Wednesday, August 1, 2012

How To Configure EMC VSI with EMC SMI-S Integrated to Active Directory and Secure SYMAPI Connection - Part 1


In this example we'll go over installing EMC VSI with EMC SMI-S, as well as integrate SMI-s with MS Active Directory and make sure that our connections to our Solutions Enabler are secure. Since a procedure is a bit long, I have to break it up into couple of parts. I promise to try  not to bore you much :)

Install SMI-S


You must download Solutions Enabler which is bundled with SMI-S. Point your browser to powerlink.emc.com and navigate to Home > Support > Software Downloads and Licensing > Downloads S > SMI-S Provider . In our case, we'll be downloading -  se7400-WINDOWS-x64-SMI.exe






Once downloaded, double click executable to launch Solutions Enabler installation wizard. This will install SMI-S service as well.


Click Next

Select Array Provider


 Click Next



Click Install

Installation process will spawn:


Once finished, you’ll be presented with a successful install message:


 Click Finish

Configure SMI-S

 If you want to enable Windows authentication for the Array and Host providers, you need to modify default settings in the security_settings.xml file. 


On Windows hosts, modify file in c:\program files\emc\ecim\ecom\conf\security_settings.xml
For Linux modify file in /opt/emc/ECIM/ECOM/conf/security_settings.xml



To enable Windows authentication, do the following:

If ECOM is running, stop the service:



Modify the following default settings in security_settings.xml:

<ECOMSettingName="NonCIMRequest_AuthenticationEnabled
"Type="boolean" Value="false"/>
<ECOMSetting Name="HTTPChallengeMechanism"
Type="string" Value="Basic"/>

to:

<ECOMSetting Name="NonCIMRequest_AuthenticationEnabled
"Type="boolean" Value="true"/>
<ECOMSetting Name="HTTPChallengeMechanism"
Type="string" Value="Basic,WindowsAuth"/>

3. Restart ECOM.

Note: Changing the default setting of <ECOMSetting
Name="NonCIMRequest_AuthenticationEnabled"Type="boolean"
Value="true"/> prevents the VASA provider from working properly!!  As SMI-S documentations states: “To use the VASA provider with VMware vCenter™ 5.0, you must set up a separate SMI-S Provider installation to use with VMware vCenter 5.0. This issue will be resolved in a future release of SMI-S Provider.” As for me, I’d be more concerned about VASA working properly, and I’d leave the settings at default (i.e., “false”)

ECOM has a web server used to  administer user accounts, logs and security. It can also be used to deliver HTML content and other files, such as JAR files for Java client user interfaces. By default, the server
can be accessed from:

https://<ManagementIPAddress>:<port>/ecomconfig

where <port> is a secure port as defined in Port_settings.xml.

http://server01.test.testdomain.com:5988/ecomconfig

Here is the output of Port_settings.xml file:

<!--
************************************************************************************
Sample port setting format: 
In this sample, the following rules apply for port 80
HTTP_PUT traffic  - Rejected
CIM traffic       - Allowed 
All other traffic - Forwarded to PortYY

Possible values for traffic types are: CIM, HTTP_PUT, HTTP_GET, HTTP_MPOST, HTTP_POST, ALL_TRAFFIC.

<ECOMSetting Name="XXXX">
       <port>5988</port>
       <secure>false</secure>
       <slp>true</slp>

       <trafficlist>
             <traffic type="HTTP_PUT">
                <reject></reject>
             </traffic>

             <traffic type="CIM">
                <allow></allow>
             </traffic>

             <traffic type="ALL_TRAFFIC">
                <forward>PortYY</forward>
             </traffic>
       </trafficlist>
</ECOMSetting>

************************************************************************************
-->

<ECOMSettings>
<ECOMSetting Name="Port0">
<!--
       <portRange>5988</portRange>
-->
       <port>5988</port>
       <secure>false</secure>
       <slp>true</slp>
</ECOMSetting>

  
<ECOMSetting Name="Port1">
<!--
       <portRange>5989</portRange>
-->
       <port>5989</port>
       <secure>true</secure>
       <slp>true</slp>
</ECOMSetting>
<!--
 
<ECOMSetting Name="Port2">
       <portRange>5985</portRange>
    <port>5985</port>
    <secure>false</secure>
    <slp>true</slp>
</ECOMSetting>

<ECOMSetting Name="Port3">
       <portRange>5986</portRange>
    <port>5986</port>
    <secure>true</secure>
    <slp>true</slp>
</ECOMSetting>
-->

</ECOMSettings>

Note: The parameter ECOMConfigPageEnabled in ECOM_settings.xml must be set to true (the default) to enable access to the ECOM Administration Web Server.

ECOM keeps its configuration information in the following directory:

C:\Program Files\EMC\ECIM\ECOM\conf\cst\Config.xml

If you go with Windows Authentication (i.e., ,"Type="boolean" Value="true”) before you even hit the URL: http://server01.test.testdomain.com:5988/ecomconfig you’ll be presented with the Windows Authentication:


Once authenticated, you’ll be presented with EMCOM welcome screen, prompting you for an internal authentication:

The web server requires authentication. If you are accessing ECOM for the first time, you can login with the default credentials of:

Username: LocalDir/admin
Password: #1Password


Note: EMC recommends changing this user ID/password combination after initially starting ECOM.

Once authenticated, you’ll be presented with the following window:


Click on Change Password and set the new password:



You can login as admin and newly-set password. Next, we need to integrate our SMI-S server with the MS Active Directory. Click on Add LDAP Server


LDAP Server Information window will appear. Populate the values as displayed below:



Click on Add LDAP server.
LDAP Server Information

Use the fields below to configure ECOM access to your LDAP server.
Consult the ECOM Deployment and Configuration Guide for more information about these fields

LDAP Authority Name: TESTDOMAIN
Server Type:         ldap 
IP Address:          192.168.1.115
Port:                389
bindDn:              cn=serviceEMC,ou=User,ou=Accounts,dc=TESTDOMAIN,dc=test,dc=com
bindPassword:        *********
userSearchPath:      dc=TESTDOMAIN,dc=test,dc=com
groupSearchPath:     dc=TESTDOMAIN,dc=test,dc=com
userIDAttribute:     sAMAccountName
userNameAttribute:   cn
groupNameAttribute:  cn
userObjectClass:     user     
groupObjectClass:    group
groupMemberAttribute:uniqueMember
ldapTimeout:         30000
ldapDebugLevel:      0
Trusted Certs File:
Client Cert File:
Client Cert Key File:
Client Key File Password:

Next, we need to add LDAP Server Role Mapping:




Click on Add Role Map

Now that we’ve added our MS AD user to ECOM authentication, we need to test it. Go ahead and log off as ‘admin’ and try to login back using MS AD credentials.


Syntax: <DOMAIN>/<Username>


Screenshot below indicates that we’ve successfully logged on to ECOM using MS AD credentials:




Next, we need to install NaviCLI. We’ll go over this in Part 2
Posted by at

1 comment:

Subscribe to: Post Comments (Atom)