EMC® Data Protection Advisor Version 5.8 Product Guide
300-012-560 REV 03
For administrators setting up DPA after installation

EMC Corporation, Corporate Headquarters: Hopkinton, MA 01748-9103, 1-508-435-1000, www.EMC.com



    Copyright

    Copyright 2005-2012 EMC Corporation. All rights reserved.

    Published November, 2012

    EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

    THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

    Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

    For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink.

    For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

    All other trademarks used herein are the property of their respective owners.

    For more information

    EMC support, product, and licensing information can be obtained as follows.

    Product information: For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to the EMC Powerlink website (registration required) at http://Powerlink.EMC.com.

    Technical support: For technical support, go to EMC Customer Service on Powerlink. To open a service request through Powerlink, you must have a valid support agreement. Please contact the EMC sales representative for details about obtaining a valid support agreement or to answer any questions about the account.

    Your comments

    Comments and suggestions about our product documentation are always welcome.

    To provide feedback, please email [email protected]


    Contents

    Chapter 1 Overview
        DPA Overview
        Architecture overview
        General Features
            Open XML Interfaces
            Database Abstraction
            Adaptive on-the-wire Compression
            The Datamine
        What are the DPA processes?
            Controller
            Listener
            Reporter
            Collector
            GUI
            Predictive Analysis Engine
            Publisher
            Recoverability analysis
        The Collector
            Connecting to the Listener
            Collector modules
            Remote monitoring
        Data Protection Advisor Integration
            Input Integration
            Output Integration

    Chapter 2 Getting Started
        Starting Data Protection Advisor
        Launching DPA from NetWorker
        Creating user roles and users
            Creating a new user
            Creating a new user role
            Changing your own password
            Resetting a user's password
            Changing the way reports appear to users
            Changing the way the GUI looks for users
            Setting privileges for user roles
            The default DPA users and roles
        Expanding user definitions with attributes
            Creating a user attribute
            Assigning an attribute to a user
            Deleting an attribute
            Types of attributes

    Chapter 3 Using external authentication systems
        Setting up LDAP authentication
        Setting up Kerberos authentication

    Chapter 4 Configuring Time Windows
        Working with time windows
            Creating a new window
            Creating a time definition

    Chapter 5 Configuring Schedules
        Using the schedule editors
        Using the basic editor
            Window schedules
            Point-in-time schedules
            Using the advanced editor
        Schedule component editor
            Dates
            Hours
            Days

    Chapter 6 Configuring Menus
        Working with menus
            To create a new menu
            Adding a report to a menu
            Adding a Control Panel to a menu
            Adding a Command to a menu
            Adding an Action to a menu
            Changing the order of items in a menu
            Limiting tree menus to specific node types
            Restricting users from seeing menus

    Chapter 7 Creating Views, Nodes, and Queries
        What are views and nodes?
            The Configuration view
        Working with views
            Creating a view
            Changing the view
            Deleting a view
            Restricting a user to a view
        Node overview
            Node categories
            Node types
        Working with nodes
            Node aliases
            Creating a node for monitoring
            Creating a node for reporting
            Assigning a node
            Unassigning a node
            Finding a node's dependents
            Searching for a node
        Extending node information with attributes
            Creating a node attribute
            Assigning an attribute to a node
            Using the system attributes
        Working with queries
            Standard queries
            Advanced queries
            Running queries

    Chapter 8 Database Maintenance
        iAnywhere maintenance
            Backing up the database
            Restoring the database
            Performance Tuning
        Implementing a Datamine Maintenance Plan
            Creating a maintenance plan
            Assigning a maintenance plan to a node

    Chapter 9 System Settings
        Configuring system settings
            Modifying configuration parameters for processes
        Configuring client reporting
        Configuring resolution fields
        Configuring advanced options

    Chapter 10 Policies
        Introduction
            Creating policies
            Default policy settings
            Assigning a policy to a node
        Auto-reconciliation policies
        Chargeback policies
        Data protection policies
        Recoverability policies
        Recoverability checks

    Chapter 11 Auditing, Reporting, and Request Histories
        Auditing
        Report history

    Glossary

    Index

    Chapter 1 Overview

    This overview explains the technical architecture of Data Protection Advisor. It provides a description of each component and its functions, and the underlying methods of communication between components and with external systems. This document includes the following sections:

    DPA Overview
    Architecture overview
    General Features
    What are the DPA processes?
    The Collector
    Data Protection Advisor Integration

    DPA Overview

    EMC Data Protection Advisor (DPA) is a sophisticated reporting and analytics platform that provides customers with full visibility into the effectiveness of their Data Protection strategy. It does this by monitoring all of the technologies that a customer uses to protect their data, including Backup Software, Storage Arrays, File Servers, and Tape Libraries.

    DPA's sophisticated reporting engine provides highly customizable reports to highlight problems within the environment, and enables customers to perform Capacity Management, Service Level Reporting, Chargeback, Change Management, and Troubleshooting.

    DPA's Predictive Analysis Engine provides customers with early warning of problems that might be about to occur, and generates alerts allowing customers to resolve problems sooner, reducing business impact.

    DPA is designed to help users identify and fix performance and capacity management (PCM) issues within large enterprises. It consists of a number of loosely-coupled processes and data stores for holding configuration and gathered data. In addition, it has a number of interfaces to import and export information, to allow for integration with other aspects of a large enterprise and to provide a significant part of an overall distributed systems management strategy.

    Architecture overview

    An overview of the complete DPA architecture is provided in Figure 1. This diagram shows all the major components within the architecture and their internal communications.

    Figure 1 Data processing and output

    In Figure 1, the dotted lines represent binary communications. Solid lines represent XML communications. There are a number of important architectural points:

    There are three layers within the product: data input, core server, and data output (the GUI). The core server is a combination of the three databases (datamine, configuration, illuminator), and the processes which interact with the databases.

    The data input layer obtains information from systems, networks, storage, and applications. It passes this information on to the appropriate core server process for insertion into the datamine and illuminator databases. The open methodology of the DPA makes it possible to replicate, augment, or entirely replace the functionality of the data collection system provided by DPA with a proprietary or third-party product.

    [Figure 1 labels: Datamine, Configuration, Illuminator, Publisher, GUI, Predictive Analysis Engine, Reporter, Controller, Listener, Server, Data input, Collector; port labels 3741 and 25011 (8090)]

    The data output layer takes information from the core server processes involved with datamine extraction and uses it to generate output for either human viewing (for example, graphs, e-mails, web pages) or for further processing (for example, SNMP trap, parameters to script, additional datamine information). As with the data input layer, proprietary or third-party products can be used in addition to, or in place of, the processes provided.

    All core server processes have XML entry points. These are interfaces with well-defined APIs that allow for DPA data processes to send information. These APIs also allow for third-party and proprietary applications to interoperate with DPA.

    Although only one of each process is shown, most of the processes are able to run multiple times and still communicate with a single underlying datamine. This allows for larger environments to be able to run as functionally or geographically separate instances without any loss of functionality.

    The processing of all data sources and operators occurs on the Server. Only the final results of a report are sent over the network to the user interface or Publisher. This significantly reduces both the time reports take to run and the memory and CPU requirements on the machine on which the Graphical User Interface is running.

    General Features

    As well as the specific features of each process, the Data Protection Advisor (DPA) processes share some common features. This shared functionality is critical in allowing the DPA processes to interoperate. Some of the major features are described in the following sections:

    Open XML Interfaces
    Database Abstraction
    Adaptive on-the-wire Compression
    The Datamine

    Open XML Interfaces

    Every DPA process has an XML interface, which is used as the primary method of communication with all other DPA processes. The interfaces are open and allow both programmatic and custom access to all features of DPA.

    Database Abstraction

    DPA processes run on top of a database abstraction layer. This allows DPA to work with information objects rather than database rows, and provides a single interface to store and retrieve persistent data. It allows for DPA to work with multiple databases and to expand its database support if required without requiring any changes in the main DPA code base.

    Adaptive on-the-wire Compression

    XML provides a system for data transfer that is both powerful and flexible; however, it is somewhat verbose. DPA processes compensate for this by switching from simple XML to a highly compressed format if the amount of data to send exceeds a certain threshold. The compressed format allows for large amounts of data to be sent between DPA processes without requiring the levels of bandwidth normally needed for XML transmission.

    The combination of the benefits of XML data representation and the bandwidth-saving size of a compressed data format means that DPA processes have the best of both worlds when it comes to data transfer and communications.

    The Datamine

    DPA's core datamine is a database with a number of loosely connected tables that allow the core server processes to not only generate detailed reports, but also to route through the internal contents of the database and find mappings between items that can span multiple domains. The datamine is the heart of the DPA product, and contains all information gathered from remote sources. Due to the high performance requirements and massive amounts of stored data, the datamine is never accessed directly by client systems. All interaction goes through the core server processes.

    The illuminator database is a separate datamine that stores data gathered by the recoverability agent.

    The datamine uses a SQL database as its underlying storage system. Details on which databases are suitable to be used as a datamine are available in the Data Protection Advisor Installation Guide.

    What are the DPA processes?

    This section provides more detail on the separate processes of which DPA is composed, focusing on the purpose of each process and any important implementation-level details. This section includes the following sections:

    Controller
    Listener
    Reporter
    Collector
    GUI
    Predictive Analysis Engine
    Publisher
    Recoverability analysis

    Controller

    The Controller is a flexible data store that contains control and configuration information for DPA. It provides a hierarchical layout of assets, with multiple views to allow for different hierarchies of the same set of assets to suit separate areas of an enterprise. The Controller also allows extensions to the base system through user-defined attributes that allow any existing asset model to be transposed. Other configuration information held within the Controller includes security information, per-user customization of menus, and details for the operation of the Publisher and Predictive Analysis Engine.

    One of the Controller's main functions is to provide the hierarchies of nodes that constitute an enterprise. These hierarchies are used for both data gathering and reporting, and they need to be flexible and easy to use. The Controller provides a unique multi-view hierarchical setup that gives each set of users the control that they need without compromising the ability of other groups to do the same. Each group or user can be assigned a view. Within this view, users can set up the assets they are concerned with in any way that makes sense to them. This setup is independent of all other views within DPA, providing each user with his or her own view into the global list of assets.

    In addition to configuration information, the Controller contains data regarding the type and structure of information available within the datamine. The Controller is queried by all processes requiring information from the datamine.

    The Controller uses a database as its back-end storage system. Details on the supported databases are available in the Data Protection Advisor 5.5 Installation Guide.

    Listener

    The Listener is a high-performance data gateway that takes data gathered by Collectors and other API-compliant systems and processes it prior to insertion into the datamine.

    The Listener uses a sophisticated thread pooling model in combination with a highly efficient caching system to allow it to keep database accesses to a minimum while managing to keep up with the high processing loads that can occur in large environments.

    Reporter

    The Reporter is a datamine extraction tool and expression system. It works from an XML input to gather data for one or more specific time periods from multiple tables within the datamine, and then carries out a number of mathematical, logical, and datamine-specific operations on the information before presenting it as XML output.

    The Reporter is highly optimized for handling queries against the datamine by utilizing its understanding of the tables and their relationships. In addition, the large number of internal operations allows the final data output to be considerably pared down in situations where very specific information is required.

    Collector

    The Collector is a generic information-gathering infrastructure that obtains data from both local and remote sources. Data sources can be in one of the following domains:

    System

    Network

    Application

    Storage

    The Collector has a highly modular design. Each separate data source has a specialized collection module as shown in Figure 2.

    Figure 2 Collector design

    The modules are independent objects that link to the Collector dynamically at runtime and provide the core of the data gathering functions. The Collector overseer controls the actions of the modules, informing each module of what data to gather, and when. The overseer also provides all the interaction with the Controller and Listener. This separation of function allows the data gathering modules to be very lightweight as each module has a dedicated function. The separation of the overseer and the collection modules allows for the ability to upgrade or add new modules on the fly without requiring a complete upgrade of the Collector.

    The Collector has a threadpool-based model that grants a high level of flexibility. This flexibility ranges from a simple local Collector that gathers a small amount of system information to a Collector that acts as a collection node and gathers data from a large number of remote assets through SNMP, WMI, and application-specific protocols, and forwards it to the Listener.

    GUI

    The GUI is the primary front end to the DPA processes. This process runs on desktops either locally or through the Java WebStart system. The GUI is used for all user-driven configuration and reporting.

    The GUI provides interactive access to a complete set of configuration functions for DPA and allows customization of every aspect of the following:

    Data gathering

    Reporting

    Analysis abilities

    [Figure 2 labels: Collector, Network Interface, Network Switch, Storage Array, Backup Application]

    In NetWorker environments, the GUI can be launched from NMC. In non-NetWorker environments, launch the Standard GUI using a web browser on the DPA server. The EMC Data Protection Advisor Version User Guide provides details on how to start the standard GUI.

    Altering certain configuration settings can modify the behavior of the GUI. Chapter 9, System Settings, provides details on how to modify these settings.

    Predictive Analysis Engine

    The Predictive Analysis Engine (PAE) is an advanced analysis system and inference engine designed to look for correlations, connections, and trends within the datamine and draw conclusions that are useful to application administrators.

    The PAE acts like a knowledgeable worker, looking at a number of different situations and attempting to recognize problems. When it finds a problem, it attempts to narrow down the cause by following a list of instructions in a program called a ruleset. Rulesets are based on a datamine-specific language that allows examination of the information in the datamine through standard reports, coupled with suitable mathematical, logical, and specialist operations. This ruleset enables the PAE to spot an initial problem and to provide information on the probable cause and possible resolution.

    When the PAE finds a condition on which it has been programmed to alert, it automatically logs the information back to the datamine. The PAE can also send the alert to other systems defined by the user through mechanisms such as SNMP and e-mail.

    Publisher

    The Publisher is a non-interactive process that allows you to automatically generate reports on a scheduled basis and publish them simultaneously in a variety of output formats. Reports can be sent as an e-mail attachment and saved to disk for later viewing using a web browser. If you save reports to disk, you can specify the format in which you would like to save the file. File types include HTML, JPEG, CSV, and XML.

    It is not critical that the Publisher runs at all times, but if the Publisher is not running, scheduled reports will not be published.

    If the DPA Server is restarted, or the Publisher otherwise stops working for a time, the Publisher automatically reschedules any reports that were in the Publisher queue at the time of failure to run immediately. Reports that were scheduled between the time the Publisher went offline and then restarted, but were not in the Publisher queue, will not automatically run when the Publisher resumes.

    For example, the Publisher goes offline at 4:00 p.m. and resumes at 6:00 p.m. with two scheduled reports in progress and a third scheduled at 5:00 p.m. The two reports in the queue will run immediately, but the report scheduled for 5:00 p.m. will not.

    Altering certain configuration settings can modify the behavior of the Publisher. Details on how to modify these settings are provided in Chapter 9, System Settings.


    Recoverability analysis

    The recoverability analysis engine of DPA discovers selected clients' applications, databases, filesystems, and their mapping to physical storage devices. It maps all the copies (recovery points) of the primary data, including snapshots, clones, and remote synchronous and asynchronous replicas.

    The Illuminator server process receives datamine data from the Collector, stores the data in the illuminator database, and provides data to the Reporter process. Data can be gathered remotely from the Illuminator server host.


    The Collector

    The Collector process gathers data from applications, hosts, and devices. When the Collector starts, it communicates with the Controller process on the DPA server to determine what to monitor and how often to monitor it. The configuration information returns in the form of a series of data gathering requests. The Collector performs these requests and sends the collected data back to the Listener process on the DPA server. All communication to and from the Collector process is conducted through an XML-based API.

    A Collector is installed automatically on the DPA server when the server component is installed. This provides the ability to monitor devices and applications remotely, although this may require the installation of additional software on the DPA server. Additional Collectors can be installed onto any other supported host in the environment. Installing Collectors on additional computers increases the amount and types of data that you can collect because you cannot collect all data types remotely.

    The Collector process is split into a core component and a set of modules that implement data gathering routines. The core component communicates with the Controller process on the server to obtain its configuration and to schedule the data collection requests. When data is returned from a module, the core component formats the response into XML and sends it back to the Listener process on the server.

    Connecting to the Listener

    If a network interruption or server failure occurs, the Collector process stores module data in a local data store until the connection to the Listener is re-established. If the local data store becomes full, the Collector stops processing data gathering requests. When the connection is resumed or space becomes available in the data store, the Collector forwards the data in the data store to the Listener, collects data on any backup Jobs that have occurred since the connection was lost, and resumes normal data gathering.

    Chapter 9, System Settings, contains information on the system settings, including the data store size, for the Collector.

    Collector modules

    Each module in the Collector is implemented as either a shared library or DLL depending on the platform on which the Collector is running. This modular design means that new modules can be added to the Collector to enhance its data collection capabilities.

    Each module has several functions that are used to gather different types of data. Structuring the data gathering in each module into a series of functions allows you to gather different types of data at different rates. For example, the memory module implements three functions:

    The configuration function gathers information on the amount of memory that exists on the host. As this information does not change frequently, this information is gathered once a day.

    The status function gathers information on the amount of memory that is currently being used. This information changes very frequently, thus it is gathered every 5 minutes.

    The performance function gathers information on memory performance in terms of how much memory is being paged in and out of virtual memory stored on disk. Again, this information changes fairly frequently and is gathered every 5 minutes.


    Remote monitoring

    You can configure a Collector process to monitor certain types of data remotely. When performing remote monitoring, the computer on which the Collector is running is called the proxy host. To gather data, the Collector uses a remote protocol to communicate with the computer from which it is collecting data, then forwards that information back to the DPA server. The remote protocol type depends on the type of data that is being gathered.

    Not all information can be gathered remotely from all applications and devices that are supported by DPA. The EMC Data Protection Advisor Administration Guide describes how to gather data remotely and how to configure DPA requests.


    Data Protection Advisor Integration

    Data Protection Advisor is designed to operate within an environment as part of the overall monitoring and management strategy. Because of this, its ability to interface with other software is an important part of its usability. The following sections describe the ways in which third-party and proprietary software can be integrated with DPA to provide a seamless enterprise monitoring system.

    This section includes the following sections:

    Input Integration on page 18

    Output Integration on page 18

    Input Integration

    Input integration consists of the following:

    Configuration Feed on page 18

    Enterprise-specific Application on page 18

    Configuration Feed

    Under normal operation, the Controller does not receive a large number of requests because it is a configuration repository. It remains relatively static and is queried infrequently. However, many enterprises already have their own configuration databases which contain information on the company's assets. By building a configuration feed, it is possible for the Controller to populate the local configuration database, or the other way round, as required. This effectively links DPA with the company's own asset system and allows for reports on areas such as gap analysis. Gap analysis capabilities are generally not available in today's products.

    Enterprise-specific Application

    All enterprises have a number of applications that are specific to them, their industry, or their own requirements. No commercial monitoring systems provide monitoring of these items as standard. However, because of the open XML API, it is possible for customers to write their own monitoring script and send the resulting information to the Listener. This simple method of integration allows custom applications to take advantage of the advanced DPA datamine, reporting, and analysis features with minimal development effort.

    Output Integration

    Output configuration consists of the following:

    Reports on page 18

    On-going Processing on page 18

    Alerts on page 19

    Reports

    Reports produced either by the GUI or through the Publisher can be exported in a format suitable for offline viewing. All report types can be saved as JPEG images and suitable HTML representations of reports. Reports in either format can be sent by e-mail or published to a website. This allows the reports to be integrated into a larger reporting framework.

    On-going Processing

    Sometimes the data held in the DPA datamine must be used as part of a report that is outside the scope of DPA operations. To provide for this, the results of a report can be exported in the format of comma-separated values (CSV) and saved to a file. CSV is commonly used by programs such as Microsoft Excel and can easily be imported to provide the information for further processing and final reports.


    Alerts

    A common requirement for integration into large environments is to be able to send alerts into an operations system. The standard format for transmitting such information is the Simple Network Management Protocol, or SNMP. All results from the PAE can be sent in the format of SNMP traps.

    Another common method of notification is e-mail. The PAE allows for information regarding alerts to be sent to one or more e-mail addresses, and provides custom e-mail headers to allow for programmatic sorting and assignment of alerts by the receiving processes. E-mail transfer is through the industry standard SMTP mechanism and only requires an active mail hub to operate.

    Finally, the PAE also has the ability to run an arbitrary script in an alert condition. The script can carry out any customized action required by the user, such as sending the alert to a trouble ticketing service or paging support personnel with the details of the problem.


    Chapter 2, Getting Started

    This chapter describes how to log in to the DPA user interface, change the initial password, and load the license required to enable the software. It contains the following sections:

    Starting Data Protection Advisor
    Launching DPA from NetWorker
    Creating user roles and users


    Starting Data Protection Advisor

    The following checklist describes the process of starting up and logging into DPA after an upgrade or new installation.

    Table 1 First-time login checklist

    Step Task Description

    1. Start DPA If you have installed a GUI client on your machine, log in to DPA from the desktop by double-clicking the icon (Windows) or running the dpa_gui executable (UNIX).

    Otherwise, log in to the DPA server from a web browser. Open a web browser, type http://servername:9002 in the Address field, and press Enter. The DPA launch page appears. Click Start to start the web client.

    2. Log in If this is a new installation, use administrator for both the User Name and Password fields.

    3. Synchronize the system and DPA clocks (if needed)

    The following warning message may be displayed:

    'User Authentication failed due to the times on the client and server not matching. Please ensure that the times are synchronized'

    To resolve this issue, ensure that the system clock times on the client and server are synchronized. As part of the User Authentication process, DPA relies on the system clock times on the client machine and the server differing by less than 1 minute.

    4. Add the base enabler license and other licenses

    If this is the first time you are running DPA, the license manager prompts to add a license.

        1. Click Yes. The License List dialog box appears, showing all the current licenses. Click Add.

        2. Navigate to and select the license file or files that have been sent by EMC. Press Ctrl and click to select multiple licenses.

        3. Click OK to confirm the license addition. The license file is added to the system and displayed in the License List dialog box.

    You can open the License Manager from the DPA GUI by selecting Tools > License Manager.

    5. Change the default passwords

    If this is the first time you are running DPA, for security, the Initial Configuration Wizard prompts to change the default passwords for users, administrators, and engineers.


    6. Set the data protection terminology

    The Initial Configuration Wizard will prompt for the preferred terminology to use in the DPA GUI:

        Selecting Networker indicates that Save Set is used for an instance of a data protection operation, and Storage Node is used for a server or host with backup storage devices attached.

        Selecting Generic indicates that Job is used for an instance of a data protection operation, and Media Server is used for a server or host with backup storage devices attached.

    The terminology used in the GUI can be changed after installation using a command line tool. The DPA command line tools are described in the EMC Data Protection Advisor Administration Guide.

    7. Upgrade the Configuration view

    If you are upgrading DPA from a previous version, the Configuration View Wizard will prompt whether to keep your current Configuration View setup, or convert it into the format of the new DPA version:

        Merge by Group Name: Creates a new Configuration view in the current DPA version style, and imports the old Configuration view node groups based on matching group names.

        Import new groups: Keeps the current view structure, and imports only groups new to this DPA version.

        Leave my configuration view as it is: Makes no changes to the current view.

    The following apply:

        If any node groups in the old view could not be matched in the new view, a "To be Reviewed" group is created containing those groups.

        Requests, analyses, and database maintenance plans inherited by a node are migrated into the new tree structure. If the validation process for these assignations fails, DPA prompts that the invalid assignations must be corrected manually.

        The old view still exists as a reference, with all links and requests still assigned to nodes. However, it will not function as a view, and requests cannot be assigned to nodes in the old view.

        No user-created views are affected, only the Configuration view.

    8. Start the Data Collection Wizard

    If this is the first time you are running DPA, the Data Collection Wizard automatically opens. Use the Wizard to create a node and start monitoring a data protection server or device. Chapter 2, "Data Monitoring", of the DPA Administration Guide describes the software and connection configuration required before the Data Collection Wizard should be run.


    Launching DPA from NetWorker

    If you have DPA installed on a machine that also has the NetWorker server installed, you can also launch DPA from NetWorker. To log in to DPA in NetWorker environments:

    1. Open a web browser, and type http://servername:9000 in the Address field, and press Enter. This opens the NetWorker Management Console (NMC) launch page.

    2. Click Start. The login screen for NMC appears.

    Note: The version of the Java Virtual Machine (JVM) required to launch Data Protection Advisor is 1.5.0_12. JVM 1.6 or later is not supported by NetWorker 7.4 or earlier. If you are launching Data Protection Advisor from NetWorker 7.4, you must have installed a 1.5.xx version of the JVM.

    3. If this is the first time you are using DPA, log in to NMC as the NMC administrator user. The default password for the administrator user is administrator. Click OK.

    4. The NMC user interface appears. Select Start > DPA from the menu.


    Creating user roles and users

    A user role is a way to limit the functionality and GUI options granted to groups of DPA users, by assigning only specific privileges. A user can edit his or her own profile to customize their GUI.

    Creating a new user

    1. Log in to DPA as a user with administrator privileges.

    2. Select Tools > User Editor from the menu. The User List dialog box appears and shows all users defined in DPA.

    3. Click New. The User Properties dialog box appears.

    4. Click the User Properties tab and specify the fields described in Table 2 on page 25.

    5. Click OK to save the user account.

    Table 2 User Properties fields

    Property | Description
    Logon name | Name used to log in to DPA.
    Full Name | Full name of the user. This is a descriptive field that allows you to enter more information about the account being created.
    External name | Name used to log in to DPA from external systems. This field is only enabled if LDAP or Kerberos is selected in the Authentication type field.
    Role | Role of the user. Values include User, Administrator, Engineer, and user-defined roles.
    Authentication type | Authentication method for the user when logging in to the application. DPA supports authentication from external systems. Set this field to NMC in a NetWorker environment. In non-NetWorker environments, set this field to one of the following: Password, which specifies that the password is stored within the DPA database in encrypted form; LDAP, which specifies that DPA authenticates the user against an LDAP server in the environment; Kerberos, which specifies that DPA authenticates the user against a Kerberos server in the environment. More information on LDAP and Kerberos is available in Chapter 3, "Using external authentication systems."
    Password | The password to authenticate the user. This field is not required if launching the user interface from NMC. Users may change their own passwords from this dialog box.
    Verify | Type the password again to validate that the password is correct.

    Creating a new user role

    1. Log in to DPA as a user with administrative privileges.

    2. Select Tools > User Roles Editor. The User Role Editor displays a list of system and user-defined roles.

    3. Click New. The User Role Properties dialog box appears.

    4. In the Name field, type a name for the role. Type a description in the Description field.

    Select the appropriate tab in the User Role Properties dialog box to assign components to a user role. A user role has the following components:

    Privileges, which are a set of options that define the actions a user can carry out within the User Interface (for example, Create Reports). Table 4 on page 28 describes all of the user role privileges.

    Control Panels, which are a list of Control Panels that the user has the ability to select as an initial Control Panel when the GUI is first launched.

    Menus, which are a list of reporting menus that the user can access when using the GUI.

    Views, which are a list of views that the user can access when using the GUI.

    5. Use the Select All and Deselect All buttons to clear all privileges. Use the arrow and double arrow buttons to allow other components.

    Note: Only user-created Control Panels are available from the Home Control Panel list.

    6. Select a component in the Default field to set the default view for the role. This value is overwritten by the value in the User Properties dialog box.

    7. Click OK to save the role.

    Changing your own password

    1. Log in as the user.

    2. Select File > Preferences from the menu bar. The Preferences dialog box appears.

    3. Type the new password in both the Password and Verify fields and click OK.

    Resetting a user's password

    If required, an administrator can reset a user's password. This requires shutting down the DPA Server and running the controller with the username and password parameters.

    To reset a user's password:

    1. Shut down the DPA Server.

    2. Navigate to the DPA installation directory.

    3. On UNIX platforms, source the dpa.config file.

    4. Run the following command:

    UNIX: dpa_controller -m RESETUSER u -p

    Windows: dpa_controller.exe -m RESETUSER u -p

    If exists, the user's password will be reset to and their system role changed to Administrator (if it is not already). If does not exist, a new DPA user account (with the Administrator system role) will be created.

    5. The controller will immediately exit after the user's password is changed.

    6. Restart the DPA Server.


    Changing the way reports appear to users

    There are several reporting preferences that can be specified to control the behavior of DPA when running reports.

    1. Select Tools > User Editor. The User List dialog box appears.

    2. Select a user and click Edit.

    3. Click the Preferences tab.

    Table 3 on page 27 describes the user reporting preference fields.

    Table 3 User reporting preferences

    Field | Description
    Anchor axis | Controls whether the y-axis is set between 0 and 100% or floats around the values returned in the data when displaying chart reports.
    Smooth graph | Controls whether an average operator is applied to trend charts.
    Tooltip | Controls whether tool tips appear on charts.
    Confirm exit | Controls whether DPA displays a confirmation dialog box upon exiting if there are reports open in the GUI.
    Confirm save | Controls whether DPA displays a save dialog box when saving an item in the application.
    Always save | Controls whether new or modified items are saved upon exiting.
    Refresh reports | Configures whether reports automatically refresh when displayed.
    Refresh rate | Controls how often, in seconds, reports refresh. This setting applies to Refresh mode only.
    Maximum reports | Maximum number of reports displayed simultaneously in the GUI. If the user opens more than this number of reports, the GUI closes the oldest report before opening the new one.
    Number of points | Maximum number of points returned in each chart series.
    Minimum Trend Points | The minimum number of points of historical data that is required to plot a forecast trend.
    Minimum Trend Fitness | The minimum data fitness requirement in order for a forecast trend to be shown.
    Maximum table rows | Maximum number of rows displayed in a table.
    Report history count | Number of reports stored in the report history.
    Currency | Default currency to be used in chargeback reports. If not specified, this field defaults to the currency of the locale of the user.
    Time zone | Time zone to be used for running all reports. The default is the time zone on the current computer, but can be overridden if the user is reporting on information that occurred in a different time zone.
    Home Control Panel | Control Panel displayed when a user first logs in. If no Control Panel is specified, users are logged directly in to the main user interface.
    Default view | Initial view displayed when a user logs in to DPA.
    Default menu | Name of the menu displayed when the user clicks a node in the Navigation tree.


    Changing the way the GUI looks for users

    1. Click Appearance from the User Properties dialog box.

    2. Change the default appearance of charts and tables displayed in reports.

    The color of the background, foreground, title, axis, plot area, or grid can be changed.

    To change the color of an object:

    1. In the Appearance region, select Chart or Table from the list of values. Select a parameter from the list of values in the adjacent field.

    2. Click Edit. The Color Properties dialog box appears.

    3. Click the desired color on the color chart and click OK.

    4. If you chose to edit the font parameters, the Font Properties dialog box appears.

    5. Modify the Font and Size by selecting a value from the respective list boxes.

    6. Modify the Style field by selecting either Italic or Bold.

    7. Click OK.

    Setting privileges for user roles

    Table 4 on page 28 describes all of the privileges that appear in the User Role Properties dialog box. Assign or disallow privileges to limit the options available to DPA users.

    Table 4 Role privileges

    Privilege | Description
    Assign Analyses | Assign and unassign analyses and alerts within views to which users have access.
    Assign Auto Reconciliation Policies | Assign and unassign auto-reconciliation policies within views to which users have access.
    Assign Chargeback Policies | Assign and unassign chargeback policies within views to which users have access.
    Assign Data Protection Policies | Assign and unassign data protection policies within views to which users have access.
    Assign Database Maintenance Plans | Assign and unassign database maintenance plans from the views to which users have access.
    Assign Nodes | Assign, unassign, cut, copy, and paste nodes to the view in which users are assigned.
    Assign Recoverability Policies | Assign and unassign recoverability policies within views to which users have access.
    Assign Requests | Assign and unassign requests and run Reload Collectors within the views to which users have access.
    Edit Analyses | Create, update, and delete analyses.
    Edit Attributes | Create, update, and delete attributes.
    Edit Auto Reconciliation Policies | Create, update, and delete auto-reconciliation policies.
    Edit Chargeback Policies | Create, update, and delete chargeback policies.
    Edit Control Panels | Create, update, and delete Control Panels.
    Edit Credentials | Create, update, and delete credentials.
    Edit Data Protection Policies | Create, update, and delete data protection policies.
    Edit Database Maintenance Plans | Create, update, and delete database maintenance plans.
    Edit Excludes | Exclude and include gaps from the SLM workspace and recoverability reports.
    Edit Licenses | Modify and add licenses.
    Edit Menus | Create, update, and delete menus.
    Edit Nodes | Create, update, and delete nodes.
    Edit Reports | Create, update, and delete reports.
    Edit Requests | Create, update, and delete requests.
    Edit Resolutions Reasons | Create, update, and delete resolutions reasons.
    Edit Rulesets | Create, update, and delete rulesets.
    Edit Scheduled Reports | Create, update, and delete scheduled reports.
    Edit Schedules | Create, update, and delete schedules.
    Edit System Settings Advanced | Edit the options in the Advanced tab of the System Settings dialog box.
    Edit System Settings Auto Reconciliation Policy | Edit the system-wide Auto-Reconciliation Policy settings in the System Settings dialog.
    Edit System Settings Chargeback | Edit the system-wide Chargeback settings in the System Settings dialog.
    Edit System Settings Client Reporting | Edit the options in the Client Reporting tab of the System Settings dialog box.
    Edit System Settings Data Protection Policy | Edit the system-wide Data Protection Policy settings in the System Settings dialog.
    Edit System Settings Kerberos | Edit the system-wide settings in the Kerberos tab of the System Settings dialog.
    Edit System Settings LDAP | Edit the system-wide settings in the LDAP tab of the System Settings dialog.
    Edit System Settings Processes | Modify the settings for the DPA processes in the System Settings dialog, including adding and removing Collectors.
    Edit System Settings Recoverability Checks | Enable and disable the recoverability checks in the System Settings dialog.
    Edit System Settings Recoverability Policy | Edit the system-wide Recoverability Policy settings in the System Settings dialog.
    Edit System Settings Resolution | Customize Resolution fields in the System Settings dialog.
    Edit User Attribute Values | Create, update, and delete user attributes. Select user attributes in the User Preferences dialog box.
    Edit User Preferences | Modify user preferences.
    Edit Views | Create, update, and delete views.
    Edit Windows | Create, update, and delete windows.
    E-mail Reports | E-mail reports from the user interface.
    Export | Export metadata from DPA.
    Import | Import metadata into DPA.
    Import Hosts from ECC | Import hosts by EMC Control Center host from the Discovery Wizard.
    Import Hosts from File | Import hosts by CSV file from the Discovery Wizard.
    Manage VMware Plug-in | Register and unregister the VMware Plug-in from the Navigation tree.
    Print Reports | Print reports from the user interface.
    Run Request | Run requests from the Node Properties dialog.
    SLM Workspace | Open the SLM Workspace from the Tools menu.
    Save Reports | Save reports to the filesystem.
    View Data Protection Policies | View the Data Protection Policy Properties dialog for a policy.
    View Excludes | View the excludes associated with a recovery point.
    View Request History | View the Request History for a node from the Node Properties dialog box.
    View System Settings Recoverability Checks | View the available Recoverability Checks from the System Settings dialog box.

    Table 5 on page 30 lists the privileges necessary to perform certain procedures in the GUI.

    Table 5 User actions

    Action | Required privileges
    Add a new group | Edit Nodes, Assign Nodes
    Add a new node | Edit Nodes, Assign Nodes
    Use the Data Collection wizard | Edit Nodes, Assign Nodes, Assign Requests
    Add a new query | Edit Nodes, Assign Nodes
    Unassign a node | Assign Nodes
    Reload the Collectors | Assign Requests
    Make a node static | Edit Nodes, Assign Nodes
    The menu functions Edit > Copy, Edit > Cut, Edit > Paste | Assign Nodes

    The default DPA users and roles

    During first installation, DPA creates the following users:

    Administrator (the default password is administrator)

    Application owner (the default password is application owner)

    Engineer (password is engineer)

    User (the password is user)

    During first installation, DPA creates the following roles:

    Administrator, who can perform all configuration and reporting functions.

    Application Owner, who can perform all reporting functions and modify credential settings.

    Engineer, who can perform all reporting functions and most configuration functions. Operators cannot create or modify Users or User Roles, or modify System Settings.

    User, who can perform reporting functions only.

    Only the administrator role can create, update, and delete users.
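
    The action-to-privilege mapping in Table 5 can double as a least-privilege check when you define a role. The following is an added example, not part of the EMC guide or of DPA itself: it transcribes Table 5 into a dictionary and reports, for a hand-entered privilege set (constructed sample data; the function names are hypothetical), which privileges are missing, which are excess, and which actions the role can perform that were never intended.

```python
"""Least-privilege check for a DPA user role, based on Table 5 of this guide.

Added example, not EMC code. Roles are defined in the User Roles Editor GUI;
the privilege sets passed in below are typed in by hand (constructed data).
"""

# Action -> privileges it requires, transcribed from Table 5 (User actions).
TABLE_5 = {
    "Add a new group": {"Edit Nodes", "Assign Nodes"},
    "Add a new node": {"Edit Nodes", "Assign Nodes"},
    "Use the Data Collection wizard": {"Edit Nodes", "Assign Nodes", "Assign Requests"},
    "Add a new query": {"Edit Nodes", "Assign Nodes"},
    "Unassign a node": {"Assign Nodes"},
    "Reload the Collectors": {"Assign Requests"},
    "Make a node static": {"Edit Nodes", "Assign Nodes"},
    "Edit > Copy, Cut, Paste": {"Assign Nodes"},
}

# Every privilege that Table 5 mentions; anything else has to be judged
# by hand against the descriptions in Table 4.
COVERED = set().union(*TABLE_5.values())


def required_privileges(actions):
    """Smallest privilege set that permits every action in `actions`."""
    unknown = [a for a in actions if a not in TABLE_5]
    if unknown:
        raise KeyError(f"not a Table 5 action: {unknown}")
    needed = set()
    for action in actions:
        needed |= TABLE_5[action]
    return needed


def enabled_actions(granted):
    """Table 5 actions a role can perform with the privileges in `granted`."""
    granted = set(granted)
    return sorted(a for a, req in TABLE_5.items() if req <= granted)


def audit_role(granted, intended_actions):
    """Compare what a role was given with what its users are meant to do."""
    granted = set(granted)
    needed = required_privileges(intended_actions)
    return {
        # Intended actions fail until these are added to the role.
        "missing": sorted(needed - granted),
        # Granted and covered by Table 5, but not needed for any intended action.
        "excess": sorted((granted & COVERED) - needed),
        # Actions the role can perform although nobody asked for them.
        "unintended_actions": sorted(
            set(enabled_actions(granted)) - set(intended_actions)
        ),
        # Granted privileges that Table 5 says nothing about: review manually.
        "review_manually": sorted(granted - COVERED),
    }


if __name__ == "__main__":
    # Constructed role: an operator who should only reload the Collectors.
    report = audit_role(
        granted={"Assign Requests", "Edit Nodes", "Edit Credentials"},
        intended_actions=["Reload the Collectors"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

    Granting Edit Nodes and Assign Nodes so that a role can add a node also enables five other Table 5 actions; the unintended_actions entry surfaces that side effect.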


    Expanding user definitions with attributes

    User attributes supply information about a user in addition to that provided in the User Preferences dialog box (for example, phone numbers or preferred names). After a user attribute is created with the Attribute Editor, the attribute is added using the Attributes tab of the User Preferences dialog box.

    Creating a user attribute

    1. Log in as an administrator with the Edit Attributes privilege.

    2. Select Tools > Attribute Editor. The Attributes List dialog box appears.

    3. Click New. The Attributes Properties dialog box appears.

    4. In the Properties tab, type a Name and optional Description for the attribute.

    5. Select User in the Scope field.

    6. Select the user attribute Type. Available types are described in Table 6 on page 33.

    After an attribute is saved, the data type cannot be changed. To change the data type, delete the attribute and create a new attribute.

    7. If you selected a Type of Enumerated or Dynamic Enumerated, click the Add button to add a value to the Enumeration list. All the values in the list will be available from a list box from the Node Properties dialog box.

    The list is automatically sorted as items are added, edited, and removed.

    8. Select Value Required if the attribute must be assigned a value in a user definition.

    9. Select Default Value to supply an optional default value in the field.

    10. Click OK.

    Assigning an attribute to a user

    1. Log in to DPA as an administrator with the Edit User Attribute Values privilege.

    2. Select Tools > User Editor.

    3. Click Attributes.

    Note: The Attributes tab only appears if the user has the Edit User Attribute Values privilege and at least one non-hidden user attribute exists.

    4. Clear No Value and select or type a value for the attribute. Possible values will depend on the data type of the attribute.

    5. Click OK.

    Users with the Edit User Attribute Values privilege can also modify their own attributes from the User Preferences dialog box.

    Deleting an attribute

    To delete an attribute:

    1. Select Tools > Attribute Editor.

    2. Select the attribute to delete and click Delete.

    3. Click Yes to confirm the deletion.

    Note: Deleting an attribute removes the extended information stored for each user relating to that attribute. Re-creating the attribute will not bring back the lost information.

    Types of attributes

    Table 6 on page 33 lists the possible attribute types.

    Table 6 Attributes properties fields

    Field Description

    Flag True or False only.

    Text Any combination of alphanumeric characters.

    Integer Value Integer (for example, 3).

    Decimal Value Decimal number (for example, 3.14).

    Window Schedule System or user-defined schedule.

    Duration Time duration (available as seconds, minutes, hours, days, or weeks).

    Enumeration A user-defined list of values. Enumerated lists cannot be edited when the attribute list appears in the Node or User Properties dialog boxes.

    Dynamic Enumeration A user-defined list of values. Items in a dynamically enumerated list can be edited and added when the list appears in the Node or User Properties dialog boxes.

    3

    Using external authentication systems

    This chapter describes how to configure users to log in to DPA from LDAP and Kerberos:

    Setting up LDAP authentication

    Setting up Kerberos authentication

    Setting up LDAP authentication

    DPA allows the integration of a Lightweight Directory Access Protocol (LDAP) server in the environment so that user passwords do not need to be stored in the DPA database. When a user logs in to DPA, the Controller service communicates with the LDAP server, verifies that the user exists, and authenticates the password against that user stored in LDAP.

    DPA supports Microsoft Active Directory and OpenLDAP as LDAP servers. If you have installed DPA on a UNIX environment and are authenticating to a Microsoft Active Directory LDAP server, you cannot connect to the Windows machine using SSL.

    Basic configuration

    To enable LDAP integration in the environment, a number of configuration parameters must be defined in the application. To configure LDAP:

    1. Log in to the User Interface as an administrator.

    2. Access the LDAP Configuration panel using the System Settings dialog box. Select File > System Settings and select the LDAP tab.

    3. Specify the following parameters:

    Server

    The hostname of the LDAP server. The hostname must be resolvable from the DPA server.

    Use SSL

    If you want the Controller process to connect to the LDAP server using an SSL connection, select Use SSL. "Connecting to an LDAP server using SSL" on page 40 provides the requirements for connecting to an LDAP server using SSL.

    Port

    The port that the LDAP server listens on for requests. For non-SSL connections, this is typically port 389. For SSL connections, this is typically port 636.

    LDAP Version

    Version of LDAP that is used on the server. DPA supports version 2 and 3 of LDAP.

    Base Name

    The value entered must be the Distinguished Name of the base of the directory, for example, DC=eng,DC=company,DC=com. This location will be used as the starting point for all queries against the directory.

    Identification Attribute

    The attribute that is used to identify users in the directory. This is typically either CN (Active Directory) or uid (OpenLDAP).

    The Controller process connects to the LDAP server to authenticate a user using the following methods:

    "Anonymous bind" on page 37

    "Non-anonymous bind" on page 37.

    Each method has different benefits and implications on how to grant access to the application.

    Anonymous bind

    When binding anonymously to the LDAP server, the Controller process connects to the LDAP server without having to connect as a specific named user. This allows basic user authentication.

    When authenticating a user using an anonymous bind, the Controller must pass the Distinguished Name (DN) of the user to the LDAP server to authenticate it. The Controller must determine the full DN of the user when the user logs in.

    An example of a DN for a user is:

    CN=Mark,CN=Users,DC=eng,DC=company,DC=com

    The DN must be specified when defining a user in the User Editor. This must be typed in the External Name field in the User Properties dialog box.

    When the user attempts to log in to the application, they type the username in the Login dialog box, but the GUI forwards the value of the External Name field to the Controller for authentication against the LDAP server.

    For example, if using anonymous bind to authenticate a user, create a user using the User Editor with the following values:

    User Name: mark.

    External Name: CN=Mark,CN=Users,DC=eng,DC=company,DC=com.

    Authentication Type: LDAP.

    When logging in to the application, the user types the value mark, and the External Name is passed to the LDAP server for authentication.

    The disadvantage of using the anonymous bind method of authentication is that every user you want to log in must be predefined in the application along with the DN of each user. It is sometimes difficult to determine the DN of each user and it is possible to make typing mistakes that may cause authentication to fail. The alternative is to use a non-anonymous bind as discussed in "Non-anonymous bind" on page 37.

    Non-anonymous bind

    If a non-anonymous bind is used, the Controller process connects to the LDAP server as a named user before attempting to authenticate users who log in to the application. By logging in as a named user, the Controller has access to search the directory for users. This means that you do not need to specify the DN of each user who you want to have access to the application when creating user definitions.

    This means that you do not need to know the full path to each user inside the directory. For example, you could type a value like: John Citizen

    When the Controller authenticates, DPA searches the repository for users named John Citizen, and regardless of which Organization Unit (OU) they are in, it should find them.

    To enable non-anonymous binding:

    1. Clear Anonymous Bind in the LDAP settings dialog box to enable the Username and Password fields.

    2. Type the DN of the user required to connect in the Username field. For example, CN=ldapadmin,CN=Users,DC=eng,DC=company,DC=com.

    3. Set the password to correspond with that of the user.

    4. Test the username and password by clicking Validate in the System Settings dialog box. A message indicates whether the connection to the LDAP server succeeded.

    5. If using a non-anonymous bind, grant a user access to the application by creating a new user. In the User Editor, specify the following fields:

    User Name: Type the DPA username.

    Authentication Type: Select LDAP.

    External Name: Type the name that is passed to the LDAP server. This allows you to have a different username in DPA than that used to authenticate to Active Directory.

    When logging in to the application, the Controller attempts to connect to the LDAP server with the username and password specified in the LDAP settings, and searches the directory for that user. Upon finding the user, it attempts to authenticate with the password typed at login.

    Testing authentication

    To test user authentication with the LDAP server:

    1. Click Test User on the LDAP tab of the System Settings dialog box.

    2. If using an anonymous bind, type the full DN of the user requiring authentication in the Username field. For example, CN=mark,DC=vm,DC=eng,DC=company,DC=com.

    3. If using a non-anonymous bind, type the name that defines the user's entry in LDAP (for example, mark).

    Auto-Login

    Another advantage of using a non-anonymous bind to connect to an LDAP server is the ability to use a feature called Auto-Login. With Auto-Login, there is no need to define user entries in DPA for each user requiring access to the application. Access is granted based on the existence and group membership of a user in the LDAP directory.

    IMPORTANT! The Auto-Login feature is only supported when connecting to a Microsoft Active Directory server. Do not attempt to use this feature with an LDAP server other than Microsoft Active Directory.

    To enable Auto-Login:

    1. Click Edit in the Auto-Login section of the LDAP tab on the System Settings dialog box. This is enabled if Anonymous Bind is not selected. The Auto Login dialog box appears.

    2. Click Enable Auto Login.

    In its simplest form, Auto-Login allows users defined in LDAP to access the application. If new users are added to LDAP, they are automatically able to log in to the application using their LDAP username and password.

    3. To specify a role to assume when users are logged in to the application, select a role in the Default User Role field in the Auto Login dialog box.

    The default value is None, which means that any users attempting to log in, who do not have an assigned role, cannot log in. If a role is selected, then all LDAP users attempting to log in will be logged in to the application if their username and password are valid.

    Access can be limited to only those LDAP users who are members of specific LDAP groups. For example, an LDAP administrator can create a group named DPA Users and allow access to specified DPA group members. Non-members are not able to log in. User administration can then be maintained using LDAP rather than DPA. Users can be added or removed from the group in LDAP and changes take effect the next time the user logs in.

    4. To limit access to LDAP users who are members of specific groups, select Enable Group Mapping and complete the following fields:

    Group Base

    The Distinguished Name of the part of the directory that contains the group definitions (for example, CN=Users,DC=eng,DC=company,DC=com).

    Group Attribute

    The attribute name that is used to define a group in LDAP. For Active Directory implementations, this value is typically CN. For OpenLDAP implementations, it is typically uid.

    Group Membership Attribute

    The name of the attribute that specifies members of the group. This is queried to see whether a user is a member of a specific group. For Active Directory implementations of LDAP, this attribute is member.

    Group Mapping

    The Group mapping table. This allows you to enter a list of LDAP groups and associate a role with each group.

    To add a new group mapping, click Add. A new row is added to the table. Double-click on the row in the LDAP Group Name column and type the name of the group that you want to have access to the application (for example, DPA Users). When entering a Group, specify a corresponding role for that group. Members of the group are automatically given a role as specified in the group mapping.

    If users are members of multiple groups in LDAP, and multiple groups have been defined in the Group Mapping table, they are granted the role that is mapped to the first group in the list of which they are a member. The groups that map to a role with greater permissions should be highest in the list. Use Up and Down on the Group Mapping table to control the order of entries in the table.

    If using the Auto-Login feature, do not create a user definition in the application before attempting to log in. The first time the user logs in, the Controller authenticates the username and password, and then attempts to determine the role that should be granted based on the values specified in the Default User Role and Group Mapping fields. If a Role cannot be determined, the user is not granted access to the application. If the Role can be determined, the Controller automatically creates a user definition and the user is permitted to log in.

    Users who are removed from LDAP are no longer granted access. If a user's group membership is changed in LDAP, the role is re-evaluated at next login and is updated.
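    The role decision that Auto-Login makes at each login, modelled in Python as an added example (not DPA code and not part of the original guide). The sample directory data, the DPA Admins group name, the numeric role ranking, and the fallback from Group Mapping to Default User Role are assumptions of this example.

```python
"""Model of the Auto-Login role decision (added example, not DPA code)."""

# Role names come from the guide; the numeric ranking is this example's
# assumption and is used only by the ordering audit below.
ROLE_RANK = {"User": 1, "Engineer": 2, "Administrator": 3}

MARK = "CN=Mark,CN=Users,DC=eng,DC=company,DC=com"
JOHN = "CN=John Citizen,CN=Users,DC=eng,DC=company,DC=com"

# Constructed sample data: group CN under the Group Base -> values of the
# group's "member" attribute. "DPA Admins" is a hypothetical group name.
SAMPLE_GROUPS = {
    "DPA Admins": [MARK],
    "DPA Users": [MARK, JOHN],
}


def dn_key(dn):
    """Comparison key for a DN: case-insensitive, spaces around commas ignored.

    Simplified on purpose: escaped commas inside attribute values are not handled.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_role(user_dn, group_mapping, default_role, groups):
    """Return the role granted at login, or None when access must be denied.

    group_mapping is the ordered Group Mapping table: [(ldap_group, role), ...].
    The first listed group that contains the user decides the role. Falling
    back to default_role when no group matches is this example's reading of
    how Default User Role and Group Mapping combine.
    """
    key = dn_key(user_dn)
    for group_name, role in group_mapping:
        if key in {dn_key(m) for m in groups.get(group_name, [])}:
            return role
    return default_role


def audit_mapping(group_mapping, default_role):
    """Return human-readable findings for risky Auto-Login settings."""
    findings = []
    if default_role is not None:
        findings.append(
            f"Default User Role is {default_role!r}: any user with a valid "
            "LDAP password is admitted, group member or not"
        )
    for i, (group, role) in enumerate(group_mapping):
        for later_group, later_role in group_mapping[i + 1:]:
            if ROLE_RANK[later_role] > ROLE_RANK[role]:
                findings.append(
                    f"{later_group!r} ({later_role}) is listed below "
                    f"{group!r} ({role}): members of both get only {role}"
                )
    return findings


GOOD_ORDER = [("DPA Admins", "Administrator"), ("DPA Users", "User")]
BAD_ORDER = [("DPA Users", "User"), ("DPA Admins", "Administrator")]

if __name__ == "__main__":
    for label, table in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, "Mark ->", resolve_role(MARK, table, None, SAMPLE_GROUPS))
        for finding in audit_mapping(table, None):
            print("  finding:", finding)
```

    Running the audit over an exported copy of the Group Mapping table before enabling Auto-Login shows whether a member of several groups would receive a lower role than intended.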

    Connecting to an LDAP server using SSL

    DPA supports the ability to authenticate to an LDAP server using SSL in environments in which the LDAP implementation uses Microsoft Active Directory. In this configuration, Active Directory must be configured to accept connections using SSL, and the DPA server must be installed on a host that is a member of a domain configured on the Active Directory server. The DPA server must be installed on a Windows host.

    Connecting to an LDAP Server using SSL is not supported on UNIX DPA servers, or if the LDAP implementation is something other than Microsoft Active Directory.

    Setting up Kerberos authentication

    DPA allows users who are authenticated against a Kerberos server to log in. If Kerberos authentication is used, the DPA server must have a Kerberos configuration file installed to provide the server with information about the Kerberos server to which it will connect.

    On Windows, this file is called krb5.ini and must be located in C:\Windows. On UNIX, this file is called krb5.conf and is located in /etc. An example of the syntax for this file is displayed below:

    [realms]
    ENG.DPA.COM = {
        kdc = kerbserver.eng.dpa.com:88
        admin_server = kerbserver.eng.dpa.com
        default_domain = eng.dpa.com
    }

    [domain_realm]
    .eng.dpa.com = ENG.DPA.COM

    To configure DPA for Kerberos authentication:

    1. Log in to DPA as administrator.

    2. Select File > System Settings. The System Settings dialog box appears.

    3. Click the Kerberos tab.

    4. In the Realm field, type the realm with which the authenticated user is associated (for example, eng.emcbackupadvisor.com).

    To authenticate a user in different Kerberos realms, create the user in the User Editor, and set External Name to the desired name when logging in to DPA. Specify the External Name value as the fully qualified Kerberos name including the realm information (for example, [email protected]).

    5. Click OK.

    4

    Configuring Time Windows

    This chapter describes how to configure time windows (or windows) and contains the following sections:

    Working with time windows

    Working with time windows

    When you run a report or create a scheduled report, you must decide the period of time over which the report is run (for example, Last two weeks, or right now). This period is called a time window (or just window). DPA is installed with a number of time windows, and you can create your own.

    Creating a new window

    1. Log in as administrator.

    2. Select Tools > Window Editor. The Window List dialog box appears, showing all defined time windows.

    3. Click New. The Window Properties dialog box appears.

    4. Specify the Windows Properties fields, which are described in Table 7 on page 44.

    5. Click OK.

    "Creating a time definition" on page 44 provides instructions on using Edit Times on the Window Properties dialog box.

    Table 7 Window Properties fields

    Field Definition

    Name Name of the window.

    Description Description that adds information about the window being created.

    Start Time Time at which the window should start.

    End Time Time at which the window should end.

    Set Interval Indicates if a window is subdivided into a fixed number of intervals when running chart reports.

    Interval If Set Interval is selected, the Interval field is enabled, allowing you to set the size of each interval within the window.

    Adjust for Time Zone If selected, global reporting across nodes in different time zones is enabled. Global reporting makes it possible to run a report across several nodes that are in different time zones and have the report include the data that is specific to the time zone in which the device or application is located.

    Note: The Adjust for Time Zone field is disabled for the time windows that are shipped with the DPA installation. Create copies of these time windows if global reporting is required.

    Creating a time definition

    When creating a window, you must select a start time and end time. Several predefined time definitions are installed with DPA, or new time definitions can be created to customize windows.

    1. Log in to DPA as administrator.

    2. Select Tools > Window Editor.

    3. Click Edit Times in the Window Properties dialog box. The Time List dialog box appears.

    4. Click New. Edit the new time window in the Time Properties dialog box.

    5. Type a name and description in the Name and Description fields.

    6. Select options from the Day of Week, Day of Month, Month, Year, Hour, and Minutes fields to configure the time definition.

    Create times with relative or absolute times. For example, for the Month field, specify an absolute month such as July or August, or specify a relative month such as 1 month ago. Use combinations of relative and absolute times for the different fields to build a more complex time definition. For example, specifying 1 day ago for the Day of Month along with 6 p.m. for the Hour field and 15 minutes past for the Minutes field results in a time of 6:15 p.m. yesterday. This is evaluated at the time the report runs to produce an absolute time that is used when generating the report.

    Specify future dates in the Time Properties dialog box to better assist with capacity planning.

    7. Click OK.

    If a value for one of the time definition fields is not specified, the current time is used when the time is evaluated. For example, if 1 day ago is specified for the Day of Month, but no value is specified for the Hour or Minutes fields, then the time at which the report runs is substituted. If the report runs at 3:37 p.m., then the time is evaluated as 3:37 p.m. yesterday.

    Note: An error message appears if the time definition is still assigned to other windows, preventing it from being deleted.

    5

    Configuring Schedules

    Schedules are used by the publisher and analysis engine processes to configure when reports are dispatched and when analysis engine rules run. This chapter describes how to configure schedules and contains the following sections:

    Using the schedule editors

    Using the basic editor

    Schedule component editor

    Using the schedule editors

    A schedule is made up of components that define when each schedule produces certain results or runs certain reports. The Schedule Editor provides two ways to create schedules:

    Basic editor, which allows you to configure schedules using a graphical editor.

    Advanced editor, which allows you to create more complex schedules by manually editing the schedule parameters.

    Schedules created in the basic editor can be edited using the advanced editor. However, schedules created and saved in the advanced editor cannot be edited in the basic editor.

    To create a schedule:

    1. Select Tools > Schedule Editor. The Schedule List dialog box appears.

    The following schedules are available when you install DPA:

    9 a.m., every day

    Always

    Default SLA schedule

    2. To edit an existing schedule, click Edit. The Schedule Properties dialog box appears.

    Note: Schedules installed with DPA cannot be edited. When clicking one of the preinstalled schedules, View replaces Edit. To modify one of the preinstalled schedules, click Copy to modify a copy of the schedule.

    3. Type a name for the schedule in the Name field.

    4. Type a description in the Description field.

    5. Select Point-in-time or Time Window. A point-in-time schedule consists of point events (for example, something should happen at 8 a.m. each day). A time window schedule is a schedule that consists of time periods (for example between 8 a.m. and 9 a.m. every day).

    When you create a new schedule, the Schedule Properties dialog box displays the Basic schedule editor.

    Note: When creating schedules for data collection, time zones are not taken into account. "Creating a new window" on page 44 provides more information about time zones.

    The remaining sections provide instructions for the following:

    "Using the basic editor" on page 49

    "Using the advanced editor" on page 50

    Using the basic editor

    Use the basic schedule editor to create and edit schedules that last up to a week. These schedules repeat every week. Create both window schedules and point-in-time schedules in the basic schedule editor.

    Window schedules

    For a window schedule, add schedule components to a schedule by clicking the Start Time for the component and dragging the mouse to the End Time:

    1. To change the start and end times, select the window, and click Properties. The Schedule Component Properties dialog box appears.

    2. To delete a window, select the window to remove and click Delete.

    Point-in-time schedules

    For point-in-time schedules, add schedule components by clicking the mouse at the point in time to activate the schedule. Add multiple times by selecting additional times in the week as shown in Figure 3 on page 49.

    Figure 3 Schedule Properties Point in time

    To modify a point-in-time schedule component:

    1. Select the desired schedule (the color changes to green), and click Properties. The Schedule Component Properties dialog box appears.

    2. Modify the time at which the schedule component occurs by changing the values in this dialog box and click OK.

    3. To remove a point-in-time schedule component, select it and click Remove.

    Using the advanced editor

    To use the advanced schedule editor, click Advanced in the Schedule Properties dialog box.

    A schedule is composed of one or more schedule components. Each schedule component defines a period of time. Schedule components can either be inclusive or exclusive:

    Inclusive.

    Determines when a schedule runs.

    Exclusive.

    Defines times when a schedule does not run.

    When exclusive schedule components are p