follows:


Configuring File Transfer Protocol (FTP) Access

FTP is an Internet protocol used to copy files between a client and a server. FTP requires that each client requesting access to the server must be identified with a username and password.

Types of Users

You can set up three types of users:

The administrator has root access to all volumes, directories, and files on the system. The administrator's home directory is defined as "/".

The user has access to all existing directories and files within the user's home directory. The home directory is defined as part of the user's account information and is retrieved by the name service.

Note: Guest users cannot rename, overwrite, or delete files; cannot create or remove directories; and cannot change permissions of existing files or directories.

Setting Up FTP Access

To set up FTP access:

1. From the Extensions menu, choose FTP Configuration.

2. Choose 1, Edit Fields.

3. Select Y (yes) to enable FTP or N (no) to disable it.

If FTP service is enabled, the FTP server will accept incoming connection requests.

4. In Allow guest access, select Yes to enable access to the FTP server by anonymous users or No to disable access.

5. In Allow user access, select Yes to enable access to the FTP server by all users or No to disable access.

This does not include the admin or root user.

Note: User names and passwords must be specified in the local password file or on a remote NIS or NIS+ name server.

6. In Allow admin access, select Yes to enable root access to those in possession of the Sun StorageTek administrative password (use with caution) or No to disable access.

Note: A root user has a user ID (UID) equal to 0, and the user name admin.

7. In Enable logging, select Yes to enable logging or No to disable logging.

8. If you enable logging, in Log filename specify the log file name.

9. Choose 7, Save changes.


Shutting Down the System

The NAS software is designed for continuous operation, but if you need to shut it down, you can do so from Web Administrator, the console, or the LCD panel.

To shut down the system:

1. From the Operations menu, choose Shutdown.

2. Select the desired option by typing the appropriate letter option.

If you reboot, halt, or boot with a previous software version, the server reboots or turns off after all the delayed writes to disks are completed.


Managing Head Failover

In the event of a server failure, failover causes the working server to take temporary ownership of the Internet Protocol (IP) addresses and logical unit numbers (LUNs) formerly managed by the failed server. Follow the directions below to enable server failover and to initiate failback (recover).

Configuring Failover

To configure failover:

1. From the Extensions menu, choose Failover/Move LUNs.

Note: Failover/Move LUNs is available only in cluster configurations. You cannot enable or disable logical unit number (LUN) failover for a single-server system.

2. If the option is available, choose 3, Edit Failover.

3. Select Y (yes) to enable head failover.

4. Then:

5. Choose 2, Modify to rearrange logical unit number (LUN) ownership by adapter. When the restore process occurs, this is the resulting configuration.

6. Select Y (yes) to save your changes.

Restoring the System, Initiating Failback

To restore the system, initiating failback:

1. Replace or repair the faulty component and make sure that it is online.

2. From the Extensions menu, choose Failover/Move LUNs.

Note: Failover/Move LUNs is available only in cluster configurations. You cannot enable or disable logical unit number (LUN) failover for a single-server system.

3. Choose 1, Restore.

4. Select Y (yes) to proceed with the restore process.


Configuring LUN Paths

See About Setting LUN Paths for more information on logical unit number (LUN) paths and the use of the GUI in setting them.

To edit a LUN path:

1. From the Extensions menu, choose LUN Ownership.

The LUN Ownership screen displays all LUNs whose paths can be changed. A LUN can be reassigned only if there are no file systems on that LUN. For a cluster configuration, only the server that "owns" a LUN can reassign it to another server.

Note: With a cluster configuration, when you first start the system, all LUNs are assigned to one server (Head 1). You must use that server to reassign some LUNs to the partner server for even distribution.

Note: LUNs that have no LUN path assigned might initially appear multiple times in the LUN Ownership screen, as their presence is advertised by multiple controllers over multiple paths. After a LUN has a path assigned, it is shown once, on its current path.

2. Select a LUN path by typing the letter to the left of the desired path.

3. Choose 1, Edit to edit the LUN path.

The Configure LUN Path screen displays all the available paths for the LUN. The current or active LUN path is marked as Active. If the primary path is set for the LUN, it is marked as Primary.

4. Enter the number of the LUN path to which you want to change.

Evenly divide the assignment of LUNs to the two available paths. For example, the first and third LUN to path 1, and the second and fourth LUN to path 2.

5. Select Y (yes) to save your changes.


Scheduling File Checkpoints

A checkpoint is a virtual read-only copy of a primary file volume. See About File-System Checkpoints for detailed information about checkpoints.

To schedule checkpoints:

1. From the Configuration menu, choose Disks & Volumes.

2. Select the drive for which you are scheduling checkpoints.

Note: If you have more than 26 drives (disk volumes), press the spacebar to scan through them.

3. Choose 1, Edit.

4. Choose 6, Checkpoints.

5. Follow the prompts at the bottom of the screen, pressing Enter to tab through the fields.

6. After specifying all of the checkpoint information, choose 7, Save changes.


Configuring NDMP Backup

The Network Data Management Protocol (NDMP) is an open protocol for network-based backup. NDMP architecture lets you use any NDMP-compliant backup administration application to back up your network-attached storage device.

By default, the current release uses V4 of NDMP, although V3 is supported. To verify the version, use the following command:

ndmp show version

To use V3, use the following command, but verify that no client systems use V4:

ndmp set version=3

To complete the configuration, you need to specify the complete paths to the devices. Use the following command to display the paths:

ndmp devices

To set up NDMP:

1. Configure the backup administration application to log in:

a. Enter the user name admin.

Note: In version 4.20, you specified the user name administrator.

b. Specify the same password used by the console administrator.

2. Configure the backup administration application to locate the devices on which the volumes reside. Specify the complete path to the device and the device's identifier, using the ndmp devices command.

Note: In version 4.20, you specified only the device's identifier.

3. For each file volume, verify that checkpoints are enabled and backup checkpoints are enabled. To view or set these settings, choose File Volume Operations > Edit Volume Properties.

4. From the Extensions menu, choose NDMP Setup.

5. Select the network interface card (NIC) port adapter or bond port used to transfer data to the backup tape drive (typically an interface configured with independent role).

6. Press Enter.

7. Specify the full path, such as /vol_ndmp, for the directory used to store intermediate backup data and a permanent log of backup history. The directory must be independent from the volumes scheduled for backup, and at least 2 gigabytes in size.

8. Press Enter to save changes.


Configuring System Auditing

System auditing is a service that allows the administrator to audit particular system events by storing records of those events in log files. For more details about system auditing, refer to About System Auditing.

To configure system auditing:

1. From the Extensions menu, choose System Audit Configuration.

2. Choose 1, Edit fields.

3. Enable auditing and specify the path for the audit log and the maximum file size for the log file.

4. Choose 7, Save changes.