NetApp AVA400, AVA800 Administration Manual

Beta Draft
NetApp® AltaVault™ Cloud Integrated Storage 4.3.1

Administration Guide

NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S.
Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501 Support telephone: +1 (888) 463-8277 Web: www.netapp.com Feedback: doccomments@netapp.com
Part number: 215-12049_B0 June 2017

Contents

Chapter 1 - Introduction of NetApp AltaVault Cloud Integrated Storage
Overview of AltaVault
Supported backup applications and cloud destinations
AutoSupport
System requirements and specifications
Documentation and release notes

Chapter 2 - Deploying the AltaVault appliance
Deployment guidelines
Basic configuration
Advanced configuration
Configuration recovery

Chapter 3 - Using the AltaVault configuration wizards
Using the AltaVault appliance CLI configuration wizard
Using the Management Console
Connecting to the Management Console
Home page
Navigating in the Management Console
Getting help
Using the Wizard Dashboard
Accessing the wizard dashboard
Using the System Settings wizard
Using the Cloud Settings wizard
Using the import configuration wizard
Using the export configuration wizard

Chapter 4 - Configuring storage settings
Configuring cloud settings
Configuring cloud provider settings
Configuring encryption
Configuring replication
Configuring bandwidth limits
Configuring SMB
Configuring NFS
Configuration tasks
Editing an NFS configuration
Troubleshooting NFS
Configuring OST
Configuring SnapMirror
Enabling SnapMirror service
Monitoring and deleting SnapMirror shares and Snapshots on AltaVault
Enabling long-term retention
Enabling SnapCenter access

Chapter 5 - Modifying networking settings
Modifying general host settings
Modifying management interfaces
Modifying data interfaces
Modifying virtual interfaces (VIFs)
Modifying VLANs

Chapter 6 - Configuring system administrator settings
Setting announcements
Configuring alarm settings
Configuring date and time
Configuring SNMP basic settings
Configuring SNMP v3
SNMP authentication and access control
Configuring email settings
Configuring log settings

Chapter 7 - Configuring security settings
Configuring general security settings
Managing user permissions
Configuring permissions for user roles
Unlocking an account
Configuring password policy settings
Configuring management login from Active Directory domain
Configuring login from AD
Login behavior using AD
Setting RADIUS servers
Configuring TACACS+ access
Unlocking the secure vault
Configuring Web settings
Managing web SSL certificates
Configuring KMIP
Using the Management Console to configure KMIP
Using CLI to configure KMIP
Troubleshooting KMIP
Configuring appliance monitoring
Configuring a management ACL
Configuring SSH Access

Chapter 8 - Configuring AltaVault appliances for FIPS-compliant cryptography
What is FIPS?
Understanding FIPS on AltaVault
NetApp Cryptographic Security Module
Compliant FIPS cryptography features
Noncompliant FIPS cryptography features
Configuring AltaVault for FIPS compliance
Configuring AltaVault appliances for FIPS-compliant cryptography
Enabling FIPS mode
Verifying that your system uses FIPS-compliant encryption
Working with features to maintain FIPS compliance
Account passwords
Cipher requirements
Key size requirements
NTP
RADIUS and TACACS+
SNMP
SSH
Telnet server
Web proxy
Disabling FIPS mode
Verifying FIPS mode in system logs
Verifying that file transfers operate in FIPS mode
Verifying that NTP operates in FIPS mode
Verifying that secure vault operates in FIPS mode
Verifying that SNMP operates in FIPS mode
Verifying that the web interface operates in FIPS mode
FIPS CLI

Chapter 9 - Managing the AltaVault appliance
Starting and stopping the AltaVault appliance
Configuring scheduled jobs
Managing licenses
Managing unlicensed AltaVault appliances
Managing licenses using the command-line
Managing licenses using the Management Console
License limits
Model upgrades on the virtual AltaVault appliances
Upgrading your software
Rebooting and shutting down AltaVault appliance
Viewing the current user settings
Managing configuration files

Chapter 10 - Viewing reports and logs
About reports
Viewing the storage optimization report
Viewing the front-end throughput report
Viewing the back-end throughput report
Viewing the eviction report
Viewing the replication report
Viewing the cloud operations report
Viewing schedule reports
Viewing per share utilization reports
Viewing the alarm status report
Viewing the CPU utilization report
Viewing the memory paging report
Viewing the interface counters report
Viewing the disk throughput report
Viewing the disk IOPS report
Viewing the disk utilization report
Viewing logs
Viewing system logs
Viewing user logs
Downloading log files
Generating system dumps
Viewing process dumps
Capturing and uploading TCP dumps
Viewing a TCP dump
Viewing the appliance monitoring report
Viewing the shelf details
Viewing the storage RAID group
Viewing offline file system check page
Viewing online file system check page
Viewing the verify tool diagnostics

Chapter 11 - Transferring data to the cloud using Amazon Snowball
Prerequisites
Guidelines for using Snowball with AltaVault
Seeding data using Snowball
Creating a Snowball job in AWS
Transferring data from AltaVault to Snowball
Managing data transfers on AltaVault
Verifying and completing data transfer

Chapter 12 - Migrating data to a new cloud
Cloud migration overview
Cloud-to-cloud migration
Canceling cloud-to-cloud migration
Amazon S3 or S3-IA to Glacier migration
Amazon S3 to S3-IA or Amazon S3-IA to S3 migration

Chapter 13 - Migrating data between appliances
Data migration overview
Data migration connection diagrams
Data migration process
Prerequisites
Prerequisites for the source appliance
Prerequisites for the target appliance
Performing appliance data migration
Post-data migration procedure

Chapter 14 - Disaster recovery
Disaster recovery preparations
Exporting the configuration file
Disaster recovery testing
Suspending replication at the production site
Enabling AltaVault for a disaster recovery test
Data restoration for disaster recovery testing
Performing post-DR testing activities
Disaster recovery
Enabling AltaVault for disaster recovery
Data restoration for disaster recovery

Chapter 15 - System components AVA-400, AVA-800
AltaVault appliance components
System chassis specifications
What you need to know about expansion shelves
Using LEDs to check the status of the system
Field replaceable units
Slot numbering and associated components
Fan modules and their LEDs
Fan redundancy policy
Power supplies and their LEDs
Power supply LED behaviors
Controller components and their LEDs
Controller LED behaviors
Internal FRUs

Chapter 16 - System maintenance AVA-400, AVA-800
Accessing the Service Processor for remote management
Setting the Service Processor password
Configuring the Service Processor for remote management
Validating remote access via the Service Processor
Shutting down the AltaVault controller
Replacing controllers
Installing a controller in a chassis
Replacing a controller chassis
Hot-swapping controller fan modules
Hot-swapping controller power supplies
Changing the shelf ID for a disk shelf
Adding an additional RAID group to a configured appliance
Replacing a faulty hard disk drive on an AltaVault AVA400 or AVA800 appliance
Replacing internal FRUs
Replacing a boot device in a controller
Replacing system DIMMs
Replacing RAID controllers
Replacing the RTC clock coin battery
Replacing disk shelf power supplies and other FRUs
Returning failed parts
Disposing of batteries
Appendix A - Administrator’s configuration worksheet .....................................................................231
Configuration worksheet ..............................................................................................................................231
Appendix B - AltaVault appliance MIB..................................................................................................235
Accessing AltaVault appliance MIB.............................................................................................................235
SNMP traps...................................................................................................................................................235
Appendix C - Amazon AWS IAM and S3 bucket policies.................................................................... 247
Typical AltaVault setup.................................................................................................................................247
IAM policies for AltaVault ...........................................................................................................................247
Sample of IAM policy...........................................................................................................................248
Bucket policies for AltaVault .......................................................................................................................249
Sample of bucket policy ........................................................................................................................249
Appendix D - Best practices for Amazon Glacier ................................................................................251
Optimizing data movement to and from Amazon Glacier............................................................................251
Protecting data to Amazon Glacier...............................................................................................................251
Recovering data from Amazon Glacier ........................................................................................................252
Restoring data from the cloud using the prepopulation page ................................................................252
Restoring data from the cloud using the command-line interface.........................................................254
Automatic prepopulation ......................................................................................................................258
AltaVault appliance best practices for EMC NetWorker for Amazon Glacier .............................................258
AltaVault appliance best practices for IBM Spectrum Protect for Amazon Glacier....................................260
AltaVault appliance best practices for Veritas NetBackup for Amazon Glacier ..........................................261
AltaVault appliance best practices for Veritas Backup Exec for Amazon Glacier .......................................262
AltaVault appliance best practices for Veeam backup and replication for Amazon Glacier ........................263
Copyright Information............................................................................................................................ 265
Trademark Information........................................................................................................................... 267
How to Send Your Comments ...............................................................................................................269
Index ........................................................................................................................................................ 271
CHAPTER 1 Introduction of NetApp AltaVault Cloud Integrated Storage

Overview of AltaVault

AltaVault appliance is a disk-to-disk data storage optimization system with unique cloud storage integration. There are three types of AltaVault deployments:
• Physical hardware appliances, available in AVA400 and AVA800 models.
• Virtual appliance, available in AVA-v2, AVA-v8, AVA-v16, and AVA-v32 models.
• Cloud-based virtual appliance:
  • Amazon Machine Images (AMI), available in AVA-c4, AVA-c8, and AVA-c16 models.
  • Microsoft Azure Virtual Machine (AVM), available in the AVA-c4 model.

Supported backup applications and cloud destinations

Refer to the Interoperability Matrix Tool (IMT) on the NetApp Support site to validate the product and versions that can be used to construct configurations that are supported by NetApp. Specific results depend on each customer's installation in accordance with published specifications.

AutoSupport

AltaVault supports user-triggered and daily AutoSupports (ASUPs) as well as certain event-based triggers. ASUP functionality is supported on all AltaVault models. For event-based triggers, see “Viewing the alarm status report” on page 133.
For more information on ASUP CLI commands, see the NetApp AltaVault Cloud Integrated Storage Command-Line Interface Reference Guide.

System requirements and specifications

This section specifies the hardware and software requirements.
For system requirements for virtual appliances, see the NetApp AltaVault Cloud Integrated Storage Installation and Service Guide for Virtual Appliances.
For system requirements for cloud, see the NetApp AltaVault Cloud Integrated Storage Installation and Service Guide for Cloud Appliances.
For system requirements for physical appliances, see Chapter 15, “System components AVA-400, AVA-800.”

Documentation and release notes

To obtain the most current version of all NetApp documentation, go to the NetApp Support site at https://mysupport.netapp.com.

CHAPTER 2 Deploying the AltaVault appliance

This chapter includes the following sections:
“Deployment guidelines” on page 13
“Basic configuration” on page 15
“Advanced configuration” on page 16
“Configuration recovery” on page 16

Deployment guidelines

AltaVault is supported with the backup applications and cloud storage providers identified by the IMT (interoperability matrix tool).
Refer to the Interoperability Matrix Tool (IMT) on the NetApp Support site to validate that the exact product and feature versions described in this document are supported for your specific environment. The NetApp IMT defines the product components and versions that can be used to construct configurations that are supported by NetApp. Specific results depend on each customer's installation in accordance with published specifications.
An AltaVault can only be pointed to one cloud storage provider at a time.
If an existing AltaVault needs to be pointed to a different cloud storage provider than the one currently configured, you must clear the AltaVault cache before reconfiguring the new cloud storage provider credentials. All existing data associated with the previous cloud storage provider will remain.
AltaVault can be deployed in one of two modes: Backup mode or Cold Storage mode. Once deployed, you cannot change the mode. Use the following table to compare AltaVault in backup mode with AltaVault in cold storage mode:

Backup mode
Pros:
• Allows access to the most recent backups on cache.
• Allows global deduplication of all data received by AltaVault, leading to higher deduplication rates.
• Maximizes data movement efficiency of the WAN through deduplication of data.
• Cache expansion capability via add-on shelves allows for growth as needed by the business.
• Higher ingest performance than Cold Storage mode.
Cons:
• Cloud capacity managed limited to a maximum of up to 5 times the usable space on the AltaVault’s disk cache.

Cold storage mode
Pros:
• Protects archive workloads for long periods of time, typically to cool or cold cloud storage tiers.
• Allows access to far greater cloud capacity (Up to 10PB of storage, based on 1.333 billion files of 100MB average file size).
• Provides expansive long term storage in just one head controller unit.
Cons:
• Minimal deduplication compared to backup mode.
• Limited network and WAN performance, dependent on average file size of objects sent to AltaVault.
• Only available on AVA-400 48 TB and virtual models.
• No expansion capability with shelves.
• Restores are always from the cloud provider.

You can configure AltaVault folder shares to help describe a policy target.
For example, you can configure a backup application to direct critical system backups to point to a specific folder on one AltaVault data connection, while noncritical backups might be directed by a backup application to point to another folder on another AltaVault data connection. This method helps balance priorities of data over the network and organize data for recovery in case of a disaster. If possible, organize your backup policies to drive similar data to the same AltaVault unit.
For example, if you are backing up a Windows server farm to multiple AltaVault appliances, operating system backups are likely to have the best deduplication rates when grouped together to the same AltaVault. File and application server backups obtain better deduplication when grouped together as well.
AltaVault exports its configuration to a file called altavault_config_(HOSTNAME)_(DATETIME).tgz.
NetApp recommends that you store the configuration file in different physical locations. The configuration file contains information about the configuration, including the encryption key. Alternatively, you can just export the encryption key alone.
Note: To access the encrypted data, you need an encryption key. If you lose the encryption key, AltaVault cannot reconstitute the encrypted data.
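Because the exported configuration file contains the encryption key, each stored copy needs owner-only permissions and a second copy elsewhere. The following Python audit is an added example, not part of the NetApp documentation or product; the directory names, finding labels, DATETIME token and the rule that host names contain no underscore are assumptions.

```python
"""Audit stored copies of AltaVault configuration exports.

Added example, not NetApp code. Only the archive name pattern comes from
the guide; directory layout and finding labels are assumptions.
"""
import hashlib
import re
import stat
import tempfile
from collections import defaultdict
from pathlib import Path

# altavault_config_(HOSTNAME)_(DATETIME).tgz. The guide does not give the
# DATETIME layout, so it is kept as an opaque token. Assumption: the host
# name contains no underscore, so the first "_" after the prefix ends it.
EXPORT_NAME = re.compile(
    r"^altavault_config_(?P<host>[^_]+)_(?P<stamp>.+)\.tgz$")


def sha256_file(path):
    """Hash a file in chunks so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_exports(locations):
    """Return sorted (subject, finding) tuples for the given directories.

    Findings:
      unrecognized-name        file matches the prefix but not the pattern
      accessible-beyond-owner  group/other permission bits are set
      single-location          an export exists in only one directory
      copies-differ            same export name, different content
    """
    findings = []
    copies = defaultdict(list)  # (host, stamp) -> [(location, sha256)]
    for location in locations:
        for path in sorted(Path(location).glob("altavault_config_*.tgz")):
            match = EXPORT_NAME.match(path.name)
            if match is None:
                findings.append((str(path), "unrecognized-name"))
                continue
            # The archive carries the encryption key: treat it as a secret.
            if stat.S_IMODE(path.stat().st_mode) & 0o077:
                findings.append((str(path), "accessible-beyond-owner"))
            key = (match["host"], match["stamp"])
            copies[key].append((str(location), sha256_file(path)))
    for (host, stamp), stored in copies.items():
        subject = f"{host} {stamp}"
        if len({loc for loc, _ in stored}) < 2:
            findings.append((subject, "single-location"))
        if len({dig for _, dig in stored}) > 1:
            findings.append((subject, "copies-differ"))
    return sorted(findings)


def build_constructed_sample(root):
    """Create two constructed storage locations under root for the demo."""
    site_a, site_b = Path(root, "site_a"), Path(root, "site_b")
    name = "altavault_config_amnesiac_20170601-120000.tgz"
    for site, mode in ((site_a, 0o600), (site_b, 0o644)):
        site.mkdir()
        target = site / name
        target.write_bytes(b"constructed archive")
        target.chmod(mode)
    lone = site_a / "altavault_config_ava800_20170602-090000.tgz"
    lone.write_bytes(b"constructed archive 2")
    lone.chmod(0o600)
    return [site_a, site_b]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for subject, finding in audit_exports(build_constructed_sample(root)):
            print(f"{finding:24} {subject}")
```

The script can only tell directories apart; whether they sit in different physical locations is for the operator to ensure when choosing the paths passed to audit_exports.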

Basic configuration

This procedure assumes that you have already installed your AltaVault appliance as described in the respective installation guide:
AltaVault Model | Installation Guide
AltaVault physical appliance (AVA-400, AVA-800) | AltaVault System Installation and Setup Instructions (poster)
AltaVault virtual appliance (Microsoft Hyper-V, VMware ESXi, or Linux KVM) | NetApp AltaVault Cloud Integrated Storage Installation and Service Guide for Virtual Appliances
AltaVault cloud appliance (Amazon Machine Image or Microsoft Azure Virtual Machine) | NetApp AltaVault Cloud Integrated Storage Installation and Service Guide for Cloud Appliances
After installing the appliance, use the following table to guide your initial AltaVault setup and deployment:
Step | Configuration | Reference
1 | Gather configuration information | Appendix A, “Administrator’s configuration worksheet.”
2 | Provide the initial system configuration using the CLI Wizard | “Using the AltaVault appliance CLI configuration wizard” on page 17
3 | Set the Service Processor password (AV-400, AV-800 models only) | “Setting the Service Processor password” on page 200
4 | Configure remote management (AV-400, AV-800 models only) | “Configuring the Service Processor for remote management” on page 200
5 | Connect to the Management Console and log in | “Using the Management Console” on page 18
6 | Configure the system settings from the System Setup Wizard | “Using the System Settings wizard” on page 21
7 | Configure cloud service provider settings using the Cloud Setup Wizard | “Using the Cloud Settings wizard” on page 22
8 | Add the license information (virtual appliance models only) | “Managing licenses using the Management Console” on page 117
9 | Configure data interfaces | “Modifying data interfaces” on page 54
10 | Optionally, configure virtual interfaces (VIFs) | “Modifying virtual interfaces (VIFs)” on page 56
11 | Optionally, configure VLAN interfaces | “Modifying VLANs” on page 57
12 | Optionally, join the domain (for SMB) | “Configuring SMB” on page 37
14 | Configure storage (select SMB, NFS, OST, or SnapMirror) | “Configuring SMB” on page 37; “Configuring NFS” on page 42; “Configuring OST” on page 45; “Configuring SnapMirror” on page 47
15 | Save your configuration to a safe location using the Export Wizard | “Using the export configuration wizard” on page 34

Advanced configuration

The following table summarizes AltaVault’s advanced configuration options.
Configuration option | Setting | Reference
Storage settings | Advanced storage settings for SMB, NFS, OST, and SnapMirror | Chapter 4, “Configuring storage settings”
Storage settings | Configure data prepopulation | “Restoring data from the cloud using the prepopulation page” on page 252
Security settings | Set authentication method, Active Directory (AD) administration, role-based permissions for users, Secure Vault, web settings, REST API access, key management (KMIP), management ACLs | Chapter 7, “Configuring security settings”
Security settings | Configure FIPS compliance | Chapter 8, “Configuring AltaVault appliances for FIPS-compliant cryptography”
System administration settings | Set announcements, alarms, date and time, SNMP, email notifications, log settings | Chapter 6, “Configuring system administrator settings”
System monitoring | Viewing reports and logs | Chapter 10, “Viewing reports and logs”
System monitoring | Schedule jobs | “Configuring scheduled jobs” on page 114
System monitoring | Schedule reports | “Viewing schedule reports” on page 131
System monitoring | LEDs (AVA-400, AVA-800 only) | “Using LEDs to check the status of the system” on page 185
System monitoring | Peer monitoring | “Configuring appliance monitoring” on page 97

Configuration recovery

After a catastrophic event, you might need to recover your configuration, provided you previously saved it to another location using the Export Wizard. To recover a saved configuration, see Chapter 14, “Disaster recovery.”
CHAPTER 3 Using the AltaVault configuration wizards
This chapter includes the following sections:
“Using the AltaVault appliance CLI configuration wizard” on page 17
“Using the Management Console” on page 18
“Using the Wizard Dashboard” on page 20

Using the AltaVault appliance CLI configuration wizard

After installing the AltaVault appliance and logging in for the first time, you are prompted to enter initial system information using command-line interface (CLI).
To run the AltaVault appliance CLI configuration wizard
1. Complete the configuration wizard steps on the client side and server side.
Wizard prompt | Description | Example
Step 1: Admin password? | NetApp requires that you change the default administrator password (password) at this time. The new password must be a minimum of eight characters and cannot be the word password. | Step 1: Admin password? xxxxyyyy
Step 2: Host name? | Enter the host name for the AltaVault appliance. | Step 2: Hostname? amnesiac
Step 3: Use DHCP on the primary interface? | For AltaVault virtual and physical appliances, DHCP is not recommended. For AltaVault cloud-based virtual appliances, DHCP is required. | Step 3: Use DHCP? yes
Step 4: Primary IP address? | Enter the IP address. | Step 4: Primary IP address? 10.10.10.6
Step 5: Netmask? | Enter the netmask address. | Step 5: Netmask? 255.255.0.0
Step 6: Default gateway? | Enter the default gateway. | Step 6: Default gateway? 10.0.0.1
Step 7: Primary DNS server? | Enter the primary DNS server IP address. If you do not specify a valid DNS server, the system does not start. | Step 7: Primary DNS server? 10.0.0.2
Step 8: Domain name? | Enter the domain name for the network that the appliance is connected to. If you set a domain name, you can enter host names in the system without the domain name. | Step 8: Domain name? example.com
2. To change an answer, enter the step number to return to. Otherwise press <enter> to save changes and exit. The AltaVault appliance configuration wizard automatically saves your configuration settings. The CLI prompt appears:
amnesiac>
If you chose to use DHCP, you can get the IP address of the appliance by running the following commands:
amnesiac > enable
amnesiac # configure terminal
amnesiac (config)# show interfaces primary
3. To log out of the system, enter exit at each of the command-level prompts.
You can now log in to the appliance using a web-based client to access the Management Console (user interface) and Wizard Dashboard for configuring system and cloud service provider (CSP) settings.

Using the Management Console

This section includes the following information:
“Connecting to the Management Console” on page 18
“Home page” on page 19
“Navigating in the Management Console” on page 19

Connecting to the Management Console

To connect to the AltaVault Management Console
1. Enter the URL for the Management Console in the location box of your Web browser:
https://<host>.<domain>
When you connect using HTTPS, you are prompted to inspect and verify the SSL certificate. The SSL certificate is a self-signed certificate used to provide encrypted Web connections to the Management Console. It is re-created when the appliance hostname is changed and when the certificate has expired.
The <host> variable is the hostname you assigned to the AltaVault primary interface in the configuration wizard. If your DNS server maps that IP address to a name, you can specify the DNS name.
The <domain> variable is the full domain name for the appliance.
You can also specify the IP address instead of the host and domain name.
2. In the Username text box, specify the user login. The default login is admin.
3. In the Password text box, specify the password you assigned in the CLI configuration wizard of the AltaVault. The password cannot be “password.” To change your password, see “Viewing the current user settings” on page 119.
4. Click Sign In to display the AltaVault configuration wizard (when you log in for the first time) or the Home page (for subsequent logins).

Home page

The Home page displays the following parameters:
Cloud and Disk Storage Allocation - The outer circle represents the cloud storage and the inner circle represents the local AltaVault cache storage. This section also lists the used storage, free storage, and total storage on the cloud and the disk.
Optimization Service - Specifies whether the Storage Optimization Service is running or has stopped and the status of the service:
Status | Description
Ready | Storage Optimization Service is ready to ingest and replicate data to the cloud.
Not ready | Storage Optimization Service is unavailable. No data will be ingested or replicated.
Replaying | Storage Optimization Service has been terminated during backup replication, either due to loss of power or a crash. During this replay process, the AltaVault verifies data consistency from its transaction logs. The amount of time it takes for the replay process to complete depends on the amount of data in flight at the time the AltaVault appliance was abnormally stopped.
Upgrading | Storage Optimization Service is unavailable due to an in-progress upgrade. No data will be ingested or replicated.
Cloud Storage Reclamation - Provides the completion percentage of the cloud storage reclamation service (garbage collection). This service runs automatically when needed to clean up fragmented disk and cloud space.
Alarms Triggered - Displays the appliance health status and software update. To view the alarms triggered, choose Reports > Alarm Status.
System Status - Displays details such as the AltaVault time, system up time, and optimization service up time.
Appliance Information - Provides the appliance hostname and its model number.
Replicated Data - Displays the status of the process of copying data and metadata from the AltaVault to the cloud.
Storage Optimization - Displays the expanded data, deduplicated data, and deduplication factor. Expanded data is the data that has been backed up locally by the AltaVault. Deduplicated data reflects data that has been optimized through the use of deduplication and compression. Deduplication factor is the ratio of the expanded data and total optimized data. The total optimized data includes both deduplication and compression savings.
Cloud Information - Displays the status of the cloud connection that the appliance is configured to communicate with.

Navigating in the Management Console

You navigate to the tools and reports available to you in the Management Console using cascading menus.
Saving your configuration
As you apply configuration settings, the values are applied to the running configuration. Most Management Console configuration pages include an Apply button for you to commit your changes. When you click Apply, the Management Console updates the running configuration.
NetApp recommends that you export your configuration after every change.
A red asterisk next to a control indicates that the field is required. You must specify a valid entry for all of the required controls on a page before saving the changes.
Restarting AltaVault appliance service
Some configuration settings require a restart of the service for the changes to take effect.
To restart the service, click Restart to display the Service page or go to the Storage Optimization Service page and restart the service.
Printing pages and reports
You can print Management Console pages and reports using the print option on your Web browser.
To print pages and reports
Choose File > Print in your Web browser to open the Print dialog box.

Getting help

The Help page provides the following options:
Online Help - View browser-based online help.
Technical Support - View links and contact information for NetApp Support.
Appliance Details - View appliance information such as the model number, hardware revision type, serial number, and software version currently installed on the appliance.
Displaying online help
The Management Console provides page-level help for the appliance.
To display online help
Click the question mark icon next to the page title. The help for the page appears in a new browser window.
Logging out
In the menu bar, click Sign out to end your session.

Using the Wizard Dashboard

The AltaVault configuration wizard appears only after you log in to the appliance for the first time. It enables you to access other configuration wizards, so that you can configure your own system settings, configure cloud settings, and import and export settings.
This section includes the following topics:
“Accessing the wizard dashboard” on page 21
“Using the System Settings wizard” on page 21
“Using the Cloud Settings wizard” on page 22
“Using the import configuration wizard” on page 33
“Using the export configuration wizard” on page 34

Accessing the wizard dashboard

To access the AltaVault configuration wizard dashboard
1. From a web browser, enter the AltaVault IP address to log in to the Management Console.
2. If you are logging in to the Management Console for the first time, the wizard appears, displaying the Welcome page. For subsequent logins, log in to AltaVault and choose Configure > Setup Wizard.
Based on your configuration requirements, you can use different wizards from the dashboard.
Task | Reference
To configure networking settings and time zone, use the System Settings wizard. | “Using the System Settings wizard” on page 21
To configure cloud settings, licenses, and encryption key, use the Cloud Settings wizard. | “Using the Cloud Settings wizard” on page 22
To import a previously saved configuration, use the Import Configuration wizard. | “Using the import configuration wizard” on page 33
To export the current configuration from the system, use the Export Configuration wizard. | “Using the export configuration wizard” on page 34

Using the System Settings wizard

Use the System Settings wizard to configure networking settings and time zone.
To use the System Settings wizard
1. From the management console, choose Configure > Setup Wizard.
2. Select System Settings in the Wizard Dashboard.
The System Settings wizard displays the hostname and DNS server IP address for the AltaVault.
3. In the System Settings wizard, complete the configuration as described in this table.
Control | Description
Obtain IPv4 Address Automatically | Specify this option to automatically obtain the IPv4 address from a valid DHCP server.
Enable IPv4 Dynamic DNS | Select this option to enable IPv4 dynamic DNS on the primary interface.
Specify IPv4 Address Manually | Specify this option if you do not use a DHCP server to set the IP address. Specify the following settings:
• IPv4 Address - Specify an IPv4 address.
• IPv4 Subnet Mask - Specify an IPv4 subnet mask.
• Default IPv4 Gateway - Specify the default primary gateway IPv4 address. The primary gateway must be in the same network as the primary interface. You must set the primary gateway for interface configurations.
Time Zone | Specify the country and time zone in which the AltaVault is located.
Enable Analytics | Enabling this feature will send daily informational AutoSupport (ASUP) messages to NetApp.
4. Click Next to display the Confirmation page.
5. Click Save and Apply to display the System Settings Wizard Finish page.
6. Click Exit to close the System Settings Wizard and go back to the dashboard.

Using the Cloud Settings wizard

Use the Cloud Settings wizard to configure cloud settings, licensing, and the encryption key.
To use the Cloud Settings wizard
1. From the management console, choose Configure > Setup Wizard.
2. Select Cloud Settings in the Wizard Dashboard.
Note: Check that the datastore is empty. If the datastore is not empty, you cannot change the cloud provider, region, hostname, and bucket name.
3. Under Provider, select and configure your preferred cloud service provider from the drop-down list:
Note: If you are configuring a private cloud, see “Customizing a private cloud” on page 32.
Amazon Glacier - see “Configuring Amazon Glacier storage” on page 24
Amazon S3 - see “Configuring Amazon S3 storage” on page 26
AT&T Synaptic Storage - see “Configuring Atmos-based storage” on page 26
Cleversafe Cloud Storage - see “Configuring S3-based storage” on page 30
Cloudian Cloud Storage - see “Configuring S3-based storage” on page 30
Cloudwatt Object Storage - see “Configuring SWIFT-based storage” on page 30
Dunkel Cloud Storage - see “Configuring S3-based storage” on page 30
EMC Atmos - see “Configuring Atmos-based storage” on page 26
Google Cloud Storage - see “Configuring Google Cloud Storage” on page 27
HGST Storage - see “Configuring S3-based storage” on page 30
Internet Initiative Japan (IIJ) - see “Configuring S3-based storage” on page 30
Microsoft Windows Azure Storage - see “Configuring Microsoft Windows Azure storage” on page 29
NetApp StorageGRID Webscale - see “Configuring S3-based storage” on page 30
OpenStack Object Storage (Swift) - see “Configuring SWIFT-based storage” on page 30
Oracle Storage Cloud Service - Object Storage - see “Configuring SWIFT-based storage” on page 30
Outscale On-Demand Storage - see “Configuring S3-based storage” on page 30
Rackspace Cloud Files - see “Configuring Swift-based storage with region-selection” on page 32
S3 Compliant Connector - see “Configuring S3-based storage” on page 30
Scality RING - see “Configuring S3-based storage” on page 30
SoftLayer Object Storage (Swift) - see “Configuring Swift-based storage with region-selection” on page 32
Swisscom Dynamic Storage - see “Configuring Atmos-based storage” on page 26
Verizon Cloud Storage - see “Configuring S3-based storage” on page 30
4. Configure Encryption Settings in the Wizard Dashboard. This page is only available to users with Read-Only Security Settings permissions or Read and Write Security Settings permissions. Specify the following items:
Control | Description
Create New Datastore Encryption Key | Select this option to establish a new AES-256 bit encryption key that AltaVault uses to secure data.
• Set Key Passphrase - Optionally, specify a passphrase that will be used to secure the encryption key on AltaVault. This passphrase will be required when importing the encryption key or AltaVault configuration onto a new AltaVault appliance. The passphrase is not stored within a configuration archive and must be kept in a secure location.
• Confirm Key Passphrase - Confirm the passphrase.
Import Key from File | Select this option to import the key from a file. Select the file to import it onto the appliance. The key must be the key that was generated by an AltaVault appliance.
Import Key from Text | Select this option to import the key from text. The key must be the key that was generated or exported from an AltaVault appliance.
5. On the Confirmation page verify the information, and click Save and Apply.
Note: It is recommended to use a firewall to prevent unauthorized connections to the AltaVault.
Configuring Amazon Glacier storage
1. From the drop-down list, select yes or no to use keys from the KMIP server. When configuring the KMIP server, you must:
Use the same username and password as created in KMS.
Upload the same certificate as downloaded from KMS after signing it.
Add a symmetric key (KMIP key) as the encryption key.
Add a secret data key (KMIP key) for each of the authentication fields.
2. Specify the Region. You can choose to store your data in the Amazon Glacier Region that meets your regulatory, throughput, and geographic redundancy criteria.
When specifying US East (N. Virginia) or us-east-1 as the region, use US Standard.
3. Custom Region - Optionally, specify the custom region for your cloud service provider account.
4. Authentication Method - Specify one of the following:
Standard - Specify selections for the “Standard authentication” on page 24.
STS - Specify selections for the “STS authentication” on page 25.
Note: If user files are not cached on AltaVault, they should be pre-populated before reads are performed. This is because restores from Amazon Glacier have a latency of up to 12 hours depending on the retrieval option. For more information, see AWS documentation.
Standard authentication
Note: When S3 or Glacier is configured and Storage Optimization Service fails to start, the logs may contain the error “BucketAlreadyExists: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again.” This indicates that the chosen bucket name is not available. You can resolve this by selecting a different bucket name. This error may also be encountered after a cloud migration or changing of the cloud settings. One possible reason may be that the cloud credentials do not belong to the account that owns the bucket. Double-check the credentials and ensure that the correct credentials are entered on the Cloud Settings page.
For the Standard authentication type, make selections for the following:
1. Access Key - Specify the access key for your Amazon S3 (AWS) account.
2. Secret Key - Specify the secret key for your cloud service provider account.
3. Hostname - Verify the hostname of the cloud provider on which AltaVault stores the replicated data.
4. Bucket Name - Specify the bucket name associated with your cloud service provider account. If the bucket name does not exist, the bucket is created during initial AltaVault replication. Bucket names must be a series of one or more labels separated by a period.
5. Port - Specify the port through which replication occurs. Ports 80 or 443 are available.
6. Enable Archiving - Enable this option if you are using the AltaVault for cold storage mode. For more information about cold storage mode, see “Deployment guidelines” on page 13.
7. Enable Cloud Deduplication - Enabling this option may improve deduplication rates for repetitive backup datasets, lowering cloud storage costs. Disabling this option is recommended for Amazon Glacier to improve recovery of recently written data from cache, but can decrease deduplication rates and increase cloud storage costs.
8. Enable Cloud CA Certificate - Optionally, specify a cloud CA certificate that will be used to validate the server certificate of the cloud provider. The file must have the .pem extension.
9. Enable Proxy - Select to enable proxy server settings. A proxy server acts as an intermediary for requests from clients seeking resources from other servers.
After you select the check box, specify the following settings:
Hostname/IP address - Specify the hostname or the IP address
Port - Specify the port numbers for access
Username - Specify the name of the user for access
Password - Specify the user’s password.
STS authentication
1. Identity Provider URL: Specify the URL of the provider.
The identity provider is a server that performs two roles: 1) authenticating users and machines wishing to access Amazon AWS services, and 2) providing temporary security credentials with which to access those services. AltaVault makes a call to the identity provider, which in turn makes a call to Amazon STS using the AssumeRole API call to generate temporary security credentials, and then passes these credentials back to AltaVault.
2. Parameters - Specify the parameters that the provider expects to authenticate the AltaVault appliance.
3. Response Type - JSON is the default.
4. Method - Select GET or POST.
5. CA Certificate - Specify the certificate that will be used to validate the server certificate of the identity provider.
Ensure that the file has the required .pem extension.
6. Select the Web Settings page link.
Select the Replace tab.
Certificate - Upload the client certificate.
Separate Private Key - Upload the Private Key.
To replace the certificate and private key, click Import Certificate and Key.
7. Hostname - Verify the hostname of the cloud provider on which AltaVault stores the replicated data.
8. Bucket Name - Specify the bucket name associated with your cloud service provider account. If the bucket name does not exist, the bucket is created during initial AltaVault replication. Bucket names must be a series of one or more labels separated by a period.
9. Port - Specify the port through which replication occurs. Ports 80 or 443 are available.
10. Enable Archiving - Enable this option if you are using the AltaVault for cold storage mode. For more information about cold storage mode, see “Deployment guidelines” on page 13.
11. Enable Cloud Deduplication - Enabling this option may improve deduplication rates for repetitive backup datasets, lowering cloud storage costs. Disabling this option is recommended for Amazon Glacier to improve recovery of recently written data from cache, but can decrease deduplication rates and increase cloud storage costs.
12. Enable Cloud CA Certificate - Optionally, specify a cloud CA certificate that will be used to validate the server certificate of the cloud provider. The file must have the .pem extension.
13. Select the Enable Proxy check box to enable proxy server settings and specify:
Hostname/IP address - Specify the hostname or the IP address
Ports - Specify the port numbers for access
Username - Specify the name of the user for access
Password - Specify the user’s password
Configuring Amazon S3 storage
1. Select yes or no to use keys from KMIP server from the drop-down list. When configuring the KMIP server, you must:
Use the same username and password as created in KMS.
Upload the same certificate as downloaded from KMS after signing it.
Add a symmetric key (KMIP key) as the encryption key.
Add a secret data key (KMIP key) for each of the authentication fields.
2. Specify the Region. You can choose an Amazon S3 region to optimize for latency, minimize costs, or address regulatory requirements.
3. Custom Region - Optionally, specify the custom region for your cloud service provider account.
4. Storage Class - Specify a storage class from the drop-down list:
Standard (Standard storage class)
Standard-IA (Standard Infrequent Access)
RRS (Reduced Redundancy Service)
5. Authentication Type - Specify one of the following:
Standard - Specify selections for the “Standard authentication” on page 24.
STS - Specify selections for the “STS authentication” on page 25.
Configuring Atmos-based storage
1. Select yes or no to use keys from KMIP server from the drop-down list. When configuring the KMIP server, you must:
Use the same username and password as created in KMS.
Upload the same certificate as downloaded from KMS after signing it.
Add a symmetric key (KMIP key) as the encryption key.
Add a secret data key (KMIP key) for each of the authentication fields.
2. If your provider is AT&T, specify the following settings:
Storage Policy - Select one of the following storage policies from the drop-down list:
Local Replication - Stores data in one location and protects it using erasure coding.
Remote Replication - Stores data in two locations: it maintains a copy in one data center and replicates it to a geographically remote data center.
3. Specify the following settings:
Subtenant ID - Specify the subtenant ID that EMC Atmos uses to authenticate each request.
UID - Specify the user ID that EMC Atmos uses to authenticate each request.
Shared Secret - Specify the shared secret that EMC Atmos uses to authenticate each request. When the client application builds a Web service request, EMC Atmos uses the shared secret to create a signature entry as a part of the request. The shared secret must be associated with the subtenant ID and application ID created by the EMC Atmos-based storage provider.
4. Specify the hostname.
5. Specify the bucket name associated with your cloud service provider account. You can use buckets to organize your data and control access to your data, but they cannot be nested. If the bucket name does not exist, the bucket is created during initial AltaVault replication.
6. Specify the port number.
7. Enable Archiving - Enable this option if you are using the AltaVault for cold storage mode. For more information about cold storage mode, see “Deployment guidelines” on page 13.
8. Enable Cloud Deduplication - Enabling this option may improve deduplication rates for repetitive backup datasets, lowering cloud storage costs. Disabling this option is recommended for Amazon Glacier to improve recovery of recently written data from cache, but can decrease deduplication rates and increase cloud storage costs.
9. Enable Cloud CA Certificate - Optionally, specify a cloud CA certificate that will be used to validate the server certificate of the cloud provider. The file must have the .pem extension.
10. Select the Enable Proxy check box to enable proxy server settings and specify:
Hostname/IP address - Specify the hostname or the IP address.
Ports - Specify the port numbers for access.
Username - Specify the name of the user for access.
Password - Specify the user’s password.
Configuring Google Cloud Storage
1. Select yes or no to use keys from KMIP server from the drop-down list. When configuring the KMIP server, you must:
Use the same username and password as created in KMS.
Upload the same certificate as downloaded from KMS after signing it.
Add a symmetric key (KMIP key) as the encryption key.
Add a secret data key (KMIP key) for each of the authentication fields.
2. Specify the Location from the drop-down list.
3. Storage Class - Specify the storage class from the drop-down list:
Standard (Standard storage class)
Nearline
4. Project ID - Specify the unique project ID associated with the bucket.
5. Client email - Specify the service account email address value from the API Manager > Credentials page of the Google developers console.
6. Private Key - Select Browse to specify the private key for your Google Cloud Storage service provider account.
Google provides the private key in JSON and PKCS12 format. The AVA cloud credentials page requires a private key with a required extension of .pem or .json. You can read the client email and project ID from the .json file.
Note: When connecting to Google Cloud Storage with FIPS enabled, AltaVault requires all imported and generated key sizes for RSA-based and DSA-based certificates to be 2048 bits or higher. Connections using 1024-bit certificates will not complete. It is recommended to generate a new private key (2048-bit or higher) for Google Cloud Storage, save it in a .json file, and upload that file when configuring AltaVault with Google Cloud Storage.
7. Specify the hostname.
8. Specify the bucket name associated with your cloud service provider account. If Nearline is selected as Storage Class, the bucket should not be created through Google Developers Console. The Nearline bucket will automatically be created by AltaVault. You can use buckets to organize your data and control access to your data, but buckets cannot be nested.
For more information on bucket name restrictions, see Google documentation.
9. Specify the port number. Port 80 is not supported.
10. Enable Archiving - Enable this option if you are using the AltaVault for cold storage mode. For more information about cold storage mode, see “Deployment guidelines” on page 13.
11. Enable Cloud Deduplication - Enabling this option may improve deduplication rates for repetitive backup datasets, lowering cloud storage costs. Disabling this option is recommended for Amazon Glacier to improve recovery of recently written data from cache, but can decrease deduplication rates and increase cloud storage costs.
12. Enable Cloud CA Certificate - Specify a cloud CA certificate that will be used to validate the server certificate of the cloud provider. The file must have the .pem or .json extension.
13. Select the Enable Proxy check box to enable proxy server settings and specify:
Hostname/IP address - Specify the hostname or the IP address.
Ports - Specify the port numbers for access.
Username - Specify the name of the user for access.
Password - Specify the user’s password.
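The FIPS note in step 6 above can be checked before a key file is uploaded. The following is an added example, not NetApp or Google code: it reads the client email and project ID from a service-account .json file and measures the RSA key size using only the Python standard library. The field names project_id, client_email and private_key are those of Google service-account key files; the sample file is constructed, contains no usable key, and DSA keys are not covered.

```python
import base64
import json

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
MIN_FIPS_BITS = 2048                           # minimum stated in the FIPS note


def read_tlv(buf, pos):
    """Read one DER element at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem):
    """Strip the BEGIN/END lines of a PEM block and base64-decode the body."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    return base64.b64decode("".join(l for l in lines if not l.startswith("-----")))


def rsa_modulus_bits(pem):
    """Return the modulus size in bits of a PKCS#8 or PKCS#1 RSA private key."""
    tag, seq, _ = read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tag, _version, pos = read_tlv(seq, 0)
    tag, body, pos = read_tlv(seq, pos)
    if tag == 0x30:                   # PKCS#8: AlgorithmIdentifier, then OCTET STRING
        oid_tag, oid, _ = read_tlv(body, 0)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("not an RSA key")
        tag, inner, _ = read_tlv(seq, pos)
        if tag != 0x04:
            raise ValueError("missing private key OCTET STRING")
        _tag, rsa_seq, _ = read_tlv(inner, 0)
        _tag, _version, pos = read_tlv(rsa_seq, 0)
        tag, body, _ = read_tlv(rsa_seq, pos)
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(body, "big").bit_length()


def check_service_account(json_text, min_bits=MIN_FIPS_BITS):
    """Return the values the wizard asks for plus the key-size verdict."""
    doc = json.loads(json_text)
    missing = [k for k in ("project_id", "client_email", "private_key") if not doc.get(k)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    bits = rsa_modulus_bits(doc["private_key"])
    return {"project_id": doc["project_id"], "client_email": doc["client_email"],
            "key_bits": bits, "fips_ok": bits >= min_bits}


# Helpers below only build CONSTRUCTED sample input for the demonstration.
def der(tag, body):
    size = len(body)
    if size < 0x80:
        header = bytes([size])
    else:
        raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + header + body


def der_int(value):
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def constructed_key_file(bits):
    """CONSTRUCTED .json with a placeholder modulus of the given size (not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    rsa = der(0x30, der_int(0) + der_int(modulus) + der_int(65537))
    algorithm = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    pkcs8 = der(0x30, der_int(0) + algorithm + der(0x04, rsa))
    pem = ("-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(pkcs8).decode()
           + "-----END PRIVATE KEY-----\n")
    return json.dumps({
        "type": "service_account",
        "project_id": "example-project",  # placeholder
        "client_email": "altavault-backup@example-project.iam.gserviceaccount.com",
        "private_key": pem,
    })


if __name__ == "__main__":
    for size in (1024, 2048):
        print(check_service_account(constructed_key_file(size)))
```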
Configuring Microsoft Windows Azure storage
1. Select yes or no to use keys from KMIP server from the drop-down list. When configuring the KMIP server, you must:
Use the same username and password as created in KMS.
Upload the same certificate as downloaded from KMS after signing it.
Add a symmetric key (KMIP key) as the encryption key.
Add a secret data key (KMIP key) for each of the authentication fields.
2. Specify the following settings:
Cloud Type - Select your option from the drop-down list. The options are Azure Government or Azure Public. Use a storage account to access the Cool or Hot access tier.
Storage Account - Specify the Microsoft Azure Storage account name. The account type must be set to Standard. AltaVault supports storage accounts belonging to either the Hot or Cool access tier.
Primary or Secondary Access Key - Specify the primary or secondary Microsoft Azure Storage access key that you generated when you created your Microsoft Azure Storage account. The secondary key provides the same access as the primary key and is used for backup purposes.
3. Specify the hostname.
4. Bucket Name - Specify the container name associated with your cloud service provider account. You can use containers to organize your data and control access to your data, but they cannot be nested. If the container name does not exist, the container is created during initial AltaVault replication.
For Azure, bucket names must be valid DNS names, conforming to the following naming rules:
Container names must start with a letter or number and can contain only letters, numbers, and hyphens.
Every hyphen must be immediately preceded and followed by a letter or number. You cannot use consecutive hyphens.
All letters in a bucket name must be lowercase.
Container names must be from 3 to 63 characters.
5. Specify the port number.
6. Enable Archiving - Enable this option if you are using the AltaVault for cold storage mode. For more information about cold storage mode, see “Deployment guidelines” on page 13.
7. Enable Cloud Deduplication - Enabling this option may improve deduplication rates for repetitive backup datasets, lowering cloud storage costs. Disabling this option is recommended for Amazon Glacier to improve recovery of recently written data from cache, but can decrease deduplication rates and increase cloud storage costs.
8. Enable Cloud CA Certificate - Optionally, specify a cloud CA certificate that will be used to validate the server certificate of the cloud provider. The file must have the .pem extension.
9. Select the Enable Proxy check box to enable proxy server settings and specify:
Hostname/IP address - Specify the hostname or the IP address.
Ports - Specify the port numbers for access.
Username - Specify the name of the user for access.
Password - Specify the user’s password.
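The Azure container naming rules in step 4 above can be applied to candidate names before they are entered in the Bucket Name field. The following is an added example, not NetApp or Microsoft code; the function names and the sample names are constructed for illustration.

```python
import re

# Each entry: (short key, rule text from the guide, predicate that is True on violation)
RULES = [
    ("length", "Container names must be from 3 to 63 characters.",
     lambda n: not 3 <= len(n) <= 63),
    ("charset", "Container names can contain only letters, numbers, and hyphens.",
     lambda n: re.search(r"[^A-Za-z0-9-]", n) is not None),
    ("lowercase", "All letters in a name must be lowercase.",
     lambda n: re.search(r"[A-Z]", n) is not None),
    ("start", "Container names must start with a letter or number.",
     lambda n: re.match(r"[A-Za-z0-9]", n) is None),
    # A hyphen with no letter/number directly before it, or none directly after it.
    # This covers leading, trailing and consecutive hyphens in one test.
    ("hyphen", "Every hyphen must be immediately preceded and followed by a letter or number.",
     lambda n: re.search(r"(?<![A-Za-z0-9])-|-(?![A-Za-z0-9])", n) is not None),
]


def container_name_violations(name):
    """Return the keys of every rule that `name` breaks, in the order listed above."""
    return [key for key, _text, broken in RULES if broken(name)]


def review_names(names):
    """Return {name: [rule text, ...]} for each name that breaks at least one rule."""
    text = {key: rule_text for key, rule_text, _ in RULES}
    report = {}
    for name in names:
        keys = container_name_violations(name)
        if keys:
            report[name] = [text[k] for k in keys]
    return report


# CONSTRUCTED sample names, not taken from any real deployment.
SAMPLE_NAMES = ["altavault-backup-01", "AltaVault-Backup", "av--data", "backup-"]

if __name__ == "__main__":
    for name, problems in review_names(SAMPLE_NAMES).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```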
Configuring S3-based storage
1. Select yes or no to use keys from KMIP server from the drop-down list. When configuring the KMIP server, you must:
Use the same username and password as created in KMS.
Upload the same certificate as downloaded from KMS after signing it.
Add a symmetric key (KMIP key) as the encryption key.
Add a secret data key (KMIP key) for each of the authentication fields.
2. Specify the following settings:
Access Key - Specify the access key (same as the username).
Secret Key - Specify the secret key (password).
3. Specify the hostname.
4. Specify the bucket name associated with your cloud service provider account. You can use buckets to organize your data and control access to your data, but they cannot be nested. If the bucket name does not exist, the bucket is created during initial AltaVault replication.
5. Specify the port number.
6. Enable Archiving - Enable this option if you are using the AltaVault for cold storage mode. For more information about cold storage mode, see “Deployment guidelines” on page 13.
7. Enable Cloud Deduplication - Enabling this option may improve deduplication rates for repetitive backup datasets, lowering cloud storage costs. Disabling this option is recommended for Amazon Glacier to improve recovery of recently written data from cache, but can decrease deduplication rates and increase cloud storage costs.
8. Enable Cloud CA Certificate - Optionally, specify a cloud CA certificate that will be used to validate the server certificate of the cloud provider. The file must have the .pem extension.
9. Select the Enable Proxy check box to enable proxy server settings and specify:
Hostname/IP address - Specify the hostname or the IP address.
Ports - Specify the port numbers for access.
Username - Specify the name of the user for access.
Password - Specify the user’s password.
Configuring SWIFT-based storage
1. Select yes or no to use keys from KMIP server from the drop-down list. When configuring the KMIP server, you must:
Use the same username and password as created in KMS.
Upload the same certificate as downloaded from KMS after signing it.
Add a symmetric key (KMIP key) as the encryption key.
Add a secret data key (KMIP key) for each of the authentication fields.
2. If your cloud service provider is Oracle Storage Cloud Service - Object Storage, specify the following settings:
Storage Class - By default, Storage Class is set to Standard.
3. Specify the following settings:
Authentication - Specify the method that is used to authenticate each request:
Access Key ID/Secret Key - Specify the access key ID, secret key, and tenant ID
Username/Password - Specify the username, password, and tenant ID
Username/API Access Key - Specify the username and the API Access key
Authentication URL Path - Specify the cloud server API URL for Cloudwatt Object Storage to authenticate the request. For example, /auth/v1.0 or /auth/v2.0.
Web Protocol - Specify whether to use HTTP or HTTPS.
4. Specify the hostname.
5. Specify the bucket name associated with your cloud service provider account. You can use buckets to organize your data and control access to your data, but they cannot be nested. If the bucket name does not exist, the bucket is created during initial AltaVault replication.
6. Specify the port number.
7. Enable Archiving - Enable this option if you are using the AltaVault for cold storage mode. For more information about cold storage mode, see “Deployment guidelines” on page 13.
8. Enable Cloud Deduplication - Enabling this option may improve deduplication rates for repetitive backup datasets, lowering cloud storage costs. Disabling this option is recommended for Amazon Glacier to improve recovery of recently written data from cache, but can decrease deduplication rates and increase cloud storage costs.
9. Enable Cloud CA Certificate - Optionally, specify a cloud CA certificate that will be used to validate the server certificate of the cloud provider. The file must have the .pem extension.
10. Select the Enable Proxy check box to enable proxy server settings and specify:
Hostname/IP address - Specify the hostname or the IP address.
Ports - Specify the port numbers for access.
Username - Specify the name of the user for access.
Password - Specify the user’s password.
11. Click Apply to apply your changes to the running configuration.
Configuring Swift-based storage with region-selection
1. Select yes or no to Use Keys from KMIP Server from the drop-down list. When configuring the KMIP server, you must:
Use the same username and password as created in KMS.
Upload the same certificate as downloaded from KMS after signing it.
Add a symmetric key (KMIP key) as the encryption key.
Add a secret data key (KMIP key) for the authentication fields.
2. Specify the following settings:
Region - Select the region from the drop-down list.
Username - Specify the username to authenticate each request.
API Access Key - Specify the API access key.
3. Specify the hostname.
4. Specify the bucket name associated with your cloud service provider account. You can use buckets to organize your data and control access to your data, but they cannot be nested. If the bucket name does not exist, the bucket is created during initial AltaVault replication.
5. Specify the port number.
6. Enable Archiving - Enable this option if you are using the AltaVault for cold storage mode. For more information about cold storage mode, see “Deployment guidelines” on page 13.
7. Enable Cloud Deduplication - Enabling this option may improve deduplication rates for repetitive backup datasets, lowering cloud storage costs. Disabling this option is recommended for Amazon Glacier to improve recovery of recently written data from cache, but can decrease deduplication rates and increase cloud storage costs.
8. Enable Cloud CA Certificate - Optionally, specify a cloud CA certificate that will be used to validate the server certificate of the cloud provider. The file must have the .pem extension.
9. Select the Enable Proxy check box to enable proxy server settings and specify:
Hostname/IP address - Specify the hostname or the IP address.
Ports - Specify the port numbers for access.
Username - Specify the name of the user for access.
Password - Specify the user’s password.
Customizing a private cloud
You need to contact NetApp technical support to configure a private cloud. After you configure a private cloud, the cloud appears as the cloud provider in the cloud settings page.
To customize a private cloud
1. Contact NetApp Support to convert a cloud to a private cloud.
2. After you configure a private cloud using the CLI, it appears in the Cloud Settings page and the dashboard in the Cloud Information section as the Provider. For more information on CLI, see the NetApp AltaVault Cloud Integrated Storage Command-Line Interface Reference Guide.
3. Choose Configure > Cloud Settings.
4. Select the Cloud tab.
5. Under Cloud Provider Settings, complete the configuration as necessary. Refer to your private cloud configuration for the required authentication credentials needed to communicate with this cloud.

Using the import configuration wizard

Use the Import Configuration wizard to import a previously saved configuration into the AltaVault. The Import Configuration Wizard will fail if the AltaVault already has an encryption key set.
It is recommended to set the time zone on the AltaVault prior to uploading the configuration.
To use the import configuration wizard
1. From the management console, choose Configure > Setup Wizard.
2. Select Import Configuration in the Wizard Dashboard.
3. Select one of the following options:
Select Local File and click Browse to select a local configuration file from your computer.
-or-
Select URL and specify the URL of an appliance whose configuration you want to import.
4. Leave the Import Shared Data Only check box selected to import only the following common settings:
Cloud settings
Email settings
Logging
NTP settings
SNMP settings
Statistics or Alarms settings
Time zone settings
Web and CLI preferences
SMB, NFS, OST, SnapMirror configuration
When you select the Import Shared Data Only check box, the following settings are not imported:
General Security Settings
Static host configuration
Appliance licenses
Interface configuration, IP configuration, static routes, and virtual interfaces.
Radius protocol settings
Name server settings and domains
Scheduled Jobs
SSH server settings and public or private keys
Hostname, Message of the Day (MOTD), and Fully Qualified Domain Name (FQDN)
TACACS protocol settings
Telnet server settings
5. Select the Key Passphrase protect the Encryption Key check box to specify a password for the encryption key. If you select this option, you must enter the same password when you import or export the encryption key.
6. Click Import Configuration.
7. Click Exit.

Using the export configuration wizard

To use the export configuration wizard
1. From the management console, choose Configure > Setup Wizard.
2. Select Export Configuration.
3. Click Export Configuration to download the current AltaVault configuration file AltaVault_config_(HOSTNAME)_(DATETIME).tgz.
If an encryption key passphrase is configured on AltaVault at the time you export the configuration, the configuration file will require this passphrase when imported to another AltaVault appliance. For more information about the encryption key passphrase, go to “Configuring encryption” on page 36.

CHAPTER 4 Configuring storage settings

This chapter includes the following sections:
“Configuring cloud settings” on page 35
“Configuring SMB” on page 37
“Configuring NFS” on page 42
“Configuring OST” on page 45
“Configuring SnapMirror” on page 47

Configuring cloud settings

You can specify cloud settings in the Configure > Cloud Settings page.
Before you configure cloud settings, you must configure DNS settings to access the cloud service provider host machine on the Configure > Host Settings page.
This section includes the following topics:
“Configuring cloud provider settings” on page 35
“Configuring encryption” on page 36
“Configuring replication” on page 36
“Configuring bandwidth limits” on page 36
To transition cloud credentials and the encryption key from the AltaVault to a Key Management Server (KMS), refer to the section “Configuring KMIP” on page 93.

Configuring cloud provider settings

This setting enables you to access the storage and software through the Internet. For more details on cloud provider settings, see “Using the Cloud Settings wizard” on page 22.
Only users who have Read-Only Replication Settings permission or Read and Write Replication Settings permission can access and configure the Cloud Settings Page.

Configuring encryption

The new datastore encryption key can be generated or imported from an existing one.
To secure the encryption key, protect it using a key passphrase. This passphrase will be used to encrypt the datastore encryption key and must be provided whenever importing this datastore encryption key, such as for disaster recovery. It is not stored within a configuration archive and must be kept in a secure location.
For more information on encryption, see “Using the Cloud Settings wizard” on page 22.

Configuring replication

Replication is the process of copying data and metadata from the AltaVault to the cloud. The AltaVault replicates data to the cloud asynchronously.
Only users who have Read-Only Replication Settings permission or Read and Write Replication Settings permission can access and configure the Replication Settings Page.
To configure replication
1. Choose Configure > Cloud Settings.
2. Select the Replication tab.
3. Under Replication Settings, complete the configuration as described in this table.
Control - Description
Pause Replication at - Specify the time (in HH:MM:SS format) at which you want replication to pause.
Resume Replication at - Specify the time (in HH:MM:SS format) at which you want replication to resume.
Bytes pending replication alert limit - Displays an alarm if the number of bytes pending replication to the cloud exceeds the value you specify. The default value is 500 GiB.
Bytes pending replication clear limit - Specify the lower limit at which the bytes pending replication alert limit notification is cleared. The default value is 450 GiB.
Suspend Replication - Click to temporarily stop replication.
4. Click Apply to complete your changes.

Configuring bandwidth limits

You can limit the bandwidth that the AltaVault uses to replicate data and restore data in the bandwidth limit settings page.
Only users who have Read-Only Replication Settings permission or Read and Write Replication Settings permission can access and configure the Bandwidth Limit Settings Page.
To configure bandwidth limits
1. Choose Configure > Cloud Settings.
2. Select the Bandwidth tab and specify:
Control - Description
Cloud Replication Interface - Select a data interface to use for sending data to and restoring data from the cloud. Select the interface in the drop-down list and then specify the bandwidth limits and scheduling. You must first configure the data interfaces before they appear in the drop-down list. Setting the replication interface to Primary/Default is not recommended as this is the management interface for the appliance.
Replication Limit Rate - Specify a rate to limit the data transmitted to the cloud storage provider in kilobits per second (kbps).
Restore Limit Rate - Specify a rate to limit the data restored in kilobits per second (kbps).
Enable Bandwidth Limit Scheduling - Before you select this option, you must specify the replication/restore options above. Select the check box and specify:
• Start Time - the time at which the bandwidth limit should start.
• End Time - the time at which the bandwidth limit should end.
• Replication Limit Rate - the replication rate during the defined schedule. The bandwidth reverts to the normal replication limit rate outside the scheduled times.
• Restore Limit Rate - the restore rate during the defined schedule.
• Include Weekends - apply schedule to weekdays and weekends.
3. Click Apply to apply your changes to the running configuration.
After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports.

Configuring SMB

SMB is currently enabled in two versions: SMBv2 and SMBv3. SMBv2 is the default protocol that is used with Windows 2000 and Windows 2008 systems, and SMBv3 is the default protocol that is used with Windows 2012 systems. AltaVault supports SMB2 and SMB3. You can configure SMB access for Microsoft Windows based clients to the AltaVault in the Configure > SMB page.
Note: If you are upgrading to AVA4.2 or later releases, migration of your CIFS configuration from earlier AVA releases to AVA SMB is supported. For detailed SMB deployment information, see the NetApp AltaVault (Formerly SteelStore) Cloud-Integrated Storage Appliances SMB Deployment Guide (Technical Report 4511).
When configuring SMB, you perform the following tasks:
“To configure an Active Directory domain” on page 38
“To add an SMB share” on page 39
“To add a local user to access the share” on page 40
“To edit local user permission to access the share” on page 40
“To add local SMB user” on page 41
“To edit SMB local user” on page 41
“To edit multichannel settings” on page 41
To configure an Active Directory domain
If your network has an Active Directory (AD) domain, you can add the AltaVault to the domain and enable domain users to access AltaVault SMB shares. You can add the AltaVault only to one domain. Ensure that you have permissions to join appliances to the domain.
1. The SMB page does not appear until the Storage Optimization Service is started. If needed, choose Maintenance > Service and click Start to initialize the service.
2. Optionally, you can specify up to three preferred domain controllers. Under Preferred Domain Controllers, enter a fully qualified domain name or IPv4 address for each controller. AltaVault accesses preferred controllers in order, starting with Domain Controller 1.
If no controllers are specified, AltaVault uses DNS to discover domain controllers.
3. Click Apply.
4. To join the AltaVault to an AD domain, go to the Domain section and specify:
Control - Description
Domain Name - Specify the fully qualified domain name of the AD that the AltaVault will join.
Username - Specify the username of a user who has appropriate permissions to add computers to the domain.
Password - Specify the user’s domain password.
5. Click Show Advanced Settings to display Advanced Settings to (optionally) configure the domain. Complete the configuration as described in this table.
Control Description
Hostname Optionally, specify the hostname that the AltaVault will use as part of the domain.
Join Domain Attempt to join the AltaVault to your AD domain.
AltaVault then appears as the specified hostname in the AD.
6. After you join a domain, the Domain section of the SMB page changes to reflect the domain that the AltaVault has joined.
When you leave a domain, specify:
Control Description
Username Optionally, specify the username of a user who has appropriate permissions to add computers to the domain.
Password Optionally, specify the user’s domain password.
Leave Domain Attempt to remove AltaVault from the domain.
Reboot all client machines that were used to connect to the AltaVault to delete cached domain credentials.
To add an SMB share
1. The SMB page does not appear until the Storage Optimization Service is started. If needed, choose Maintenance > Service and click Start to initialize the service.
2. Optionally, under Pinned Data Information, slide the indicator along the bar to select the bytes allowed for share pinning. Share pinning instructs the share to always retain data on AltaVault locally without fetching it from the cloud.
3. To add an SMB share, complete the configuration as described in this table.
Control Description
Add SMB Share Displays the controls to add a new SMB share.
Share Name Specify the name of the share.
Pin Share Optionally, enable data pinning on the share. Select Yes or No from the drop-down list to specify whether the SMB share should be pinned. Share pinning enables the share to always contain data that is available to the AltaVault locally without fetching it from the cloud. You can pin SMB shares only at the time of share creation. Existing unpinned shares cannot be pinned.
Once a share is pinned, unpinning of that share can be performed via CLI and requires optimization service to be offline. Unpinning a share can be a time-consuming operation. Unpinning a share does not result in erasing the previously pinned data. After unpinning, the previously pinned data becomes available for eviction.
You cannot remove a pinned share if it contains data.
Early Eviction Specify whether or not data from this share should be assigned a higher priority for eviction.
If you select yes, data written to this share is eligible for eviction earlier than other data.
Disable Dedupe Specify whether or not data written to this share should be checked for duplication. If you select yes, then the AltaVault will not perform duplication checks on data written to the share.
Disable Compression Specify whether or not data written to this share should be compressed.
Select yes if your data set is already in a compressed format and will not benefit from further compression attempts.
Local Path Specify the internal pathname on the AltaVault to which this SMB share writes data.
Note: AltaVault does not support having two shares with the same local path. Do not create two shares with the same local path. Additionally, nesting shares (local path of a share is part of the local path of another share) is not recommended.
Comment Enter a comment about the share. You can use alphanumeric characters, underscores, hyphens, and spaces.
Read Only Configure the share to be read-only.
Allow Everyone Access Enable global access to the SMB share.
Clear this check box if you want to enable individual authentication.
Add Share Adds the SMB share to the AltaVault.
Remove Selected Deletes the selected SMB share.
The share you configured appears in the list of shares on the page along with the option to add a local user.
To add a local user to access the share
SMB share security and access can be administered in AD domains via Windows Explorer. If AltaVault is not within an Active Directory domain, use a local user account to gain access to a share.
1. To add a local user to access the share that you created, expand the share name to complete the configuration as described in the following table.
Note: A local SMB user must first be created as described in “To add local SMB user” before you can add the user to a share.
Control Description
Add a User Displays the controls to add a user to the share.
User Select the user from the drop-down list.
Access Select one of the following options from the drop-down list:
Allow - Allows the user read, write, and modify privileges to the share.
Deny - Denies the user read, write, and modify privileges to the share.
Remove Selected Deletes the selected user from the SMB server.
Add User Adds the SMB user.
2. Click Apply Changes.
To edit local user permission to access the share
After adding local user access to the share, you can edit access permissions for each user.
1. Expand the user name to change permissions as described in the following table.
Control Description
Edit Permissions Select the following options:
Allow - Allows the user Read, Write, or Modify permission for the share.
Deny - Denies the user Read, Write, or Modify permission for the share.
Note: Permission settings are hierarchical; that is, Read permission provides read-only access to the share. Write permission provides read and write access to the share. Modify permission provides full control of the share.
Apply Applies the changes to the SMB share users.
To add local SMB user
1. To add an SMB user to access the share that you created, complete the configuration as described in this table.
Control Description
Add SMB User Displays the controls to add a user to the SMB share.
User Name Specify the user name of a local user to access the SMB share. The user name is case sensitive.
Password Specify the password for the new user.
Password Confirm Re-enter the new password for the new user.
Admin Select one of the following options from the drop-down list:
• Yes - Provides Administrator privileges to user
• No - Disables Administrator privileges to user
Account Select one of the following options from the drop-down list:
• Enabled - Enables local user account for accessing SMB share
• Disabled - Disables local user account from accessing SMB share
Remove Selected Removes local SMB user configuration.
Add Adds local SMB user.
To edit SMB local user
1. Expand the user name to complete the configuration as described in this table.
Control Description
Change Password Select the check box to change the password.
Password Specify the new password for the user.
Password Confirm Re-enter the new password for the user.
Admin Select one of the following options from the drop-down list:
• Yes - Provides Administrator privileges to user
• No - Disables Administrator privileges to user
Account Select one of the following options from the drop-down list:
• Enabled - Enables local user account for accessing SMB share
• Disabled - Disables local user account from accessing SMB share
Remove Selected Deletes the selected user from the SMB server.
Apply Applies the changes to the SMB share users.
To edit multichannel settings
SMB multichannel is a feature that allows SMBv3 shares to be accessed via multiple network interfaces from Windows hosts that support SMBv3.
1. Multichannel support is disabled for all interfaces by default. To enable an interface (e0a, e0b, e0c), select the checkbox for the interface and click Enable.

Configuring NFS

You can configure Network File System (NFS) for Unix and Linux based clients in the Configure > NFS page. Before you configure NFS, choose Maintenance > Service and click Stop to stop the Storage Optimization Service.
This section includes the following topics:
“Configuration tasks”
“Editing an NFS configuration”
“Troubleshooting NFS”

Configuration tasks

You can configure NFS on the Configure > NFS page.
To configure NFS protocol
1. The NFS page does not appear until the Storage Optimization Service is started. If needed, choose Maintenance > Service and click Start to initialize the service.
2. Optionally, under Pinned Data Information, slide the indicator along the bar to select the maximum bytes allowed for share pinning. Share pinning instructs the share to always contain data that is available to the AltaVault locally without fetching it from the cloud.
3. Optionally, upload the Kerberos keytab file (/etc/krb5.keytab), then upload a valid Kerberos configuration file (.krb5.conf).
The keytab file is an encrypted, local, on-disk copy of the host's key. The configuration file contains Kerberos configuration information, including the locations of KDCs (Key Distribution Center) and administration servers for the Kerberos realms, default parameters for the current realm and for Kerberos applications, and mappings of host names onto Kerberos realms.
4. Under Add an Export, complete the configuration as described in this table:
Control Description
Add an Export Displays the controls to export an NFS share.
Name Specify the name of the export share.
Export as NFSv4 Specify the type of NFS export. If you select yes, the export will be configured as NFSv4 export. If you select no, the export will be configured as NFSv3 export.
Kerberos Authentication Kerberos authentication works only with NFSv4 exports. It is optional. If you are not using Kerberos, AltaVault does not use any other means of authentication for NFSv4 exports.
Pin Export Optionally, enable data pinning on the share. Select Yes or No from the drop-down list to specify whether the NFS export should be pinned. Share pinning enables the share to always contain data that is available to the AltaVault locally without fetching it from the cloud. You can pin NFS exports only at the time of share creation. Existing unpinned shares cannot be pinned.
Once a share is pinned, unpinning of that share can be performed via CLI and requires optimization service to be offline. Unpinning a share can be a time-consuming operation. Unpinning a share does not result in erasing the previously pinned data. After unpinning, the previously pinned data becomes available for eviction.
You cannot change this option after the NFS export is created.
Early Eviction Specify whether or not data from this share should be assigned a higher priority for eviction.
If you select yes, data written to this share is eligible for eviction earlier than other data.
Disable Dedupe Specify whether or not data written to this share should be checked for de-duplication.
If you select yes, then the AltaVault will not perform duplication checks on data written to the share.
Disable Compression Specify whether or not data written to this share should be compressed.
Select yes if your data set is already in a compressed format and will not benefit from further compression attempts.
Local Path Specify the internal pathname on the AltaVault to which this share writes data.
Comment Enter a comment about the NFS share. Use only alphanumeric characters, underscores, hyphens, and spaces in this field.
Export Asynchronously Select the check box to export the NFS share asynchronously. Click the icon for the following information:
Exporting NFS asynchronously forces the server to drop all fsync requests from the client. It is required to obtain good performance with NFS clients that issue frequent NFS COMMIT operations, which might degrade the AltaVault performance significantly. Many UNIX clients often execute NFS COMMIT operations when low on memory. To understand the circumstances that cause this behavior and to detect and prevent it, contact your client operating system vendor. The AltaVault automatically synchronizes any file that is idle for a configurable amount of time. The default value is 10 seconds. Although there is a window of time (after the server responds with success for an fsync request, and before the data is written to disk), this window is small and performance benefits are large. NetApp recommends exporting NFS asynchronously.
Allow Specified Clients Specify which clients can connect to the NFS share.
To limit access, specify the client’s IP address and subnet mask.
By default, all clients can access the share until the first client is entered. To revert to full access after adding a client, specify 0.0.0.0/0 in the Client IP/Network field.
Allow All Clients Enables all clients connected to the AltaVault system to access the NFS share.
WARNING: Enabling all clients to access the NFS share is not recommended.
Add Adds the export path and client IP address to the AltaVault NFS server.
Remove Selected Select the check box next to the name and click Remove Selected.
The share you configure and its parameters appear in the list of shares on the page.
5. Click Add to apply your changes to the running configuration.
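The export controls above combine into a small number of risky states: an export reachable by every client, an NFSv4 export with no Kerberos (and therefore no authentication), and Kerberos selected on an NFSv3 export where it does not apply. The following audit is an added example, not part of the NetApp guide or an AltaVault tool; the `NfsExport` record, the finding codes, and the `min_prefix` threshold are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NfsExport:
    """Hypothetical inventory record; fields mirror the Configure > NFS controls."""
    name: str
    nfsv4: bool
    kerberos: bool
    allow_all_clients: bool
    clients: list = field(default_factory=list)  # "address/prefix" or "address/netmask"


def audit_export(exp, min_prefix=24):
    """Return a sorted list of finding codes for one export.

    min_prefix is a local policy assumption: IPv4 client networks wider than
    /min_prefix are reported as BROAD_CLIENT_NETWORK.
    """
    findings = set()

    # Per the guide, every client can reach the export until the first client
    # is entered, so an empty client list is as open as Allow All Clients.
    if exp.allow_all_clients or not exp.clients:
        findings.add("OPEN_TO_ALL_CLIENTS")

    for entry in exp.clients:
        try:
            # strict=False accepts a host address with a mask, e.g. 10.1.2.3/24.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.add("INVALID_CLIENT_ENTRY")
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 reverts the export to full access.
            findings.add("OPEN_TO_ALL_CLIENTS")
        elif net.version == 4 and net.prefixlen < min_prefix:
            findings.add("BROAD_CLIENT_NETWORK")

    if exp.nfsv4 and not exp.kerberos:
        # Without Kerberos, no other authentication is used for NFSv4 exports.
        findings.add("NFSV4_NO_AUTHENTICATION")
    if exp.kerberos and not exp.nfsv4:
        # Kerberos authentication works only with NFSv4 exports.
        findings.add("KERBEROS_ON_NFSV3")

    return sorted(findings)


def audit(exports, min_prefix=24):
    """Map each export name to its findings."""
    return {e.name: audit_export(e, min_prefix) for e in exports}


# Constructed sample inventory (names and addresses are made up).
SAMPLE_EXPORTS = [
    NfsExport("backup01", nfsv4=True, kerberos=True, allow_all_clients=False,
              clients=["10.20.30.0/24", "192.168.1.10/255.255.255.0"]),
    NfsExport("scratch", nfsv4=False, kerberos=False, allow_all_clients=False),
    NfsExport("legacy", nfsv4=True, kerberos=False, allow_all_clients=False,
              clients=["10.0.0.0/8", "0.0.0.0/0"]),
    NfsExport("typo", nfsv4=False, kerberos=True, allow_all_clients=False,
              clients=["10.20.30.300/24"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORTS).items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```
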

Editing an NFS configuration

To edit an existing configuration
1. Choose Configure > NFS and click the share name at the bottom of the page.
2. Select the NFS share name and specify:
Control Description
Edit Export Select tab to edit the exported NFS share.
Local Path Change the export file pathname, which starts with a forward slash (/).
Comment Specify or change the comment about the NFS share.
Export as NFSv4 Not available for editing.
Kerberos Authentication Available for editing only when Export as NFSv4 is selected.
Pinned Not available for editing.
Early Eviction Select yes or no from the drop-down list to specify whether or not data from this share should be assigned a higher priority for eviction.
If you select yes, data written to this share is eligible for eviction earlier than other data. If you select no, data written to this share is evicted using the default method.
Disable Dedupe Specify whether or not data written to this share should be checked for de-duplication.
If you select yes, then the AltaVault will not perform duplication checks on data written to the share.
Disable Compression Specify whether or not data written to this share should be compressed.
Select yes if your data set is already in a compressed format and will not benefit from further compression attempts.
Export Asynchronously Select the check box to export the NFS share asynchronously. Click the icon for the following information:
Exporting NFS asynchronously forces the server to drop all fsync requests from the client. This is a feature of the NFS protocol. It is required to obtain good performance with NFS clients that issue frequent NFS COMMIT operations, which might degrade the AltaVault performance significantly. Many UNIX clients often execute NFS COMMIT operations when low on memory. To understand the circumstances that cause this behavior and to detect and prevent it, contact your client operating system vendor. The AltaVault automatically synchronizes any file that is idle for a configurable amount of time. The default value is 10 seconds. Although there is a window of time (after the server responds with success for an fsync request and before the data is written to disk), this window is small and performance benefits are large. NetApp recommends exporting NFS asynchronously.
Allow All Clients Enables all clients connected to the AltaVault system to access the NFS share.
Allow Specified Clients Enables only the clients that you specify to connect to the AltaVault system to access the NFS share. If you select this option, you must specify the client’s IP address and subnet mask in the Client IP/Network text field below it. To enable all clients to access the NFS share, specify 0.0.0.0/0 in the Client IP/Network field.
Mount Commands Select this tab to display the Linux and UNIX NFS mount commands. You configure the mount commands through the command-line. These commands are for your reference.
If the AltaVault is a secondary appliance, the mount commands enable only read permissions and not write permissions.
3. Click Apply to apply your changes to the running configuration.

Troubleshooting NFS

Use the following table to help resolve NFS issues.
Symptom Description
User attempts to map an NFS share fail; users are unable to connect to a share after a client or AltaVault reboot
Certain services, such as NFSv3, rely on RPC to assign a port number to services from a dynamic range. For AltaVault, this range is 32768 - 61000. Reboots of clients or AltaVault can cause a port re-negotiation, which is expected and normal for TCP/IP and UDP protocols. Your firewall must be configured to allow for a range of ports or the connection can be denied. Check your firewall configuration and update access policies as necessary.
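A firewall policy that opens only part of the dynamic range produces exactly the intermittent failure described above, because the port chosen after a reboot may fall in the unopened part. The following check is an added example, not part of the NetApp guide; the rule format is a hypothetical vendor-neutral one, and the check assumes the allow rules are evaluated as a simple union (no rule ordering or deny precedence).

```python
# Dynamic RPC port range that the guide gives for AltaVault (inclusive).
RPC_DYNAMIC_RANGE = (32768, 61000)


def parse_ports(spec):
    """Parse "2049" or "32768-61000" into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not (0 < low <= high <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high


def uncovered(required, allowed):
    """Return the inclusive sub-ranges of `required` that no `allowed` range covers."""
    low, high = required
    gaps = []
    cursor = low  # lowest port not yet known to be covered
    for a_low, a_high in sorted(allowed):
        if a_high < cursor:
            continue          # range lies entirely below the cursor
        if a_low > high:
            break             # remaining ranges lie above the required range
        if a_low > cursor:
            gaps.append((cursor, a_low - 1))
        cursor = max(cursor, a_high + 1)
        if cursor > high:
            break
    if cursor <= high:
        gaps.append((cursor, high))
    return gaps


def rpc_gaps(rules, required=RPC_DYNAMIC_RANGE):
    """Map each protocol to the RPC sub-ranges that no allow rule covers."""
    gaps = {}
    for proto in ("tcp", "udp"):
        allowed = [parse_ports(r["ports"]) for r in rules
                   if r["action"] == "allow" and r["proto"] == proto]
        gaps[proto] = uncovered(required, allowed)
    return gaps


# Constructed sample rules for the path between NFS clients and the appliance.
SAMPLE_RULES = [
    {"proto": "tcp", "ports": "32768-49151", "action": "allow"},
    {"proto": "tcp", "ports": "49152-65535", "action": "allow"},
    {"proto": "udp", "ports": "32768-60999", "action": "allow"},  # one port short
    {"proto": "udp", "ports": "61000", "action": "deny"},
]

if __name__ == "__main__":
    for proto, gaps in rpc_gaps(SAMPLE_RULES).items():
        print(proto, "fully covered" if not gaps else f"missing {gaps}")
```
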

Configuring OST

OpenStorage (OST) is a proprietary protocol created by Veritas for ingesting backup data streams to (third-party) disk-like storage devices. OST is implemented as a plug-in (shared object/DLL) running in the NetBackup media server process address space and streaming data to the OST server running on the AltaVault.
You can perform the following tasks:
“To configure OST share”
“To add an OST user to access the share”
“To edit OST user”
For information on setting up the AltaVault OST Plug-in for communication with AltaVault, see the NetApp AltaVault OST Plug-in Deployment Guide.
To configure OST share
1. The OST page does not appear until the Storage Optimization Service is started. If needed, choose Maintenance > Service and click Start to initialize the service.
2. Optionally, under Pinned Data Information, slide the indicator along the bar to select the maximum bytes allowed for share pinning. Share pinning instructs the share to always retain data locally on the AltaVault without fetching it from the cloud.
3. Click Apply to apply your changes.
4. To add an OST share, click Add OST Share and specify:
Control Description
Share Name Specify the name of the share.
Type Select regular or cloud.
With regular shares, AltaVault treats incoming data the same as with traditional SMB shares or NFS exports: it writes the data to cache and replicates the data to the cloud.
Cloud shares are used to create an optimized duplicate of data in regular shares replicated in the cloud that are managed via NetBackup storage lifecycle policies (SLP).
Pin Share Optionally, enable data pinning on the share. Select Yes or No from the drop-down list to specify whether the OST share should be pinned. Share pinning enables the share to always contain data that is available to the AltaVault locally without fetching it from the cloud. You can pin OST shares only at the time of share creation. Existing unpinned shares cannot be pinned.
Once a share is pinned, unpinning of that share can be performed via CLI and requires optimization service to be offline. Unpinning a share can be a time-consuming operation. Unpinning a share does not result in erasing the previously pinned data. After unpinning, the previously pinned data becomes available for eviction.
You cannot remove a pinned share if it contains data.
Early Eviction Specify whether or not data from this share should be assigned a higher priority for eviction.
If you select yes, data written to this share is eligible for eviction earlier than other data.
Disable Dedupe Specify whether or not data written to this share should be checked for duplication. If you select yes, then the AltaVault will not perform duplication checks on data written to the share.
Disable Compression Specify whether or not data written to this share should be compressed.
Select yes if your data set is already in a compressed format and will not benefit from further compression attempts.
Add Share Adds the OST share to the AltaVault.
5. Optionally, to remove an OST share, select the OST share from the table and click Remove Selected.
6. Optionally, to enable SSL communication between the AltaVault OST Plug-in and the AltaVault, select the Enable SSL check box in the Global OST Settings section, and click Apply. AltaVault will communicate with the AltaVault OST Plug-in using secured port 8085.
To add an OST user to access the share
1. To add a user to access the share that you created, select the share and specify:
Note: OST shares must have an associated user to be used by NetBackup storage server. Multiple users per OST share are allowed.
Control Description
Add OST User Displays the controls to add a user to the OST share.
User Name Type the user name that you would use for authenticating the share from NetBackup.
Password Specify the new password for the user.
Password confirm Re-enter the password.
Add User Adds the OST user.
To edit OST user
1. Expand the user name to complete the configuration as described in this table.
Control Description
Change Password Select the check box to change the password.
Password Specify the new password.
Password Confirm Re-enter the new password.
Account Specify:
• Enabled - Enables local user account
• Disabled - Disables local user account
Apply Applies the changes to the OST share users.

Configuring SnapMirror

AltaVault supports backup and restore operations for ONTAP FlexVol volumes using the SnapMirror service. Backup relationships are created and managed from ONTAP using ONTAP commands or SnapCenter software. SnapMirror support is available on AltaVault physical and virtual appliance models. For more information about SnapMirror operation with ONTAP, see the Data Fabric Solution for Cloud Backup resource page.
This section includes the following topics:
“Enabling SnapMirror service”
“Monitoring and deleting SnapMirror shares and Snapshots on AltaVault”
“Enabling long-term retention”
“Enabling SnapCenter access”

Enabling SnapMirror service

To enable SnapMirror service
1. Choose Configure > SnapMirror in the Management Console.
2. Under SnapMirror Service, click Enable.
3. If the “Service restart required” prompt appears, click the Restart button that becomes enabled in the upper right portion of the AltaVault Management Console.
4. Under Whitelist IP, click Add Whitelist IP.
The Whitelist specifies which addresses are authorized to communicate with AltaVault.
5. Enter the IP addresses of ONTAP intercluster LIFs from which AltaVault will accept connections for backup and restore operations, and click Add.
The list of authorized IP addresses must be populated prior to initiating a connection from the ONTAP system or the connection will be rejected.
To remove an IP address, select the IP Address and click Remove Selected. Removing an IP address from the whitelist disables access to the AltaVault from that IP address.
Note: If you are using SnapCenter to manage backups, SnapCenter automatically creates the whitelist of approved IP addresses when you initiate a backup from SnapCenter. In this case, there is no need to create the IP whitelist.
To disable SnapMirror service
1. Choose Configure > SnapMirror in the Management Console.
2. Under SnapMirror Service, click Disable.
When SnapMirror service is disabled, the shares and Snapshots that exist on AltaVault are not deleted and are kept intact. Snapshots are not accessible while service is disabled. Snapshots can be restored only when SnapMirror service is enabled.
3. If the Service restart required prompt appears, click the Restart button that becomes enabled in the upper right of the console.

Monitoring and deleting SnapMirror shares and Snapshots on AltaVault

A SnapMirror share is created automatically when the SnapMirror relationship with the AltaVault is created in ONTAP or in SnapCenter. Based on SnapMirror policies, Snapshot copies of ONTAP volumes are backed up to the associated AltaVault share. AltaVault provides global deduplication on all Snapshot backup streams prior to replication to the cloud.
Snapshots backed up to AltaVault shares are read-only copies and can only be restored back to ONTAP using ONTAP commands or SnapCenter.
To view SnapMirror shares and Snapshots on AltaVault
1. Under SnapMirror Shares, review the information fields associated with a share:
Field Description
Name Specifies the name of the share created in ONTAP using the ONTAP CLI or by using SnapCenter software. When the ONTAP administrator creates a SnapMirror relationship with AltaVault, a share is automatically created in AltaVault. Each share is associated with one ONTAP FlexVol volume. AltaVault supports up to 500 SnapMirror shares.
To view a list of Snapshots associated with each share, select a share name.
Peer Path Identifies the source volume in ONTAP that is being backed up to AltaVault.
UUID Lists the unique identifier associated with each SnapMirror share. The UUID value is generated by AltaVault.
Size Specifies the size of the SnapMirror share. The size can grow or shrink as Snapshots are backed up or deleted from the share.
Shares on the AltaVault have no size limitation but are bound by the AltaVault’s cache capacity. The size of source volume, change rate, and number of Snapshots will impact the number and size of SnapMirror shares on the AltaVault.
2. To view the list of Snapshots for a share, select a share and review the Snapshot information:
Field Description
Name Lists the Snapshots for a share. Snapshot backups can be triggered in ONTAP through SnapMirror policies, by explicitly running the ONTAP update command, or through SnapCenter software.
UUID Lists the unique identifier associated with each Snapshot copy. The UUID value is generated by ONTAP.
Created Displays the date and time when the Snapshot was created in ONTAP.
Size Specifies the size of a Snapshot.
During the lifetime of a share, there is only one baseline Snapshot. Any Snapshot after the baseline is always incremental. Baseline transfer can take a long time to complete depending on the size of the Snapshot.
During incremental Snapshot backups, only the changed blocks between two Snapshots are transferred.
Status Identifies the status of Snapshot replication to the cloud. Replication status can be either Completed or Pending.
To delete SnapMirror shares and Snapshots on AltaVault
1. To remove a share or Snapshot, select the share or Snapshot and click Remove Selected.
Snapshots can be deleted on the AltaVault through ONTAP SnapMirror policies or SnapCenter policies, or by manual deletion on AltaVault. When a share is deleted, Snapshots belonging to that share are also deleted. AltaVault reclamation will recover the space occupied by the deleted Snapshot or Share asynchronously, and Share size may not immediately reflect available space from the operation.
Note: You cannot delete the latest Snapshot. Also, a Snapshot cannot be deleted while a restore is in progress.

Enabling long-term retention

AltaVault supports up to 500 SnapMirror shares in one of two modes: short-term retention (default) or long-term retention. For short-term retention, each share supports up to 251 Snapshots, and Snapshot retention is dependent upon the retention policy set up in ONTAP. For example, suppose a share has a two-tier retention policy supporting 50 hourly and 100 daily Snapshots. In this case, when the count of hourly Snapshots exceeds 50 or the daily count exceeds 100, the oldest snapshot of the respective tier is deleted.
For long-term retention, each share supports up to a maximum of 3700 Snapshots, which is equivalent to 10 years worth of daily Snapshots. Long-term retention allows AltaVault to continue storing Snapshots until it reaches the maximum. If a share exceeds 3700 Snapshots, AltaVault begins deleting the oldest Snapshot copies to make room for new ones.
When long-term retention is turned off (disabled), AltaVault reverts to using the retention policy set up in ONTAP, which supports a maximum 251 Snapshots per share. If there are large numbers of Snapshots (more than 251) when long-term retention is turned off, the number of snapshots will be reduced to match the count set in the retention policy.
The retention method used for Snapshot retention applies to all SnapMirror shares created on the AltaVault.
To enable long-term retention mode
1. Under Long Term Retention, click Enable.
To disable long-term retention, click Disable.
Important: If SnapCenter is being used to manage backups, long-term retention will be enabled or disabled from SnapCenter. Do not disable or enable long-term retention on the AltaVault appliance explicitly while SnapCenter is managing backups.

Enabling SnapCenter access

SnapCenter can be used to back up and delete Snapshots, and to perform single file restores. If you are using SnapCenter to manage backups, you must enable SnapCenter access on AltaVault.
Additionally, before you can use SnapCenter to manage backups on AltaVault, you must configure a role-based account on AltaVault for SnapCenter administrator access. This account must have the read/write permissions for the following user roles: General, Replication, Storage.
To create a role-based user account for SnapCenter on AltaVault
1. Choose Configure > User permissions in the Management Console.
2. Under role-based accounts, select Add a New User.
3. Enter an account name and password, and check Enable Account.
4. Select Read/Write permission for the following roles: General Settings, Replication Settings, Storage Settings.
5. Click Add.
To enable SnapCenter access to AltaVault
1. Under SnapCenter Access, click Enable.
To disable SnapCenter access, click Disable.

CHAPTER 5 Modifying networking settings

This chapter includes the following sections:
“Modifying general host settings”
“Modifying management interfaces”
“Modifying data interfaces”
“Modifying virtual interfaces (VIFs)”
“Modifying VLANs”

Modifying general host settings

You can view and modify general host settings in the Configure > Host Settings page. Use the following groups of controls on this page only if modifications or additional configuration is required:
Name - Modify the hostname.
DNS Settings - NetApp recommends that you use DNS resolution.
Hosts - If you do not use DNS resolution, or if the host does not have a DNS entry, you can assign a host-IP address resolution map.
Web/FTP Proxy - Configure proxy addresses for Web or FTP proxy access to the AltaVault. The proxy settings do not affect cloud connections originating from the AltaVault.
To view general host settings
Choose Configure > Host Settings.
To change the hostname
1. Choose Configure > Host Settings.
2. Under Name, modify the value in the Hostname field.
3. Click Apply to apply your changes to the running configuration.
To specify DNS settings
1. Choose Configure > Host Settings.
2. Under DNS Settings, complete the configuration as described in this table.
Control Description
Primary DNS Server Specify the IP address for the primary name server.
Secondary DNS Server Optionally, specify the IP address for the secondary name server.
Tertiary DNS Server Optionally, specify the IP address for the tertiary name server.
DNS Domain List Specify an ordered list of domain names.
If you specify domains, the system automatically finds the appropriate domain for each of the hosts that you specify in the system.
3. Click Apply to apply your changes to the running configuration.
To add a new host
1. Choose Configure > Host Settings.
2. Under Hosts, complete the configuration as described in this table.
Control Description
Add a New Host Displays the controls for adding a new host.
IP Address Specify the IP address for the host.
Hostname Specify a hostname.
Add Adds the host.
Remove Selected Select the check box next to the name and click Remove Selected.
3. Click Apply to apply your changes to the running configuration.
To set a Web/FTP proxy
1. Choose Configure > Host Settings.
2. Under Web/FTP Proxy, complete the configuration as described in this table.
Control Description
Enable Web Proxy Enables the appliance to use a Web proxy to contact NetApp.
Web proxy access is disabled by default.
Web/FTP Proxy Specify the IP address for the Web or FTP proxy.
Port Optionally, specify the port for the Web or FTP proxy. The default port is 1080.
Enable Authentication Optionally, select to require user credentials for use with Web or FTP proxy traffic.
Specify the following settings to authenticate the users:
• User Name - Specify a username.
• Password - Specify a password.
• Authentication Type - Select an authentication method from the drop-down list:
– Basic - Authenticates user credentials by requesting a valid username and password. This is the default setting.
– NTLM - Authenticates user credentials based on an authentication challenge and response.
– Digest - Provides the same functionality as Basic authentication; however, Digest authentication improves security because the system sends the user credentials across the network as a Message Digest 5 (MD5) hash.
3. Click Apply to apply your changes to the running configuration.
The proxy settings do not affect cloud connections originating from the AltaVault.

Modifying management interfaces

You can view and modify settings for the appliance interfaces in the Management Interfaces page. Use the following groups of controls on this page only if you require modifications or additional configuration:
Primary Interface - The primary interface is the interface used to manage the device. It is the interface utilized to get to the Management Console and command-line interface (CLI). This is also the default port used for replication if no other interface is set up for replication traffic as described in “Configuring bandwidth limits” on page 36.
Main IPv4 Routing Table - Displays a summary of the main routing table for the appliance. You can add static routes that might be required for some subnets.
To display and modify the configuration for management interfaces
1. Choose Configure > Management Interfaces.
2. Under Primary Interface, complete the configuration as described in this table.
Control Description
Enable Primary Interface Enables a primary interface for the AltaVault.
If only one interface is set up, both appliance management and replication traffic will traverse it.
Obtain IPv4 Address Automatically Automatically obtain an IPv4 address from a DHCP server.
• Enable IPv4 Dynamic DNS - Select this option to enable IPv4 dynamic DNS on the primary interface.
Specify IPv4 Address Manually Specify this option to set a static IP address.
• IPv4 Address - Specify an IPv4 address.
• IPv4 Subnet Mask - Specify an IPv4 subnet mask.
• Default IPv4 Gateway - Specify the default primary gateway IPv4 address. The primary gateway must be in the same network as the primary interface.
MTU Specify the Maximum Transmission Unit (MTU) value. The default value is 1500.
3. Click Apply to apply your changes to the running configuration.
To modify main IPv4 routing table
1. Choose Configure > Management Interfaces.
2. Under Main IPv4 Routing Table, complete the configuration as described in the following table.
Control Description
Add a New Route Displays the controls for adding a new route.
Destination IPv4 Address Specify the destination IPv4 address for the appliance.
IPv4 Subnet Mask Specify the IPv4 subnet mask.
Gateway IPv4 Address Specify the IPv4 address for the gateway.
Interface Select the interface from the drop-down list.
Add Adds the route to the table list.
Remove Selected Select the check box next to the name and click Remove Selected.
3. Click Apply.
You can verify whether changes have had the desired effect by reviewing related reports.

Modifying data interfaces

You can view and modify settings for the data interfaces in the Configure > Data Interfaces page.
To display and modify the configuration for data interfaces
1. Choose Configure > Data Interfaces.
2. Under Physical Interface, click the arrow next to the name of the interface and complete the configuration as described in this table.
Control Description
Enable Data Interface Select the check box to enable the data interface and specify the following settings:
• IPv4 Address - Specify an IPv4 address.
• IPv4 Subnet Mask - Specify a subnet mask.
• IPv4 Gateway - Specify the gateway IP address.
• MTU - Specify the MTU value. The default value is 1500.
If a physical interface is a member of a virtual interface, it is owned by the virtual interface and you can only enable it by editing the virtual interface.
3. Under Routing Table for <physical interface>, you can configure static routes if your network requires them.
You can add or remove routes from the table as described in the following table.
Control Description
Add a New Route Displays the controls for adding a new route.
Destination IP Address Specify the destination IP address for the appliance.
Subnet Mask Specify the subnet mask.
Gateway IP Address Specify the IP address for the gateway.
Add Adds the route to the table list.
Remove Selected Select the check box next to the name and click Remove Selected.
4. Under Virtual Interface, click the arrow next to the name of the interface to enable and configure the VIF networking configuration. Create virtual interfaces from the Configure > VIFs page.
Control Description
Virtual Interface Displays the controls to add a virtual network interface.
IP Configuration Displays the IP address of the network interface.
Enabled Displays the state of the interface.
Members Specify a comma-separated list of the data interfaces that are members of this VIF.
Enable Data Interface Select this check box to enable the data interface and specify the following settings:
• IPv4 Address - Specify an IPv4 address.
• IPv4 Subnet Mask - Specify a subnet mask.
• IPv4 Gateway - Specify the gateway IP address.
• MTU - Specify the MTU value. The default value is 1500.
5. Under VLAN Interface, click the arrow next to the name of the interface to complete the configuration. Create virtual interfaces from the Configure > VLANs page.
Control Description
IP Configuration Displays the IP address of the network interface.
Enabled Displays the state of the interface.
Enable Interface Select the check box to enable the data interface and specify the following settings:
• IPv4 Address - Specify an IPv4 address.
• IPv4 Subnet Mask - Specify a subnet mask.
• IPv4 Gateway - Specify the gateway IP address.
• MTU - Specify the MTU value. The default value is 1500.
If an interface is a member of a virtual interface, you can only enable it by editing the virtual interface.
6. Under Routing Table for <VLAN interface>, you can configure static routes if your network requires them.
You can add or remove routes from the table as described in the following table.
Control Description
Add a New Route Displays the controls for adding a new route.
Destination IP Address Specify the destination IP address for the appliance.
Subnet Mask Specify the subnet mask.
Gateway IP Address Specify the IP address for the gateway. The gateway must be in the same network as the network interface you are configuring.
Add Adds the route to the table list.
Remove Selected Select the check box next to the name and click Remove Selected.
7. Click Apply to save your changes.

Modifying virtual interfaces (VIFs)

You can view, add and modify virtual interfaces (VIFs) in the Configure > VIFs page. A VIF is a logical bonded interface created by aggregating multiple physical interfaces.
To display, add, and modify the VIF configuration
1. Choose Configure > VIFs.
2. Click Add a Virtual Interface and complete the configuration as described in this table.
Control Description
Enable VIF Enables VIF feature.
Virtual Interface Name Specify a name for the virtual interface.
Member Interfaces Specify a comma-separated list of the data interfaces that are members of this VIF.
Mode Select one of the following modes:
802.3ad - Enables IEEE 802.3ad Dynamic Link Aggregation. This mode enables you to bundle or aggregate multiple physical interfaces into a single VIF and enables load balancing between the interfaces.
Transmit/Receive Load Balance - Provides both transmit and receive load balancing.
Transmit Load Balance - Provides adaptive-transmit load balancing. The AltaVault distributes the outgoing traffic based on the current load on each member interface. One of the member interfaces of the VIF receives the incoming traffic.
Monitoring interval Specifies the Media Independent Interface (MII) link monitoring frequency in milliseconds. This determines how often the link state of each slave is inspected for link failures. A value of zero disables MII link monitoring. A value of 50 is a good starting point.
Add Adds the VIF to your configuration.
Remove Selected Select the check box next to the existing VIF to remove, and click Remove Selected.
3. Choose Maintenance > Service and click Restart for the configuration changes to take effect.

Modifying VLANs

VLAN tagging enables AltaVault to direct network packets to specific virtual local area networks (VLANs) in order to segment data traffic.
To display, add, or modify a VLAN configuration
1. Stop the Storage Optimization Service before adding or removing a VLAN. If needed, choose Maintenance > Service and click Stop to terminate the service.
2. Choose Configure > VLANs.
3. Click Add a VLAN Interface and complete the configuration as described in this table.
Control Description
VLAN ID Specify the VLAN tag identifier. This can be an integer from 2 to 4094.
Interface Type Select from Data Interface or Virtual Interface (VIF).
Data Interfaces Select from the drop-down list.
VIFs Select from the drop-down list.
Add Adds the VLAN interface to your configuration.
Remove Selected Select the check box next to the name and click Remove Selected.
Note: A restart of AltaVault is required before performing any further networking changes.
4. Choose Maintenance > Service and click Start for the changes to take effect.

CHAPTER 6 Configuring system administrator settings

This chapter includes the following sections:
“Setting announcements”
“Configuring alarm settings”
“Configuring date and time”
“Configuring SNMP basic settings”
“Configuring email settings”
“Configuring log settings”

Setting announcements

You can create or modify a login message to be displayed in the Management Console Login page. You can also post a message of the day that appears in the Home page and when you first log in to the CLI.
To set an announcement
1. Choose Configure > Announcements.
2. Use the controls to complete the configuration as described in this table.
Control Description
Login Message Type a message in the text box to appear on the Login page.
MOTD Type a message in the text box to appear on the Home page as the message of the day.
3. Click Apply to view the message before saving.

Configuring alarm settings

You can set alarms in the Configure > Alarms page.
Enabling alarms is optional.
AltaVault uses hierarchical alarms. The system groups certain alarms into top-level categories, such as the SSL Settings alarm. When an alarm triggers, its parent expands to provide more information. As an example, the Disk Full top-level parent alarm aggregates over multiple partitions. If a specific partition is full, the Disk Full parent alarm triggers, and the System Status report displays more information regarding which partition caused the alarm to trigger.
Disabling a parent alarm disables its children. You can enable a parent alarm and disable any of its child alarms. You cannot enable a child alarm without first enabling its parent.
The child alarm of a disabled parent appears on the System Status report with a suppressed status. A disabled child alarm of an enabled parent appears on the System Status report with a disabled status.
To set alarm parameters
1. Choose Configure > Alarms.
2. Under Enable Alarms, complete the configuration as described in this table.
Alarm Description
Admission Control Enables an alarm if the AltaVault reaches the maximum number of connections that can be made to the AltaVault.
By default, this alarm is enabled.
Cloud Bucket Consistency Enables an alarm if there is data in the cloud, but the AltaVault data store is empty. To clear this alarm, enable replication and recovery to ensure that the cloud storage is synchronized with the data store.
This alarm occurs when you perform disaster recovery without specifying the correct parameters.
Cloud Bucket Disparity Enables an alarm when the cloud bucket that the AltaVault is trying to connect to is being used by another AltaVault appliance. This alarm prevents corruption of the files in the cloud.
Cloud Bucket Over Capacity Enables an alarm when the cloud bucket that the AltaVault connects to has exceeded the licensed cloud capacity.
CPU Utilization Enables an alarm if the average and peak thresholds for the CPU utilization are exceeded. When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold.
If the CPU utilization alarm triggers when the AltaVault is under a heavy load, you can ignore it.
By default, this alarm is enabled.
Rising Threshold - Specify the rising threshold. When an alarm reaches the rising threshold, it is activated. The default value is 95%.
Reset Threshold - Specify the reset threshold. When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. The default value is 70%.
Data Integrity Error Enables an alarm when inconsistency in the data stored on the disk is detected.
Datastore Eviction Indicates that the system has detected an issue with datastore eviction.
The alarm triggers when the appliance starts evicting data from the local disk cache and the age of the evicted data is relatively young. If disk space runs low, the appliance starts evicting cached data that has not been used recently, keeping only the most recent data.
The AltaVault keeps statistics about how old the evicted data is (this is the average evicted age). Usually, only old data is evicted. However, the appliance might be experiencing a large workload where more recent data needs to be evicted from the appliance to make space for incoming data. This causes the average evicted age to decrease, and when it goes below a certain threshold, the average evicted age alarm triggers. This alarm is an anomalous event, signaling that the appliance is handling a much larger workload than expected.
This alarm is useful in detecting whether the appliance is undersized relative to your normal workload. If the alarm is constantly triggered, then you should consider increasing AltaVault’s disk cache.
Datastore Low Space Indicates that the local data store is running out of space and the eviction process on the AltaVault is unable to run at a sufficient pace to create space on the disk cache.
This alarm might also trigger when replication is too slow.
View the Eviction Optimization report (choose Reports > Eviction) to determine how much disk cache is available.
Disk Full Enables an alarm if the system partitions (not the AltaVault data store) are full or almost full. For example, AltaVault monitors the available space used to hold logs, statistics, system dumps, and TCP dumps.
By default, this alarm is enabled.
This alarm monitors the following system partitions:
• /boot Full
• /bootmgr Full
• /config Full
• /tmp Full
• /var Full
Hardware Fan Error - Enables an alarm when an appliance fan error is detected (the fan is either missing or running at a low speed).
Battery Backup Unit - Enables an alarm when battery backup unit is detected.
IPMI - Indicates that there has been a physical security intrusion, triggering an Intelligent Platform Management Interface (IPMI) error. The following events trigger the IPMI alarm:
• Chassis intrusion (physical opening and closing of the appliance case)
• Memory errors (ECC memory errors that can or cannot be corrected)
• Hard drive faults or predictive failures
• Power supply status or predictive failures
The option to reset the alarm appears only after the service triggers the IPMI alarm. To reset the alarm, click Clear the IPMI alarm now.
Memory Error - Enables an alarm when there is a memory error in one or more memory modules. Unplug the power cords from the power supply and try reseating the memory.
Power Supply - Enables an alarm when an inserted power supply cord does not have power, as opposed to a power supply slot with no power supply cord inserted. By default, this alarm is enabled.
RAID - Indicates that the system has encountered RAID errors.
For drive rebuilds, if a drive is removed and then reinserted, the alarm continues to be triggered until the rebuild is complete.
Important: Rebuilding a disk drive can take 12 hours or longer.
By default, this alarm is enabled.
You can enable or disable the alarm for a specific RAID disk. To enable or disable an alarm, choose Settings > Alarms and select or clear the check box next to the RAID disk name. This alarm monitors and displays the status of the RAID disks.
RAID Integrity Check - Enables an alarm when RAID integrity check is needed.
Shelf Power Supply - Enables an alarm when shelf power supply is needed.
Inconsistent Cloud Connectivity Enables an alarm when the connection to the cloud provider is inconsistent.
Inconsistent Cloud Data Enables an alarm when inconsistency in the data stored in the cloud is detected.
Licensing Enables an alarm and sends an email notification if a license on the AltaVault is removed, is about to expire, has expired, or is invalid.
The licenses expiring and licenses expired alarms are triggered per feature. For example, if you install two license keys for a feature, AVA-FOO-xxx (expired) and AVA-FOO-yyy (not expired), the alarms do not trigger, because the feature has one valid license.
By default, this alarm is enabled.
Link Duplex Enables an alarm and sends an email notification when an interface is not configured for half-duplex negotiation but has negotiated half-duplex mode. Half-duplex significantly limits the optimization service results.
The alarm displays which interface is triggering the duplex alarm.
By default, this alarm is enabled.
Link I/O Errors Enables an alarm and sends an email notification when the link error rate exceeds 0.1% while either sending or receiving packets. The alarm clears when the rate drops below 0.05%.
You can change the default alarm thresholds by entering the alarm link_errors err-threshold xxxxx CLI command at the system prompt. For details, see the NetApp AltaVault Cloud Integrated Storage Command-Line Interface Reference Guide.
By default, this alarm is enabled.
You can enable or disable the alarm for a specific interface. For example, you can disable the alarm for a link where you have decided to tolerate the errors. To enable or disable an alarm, choose Settings > Alarms and select or clear the check box next to one or more of the link names.
Link State Enables an alarm and sends an email notification if an Ethernet link is lost.
By default, this alarm is disabled.
You can enable or disable the alarm for a specific interface. To enable or disable an alarm, choose Settings > Alarms and select or clear the check box next to one or more link names.
Low Memory Enables an alarm when there is not enough memory in the system to start the Storage Optimization Service.
Max inodes limit Enables an alarm when the maximum number of files that can be stored has been reached.
Max Pinnable Limit Enables an alarm when the share has reached the maximum pinnable limit. If you configure a share to be pinned, it always has data available locally in the AltaVault; data need not be fetched from the cloud.
Memory Paging Enables an alarm when the system has reached the memory paging threshold. If the AltaVault is exceeding 100 pages swapped approximately every two hours, then reboot the AltaVault from the Maintenance > Reboot/Shutdown page to clear this alarm.
If the memory paging alarm triggers when the AltaVault is under a heavy load, you can ignore it.
Metadata Space Full Enables an alarm when the data reserved for storing system metadata has filled up, leading to reduced deduplication.
Process Dump Creation Error Enables an alarm and sends an email notification if the system detects an error while trying to create a process dump. When the alarm is raised, the directory is blacklisted.
By default, this alarm is enabled.
Secure Vault Enables an alarm and sends an email notification if the system encounters a problem with the secure vault:
• Secure Vault Locked - Indicates that the secure vault is locked. To optimize SSL connections or to use data store encryption, the secure vault must be unlocked. Go to Configure > Secure Vault and unlock the secure vault.
SMB Enables an alarm when AltaVault detects the Domain Controller is not reachable.
• Domain Controller Network Status - Indicates the Domain Controller is unreachable. The alarm is cleared when network connectivity to the Domain Controller is restored. If the alarm is not cleared after the network connectivity is restored, you can clear the alarm manually using the alarm smb_alarms clear command.
Software update available Enables an alarm when a new version of the software is available.
Shelf Error Shelf Missing - This alarm is applicable only to the AltaVault models. The AltaVault Expansion Shelf is missing or cannot be accessed.
Shelf <shelf name>
• Shelf Inconsistent - The AltaVault Expansion Shelf is not consistent with the stored configuration.
• Shelf Not Empty - You have added a new AltaVault Expansion Shelf that is not empty. A new AltaVault Expansion Shelf must be empty before you add it to AltaVault appliance.
• Shelf Not Valid - The AltaVault Expansion Shelf is not a valid shelf. For details, choose Reports > Storage RAID Groups and click the serial number of the shelf.
Storage Optimization Service
• Storage Optimization Service Down - Enables an alarm and sends an email notification if the Storage Optimization Service encounters a service condition. By default, this alarm is enabled. The message indicates the reason for the condition. The following conditions trigger this alarm:
– Configuration errors: examples include no encryption key set, incorrect appliance time, or incorrect cloud credentials.
– An AltaVault appliance reboot, for example, during an appliance software update.
– A system crash due to a power failure.
– A Storage Optimization Service restart due to a cloud storage provider change.
– A user enters the CLI command no service enable or shuts down the Storage Optimization Service from the Management Console.
– A user restarts the optimization service from either the Management Console or CLI.
• Storage Optimization Service Error - Enables an alarm and sends an email notification if the Storage Optimization Service encounters a condition that might degrade optimization performance. By default, this alarm is enabled. Go to the Maintenance > Service page and restart the optimization service.
Storage Optimization Service Replication
• Replication Error - Enables an alarm when the replication to the cloud encounters an error. Displays an error message that indicates the type of error, such as a file that cannot be replicated to the cloud.
• Replication Paused - Enables an alarm when the replication to the cloud pauses, because there is a cloud connection error, or you entered the CLI command no replication enable, or because you are using replication scheduling (nonbandwidth limit type). This alarm warns you that the AltaVault is not replicating data in the cloud.
By default, this alarm is enabled.
System Reserved Space Full Indicates that the space used for internal data structures is full. De-duplication performance is impacted while the appliance is in this state.
Temperature
• Critical Temperature - Enables an alarm and sends an email notification if the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the critical alarm is cleared. The default value for the rising threshold temperature is 80º C; the default reset threshold temperature is 67º C.
• Warning Temperature - Enables an alarm and sends an email notification if the CPU temperature approaches the rising threshold. When the CPU returns to the reset threshold, the warning alarm is cleared.
• Rising Threshold - Specifies the rising threshold. The alarm activates when the temperature exceeds the rising threshold. The default value is 80º C.
• Reset Threshold - Specifies the reset threshold. The alarm clears when the temperature falls below the reset threshold. The default is 67º C.
After the alarm triggers, it cannot trigger again until after the temperature falls below the reset threshold and then exceeds the rising threshold again.
Upgrade Status Indicates the status of the upgrade. By default, this alarm is enabled.
3. Click Apply to apply your changes to the running configuration.
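The rising/reset threshold behavior described for the CPU Utilization, Link I/O Errors, and Temperature alarms is a hysteresis loop. The following added example (not AltaVault code) models it with the default values from the table and compares it with a single-threshold alarm on constructed sample data; the class and function names are illustrative, and treating a value equal to a threshold as crossing it is an assumption.

```python
from dataclasses import dataclass, field

# Default thresholds quoted in the alarm table: (rising, reset).
DEFAULTS = {
    "CPU Utilization (%)": (95.0, 70.0),
    "Link I/O Errors (%)": (0.1, 0.05),
    "Critical Temperature (C)": (80.0, 67.0),
}


@dataclass
class HysteresisAlarm:
    """Alarm that triggers at the rising threshold and clears at the reset threshold."""
    name: str
    rising: float
    reset: float
    active: bool = False
    events: list = field(default_factory=list)

    def __post_init__(self):
        if self.reset >= self.rising:
            raise ValueError("reset threshold must be below the rising threshold")

    def observe(self, t, value):
        """Feed one sample; record a state change only when a threshold is crossed."""
        if not self.active and value >= self.rising:
            self.active = True
            self.events.append((t, "TRIGGER", value))
        elif self.active and value <= self.reset:
            self.active = False
            self.events.append((t, "CLEAR", value))
        # Between reset and rising the previous state is kept (no re-trigger).
        return self.active


def run(alarm, samples):
    """Replay a series of samples and return the recorded (index, event, value) list."""
    for t, value in enumerate(samples):
        alarm.observe(t, value)
    return alarm.events


def single_threshold_triggers(samples, threshold):
    """Trigger count if the alarm cleared as soon as the value dipped under one threshold."""
    count, active = 0, False
    for value in samples:
        if value >= threshold and not active:
            count += 1
        active = value >= threshold
    return count


# Constructed CPU utilization samples that hover around the rising threshold.
CPU_SAMPLES = [60, 96, 93, 97, 90, 96, 72, 95, 69, 80, 97]
# Constructed link error rates (percent of packets).
LINK_SAMPLES = [0.01, 0.12, 0.08, 0.06, 0.04, 0.02]

if __name__ == "__main__":
    rising, reset = DEFAULTS["CPU Utilization (%)"]
    for event in run(HysteresisAlarm("CPU Utilization", rising, reset), CPU_SAMPLES):
        print(event)
    print("single-threshold triggers:", single_threshold_triggers(CPU_SAMPLES, rising))
```

On the constructed CPU series the hysteresis alarm raises two notifications where a single 95% threshold would raise five, which is the reason to keep a wide gap between the two values when tuning them.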

Configuring date and time

You set the system date and time in the Configure > Date and Time page.
You can either set the system date and time by entering it manually, or by assigning an NTP server to the AltaVault. By default, the appliance uses the NetApp-provided NTP server.
To set the date and time manually
1. Choose Configure > Date and Time.
2. Complete the configuration as described in this table.
Control Description
Time Zone Select a time zone from the drop-down list.
If you change the time zone, log messages retain the previous time zone until you reboot the AltaVault.
Set Time Manually Change Date - Specify the date in this format: YYYY/MM/DD.
Change Time - Specify military time in this format: HH:MM:SS.
3. Click Apply to apply your changes to the running configuration.
To use Network Time Protocol (NTP) time synchronization
1. Choose Configure > Date and Time.
2. Under Date and Time, select Use NTP Time Synchronization.
3. As a best practice, configure your own internal NTP servers.

Current NTP status

Brief status information appears just below the Use NTP Time Synchronization button. The label Current NTP server is followed by either a server name or nothing if no NTP server is active.
This information appears after an NTP server name:
Authentication information; “unauthenticated” appears after the server name when it is not using authentication.
When the system has no NTP information about the current server, nothing appears.
When you configure an NTP server pool, the current NTP server that appears after the label Current NTP server never matches the hostname of the server pool.

NTP MD5-based authentication

NTP authentication verifies the identity of the NTP server sending timing information to the AltaVault. The system supports MD5-based Message-Digest Algorithm symmetric keys for NTP authentication. MD5 is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value.
NTP authentication is optional.
Configuring NTP authentication involves these steps that you can perform in any order:
Configure a key ID and a secret pair.
Configure the NTP server with the key ID.

NTP servers

NetApp recommends synchronizing the AltaVault to an NTP server of your choice.
To add an NTP server
1. Choose Configure > Date and Time.
2. Under Requested NTP Servers, complete the configuration as described in this table.
Control Description
Add a New NTP Server Displays the controls to add a server.
Hostname or IP Address Specify the hostname or IP address for the NTP server.
Version Select the NTP server version from the drop-down list: 3 or 4.
Enabled/Disabled Select Enabled from the drop-down list to connect to the NTP server. Select Disabled from the drop-down list to disconnect from the NTP server.
Key ID Specify the MD5 key identifier to use to authenticate the NTP server. The valid range is 1 to 65534. The key ID must appear on the trusted keys list.
Add Adds the NTP server to the server list.
Remove Selected Select the check box next to the name and click Remove Selected.
NTP authentication keys
NTP authentication uses a key and a shared secret to verify the identity of the NTP server sending timing information to the AltaVault. The system encrypts the shared secret text using MD5, and uses the authentication key to access the secret.
To add an NTP authentication key
1. Choose Configure > Date and Time.
2. Under NTP Authentication Keys, complete the configuration as described in this table.
Control Description
Add a New NTP Authentication Key Displays the controls to add an authentication key to the key list. Both trusted and untrusted keys appear on the list.
Key ID Optionally, specify the secret MD5 key identifier for the NTP server. The valid range is 1 to 65534.
Key Type Select MD5 or SHA1 option.
Secret (Text) Specify the shared secret. You must configure the same shared secret for both the NTP server and the NTP client to use MD5-based cryptography.
The shared secret:
• is limited to 16 characters or fewer
• cannot include white space or #s
• cannot be empty
• is case sensitive
The secret appears in the key list as its MD5 hash value.
Add Adds the authentication key to the trusted keys list.
Remove Selected Select the check box next to the name and click Remove Selected.
NTP key information
NTP keys appear in a list that includes the key ID, type, secret (displays as the MD5 hash value), and whether the system trusts the key for authentication.
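How a client checks a symmetric-key NTP reply against its trusted keys list, as an added example that is not NetApp code. The MAC layout (4-byte key ID followed by the digest of the secret concatenated with the 48-byte header) follows RFC 5905; the key table, function names and sample header are constructed for illustration, and validate_key applies the key ID range and shared-secret rules from the tables above.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                      # fixed NTP header, no extension fields
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}   # the two key types offered

# Constructed sample: LI=0, VN=4, mode=4 (server), stratum 2, rest zeroed.
SAMPLE_HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)


def validate_key(key_id, secret):
    """Return the rule violations for a key ID / shared secret pair."""
    problems = []
    if not 1 <= key_id <= 65534:
        problems.append("key ID outside 1 to 65534")
    if secret == "":
        problems.append("secret is empty")
    if len(secret) > 16:
        problems.append("secret longer than 16 characters")
    if any(ch.isspace() for ch in secret) or "#" in secret:
        problems.append("secret contains white space or #")
    return problems


def compute_digest(key_type, secret, header):
    """digest = H(secret || header), with H chosen by the key type."""
    return DIGESTS[key_type](secret.encode("ascii") + header).digest()


def sign(header, key_id, key_type, secret):
    """Build what an authenticating server sends: header, key ID, digest."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + compute_digest(key_type, secret, header)


def verify(packet, trusted_keys):
    """Classify a received packet.

    trusted_keys maps key ID -> (key type, secret). Returns 'authenticated',
    'unauthenticated' (no MAC present) or a rejection reason.
    """
    if len(packet) == NTP_HEADER_LEN:
        return "unauthenticated"
    if len(packet) < NTP_HEADER_LEN + 4:
        return "rejected: truncated"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    received = packet[NTP_HEADER_LEN + 4:]
    entry = trusted_keys.get(key_id)
    if entry is None:
        return "rejected: key ID not on trusted list"
    key_type, secret = entry
    expected = compute_digest(key_type, secret, header)
    # Constant-time comparison; a length mismatch also fails here.
    if not hmac.compare_digest(expected, received):
        return "rejected: digest mismatch"
    return "authenticated"


def demo():
    """Run the constructed cases and return the verdicts in order."""
    keys = {10: ("MD5", "Sync-Key_2017"), 20: ("SHA1", "Other-Key_2017")}
    good = sign(SAMPLE_HEADER, 10, "MD5", "Sync-Key_2017")
    tampered = bytearray(good)
    tampered[40] ^= 0x01                 # one bit changed in the transmit timestamp
    return [
        verify(good, keys),
        verify(bytes(tampered), keys),
        verify(sign(SAMPLE_HEADER, 10, "MD5", "sync-key_2017"), keys),  # wrong case
        verify(sign(SAMPLE_HEADER, 11, "MD5", "Sync-Key_2017"), keys),  # unknown ID
        verify(sign(SAMPLE_HEADER, 20, "SHA1", "Other-Key_2017"), keys),
        verify(SAMPLE_HEADER, keys),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third case fails only because the secret differs in letter case, which is why the same text must be entered on both the server and the client.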

Configuring SNMP basic settings

You configure Simple Network Management Protocol (SNMP) contact and trap receiver settings to enable event reporting to an SNMP entity in the Configure > SNMP Basic page.
Traps are messages sent by an SNMP entity that indicate the occurrence of an event. The default system configuration does not include SNMP traps.
AltaVault supports the following SNMP Basic settings:
SNMP Version 1
SNMP Version 2c
SNMP Version 3, which provides authentication through the User-based Security Model (USM)
View-Based Access Control Mechanism (VACM), which provides richer access control
Enterprise Management Information Base (MIB)
ACLs (Access Control Lists) for users (v1 and v2c only)
To set general SNMP basic parameters
1. Choose Configure > SNMP Basic.
2. Under SNMP Server Settings, complete the configuration as described in this table.
Control Description
Enable SNMP Traps Enables event reporting to an SNMP entity.
System Contact Specify the username for the SNMP contact.
System Location Specify the physical location of the SNMP system.
Read-Only Community String Specify a password-like string to identify the read-only community. For example, public. This community string overrides any VACM settings.
Community strings do not allow non-printable 7-bit ASCII characters, except for spaces. Also, the community strings cannot begin with '#' and '-'.
3. Click Apply to apply your changes to the running configuration.
To add or remove a trap receiver
1. Under Trap Receivers, complete the configuration as described in this table.
Control Description
Add a New Trap Receiver Displays the controls to add a new trap receiver.
Receiver Specify the destination IP address or hostname for the SNMP trap.
Destination Port Specify the destination port.
Receiver Type Select SNMP version v1, v2c, or v3 (user-based security model).
Note: SNMP v1 and v2c are less secure, v3 is recommended.
Remote User (Appears only when you select v3). Specify a remote username.
Authentication (Appears only when you select v3). Optionally, select either Supply a Password or Supply a Key to use while authenticating users.
Authentication Protocol (Appears only when you select v3). Select an authentication method from the drop-down list:
• MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.
• SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Password/Password Confirm (Appears only when you select v3 and Supply a Password). Specify a password. The password must have a minimum of eight characters. Confirm the password in the Password Confirm text box.
Security Level (Appears only when you select v3). Determines whether a single atomic message exchange is authenticated. Select one of the following settings from the drop-down list:
• No Auth - Does not authenticate packets and does not use privacy. This is the default setting.
• Auth - Authenticates packets but does not use privacy.
• AuthPriv - Authenticates packets using AES 128 and DES to encrypt messages for privacy.
A security level applies to a group, not to an individual user.
Community For v1 or v2 trap receivers, specify the SNMP community name. For example, public or private. v3 trap receivers need a remote user with an authentication protocol, a password, and a security level.
Enable Receiver Select to enable the new trap receiver. Clear to disable the receiver.
Add Adds a new trap receiver to the list.
Remove Selected Select the check box next to the name and click Remove Selected.
After an upgrade, all previous traps and community strings remain intact and visible.
To test an SNMP trap
1. Choose Configure > SNMP Basic.
2. Under SNMP Trap Test, click Run.

Configuring SNMP v3

SNMP v3 provides additional authentication and access control for message security. For example, you can verify the identity of the SNMP entity (manager or agent) sending the message.
Using SNMP v3 is more secure than SNMP v1 or v2; however, it requires more configuration steps to provide the additional security features.
Basic steps
1. Create the SNMP-server users. Users can be authenticated using either a password or a key.
2. Configure SNMP-server views to define which parts of the SNMP MIB tree are visible.
3. Configure SNMP-server groups, which map users to views, allowing you to control who can view what SNMP information.
4. Configure the SNMP-server access policies that contain a set of rules defining access rights. Based on these rules, the entity decides how to process a given request.
To create users for SNMP v3
1. Choose Configure > SNMP v3.
2. Under Users, complete the configuration as described in this table.
Control Description
Add a New User Displays the controls to add a new user.
User Name Specify the username.
Authentication Protocol Select an authentication method from the drop-down list:
• MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.
• SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Authentication Optionally, select either Supply a Password or Supply a Key to use while authenticating users.
Password/Password Confirm Specify a password. The password must have a minimum of eight characters. Confirm the password in the Password Confirm text box.
The password cannot be “password.”
MD5 Key (Appears only when you select Supply A Key). Specify a unique authentication key. The key is an MD5 or SHA-1 digest created using md5sum or sha1sum.
Privacy MD5/SHA Key (Appears only when you select v3 and Privacy as Supply a Key). Specify the privacy authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Use Privacy Option Privacy Protocol - Select the privacy protocol from the drop-down list. Choose AES or DES.
Privacy - Select the privacy option from the drop-down list. Choose Same as Authentication, Supply a Password, or Supply a Key.
Add Adds the user.
Remove Selected Select the check box next to the name and click Remove Selected.
3. Click Apply to apply your changes to the running configuration.

SNMP authentication and access control

The features on this page apply to SNMP v1, v2c, and v3 unless noted otherwise:
Security Names - Identify an individual user (v1 or v2c only).
Secure Groups - Identify a security-name and security model by a group, referred to by a group-name.
Secure Views - Create a custom view using the View-based Access Control Model (VACM) that controls who can access which MIB objects under agent management by including or excluding specific Object Identifiers (OIDs). For example, some users have access to critical read-write control data, while some users have access only to read-only data.
Security Models - A security model identifies the SNMP version associated with a user for the group in which the user resides.
Secure Access Policies - Define who gets access to which type of information. An access policy contains <group-name, security-model, security-level, read-view-name>:
read-view-name is a preconfigured view that applies to read requests by this security-name.
write-view-name is a preconfigured view that applies to write requests by this security-name.
notify-view-name is a preconfigured view that applies to write requests to this security-name.
An access policy is the configurable set of rules, based on which the entity decides how to process a given request.
To set secure usernames
1. Choose Configure > SNMP ACLs.
2. Under Security Names, complete the configuration as described in this table.
Control Description
Add a New Security Name Displays the controls to add a security name.
Security Name Specify a name to identify a requestor allowed to issue gets and sets (v1 and v2c only). The specified requestor can make changes to the view-based access-control model (VACM) security name configuration.
Community strings do not allow printable 7-bit ASCII characters, except for spaces.
Also, community strings cannot begin with '#' or '-' (hash or hyphen).
This control does not apply to SNMPv3 queries. To restrict v3 USM users from polling a particular subnet, use the Management ACL feature.
Traps for v1 and v2c are independent of the security name.
Community String Specify the password-like community string to control access using a combination of uppercase, lowercase, and numerical characters to reduce the chance of unauthorized access to the AltaVault.
Community strings do not allow printable 7-bit ASCII characters, except for spaces. Also, the community strings cannot begin with '#' and '-'.
If you specify a read-only community string (located in the SNMP Basic page under SNMP Server Settings), it takes precedence over this community name and allows users to access the entire MIB tree from any source host. If this is not desired, delete the read-only community string.
To create multiple SNMP community strings on an AltaVault, leave the default public community string and then create a second read-only community string with a different security name. Or, you can delete the default public string and create two new SNMP access control lists (ACLs) with unique names.
Source IP Address and Mask Bits Specify the host IP address and mask bits to which you permit access using the security name and community string.
Add Adds the security name.
Remove Selected Select the check box next to the name and click Remove Selected.
3. Click Apply to apply your changes to the running configuration.
To set secure groups
1. Choose Configure > SNMP ACLs.
2. Under Groups, complete the configuration as described in this table.
Control Description
Add a New Group Displays the controls to add a new group.
Group Name Specify a group name.
Security Model and Name Pairs Click the + button and select a security model from the drop-down list:
• v1 or v2c - displays another drop-down list; select a security name.
• v3 (usm) - displays another drop-down list; select a user.
To add another Security Model and Name pair, click the plus sign (+).
Add Adds the group name and security model and name pairs.
Remove Selected Select the check box next to the name and click Remove Selected.
3. Click Apply to apply your changes to the running configuration.
To set secure views
1. Choose Configure > SNMP ACLs.
2. Under Views, complete the configuration as described in this table.
Control Description
Add a New View Displays the controls to add a new view.
View Name Specify a descriptive view name to facilitate administration.
Includes Specify the object identifiers (OIDs) to include in the view, separated by commas. For example, .1.3.6.1.4.1. By default, the view excludes all OIDs.
You can specify .iso or any subtree or subtree branch.
You can specify an OID number or use its string form. For example, .iso.org.dod.internet.private.enterprises.xxx.products.AltaVault.system.model
Excludes Specify the OIDs to exclude in the view, separated by commas. By default, the view excludes all OIDs.
Add Adds the view.
Remove Selected Select the check box next to the name and click Remove Selected.
3. Click Apply to apply your changes to the running configuration.
To add an access policy
1. Choose Configure > SNMP ACLs.
2. Under Access Policies, complete the configuration as described in this table.
Control Description
Add a New Access Policy Displays the controls to add a new access policy.
Group Name Select a group name from the drop-down list.
Security Level Determines whether a single atomic message exchange is authenticated. Select one of the following from the drop-down list:
• No Auth - Does not authenticate packets and does not use privacy. This is the default setting.
• Auth - Authenticates packets but does not use privacy.
• AuthPriv - Authenticates packets using AES or DES to encrypt messages for privacy.
A security level applies to a group, not to an individual user.
Read View Select a view from the drop-down list.
Add Adds the policy to the policy list.
Remove Selected Select the check box next to the name and click Remove Selected.
3. Click Apply to apply your changes to the running configuration.
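How the security names, groups, views and access policies configured above combine into one read decision, as an added example that is not NetApp code. It assumes the standard VACM rules of RFC 3415 (the longest matching subtree decides, and a policy applies only when the request meets its security level); the user names, group names, view names and the enterprise subtree 99999 are constructed placeholders, and only numeric OIDs are parsed.

```python
LEVELS = {"No Auth": 0, "Auth": 1, "AuthPriv": 2}


def parse_oids(text):
    """Parse a comma-separated list of numeric OIDs such as '.1.3.6.1.4.1, .1.3.6.1.2.1.1'.

    String forms (.iso.org...) are not handled and raise ValueError.
    """
    oids = []
    for item in text.split(","):
        item = item.strip().strip(".")
        if item:
            oids.append(tuple(int(part) for part in item.split(".")))
    return oids


def in_view(oid, includes, excludes):
    """Return True when oid is visible in a view.

    The longest subtree that is a prefix of oid decides. With no matching
    subtree the OID is excluded, matching the default described above. If the
    same subtree is listed as both included and excluded, exclusion wins
    (a conservative choice made for this example).
    """
    best_len, allowed = -1, False
    rules = [(s, True) for s in includes] + [(s, False) for s in excludes]
    for subtree, verdict in rules:
        if oid[:len(subtree)] != subtree:
            continue
        if len(subtree) > best_len or (len(subtree) == best_len and not verdict):
            best_len, allowed = len(subtree), verdict
    return allowed


def may_read(model, name, level, oid, groups, policies, views):
    """Decide a read request from (security model, name) at a given security level."""
    group = groups.get((model, name))
    if group is None:
        return False                      # requester is in no group
    usable = [p for p in policies
              if p["group"] == group and LEVELS[p["level"]] <= LEVELS[level]]
    if not usable:
        return False                      # request is below every policy's level
    policy = max(usable, key=lambda p: LEVELS[p["level"]])
    view = views.get(policy["read_view"])
    if view is None:
        return False
    return in_view(oid, view["includes"], view["excludes"])


# Constructed configuration mirroring the four tables on this page.
VIEWS = {
    "appliance": {
        "includes": parse_oids(".1.3.6.1.4.1, .1.3.6.1.2.1.1"),
        "excludes": parse_oids(".1.3.6.1.4.1.99999.7"),
    },
    "system-only": {"includes": parse_oids(".1.3.6.1.2.1.1"), "excludes": []},
}
GROUPS = {
    ("v3 (usm)", "nms-ops"): "operators",
    ("v2c", "legacy-poller"): "legacy",
}
POLICIES = [
    {"group": "operators", "level": "AuthPriv", "read_view": "appliance"},
    {"group": "legacy", "level": "No Auth", "read_view": "system-only"},
]

if __name__ == "__main__":
    enterprise_oid = (1, 3, 6, 1, 4, 1, 99999, 1, 0)
    for level in ("AuthPriv", "Auth"):
        ok = may_read("v3 (usm)", "nms-ops", level, enterprise_oid,
                      GROUPS, POLICIES, VIEWS)
        print("nms-ops at", level, "->", "allowed" if ok else "denied")
```

A read-only community string set on the SNMP Basic page is outside this model: as stated earlier, it overrides any VACM settings.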

Configuring email settings

You can set email notification parameters for events and failures in the Configure > Email page.
By default, email addresses are not specified for event and failure notification.
To set event and failure email notification
1. Choose Configure > Email.
2. Under Email Notification, complete the configuration as described in this table.
Control Description
SMTP Server Specify the SMTP server. You must have external DNS and external access for SMTP traffic for this feature to function.
Make sure you provide a valid SMTP server to ensure that the users you specify receive email notifications for events and failures.
SMTP Port Specify the port number for the SMTP server.
Report Events via Email Specify this option to report events through email. Specify a list of email addresses to receive the notification messages. Separate addresses by spaces, semicolons, commas, or vertical bars.
Report Failures via Email Specify this option to report failures through email. Specify a list of email addresses to receive the notification messages. Separate addresses by spaces, semicolons, commas, or vertical bars.
Override Default Sender’s Address Select this option to configure the SMTP protocol for outgoing server messages for errors or events. Specify a list of email addresses to receive the notification messages. Separate addresses by commas.
You can also configure the outgoing email address sent to the client recipients. The default outgoing address is do-not-reply@hostname.domain. If you do not specify a domain, the default outgoing email is do-not-reply@hostname.
3. Click Apply to apply your changes to the running configuration.

Configuring log settings

You set up local and remote logging in the Configure > Logging page.
By default, the system rotates each log file every 24 hours or when the file size reaches one gigabyte uncompressed. You can change this to rotate every week or month, and you can rotate the files based on file size.
The automatic rotation of system logs deletes your oldest log file, labeled as Archived log #10, pushes the current log to Archived log #1, and starts a new current-day log file.
To set up logging
1. Choose Configure > Logging.
2. To rotate the logs immediately, under Log Actions at the bottom of the page, click Rotate Logs. After the logs are rotated, the following message appears:
logs have been successfully rotated
You can also schedule a log rotation based on time or the amount of disk space the log uses, described next.
3. Under Logging Configuration, complete the configuration as described in this table.
Control Description
Minimum Severity Select the minimum severity level for the system log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list:
• Emergency - Emergency, the system is unusable.
• Alert - Action must be taken immediately.
• Critical - Conditions that affect the functionality of the AltaVault.
• Error - Conditions that probably affect the functionality of the AltaVault.
• Warning - Conditions that could affect the functionality of the AltaVault, such as authentication failures.
• Notice - Normal but significant conditions, such as a configuration change.
• Info - Informational messages that provide general information about system operations. This is the default setting.
This control applies to the system log only. It does not apply to the user log.
Maximum Number of Log Files Specify the maximum number of logs to store. The default value is 10.
Lines Per Log Page Specify the number of lines displayed per page when viewing the logs. The default value is 100.
Rotate Based On Specifies the rotation option:
• Time - Select Day, Week, or Month from the drop-down list. The default setting is Day.
• Disk Space - Specify how much disk space, in megabytes, the log uses before it rotates. The default value is 16 MB.
The log file size is checked at 10-minute intervals. If there is an unusually large amount of logging activity, it is possible for a log file to grow larger than the set disk space limit in that period of time.
4. Click Apply to apply your changes to the running configuration.
To add or remove a log server
1. Under Remote Log Servers, complete the configuration as described in this table.
Control Description
Add a New Log Server Displays the controls for configuring new log servers.
Server IP Specify the server IP address.
Minimum Severity Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list:
• Emergency - Emergency, the system is unusable.
• Alert - Action must be taken immediately.
• Critical - Conditions that affect the functionality of the AltaVault.
• Error - Conditions that probably affect the functionality of the AltaVault.
• Warning - Conditions that could affect the functionality of the AltaVault, such as authentication failures.
• Notice - Normal but significant conditions, such as a configuration change. This is the default setting.
• Info - Informational messages that provide general information about system operations.
Add Adds the server to the list.
Remove Selected Select the check box next to the name and click Remove Selected.
2. Click Apply to apply your changes to the running configuration.

Filtering logs by application or process

You can filter a log by one or more applications or one or more processes. This is particularly useful when capturing data at a lower severity level at which the AltaVault might not be able to sustain the flow of logging data that the service is committing to disk.
Log filters enable you to specify the logging level of individual processes independently.
To filter a log
1. Choose Configure > Logging.
2. Under Per-Process Logging, complete the configuration as described in this table.
Control Description
Add a New Process Logging Filter Displays the controls for adding a process-level logging filter.
Process Select a process to include in the log from the drop-down list:
• alarmd - Alarm Manager.
• cli - Command Line Interface.
• hald - Hardware abstraction daemon, which handles access to the hardware.
• Isiraidd - LSI raid daemon.
• mgmtd - Device control and management, which directs the entire device management system. It handles message passing between various management daemons, managing system configuration and general application of system configuration on the hardware underneath through the hardware abstraction layer daemon (HALD).
• pm - Process Manager, which handles launching of internal system daemons and keeps them running.
• sched - Process Scheduler that handles one-time scheduled events.
• statsd - Statistics Collector that handles the statistics.
• wdt - Watchdog Timer, the motherboard watchdog daemon.
• webasd - Web Application Process, which handles the Web user interface.
Minimum Severity Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list:
• Emergency - Emergency, the system is unusable. This is the default setting.
• Alert - Action must be taken immediately.
• Critical - Conditions that affect the functionality of the AltaVault.
• Error - Conditions that probably affect the functionality of the AltaVault.
• Warning - Conditions that could affect the functionality of the AltaVault, such as authentication failures.
• Notice - Normal but significant conditions, such as a configuration change.
• Info - Informational messages that provide general information about system operations.
Add Adds the filter to the list, after which it logs at the selected severity and higher.
Remove Selected Select the check box next to the name and click Remove Selected to remove the filter.
3. Click Apply to apply your changes to the running configuration.

CHAPTER 7 Configuring security settings

This chapter includes the following sections:
“Configuring general security settings”
“Managing user permissions”
“Configuring management login from Active Directory domain”
“Setting RADIUS servers”
“Configuring TACACS+ access”
“Unlocking the secure vault”
“Configuring Web settings”
“Configuring KMIP”
“Configuring appliance monitoring”
“Configuring a management ACL”
“Configuring SSH Access”

Configuring general security settings

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the Configure > General Settings page.
Make sure to put the authentication methods in the order in which you want authentication to occur. If authorization fails on the first method, the next method is attempted until all of the methods have been attempted.
To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add the following attribute to users on the TACACS+ server:
service = rbt-exec { local-user-name = "monitor" }
Replace monitor with admin for write access.
To set general security settings
1. Choose Configure > General Settings.
2. Under Authentication Methods, complete the configuration as described in this table.
Control Description
Authentication Methods Select an authentication method from the drop-down list. The methods are listed in the order in which they occur. If authorization fails on the first method, the next method is attempted until all of the methods have been attempted.
Note: Prior to selecting the Kerberos/AD Only method, the AltaVault must have joined the AD domain and have created an administrator user account.
For RADIUS/TACACS+, fallback only when servers are unavailable Specifies that the AltaVault uses a RADIUS or TACACS+ server only when all other servers do not respond. Enabled is the default setting.
Authorization Policy Appears only for some Authentication Methods. Optionally, select one of the following policies from the drop-down list:
• Remote First - Checks for an authentication policy on the remote server first and only checks locally if the remote server does not have a policy set.
• Remote Only - Checks only the remote server. This is the default.
• Local Only - Checks only the local server. All remote users are mapped to the user specified. Any vendor attributes received by an authentication server are ignored.
Default User Optionally, select Admin or Monitor from the drop-down list to define the default authentication policy.
3. Click Apply to apply your changes to the running configuration.

Managing user permissions

You can change the administrator or monitor passwords and define role-based users in the Configure > User Permissions page.
There are two types of accounts:
“Capability-based accounts”
“Role-based accounts”

Capability-based accounts

The system has two built-in accounts, based on what actions you can take:
Admin - The administrator user has full privileges. For example, as an administrator you can set and modify configuration settings, add and delete users, restart the AltaVault service, reboot the AltaVault, and create and view performance and system reports.
Monitor - Monitor users can view reports and user logs and change their own password. A monitor user cannot make configuration changes.

Role-based accounts

Use the role-based management feature of AltaVault to specify what roles a user is assigned to, and what actions a user is permitted to perform on the appliance in each of those roles. You can specify role-based accounts for admin settings, general settings, prepopulation (prepop) settings, replication settings, report settings, security settings, and storage settings in the AltaVault.
A role-based account cannot modify another role-based or capability-based account. Only the Admin account and accounts with the admin settings role can create and modify role-based accounts.
This section describes the roles that you can assign for specific features.
Admin settings
You can assign users permissions to perform administrator activities, including creating and deleting other users. Users with the Admin role always have read/write permission for all other roles, even if those other roles explicitly indicate Deny for the user.
General settings
You can assign users permissions to configure the following General Settings:
Software upgrades
Licenses
Email, SNMP settings, and Web settings.
Hardware RAID settings
Shelf settings
Starting and stopping the Storage Optimization Service
All Networking Settings
All Maintenance Settings
All System Settings
System logs
Accessing system dumps and process dumps
Debugging commands such as the alarm command
Tcpdumps
Prepop settings
You can assign users permissions to start a new prepopulation task and to view an existing prepopulation task.
Replication settings
You can assign users permissions to configure the following Replication Settings:
Cloud configuration
Replication settings
Starting and stopping the Storage Optimization Service
Report settings
You can assign users permissions to configure the following read-only Report Settings:
Interface statistics
Alarm Status
View report graphs and statistics
Security settings
You can assign users permissions to configure the following Security Settings:
Kerberos/AD
RADIUS
TACACS
FIPS
Secure vault
Import, export, generate, and reset encryption key
Import
Export
Reboot/Shutdown
Appliance Monitoring
Alarm
User Log
Storage settings
You can assign users permissions to configure the following Storage Settings:
SMB
NFS
OST
SnapMirror

Configuring permissions for user roles

You can specify the following permissions for each role:
Deny - You cannot view settings or make configuration changes for a feature.
Read-Only - You can view current configuration settings but not change them.
Read/Write - You can view settings and make configuration changes for a feature.
To configure user permissions
1. Choose Configure > User Permissions.
2. Under Capability-Based Accounts, complete the configuration as described in this table.
Control Description
admin/monitor Click the magnifying glass icon to change the administrator or monitor password.
Enable Account - Click the check box to enable or disable the administrator or monitor account.
Change Password - Select the check box to change password protection.
• New Password - Specify a password in the text box. The password cannot be “password” or any case combination of “password” for any user including admin and root. You will be prompted with the following message: Password “password” and its case combinations are not allowed. The password must be at least 6 characters long.
• New Password Confirm - Confirm the new administrator password.
3. Under Role-Based Accounts, complete the configuration as described in this table.
Control Description
Add a New User Click to display the controls for creating a new role-based account.
Account Name Specify a name for the role-based account.
Note: If you are creating a user role for management login from the Active Directory domain, the name you enter must be the same as the user name in the Active Directory.
Password Specify the new password. The password cannot be “password” or any case combination of “password” for any user including admin and root and must be at least 6 characters long.
This password can be different from the AD password.
New Password Confirm Confirm the new password.
External Authentication Only If this option is selected, then this user can only be authenticated via external authentication methods. If Kerberos/AD authentication is enabled, the local password originally configured for a user is no longer retained by AltaVault. If you disable external authentication, you will need to create a new password.
Enable Account Select the check box to enable the new role-based account.
Roles and Permissions For the account being created, specify the desired permissions for each role. Click Select All to choose the given access level for all feature settings.
Add Adds your settings to the system.
Remove Selected Users Select the check box next to the name and click Remove Selected.

Unlocking an account

AltaVault temporarily locks out an account after a user exceeds the configured number of login attempts. Account lockout information appears on the Configure > User Permissions page.
When an account is locked out, the lockout ends after:
The configured lockout time elapses.
or
The administrator unlocks the account.
AltaVault never locks out the capability-based admin account.
To unlock an account
1. Log in as admin or any role-based user with read/write permission for the admin role.
2. Choose Configure > User Permissions.
3. Select the user to display the Edit User section.
4. Click Clear Login Failure Details to unlock the user account.
When you log in to your account successfully, AltaVault resets the login failure count.

Configuring password policy settings

You configure password complexity and lockout requirements for local management logins using Password Policy settings.
To configure password policy
1. Choose Configure > User Permissions.
2. Click Password Policy at the bottom of the page.
3. Select Enable Account Control.
4. Optionally, you can choose to populate the password settings with a predetermined set of values.
To see these values, move your cursor over each of the template options: Strong Security Template or Basic Security Template. The default values appear next to each field. Click on a template to select it.
For new installations, the password settings are prepopulated with basic security values.
5. Specify values for each of the following settings (default values shown):
Login attempts before lockout (no limit)
Timeout for user login after lockout (seconds) (300)
Days before password expires (no limit)
Days to warn user of an expiring password (no limit) - takes effect after setting Days before password expires
Days to keep account active after password expires (no limit)
Days between password changes (no limit)
Minimum Interval for password reuse (0)
Minimum password length (6)
Minimum uppercase characters (0)
Minimum lowercase characters (0)
Minimum numerical characters (0)
Minimum special characters (0)
Minimum character difference between passwords (0)
Maximum consecutively repeating characters (no limit)
Choose whether to prevent dictionary words (yes)
6. Click Apply to save your settings.

Configuring management login from Active Directory domain

AltaVault supports management login from either the Management Console (UI) or command-line interface (CLI) for domain users using their Active Directory (AD) credentials.
Note: The built-in AltaVault admin and monitor user accounts cannot be used for AD login. After AD login is enabled, you will not be able to log in using the built-in admin or monitor account. Management login from the AD domain requires you to add user accounts with the read/write permission for the Admin settings role.
This section covers the following information:
“Configuring login from AD” on page 86
“Login behavior using AD” on page 87

Configuring login from AD

To configure management login via Active Directory
1. From the Management Console, choose Configure > Host Settings.
2. In the DNS settings area, specify the DNS servers that can contact the domain controllers used by AltaVault. The
preferred domain controllers AltaVault can use are specified in the next steps.
3. From the Management Console, choose Configure > SMB.
4. If not already configured, select Domain and complete the domain configuration as described in “To configure an
Active Directory domain,” then click Join Domain.
For Username, you can enter any user that has administrator privileges to join the domain.
5. From the Management Console, choose Configure > User Permissions.
6. Under Role-based Accounts, select Add a New User and enter a user name and password. The user name must
map to that of an existing user in the AD domain. Do not qualify the user name with a domain name. For example, “user” is acceptable, but DOMAIN\user or user@DOMAIN is not.
7. Under Roles and Permissions, select the roles and permissions provided to the user.
To enable AD login, you must assign this user with the Admin role and read and write permissions. This user will then have privileges to add, delete or change permissions for other users.
8. Click Add to save user roles and permissions.
9. Repeat steps 6 through 8 to add additional users.
10. From the Management Console, choose Configure > General Settings.
11. Under Authentication Methods, select Kerberos/AD Only from the drop down menu and click Apply to save your settings and enable management login from AD.
Note: You must have joined the AD domain and have created an admin user account prior to setting the authentication method.
12. Optionally, if your security policy requires that user passwords cannot be stored locally, choose Configure > User Permissions from the Management Console. Select the user you wish to edit, and check the box External Authentication Only.
When this box is checked, the local password for this user is deleted from AltaVault and you must log in using AD credentials.
13. Optionally, to further limit AltaVault logins to use AD credentials only, disable SSH public key authentication in the CLI:
no ssh server pub-key-auth

Login behavior using AD

After enabling Kerberos for Active Directory login, accessing AltaVault has the following behaviors:
Password authentication will be checked against Active Directory credentials, not local passwords.
If the user password is changed in Active Directory, that user must log in using the new Active Directory
password.
If a user is disabled or deleted in Active Directory, that user will not be able to log in to the AltaVault. To avoid losing access to the AltaVault, it is recommended that you configure more than one Admin user account for Active Directory access.
AltaVault supports only individual Active Directory user accounts.

Setting RADIUS servers

You can optionally configure Remote Authentication Dial-In User Service (RADIUS) server authentication in the Configure > RADIUS page.
RADIUS is an access control protocol that uses a challenge and response method for authenticating users.
To configure RADIUS server authentication
1. Choose Configure > RADIUS.
2. Under Default RADIUS Settings, complete the configuration as described in this table.
Control Description
Set a Global Default Key Enables a global server key for the RADIUS server.
Global Key Specify the global server key.
Confirm Global Key Confirm the global server key.
Timeout (seconds) Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries Specify the number of times that you want to allow the user to retry authentication. The default value is 1.
3. Click Apply to apply your changes to the running configuration.
4. To add a new RADIUS server, complete the configuration as described in this table.
Control Description
Add a RADIUS Server Displays the controls for defining a new RADIUS server.
Hostname or IP Address Specify the hostname or IP address.
Authentication Port Specify the port for the server.
Authentication Type Select one of these authentication types:
• PAP - Password authentication protocol (PAP), which validates users before allowing them access to the RADIUS server resources. PAP is the most flexible protocol but is less secure than CHAP.
• CHAP - Challenge-Handshake Authentication Protocol (CHAP), which provides better security than PAP. CHAP validates the identity of remote clients by periodically verifying the identity of the client using a three-way handshake. This happens at the time of establishing the initial link and might happen again at any time afterwards. CHAP bases verification on a user password and transmits an MD5 sum of the password from the client to the server.
Override the Global Default Key Select this check box to override the global server key for the server and specify the following:
• Server Key - Specify the override server key.
• Confirm Server Key - Confirm the override server key.
Timeout (seconds) Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries Specify the number of times that you want to allow the user to retry authentication. Valid values are 0 to 5. The default value is 1.
Enabled Select the check box to enable the new server.
Add Adds the RADIUS server to the list.
Remove Selected Select the check box next to the name and click Remove Selected.
If you add a new server to your network and you do not specify these fields at that time, the global settings are applied automatically.
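What the two authentication types above put on the wire, following RFC 2865 sections 5.2 (PAP User-Password) and 5.3 (CHAP-Password). This is an added example, not NetApp code; the server key, password, challenge and function names are constructed for illustration.

```python
"""RADIUS PAP vs CHAP credential encoding (RFC 2865 sections 5.2 and 5.3)."""
import hashlib
import hmac


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def pap_hide(password: bytes, server_key: bytes, request_auth: bytes) -> bytes:
    """Build the User-Password value sent with PAP.

    The password is NUL-padded to a multiple of 16 bytes and XORed, block by
    block, with MD5(server_key + previous_block). The first "previous block"
    is the 16-byte Request Authenticator of the Access-Request.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = _md5(server_key + prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def pap_recover(hidden: bytes, server_key: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does: undo the hiding with the same server key."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = _md5(server_key + prev)
        clear += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return clear.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Build the CHAP-Password value: ident byte + MD5(ident + password + challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is a single byte")
    return bytes([ident]) + _md5(bytes([ident]) + password + challenge)


def chap_verify(chap_password: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the hash from its own copy of the password."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_password)


# Constructed sample values, not taken from any real deployment.
SERVER_KEY = b"constructed-shared-key"
REQUEST_AUTH = bytes(range(16))
PASSWORD = b"Constructed-Passw0rd!"      # 21 bytes, so two 16-byte blocks
CHALLENGE = bytes(range(16, 32))


def compare() -> dict:
    hidden = pap_hide(PASSWORD, SERVER_KEY, REQUEST_AUTH)
    chap = chap_response(7, PASSWORD, CHALLENGE)
    return {
        "pap_len": len(hidden),
        "pap_recovered_with_key": pap_recover(hidden, SERVER_KEY, REQUEST_AUTH) == PASSWORD,
        "pap_recovered_wrong_key": pap_recover(hidden, b"other-key", REQUEST_AUTH) == PASSWORD,
        "chap_len": len(chap),
        "chap_ok": chap_verify(chap, PASSWORD, CHALLENGE),
        "chap_on_other_challenge": chap_verify(chap, PASSWORD, bytes(16)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With PAP the server key is the only protection the password has in transit, so the Global Key or an override Server Key should be long and random. The CHAP value is bound to one challenge and does not verify against another.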

Configuring TACACS+ access

You can optionally set up TACACS+ (Terminal Access Controller Access-Control System) server authentication in the Configure > TACACS+ page.
TACACS+ is an authentication protocol that allows a remote access server to forward a login password for a user to an authentication server to determine whether access is allowed to a given system.
You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the General Settings page.
To configure a TACACS+ server
1. Choose Configure > TACACS+.
2. Under Default TACACS+ Settings, complete the configuration as described in this table.
Control Description
Set a Global Default Key Enables a global server key for the server.
Global Key Specify the global server key.
Confirm Global Key Confirms the global server key.
Timeout (seconds) Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries Specify the number of times you want to allow the user to retry authentication. Valid values are 0
to 5. The default is 1.
3. Click Apply to apply your changes to the running configuration.
4. To add or remove a TACACS+ server, complete the configuration as described in this table.
Control Description
Add a TACACS+ Server Displays the controls for defining a new TACACS+ server.
Hostname or IP Address Specify the hostname or server IP address.
Authentication Port Specify the port for the server. The default value is 49.
Authentication Type Select either PAP or ASCII as the authentication type. The default value is PAP.
Override the Global Default Key Specify this option to override the global server key for the server.
Server Key Specify the override server key.
Confirm Server Key Confirm the override server key.
Timeout (seconds) Specify the time-out period in seconds (1 to 60). The default is 3.
Retries Specify the number of times you want to allow the user to retry authentication. Valid values are 0 to 5. The default is 1.
Enabled Enables the new server.
Add Adds the TACACS+ server to the list.
Remove Selected Select the check box next to the name and click Remove Selected.
If you add a new server to your network and you do not specify these fields, the system automatically applies the default settings.

Unlocking the secure vault

The secure vault contains sensitive information from your AltaVault configuration, including the encryption key. These configuration settings are encrypted on the disk at all times, using 256-bit AES encryption.
You can unlock and change the password for the secure vault in the Secure Vault page.
Initially, the secure vault is keyed with a default password known only to the AltaVault software. This allows the AltaVault to automatically unlock the vault during system startup. You can change the password, but the secure vault does not automatically unlock on startup. If not using the default password, the user will need to provide the password to unlock secure vault. To use encryption, the secure vault must be unlocked.
If a password policy is enabled, the number of retries allowed for unlocking the secure vault is the same as the number of retries for locking out a user. The lockout duration is also the same as set in the password policy. To change the password policy, choose Configure > User Permissions and select Password Policy at the bottom of the page.
To unlock or change the password of the secure vault
1. Choose Configure > Secure Vault.
2. Under Unlock Secure Vault, complete the configuration as described in this table.
Control Description
Password Type a password and click Unlock Secure Vault.
Initially, the secure vault is keyed with a default password known only to the AltaVault software. This allows the system to automatically unlock the vault during system startup. You can change the password, but the secure vault does not automatically unlock on startup.
Unlock Secure Vault Unlocks the vault.
3. Under Change Password, complete the configuration as described in this table.
Control Description
Current Password Specify the current password. If you are changing the password that ships with the product, leave the text box blank.
New Password Specify a new password for the secure vault.
New Password Confirm Confirm the new password for the secure vault.
Change Password Changes the password for the secure vault.

Configuring Web settings

You can modify Management Console Web user interface settings in the Configure > Web Settings page. For information on managing Web SSL certificates, see “Managing web SSL certificates” on page 91.
To modify web settings
1. Choose Configure > Web Settings.
2. Under Web Settings, complete the configuration as described in this table.
Control Description
Default Web Login ID Specify the username that appears in the authentication page. The default value is admin.
Web Inactivity Timeout (minutes) Specify the number of idle minutes before time-out. The default value is 15. A value of 0 disables time-out.
Allow Session Timeouts When Viewing Auto-Refreshing Pages By default, session time-out is enabled. Clear the Allow box to disable the session time-out and remain logged-in indefinitely. Disabling this feature is not recommended and can pose a security risk.
3. Click Apply to apply your changes to the running configuration.

Managing web SSL certificates

The AltaVault provides the following additional security features to manage SSL certificates used by the AltaVault Management Console Web user interface using HTTPS.
Generate the certificate and key pairs on the AltaVault. This overwrites the existing certificate and key pair
regardless of whether the previous certificate and key pair was self-signed or user added. The new self-signed certificate lasts for one year (365 days).
Create certificate signing requests from the certificate and key pairs.
Replace a signed certificate with one created by an administrator or generated by a third-party certificate
authority.
To modify web SSL certificates
1. Choose Configure > Web Settings.
2. Under Web Certificate, select the Details tab.
The AltaVault identity certificate details appear, as described in this table.
Control Description
Issued To/Issued By Common Name - Specifies the common name of the certificate authority.
Email - Specifies the email address of the contact person.
Organization - Specifies the organization name (for example, the company).
Locality - Specifies the city.
State - Specifies the state.
Country - Specifies the country.
Validity Issued On - Specifies the date the certificate was issued.
Expires On - Specifies the date the certificate expires.
Fingerprint SHA1 - Specifies the SSL fingerprint.
Key Type - Specifies the key type.
Size - Specifies the size in bytes.
3. To import certificate and private key, under Web Certificate, select the Replace tab and complete the configuration as described in this table.
Control Description
Import Certificate and Private Key Select this option to import certificate and private key.
Upload (PKCS-12, PEM or DER formats) - Select this option to upload the CA-signed certificate file. The page displays a CA-Signed Public Certificate control for browsing to the key and certificate files or a text box for copying and pasting the key and certificate.
Paste it here (PEM only) - Select this option to paste the CA-signed certificate.
Private Key - Select an option from the following:
• This private key is in a separate file (below)
• This file includes the certificate and private key
• The private key for this certificate was created with a CSR generated on this appliance
Separate Private Key Upload (PEM or DER formats) - Select this option to upload the private key file. The page displays a Private Key control for browsing to the key or a text box for copying and pasting the key. Click Browse to navigate to the file.
Paste it here (PEM only) - Select this option to paste the private key.
Decryption password - Specify the decryption password. It is required for PKCS-12 files.
Import Certificate and Key Imports the new private key and certificate.
4. To generate a self-signed certificate and new private key, under Web Certificate, select the Replace tab and complete the configuration as described in this table.
Control Description
Organization Name Specify the organization name (for example, the company).
Organization Unit Name Specify the organization unit name (for example, the section or department).
Locality Specify the city.
State Specify the state. Do not abbreviate.
Country Specify the country (2-letter code only).
Email Address Specify the email address of the contact person.
Validity Period Specify the validity period. You can select from 60 to 3650 days.
Cipher:RSA Select the cipher from the drop-down list.
Generate CSR Generates the Certificate Signing Request.
5. To generate a CSR, under Web Certificate, select the Generate CSR tab and complete the configuration as described in this table.
Control Description
Common Name Specify the common name.
Organization Name Specify the organization name (for example, the company).
Organization Unit Name Specify the organization unit name (for example, the section or department).
Locality Specify the city.
State Specify the state. Do not abbreviate.
Country Specify the country (2-letter code only).
Email Address Specify the email address of the contact person.
Generate CSR Generates the Certificate Signing Request.
6. Click Apply to apply your changes to the running configuration.
7. To view PEM information, under Web Certificate, select the PEM tab.

Configuring KMIP

Key Management Interoperability Protocol (KMIP) is a standard describing communication between key management servers and their clients. AltaVault manages several important pieces of information that must be kept secure. These pieces include the datastore encryption key that encrypts user data and cloud credentials (which allow AltaVault to authenticate itself to the cloud provider). Without KMIP, these pieces of information are stored on a disk in an encrypted partition of AltaVault called the Secure Vault. They can also be exported in configuration archives. It is up to the user to keep these archives secure.
A user’s environment may be running multiple AltaVaults as well as other appliances or services that also require their own encryption keys and other sensitive information. The need for centralized key management has led to the development of key management servers (KMS), which operate as the KMIP server.
During setup, the administrator specifies an external KMS to manage AltaVault’s keys and cloud authentication parameters. The datastore encryption key and/or cloud authentication parameters will then be managed by the KMS.
If AltaVault uses KMIP, the KMS must be running nominally in order for AltaVault to be accessible.
AltaVault implements the following KMIP functionality:
Registering keys with a KMS
Fetching previously registered keys from a KMS
Note: Keys retrieved from a key server are never stored on a disk, only in memory. You cannot export fetched keys from a key server.
This section includes:
“Using the Management Console to configure KMIP”
“Using CLI to configure KMIP”
“Troubleshooting KMIP”

Using the Management Console to configure KMIP

This section includes the following information:
“To add a KMIP server” on page 94
“To add KMIP keys” on page 94
“To configure cloud settings” on page 95
“To configure the encryption key” on page 95
To add a KMIP server
Before you add a KMIP server, check the Web Settings page to verify that you have a certificate under the PEM tab.
1. Choose Configure > KMIP.
2. Under KMIP Servers, select Add a New Server and complete as described in the table.
Control Description
Key Server Name Specify the key server name.
Hostname Specify the hostname of the server.
Port Specify the port number.
Protocol Version Select the protocol version from the drop-down list.
Username Specify the username.
Password Specify the password.
Upload CA Certificate Select Browse to navigate to the CA certificate. The certificate must be a .pem file.
Add Adds the KMIP server to the AltaVault. The KMIP server displays in the table below.
Remove Selected Select a KMIP server and click Remove Selected to delete. This will result in AltaVault not using the key any longer, but the key will remain on the KMS. Deleting the key from the KMS has to be done through the UI provided by the KMS.
To add KMIP keys
1. Under KMIP Keys, select Add a New Key and complete as described in the table.
Control Description
Key Server Name Select the key server name that was added earlier from the drop-down. If the server is
not available, you must add the KMIP server.
Key Name Specify the key name of the server.
Type Select the type from the drop-down.
Secret Data - Select this option to manage cloud authentication.
Symmetric Key - Select this option to manage datastore encryption key. The selected
key must be an AES-256 key.
Register Key Select yes or no from the drop-down list.
Note: Select yes only if this key does not exist on the KMIP server. Select no if the key already exists on the KMIP server.
Key Data Specify the cloud authentication parameters.
This field displays only when the Register Key is set to Yes, and the Type is set to Secret Data.
UUID Specify the UUID from your server.
The UUID field displays only if the Register Key is set to No.
Add Adds the KMIP keys to the AltaVault. The KMIP key displays in the table below.
Remove Selected Select a KMIP key and click Remove Selected to delete.
To configure cloud settings
1. Choose Configure > Cloud Settings.
2. Select Cloud tab.
3. Select your cloud provider.
4. Select Yes from the Use Keys from KMIP Server drop-down list.
5. Select the correct secret data object names for each cloud authentication parameter (Access Key and Secret Key).
6. Click Apply to save your settings.
7. Select Maintenance > Service, and select Start to start the Storage Optimization Service.
To configure the encryption key
1. Choose Configure > Cloud Settings.
2. Select Encryption tab.
3. Select yes from the drop-down list.
4. Select the symmetric key name that corresponds to the AES-256 key.

Using CLI to configure KMIP

You can use the CLI to configure KMIP. For more information, see the NetApp AltaVault Cloud Integrated Storage Command-Line Reference Guide available on the NetApp Support site at https://mysupport.netapp.com under the Documentation tab.

Troubleshooting KMIP

AltaVault normally sends KMIP commands to the KMIP server in two situations: when the service comes up (most common) and when an object is registered with the server. Activity from these actions is recorded by AltaVault in the Maintenance > System Logs page.
Example of a successful command
Example of an unsuccessful command
Example of an unsuccessful command (failure to connect)
Common Errors
An authentication error could be caused by the following:
Incorrect username or password.
Incorrect client certificate.
Misconfigured certificates.

Configuring appliance monitoring

You can set up any AltaVault as the monitoring master appliance that monitors peer AltaVaults. The AltaVault uses REST APIs that you can access to set up peer appliance monitoring.
After you configure REST API access and add the API access code for the monitored appliance, the Appliance Monitoring report enables you to view the health status, disk space, and cloud service status of the AltaVault.
The monitoring appliance probes the monitored peer appliances every 60 seconds by default.
To configure REST API Access
When you add an appliance to be monitored by the AltaVault, you must generate an API access code to enable authenticated communication between the monitoring master appliance and the monitored peer appliance.
1. Log in to the monitored AltaVault appliance.
2. Choose Configure > REST API Access.
3. To enable access to the REST APIs, under REST API Access Settings, select the Enable REST API Access check
box.
4. Click Apply.
5. Complete the configuration as described in the table.
Control Description
Add Access Code Displays the controls to generate the API access code.
Description of Use Specify a clear description of the monitoring appliance such as the hostname or IP
address of the monitoring master appliance and a description such as “monitoring appliance.”
Generate New Access Code Generates the new access code.
Use Existing Access Code Select to use an existing REST API access code. When you are monitoring multiple
appliances, you can use the same access code instead of creating a new one for each appliance.
Add Adds the API access code to the AltaVault.
Remove Selected Select an access code description from the table below and click Remove Selected to
delete the selected REST API access code.
The added access code description appears in the Access Code Description table, along with the name of the user who created it.
6. Click the Access Code Description.
7. Copy the Access Code from the text field into a text editor, such as Notepad.
To specify the API access code in the monitoring appliance
1. Log in to the monitoring AltaVault appliance.
2. Choose Reports > Appliance Monitoring.
3. Complete the configuration as described in this table.
Control Description
Add Monitored Appliance Displays the controls to add a monitored appliance.
Hostname or IP address Specify a valid hostname or IP address for the monitored appliance.
API Access Code Specify the API access code that you obtained from the monitored appliance as
specified in “To configure REST API Access” on page 97.
Add Adds the API access code to the AltaVault appliance.
Remove Selected Appliances Select an access code from the table below and click Remove Selected Appliances to
delete the selected REST API access code.

Configuring a management ACL

You can secure access to the AltaVault using an internal management Access Control List (ACL) in the Configure > Management ACL page. For information on the ACL rules, see “ACL Management Rules” on page 99.
Using an internal management ACL, you can:
restrict access to certain interfaces or protocols of an appliance.
restrict inbound IP access to the AltaVault, protecting it from access by hosts that do not have permission.
specify which hosts or groups of hosts can access and manage the AltaVault by IP address.
The Management ACL provides the following safeguards to prevent accidental disconnection from the AltaVault:
It detects the IP address you are connecting from and displays a warning if you add a rule that denies connections
to that address.
It converts well-known port and protocol combinations such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP
into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.
It tracks changes to default service ports and automatically updates any references to changed ports in the access
rules.
To set up a management ACL
1. Choose Configure > Management ACL.
2. Under Management ACL Settings, complete the configuration as described in this table.
Control Description
Enable Management ACL Select the check box to secure access to an AltaVault using a management ACL.
3. Click Apply to apply your changes to the running configuration.
If you add, delete, or modify a rule that could disconnect connections to the AltaVault, a warning message appears. Click Confirm to override the warning and allow the rule definition anyway. Use caution when overriding a disconnect warning.

ACL Management Rules

The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on an AltaVault, the destination specifies the AltaVault itself, and the source specifies a remote host.
To add an ACL management rule
1. Choose Configure > Management ACL.
2. Under Add a new rule, complete the configuration as described in this table.
Control Description
Add a New Rule Displays the controls for adding a new rule.
Action Select one of the following rule types from the drop-down list:
Allow - Allows access when packets match the specified criteria. This is the default action.
Deny - Denies access when packets match the specified criteria.
Service Optionally, select Specify Protocol, or HTTP, HTTPS, SOAP, SNMP, SSH, Telnet.
Service Optionally, select Specify Protocol, or HTTP, HTTPS, SOAP, SNMP, SSH, Telnet. When specified, the Destination Port is dimmed and unavailable.
Protocol (Appears only when Service is set to Specify Protocol.) Optionally, select All, TCP, UDP, or ICMP from the drop-down list. The default setting is All. When set to All or ICMP, the Service and Destination Ports are dimmed and unavailable.
Source Network Optionally, specify the source subnet of the inbound packet. For example, 1.2.3.0/24.
Destination Port Optionally, specify the destination port of the inbound packet, either a single port value or a port range of port1-port2, where port1 must be less than port2. Leave it blank to specify all ports.
Interface Optionally, select an interface name from the drop-down list. Select All to specify all interfaces.
Description Optionally, describe the rule to facilitate administration.
Rule Number Optionally, select a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule).
AltaVaults evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
The default rule, Allow, which allows all remaining traffic from everywhere that has not been selected by another rule, cannot be removed and is always listed last.
Log Packets Tracks denied packets in the log. By default, packet logging is enabled.
Add Adds the rule to the list. The Management Console redisplays the Rules table and
applies your modifications to the running configuration, which is stored in memory.
Remove Selected Select the check box next to the name and click Remove Selected.
Move Selected Moves the selected rules. Click the arrow next to the desired rule position; the rule
moves to the new position.
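The following Python sketch models the first-match evaluation and the permanent default Allow rule described in the Rule Number row, so a planned rule order can be checked before it is applied. It is an added illustration, not AltaVault code: the Rule class, the evaluate function, the interface name "primary" and the sample packets are assumptions, and the Service control is left out (rules are expressed as protocol plus port).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:  # hypothetical model of one row in the Rules table
    action: str                               # "allow" or "deny"
    protocol: str = "all"                     # "all", "tcp", "udp" or "icmp"
    source: str = "0.0.0.0/0"                 # source subnet of the inbound packet
    ports: Optional[Tuple[int, int]] = None   # inclusive port1-port2; None = all ports
    interface: str = "all"

    def matches(self, pkt):
        if self.protocol != "all" and self.protocol != pkt["protocol"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.source):
            return False
        if self.ports and not (self.ports[0] <= pkt["dport"] <= self.ports[1]):
            return False
        return self.interface in ("all", pkt["interface"])

DEFAULT_RULE = Rule("allow")  # always listed last and cannot be removed

def evaluate(rules, pkt):
    """Return (rule_number, action) of the first rule that matches, starting at rule 1."""
    for number, rule in enumerate(rules + [DEFAULT_RULE], start=1):
        if rule.matches(pkt):
            return number, rule.action

# Constructed sample packets: SSH from the admin subnet and from elsewhere.
ssh_from_admin = {"protocol": "tcp", "src": "1.2.3.10", "dport": 22, "interface": "primary"}
ssh_from_other = {"protocol": "tcp", "src": "10.9.9.9", "dport": 22, "interface": "primary"}

allow_admin = Rule("allow", "tcp", "1.2.3.0/24", (22, 22))
deny_ssh = Rule("deny", "tcp", ports=(22, 22))

only_allow = [allow_admin]            # default Allow still admits every other source
restricted = [allow_admin, deny_ssh]  # admin subnet allowed, all other SSH denied
misordered = [deny_ssh, allow_admin]  # rule 1 denies the admin subnet; rule 2 is never consulted

if __name__ == "__main__":
    for name, table in [("only_allow", only_allow), ("restricted", restricted), ("misordered", misordered)]:
        print(name, evaluate(table, ssh_from_admin), evaluate(table, ssh_from_other))
```

Because the default rule is Allow, an Allow rule on its own restricts nothing; the restriction comes from the Deny rule placed after it.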

Configuring SSH Access

AltaVault supports SSH access to the management port of the appliance. SSH access can use either user credentials (username/password) or the client public key. This section describes how to use AltaVault CLI commands to configure SSH access using public keys.
To enable SSH access via public key
1. Log in to the AltaVault with the login name and password.