Hitachi Automation Director Installation and Configuration

Hitachi Command Suite

Automation DirectorInstallation and Configuration Guide

MK-92HC204-07

© 2015, 2016 Hitachi, Ltd. All rights reserved

No part of this publication may be reproduced or transmitted in any form or by any means, electronicor mechanical, including copying and recording, or stored in a database or retrieval system forcommercial purposes without the express written permission of Hitachi, Ltd., or Hitachi Data SystemsCorporation (collectively “Hitachi”). Licensee may make copies of the Materials provided that any suchcopy is: (i) created as an essential step in utilization of the Software as licensed and is used in noother manner; or (ii) used for archival purposes. Licensee may not make any other copies of theMaterials. “Materials” mean text, data, photographs, graphics, audio, video and documents.

Hitachi reserves the right to make changes to this Material at any time without notice and assumesno responsibility for its use. The Materials contain the most current information available at the timeof publication.

Some of the features described in the Materials might not be currently available. Refer to the mostrecent product announcement for information about feature and product availability, or contactHitachi Data Systems Corporation at https://support.hds.com/en_us/contact-us.html.

Notice: Hitachi products and services can be ordered only under the terms and conditions of theapplicable Hitachi agreements. The use of Hitachi products is governed by the terms of youragreements with Hitachi Data Systems Corporation.

By using this software, you agree that you are responsible for:1. Acquiring the relevant consents as may be required under local privacy laws or otherwise from

authorized employees and other individuals to access relevant data; and2. Verifying that data continues to be held, retrieved, deleted, or otherwise processed in

accordance with relevant laws.

Notice on Export Controls. The technical data and technology inherent in this Document may besubject to U.S. export control laws, including the U.S. Export Administration Act and its associatedregulations, and may be subject to export or import regulations in other countries. Reader agrees tocomply strictly with all such regulations and acknowledges that Reader has the responsibility to obtainlicenses to export, re-export, or import the Document and any Compliant Products.

Hitachi is a registered trademark of Hitachi, Ltd., in the United States and other countries.

AIX, AS/400e, DB2, Domino, DS6000, DS8000, Enterprise Storage Server, eServer, FICON,FlashCopy, IBM, Lotus, MVS, OS/390, PowerPC, RS/6000, S/390, System z9, System z10, Tivoli,z/OS, z9, z10, z13, z/VM, and z/VSE are registered trademarks or trademarks of InternationalBusiness Machines Corporation.

Active Directory, ActiveX, Bing, Excel, Hyper-V, Internet Explorer, the Internet Explorer logo,Microsoft, the Microsoft Corporate Logo, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight,SmartScreen, SQL Server, Visual Basic, Visual C++, Visual Studio, Windows, the Windows logo,Windows Azure, Windows PowerShell, Windows Server, the Windows start button, and Windows Vistaare registered trademarks or trademarks of Microsoft Corporation. Microsoft product screen shots arereprinted with permission from Microsoft Corporation.

All other trademarks, service marks, and company names in this document or website are propertiesof their respective owners.

2Hitachi Automation Director Installation and Configuration Guide

https://support.hds.com/en_us/contact-us.html

Contents

Preface................................................................................................. 7Intended audience................................................................................................... 8Product version........................................................................................................8Release notes.......................................................................................................... 8Referenced documents.............................................................................................8Document conventions............................................................................................. 8Conventions for storage capacity values.....................................................................9Accessing product documentation........................................................................... 10Getting help...........................................................................................................10Comments.............................................................................................................11

1 Overview........................................................................................13Product overview................................................................................................... 14About related Hitachi Command Suite products........................................................ 14Hitachi Automation Director system configuration.....................................................15

Prerequisite Hitachi Command Suite products..................................................... 17Performance-based pool selection......................................................................17

Hitachi Automation Director installation and configuration workflow...........................18

2 Installing Hitachi Automation Director ..............................................21Installation prerequisites.........................................................................................22

Changing the server time.................................................................................. 22Changing the name resolution setting................................................................ 24Avoiding port conflicts.......................................................................................24

Installing Hitachi Automation Director......................................................................24Installing Hitachi Automation Director in a cluster environment..................................26

About using Automation Director in a cluster environment................................... 26Cluster installation workflow.............................................................................. 27Checking the cluster configuration using the cluster management software...........28Setting up Hitachi Automation Director clustering on an active node.....................28Setting up Hitachi Automation Director clustering on a standby node....................30Registering the services and initializing the cluster installation..............................32


Post-installation tasks............................................................................................. 33Verifying the installation....................................................................................34Registering a license......................................................................................... 34Changing the system account password............................................................. 34Stopping and starting Hitachi Command Suite and Automation Director services... 35

Stopping and starting all services from the Start menu...................................35Stopping and starting all services from a command prompt (Windows)........... 35Stopping and starting all services from a command prompt (Linux).................35Stopping and starting only the Automation Director services from the commandprompt (Windows)...................................................................................... 36Stopping and starting only the Automation Director services from the commandprompt (Linux)............................................................................................36

Enabling RMI communication.............................................................................36

3 Configuring Automation Director...................................................... 37Changing management server system settings......................................................... 38

Changing Automation Director port numbers...................................................... 38Changing the information of the server managing the user account......................38Changing the port number used by the task processing engine............................ 39

Hitachi Command Suite property updates for port number changes................ 39Changing the management server host name or IP address.................................40

Changing the management server host name................................................40Hitachi Command Suite property updates for management server host namechanges......................................................................................................41Hitachi Command Suite property updates for management server IP addresschanges......................................................................................................42

Changing the Automation Director URL.............................................................. 42Changing the management server URL......................................................... 42

Configuring secure communications.........................................................................43About Automation Director security settings........................................................44Configuring security for management clients.......................................................44

About secure communications for management clients.................................. 44Setting up SSL on the server for secure client communication (Windows)........45Setting up SSL on the server for secure client communication (Linux)............. 49Setting up SSL on web-based management clients........................................ 54

Setting up secure communication for an external authentication server................ 54Changing the port number of the authenticator connection for the primary HCSserver (Windows)............................................................................................. 54Changing the port number of the authenticator connection for the primary HCSserver (Linux)...................................................................................................55Importing VMware vCenter certificates............................................................... 55Importing the server certificate to a Device Manager agent trust store................. 56Importing the Device Manager server certificate................................................. 56Importing the server certificate of each Device Manager to the trust store of aHitachi Command Suite common component...................................................... 57Checking the server certificate expiration date.................................................... 58

Enabling RMI communication for Replication Manager...............................................59Moving a Hitachi Automation Director installation from one host to another................60Running Automation Director without an external network configuration.................... 62Changing the system configuration through the properties file (config_user.properties)............................................................................................................................ 62


Changing the port number for communicating with the HAD server through thecommand properties file (command_user.properties) ............................................... 73Changing the email notification definition.................................................................74Changing the password policy through the security definition file (security.conf) ........76Configuring information used to connect with the operation target machine............... 79Preconditions for an agentless connection place (Windows).......................................85Preconditions for an agentless connection place (SSH) .............................................87

Password authentication....................................................................................87Public key authentication...................................................................................87Keyboard interactive authentication....................................................................89

Using multiple Device Managers from one HAD sever................................................91

4 Removing Hitachi Automation Director..............................................93Removing Hitachi Automation Director (Windows).................................................... 94Removing Hitachi Automation Director (Linux)..........................................................94Removing Hitachi Automation Director software in a cluster environment................... 95Deleting authentication data................................................................................... 98

A Hitachi Automation Director file location and ports...........................101Automation Director file location............................................................................102Port settings........................................................................................................ 103

B Using the hcmds64keytool utility.................................................... 107

Glossary............................................................................................ 109

Index................................................................................................ 119



PrefaceThis document describes how to install and configure Hitachi AutomationDirector (HAD).

□ Intended audience

□ Product version

□ Release notes

□ Referenced documents

□ Document conventions

□ Conventions for storage capacity values

□ Accessing product documentation

□ Getting help

□ Comments

Preface 7Hitachi Automation Director Installation and Configuration Guide

Intended audienceThis document provides instructions for storage administrators, who areresponsible for storage, services, and applications within the storageenvironment.

Product versionThis document revision applies to Hitachi Automation Director v8.5.0 or later.

Release notesRead the release notes before installing and using this product. They maycontain requirements or restrictions that are not fully described in thisdocument or updates or corrections to this document. Release notes areavailable on Hitachi Data Systems Support Connect: https://knowledge.hds.com/Documents.

Referenced documents• Hitachi Automation Director User Guide, MK-92HC205

• Hitachi Automation Director Installation and Configuration Guide,MK-92HC204

• Hitachi Command Suite Automation Director REST API User and ReferenceGuide, MK-92HC217

• Hitachi Automation Director API Use Case Reference, MK- 92HC232

• Hitachi Automation Director Release Notes, RN-92HC206

• Hitachi Command Suite Automation Director Messages, MK-92HC221• Hitachi Command Suite System Requirements, MK-92HC209

Document conventionsThis document uses the following typographic conventions:

Convention Description

Bold • Indicates text in a window, including window titles, menus, menu options,buttons, fields, and labels. Example:Click OK.

8 PrefaceHitachi Automation Director Installation and Configuration Guide

https://knowledge.hds.com/Documents


Convention Description

• Indicates emphasized words in list items.

Italic • Indicates a document title or emphasized words in text.• Indicates a variable, which is a placeholder for actual text provided by the

user or for output by the system. Example:pairdisplay -g group(For exceptions to this convention for variables, see the entry for anglebrackets.)

Monospace Indicates text that is displayed on screen or entered by the user. Example:pairdisplay -g oradb

< > angle brackets Indicates variables in the following scenarios:• Variables are not clearly separated from the surrounding text or from

other variables. Example:Status-<report-name><file-version>.csv

• Variables in headings.

[ ] square brackets Indicates optional values. Example: [ a | b ] indicates that you can choose a,b, or nothing.

{ } braces Indicates required or expected values. Example: { a | b } indicates that youmust choose either a or b.

| vertical bar Indicates that you have a choice between two or more options or arguments.Examples:

[ a | b ] indicates that you can choose a, b, or nothing.

{ a | b } indicates that you must choose either a or b.

This document uses the following icons to draw attention to information:

Icon Label Description

Note Calls attention to important or additional information.

Tip Provides helpful information, guidelines, or suggestions for performingtasks more effectively.

Caution Warns the user of adverse conditions and/or consequences (forexample, disruptive operations, data loss, or a system crash).

WARNING Warns the user of a hazardous situation which, if not avoided, couldresult in death or serious injury.

Conventions for storage capacity valuesPhysical storage capacity values (for example, disk drive capacity) arecalculated based on the following values:


Physical capacity unit Value

1 kilobyte (KB) 1,000 (10 3) bytes

1 megabyte (MB) 1,000 KB or 1,0002 bytes

1 gigabyte (GB) 1,000 MB or 1,0003 bytes

1 terabyte (TB) 1,000 GB or 1,0004 bytes

1 petabyte (PB) 1,000 TB or 1,0005 bytes

1 exabyte (EB) 1,000 PB or 1,0006 bytes

Logical storage capacity values (for example, logical device capacity) arecalculated based on the following values:

Logical capacity unit Value

1 block 512 bytes

1 cylinder Mainframe: 870 KB

Open-systems:• OPEN-V: 960 KB• Others: 720 KB

1 KB 1,024 (210) bytes

1 MB 1,024 KB or 1,0242 bytes

1 GB 1,024 MB or 1,0243 bytes

1 TB 1,024 GB or 1,0244 bytes

1 PB 1,024 TB or 1,0245 bytes

1 EB 1,024 PB or 1,0246 bytes

Accessing product documentationProduct user documentation is available on Hitachi Data Systems SupportConnect: https://knowledge.hds.com/Documents. Check this site for themost current documentation, including important updates that may havebeen made after the release of the product.

Getting helpHitachi Data Systems Support Connect is the destination for technical supportof products and solutions sold by Hitachi Data Systems. To contact technicalsupport, log on to Hitachi Data Systems Support Connect for contactinformation: https://support.hds.com/en_us/contact-us.html.

Hitachi Data Systems Community is a global online community for HDScustomers, partners, independent software vendors, employees, andprospects. It is the destination to get answers, discover insights, and make



https://knowledge.hds.com/

https://support.hds.com/en_us/contact-us.html

https://community.hds.com/welcome

connections. Join the conversation today! Go to community.hds.com,register, and complete your profile.

CommentsPlease send us your comments on this document to [email protected] the document title and number, including the revision level (forexample, -07), and refer to specific sections and paragraphs wheneverpossible. All comments become the property of Hitachi Data SystemsCorporation.

Thank you!


https://community.hds.com/welcome

mailto:[email protected]


1Overview

This chapter provides the following information:

□ Product overview

□ About related Hitachi Command Suite products

□ Hitachi Automation Director system configuration

□ Hitachi Automation Director installation and configuration workflow

Overview 13Hitachi Automation Director Installation and Configuration Guide

Product overviewHitachi Automation Director is a software solution that provides tools toautomate and simplify the end-to-end storage provisioning process forstorage and data center administrators. The building blocks of the productare pre-packaged automation templates known as Service Templates. Thesepre-configured templates are customized to your specific environment andprocesses for creating services that automate complex tasks such as resourceprovisioning. When configured, Automation Director integrates with existingHitachi Command Suite applications to automate common infrastructuremanagement tasks by utilizing your existing infrastructure services.

Automation Director includes the following features:• Pre-configured service templates that help in creating automation services• Automation services for intelligent provisioning of volumes from different

storage classes• Role-based access to defined services• Performance-based pool selection that chooses the best performing pools

from infrastructure groups and provides pool information to each task forspecifying the volume usage details

• Common service management attributes that can be assigned and sharedacross all automation services

About related Hitachi Command Suite productsHitachi Automation Director is a part of Hitachi Command Suite, whichincludes the following components:• Hitachi Device Manager• Hitachi Tiered Storage Manager• Hitachi Dynamic Link Manager• Hitachi Replication Manager• Hitachi Tuning Manager• Hitachi Global Link Manager• Hitachi Compute Systems Manager

If you install Automation Director on the same server as other HitachiCommand Suite products, you can use common settings to manage usersand security. In addition, if Automation Director is installed on a serverrunning Device Manager, the host information managed by the two productsis automatically synchronized, which improves host management workefficiency.

Note: Only host information is synchronized when using both AutomationDirector and Device Manager, not information for other types of resources.

14 OverviewHitachi Automation Director Installation and Configuration Guide

Hitachi Automation Director system configurationThere are two ways to set up your Hitachi Automation Director environment.The following figure shows the basic system configurations.

The basic system configuration environment can be set up as one of thefollowing:• Hitachi Automation Director is installed as a standalone product without

any additional Hitachi Command Suite products.• Hitachi Automation Director and Hitachi Device Manager (HDVM) are

installed on the same server.

Note: You may also change from a same server configuration to astandalone setup by using the hcmds64prmset command.

Prerequisite Hitachi Command Suite products

The following table lists the supported Hitachi Command Suite products:

Product Version

Hitachi Device Manager 8.1.4


Product Version

Hitachi Tuning Manager* 8.1.1

Hitachi Replication Mananger** 8.1.4

* Tuning Manager is required if you want to leverage the Tuning Manager performance data to help

enable Automation Director to perform an intelligent selection of the pool when provisioning across

a set of pools or arrays.

** Hitachi Replication Manager is required only if you use Clone (Shadow Image), Snapshot (ThinImage), and Copy Topology services. If your configuration uses multiple Device Managers/Replication Managers, set up only one of the Replication Managers to run in Normal mode. The restof the Replication Managers must always operate in Maintenance mode.

Performance-based pool selection

You can use the performance-based pool selection of intelligent provisioningservice. To enable the performance-based pool selection, check the settingsof the following file.

Install location of HDvM\HicommandServer\config\tuningmanager.properties

This file contains properties for connecting to the Tuning Manager from theDevice Manager.

If the Device Manager server and the Tuning Manager server are installed onthe same machine, the system will run under the following settings:• htnm.servers=1• htnm.server.0.host=localhost• htnm.server.0.protocol=http• htnm.server.0.port=22015

For additional information, see the following sections in Hitachi CommandSuite Administrator Guide, MK-90HC175:• Chapter 6, Configuring Device Manager for use with related products -

Settings required to collect storage system performance information• Appendix A, Device Manager server properties - Properties for connecting

to Tuning Manager (tuningmanager.properties file)

Maximum number of Hitachi Device Manager servers supported byAutomation Director

The maximum number HDvM servers that Automation Director can support is50. For additional information see, Hitachi Command Suite SystemRequirements MK-92HC209.


