UPDATE: Information on configuring certificates for use with indications has been added at the bottom of this blog.
All providers have slightly different installation procedures and characteristics. This information should help you get started using the EMC provider which can be downloaded from Powerlink (you will need an account). Make sure you download the latest version (currently 4.6). This information applies for use with either the Windows Server 2012 (or R2) Windows Standards-Based Storage Management Service or System Center Virtual Machine Manager 2012 (or R2) and the provider supports EMC Symmetrix VMAX, Clariion CX4 and VNX arrays. Please consult the EMC documentation for the appropriate array firmware levels and also for what platform the provider can be installed on.
Note that an SMI-S provider is assumed to be running somewhere other than the Windows Standards-Based Storage Management Service (I’ll call it Storage Service for short). Providers are either standalone server applications (known as proxy providers) or embedded in the array firmware. For EMC, the provider being discussed is a proxy provider so it needs to be installed on a running system with a supported version of Windows or Linux installed. Since vendors have not yet certified their SMI-S Providers to run on Windows Server 2012, this blog will discuss getting the EMC Provider running on Win2k8R2.
Download the EMC provider
The EMC SMI-S provider is a part of the “Solutions Enabler with SMI” package which you can download from Powerlink (requires registration); search for “SMI-S Provider” once you log in. There are provider versions available for Windows and Linux, and either can be used. Make sure you select the latest 32-bit or 64-bit version, and Windows or Linux version, as appropriate.
Install the provider
Installation is straightforward: just run the installer you downloaded as an administrative user. Use all the defaults and make sure you select only the “Array provider”, as Windows does not use the Host providers and installing them may create conflicts with other software. We assume throughout this document that the provider is running on a different system than the Storage Service. It may be possible to install it on the same system once vendors support the Windows Server 2012 platform. Be aware that installing multiple providers may not be supported or may require additional configuration and non-standard port numbers.
Add firewall rules
If the provider runs on a Windows Server, you will need to configure the firewall to allow SMI-S and SLP traffic. Please do not turn off the firewall. The general rules below can be made stricter by eliminating HTTP support (port 5988), by naming the CIM Server application (ECOM) as the process for ports 5988-5989, and by naming the SLP server (SLPD.exe) as the process for port 427. You can also limit which systems can manage through the provider by restricting the rules to pass only traffic from those IP addresses. I am assuming the firewall is in its default state (blocks incoming/allows outgoing traffic).
These command lines must be run from an administrative account and will work for Windows Server 2008 R2. You can also use the firewall control panel, or the equivalent PowerShell cmdlet if the provider was installed on a Windows Server 2012 system.
netsh advfirewall firewall add rule name="SLP-udp" dir=in protocol=UDP localport=427 action=allow
netsh advfirewall firewall add rule name="CIM-XML in" dir=in protocol=TCP localport=5988-5989 action=allow
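The stricter variant described above, written out as an added example (not part of the original post or of EMC's documentation): HTTPS only, each rule tied to its server process, and only one management host allowed in. The management host address, the ECOM.exe file name, the SLPD.exe path and the rule names are assumptions to adjust for your installation.

```batch
@echo off
rem Added example: tighter versions of the two general rules above.
rem Assumptions (not from the original post): the management host address,
rem the executable name and path values below, and the new rule names.
setlocal

rem Placeholder: the Storage Service or VMM server allowed to manage through the provider.
set "MGMT_IP=192.0.2.10"
rem The bin folder is the one named in this post; the file name ECOM.exe is assumed.
set "ECOM_EXE=C:\Program Files\EMC\ECIM\ECOM\bin\ECOM.exe"
rem Placeholder: set this to wherever SLPD.exe was installed on this system.
set "SLPD_EXE=C:\Path\To\SLPD.exe"

rem Remove the general rules if they were already created.
rem A "No rules match" result simply means they were never added.
netsh advfirewall firewall delete rule name="SLP-udp" >nul
netsh advfirewall firewall delete rule name="CIM-XML in" >nul

rem CIM-XML over HTTPS only (5989; 5988 stays blocked by the default inbound policy),
rem accepted only by the CIM server process and only from the management host.
netsh advfirewall firewall add rule name="CIM-XML HTTPS in" dir=in action=allow ^
    protocol=TCP localport=5989 program="%ECOM_EXE%" remoteip=%MGMT_IP%

rem SLP discovery: UDP 427, accepted only by the SLP server process,
rem with the same source restriction.
netsh advfirewall firewall add rule name="SLP-udp in" dir=in action=allow ^
    protocol=UDP localport=427 program="%SLPD_EXE%" remoteip=%MGMT_IP%

rem Show what was created so the program and remote IP filters can be reviewed.
netsh advfirewall firewall show rule name="CIM-XML HTTPS in" verbose
netsh advfirewall firewall show rule name="SLP-udp in" verbose
endlocal
```

With port 5988 closed, the provider must be registered with the Storage Service over HTTPS on port 5989.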
Change the default password and add additional users, if required
The EMC provider security can be configured through a webpage; open https://localhost:5989/ecomconfig. This is what you will see first:
At this point you have several options, but first a word about “self-signed” certificates. All SMI-S providers create or copy self-signed certificates to the system when they are first installed, which means the certificate is not issued by a trusted party such as VeriSign. These certificates can be used “as-is” if that is consistent with your company’s security policies AND you trust the host where you installed the provider. You have the option to use more formally signed certificates, that is, certificates that “chain” to a trusted Certificate Authority (CA). A full discussion of this can be found on the web. If you stay with the self-signed certificate, your options right now are to a) “Continue to this website” or b) change to using the fully-qualified domain name (FQDN) of the server instead of localhost, and add the certificate to the local certificate store, which tells IE that you trust this site. This only affects the use of the configuration page below; the storage service will prompt you for action when you register the SMI-S provider the first time.
Log in with the default account (admin) and password (see the EMC documentation) and proceed to change the password, add an additional user or make any other changes to the security. Note the user name and password since you will need these when you register the provider for use with the Storage Service.
While you are here, there is one more change that we will need to make. Click on the Dynamic Settings link from the ECOM Administration Page and locate the setting for SSLClientAuthentication. Select None, check the Persist box, then click on Apply – this avoids a potential problem with SSL negotiations without lowering the security level. You will not need to restart the ECOM service if you modify parameters on this page.
Provider configuration changes for VMM
We need to adjust some settings for the EMC provider in order for it to work best with System Center 2012 Virtual Machine Manager. Navigate to C:\Program Files\EMC\ECIM\ECOM\conf and open the file Security_settings.xml with Notepad or another text editor.
Change each of the following settings from the first value shown to the second.
Change:
<ECOMSetting Name="ExternalConnectionLimit" Type="uint32" Value="100"/>
to:
<ECOMSetting Name="ExternalConnectionLimit" Type="uint32" Value="600"/>
Change:
<ECOMSetting Name="ExternalConnectionLimitPerHost" Type="uint32" Value="100"/>
to:
<ECOMSetting Name="ExternalConnectionLimitPerHost" Type="uint32" Value="600"/>
Save the file and restart the provider. You can use the Services control panel, or from a command prompt:
net stop ecom
net start ecom
I also modify my PATH environment variable to include the EMC command line utilities:
set PATH=%PATH%;C:\Program Files\EMC\SYMCLI\bin;C:\Program Files\EMC\ECIM\ECOM\bin
(Or use the Advanced System Settings property page so this takes effect every time you open a command prompt.)
Adding arrays to manage
Depending on which EMC arrays you have, the process for managing them with SMI-S will be slightly different. The Symmetrix product line requires a direct, in-band connection using either Fibre Channel or iSCSI. This also requires creating “gatekeeper” LUNs on the array and unmasking them to the system where the provider is running and for Fibre Channel, configuring the zoning as well. Clariion and VNX can be managed either in-band or out-of-band using an Ethernet connection.
The EMC Provider Release Notes contain full information for adding arrays, including zoning when you use Fibre Channel for in-band management. See their Post-Installation Tasks for more information.
Indications are asynchronous events that come from the provider, informing a “listener” such as the storage service of events that may be of interest. I discuss indication support in this blog post. You will need to follow the setup instructions there before the EMC provider can properly send indications. There is one more step though. The Storage Service certificate must be provided to the EMC CIMOM (ECOM) using the above administration website.
This time, you will select SSL Certificate Management. Depending on the age of the EMC provider (ALWAYS use the latest!!), there may be three or six different options. You want the third one. You will also need the Base-64 Encoded certificate that you exported if you followed my indications blog. This is a text file.
So select SSL Certificate Management, and pick Option #3: Import CA Certificate File
A text box will pop up and it may already have one or more certificates included. We want to paste the contents of the .CER text file into that box at the bottom. So open that file with your favorite text editor (Notepad will do fine), select EVERYTHING including the BEGIN/END marker lines with all the dashes, copy, paste into the Submit CA Certificate box, then click on Submit the Certificate. That should do it, and if you followed both of these blogs, indications will flow and keep everything up-to-date. (You still need to do the initial discovery operation since indications are only used to signal changes.)