Documentation for Access Rights Manager

Prepare NetApp clustered data ONTAP file servers

Collectors for NetApp file servers

Collectors for NetApp file servers are dedicated Windows servers with the collector service running.

We strongly recommend that you use a Collector server within the same network segment as the NetApp file server, otherwise performance and routing problems may occur.

Unlike on Windows file servers, the FS Logga for NetApp file servers does not require a filter driver installation.

 

Set NetApp file servers findable

NetApp file servers registered in Active Directory have a typical value in the LDAP attribute operatingSystem. The collector uses this property to detect NetApp file servers and marks them as NetApp file server type in the FS Logga configuration.

By default, the operatingSystem value of the NetApp file servers is set to OnTap or NetApp in the collector configuration file. If your NetApp file servers use different values for the operatingSystem property, you can adjust the search parameters.

If your NetApp file server is not registered in Active Directory, you must create a computer account and set the operatingSystem attribute accordingly.

 

Configuration file

pnCollector.config.xml

 

Computer

Collector server which is configured for the NetApp file server.

 

Path

%ProgramData%\Protected Networks\8MAN\cfg

If the file does not exist, copy the "template" from the following path:

old: %ProgramFiles%\Protected Networks\8MAN\etc

new: %ProgramFiles%\solarwinds\ARM\etc

 

Code

<?xml version="1.0" encoding="utf-8"?>
<config>
  <tracer>
    <netapp>
      <NetappOperatingSystems>OnTap,NetApp</NetappOperatingSystems>
    </netapp>
  </tracer>
</config>

 

Possible Values

Add your operatingSystem values comma-separated.

If your NetApp file servers use different values for the operatingSystem property, insert all of these values separated by commas.

If none or not all of your NetApp file servers register the operatingSystem property in Active Directory, leave the entry empty in the collector's configuration file. With an empty entry, every computer account in Active Directory that is not an EMC or Windows computer and is visible to the account in use will be listed.
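The following shell script is an added example for this page; it is not part of the ARM documentation or of the collector's own code. It turns the comma-separated NetappOperatingSystems value from pnCollector.config.xml into an LDAP filter that you can run against Active Directory to check which computer accounts such a lookup returns before the collector does it. It assumes, which the page does not state, that the attribute value is compared exactly and that the XML element sits on a single line; the sample configuration file is constructed.

```shell
#!/bin/sh
# Added example, not part of the ARM documentation or the collector's code.
# Builds the LDAP filter for the NetappOperatingSystems list so an admin can
# check in Active Directory which computer accounts will be detected.
# Assumptions not stated on the page: exact match on operatingSystem, and
# the XML element sits on one line.

# Escape the characters RFC 4515 reserves in assertion values, so a value
# containing "*", "(", ")" or "\" cannot change the structure of the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Usage: netapp_ldap_filter "OnTap,NetApp"
# Whitespace around commas is ignored. An empty list yields a filter for all
# computer accounts, mirroring the page's note that an empty entry makes every
# non-EMC, non-Windows computer account visible.
netapp_ldap_filter() {
    clauses=""
    count=0
    set -f                       # no globbing while splitting on commas
    old_ifs=$IFS; IFS=','
    for raw in $1; do
        value=$(printf '%s' "$raw" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$value" ] || continue
        clauses="${clauses}(operatingSystem=$(ldap_escape "$value"))"
        count=$((count + 1))
    done
    IFS=$old_ifs; set +f
    case $count in
        0) printf '(objectClass=computer)\n' ;;
        1) printf '(&(objectClass=computer)%s)\n' "$clauses" ;;
        *) printf '(&(objectClass=computer)(|%s))\n' "$clauses" ;;
    esac
}

# Pull the list out of a pnCollector.config.xml file.
config_os_list() {
    sed -n 's|.*<NetappOperatingSystems>\(.*\)</NetappOperatingSystems>.*|\1|p' "$1"
}

# Demo on a constructed config (the page's template, with a space after the comma).
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<config>
  <tracer>
    <netapp>
      <NetappOperatingSystems>OnTap, NetApp</NetappOperatingSystems>
    </netapp>
  </tracer>
</config>
EOF
netapp_ldap_filter "$(config_os_list "$sample_cfg")"
rm -f "$sample_cfg"
```

The printed filter can be passed to any LDAP client, for example `ldapsearch -LLL -b "DC=example,DC=com" "<filter>" operatingSystem` (base DN assumed), to list the accounts and their operatingSystem values; any NetApp server missing from that result needs its computer account created or its attribute set as described above.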

 

Set up encrypted data transfer on the collector

The following steps are only necessary if communication between NetApp and the collector is to be encrypted.

If you have configured encrypted data transfer (see chapter Creating the External Engine Configuration), you also have to adapt the pnTracer.config.xml file on the collector server. For each file server (CIFS server on the NetApp) to be monitored on this collector, the following entry has to be added under <tracer><netapp><ssl><cifsServers>:

<name of cifs server>
  <switchOn type="System.Boolean">true</switchOn>
  <protocol type="System.Int32">5</protocol>
  <serverCertificateName>name of certificate from certificate store to use</serverCertificateName>
</name of cifs server>

 

The certificate must be installed in the computer's certificate store.

For <protocol> the following values are possible: TLS = 1, TLS1.1 = 2, TLS1.2 = 3, SSL2 = 4, SSL3 = 5. Default is SSL3 (5).

Choose a protocol available on both collector and NetApp. SSL2 and SSL3 are obsolete and no longer considered secure, so prefer TLS1.2 (3) wherever both sides support it.

 

FPolicy feature

The FS Logga for NetApp file servers uses the NetApp FPolicy feature, which therefore has to be activated and properly configured via the CLI.

To configure the FPolicy feature you have to use an account with the admin or vsadmin role on the NetApp.

 

In all of the following CLI commands, the placeholder <vserver_name> has to be replaced by the name of the SVM (Storage Virtual Machine).

 

Creating the event configuration

The event configuration determines:

  • which events will be monitored
  • which events will not be monitored
  • which protocol is used (only the CIFS protocol is supported by FS Logga)

Change only the placeholder <vserver_name>. Any other change may lead to missing events in the reports, or to higher load on the collector and the NetApp because unused events are processed.

 

Command

fpolicy policy event create -vserver <vserver_name> -event-name event_8manlogga_cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -protocol cifs -filters first-read,first-write,open-with-delete-intent

 

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

 

With the following command you can check the result:

fpolicy policy event show

 

Creating the External Engine Configuration

The External Engine Configuration determines to which server (defined by IP address and port) the events have to be sent by the NetApp. The IP address has to be an address of the FS Logga collector that is reachable by the NetApp. The port must be a free and reachable port on the collector.

 

Command

fpolicy policy external-engine create -vserver <vserver_name> -engine-name engine_8manlogga -primary-servers <collector-ip> -port 2002 -extern-engine-type asynchronous -ssl-option <ssl-option>

 

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<collector-ip> - IP address of the collector

<ssl-option>

  • "no-auth" - no encryption
  • "server-auth" - use encryption

If you want to use encryption, it must be configured on the collector and on the NetApp.

 

With the following command you can check the result:

fpolicy policy external-engine show

 

Creating the FPolicy Configuration

The FPolicy Configuration combines the event configuration and the External Engine Configuration into one policy.

 

Command

fpolicy policy create -vserver <vserver_name> -policy-name 8manlogga -events event_8manlogga_cifs -engine engine_8manlogga -is-mandatory false

 

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

 

With the following command you can check the result:

fpolicy policy show

 

Creating the scope for the FPolicy

Use the following command to specify the volumes to be monitored, including their shares, directories, and files.

 

Command

fpolicy policy scope create -vserver <vserver_name> -policy-name 8manlogga -volumes-to-include "*"

 

Optional: Replace

"*"

If only certain volumes are to be monitored, we recommend specifying a comma-separated list of these volumes instead of the wildcard ("*"). This reduces the load on the NetApp file server and on the collector.

 

Enable FPolicy

If all of the above steps were successful, you need to activate the policy. Even if only one policy is defined, the system requires a sequence number.

 

Command

fpolicy enable -vserver <vserver_name> -policy-name 8manlogga -sequence-number 1

 

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

The sequence number must always be specified, even if there is only one FPolicy. It determines the order in which the FPolicies are processed.

 

With the following command you can check the result:

fpolicy show-enabled
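The FPolicy steps above (event, external engine, policy, scope, enable) are usually typed one by one into the clustershell. The following shell function is an added example, not part of the ARM documentation or of NetApp's tooling: it validates the inputs that the placeholders take (an SVM name, an IPv4 collector address, and an ssl-option limited to the two values the page lists) and renders the whole sequence, plus the final check, so it can be reviewed once and then sent to the cluster in one go. The port, the volume list format (comma-separated, no spaces) and the IPv4 assumption are mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of the ARM documentation or NetApp's tooling.
# Renders the FPolicy command sequence from the sections above with the
# placeholders filled in, after validating the inputs.
# Assumptions not stated on the page: the collector address is IPv4 and the
# optional volume list is comma-separated without spaces.

# Usage: fpolicy_commands <vserver_name> <collector-ip> <ssl-option> [volumes] [port]
fpolicy_commands() {
    vserver=$1 ip=$2 ssl=$3 volumes=${4:-"*"} port=${5:-2002}

    [ -n "$vserver" ] || { echo "vserver name required" >&2; return 1; }

    # Only the two values the page documents; "server-auth" also needs the
    # collector certificate and the client-ca install from the later sections.
    case $ssl in
        no-auth|server-auth) ;;
        *) echo "ssl-option must be no-auth or server-auth" >&2; return 1 ;;
    esac

    # Dotted-quad check: exactly four numeric octets, each 0..255, nothing else.
    old_ifs=$IFS
    set -f; IFS=.
    set -- $ip
    IFS=$old_ifs; set +f
    [ $# -eq 4 ] && [ "$1.$2.$3.$4" = "$ip" ] || { echo "collector ip must be an IPv4 dotted quad" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) echo "bad octet: $octet" >&2; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "bad octet: $octet" >&2; return 1; }
    done

    # The five commands in the order the page gives them, then the check.
    cat <<EOF
fpolicy policy event create -vserver $vserver -event-name event_8manlogga_cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -protocol cifs -filters first-read,first-write,open-with-delete-intent
fpolicy policy external-engine create -vserver $vserver -engine-name engine_8manlogga -primary-servers $ip -port $port -extern-engine-type asynchronous -ssl-option $ssl
fpolicy policy create -vserver $vserver -policy-name 8manlogga -events event_8manlogga_cifs -engine engine_8manlogga -is-mandatory false
fpolicy policy scope create -vserver $vserver -policy-name 8manlogga -volumes-to-include "$volumes"
fpolicy enable -vserver $vserver -policy-name 8manlogga -sequence-number 1
fpolicy show-enabled
EOF
}

# Demo with constructed values: SVM "svm1", collector 10.0.0.5, no encryption,
# only two volumes instead of the wildcard.
fpolicy_commands svm1 10.0.0.5 no-auth "vol_home,vol_projects"
```

The rendered lines can be saved to a file and fed to the cluster management LIF with an SSH client, for example `fpolicy_commands svm1 10.0.0.5 no-auth > fpolicy.txt` followed by `ssh admin@<cluster-mgmt-lif> < fpolicy.txt` (host and user are placeholders). Rejecting any ssl-option other than the two documented values keeps an unintended plaintext or unverified channel from being created by a typo.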

 

Domain accounts

To read the local paths of the shares, an account is needed that is a member of the local group "Power Users" on the NetApp SVM. The Logga has to be configured with this account later.

 

Command

vserver cifs users-and-groups local-group add-members -vserver <vserver_name> -group-name "BUILTIN\Power Users" -member-names <domain\user>

 

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<domain\user> - User account used to configure FS Logga within ARM

 

The Logga uses the ONTAP API to read FPolicy data and to request that the NetApp start logging for the external engine. For this the Logga needs an account with restricted access rights on the NetApp, so a new role should be created and the rights of this role defined with the following commands.

 

Commands

security login role create -role 8manrole -vserver <vserver_name> -cmd "vserver fpolicy"

security login role create -role 8manrole -vserver <vserver_name> -cmd "volume" -access readonly

security login role create -role 8manrole -vserver <vserver_name> -cmd "vserver" -access readonly

security login role create -role 8manrole -vserver <vserver_name> -cmd "version" -access readonly

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

 

With the following command you can check the result:

security login role show

 

Assign the new role to the account used by the Logga

security login create -username <domain\username> -application ontapi -authmethod domain -role 8manrole -vserver <vserver_name>

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<domain\username> - User account used to configure FS Logga within ARM

 

With the following command you can check the result:

security login show

 

Firewall configuration

The Logga uses the ONTAP API via https to read FPolicy data and to request the NetApp to start logging for the external engine. The service https must be configured on a LIF (Logical Interface) of the SVM. This LIF must be reachable by the collector.

Use the following command to see which services are active in which SVM firewall policy:

system services firewall policy show

 

The assignment of firewall policies to the LIFs of a given SVM can be checked with:

network interface show -vserver <vserver_name> -fields firewall-policy

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

 

If a firewall policy with the service https is already active on a LIF of the SVM, then you only need to change the 'allow-list':

system services firewall policy modify -vserver <vserver_name> -policy <current_firewall_policy> -service https -allow-list <collector-ip/32>

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<current_firewall_policy> - already activated firewall policy

<collector-ip/32> - IP address of the collector

 

If you do not want to change the current firewall policy, you can create a copy of this firewall policy, perform the necessary changes, and then assign this new firewall policy to the appropriate LIF:

system services firewall policy clone -vserver <vserver_name> -policy <current_firewall_policy> -destination-policy 8manlogga_fp

If the https service already exists in the cloned firewall policy:

system services firewall policy modify -vserver <vserver_name> -policy 8manlogga_fp -service https -allow-list <collector-ip/32>

If the https service is not present in the cloned firewall policy:

system services firewall policy create -vserver <vserver_name> -policy 8manlogga_fp -service https -allow-list <collector-ip/32>

network interface modify -vserver <vserver_name> -lif <lif> -firewall-policy 8manlogga_fp

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<current_firewall_policy> - already activated firewall policy

<collector-ip/32> - IP address of the collector

<lif> - Name of the Logical Interface
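The firewall section above branches on whether the https service already exists in the policy being changed (modify versus create) and on whether the policy is cloned first. The following shell function is an added example, not part of the ARM documentation or of NetApp's tooling: it reads the output of `system services firewall policy show -vserver <vserver_name> -policy <current_firewall_policy> -fields service,allow-list` on standard input, picks the right branch, and prints the commands that restrict https to the collector's /32. The tabular layout it parses (header line, dashes line, one row per service, optional trailer) is my assumption about the `-fields` output, and the sample it is run on is constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example, not part of the ARM documentation or NetApp's tooling.
# Chooses between "modify" (https already in the policy) and "create"
# (https missing) from the -fields output of the show command, optionally
# cloning the policy first and assigning the clone to a LIF.
# Assumption: the show output has a header line, a dashes line and then one
# row per service with columns vserver, policy, service, allow-list.

# Usage: firewall_https_commands <vserver_name> <current_policy> <collector-ip> [<new_policy> <lif>] < show-output
firewall_https_commands() {
    vserver=$1 policy=$2 ip=$3 new_policy=$4 lif=$5

    case $ip in
        */*) echo "pass the bare collector address; /32 is appended here" >&2; return 1 ;;
    esac
    [ -z "$new_policy" ] || [ -n "$lif" ] || { echo "a destination policy needs the LIF to assign it to" >&2; return 1; }

    # Data rows start at line 3; column 2 is the policy, column 3 the service.
    verb=create
    for svc in $(awk -v p="$policy" 'NR > 2 && $2 == p { print $3 }'); do
        if [ "$svc" = https ]; then verb=modify; fi
    done

    target=$policy
    if [ -n "$new_policy" ]; then
        printf 'system services firewall policy clone -vserver %s -policy %s -destination-policy %s\n' \
            "$vserver" "$policy" "$new_policy"
        target=$new_policy
    fi
    # Restrict https on the target policy to the collector only.
    printf 'system services firewall policy %s -vserver %s -policy %s -service https -allow-list %s/32\n' \
        "$verb" "$vserver" "$target" "$ip"
    if [ -n "$new_policy" ]; then
        printf 'network interface modify -vserver %s -lif %s -firewall-policy %s\n' \
            "$vserver" "$lif" "$new_policy"
    fi
}

# Demo on a constructed sample of the show output for policy "data" on svm1,
# cloning it to 8manlogga_fp and assigning the clone to LIF svm1_data_lif.
firewall_https_commands svm1 data 10.0.0.5 8manlogga_fp svm1_data_lif <<'EOF'
vserver policy service allow-list
------- ------ ------- ----------
svm1    data   dns     0.0.0.0/0
svm1    data   https   0.0.0.0/0
2 entries were displayed.
EOF
```

In practice the input comes from the cluster, for example `ssh admin@<cluster-mgmt-lif> "system services firewall policy show -vserver svm1 -policy data -fields service,allow-list" | firewall_https_commands svm1 data 10.0.0.5` (host, user and names are placeholders). Always appending /32 keeps the allow-list limited to the single collector address, which is the point of the page's <collector-ip/32> placeholder.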

 

Certificate configuration for encrypted event data transfer

If you have configured encrypted event data transfer between NetApp and Logga (see "Creating the External Engine Configuration"), then the public certificate of the certificate authority that signed the collector certificate has to be installed on the SVM:

security certificate install -vserver <vserver_name> -type client-ca

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

 

Use the following command to verify that the certificate has been installed:

security certificate show