Related tasks

• Changing the information of the server managing the user account onpage 38

Prerequisite Hitachi Command Suite products

The following table lists the supported Hitachi Command Suite products:

Product Version

Hitachi Device Manager 8.1.4

Hitachi Tuning Manager* 8.1.1

Hitachi Replication Mananger** 8.1.4

* Tuning Manager is required if you want to leverage the Tuning Manager performance data to help

enable Automation Director to perform an intelligent selection of the pool when provisioning across

a set of pools or arrays.

** Hitachi Replication Manager is required only if you use Clone (Shadow Image), Snapshot (ThinImage), and Copy Topology services. If your configuration uses multiple Device Managers/Replication Managers, set up only one of the Replication Managers to run in Normal mode. The restof the Replication Managers must always operate in Maintenance mode.

Performance-based pool selectionYou can use the performance-based pool selection of intelligent provisioningservice. To enable the performance-based pool selection, check the settingsof the following file.

Install location of HDvM\HicommandServer\config\tuningmanager.properties

This file contains properties for connecting to the Tuning Manager from theDevice Manager.

If the Device Manager server and the Tuning Manager server are installed onthe same machine, the system will run under the following settings:• htnm.servers=1• htnm.server.0.host=localhost• htnm.server.0.protocol=http• htnm.server.0.port=22015

For additional information, see the following sections in Hitachi CommandSuite Administrator Guide, MK-90HC175:• Chapter 6, Configuring Device Manager for use with related products -

Settings required to collect storage system performance information• Appendix A, Device Manager server properties - Properties for connecting

to Tuning Manager (tuningmanager.properties file)


Note: The maximum number HDvM servers that Automation Director cansupport is 50. For additional information see, Hitachi Command Suite SystemRequirements MK-92HC209.

Hitachi Automation Director installation and configurationworkflow

The following figure illustrates an overview workflow, which includes installingand configuring Hitachi Automation Director.


This guide includes system installation, setup, management, andmaintenance information. For details about using the management GUI tocreate, manage, and automate provisioning services, see the HitachiCommand Suite Automation Director User Guide.



2Installing Hitachi Automation Director

This chapter describes how to install Hitachi Automation Director forMicrosoft® Windows® in both cluster and non-cluster environments or RedHat Enterprise Linux (RHEL) in a non-cluster environment.

□ Installation prerequisites

□ Installing Hitachi Automation Director

□ Installing Hitachi Automation Director in a cluster environment

□ Post-installation tasks

Installing Hitachi Automation Director 21Hitachi Automation Director Installation and Configuration Guide

Installation prerequisitesBefore installing Hitachi Automation Director complete the following tasks:

• Verify that .NET Framework 3.5.1 is installed on the management server.To install it, follow the procedure for the operating system that is runningon the management server. Before installing the .NET Framework, verifythat the prerequisite version of IIS is installed on the server.

• Verify that the environment and the management server meet allhardware and software requirements. For details on the systemrequirements, see Hitachi Command Suite System Requirements,MK-92HC209. For details about hardware size and space requirements, seethe Hitachi Command Suite Automation Director Release Notes.

• Ensure the ports used by Automation Director are available. Verify that theports on the management server are not in use by other Hitachi CommandSuite products and no conflicts exist. If a port is in use by another HitachiCommand Suite product, neither product may operate correctly.

• Resolve the names for the related machines.• Ensure Windows administrator permissions are obtained to complete the

installation and configuration tasks included in this guide.• Disable any security monitoring, virus detection, or process monitoring

software on the server.• Close any Windows Services or open command prompts.• If the server is running any other Hitachi Command Suite products, stop

the services for those products.• Make sure the server system time is correct. If Hitachi Command Suite is

installed on a different server, synchronize the Automation Director servertime with the Hitachi Command Suite server.

• Manually re-add firewall exceptions as needed for Automation Directorinstallation in an RHEL environment. These exceptions do notautomatically get reconfigured during installation.

Related references

• Changing the name resolution setting on page 24• Changing the server time on page 22• Port settings on page 103

Changing the server timeIt is important to ensure the Automation Director server Operating Systemtime setting is synchronized with the Hitachi Command Suite managementserver.

The Automation Director task and alert occurrence times are based on themanagement server time setting. Therefore, it is important that you verifythe accuracy of the server Operating System time setting and reset it ifnecessary before installing Automation Director. If you change the

22 Installing Hitachi Automation DirectorHitachi Automation Director Installation and Configuration Guide

Automation Director server time while the Hitachi Command Suite CommonComponent and Hitachi Command Suite product services are running,Automation Director may not operate correctly.

If you plan to use a service such as NTP, which automatically adjusts theserver time, you must configure the service as follows:• Configure the settings so that the time is adjusted when the service

discovers a time discrepancy.• The service adjusts the time setting only as long as the time difference

remains within a certain range. Based on the maximum range value, setthe frequency so that the time difference never exceeds the fixed range.

An example of a service that can adjust the time as long as the timedifference does not exceed a fixed range is the Windows Time service.

Note: When running Automation Director in a U.S. or Canadian time zone,you must configure the management server Operating System so that itsupports the new Daylight Savings Time (DST) rules. Automation Directorcannot support the new DST rules unless the server provides support.

If you cannot use the functionality that adjusts the server time automatically,or if you want to manually change the system time, perform these steps:1. Stop the Hitachi Command Suite Common Component and all Hitachi

Command Suite product services, for example:• HBase 64 Storage Mgmt Web Service• HBase 64 Storage Mgmt Web SSO• HBase 64 Storage Mgmt SSO Service• HCS Device Manager Web Service• HBase 64 Storage Mgmt Comm Server• HiCommand Suite Tuning Manager• HiCommand Performance Reporter• HCS Tuning Manager REST Application• HAutomation Engine Web Service• Device Manager Server Service• Tiered Storage Manager Server

2. Record the current time of the management server, and then reset thetime.

3. Determine when to restart the services.

• If you set the time of the machine back (meaning that the server time wasahead), wait until the server clock shows the time you recorded (the timeon the server when you made the change) and then restart the machine.

• If you set the machine time forward, restart the machine now.

Verify that the Automation Director management server reflects the correcttime.


Changing the name resolution settingIf you install Automation Director and Hitachi Command Suite on twodifferent machines, you must resolve the name of the Automation Directorserver that connects to the client.

You must also resolve the name of the machine where Automation Director isinstalled.

If you install Automation Director on the same machine as Hitachi CommandSuite, you must resolve the names of the machine on which you want to runthe browser to access Automation Director.

Update your configuration settings so that the system can resolve the IPaddress from the management server host name that is set as theServerName property on the first line of the user.httpsd.conf file. To verifythat the IP address resolves to the host name, run the followingcommand:ping management-server-host-name.

Avoiding port conflictsBefore a new installation of Automation Director, verify that the ports thatAutomation Director will use on the management server are not in use byother products. If a port is being used by another product, neither productmay operate correctly.

To ensure that the necessary ports are not in use, use the netstatcommand.

Related tasks

• Changing Automation Director port numbers on page 38

Related references

• Port settings on page 103

Installing Hitachi Automation DirectorIf you are installing multiple Hitachi Command Suite products on a singlemanagement server, use the All-in-One installer to install multiple productssimultaneously with minimal input or tasks. If you do not want to use thedefault installation parameters or if you want to install in a clusterenvironment, use the product installer from the integrated installation media.

For details about the All-in-One installer, refer to the Hitachi Command SuiteInstallation and Configuration Guide. This document describes how to installHitachi Automation Director using the product installer from the integratedproduct media.


Note: If you want to install Automation Director with other Hitachi CommandSuite products, ensure that your system meets the installation requirementsfor all the products.

Windows environment

Procedure

1. Ensure that your system meets all management server prerequisites aslisted in the pre-installation checklist.

2. Verify that .NET Framework 3.5 SP1 (3.5.1) is installed.3. If the server is running any products that use the Hitachi Command Suite

Common Component, stop the following services:• HBase 64 Storage Mgmt Web Service• HBase 64 Storage Mgmt Web SSO• HBase 64 Storage Mgmt SSOService• HCS Device Manager Web Service• HBase 64 Storage Mgmt Common Server• HiCommand Suite Tuning Manager• HiCommand Suite Performance Reporter• HCS Tuning Manager REST Application• HAutomation Engine Web Service• Device Manager Server Service• Tiered Storage Manager Server Service

4. Insert the installation media into the DVD drive.If you are using the integrated media DVD and the installation programwindow does not open, double-click index.html.

5. Start the installation wizard by selecting Automation Director in theinstallation program window, and then clicking Install.

6. Follow the on-screen prompts and specify the required information.In most cases, accept the default installation selections.The Install Complete window opens.

7. Click Finish.

Note:• If Automation Director is installed in an environment in which

SSL communication is enabled or in which the port number forHitachi Command Suite Common Component has beenchanged, the graphical user interface might not start, even ifthe After the installation finishes, start the HitachiCommand Suite GUI check box is selected in the InstallComplete window.

• If this problem occurs, check the changed management serverinformation, and then enter the URL for Automation Director inthe address bar of the web browser to start the interface.


ResultAutomation Director is now installed.

Linux environment

Install Automation Director by running install.sh.

The default Automation Director installation directory for Linux is: /opt/HiCommand/Automation

Related references

• Post-installation tasks on page 33

Installing Hitachi Automation Director in a clusterenvironment

This module provides information about installing and configuring a newinstallation of Hitachi Automation Director in a cluster environment.

Note: Automation Director can only be installed in a Windows clusterenvironment. Automation Director with clustering is not supported in a Linuxenvironment.

About using Automation Director in a cluster environmentWhen using Hitachi Automation Director, you can increase reliability bysetting up a failover management server using Microsoft Windows ServerFailover Clustering.

When you use Automation Director in a cluster environment, you designateone Automation Director server as the active node and another as thestandby node as follows:• Active node

The active node is the host that is running services in a system that uses acluster.If a failure occurs, the cluster services implements a failover, and thestandby node takes over operation of the system resources so that there isno interruption of services.

• Standby nodeThe standby node is the host that takes over operation of systemresources from the active node if a failure occurs.

Note: If an active node fails over to the standby node, any tasks that arerunning fail and you must run the tasks again on the standby node.


Cluster installation workflowWhen installing Hitachi Automation Director in a cluster configuration, youmust follow a series of steps to prepare the executing node and standbynodes.

The following shows the general workflow for setting a up clusterenvironment:

Note: When installing Hitachi Automation Director to a cluster environmentfor the first time or when migrating from a non-cluster environment to acluster environment, make sure that every node in the cluster has the samedisk configuration, and all Hitachi Command Suite products are installed inthe same location (including drive letter, path, etc.) on each node.

Note: When performing an upgrade of Hitachi Automation Director that hasalready been installed in a cluster configuration, you must disable theresource script before performing the updated installation.


Related tasks

• Setting up Hitachi Automation Director clustering on an active node onpage 28

• Setting up Hitachi Automation Director clustering on a standby node onpage 30

Checking the cluster configuration using the cluster managementsoftware

When setting up Hitachi Automation Director in a cluster environment, youmust use the cluster management software to verify the current environmentsettings and to configure additional settings.

Use the cluster management software to check the following items beforesetting up Hitachi Automation Director in a cluster environment:• Check whether a group exists in which other Hitachi Command Suite

product services are registered.If a group in which Hitachi Command Suite services are registered alreadyexists, use that group. Verify that the group consists only of resourcesrelated to Hitachi Command Suite products.If no group in which Hitachi Command Suite services are registered exists,use the cluster management software to create a group in which you planto register the Hitachi Automation Director services.

Note: Group names cannot contain the following characters: ! " %& ) * ^ | ; = , < >

• Verify that the group in which you plan to register services includes theshared disk and client access point that can be inherited between theactive and standby nodes. The client access point is the clustermanagement IP address and the logical host name.

• Verify that you can allocate, delete, and monitor resources by using thecluster management software without any issues.

Services that are used in a cluster environment can be failed over togetherby registering them as a group in the cluster management software. Thesegroups might be referred to by different names, such as "resource groups" or"roles", depending on the versions of the cluster management software andthe OS.

Setting up Hitachi Automation Director clustering on an active nodeYou can complete a new installation of Hitachi Automation Director on themanagement server on an active node in a cluster configuration.


Procedure

1. Bring online the cluster management IP address and shared disk. Makesure that the resource group for the cluster installation is moved to theactive node.

2. If you created the cluster environment using another Hitachi CommandSuite product, use the following command to take offline and disablefailover for the cluster group in which Hitachi Command Suite productservices are registered:• From integrated installation media:

integrated-installation-media\HCS\ClusterSetup\hcmds64clustersrvstate /soff /r HCS-cluster-group-name

• From the installation directory of a Hitachi Command Suite productwith v8.2 or later:HCS-Common-Component-installation-directory\ClusterSetup\hcmds64clustersrvstate /soff /r HCS-cluster-group-namewherer - specifies the name of the group in which the Hitachi CommandSuite product services are registered. If the group name containsspaces, you must enclose the group name in quotation marks ("); forexample, if the group name is HCS cluster, you would specify "HCScluster".

3. Complete a new installation of Hitachi Automation Director on the activenode.If another Hitachi Command Suite product already exists in the clusterenvironment, verify the following before installing Automation Director:• Specify the IP address of the logical host as the IP address of the

management server.

If no other Hitachi Command Suite products exist in the clusterenvironment, verify the following before installing Automation Director:• Specify the IP address of the active node as the IP address of the

management server.

Note: If you are upgrading Hitachi Automation Director in anenvironment that has already been set up in a clusterconfiguration, you need to prevent failover of the script that isregistered to the resource group before performing the updatedinstallation. In the cluster management software, right-click on thescript which is registered to the resource group and, from the[property]-[policy] tab, set the resource so that it does notreboot.

4. Register the licenses for the products you plan to use. Access the IPaddress of the active node.


5. If you already have a Hitachi Command Suite product configured withinthe cluster, skip to the next step. If Automation Director is the firstHitachi Command Suite product in the cluster, do the following:a. Add the following information to a blank text file:

mode=onlinevirtualhost=logical-host-nameonlinehost=active-node-host-namestandbyhost=standby-node-host-name

Note: On an active node, you must specify online for mode.

Save the file as cluster.conf in HCS-Common-Component-installation-folder\conf.

6. Use the following command to ensure that the Hitachi Command Suiteproduct services are stopped:HCS-Common-Component-installation-folder\bin\hcmds64srv /stop/server AutomationWebService

7. Execute the setupcluster /exportpath ExportPath command wherethe ExportPath specifies the absolute or relative directory path.

Related tasks

• Setting up Hitachi Automation Director clustering on a standby node onpage 30

Setting up Hitachi Automation Director clustering on a standby nodeAfter setting up the clustering installation on an active node, you cancomplete installation of Hitachi Automation Director on the managementserver on a standby node in a cluster configuration.

Procedure

1. In the cluster management software, move the group containing theHitachi Automation Director resources to the standby node by right-clicking the group, selecting Move and then selecting either SelectNode or Move this service or application to another node.

2. If you created the cluster environment using another Hitachi CommandSuite product, use the following command to take offline and disablefailover for the cluster group in which Hitachi Command Suite productservices are registered:• From integrated installation media:


• From the installation directory of a Hitachi Command Suite productwith v8.2 or later:


HCS-Common-Component-installation-directory\ClusterSetup\hcmds64clustersrvstate /soff /r HCS-cluster-group-namewherer - specifies the name of the group in which the Hitachi CommandSuite product services are registered. If the group name containsspaces, you must enclose the group name in quotation marks ("); forexample, if the group name is HCS cluster, you would specify "HCScluster".

3. Complete a new installation of Hitachi Automation Director on thestandby node.

Before installing Hitachi Automation Director on the standby node, beaware of the following requirements:• You must install Hitachi Automation Director in the same location as

on the active node.• If other Hitachi Command Suite products already exist and are active

in the cluster environment, specify the logical host name (the virtualhost name allocated to the cluster management IP address) as the IPaddress of the management server. If there are no other HitachiCommand Suite products in the cluster environment, specify the IPaddress or the host name of the standby node.

Note: If you are upgrading Hitachi Automation Director in anenvironment that has already been set up in a clusterconfiguration, you need to prevent failover of the script that isregistered to the resource group before performing the updatedinstallation. In the cluster management software, right-click on thescript which is registered to the resource group and, from the[property]-[policy] tab, set the resource so that it does notreboot.

4. Register the licenses for the products you plan to use.5. If you already have a Hitachi Command Suite product configured within

the cluster, skip to the next step. If Hitachi Automation Director is thefirst Hitachi Command Suite product in the cluster, do the following:a. Add the following information to a blank text file:

mode=standbyvirtualhost=logical-host-nameonlinehost=active-node-host-namestandbyhost=standby-node-host-nameSave the file as cluster.conf in HCS-Common-Component-installation-folder\conf.

Note: On a standby node, you must specify standby for mode.


6. Use the following command to ensure that the Hitachi Command Suiteproduct services are stopped:hcmds64srv /stop /server AutomationWebService

7. Execute the setupcluster /exportpath command where theexportpath specifies the absolute or relative directory path.

Registering the services and initializing the cluster installationAfter installing Hitachi Automation Director on the active and standby nodesin a cluster configuration, you can register the services and scripts then bringthe clustering on line as described in the following steps:

Procedure

1. In the cluster management software, move the group containing theHitachi Automation Director resources to the active node by right-clickingthe group, selecting Move and then selecting either Select Node orMove this service or application to another node.

2. Register the Hitachi Automation Director services in the clustermanagement software group by using the following command:

HCS-Common-Component-installation-directory\ClusterSetup\hcmds64clustersrvupdate /sreg /r HCS-cluster-group-name /sddrive-letter-of-shared-disk /ap resource-name-for-client-access-point

where

r - specifies the name of the group in which the Hitachi Command Suiteproduct services including Hitachi Automation Director will be registered.If the group name contains spaces, you must enclose the group name inquotation marks ("); for example, if the group name is HAD cluster, youwould specify "HAD cluster".

sd - specifies the drive letter of the shared disk that is registered to thecluster management software. You cannot specify multiple drive lettersfor this option. If the database of Hitachi Command Suite products isdivided into multiple shared disks, run the hcmds64clustersrvupdatecommand for each shared disk.

ap - specifies the name of the resource for the client access point that isregistered to the cluster management software.

3. Register the following as a script resource to execute the stopclustercommand for the cluster software:• HAD-installation-folder\bin\stopcluster /prepare

The script resource name and the script name are arbitrary. Configurethe script so that the stopcluster command is executed only when theresource is offline. For more specific details, please consult thedocumentation for the cluster software you are using.


Note: If you are upgrading Hitachi Automation Director, it is notnecessary to register the script. However, you do need to enablefailover of the script which is registered to the resource group. Inthe cluster management software, right-click and select the scriptwhich is registered to the resource group and then, from the[property]-[policy] tab, set the resource so that it reboots.

4. In the cluster management software, right click to select the resourcescript and set its dependence from the [property]-[Dependencies]tab. In addition, you must specify [HAutomation Engine HCS-cluster-group-name] to the resources that must be brought online before thescript can be brought online.

5. On the active node, bring online and enable failover for the group inwhich Hitachi Command Suite services including Hitachi AutomationDirector are registered using the following command:

HCS-Common-Component-installation-folder\ClusterSetup\hcmds64clustersrvstate /son /r HCS-cluster-group-name

where

r - specifies the name of the group in which the Hitachi Command Suiteproduct services including Hitachi Automation Director are registered. Ifthe group name contains spaces, you must enclose the group name inquotation marks ("); for example, if the group name is HAD cluster, youwould specify "HAD cluster".

6. Change the status of the resource group to online in the clustersoftware.

Post-installation tasksAfter installing Automation Director, complete the following post-installationtasks:

1. If the server that manages the user account uses SSL communication,run the hcmds64prmset command to set the port number of the server(as needed).

2. Confirm the registered URL (recommended).3. Verify access to the Automation Director management server.4. Register the license.5. Change the System account password (recommended).6. Set an email address for the System account.7. Enable RMI communication.

Note: This step is required only if you use Device Manager v8.1.4.


8. Stop and restart HCS and HAD services (as needed).

Confirming the registered URL

Confirm the registered URL by using the following command:

HCS-Common-Component-installation-folder\bin\hcmds64chgurl /list

Check the host name in URL. In case of non-cluster environment, the hostname should be a physical host name. In case of the cluster environment,the host name should be a logical host name. If the registered URL isincorrect, change the URL by using the following command.

HCS-Common-Component-installation-folder\bin\hcmds64chgurl /change

http://incorrect-IP-address-or-host-name:port-number

http://correct-IP-address-or-host-name:port-number

Verifying the installationWhen installation is complete, verify that the installation was successful usinga web browser.

Procedure

1. Open a web browser that is supported by Automation Director.2. In the address bar, specify the URL for Automation Director in the

following format:http://HAD-server-address:22015/Automation/

The login window opens and verifies that you can access themanagement server.

Registering a licenseWhen you log on initially, you must specify a valid license key.

Procedure

1. From the login window, click Licenses.2. Enter the license key, or browse to the location of a license file, and then

click Save.

Changing the system account passwordThe System account is a default account that has user management andexecute permission for all Hitachi Command Suite products. When you installAutomation Director for the first time, it is recommended that you change theSystem account password.


Procedure

1. From a management client, log on using the following credentials:• User ID: system• Password (default): manager

2. On the Administration tab, click User Profile.3. Click Change Password, type the required passwords, and click OK.

ResultThe default password is changed.

Stopping and starting Hitachi Command Suite and AutomationDirector services

Hitachi Command Suite and Automation Director services from the commandprompt. You can also stop or start Hitachi Command Suite from the StartMenu as well.

Note: You cannot start HAD services from the Start Menu.

Stopping and starting all services from the Start menuThe following procedure stops and starts all Hitachi Command Suite services:

Procedure

1. Select Start > All Programs > Hitachi Command Suite > ManageServices.

2. Click Start - HCS or Stop - HCS.

Stopping and starting all services from a command prompt (Windows)The following procedure stops and starts all Hitachi Command Suite andAutomation Director services:

Procedure

1. At the command prompt, navigate to C:\Program Files\HiCommand\Base64\bin.

2. To stop the services, enter the following command:hcmds64srv.exe /stopTo start services, enter the following command:hcmds64srv.exe /start

Stopping and starting all services from a command prompt (Linux)The following procedure stops and starts all Hitachi Command Suite andAutomation Director services:


Procedure

1. At the command prompt, navigate to /opt/HiCommand/Base64/bin.2. To stop the services, enter the following command:

hcmds64srv -stopTo start services, enter the following command:hcmds64srv -start

Stopping and starting only the Automation Director services from the commandprompt (Windows)

Procedure

1. Navigate to C:\Program Files\HiCommand\Base64\bin.2. To stop services, enter the following command:

hcmds64srv.exe /stop /server AutomationWebServiceTo start services, enter the following command:hcmds64srv.exe /start /server AutomationWebService

Stopping and starting only the Automation Director services from the commandprompt (Linux)

Procedure

1. Navigate to /opt/HiCommand/Base64/bin.2. To stop services, enter the following command:

hcmds64srv -stop -server AutomationWebServiceTo start services, enter the following command:hcmds64srv -start -server AutomationWebService

Enabling RMI communication

You must configure RMI communication for Replication Manager before youcan use HAD services. This step is required regardless of whether you areusing Replication. If you do not enable RMI communication for ReplicationManager, the Device Manager connections do not function properly and theconnection status listed in the Administration Tab shows an error.

Related tasks

• Enabling RMI communication for Replication Manager on page 59


3Configuring Automation Director

This chapter provides information on how to configure Automation Director.

□ Changing management server system settings

□ Configuring secure communications

□ Enabling RMI communication for Replication Manager

□ Moving a Hitachi Automation Director installation from one host toanother

□ Running Automation Director without an external network configuration

□ Changing the system configuration through the properties file(config_user.properties)

□ Changing the port number for communicating with the HAD serverthrough the command properties file (command_user.properties)

□ Changing the email notification definition

□ Changing the password policy through the security definition file(security.conf)

□ Configuring information used to connect with the operation targetmachine

□ Preconditions for an agentless connection place (Windows)

□ Preconditions for an agentless connection place (SSH)

□ Using multiple Device Managers from one HAD sever

Configuring Automation Director 37Hitachi Automation Director Installation and Configuration Guide

Changing management server system settingsThis module provides information about changing Automation Directormanagement server system settings.

Changing Automation Director port numbersYou can change the port numbers used for Automation Director afterinstallation if necessary.

Procedure

1. Stop Automation Director.2. Edit the Automation Director properties.

a. Open Installation-folder-for-Hitachi-Command-Suite\Automation\conf\command_user.properties.

b. Change the value of command.http.port as required.3. Start Automation Director.4. If you changed the port that is used for communication between the

management server and management clients (by default, 22015/TCP or22016/TCP), change the URL for accessing Automation Director.

Related concepts

• Stopping and starting Hitachi Command Suite and Automation Directorservices on page 35

Changing the information of the server managing the user accountYou can change the information of the server managing the user account, ifnecessary.

Note: The user accounts are managed by the Common Component on thehost where the connection-target Device Manager is installed.

Procedure

1. (Windows) If SSL is not set for HBase 64 Storage Mgmt Web Service forDevice Manager, run this command:Common-Component-installation-folder\bin\hcmds64prmset /host Device-Manager-IP-address-or-host-name /port HBase-64-Storage-Mgmt-Web-Service-of-Device-Manager-non-SSLportnumber

2. (Windows) If SSL is set for HBase 64 Storage Mgmt Web Service forDevice Manager, run this command:Common-Component-installation-folder\bin\hcmds64prmset /host Device-Manager-host-name /sslport HBase-64-Storage-Mgmt-Web-Service-of-Device-Manager-SSL-port-number

38 Configuring Automation DirectorHitachi Automation Director Installation and Configuration Guide

3. (Linux) If SSL is not set for HBase 64 Storage Mgmt Web Service forDevice Manager, run this command:Common-Component-installation-folder/bin/hcmds64prmset -host Device-Manager-IP-address-or-host-name -port HBase-64-Storage-Mgmt-Web-Service-of-Device-Manager-non-SSLportnumber

4. (Linux) If SSL is set for HBase 64 Storage Mgmt Web Service for DeviceManager, run this command:Common-Component-installation-folder/bin/hcmds64prmset -host Device-Manager-host-name -sslport HBase-64-Storage-Mgmt-Web-Service-of-Device-Manager-SSL-port-number

Changing the port number used by the task processing engineIf necessary, you can change the port number used by the HitachiAutomation Director task processing engine. The task processing engine is aninternal component of Automation Director, which is responsible for runningtask processes. These separate processes require the use of communicationports.

Note: Before changing the port number, make sure that no tasks are runningby checking the Status column on the Tasks tab in the Hitachi AutomationDirector GUI. Make sure that tasks in the In Progress, Waiting, Long Runningstatus or processes that are stopped are not affected by the port numberchange.

Procedure

1. Stop Automation Director by running the hcmds64srv /stop command.2. With a text editor, open the %windir%\system32\drivers\etc\services

file, and change the value of the port number that is defined atjp1ajs3cdinetd.

3. In the Automation-Director-installation-folder\system\AJS3CD\conf\ directory, create a file named ajscd_DNA.properties and addthe following entry:ajscd.port_number=port-number-value-from-step-2

4. Start Automation Director by running the hcmds64srv /start command.

Hitachi Command Suite property updates for port number changesIf you change Automation Director port numbers, you must update theHitachi Command Suite Common Component properties that are listed in thefollowing table:

Port number(default)

Property file path (HCS Common Componentinstallation directory) Location

22015/TCP \uCPSB\httpsd\conf\user_httpsd.conf ListenListen [::]:


Port number(default)

Property file path (HCS Common Componentinstallation directory) Location

#Listen 127.0.0.1:

22016/TCP \uCPSB\httpsd\conf\user_httpsd.conf host-name:port-number in theVirtualHost tag

ListenListen [::]:

22031/TCP \uCPSB\httpsd\conf\user_hsso_httpsd.conf Listen22032/TCP \HDB\CONF\emb\HiRDB.ini PDNAMEPORT

\HDB\CONF\pdsys pd_name_port\database\work\def_pdsys pd_name_port

22033/TCP \uCPSB\CC\web\redirector\workers.properties

worker.HBase64StgMgmtSSOService.port

\uCPSB\CC\web\containers\HBase64StgMgmtSSOService\usrconf\usrconf.properties

webserver.connector.ajp13.port

22034/TCP \uCPSB\CC\web\containers\HBase64StgMgmtSSOService\usrconf\usrconf.properties

webserver.shutdown.port

Changing the management server host name or IP addressThis module provides information about changing the management serverhost name or IP address.

Changing the management server host nameYou can change the host name of the management server after installingHitachi Automation Director.

The management server host name cannot exceed 128 characters and iscase-sensitive.

Procedure

1. Make a note of the new management server host name and IP address.If you need to verify the host name on a Windows machine, use theipconfig /ALL command to display the host name.

2. Back up Automation Director on the source host.3. Delete all folders under backup_folder\Automation\base, but leave the

files located directly under backup_folder\Automation\base.4. Open the backup_folder\Automation\base\common_conf.txt file, delete

the contents, and then save the file.5. Change the host name of the management server. Then, restart the

server.6. Run chgcommonbasehostname.bat Revised host name to change the

host name configuration of the common base.


7. Restore the backed-up data in the management server.8. Stop Automation Director.9. Edit the Hitachi Command Suite Common Component properties.

10. If you are running other Hitachi Command Suite products, revise thesettings for those products as needed.

11. Verify that all Hitachi Command Suite services are running.12. Run chgenginehostname.bat Revised host name to change the host

name configuration of the automation engine.13. If you use the old host name or IP address to access the management

server from a browser, update the Hitachi Command Suite URL.14. Run the hcmds64srv /start command to start Automation Director and

verify that you can access the product using the new URL.

ResultThe management server host name or IP address is changed.

Related concepts

• Stopping and starting Hitachi Command Suite and Automation Directorservices on page 35

Hitachi Command Suite property updates for management server host namechanges

If you change the host name of the Automation Director management server,you must update the Hitachi Command Suite common properties that arelisted in the following table:

Property file path (HCS CommonComponent installation directory) Properties Required changes

\uCPSB\httpsd\conf\user_httpsd.conf ServerName Change the value tothe new host name.

VirtualHost tag If TLS or SSL is usedfor communicationbetween themanagement serverand managementclients and a host nameis specified, change thevalue to an asterisk(*).

Servername in theVirtualHost tag

If TLS or SSL is usedfor communicationbetween themanagement serverand managementclients, change thevalue to the new hostname.



\HDB\CONF\pdsys

\database\work\def_pdsys

the -x option of pdunit Change the value tothe loopback address127.0.0.1.

\HDB\CONF\pdutsys

\database\work\def_pdutsys

pd_hostname

\HDB\CONF\emb\HiRDB.ini PDHOST

Hitachi Command Suite property updates for management server IP addresschanges

If you change the IP address of the Automation Director management server,you must update the Hitachi Command Suite common properties that arelisted in the following table:


\uCPSB\httpsd\conf\user_httpsd.conf

ServerName Change the value to thenew host name or newIP address.

\HDB\CONF\pdsys

\database\work\def_pdsys

the -x option of pdunit If the old IP value isspecified, change thevalue to the loopbackaddress 127.0.0.1.\HDB\CONF\pdutsys

\database\work\def_pdutsys

pd_hostname

\HDB\CONF\emb\HiRDB.ini PDHOST

Changing the Automation Director URLThis module provides information about changing the management serverURL.

Changing the management server URLYou must change the Hitachi Automation Director management server URL ifyou change the management server host name or IP address, theAutomation Director ports, or any SSL settings. If Automation Director runson the same management server as other Hitachi Command Suite products,you can change all of the Hitachi Command Suite URLs with one command.

Note: You must use a complete URL, which includes a protocol and a portnumber, for example, http://HostA:22015.

Procedure

1. Verify the current URL using the following command:


HCS-Common-Component-installation-folder\bin\hcmds64chgurl /list

2. If Automation Director is installed on a standalone server, change onlythe Automation Director URL using the following command:HCS-Common-Component-installation-folder\bin\hcmds64chgurl /change new-URL /type Automation

3. If Automation Director is installed on the same server, change all HitachiCommand Suite URLs that are running on this management server usingthe following command:HCS-Common-Component-installation-folder\bin\hcmds64chgurl /change old-URL new-URL

4. Change the URL for the shortcut file:• For Windows Server 2008 R2:

Select Start > All Programs > Hitachi Command Suite >Automation Director, and then right-click HAD Login. SelectProperties, and on the Web Document tab, change the URL.

• For Windows Server 2012 and Windows Server 2012 R2:Select Start > All apps > Hitachi Command Suite > AutomationDirector, and then right-click HAD Login. Select Properties, and onthe Web Document tab, change the URL.

Use the following format for the URL:

Protocol://Management-server-IP-address-or-host-name:port-number/Automation/login.htm

Where:• Protocol is http for non-SSL communication and https for SSL

communication.• Management-server-IP-address-or-host-name is the IP address or

host name of the management server on which Hitachi AutomationDirector is installed.

• port-number is the port number that is set for Listen line in theuser_httpsd.conf file.For non-SSL communication, specify the port number for non-SSLcommunication (default: 22015).For SSL communication, specify the port number for SSLcommunication (default: 22016).The user_httpsd.conf file is in the HCS-Common-Component-installation-folder\uCPSB\httpsd\conf\ directory.

5. Verify that you can access Automation Director using the new URL.

Configuring secure communicationsThis module describes how to configure secure communications for HitachiAutomation Director.


About Automation Director security settingsYou can increase security by using secure communication for AutomationDirector. Secure communication enables Automation Director to increasesecurity by using Secure Sockets Layer (SSL) or Transport Layer Security(TLS) for Automation Director network communication. SSL or TLS enableAutomation Director to verify communication partners, enhanceauthentication for identifying partners, and detect falsified data within sentand received information. In addition, communication channels are encryptedso that data is protected from eavesdropping.

Automation Director can use secure communications using SSL or TLS for thefollowing types of communication:• Communication between the management server and management clients• Communication between the management server and the SMTP server• Communication between the management server and an external

authentication server (LDAP directory server)• Communication between the management server and management targets

In addition, you can restrict access so that only specific management clientscan access the management server.

Note: When you use Automation Director with security enabled, make surethat the server certificate is not expired. If the server certificate is expired,you need to register a valid certificate to Automation Director because usersmight not be able to connect to the server.

Configuring security for management clientsThis module provides information about setting up secure communicationbetween the management server and management clients.

About secure communications for management clientsImplement secure communication between the Automation Directormanagement server and management clients using SSL. To implement SSL,first set up SSL on the management server and then on the managementclients. The process for setting up SSL on a web-based interface clients isdifferent from CLI clients.

Note: If you plan to use the "Allocate Volumes and Create Datastore onVMware vSphere" or "Allocate Like Volumes and Create Datastore on VMwarevSphere" service templates, you must validate TLSv1.0 through SSL byupdating the Hitachi Command Suite setting as follows:1. Add "TLSv1" to the "ssl.protocol" property of the Hitachi Command Suite

installation folder/Base64/conf/init.conf file.2. Restart Hitachi Command Suite.


Setting up SSL on the server for secure client communication (Windows)To implement secure communication between the management server andmanagement clients, you must set up SSL on the management server.

Before you begin

Before setting up SSL on the server, verify the following prerequisites:• The Web browser version running on the management client is supported

by Automation Director.• The signature algorithm of the server certificates is supported by the

management client Web browser.• The location of the existing private key, certificate signing request, and the

self-signed certificate is confirmed (ensure that you check the locationwhen recreating them).

Verify the following information for the certificate authority that you areusing:• The certificate signing request you created by using the hcmds64ssltool

command is in PEM format, and the key size of the private key is 2048bits.

• The server certificate issued by the certificate authority uses X.509 PEMformat and supports the signature algorithm.

• The server certificate application process is understood.

In addition to a private key and a certificate signing request, the followingprocedure creates a self-signed certificate. We recommend that you use theself-signed certificate for testing purposes only.

Procedure

1. Start Automation Director.2. To create a private key (httpsdkey.pem), a certificate signing request

(httpsd.csr), and a self-signed certificate (httpsd.pem) for the HCSCommon Component, use the following command:

HCS-Common-Component-installation-folder\bin\hcmds64ssltool /key HCS-Common-Component-installation-folder\uCPSB\httpsd\sslc\bin\demoCA\httpsdkey.pem /csr HCS-Common-Component-installation-folder\uCPSB\httpsd\sslc\bin\demoCA\httpsd.csr /cert HCS-Common-Component-installation-folder\uCPSB\httpsd\sslc\bin\demoCA\httpsd.pem /certtext HCS-Common-Component-installation-folder\uCPSB\httpsd\sslc\bin\demoCA\httpsd.txt /validity 365

This command outputs the content of the self-signed certificate tohttpsd.txt. We recommend that you use the self-signed certificate fortesting purposes only.


When you run this command, the signature algorithm uses SHA256 withRSA and creates a self-signed certificate with an expiration day (basedon a 365 day time span) specified by the validity option.

You can specify the signature algorithm using the sigalg option. If youomit this option, SHA256 with RSA is used. In addition, you can alsospecify SHA1 with RSA or MD5 with RSA.

Note: If a file with the same name exists in the output destinationpath, running the hcmds64ssltool command overwrites the file.We recommend storing the file in a different destination when youre-create the file.

3. When prompted, enter the following information after the colon(:).• Server Name (management server host name) - for example,

HAD_SC1.• Organizational Unit (section) - for example, Automation Director.• Organization Name (company) - for example, Hitachi.• City or Locality Name - for example, Santa Clara.• State or Province Name (full name) - for example, California.• Country Name (2 letter code) - for example, US.

To leave a field blank, type a period (.). To select a default valuedisplayed within the brackets ([]), press Enter.

4. Send the certificate signing request (httpsd.csr) to the certificateauthority to apply for a server certificate.

Note: This step is not required if you plan to use a self-signedcertificate, but we recommend that you use a signed servercertificate in a production environment.

The server certificate issued by the certificate authority is usually sent byemail. Ensure that you save the email and the server certificate sent bythe certificate authority.

5. Stop Automation Director.6. Copy the private key (httpsdkey.pem) and the server certificate or the

self-signed certificate (httpsd.pem) to the following directory:

HCS-Common-Component-installation-folder\uCPSB\httpsd\conf\ssl\server

7. Open the user_httpsd.conf file from the following location:

HCS-Common-Component-installation-folder\uCPSB\httpsd\conf\user_httpsd.conf

8. Within the user_httpsd.conf file, do the following:


a. Uncomment the following lines by removing the hash [#] signs:

#Listen 22016#<VirtualHost *:22016>

through

#</VirtualHost>

with the exception of #SSLCACertificateFile, which must remaincommented out.

The following is an example of how to edit the user_httpsd.conf file.If you are using SSL ECC, also uncomment the following lines:

#SSLECCCertificateKeyFile#SSLECCCertificateFile

ServerName host-nameListen 22015Listen [::]:22015#Listen 127.0.0.1:22015SSLDisableListen 22016#Listen [::]:22016<VirtualHost *:22016>ServerName host-nameSSLEnableSSLProtocol TLSv1 TLSv11 TLSv12SSLRequiredCiphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHASSLRequireSSLSSLCertificateKeyFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"SSLCertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/httpsd.pem"#SSLECCCertificateKeyFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/ecc-httpsdkey.pem"#SSLECCCertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/ecc-httpsd.pem"# SSLCACertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/cacert/anycert.pem"</VirtualHost>#HWSLogSSLVerbose On

b. Edit the following lines as required:

ServerName in the first line


ServerName in the <VirtualHost> tag

SSLCertificateKeyFile

SSLCertificateFile

SSLECCCertificateKeyFile (if using ECC)

SSLECCCertificateFile (if using ECC)

#SSLCACertificateFile

When using a chained server certificate issued from a certificateauthority, delete the hash sign (#) from the line "#SSLCACertificateFile", and specify the chained certificate file (createdby certificate authority) by using an absolute path.

Note: To block non-SSL communication from external serversto the management server, comment out the lines Listen22015 and Listen [::]:22015 by adding a hash mark (#) tothe beginning of each line. After you comment out these lines,remove the hash mark (#) from the line #Listen127.0.0.1:22015.

For an IPv6 environment, remove the hash mark (#) at thebeginning of the lines #Listen [::]:22016.

To block non-SSL communication within the managementserver, close the HBase 64 Storage Mgmt Web Service port.

The following is an example of how to edit the user_httpsd.conf file.The numbers represent the default ports.

ServerName host-nameListen 22015Listen [::]:22015#Listen 127.0.0.1:22015SSLDisableListen 22016#Listen [::]:22016<VirtualHost *:22016>ServerName host-nameSSLEnableSSLProtocol TLSv1 TLSv11 TLSv12SSLRequiredCiphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHASSLRequireSSLSSLCertificateKeyFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"


SSLCertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/server-certificate-or-self-signed-certificate-file"#SSLECCCertificateKeyFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/ecc-httpsdkey.pem"#SSLECCCertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/ecc-httpsd.pem"SSLCACertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/cacert/certificate-file-from-certificate-authority"</VirtualHost>#HWSLogSSLVerbose On

9. Start Automation Director.10. Update the Automation Director URL by using the hcmds64chgurl

command as follows:• Change the protocol from http: to https:• Change the port number used for secure communication.

ResultSSL is now implemented on the Automation Director server.

Setting up SSL on the server for secure client communication (Linux)To implement secure communication between the management server andmanagement clients, you must set up SSL on the management server.

Before you begin

Before setting up SSL on the server, verify the following prerequisites:• The Web browser version running on the management client is supported

by Automation Director.• The signature algorithm of the server certificates is supported by the

management client Web browser.• The location of the existing private key, certificate signing request, and the

self-signed certificate is confirmed (ensure that you check the locationwhen recreating them).

Verify the following information for the certificate authority that you areusing:• The certificate signing request you created by using the hcmds64ssltool

command is in PEM format, and the key size of the private key is 2048bits.

• The server certificate issued by the certificate authority uses X.509 PEMformat and supports the signature algorithm.

• The server certificate application process is understood.


In addition to a private key and a certificate signing request, the followingprocedure creates a self-signed certificate. We recommend that you use theself-signed certificate for testing purposes only.

Procedure

1. Start Automation Director.2. To create a private key (httpsdkey.pem), a certificate signing request

(httpsd.csr), and a self-signed certificate (httpsd.pem) for the HCSCommon Component, use the following command:

HCS-Common-Component-installation-folder/bin/hcmds64ssltool -key HCS-Common-Component-installation-folder/uCPSB/httpsd/sslc/bin/demoCA/httpsdkey.pem -csr HCS-Common-Component-installation-folder/uCPSB/httpsd/sslc/bin/demoCA/httpsd.csr -cert HCS-Common-Component-installation-folder/uCPSB/httpsd/sslc/bin/demoCA/httpsd.pem -certtext HCS-Common-Component-installation-folder/uCPSB/httpsd/sslc/bin/demoCA/httpsd.txt -validity 365

This command outputs the content of the self-signed certificate tohttpsd.txt. We recommend that you use the self-signed certificate fortesting purposes only.

When you run this command, the signature algorithm uses SHA256 withRSA and creates a self-signed certificate with an expiration day (basedon a 365 day time span) specified by the validity option.

You can specify the signature algorithm using the sigalg option. If youomit this option, SHA256 with RSA is used. In addition, you can alsospecify SHA1 with RSA or MD5 with RSA.

Note: If a file with the same name exists in the output destinationpath, running the hcmds64ssltool command overwrites the file.We recommend storing the file in a different destination when youre-create the file.

3. When prompted, enter the following information after the colon(:).• Server Name (management server host name) - for example,

HAD_SC1.• Organizational Unit (section) - for example, Automation Director.• Organization Name (company) - for example, Hitachi.• City or Locality Name - for example, Santa Clara.• State or Province Name (full name) - for example, California.• Country Name (2 letter code) - for example, US.

To leave a field blank, type a period (.). To select a default valuedisplayed within the brackets ([]), press Enter.


4. Send the certificate signing request (httpsd.csr) to the certificateauthority to apply for a server certificate.

Note: This step is not required if you plan to use a self-signedcertificate, but we recommend that you use a signed servercertificate in a production environment.

The server certificate issued by the certificate authority is usually sent byemail. Ensure that you save the email and the server certificate sent bythe certificate authority.

5. Stop Automation Director.6. Copy the private key (httpsdkey.pem) and the server certificate or the

self-signed certificate (httpsd.pem) to the following directory:

HCS-Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/server

7. Open the user_httpsd.conf file from the following location:

HCS-Common-Component-installation-folder/uCPSB/httpsd/conf/user_httpsd.conf

8. Within the user_httpsd.conf file, do the following:a. Uncomment the following lines by removing the hash [#] signs:

#Listen 22016#<VirtualHost *:22016>

through

#</VirtualHost>

with the exception of #SSLCACertificateFile, which must remaincommented out.

The following is an example of how to edit the user_httpsd.conf file.If you are using SSL ECC, also uncomment the following lines:

#SSLECCCertificateKeyFile#SSLECCCertificateFile

ServerName host-nameListen 22015Listen [::]:22015#Listen 127.0.0.1:22015SSLDisableListen 22016#Listen [::]:22016<VirtualHost *:22016>ServerName host-nameSSLEnable


SSLProtocol TLSv1 TLSv11 TLSv12SSLRequiredCiphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHASSLRequireSSLSSLCertificateKeyFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"SSLCertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/httpsd.pem"#SSLECCCertificateKeyFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/ecc-httpsdkey.pem"#SSLECCCertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/ecc-httpsd.pem"# SSLCACertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/cacert/anycert.pem"</VirtualHost>#HWSLogSSLVerbose On

b. Edit the following lines as required:

ServerName in the first line

ServerName in the <VirtualHost> tag

SSLCertificateKeyFile

SSLCertificateFile

SSLECCCertificateKeyFile (if using ECC)

SSLECCCertificateFile (if using ECC)

#SSLCACertificateFile

When using a chained server certificate issued from a certificateauthority, delete the hash sign (#) from the line "#SSLCACertificateFile", and specify the chained certificate file (createdby certificate authority) by using an absolute path.

Note: To block non-SSL communication from external serversto the management server, comment out the lines Listen22015 and Listen [::]:22015 by adding a hash mark (#) tothe beginning of each line. After you comment out these lines,remove the hash mark (#) from the line #Listen127.0.0.1:22015.

For an IPv6 environment, remove the hash mark (#) at thebeginning of the lines #Listen [::]:22016.


To block non-SSL communication within the managementserver, close the HBase 64 Storage Mgmt Web Service port.

The following is an example of how to edit the user_httpsd.conf file.The numbers represent the default ports.

ServerName host-nameListen 22015Listen [::]:22015#Listen 127.0.0.1:22015SSLDisableListen 22016#Listen [::]:22016<VirtualHost *:22016>ServerName host-nameSSLEnableSSLProtocol TLSv1 TLSv11 TLSv12SSLRequiredCiphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHASSLRequireSSLSSLCertificateKeyFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"SSLCertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/server-certificate-or-self-signed-certificate-file"#SSLECCCertificateKeyFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/ecc-httpsdkey.pem"#SSLECCCertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/server/ecc-httpsd.pem"SSLCACertificateFile"HCS-Common-Component-installation-directory/uCPSB/httpsd/conf/ssl/cacert/certificate-file-from-certificate-authority"</VirtualHost>#HWSLogSSLVerbose On

9. Start Automation Director.10. Update the Automation Director URL by using the hcmds64chgurl

command as follows:• Change the protocol from http: to https:• Change the port number used for secure communication.

ResultSSL is now implemented on the Automation Director server.


Setting up SSL on web-based management clientsTo implement secure communications between the management server andmanagement clients, you must set up SSL on all Automation Directormanagement clients that access the Automation Director web-based userinterface. You must first set up SSL on the management server before settingup the management clients. You are only required to follow this procedurethe first time you access the management server from this client.

Before you begin

If the signature algorithm used is SHA256 with RSA, the Web browser in usemust support a server certificate that has an SHA256 with RSA signature.

Procedure

1. From the management web client, access the management server usingan SSL connection by using the following URL:https://HAD-management-server-name:port-number-for-SSL-communication/Automation/

2. Install the SSL certificate.

ResultThe SSL certificate is registered on the management client so it cancommunicate with the management server using SSL.

Setting up secure communication for an external authenticationserver

In a Windows environment, use the StartTLS protocol to implement securecommunication between the Automation Director management server andthe LDAP directory server. To implement StartTLS, you must update theproperties in the exauth.properties file and import the LDAP directoryserver certificate into the management server.

Note: If you specify an IPV6 address in a Linux environment, you arerequired to enclose the address with square brackets [ ].

Changing the port number of the authenticator connection for theprimary HCS server (Windows)

To change the port number:


Execute the hcmds64prmset command to change the port number of theauthenticator connection as follows:

HCS-Common-Component-installation-folder\bin\hcmds64prmset /hostname <the hostname of a primary server> /sslport <SSL port number>by:• Specifying the same name as Common Name (CN) for the credentials as

"hostname".• Specifying the SSL port number (sslport) of a common component. The

default is 22016.

Changing the port number of the authenticator connection for theprimary HCS server (Linux)

To change the port number:

Execute the hcmds64prmset command to change the port number of theauthenticator connection as follows:

HCS-Common-Component-installation-folder/bin/hcmds64prmset -hostname <the host name of a primary server> -sslport <SSL port number>by:• Specifying the same name as Common Name (CN) for the credentials as

"hostname".• Specifying the SSL port number (sslport) of a common component. The

default is 22016.

Importing VMware vCenter certificates

When using VMware service or VMware vCenter server certificates, you mustimport the certificates to the truststore of the Hitachi Command Suitecommon component.

You must also import the following certificates:• certificate authority• intermediate certificate authority• route certificate authority

In some cases, well-known certificate authority certificates may already beimported. In this case, this procedure is unnecessary.

In Windows, use the hcmds64keytool command. For Unix, use standardkeytool. To import the certificate in Java, ensure that the trust storepassword includes six or more characters. In addition, ensure that the newalias name does not conflict with an existing alias name.


For Windows:

HCS-Common-Component-installation-folder\bin\hcmds64keytool -import -alias <alias name> -keystore <Hitachi Command Suite The installation folder>\uCPSB\jdk\jre\lib\security\jssecacerts -storepass <trust store password> -file <certificate file>For Unix:

HCS-Common-Component-installation-folder/uCPSB/jre/jdk/bin/keytool -import -alias <alias name> -keystore HCS-Common-Component-installation-folder/uCPSB/jdk/jre/lib/security/jssecacerts -storepass <trust store password> -file <certificate file>Additional guidelines• For information on the security setting method of VMware vCenter, see the

VMware documentation.• To obtain vCenter server certificate, refer to the VMware documentation

for accessing server certificates.

Importing the server certificate to a Device Manager agent truststore

When using Clone (Shadow Image), Snapshot (Thin Image), and CopyTopology services, you must import the Hitachi Device Manager servercertificates to the Device Manager agent's trust store.

Refer to "Importing a server certificate into the truststore for the DeviceManager agent" in the Hitachi Command Suite Administrator Guide fordetails.

Importing the Device Manager server certificateIf the Add Host feature is enabled, you must obtain the server certificate ofeach Device Manager and import the self-signed server certificate or thecertificate authority certificate to the trust store that Automation Directorreferences.

Obtaining the Device Manager server certificate

To create, see "Configuring an SSL server (Device Manager server)" of"Hitachi Command Suite Administrator Guide".

Note: If using "Allocate Volumes for Symmetric Cluster Server from 2-Storage Systems" service, this is required regardless of enable/disable stateof the Add Host feature.

Importing the self-signed server certificate or the certificateauthority certificate


When using the certificate authority certificate, you also need to import thecertificates of intermediate certificate authority and route certificateauthority. In some cases, well-known certificate authority certificates mayalready be imported. In this case, this procedure is unnecessary.

Note: The HCS Common Component trust store on the Automation Directorserver is jssecacerts.

Follow these guidelines:

• If you are running a multiple Device Manager configuration, you mustobtain the server certificate of each Device Manager.

• When you use the self-signed certificate, import the self-signed certificateof each Device Manager server to the trust store.

• When you use the certificate authority certificate, import the certificate ofeach certificate authorities that issues the server certificate to the truststore.

Related references

• Importing the server certificate of each Device Manager to the trust storeof a Hitachi Command Suite common component on page 57

Importing the server certificate of each Device Manager to the truststore of a Hitachi Command Suite common component

After you obtain the server certificate from each Device Manager server, youmust import it to the trust store that Automation Director references.1. Downloading the Device Manager trust store file.

If the Device Manager uses a self-signing certificate, download the truststore from a web browser using either of the following URLs . This step isunnecessary if the Device Manager already uses the certificate ofcertificate authority.Set the port number to SSL:2443 and non-SSL:2001 by default.Refer to "Configuring an SSL client" in the Hitachi Command SuiteAdministrator Guide for details.https://<IP address or host name of Device Managerserver>:<SSL port number of Device Manager server>/service/HiCommandCertshttps://<IP address or host name of Device Managerserver>:<Non-SSL port number of Device Manager server>/service/HiCommandCerts

2. Exporting the certificate for each Device Manager.If the Device Manager uses a self-signing certificate, usehcmds64keytool for exporting the Device Manager server certificate from


the downloaded trust store. This step is unnecessary If the DeviceManager already uses the certificate of certificate authority.Specify the downloaded trust store as a trust store file.Refer to "Configuring an SSL client" in the Hitachi Command SuiteAdministrator Guide for details.For Windows:HCS-installation-folder\Base64\bin\hcmds64keytool -exportkeystore <trust-store-file> -alias <alias-name> -file<certificate-file>For Linux:HCS-installation-folder/Base64/uCPSB/jdk/bin/keytool -exportkeystore <trust-store-file> -alias <alias-name> -file<certificate-file>

3. Importing the certificate of each Device Manager to the trust store of aHitachi Command Suite common component.Import the exported server certificate of a self-signature or the certificateof certificate authority at a trust store.For Windows, use the hcmds64keytool. For Unix, use standard keytoolfor Java for an importing the certificate. To import the certificate in Java,ensure that the trust store password includes six or more characters. Inaddition, ensure that the new alias name does not conflict with anexisting alias name.If the Device Manager uses the certificate of certificate authority, thecertificate of an intermediate certificate authority and route certificateauthority (that also routes other certificate authorities), you must importthe certificate authority. In some cases, well-known certificate authoritycertificates may already be imported. In this case, this procedure isunnecessary.For Windows:HCS-Common-Component-installation-Folder\bin\hcmds64keytool -import -alias <alias-name> -keystore HCS-Common-Component-installation-directory\uCPSB\jdk\jre\lib\security\jssecacerts-storepass <trust-store-password> -file <certificate-file>For Unix:HCS-Common-Component-installation-Folder/jdk/bin/hcmds64keytool -import -alias <alias-name> -keystore HCS-Common-Component-installation-directory/uCPSB/jdk/jre/lib/security/jssecacerts -storepass <trust-store-password> -file<certificate-file>

Checking the server certificate expiration dateYou can check the expiration date for an SSL certificate to ensure that yourcertificate has not expired. You must ensure that the management server


certificate does not expire to maintain secure communication with managedservers.

To check the expiration of the Hitachi Command Suite Common Componentserver certificate, run the following command:

For Windows:

<Hitachi Command Suite InstallationFolder>\Base64\uCPSB\jdk\jre\bin\keytool -printcert -v -file<File name of certificate >For Linux:

<Hitachi Command Suite InstallationDirectory>/Base64/uCPSB/jdk/bin/keytool -printcert -v -file<File name of certificate>

Note: The expiration date of a self-signed server certificate is not checked atthe connection between servers. If you need to check the expiration date ofcertificate at the connection of the HAD server and Device Manager server,use the certificate issued by the certificate authority. Then, import thecertificates not only for the server, but also for the certificate authority, andintermediate certificate authority. Afterwards, route the certificate authorityto the HCS Common Component trust store.

Enabling RMI communication for Replication ManagerEnable RMI communication for Replication Manager on the managementserver as described in this section.

Before you begin

Log in to the Device Manager server as a user with Administrator permissions(for Windows) or as a root user (for Linux).

To enable RMI communication for Replication Manager:

Procedure

1. Stop the Hitachi Command Suite product services.2. Specify true for the base.rmi.enabled property in the

base.properties file of Replication Manager. The base.properties fileis stored in the following location:

In Windows:

Installation-folder-for-Hitachi-Command-Suite\ReplicationManager\conf

In Linux:


installation-directory-for-Hitachi-Command-Suite/ReplicationManager/conf

For details on the base.properties file and the base.rmi.enabledproperty of Replication Manager, see the Replication ManagerConfiguration Guide.

3. Set up the rpmlib.rpm.port property in the rpmlib.properties file ofthe Device Manager server.

Enter the port number that is set for the base.rmi.port property in thebase.properties file of Replication Manager. If you did not change thevalue for the base.rmi.port property (default: 25200), this operation isunnecessary.

The base.properties file is stored in the following location:

In Windows:

Installation-folder-for-Hitachi-Command-Suite\ReplicationManager\conf

In Linux:

installation-directory-for-Hitachi-Command-Suite/ReplicationManager/conf

For details on the base.properties file and the base.rmi.enabledproperty of Replication Manager, see the Replication ManagerConfiguration Guide.

4. Start the Hitachi Command Suite product services.See "Enabling RMI Communication for Replication Manager" in the HitachiCommand Suite Administrator Guide for additional information asrequired.

Moving a Hitachi Automation Director installation from onehost to another

If necessary, you can relocate an installation of Hitachi Automation Directorfrom one host to another.

Note: If the hostname or IP address of the replacement source andhostname or IP address of the replacement destination are different, youmust change the management server host name.

Before you begin

Make sure following settings are the same between the source host and thereplacement destination host:• The hostname and IP address.


• The character-code type.• The account of the Operating System user used by Hitachi Automation

Director• The HCS product environment (configuration, version, and revision).• The installation path of Automation Director.

You should also make sure that no tasks are currently being processed in the"Status" column of the Tasks tab of Hitachi Automation Director with theindication "In Progress", "Waiting for Response", "Abnormal Detection", "LongRunning", or "Terminated".

Procedure

1. Log into the management server using Administrator privilege.2. Perform a backup of Automation Director on the source host.

a. Stop the current services by running the hcmds64srv /stopcommand.

b. Run the backupsystem command to perform the backup.3. Transfer the archived backup file to the replacement destination host.4. Log on to the management server for the destination host.5. Perform a restore of Hitachi Automation Director on the replacement

destination host.a. Stop the services by running the hcmds64srv /stop command.b. Run the restoresystem command to restore the backup.c. Modify the appropriate settings in the following configuration files to

match the environment of the restore destination:• External authentication server integration config file

(exauth.properties).• Security definition file (security.conf).• Audit log definition file (auditlog.conf).• Setting of changing port number (user_httpsd.conf).• SSL environment build procedure (user_httpsd.conf).

These configuration files are located in the following directories:• Backup destination folder \HBase\base\conf• Backup destination folder \HBase\base\httpsd.conf

6. If the port number is changed, modify the necessary settings to reflectthe new port number.

7. Restart the services by running the hcmds64srv /start command.

Related tasks

• Changing the management server host name on page 40


Running Automation Director without an external networkconfiguration

To run Automation Director in an environment that uses a private, internalnetwork you need to disable to the Authenticode signature function.Authenticode verifies the integrity of the software as it is being downloadedor transferred over a network. Windows runs with the Authenticode signaturefunction by default.

In an environment that has no connection to an external network, it mighttake more than 20 seconds before the system is able to run a service plug-in.

To disable the Authenticode signature, you must reconfigure theMicrosoft.NET framework.

Procedure

1. Use a text editor to open the following files:a. <system-drive>:\Windows\Microsoft.NET\Framework

\v2.0.50727\aspnet.configb. <system-drive>:\Windows\Microsoft.NET\Framework

\v2.0.50727\CONFIG\machine.config2. Set 'generatePublisherEvidence enabled' to false as shown below

and save the file.

--------------------------------------------

<configuration><runtime><generatePublisherEvidence enabled="false"/></runtime></configuration>

---------------------------------------------

Changing the system configuration through the propertiesfile (config_user.properties)

The conf_user.properties file is the definition file for configuring variousHitachi Automation Director settings such as logs and tasks. Note thatchanging the properties file, restarts the Hitachi Automation Director engineweb service.

You can change the following configuration properties through this file:


• Log file configuration (specify the number of logs to store).• Task and history configuration (specify the number of tasks and task

histories to store).• Configuration regarding remote command execution (SSH/telnet port

number)• Configuration information for email notification.• Configuration information regarding Service Builder.• Connection timeout value setting.

Format

specification-key-name=setting

Installation folder

HAD-installation-folder\conf

Description

When editing the properties file, take note of the following:

• Lines that begin with # are treated as comments• Blank lines are ignored• The encoding is ISO 8859-1• The contents are case sensitive• To specify \ in a character string, it must be written \\.• If an invalid value is entered for a setting, it is set to its default value, and

message KNAE02022-W is output to the integrated trace log and public log• If the same specification key is entered multiple times in a file, the last

one that is specified will take effect

Settings in the properties file

Category Key name Setting ValuesDefaultvalues

Logs1 logger.sysloglevel

Specifies the threshold for

event log or syslog output.

• 0:Outputonlywhen theoutputlevel ofthemessageID is 0

• 10:Outputwhen theoutputlevel ofthe

0



messageID is 0or 10

logger.message.server.MaxBackupIndex

Specifies the maximum

number of log backup files

for a server.

1 - 16 7

logger.message.server.MaxFileSize

Specifies the maximum log

file size (in KBs) for a

server.

4 - 2097151 1024

logger.message.command.MaxBackupIndex


number of log backup files

for a command.

1 - 16 7

logger.message.command.MaxFileSize



command.

4 - 2097151 1024

logger.TA.MaxFileSize



task.

4 - 2097151 10240

Task management tasklist.autoarchive.taskRemainingPeriod

Specifies the period (in

days) for terminated tasks

to remain in the task list.

1 - 90 7

tasklist.autoarchive.executeTime

Specifies the time to run

the automatic archiving

task.

00:00:00 -

23:59:59

04:00:00

tasklist.autoarchive.maxTasks


number of tasks to keep in

the task list.

100 - 50000 5000

tasklist.autodelete.maxHistories


number of history entries

to retain.

100 - 50000 30000

task.details.jobnet.status.visible

Specifies whether the steplist in the Task Detailsdialog box displays thestatus in the task-processing engine or thestatus of steps.

true: Display the status inthe task-processing engine

false: Display the status ofsteps

true/false false



Service

management

packagemanager.extraPresets.maxFiles

Specified the maximum

number of preset property

definition files per 1

service template which can

be placed in the extra

preset folder.

5 - 100 5

Repeats foreach.max_value


number of concurrent

tasks that can be executed

by the Repeated Execution

Plug-in.

1 - 99 3

Remote connection

port number

ssh.port.number Specifies the SSH port

number of the operation

target device.

0 - 65535 22

telnet.port.number

Specifies the Telnet port

number of the operation

target device

0 - 65535

General command,

Remote command,

File-forwarding,

Terminal

connection

plugin.stdoutSize.wmi

If the total size of thestandard output and thestandard error exceeds theproperty value, a plug-inerror occurs.

Note: The property valueunit is in kilobytes (KB).

This property is appliedduring plug-in operation,when the followingconditions are met.

- Connection target host isWindows

- Execution target plug-inis either a GeneralCommand Plug-in orContents plug-in

In Windows, the plug-incan continue to run, evenif the number of linefeedsexceeds 65535 or more.To take advantage of thisfeature, you must to setthe property valueaccordingly. For example,if this property is set to100 KB (default value),the plug-in cannot process



the maximum number oflinefeeds of 65535 ormore. The plug-in stopsrunning once it reachesthe 100 KB limit.

plugin.stdoutSize.ssh



This property is appliedduring plug-in operationwhen the following twomajor conditions are met.

[Condition (1) (Note: Thefollowing target-basedconditions must be met). ]

- Connection target host isLinux/UNIX.

- Execution target plug-inis a General CommandPlug-in or Contents plug-in.

[Condition (2) (Note: Thefollowing protocol andplug-in conditions must bemet.)]

- Connection protocol isSSH.

- Execution target plug-inis Terminal Connect Plug-in or Terminal CommandPlug-in.

plugin.stdoutSize.telnet



This property is appliedduring plug-in operationwhen the followingconditions are met.



- Connection protocol isTelnet.

- The target plug-in iseither Terminal ConnectPlug-in or TerminalCommand Plug-in.

plugin.remoteFileAccess.retry.times

Specifies the number ofretries for a filemanipulation commandexecuted internally by acontent plug-in or file-forwarding plug-in. Theretry interval is fixed at100 ms.

If a temporary file accesserror occurs, retrying thecommand might result insuccessful operation.However, if the file accesserror is not recovered,extra time is required forretries until the plug-interminates. Specify thisproperty in anenvironment in which fileaccess errors occur even ifthere are no problemswith disks.

0 - 100 0

ssh.privateKeyFile

Specifies the absolute path

of the private key file if

public key authentication

is used for SSH

connections.

0 - 255

plugin.localMode

Specifies whether toenable or disable localexecution mode.

true: enabled

false: disabled

true/false true

Remote file

operation retry

plugin.remoteFileAccess.retry.times

Specifies the retry count ofthe command whichoperates the file runinternally by the contentsplug-in and file transferplug-in. The interval of theretry is fixed as 100 ms.

Even if the temporary fileaccess error occurs, it maybe successful byperforming a retry.

0 - 100 0



However, if the file accesserror is not recovered, ittakes extra time toperform a retry until theend of the plug-in. Set thisproperty in theenvironment where the fileaccess error occurs even ifthere is no problem withthe disk, etc.

Terminal

connection

plugin.terminal.prompt.account

Specifies the regularexpression used to detectthe user ID waiting state.

If the standard output andstandard error outputmatch the specifiedregular expression, theterminal connect plug-in(Telnet is specified for theprotocol) determines thata user ID must beentered, and then it entersa user ID.

1 - 1024 login|Login

Name|

Username|

UserName

plugin.terminal.prompt.password

Specifies the regularexpression used to detectthe password waitingstate.

If the standard output andstandard error outputmatch the specifiedregular expression, theterminal connect plug-in(Telnet is specified for theprotocol) determines thata password must beentered, and then it entersa password.

1 - 1024 password|

Password|

PassWord

telnet.connect.wait

Specifies the waiting time

(in seconds) until the

standard output is

returned after an SSH

connection is established

with the operation target

device.

1 - 600 60

Remote command plugin.remoteCommand.executionDirectory.wmi

Specifies the path of theexecution directory thatcontains the contentsplug-in to run if the targethost is running Windows.The execution directory

0 - 256



must be created inadvance.

If the "Execution Mode" ofthe contents plug-in is"Script", the total stringlength of the specifiedvalue and the script filename do not exceed 140characters. If the lengthexceeds 140 characters,transferring the scriptmight fail. In addition,because the script filename must be specified in90 characters or less, thisvalue specified should bewithin 50 characters.

plugin.remoteCommand.executionDirectory.ssh

Specifies the path of the

execution directory to

execute the contents plug-

in if the OS of the

operation target host is

UNIX. The execution

directory is required to be

created in advance.

0 - 128

plugin.remoteCommand.workDirectory.ssh

Specifies the working

folder used when the file

transfer plug-in or the

contents plug-in is

executed if the OS of the

operation target host is

UNIX. Enter a folder or a

symbolic link as an

absolute path (1 - 128

characters). In addition,

the symbolic link can be

included as the layer of

the path.

1 - 128 /tmp/

Hitachi_AO

Retry remote host

connection

ssh.connect.retry.times

Specifies the number of

retries in the event of a

failed SSH connection to

the operation target

device.

0 - 100 3

ssh.connect.retry.interval

Specifies the interval (in

seconds) between retries

1 - 600 10



in the event of a failed

SSH connection to the

operation target device.

wmi.connect.retry.times



failed WMI connection to


device.

0 - 100 3

wmi.connect.retry.interval




WMI connection to the


1 - 600 10

telnet.connect.retry.times



failed Telnet connection to


device.

0 - 100 3

telnet.connect.retry.interval




Telnet connection to the


1 - 600 10

Retry email

notification

mail.notify.retry.times



failure of the notification

function to send an email.

0 - 100 3

mail.notify.retry.interval



in the event of a failure of

the notification function to

send an email.

1 - 600 10

mail.plugin.retry.times


retries in case of failure to

send email in the Email

Notification Plugin.

0 - 100 3

mail.plugin.retry.interval



in the event of a failure of

1 - 600 10



the Email Notification

Plugin to send an email.

Audit Log logger.Audit.command.useLoginUserID

Specifies whether to

output the HAD login user

ID, in place of the user ID,

to the subject

identification information

for the audit log when a

command is executed.

true/false false

Window refresh client.events.refreshinterval

Specifies the refresh

interval (in seconds) for

events.

0 - 65535 5

Editor client.editor.upload.maxfilesize

Specifies the maximum file

size (in MB) that can be

uploaded to the server

from the terminal used for

operating Automation

Director by using the

Editor window.

1 - 10 3

client.editor.canvas.maxwidth


size (in px) of the width of

Flow Editor view.

3600 -

10000

3600

client.editor.canvas.maxhigh


size (in px) of the height

of Flow Editor view.

2400 -

30000

2400

server.editor.step.perTemplate.maxnum


number of steps per 1

service template.

320 - 40000 320

server.editor.step.perLayer.maxnum


number of steps per 1

layer.

80 - 10000 80

server.editor.publicProperty.perTemplate.maxnum


number of service

properties per service

template.

100 - 2000 100

server.editor.propertyGroup.perTemplate.maxnum


number of property groups

per service template.

5 - 1000 500



Debugger tasklist.debugger.autodelete.taskRemainingPeriod


number of property groups

per service template.

1 - 90 7

client.debugger.tasklog.maxfilesize

Specifies the size of task

logs (KB) displayed in the

Task Log tab.

4 - 10240 1024

logger.debugger.TA.MaxFileSize


file size (KB) for a debug

task.

4 - 2097151 10240

Task Monitor client.monitor.tasklog.maxfilesize

Specifies the size of task

logs (KB) displayed in the

Task Log dialog box.

4 - 10240 1024

client.monitor.tasklog.refresh.interval

Specifies the automatic

refresh interval (seconds)

of the Task Log dialog box.

30 - 300 30

client.monitor.status.interval

Specifies the automatic

refresh interval (seconds)

of the task monitor.

30 - 300 30

LongRunningTask

check interval

threshold

server.longRunning.check.interval

LongRunningTask check

interval threshold (in

minutes)

0 - 20160 2880

LongRunning

Monitor interval

server.longRunning.monitor.interval

LongRunning monitor

interval (in seconds)

1 - 3600 60

Web Client plugin.http.read.timeout

Specifies the timeout value

(in seconds) when the

HTTP/HTTPS connection is

established. If 0 is

specified, timeout does not

occur.

0 - 3600 60

plugin.http.read.timeout

Specifies the timeout value

(in seconds) when the

HTTP/HTTPS connection is

established. If 0 is

specified, timeout does not

occur.

0 - 86400 600

1 The log output threshold for tasks can be set in Service Share Properties.


Example

logger.sysloglevel = 0

logger.message.server.MaxBackupIndex = 7

logger.message.server.MaxFileSize = 1024

logger.message.command.MaxBackupIndex = 7

logger.message.command.MaxFileSize = 1024

logger.TA.MaxFileSize = 1024

tasklist.autoarchive.taskRemainingPeriod = 7

tasklist.autoarchive.executeTime = 04:00:00

tasklist.autoarchive.maxTasks = 5000

tasklist.autodelete.maxHistories = 30000

mail.notify.retry.times = 3

mail.notify.retry.interval = 10

mail.plugin.retry.times = 3

mail.plugin.retry.interval = 10

client.events.refreshinterval = 5

Changing the port number for communicating with the HADserver through the command properties file(command_user.properties)

This is the definition file for setting the http port that is used when runningcommands. If you change the port number used for communications betweenAutomation Director and the web browser, you must also change the httpport used when executing commands to the same number. This is requiredfor updating the definition file.

Format


Installation folder



Description

One specification key and setting are specified per line. When editing thecommand properties file, take note of the following:

• Lines that begin with # are treated as comments.• Blank lines are ignored.• The encoding is ISO8859-1.• The entries are case sensitive.• To specify \ in a character string, it must be written \\.• If an invalid value is entered for a setting, it is set to its default value, and

message KNAE02022-W is output to the integrated trace log and publiclog.

• If the same specification key is entered multiple times in a file, the lastone that is entered will take effect.

Setting

Key name Setting Values Default value

command.http.port Specifies the http portused when executingcommands.

1–65535 22015

Example definitions

command.http.port = 22015

Changing the email notification definitionThis is the definition file for email notification in the event of a failure or if anabnormality is detected in a task.

Format

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?><mail xmlns="http://www.hitachi.com/products/it/software/xml/automation/conf/mailDefinition"><title>email-title</title><body>email-body</body> </mail>

Installation folder


Description

The definition file for email notification is in XML format. The locations to editare the email-title and email-body sections.


When editing the file, take note of the following:

• A read error occurs if the definition file for email notification is missing, oris not well-formed XML. In this case, the email is sent with the default titleand body.

• If you specify tags outside of <mail>, <title>, and <body>, even if thetags are well-formed XML, the tags and their content are ignored.

• An empty string will be specified for the value of a <title> or <body> tagthat is omitted.

• The <mail> tag cannot be omitted. If it is omitted, the format is invalidand a read error occurs.

• The entries are case sensitive.

Settings in the definition file for email notification

Setting XML elementCharacter stringlength

Default value

Title of email to be

used in email

notifications

<title> Character string of

0-9,999 bytes

[HCS Automation]

$TASK_NAME$ has

changed to

$TASK_STATUS$

Body of email to be

used in email

notifications

<body> Character string of

0-9,999 bytes

Service Group Name:

$SERVICE_GROUP_NA

ME$ Task Name:

$TASK_NAME$ User

Name: $USER_NAME$

Task Detail:

$TASK_DETAIL_ URL$

XML entity references

Character you want in the email Character string to be entered

& &

< <

> >

" "

' '


Embedded characters in the definition file for email notification

Embedded characters Item Remarks

$SERVICE_GROUP_NAME$ Service group name Set to the character string

representing the resource

group name.

$TASK_NAME$ Task name Set according to the format in

the task properties.

$TASK_ID$ Task ID

$TASK_KIND$ Task type

$SERVICE_NAME$ Service name

$TASK_TAGS$ Tag of the task

$TASK_STATUS$ Task status

$EXECUTION_DATE$ Date and time the operation

was executed

$PLANNED_START_DATE$ Planned date and time of start

$START_DATE$ Actual date and time of start

$END_DATE$ Date and time of end

$USER_NAME$ User who executes the

operation

$TASK_DETAIL_URL$ URL of the Task Detail window Set to a URL starting with http.

Changing the password policy through the securitydefinition file (security.conf)

This is the definition file for settings related to user password conditions andlocks. Users can modify the HCS password policy through this file tocustomize the security settings as required.

Format


Installation folder

Common-Component-installation-folder\conf\sec

Description

One specification key and setting are specified per line. The default state ofthe security definition file is as follows.


# This is the minimum length of the password# (minimum: 1 -256 characters)password.min.length=4

# This is the minimum number of uppercase characters included inthe password# (minimum: 0-256 characters, character type: A-Z)password.min.uppercase=0

# This is the minimum number of lowercase characters included inthe password# (minimum: 0-256 characters, character type: a-z)password.min.lowercase=0

# This is the minimum number of numeric characters included inthe password# (minimum: 0-256 characters, character type: 0-9)password.min.numeric=0

# This is the minimum number of symbolic characters included inthe password# (minimum: 0-256 characters, character type: ! # $ % & ' ( ) * +- . = @ \ ^ _ |)password.min.symbol=0

# This specifies whether the user ID can be used for the password# (true = cannot use the user ID, false = can use the user ID)password.check.userID=false

# This is the minimum number of login failures before an accountis locked# (minimum: 0-10 times)account.lock.num=0

Settings

Key name Setting Settable values Default value

password.min.length Specifies the minimum

number of characters in

a password.

1 - 256 4

password.min.uppercase

Specifies the minimum

number of uppercase

letters that must be

included in the

password. If 0 is

specified, there are no

constraints on the

0 - 256 0


Key name Setting Settable values Default value

number of uppercase

letters.

password.min.lowercase


number of lowercase

letters that must be

included in the

password. If 0 is


constraints on the

number of lowercase

letters.

0 - 256 0

password.min.numeric


number of numeric

characters that must

be included in the

password. If 0 is


constraints on the

number of numeric

characters.

0 - 256 0

password.min.symbol Specifies the minimum

number of symbols that

must be included in the

password. If 0 is


constraints on the

number of symbols.

0 - 256 0

password.check.userID

Specifies whether or

not to prevent the

password from being

the same as the user

ID.

• true: prevent this• false: allow this

false

account.lock.num Specifies the number of

consecutive failed login

attempts before the

account is

automatically locked. If

0 is specified, the

account is not

automatically locked

after failed login

attempts.

0 - 10 0


Configuring information used to connect with the operationtarget machine

Before you begin:• All the files located in the following path are regarded as destination

properties files.Path: <HAD-installation-folder>\Automation\conf\plugin\destinations

• The file name must use following format:<Host name>.properties, <IPv4 address>.properties, <IPv6address>.properties

Note: Because the colon ":" within an IPv6 address cannot be usedas it is in the file name, replace it with a dash (-); for example:2001::234:abcd -> 2001--234-abcd.properties.

• By default, the file named #sample.properties is located here: <HAD-installation-folder>\Automation\conf\plugin\destinations

When editing the properties file, take note of the following:• Lines that begin with # are treated as comments.• Blank lines are ignored.• Encoding is ISO 8859-1.• Contents are case sensitive• To specify a forward slash (\) in a character string, you must use a double

forward slash (\\).• If you specify an invalid value in the destination properties file, an

execution error occurs in the plug-in that references the destinationproperties file.

• If you enter the same specification key multiple times in a file, the last oneyou specify takes effect.

Use the following configuration information to connect with the targetmachine.

Configuration guidelines if the target machine is part of a clusterenvironment

Observe the following:• If the OS of the operation target machine is Windows Server 2012 or

Windows Server 2012 R2 cluster environment, the working directories(wmi.workDirectory.sharedName and wmi.workDirectory.sharedPath)


are required to be set. If it is not set, the plug-in will cause a connectionerror.

• If you execute the script with the contents plug-in, the execution directory(common.executionDirectory) is also required to be specified. If it is notset, the script file will fail to be forwarded.

Key name Setting Specifiablevalues

Smallest value Largest value

terminal.charset Specifies the

character set used

for

communication.

EUC-JP

eucjp

ibm-943C

ISO-8859-1

MS932

PCK

Shift_JIS

UTF-8

windows-31j

1 64

telnet.port Specifies the port

number used for a

Telnet connection

by using the

terminal connect

plug-in. This

setting has

priority over the

telnet.port.numbe

r setting in the

property file

(config_user.prope

rties).

0-65535 0 65535

ssh.port "Specifies the port

number used for

an SSH connection

by using one of

the following plug-

ins: - General

command plug-in-

File-forwarding

plug-in- Terminal

connect plug-in-

Content plug-

inThis setting has

0-65535 0 65535


priority over the

ssh.port.number

setting in the

property file

(config_user.prope

rties). "

telnet.prompt.acc

ount

Specifies a regular

expression pattern

used to detect the

character string

that is output for

prompting the

user to enter a

user ID to

establish a

connection with

the target device

by using the

terminal connect

plug-in. You can

use 1 to 1,024

characters. For

example, specify

Username:.

Character string

that can be used

in regular

expression

patterns.

One character 1024 characters

telnet.prompt.pas

sword

Specifies a regular

expression pattern

used to detect the

character string

that is output for

prompting the

user to enter a

password to

establish a

connection with

the target device

by using the

terminal connect

plug-in. You can

use 1 to 1,024

characters. For

example, specify

Password:.

Character string

that can be used

in regular

expression

patterns.


telnet.noStdout.p

ort.list

Specifies the port

number of the

service that does

0-65535, and

commas (,)



not return the

standard output

after a connection

is established by

using the terminal

connect plug-in.

You can use 1 to

1,024 characters.

To specify multiple

port numbers, use

a comma as a

separator.

wmi.workDirector

y.sharedName

"This is a property

valid if OS of the

operation target

machine is

Windows.Specifies

the shared folder

name of the

shared folder on

which the file

transmitted when

executing a

command on the

operation target is

put. The folder is

required to be the

same as

wmi.workDirector

y.sharedPath. If

using this

property, the

administrative

shared setting of

an operation

target is

unnecessary.

Specify the

character string of

0-80 characters."

Single-byte

alphanumeric

characters, "-",

"_", and ".".

Zero character 80 characters

wmi.workDirector

y.sharedPath

"This is a property

valid if OS of the

operation target

machine is

Windows.Specifies

Single-byte

alphanumeric

characters, ":",

"\", "-", "_", and

".".



the absolute path

of the shared

folder on which

the file

transmitted when

executing a

command on the

operation target is

put. If executing

General Command

Plug-in, the

execution

directory becomes

"\Hitachi\CMALib

\HAD\home"

under the path

which this

property

shows.The folder

is required to be

the same as

wmi.workDirector

y.sharedName. If

using this

property, the

administrative

shared setting of

an operation

target is

unnecessary.

Specify the

character string of

0-80 characters."

ssh.workDirectory "This is a property

valid if OS of the

operation target

machine is Linux/

Unix.Specifies the

absolute path of

the directory on

which the file for a

transmission is

put with File-

Forwarding Plug-in

or Contents plug-

Single-byte

alphanumeric

characters, "/",

"-", "_", and ".".



in. Neither the

path specified with

the this property

nor the path of

the parent

directory can be

specified as the

destination and

the receiver of

File-Forwarding

Plug-in. For the

working folder,

read privilege,

write privilege,

and execute

privilege to the

connected user

are required. If

the path specified

with this property

does not exist

when File-

Forwarding Plug-in

or Contents plug-

in is executed, it

is created when

the plug-in is

executed. If the

directory cannot

be created, the

plug-in execution

terminated

abnormally. It is

not concerned

with whether a

directory is newly

created, but

change the access

permission of the

specified directory

into 777. Priority

is given over the

value of

plugin.remoteCom

mand.workDirecto

ry.ssh defined at


config_user.proper

ties. Specify the

character string of

0-128 characters."

common.executio

nDirectory

"Specifies the

execution

directory at the

time of executing

Contents plug-in

on the operation

target.If the value

of the execution

directory defined

at the plug-in

definition is not

set, the value of

this property is

applied. Priority is

given over the

value of

plugin.remoteCom

mand.executionDi

rectory.wmi and

plugin.remoteCom

mand.executionDi

rectory.ssh

defined at

config_user.proper

ties. Specify the

character string of

0-128 characters.

"


Preconditions for an agentless connection place (Windows)

This module describes preconditions for an agentless connection place.

Supported users

The following users can be used in an agentless connection place:• Built-in administrator• A user belonging to an administrators group (1) (2)• Built-in administrator of Active Directory• A user belonging to the Domain Admin group of Active Directory (1) (2)


(1) UAC (User Access Control) elevation cannot be carried out at the time ofcommand execution.

(2) If the OS of a connection place satisfies one of the following conditions,you must perform a registry setting:• UAC feature is enabled on Windows Server 2008• UAC feature is enabled on Windows Server 2008 R2• OS is Windows Server 2012• OS is Windows Server 2012 R2

Using a registry editor, set an entry under the key of the following registry.

Note: An OS reboot is not necessary.

Item Value

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Registry entry LocalAccountTokenFilterPolicy

The value set as a registry entry 1 (DWORD)

As an option, you can enter the following command in a command prompt:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /vLocalAccountTokenFilterPolicy /t REG_DWORD /d 0x1 /f

Administrative share setting

Using administrative share, set an entry under the key of the followingregistry using a registry editor, and reboot OS.

Item Value

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\parameters

Registry entry AutoShareServer

The value set as a registry entry 1 (DWORD)

Enter the following command in a command prompt:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\parameters /v AutoShareServer /t REG_DWORD /d 1


Preconditions for an agentless connection place (SSH)This module describes the preconditions in the case of using a SSH protocolwith the following plug-ins:• Contents plug-in• General Command plug-in• File-Forwarding plug-in• Terminal Connect Plug-in• Terminal Command Plug-in• Terminal Disconnect Plug-in

Note: SSH must support version 2.

Password authentication

You must set up password authentication to an SSH server as follows:1. Log in to a remote operation target host as root.2. Open the sshd_config file.

For HP-UX: /opt/ssh/etc/sshd_config.For other OS: /etc/ssh/sshd_config

3. Set the value of PubkeyAuthentication to "yes". If thePubkeyAuthentication line is commented out, remove the comment outhash sign (#).

4. Run the following command and restart sshd service.For RHEL/CentOS/SUSE Linux/Oracle Linux (example - RHEL 6.4): /etc/rc.d/init.d/sshd restartFor Solaris (example - Solaris 10): /usr/sbin/svcadm restart sshFor AIX (example - AIX 6.1): kill -HUP [Process ID of sshd]For HP-UX (the example of HP-UX 11i V3): /sbin/init.d/secshstop; /sbin/init.d/secsh start

Note: These commands may change with different versions of theOS. Refer to the OS documentation for additional information.

Public key authentication

This module describes how to authenticate a public key that connects to anSSH server.

Setting up an SSH server


To use a public key authentication, it is necessary to set a public keyauthentication to a SSH server.1. Log into a remote operation target host as root.2. Open sshd_config.

HP-UX: /opt/ssh/etc/sshd_configOther than HP-UX: /etc/ssh/sshd_config

3. Set the value of PubkeyAuthentication to "yes". If thePubkeyAuthentication line is commented out, remove the comment outhash sign (#).

4. Run the following command and restart the sshd service.For RHEL/CentOS/SUSE Linux/Oracle Linux (example - RHEL 6.4): /etc/rc.d/init.d/sshd restartFor Solaris (example - Solaris 10): /usr/sbin/svcadm restart sshFor AIX (example - AIX 6.1): kill -HUP [Process ID of sshd]For HP-UX (the example of HP-UX 11i V3): /sbin/init.d/secshstop; /sbin/init.d/secsh start

Note: These commands may change with different versions of theOS. Refer to the OS documentation for additional information.

Creating a key (for the first time)

Create a public key and a secret key. It is strongly recommended that youcreate the keys on an OS where HAD is installed.

Note: If you are moving a secret key to another OS, there is a possibilitythat a secret key will leak and pose a security risk, as a result. However, it isalso possible to use the key created on another OS.

As a reference, the following procedure creates a key on RHEL6.4 (Linux).1. Run the ssh-keygen command.

If creating RSA key: ssh-keygen -t rsaIf creating DSA key: ssh-keygen -t dsa

2. Decide the location and name of a secret key.Specify a path and filename that does not contain multibyte characters.As for a default, ~/.ssh/id_rsa is set (if creating RSA key). A secret keyis set as the filename specified to a selected path. A public key is set tothe same directory as a secret key with the file extension ".pub" attachedto the name of the secret key.

3. Enter a pass phrase.You will be asked to enter the pass phrase and to press the return key.You will be then asked to enter the pass phrase again. If you choose notto set a pass phrase to a secret key, press only the return key to bypassthe pass phrase.


Arrange a secret key to HAD

Arrange a secret key on the OS where HAD is installed. Arrange at arbitraryplaces and set a path to ssh.privateKeyFile of a property file(config_user.properties).

Arranging a public key to a remote operation target host1. Redirect the output of the cat command and add the contents of the

generated public key file to the public key file (authorized_keys) used foran authentication. (Example: cat id_rsa.pub >> authorized_keys)

2. Execute the chmod command and change the attribute ofauthorized_keys to 600 (give write and read privilege only to theowner). If the attribute is not 600, an authentication may fail at the timeof plug-in execution.The arrangement place of authorized_keys is directly under ~/.ssh bydefault. With regard to ~/.ssh, change the attribute to 700 (give write,read, and execute privilege only to the owner).

Configuring a shared property1. Log into the HAD application.2. Select [Administration] > [Shared Properties Settings].3. Open the Pass phrase of the private key (for SSH public key

authentication).4. Enter the pass phrase as a value.

The value is the pass phrase of the private key (for SSH public keyauthentication).

Keyboard interactive authentication

To use keyboard interactive authentication, it is necessary to setupauthentication to a SSH server.1. Log into a remote operation target host as root.2. Open sshd_config.

HP-UX: /opt/ssh/etc/sshd_configOther than HP-UX: /etc/ssh/sshd_config

3. Setup keyboard interactive authentication as follows:For RHEL/CentOS/SUSE, Linux/Oracle Linux,Linux/AIX/HP-UX

- Set yes to the value of ChallengeResponseAuthentication. ((If theline of ChallengeResponseAuthentication is commented out, removethe comment out hash sign (#).)- Set yes to the value of UsePAM. (If the lUsePAM line is commented out,remove the comment out hash sign (#).)

For Solaris10


- Set yes to the value of PAMAuthenticationViaKBDInt. (If the line ofPAMAuthenticationViaKBDInt is commented out, remove the commentout hash sign (#).)

For Solaris11

- Set yes to the value of KbdInteractiveAuthentication. ((If the line ofKbdInteractiveAuthentication is commented out, remove thecomment out hash sign (#).)

4. For AIX, perform the following setting.

Note: With the exception of the AIX OS, It is not necessary tomake a setting change.

- Open /etc/pam.conf and add the following:

# Inside the Authentication blockAdd sshd auth required /usr/lib/security/pam_aix# Inside the Account Management blockAdd sshd account required /usr/lib/security/pam_aix# Inside the Password Management blockAdd sshd auth required /usr/lib/security/pam_aix.# Inside the Password Management blockAdd sshd password required /usr/lib/security/pam_aix# Inside the Session Management blockAdd sshd session required /usr/lib/security/pam_aix

- Open /etc/ssh/sshd_config and change the following line.

Change UsePAM = no into UsePAM = yes . (If the line of UsePAM iscommented out, remove the comment out hash sign (#).)

- Open /etc/security/login.cfg and change the following line.

Change auth_type = STD_AUTH into auth_type = PAM_AUTH. (If the lineof auth_type is commented out, remove the comment out hash sign(#).)

5. Run the following command and restart the sshd service. An examplecommand for each supported OS is shown.For RHEL/CentOS/SUSE Linux/Oracle Linux (example - RHEL 6.4):

/etc/rc.d/init.d/sshd restart

For Solaris (example - Solaris 10):

/usr/sbin/svcadm restart ssh

For AIX (example - AIX 6.1):

kill -HUP [Process ID of sshd]


For HP-UX (example of HP-UX 11i V3):

/sbin/init.d/secsh stop; /sbin/init.d/secsh start

Note: These commands may change depending on the operating systemversion. For details, refer to the applicable OS manual.

Using multiple Device Managers from one HAD severHitachi Automation Director enables you to use multiple Device Managersfrom one HAD server. This feature is made possible by using mutualauthentication between multiple Common Component authentication servers(primary) using only one token.

Mutual authentication is a security feature in which a client must prove itsidentity to a server, and the server must prove its identity to the client,before any application traffic is sent over the client-to-server connection.

Note: Mutual authentication cannot be done with built-in accounts such assystem accounts or Common Component internal accounts (used for setup orother internal functions).

The following figure shows an example of operating multiple Device Managersfrom one HAD server.

The following figure illustrates mutual authentication based on the guidelinesbelow.


Guidelines1. To change the server ID, use the hcmds64chgtsid command. If the

server ID is the default host name, this step is not required.2. Run the hcmds64trust command on [Device Manager]_D, and register

the destination information of [Device Manager]_B.3. Select the settings of the user to perform mutual authentication at

authentication zone A and authentication zone B as follows:

- If you use the user registered in the common user management,register the same user to the common user management atauthentication zone A and authentication zone B, and give the privilege

- If you use the user of external authentication group, who is notregistered to the common user management, register the group DN(where the user of external authentication group belongs on theauthentication server) to the common user management atauthentication zone A and at authentication zone B, and the give theprivilege.


4Removing Hitachi Automation Director

This chapter describes how to remove Hitachi Automation Director.

□ Removing Hitachi Automation Director (Windows)

□ Removing Hitachi Automation Director (Linux)

□ Removing Hitachi Automation Director software in a cluster environment

□ Deleting authentication data

Removing Hitachi Automation Director 93Hitachi Automation Director Installation and Configuration Guide

Removing Hitachi Automation Director (Windows)You remove Hitachi Automation Director in a Windows environment bycompleting the steps listed in the following sections.

Before you begin

• If tasks in the Status column of the Tasks tab of Hitachi AutomationDirector are in the Waiting, Waiting for Response, In Progress, "LongRunning", or Failure Detection state, wait until the tasks have stopped orhave finished running.

• Close all of the service dialog boxes.• Close any Windows Services or open command prompts.• Disable any security monitoring, virus detection, or process monitoring

software on the server.

Caution: If other Hitachi Command Suite products are installed inthe same host, do not delete the shared folder (\Base\database).Removing this folder will stop other Hitachi Command Suiteproducts.

Procedure

1. Log on to Windows as the administrator.2. Run the following command to stop all services:

Common-Component-installation-folder\bin\hcmds64srv /stop3. Open the Control Panel, and then choose Programs and Features or

Add or Remove Programs.4. Select Automation Director, and then click Remove, or select the

program, right-click and select Uninstall.5. In the Setup window, click Uninstallation to start the software removal

process.The removal process deletes the HAD-installation-folder\Automationfolder.

ResultAutomation Director is removed from the host.

Removing Hitachi Automation Director (Linux)You remove Hitachi Automation Director in a Linux environment as listed inthe following procedure.

94 Removing Hitachi Automation DirectorHitachi Automation Director Installation and Configuration Guide

Procedure

1. Move to a root directory, such as cd /root.2. Run the following command: <Installation directory of HAD>/

ADUninstall/uninstall.sh

Removing Hitachi Automation Director software in a clusterenvironment

You can remove the Hitachi Automation Director software from the server ina cluster environment if you want to migrate to a different server or stopHitachi Automation Director operation.

Note: If you remove Hitachi Automation Director, the properties files, logfiles, and other product-related files are deleted.

Procedure

1. In the cluster management software, move the group in which theHitachi Automation Director services are registered from the standbynode to the active node by right-clicking the group, and then selectingMove and then either Select Node or Move this service orapplication to another node.

2. Take offline and disable failover for the group in which Hitachi CommandSuite services including Hitachi Automation Director are registered byusing the following command:• From integrated installation media:


• From the installation directory of a Hitachi Command Suite productwith v8.2 or later:Hitachi-Command-Suite-Common-Component-installation-directory\ClusterSetup\hcmds64clustersrvstate /soff /r HCS-cluster-group-namewherer - specifies the name of the group in which the Hitachi CommandSuite product services including Hitachi Automation Director areregistered. If the group name contains spaces, you must enclose thegroup name in quotation marks ("); for example, if the group name isHAD cluster, you would specify "HAD cluster".

3. Delete the Hitachi Command Suite services including Hitachi AutomationDirector by using the following command:

Note: Before deleting the services, delete the "customer script"from the cluster management software.


• From integrated installation media:integrated-installation-media\HCS\ClusterSetup\hcmds64clustersrvupdate /sdel /r HCS-cluster-group-name

• From the installation directory of a Hitachi Command Suite productwith v8.2 or later:Hitachi-Command-Suite-Common-Component-installation-directory\ClusterSetup\hcmds64clustersrvupdate /sdel /rHCS-cluster-group-namewherer - specifies the name of the group in which the Hitachi CommandSuite product services including Hitachi Automation Director areregistered. If the group name contains spaces, you must enclose thegroup name in quotation marks ("); for example, if the group name isHAD cluster, you would specify "HAD cluster".

Note:• All Hitachi Automation Director and Hitachi Command Suite

product services that are registered in the group specified bythe r option are deleted. However, the Hitachi File ServicesManager services are not deleted.

• If you plan to continue using Hitachi Command Suite products,you can re-registered them after you remove HitachiAutomation Director. Deleting the Hitachi Automation Directorservices does not cause a problem.Remember that if you changed the service resource names, allresource names are reinitialized when the services are re-registered. Therefore, you must record the resource names forthe services that you are deleting, and change the names afterre-registering those services.

4. Delete the user script (the script that issues the "stopcluster /prepare"command) from the cluster software.

5. Use the following command to stop the Hitachi Command Suite products.HCS-Common-Component-installation-folder\bin\hcmds64srv /stop

6. Remove Hitachi Automation Director from the active node.7. On the active node, delete any files and folders that are no longer

required (such as those files and folders created during installation in thecluster environment).

8. In the cluster management software, move the Hitachi AutomationDirector services group to the standby node by right-clicking the group,selecting Move and selecting either Select Node or Move this serviceor application to another node.

9. Remove Hitachi Automation Director from the standby node.


10. After performing the removal of the cluster installation, delete theAutomation folder and, if you no longer plan to use any other HCSservices, delete the Base folder as well from the standby node.

11. If the following resources are not in use by other applications, use thecluster management software to take them offline, and then delete them.• IP address• shared disk

12. On the standby node, delete any files and folders that are no longerrequired (such as those files and folders created during installation in thecluster environment).

13. If you want to continue using other Hitachi Command Suite products, usethe following command to register the Hitachi Command Suite services inthe cluster management software group:

HCS-Common-Component-installation-folder\ClusterSetup\hcmds64clustersrvupdate /sreg /r HCS-cluster-group-name /sddrive-letter-of-shared-disk /ap resource-name-for-client-access-point

where

r - specifies the name of the group in which you to plan to register theHitachi Command Suite product services. If the group name containsspaces, you must enclose the group name in quotation marks ("); forexample, if the group name is HAD cluster, you would specify "HADcluster".

sd - specifies the drive letter of the shared disk that is registered to thecluster management software. You cannot specify multiple drive lettersfor this option. If the database of Hitachi Command Suite products isdivided into multiple shared disks, run the hcmds64clustersrvupdatecommand for each shared disk.

ap - specifies the name of the resource for the client access point that isregistered to the cluster management software.

14. If you want to continue using other Hitachi Command Suite products, usethe following command to bring online and enable failover for the groupin which the Hitachi Command Suite services are registered:

HCS-Common-Component-installation-folder\ClusterSetup\hcmds64clustersrvstate /son /r HCS-cluster-group-name

where

r - specifies the name of the group in which the Hitachi Command Suiteproduct services are registered. If the group name contains spaces, youmust enclose the group name in quotation marks ("); for example, if thegroup name is HAD cluster, you would specify "HAD cluster".

15. In the cluster management software, move the group containing theHitachi Command Suite resources to the active node by right-clicking the


group, selecting Move and then selecting either Select Node or Movethis service or application to another node.

Deleting authentication dataIf the KNAE04574-E warning dialog box appears even though the removalcompletes successfully, the deletion of authentication data has failed. Deletethe authentication data by executing the hcmds64intg command on theserver that administrates user accounts (on the host which Device Manager isinstalled in, and is connected to).

To execute the hcmds64intg command to delete the authentication data froma Windows host:

Procedure

1. Start all installed services of Hitachi Command Suite products byexecuting the following command:Common-Component-installation-folder\bin\hcmds64srv /start

2. Delete the authentication data by executing the following command:

Common-Component-installation-folder\bin\hcmds64intg /delete /type component-name /user user-ID /pass password• /type

Specify the name of the component that you want to delete.Automation can be specified.

• /userSpecify the user ID of a user who has the Admin (user management)permission. If you execute the command without the user option, youwill be prompted to specify a user ID.

• /passSpecify the password of a user who has the Admin (usermanagement) permission. If you execute the command without thepass option, you will be prompted to specify a password.

Note: If you display a GUI window of another Hitachi CommandSuite product without deleting the authentication data, thefollowing problems might occur even after removing theAutomation server:• User management information of the Automation server is

displayed.

• The button used to start the Automation server is enabled onthe dashboard. Clicking the enabled button causes a link errorto appear.




AHitachi Automation Director file location

and portsThis appendix includes all the folders that are created as a part of HitachiAutomation Director installation.

□ Automation Director file location

□ Port settings

Hitachi Automation Director file location and ports 101Hitachi Automation Director Installation and Configuration Guide

Automation Director file locationInstallation folders

The following tables list the folders that are created when Hitachi AutomationDirector is installed. The Folder Details column lists default paths that can bechanged during installation.

Windows folder details Windows folder locations

Installation folder system-drive\Program Files\HiCommand\Automation

Commands files system-drive\Program Files\HiCommand\Automation\bin

Configuration files system-drive\Program Files\HiCommand\Automation\conf

Folder for service templates system-drive\Program Files\HiCommand\Automation\contents

Data files system-drive\Program Files\HiCommand\Automation\data

Help files system-drive\Program Files\HiCommand\Automation\docroot

Preset property definition files system-drive\Program Files\HiCommand\Automation\extra_presets

Temporary working folder forinstallation and removal

system-drive\Program Files\HiCommand\Automation\inst

Library files system-drive\Program Files\HiCommand\Automation\lib

Log files system-drive\Program Files\HiCommand\Automation\logs

Source files for open sourcesoftware

system-drive\Program Files\HiCommand\Automation\ossSource

System files system-drive\Program Files\HiCommand\Automation\system

Working used by Internal command system-drive\Program Files\HiCommand\Automation\webapps

Working folder system-drive\Program Files\HiCommand\Automation\work

Common component system-drive\Program Files\HiCommand\Base64

Linux folder details Linux directory locations

Installation folder /opt/HiCommand/Automation

Commands files /opt/HiCommand/Automation/bin

Configuration files /opt/HiCommand/Automation/conf

Folder for service templates /var/opt/HiCommand/Automation/contents

Data files /var/opt/HiCommand/Automation/data

102 Hitachi Automation Director file location and portsHitachi Automation Director Installation and Configuration Guide

Linux folder details Linux directory locations

Help files /opt/HiCommand/Automation/docroot

Preset property definitions files /var/opt/HiCommand/Automation/extra_presets

Temporary working folder forinstallation and removal

/opt/HiCommand/Automation/inst

Library files /opt/HiCommand/Automation/lib

Log files /var/opt/HiCommand/Automation/logs

Source files for open sourcesoftware

/opt/HiCommand/Automation/ossSource

System files /opt/HiCommand/Automation/system

Working used by Internal command /var/opt/HiCommand/Automation/work

Common component /opt/HiCommand/Base64

Port settingsHitachi Automation Director uses the following port settings:

External connection port

Port number Firewall Description

22/tcp HAD <--> Operation target Used for SSH.

cjstartweb uses this port.

23/tcp HAD <--> Operation target Used for Telnet.


445/tcp or udp HAD <--> Operation target Used in shared management.


135/tcp and 139/tcp HAD <--> Operation target Used in shared management.


22015/tcp Browser -> HAD Use to access HBase StorageMgmt Web Service. In non-SSL(unsecured) communication,initial setup is a required.

This port number can bechanged.

httpsd uses this port.

22016/tcp Browser -> HAD Use to access HBase StorageMgmt Web Service. In SSL(secured) communication, asetting is required.




httpsd uses this port.

25/tcp HAD -> SMTP server Use for mail transmission.



88/tcp or udp HAD -> Kerberos server cjstartweb uses this port.

359/tcp HAD -> LDAP directory server Use for ldap/tls.


636/tcp HAD -> LDAP directory server Use for LDAPs.



1812/udp HAD -> Radius server cjstartweb uses this port.

Internal connection port

Note: These ports are "reserved" and are used only for internal portconnections.


20245/tcp Task processing engine <-->Task processing engine

Use for manager's job statusnotification.

jp1ajs2report uses this port.

20250/tcp HAD → Task processing engine Task processing engine usesthis port.

ajscdinetd uses this port.

HAD always uses this port.

23031/tcp HAD -> HAD Use to access the followingservices:

- HBase Storage Mgmt WebSSO Service

- HSSO-dedicated Web server


23160/tcp Jobnet connector execution host<--> Jobnet execution host atthe connection execution

Use for communication betweenscheduler services.

jp1ajs2gw uses this port.



23800/tcp Task processing engine <-->Task processing engine

Used in task processingengine's embedded database ina cluster configuration.

EmbeddedEdition_JF1 uses thisport.



BUsing the hcmds64keytool utility

You can use the hcmds64keytool utility in a number of ways as follows:• Importing a certificate into the truststore• Removing a certificate from the truststore• Exporting a Device Manager server self-signed certificate• Specifying a unique name in the truststore, the truststore file name, and

the password• Checking the certificates imported into the truststore

Note: This operation helps to verify that a certificate was correctlyimported.

For details, see the Hitachi Command Suite Administrator Guide.

Using the hcmds64keytool utility 107Hitachi Automation Director Installation and Configuration Guide

108 Using the hcmds64keytool utilityHitachi Automation Director Installation and Configuration Guide

GlossaryAallocated volume

An LDEV for which one or more host LUN paths are defined.

Ccache

A set of RAM (Random Access Memory) modules used to store datatemporarily.

capacity

The amount of data storage space available on a disk drive or storagesystem. Measured in MB, but it can also be measured in other units suchas TB and PB, depending on the total storage space.

CCI

Command Control Interface. Software used to control volume replicationfunctionality (such as TrueCopy or ShadowImage) by means of commandsissued from a host to a storage system. A command device must be setup in the storage system to enable the storage system to receivecommands from CCI.

In an open system, Replication Manager uses the CCI configurationdefinition files to modify copy pair configurations and to acquireconfiguration information. Copy pair modification processing, such assplitting and resynchronizing copy pairs, is executed on the storagesystem via CCI.

CLI

command line interface

Glossary 109Hitachi Automation Director Installation and Configuration Guide

CLPR

Cache Logical Partition

copy pair

A primary and secondary volume pair linked by the volume replicationfunctionality of a storage system.

CSV

comma-separated value

CU (Control Unit)

Created in an enterprise-class storage system. Also called a CU image.The LDEVs created in a storage system are connected to a single CU, anda number is assigned to each CU for identifying its LDEVs. Therefore,volumes (LDEVs) in a storage system are specified by the CU number(CU#) and LDEV number.

Ddata drive

A physical data storage device that can be either a hard disk drive (HDD)or a flash (solid-state) drive.

data pool

One or more logical volumes designated to temporarily store originaldata. When a snapshot is taken of a primary volume, the data pool isused if a data block in the primary volume is to be updated. The originalsnapshot of the volume is maintained by storing the changeable datablocks in the data pool.

DB

Database

device

A physical or logical unit with a specific function.

DEVN

Device number that is assigned to each logical address when using anLDEV on a mainframe host.

110 GlossaryHitachi Automation Director Installation and Configuration Guide

DHCP

Dynamic Host Configuration Protocol

DKCMAIN

Disk controller main

DKP

Disk processor

DKU

Disk unit

EEVS

Enterprise Virtual Server

external pathA path from a storage port of a storage system to a volume on aconnected external storage system.

external volume

A logical volume whose data resides on drives that are in an externallyconnected storage system.

FFC

fibre channel

FCoEFibre Channel over Ethernet. An encapsulation of Fibre Channel framesover Ethernet networks. This allows Fibre Channel to use 10-gigabitEthernet networks (or higher speeds) while preserving the Fibre Channelprotocol.

GGUI

graphical user interface


HHBA

host bus adapter

HCP (Hitachi Content Platform)

A distributed storage system for fixed content data. Provides severalprotocols to present the data in standard directory structure.

HDP

Hitachi Dynamic Provisioning. An approach to managing storage wherebyinstead of reserving storage, HDP removes capacity from the availablepool only when data is actually written to the drive.

HDT

Hitachi Dynamic Tiering

Hitachi Dynamic Provisioning (HDP)Functionality that allocates virtual volumes to a host, and uses thephysical capacity that is necessary according to the data write request.

Hitachi Dynamic Tiering (HDT)In addition to Hitachi Dynamic Provisioning functionality, this functionalityplaces data in a tier according to the I/O load. A data area that has a highI/O load is placed in a high-speed hardware tier, and a data area that hasa low I/O load is placed in a low-speed hardware tier.

host group

A means of segregating hosts by operating system.

HSD

Host storage domain. A group used to strengthen the security of volumesin storage systems. By associating and grouping hosts and volumes bystorage system port, host storage domains can be used to restrict accessfrom hosts to volumes.

Device Manager defines the host groups set up with the storage systemLUN security function as host storage domains. Host storage domains forstorage systems that do not have host groups are defined in the samemanner as if they had been set with the LUN security function.

HTML

Hypertext Markup Language


HTTP

Hypertext Transfer Protocol

HTTPS

Hypertext Transfer Protocol Secure

II/O

Input/output

internal volume

A logical volume whose data resides on drives that are physically locatedwithin the storage system. See also external volume.

IOPS

I/Os per second

IP

Internet protocol

iSCSI

Internet Small Computer Systems Interface

JJRE

Java Runtime Environment

JVM

Java Virtual Machine

JWS

Java Web Start

LLAN

Local area network


LDAP

Lightweight Directory Access Protocol

LDEV (logical device)

A volume created in a storage system. See also LU.

LDKC

Logical disk controller

LU (logical unit)

A volume created in an open storage system. See also LDEV.

LUN (logical unit number)

A management number assigned to an LU in a storage system. A LUN is anumber assigned to identify an LU for the port in the storage system towhich the LU is connected, either by the port or by the host groupassigned to the port. An open system host uses a LUN to access aparticular LU.

LUSE

LU size expansion

Mmanagement client

A computer used to operate a graphical user interface client or acommand-line interface client.

NNAS

Network attached storage

NIC

Network interface card

OOS

Operating system


PP-VOL (primary volume)

The source volume that is copied to another volume using the volumereplication functionality of a storage system.

pair status

Copy pair status.

pathA path from a storage system volume to a host group.

In this manual, the term "path" may mean a path, external path, or LUNpath without making distinctions among them.

pool-VOL

A logical volume that is reserved for storing Copy-on-Write Snapshot dataor Dynamic Provisioning write data.

properties files

Files that define the operating environment. The operating environmentcan be modified by changing the appropriate property files.

RRACF (Resource Access Control Function)

Functionality for controlling user authentication and resource access onthe mainframe host.

RADIUS

Remote Authentication Dial In User Service

RAID

Redundant array of inexpensive disks

RAID level

The type of RAID implementation. RAID levels include RAID 0, RAID 1,RAID 2, RAID 3, RAID 4, RAID 5 and RAID 6.

refresh

To update the database using the most recent information.


resource group

Resources grouped by storage system, parity group, LDEV ID, storageport, etc.

role

Operation(s) permission that users in a user group have for resources in aresource group.

SS-VOL (secondary volume)

The copy destination volume of two volumes that are associated in a copypair by a storage system volume replication functionality.

SAN

Storage area network

SAS (Serial Attached SCSI)

A replacement for Fibre Channel drives in high performance applications.See SCSI.

SATA (Serial Advanced Technology Attachment)

A version of the ATA interface that uses a serial connection architecture.

SCSI (Small Computer System Interface)

Standards that define I/O buses primarily intended for connecting storagesystems and devices to hosts through host bus adapters.

secure sockets layer (SSL)

A commonly-used protocol for managing the security of a messagetransmission on the Internet.

SLPR

Storage Local Partition

SMUSystem Management Unit

SNMP

Simple Network Management Protocol


SSD

Solid-state drive

storage poolStorage pools are collections of system drives, and are the logicalcontainers of file systems. Storage pools are created in Hitachi NASPlatform and Hitachi High-performance NAS Platform and NAS modules.Storage pools are sometimes called spans.

system drive

A system drive is the basic (logical) storage element managed by HitachiNAS Platform and Hitachi High-performance NAS Platform and NASmodules. A system drive is equivalent to a storage system volume. Theload on volumes is distributed among system drive groups created byusers.

Ttiered storage

A layered structure of performance levels, or tiers, that matches dataaccess requirements with the appropriate performance tiers.

Uunallocated volume

An LDEV for which no host paths are assigned.

URL

Uniform Resource Locator

user group

A group of users who use the same resources and have the sameoperation(s) permission (see “role”) for the resources. Externallyauthenticated groups can be used as user groups.

VVMA

Volume management area

VOLSER

The label of a volume assigned by the mainframe host.


volume

A collective name for the logical devices (LDEVs) and logical units (LUs)that are created in a storage system.

WWeb client

Browser


IndexA

Automation Directorbasic system configuration 15installing 24related products 14security settings 44workflows 18

Ccluster

installation prerequisites 27cluster environment configuration, checking 28configuring

basic system 15management server URL 42ports 38, 39server host name 40server IP address 40

Ddocuments

related 8

FFile location 102

HHitachi Automation Director file location 101Hitachi Command Suite products 14host name

changing 40properties requiring updated when the hostname changes 41, 42

IInstallation prerequisites 22installing

Automation Director 24

avoiding port conflicts 24from integrated media with the all-in-oneinstaller 60

installing Automation Directorusing integrated media 24

Installing Automation Director 21integrated media installation 24IP address

changing 40properties requiring updated when the IPaddress changes 41, 42

Mmanagement client

setting up SSL on web-based clients 54setting up the server for secure clientcommunication 45

NName resolution 24

Ooverview

basic system configuration 15related products 14workflows 18

Overview 13

Pplanning

avoiding port conflicts 24Port settings 103ports

avoiding conflicts 24changing ports 38, 39properties requiring updated when portschange 39

Post-Installation tasks 33Preface 7

Index 119Hitachi Automation Director Installation and Configuration Guide

Properties file (config_user.properties) 62

RRegistering a license 34related documents 8Removing Automation Director 93Removing Automation Director components 94removing the software

removal procedure 95

Ssecure communications 44security settings

overview 44secure communications for managementclients 44setting up:server for secure clientcommunication 45setting up:SSL on web-based managementclients 54

SSLsetting up on the server for secure clientcommunication 45setting up on web-based management clients54using for secure client communication 44

System accountchanging the password 34

UURL

changing the management server URL 42

VVerifying the installation 34

Wworkflows

overview 18

120 IndexHitachi Automation Director Installation and Configuration Guide

Hitachi Automation Director Installation and Configuration Guide

Hitachi Data Systems

Corporate Headquarters2845 Lafayette StreetSanta Clara, California 95050-2639U.S.A.www.hds.com

Regional Contact Information

Americas+1 408 970 [email protected]

Europe, Middle East, and Africa+44 (0) 1753 [email protected]

Asia Pacific+852 3189 [email protected]

MK-92HC204-07

http://www.hds.com

MAILTO:[email protected]

