HP MIF Admin Guide


HP Management Integration Framework 1.6
Administrator Guide

Abstract
This document describes the use of HP Management Integration Framework interfaces and is intended for administrators involved
in the installation, operation, management and security of HP P6000 EVA storage systems.

HP Part Number: T5494-96539


Published: October 2012
Edition: 6
© Copyright 2010, 2012 Hewlett-Packard Development Company, L.P
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.

Adobe and Acrobat are trademarks of Adobe Systems Incorporated.

1.6 — 2012.09.20
Contents
1 Introduction
  Administrator guide
  What's new
  Management Integration Framework software overview
  Quick tour
    Single Pane of Glass interface quick tour
    Configuration interface – Details page quick tour
    Configuration interface – Registry page quick tour
    Security interface – Administration page quick tour
    Security interface – Import Machines wizard quick tour
    Security interface – Manage OS Security Domains wizard quick tour
    Security interface – Move Machine wizard quick tour
    Security interface – Single Sign-on page quick tour
  Searching online help
2 Installing Management Group security certificates
  Management Group security certificate installation overview
  Installing Management Group security certificates in Internet Explorer 8.0 and 9.0
  Installing Management Group security certificates in Mozilla Firefox
  Configuring Windows Server 2003 IE ESC
  Configuring Windows Server 2008 IE ESC
  Configuring Windows Server 2012 IE ESC
3 Configuring browsers for single sign-on
  Configuring Firefox for single sign-on
  Configuring Internet Explorer for single sign-on
4 Troubleshooting
  Login issues (MIF)
  Login issues (other than MIF)
  Single Pane of Glass tree errors
5 Using the configuration interface
  Best practices
  Changing a machine's configuration
  Configuring a multi-home machine
  Logging in to the configuration interface
  Resetting or replacing HP P6000 EVA management modules
  Restarting the Management Integration Framework service
  Restoring the default configuration for a machine
  Setting the same IP version
  Using keyboard navigation
  Viewing configuration guidelines
  Viewing the configuration for a machine
6 Configuration settings
  Configuration settings overview
  General configuration settings
    Audit file max age
    Audit file max size
    Log file max age
    Log file max size
    Logging level
    Secured web service port
    Unsecured web service port
    Web server connections
    Web server port
    Web service IP address (IPv4/IPv6)
  Discovery configuration settings
    Discovery interval
    Discovery URI
    Non-local registry entry time-out
    Registry table updates
    Registry update address (IPv4/IPv6)
  Security configuration settings
    Available OS security domains
    Cipher List
  Tree integrator configuration settings
    Decorator age time-out
    Tree discovery interval
    Local only
    SPoG session time-out
    Tree aggregation
    Tree age time-out
7 Using the security interface
  Adding LDAP security domains to a machine
  Adding machines to a Management Group
  Creating a Management Group
  Deleting a Management Group
  Deleting LDAP security domains for a machine
  Editing LDAP security domains for a machine
  Logging in to the security interface
  Removing machines from a Management Group
  Renaming a Management Group
  Using keyboard navigation
  Troubleshooting
    Import Machines troubleshooting
    Management Group change troubleshooting
8 Management Integration Framework concepts
  Applications (Management Integration Framework specific)
  Authenticators (Management Integration Framework specific)
  Configuration settings and service startup
  Discovery
  LDAP security domain mapping
  Log and audit files
  Login user names and passwords
  Management Groups
  Management Group machines
  Management Group names
  Management Group security certificates
  OS security domains
  OS user groups (security groups)
  Registry (Management Integration Framework specific)
  Roles (Management Integration Framework specific)
  Security integration
  Service (Management Integration Framework specific)
  Single Pane of Glass interface
  Single sign-on features (Management Integration Framework specific)
  Web services (Management Integration Framework specific)
9 Support and other resources
  Release history
  Contacting HP
  Related information
A HP MIF security environment overview
  HP MIF privilege mechanisms
  HP MIF security environment assumptions
Glossary
Index

1 Introduction
Administrator guide
This administrator guide for HP Management Integration Framework software covers use of the
following:
• Configuration interface
• Security interface
• Single Pane of Glass interface

What's new
HP Management Integration Framework version 1.6 includes the following new or updated features
compared to version 1.5. See the HP P6000 Enterprise Virtual Array Compatibility Reference for
support and version details.
Software support. Support is added for:
• HP P6000 Command View 10.2
• HP P6000 Performance Advisor 10.2
• HP EVA to 3PAR Online Import 10.2
• HP P6000 Control Panel 2.7
For the latest information on support of Windows Server 2012, see the HP P6000 Command View
Software Suite 10.2 Release Notes.

Management Integration Framework software overview


HP Management Integration Framework software provides storage-related security features and
user interface capabilities and is included in the following HP applications and products:
• HP P6000 EVA storage systems with HP P6000 Command View array-based management
(ABM), version 9.2 or later
• HP P6000 Command View server-based management (SBM), version 9.2 or later
HP Management Integration Framework software provides the following interfaces and high level
features:
• Single Pane of Glass interface. See quick tours and Single Pane of Glass interface.
• Configuration interface. See quick tours.
• Security interface. See quick tours.
• Enhanced storage-related security integration and Management Group administration.
• Automatic discovery of machines on a LAN.
• Command line tools.
The following illustration shows four machines with HP Management Integration Framework software
on them, in a common LAN: a server with server-based HP P6000 Command View (SVR01), which
is managing a set of HP P6000 EVA storage systems; another server with server-based HP P6000
Command View (SVR07), which is managing a different set of HP P6000 EVA storage systems; and
two HP P6000 EVA storage systems with array-based HP P6000 Command View (STOR02 and
STOR05).

The HP Management Integration Framework software on SVR01 and SVR07 was automatically
installed as part of the installation of server-based HP P6000 Command View and HP P6000
Performance Advisor. The HP Management Integration Framework software on STOR02 and
STOR05 was factory installed. Every machine with HP Management Integration Framework software
can detect and communicate with the other similar machines on the LAN. For more information,
see Management Integration Framework discovery.
Management Groups
A key feature of HP Management Integration Framework software is security integration, which
allows aggregation of machines into Management Groups. All members of a Management Group
can participate in a single sign-on environment.
Referring to the illustration, assume that each of the five machines was initially in its own
Management Group. This would have occurred automatically, either during installation of
server-based HP P6000 Command View, or during factory manufacture. Communicating over the
LAN, the five machines inform each other of their Management Integration Framework capabilities.
Using the Management Integration Framework security interface, a security administrator could
assign the five machines to one Management Group.
Then, rather than having to use five sets of security credentials, users could log in to any of the five
machines with a single user credential (user name and password).

Quick tour
Single Pane of Glass interface quick tour
Configuration interface – Details page quick tour
Configuration interface – Registry page quick tour
Security interface – Administration page quick tour
Security interface – Import Machines wizard quick tour
Security interface – Manage OS Security Domains wizard quick tour
Security interface – Move Machine wizard quick tour
Security interface – Single Sign-on page quick tour

Single Pane of Glass interface quick tour


The Single Pane of Glass interface displays multiple HP P6000 EVA storage applications, such as
HP P6000 Command View and Performance Advisor, in a single browser window. And when
multiple storage management servers or storage systems with array-based management have been
included in a Management Group, the interface displays all of the managed storage systems in
the single browser window. For more information, see Single Pane of Glass interface.

The basic organization of the Single Pane of Glass interface is:

1. Point of view selector 2. Navigation pane 3. Content pane 4. Aspect tabs 5. Session pane

Point of view selector (1). Selects the point of view to be displayed. When the Settings point of
view is selected, you can click the storage application resources in the navigation pane to view
or change application settings. When the Storage Systems point of view is selected, you can click
the storage system resources to view the overall storage system network or view and manage
specific storage systems.
Navigation pane (2). The navigation pane displays an expandable resource tree for the selected
point of view. When you select a resource in the navigation pane, the information and available
actions for the resource are displayed in the content pane.
Content pane (3). The content pane displays information and actions that you can perform on the
resource that is selected in the navigation pane.
Aspect tabs (4). Aspect tabs organize content for a resource based on HP storage applications.
For example, the Management aspect tab includes content from the HP P6000 Command View
application and the Performance tab includes content from the HP P6000 Performance Advisor
application.
Session pane (5). The session pane displays the name of the HP Management Group in which the
resources are members, the user that is logged in, a link to online help and the logout button.

Configuration interface – Details page quick tour
The Configuration page allows you to view and change configuration settings. The main areas of
the page are identified in the following illustration. Each of the configuration setting types (General,
Discovery, Security, and Tree Integrator) is displayed in an expandable panel.

1. Actions 2. Service state 3. Configuration status 4. Configuration details

Configuration interface – Registry page quick tour


The Registry page allows you to view registry entries.

Security interface – Administration page quick tour
The Administration page allows you to view key characteristics of a Management Group, change
authenticator states, and access the wizards.

1. Management Group 2. Wizards 3. Authenticating OS security domains 4. Machines and authenticator state

Security interface – Import Machines wizard quick tour


The Import Machines wizard guides you through the steps to import one or more machines in one
or more Management Groups into another Management Group.

1. Machines eligible for import into the currently viewed Management Group

Security interface – Manage OS Security Domains wizard quick tour
The Manage OS Security Domains wizard guides you through steps to add, copy, edit, and delete
an LDAP security domain from a machine in the currently viewed Management Group.

1. Machine being managed

Security interface – Move Machine wizard quick tour


The Move Machines wizard guides you through the steps to remove one member from the currently
viewed Management Group and add it to another Management Group, or to create a new
Management Group and add it to the new group.

1. Machine being moved to a different Management Group

Security interface – Single Sign-on page quick tour
The Single Sign-on page allows you to enable or disable the Management Integration Framework
single sign-on feature for a Management Group.

1. Management Group 2. Single Sign-on setting

Searching online help


Procedure
1. In online help, select Search. The search pane appears.
2. Enter a term to search for and click List Topics or press the Enter key. A list of topics that
contains the term is displayed.
3. Click any topic in the list to display it.
Tips
Tips for using search:
• Capitalization (case sensitivity). Search is not case sensitive. Example: searching for cat or
Cat finds the same topics.
• Singular and plural. Search finds topics that contain plurals of singular words. For example,
searching for cat also finds topics that contain the word cats.
• Wild cards. Search does not support wild card characters.
• Multiple words. Search supports multiple-word searches (but not literal phrases). For example,
searching for big cat, finds topics that contain both the word big and the word cat. In addition,
search also finds topics that contain only the word big or only the word cat.
• Pasting search entries. Search supports pasting of terms. For example, you can copy a term
from another window, right-click the search text box and select Paste.
• Repeating searches. Search maintains a search term history list. To repeat a search without
retyping, double-click the search text box and select the term.

2 Installing Management Group security certificates
Management Group security certificate installation overview
Each Management Group uses a unique self-signed Management Group security certificate to
manage login access.
When browsing to a Management Integration Framework interface, if there is no trusted certificate
authority to attest to the certificate, then connection to the machine is blocked. This condition is
indicated by an error message on the login dialog box.

If this occurs, the certificate for the Management Group can be installed in the browser as a trusted
certificate authority. After installing the certificate and refreshing the browser, the connection will
no longer be blocked. Installation of a certificate on a given browser is only required one time per
Management Group.
If there is more than one Management Group in your environment, you may need to install the
certificate for each group.
Click a link below to view summaries for installing Management Group security certificates on
various browsers.

Microsoft Internet Explorer 8.0 and 9.0


Mozilla Firefox

Installing Management Group security certificates in Internet Explorer 8.0 and 9.0
Considerations
• When browsing from a server which is running Windows Server 2003, the server's Enhanced
Security Configuration (ESC) must be uninstalled. Otherwise, browser access to Management
Group members will be blocked. See Configuring Windows Server 2003 IE ESC.
• When browsing from a server which is running Windows Server 2008, the server's Enhanced
Security Configuration (ESC) must be turned off. Otherwise, browser access to Management
Group members will be blocked. See Configuring Windows Server 2008 IE ESC.
Procedure
1. Browse to a Management Group member machine. A Website Security Certificate page
opens.



2. Select Continue to this website. If the login dialog box displays a connection error, proceed
with the following steps.

3. Click the link for installing the Management Group certificate. A File Download dialog box
opens.
4. Click Open.
5. Click Install Certificate. The Certificate Import wizard opens.
a. Click Next.
b. Select Place all certificates in the following store and click Browse.
c. Select Trusted Root Certification Authorities.
d. Click Next, then click Finish. The certificate for the Management Group is installed in the
browser.
6. Close the dialog boxes and refresh the browser. After the refresh, the connection error should
no longer be displayed.

Installing Management Group security certificates in Mozilla Firefox


This topic applies to Mozilla Firefox 4.0 and later.
Considerations
• When browsing from a server which is running Windows Server 2003, the server's Enhanced
Security Configuration (ESC) must be uninstalled. Otherwise, browser access to Management
Group members will be blocked. See Configuring Windows Server 2003 IE ESC.
• When browsing from a server which is running Windows Server 2008, the server's Enhanced
Security Configuration (ESC) must be turned off. Otherwise, browser access to Management
Group members will be blocked. See Configuring Windows Server 2008 IE ESC.
Procedure
1. Browse to a Management Group member machine. A This Connection is Untrusted dialog
box opens.
2. Click I Understand the Risks.
a. Click Add Exception. The Add Security Exception page opens.
b. Click Get Certificate.
c. Click Confirm Security Exception.



3. The login dialog box opens and a connection error is displayed.

4. Click the link for installing the Management Group certificate. A trust dialog box opens.
5. Select Trust this CA to identify the web sites and click OK. The certificate for the Management
Group is installed in the browser.
6. Close the dialog boxes and refresh the browser. After the refresh, the connection error should
no longer be displayed.

Configuring Windows Server 2003 IE ESC


If you browse from Windows Server 2003, the Internet Explorer Enhanced Security Configuration
(ESC) must be uninstalled; otherwise, browser access to Management Group members will be
blocked.
Procedure
1. On the desktop, click Start > Control Panel > Add or Remove Programs. The Control Panel
window opens.
2. Click Add/Remove Windows Components. The Windows Components Wizard opens.
3. Uncheck Internet Explorer Enhanced Security Configuration and follow the instructions in the
wizard.

Configuring Windows Server 2008 IE ESC


If you browse from Windows Server 2008, the Internet Explorer Enhanced Security Configuration
(ESC) must be turned off; otherwise, browser access to Management Group members will be
blocked.
Procedure
1. On the desktop, click Start > Administrative Tools > Server Manager. The Server Manager
window opens.
2. In the Security Information section, click Configure IE ESC.
3. In the dialog box, select Off and click OK.

Configuring Windows Server 2012 IE ESC


If you browse from Windows Server 2012, the Internet Explorer Enhanced Security Configuration
(ESC) must be turned off; otherwise, browser access to Management Group members will be
blocked.
Procedure
1. On the desktop, click Start > Administrative Tools > Server Manager. The Server Manager
window opens.
2. In the Local Server properties page, click On/Off next to IE Enhanced Security Configuration.
3. Select Off and click OK.



3 Configuring browsers for single sign-on
Configuring Firefox for single sign-on
Use the following procedure to prevent a Firefox browser from displaying a login dialog prior to
initiating the single sign-on authentication with the Management Integration Framework web server.
Considerations
• The format for entering a URL is: https://<IP Address>:2374.
• Multiple URLs should be separated with commas.
Procedure
1. In Firefox, enter about:config in the address bar. The about:config page opens with a list of
preference names.
2. In the Filter box, enter network.automatic-ntlm-auth.trusted-uris. The corresponding Preference
Name is displayed.
3. Double-click the Preference Name. A dialog opens. Enter the URLs and click OK.
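
The following Python code is an added example, not part of the HP guide. It builds the comma-separated value for network.automatic-ntlm-auth.trusted-uris in the https://<IP Address>:2374 format given above, and audits an existing value for entries that deviate from that format, since each listed URI is a site Firefox will start single sign-on authentication with without showing a login dialog. The function names are hypothetical and the addresses are constructed documentation addresses.

```python
import ipaddress
from urllib.parse import urlsplit

PREF_NAME = "network.automatic-ntlm-auth.trusted-uris"
MIF_PORT = 2374  # port from the guide's URL format: https://<IP Address>:2374


def mif_url(address):
    """Return https://<IP Address>:2374 for one address.

    IPv6 literals are bracketed so the port separator stays unambiguous.
    Raises ValueError when the input is not an IP address.
    """
    ip = ipaddress.ip_address(address.strip())
    host = f"[{ip.compressed}]" if ip.version == 6 else ip.compressed
    return f"https://{host}:{MIF_PORT}"


def build_pref_value(addresses):
    """Join one URL per address with commas, dropping duplicates in order."""
    urls = []
    for address in addresses:
        url = mif_url(address)
        if url not in urls:
            urls.append(url)
    return ",".join(urls)


def check_entry(entry):
    """Return a problem description for one entry, or None if it fits the format."""
    try:
        parts = urlsplit(entry)
    except ValueError:
        return "not a parseable URL"
    if parts.scheme != "https":
        return "scheme is not https"
    try:
        port = parts.port
    except ValueError:
        return "port is not a valid number"
    if port != MIF_PORT:
        return f"port is not {MIF_PORT}"
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return "host is not a literal IP address"
    if parts.username or parts.query or parts.fragment or parts.path not in ("", "/"):
        return "unexpected userinfo, path, query or fragment"
    return None


def audit_pref_value(value):
    """Return (entry, problem) pairs for entries that deviate from the guide's format."""
    findings = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        problem = check_entry(entry)
        if problem:
            findings.append((entry, problem))
    return findings


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 / RFC 3849 documentation ranges).
    value = build_pref_value(["192.0.2.10", "2001:db8::5", "192.0.2.10"])
    print(f"{PREF_NAME} = {value}")

    # Constructed sample of a value found on a workstation, with three deviations.
    existing = (
        "https://192.0.2.10:2374, http://192.0.2.11:2374,"
        "https://192.0.2.12,https://storage.example.test:2374"
    )
    for entry, problem in audit_pref_value(existing):
        print(f"review {entry}: {problem}")
```

The string returned by build_pref_value is what is entered in the dialog in step 3.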

Configuring Internet Explorer for single sign-on


Use the following procedure to prevent an Internet Explorer browser from displaying a login dialog
prior to initiating the single sign-on authentication with the Management Integration Framework
web server.
Considerations
• The format for entering a URL is: https://<IP Address>:2374.
Procedure
1. In Internet Explorer, select Tools > Internet Options.
2. Select Security > Local intranet, then click Sites.
3. Deselect Automatically detect intranet network, then select these settings:
Include all local (intranet) sites not listed in other zones
Include all sites that bypass the proxy server
Include all network paths (UNCs)
4. To enable specific sites, click Advanced, then enter the URL of each site, then click Close.



4 Troubleshooting
Login issues (MIF)
This topic includes messages that can appear when logging in (browsing) to HP Management
Integration Framework interfaces (Configuration and Security) or logging in to the Single Pane of
Glass interface in HP applications such as HP P6000 Command View.
• Message: Failed to connect to Discovery. The Management Group (MG)
certificate may not be installed. Please refer to help for more
information.
Resolution: Install the Management Group certificate in the browser then restart the browser.
For procedures with supported browsers, see Management Group security certificate installation
overview.
If you still cannot log in, check the following and retry logging in:
◦ Ensure that the date-time on the browsing computer matches the date-time on the target
machine (the machine being logged in to). If the date-times do not match they must be
synchronized. For example, if the date-time on the target machine was ahead of the
browsing computer when it generated the security certificate, the browser may treat the
security certificate as being invalid. If the date-time on the target machine is changed,
the HP MIF service on that machine must be restarted.
◦ Ensure that the Domain Name System for the environment is correctly configured to resolve
names to IP addresses.
◦ Disable the browser's proxy settings.

◦ Clear the browser's cache and restart the browser.

◦ Ensure that the firewall on the target machine is not preventing access.
• Message: Lookup of Security Component failed. View help for more
information.
Resolution: Ensure that the Domain Name System for your environment is correctly configured
to resolve names to IP addresses.
• Message: Failed to find a Security Component.
Resolution: Restart the HP MIF service on the target machine.
• Message: No Security Component could be found. Make sure a Security
Component is started and refresh the page.
Resolution: Restart the HP MIF service on the target machine then refresh the browser. In rare
cases, it may be necessary to reboot the target machine to clear the issue.
• Message: Failed to connect to Security Component. The Management Group
(MG) certificate may not be installed. Please refer to help for more
information.
Resolution: Install the Management Group certificate in the browser then restart the browser.
For procedures with supported browsers, see Management Group security certificate installation
overview.
If you still cannot log in, check the following and retry logging in:
◦ Ensure that the date-time on the browsing computer matches the date-time on the target
machine (the machine being logged in to). If the date-times do not match they must be
synchronized. For example, if the date-time on the target machine was ahead of the
browsing computer when it generated the security certificate, the browser may treat the
security certificate as being invalid. If the date-time on the target machine is changed,
the HP MIF service on that machine must be restarted.
◦ Ensure that the Domain Name System for the environment is configured correctly to resolve
names to IP addresses.
◦ Disable browser proxy settings.

◦ Clear the browser cache and restart the browser.

◦ Ensure that the firewall on the target machine is not preventing access.
• Message: Security Component encountered a server error. Please refer
to help for more information.
Resolution: Restart the HP MIF service on the target machine.
If you still cannot log in, the Host Reset tool (XFHostReset.exe) should be used to reset the
target machine. For details on using the tool see the Management Integration Framework
Maintenance & Service Guide.
• Message: Lookup of GUI server failed.
Resolution: The Tree Aggregator setting for the GUI server may not be enabled on the target
machine. Enable the setting using the Configuration interface then restart the HP MIF service.
For more information about the Tree Aggregator setting, see the Management Integration
Framework Administrator Guide or Configuration interface online help.
• Message: No GUI server could be found. Make sure a GUI server is
started and refresh the page.
Resolution: The Tree Aggregator setting for the GUI server may not be enabled on the target
machine. Enable the setting using the Configuration interface then restart the HP MIF service.
For more information about the Tree Aggregator setting, see the Management Integration
Framework Administrator Guide or Configuration interface online help.
• MIF web service IP Address. When the Management Integration Framework is bound to a
hostname, the hostname must be resolvable by the client, either by adding hostname mapping
in the DNS or in an etc\hosts file. If this is not done, users will not be able to log in using
IP addresses, because the Management Group security certificate will never be applied on
the machine. See also Web service IP address.

Login issues (other than MIF)


Problem
During login to a Management Integration Framework interface using an IPv6 address, a browser
prompts for user credentials, even though single sign-on features are active.
Explanation / resolution
This is due to the design of certain browsers. When using an IPv6 address to log in with these
browsers, you will need to enter your user credentials.

Single Pane of Glass tree errors


• The same storage systems appear twice in the navigation pane. This can be caused by
Management Group operations or restarting HP P6000 Command View. The condition is

typically cleared automatically in 30 seconds. The Tree Age Timeout setting in the Configuration
interface controls the timing.
• Storage systems do not appear in the navigation pane.
◦ Some older models of HP P6000 EVA storage systems in the SAN may not be supported
by the version of HP P6000 Command View. See the HP P6000 EVA Compatibility
Reference for support details.
◦ Ensure that all instances of HP P6000 Command View in the Management Group are
running.
◦ Ensure that firewalls are not blocking access to machines in the Management Group.

◦ Ensure that network issues are not preventing access to machines in the Management
Group.

5 Using the configuration interface
Best practices
• Avoid simultaneous configuration sessions for a given machine.
Although Management Integration Framework software supports simultaneous browser sessions,
communication errors can result when multiple sessions simultaneously attempt to configure
the same machine.
Example. Assume that two administrators simultaneously have sessions running to make changes
for machine A. One administrator changes port numbers on machine A, saves the changes
and restarts the Management Integration Framework service. When the service is restarted
with the changed port numbers, a communication error could occur in the session for the other
administrator.
• Plan and coordinate restarting Management Integration Framework services.

IMPORTANT: To avoid the possibility of interrupting storage related operations, HP
recommends that you carefully plan and coordinate restarting the Management Integration
Framework service.

• In a Management Group which includes multiple member machines, configure more than one
machine as an OS security domain authenticator. This practice prevents losing single sign-on
functionality for the Management Group should an authenticator machine become unavailable.

Changing a machine's configuration


In most cases the default settings are adequate and should not be changed. Guidelines for settings
are included in the online help, documentation, and in the interface. See Viewing configuration
guidelines.
Considerations
• Plan and coordinate restarting Management Integration Framework services.

IMPORTANT: To avoid the possibility of interrupting storage related operations, HP
recommends that you carefully plan and coordinate restarting the Management Integration
Framework service.

1. Log in to the Management Integration Framework configuration interface for the machine.
2. On the Configuration page, change the applicable configuration settings.
3. Click Save Changes. Wait until the changes are saved.
4. Click Restart Service. The changed settings are applied when the service restarts.

Configuring a multi-home machine


On a multi-homed (multiple NICs) machine, Management Integration Framework software binds
to the first IP address which is reported by the OS. If this is not the desired IP address, you can
specify the address by setting the Management Integration Framework Web Service IP Address.
Procedure
1. Browse to the Management Integration Framework configuration interface for the machine
and log in. The Configuration page opens.
2. Expand the General panel.
3. In the Web Service IP Address box, enter the desired IP address.
4. Click Save Changes. Wait until the change is saved.

5. After the change is saved, click Restart Service. The Management Integration Framework
software will bind to the specified IP address.

Logging in to the configuration interface


Considerations
• Viewing a Management Integration Framework interface requires a supported browser and
Flash Player plug-in. Supported browsers and Flash Players are listed in the HP Enterprise
Virtual Array Compatibility Reference.
• HP recommends using qualified user names. See Login user names.
• The Management Integration Framework web server port number shown in the example is the
default, 2374. If the port number has been changed, you must enter the new port.
• When browsing from a server which is running Windows Server 2008, the server's enhanced
security level must be turned off.
Procedure
1. Browse to https://<machine_name or IP address>:2374/Configuration.
2. Enter your user name and password.
3. Click OK.

Resetting or replacing HP P6000 EVA management modules


HP P6000 EVA storage systems with array-based management lose Management Group settings
(if any) when their management modules are reset or replaced. To avoid losing the settings, perform
the following steps before and after resetting or replacing a management module.
Before resetting or replacing
1. If necessary, install the Adobe Flash Player plug-in required to browse to HP Management
Integration Framework. Supported browsers and Adobe Flash Players are listed in the HP
P6000 Enterprise Virtual Array Compatibility Reference.
2. Log on to HP P6000 Command View on the storage system by browsing to
https://<storage system IP address>:2374.
3. Select Server Options > Other Options > Configure management infrastructure. If necessary,
install the Management Group certificate (See help in the communication error message).
4. Locate and record the name of the Management Group on the Service State pane in the
Configuration window. If it contains the same name as the management module, then
Management Groups are not configured on the storage system.
5. Click Discovery to expand the Discovery section and record the following:
• Discovery URI settings
• Registry Update Addresses
After resetting or replacing
1. Log on to the storage system again.
2. Select Server Options > Other Options > Configure management infrastructure.
3. Click Discovery to expand the section.
If the Discovery URI and Registry Update Addresses values are the same as those you recorded
before, skip to step 6.
4. Set the Discovery URI and Registry Update Addresses to the values you recorded before.
5. Click Save Changes > OK > Restart Service.
6. Return to HP P6000 Command View and select Server Options > Configure management
group.
7. Select the name of the management module.



8. Click Move Machine. Follow the instructions in the Move Machine wizard.
9. Select the Management Group that you recorded before.
10. Enter the user name, password, and OS security domain from the authenticator.
11. Click Next > Finish > OK to finalize the Management Group settings.

Restarting the Management Integration Framework service


Considerations
• Plan and coordinate restarting Management Integration Framework services.

IMPORTANT: To avoid the possibility of interrupting storage related operations, HP
recommends that you carefully plan and coordinate restarting the Management Integration
Framework service.

1. Log in to the Management Integration Framework configuration interface for the machine.
2. Click Restart Service. The service is stopped then restarted. All configuration settings are
applied when the service restarts. See Configuration settings and startup.

Restoring the default configuration for a machine


Considerations
• Plan and coordinate restarting Management Integration Framework services.

IMPORTANT: To avoid the possibility of interrupting storage related operations, HP
recommends that you carefully plan and coordinate restarting the Management Integration
Framework service.

1. Log in to the Management Integration Framework configuration interface for the machine.
2. On the Configuration page, click Restore Defaults and confirm the action. The default settings
are displayed.
3. Click Save to File. Wait until the changes (default settings) are saved.
4. Click Restart Service. The default settings are applied when the service restarts.

Setting the same IP version


The following settings must specify the same IP version (IPv4 or IPv6) or the Management Integration
Framework will not work correctly.
• Discovery URI
• Registry update address
• Web service IP address

Using keyboard navigation


The area of the page that is active for keyboard navigation is indicated with a colored border.



Examples. Restore Defaults button and Unsecured Web Service Port setting:

Navigation methods and key combinations are as follows:

Common navigation                                      Key
Click (activate) a selected element                    Spacebar
Move forward through settings, choices or buttons      Tab
Move backwards through settings, choices or buttons    Shift+Tab
Select a choice (radio button)                         Up and down arrows

Drop down list navigation                              Key
Close a drop down list                                 Ctrl + up arrow
Move through a list and highlight an item              Up and down arrows
Open a drop down list                                  Ctrl + down arrow
Select a highlighted list item                         Enter

Viewing configuration guidelines


Management Integration Framework configuration guidelines appear in the:
• Management Integration Framework configuration online help
• Management Integration Framework administrator guide
Also, the user interface includes proactive assistance for most fields. For example, in the Discovery
Interval, you can delete the displayed value, type an x, then mouse-over the warning icon to see
the guideline.

Default value example



Interactive assistance example

Viewing the configuration for a machine


1. Log in to the Management Integration Framework configuration interface for the machine.
2. On the Configuration page, view the configuration settings. Example: Configuration page.
3. On the Registry page, view the Management Integration Framework registry entries. Example:
Registry page.



6 Configuration settings
Configuration settings overview
In most cases the default settings are adequate and should not be changed. Guidelines for settings
are included in the online help, documentation, and in the interface. See Viewing configuration
guidelines.
Considerations
The following considerations are common to all settings:
• All Management Integration Framework web service port numbers must be unique, with the
exception of the Discovery URI port.
• The value 0 (zero) in a port number field indicates that Management Integration Framework
can automatically assign the port number. There can be multiple ports that show the value of
0.

General configuration settings


Audit file max age
This general setting establishes the number of calendar days that Management Integration
Framework audit files are retained. The files are deleted the day after the max age is reached.
• Typical use. To increase how long audit files are retained. This setting is used mostly by HP
support personnel.
• The default is 10 days.
• If you change the setting, it must be in the range of 1 to 365 days.

Audit file max size


This general setting establishes the maximum size of a Management Integration Framework audit
file. A new audit file is started when the maximum size is exceeded.
• Typical use. To increase the size of the audit file. This setting is used mostly by HP support
personnel.
• The default is 10 MB.
• If you change the setting, it must be in the range of 1 to 100 MB.

Log file max age


This general setting establishes the number of calendar days that Management Integration
Framework log files are retained. The files are deleted the day after the max age is reached.
• Typical use. To increase how long log files are retained. This setting is used mostly by HP
support personnel.
• The default is 10 days.
• If you change the setting, it must be in the range of 1 to 365 days.

Log file max size
This general setting establishes the maximum size of a Management Integration Framework log
file. A new log file is started when the maximum size is exceeded.
• Typical use. To increase the size of the log file. This setting is used mostly by HP support
personnel.
• The default is 10 MB.
• If you change the setting, it must be in the range of 1 to 100 MB.

Logging level
This general setting specifies the level of detail that is recorded in a Management Integration
Framework log file.
• Typical use. To change the amount of detail being recorded about the Management Integration
Framework service. Increasing the detail is helpful when troubleshooting. This setting is used
mostly by HP support personnel.
• The default is 1 (least detail).
• If you change the setting, it must be in the range of 1 to 4 (most detail).

Secured web service port


This general setting establishes the port number for the web service interfaces which are served
using the secure HTTPS protocol.
• Typical use. To accommodate environments where corporate policy or network infrastructure
(firewall, proxy, etc.) requires specific ports be used instead of allowing the Management
Integration Framework to pick free ports. The system administrator must specify the port for
the Management Integration Framework to use and then configure the firewall to allow the
port.
• The default setting is 0 (zero). A zero in a port number field indicates that the Management
Integration Framework can automatically assign the port number.
• If you specify a port number, it must be in the range of 1024 to 65535.
• The system administrator must pick a port that will be free every time the Management
Integration Framework starts, otherwise, the web service will not be available.

Unsecured web service port


This general setting establishes the port number for the web service interfaces which are served
using the unsecured HTTP protocol.
• Typical use. To accommodate environments where corporate policy or network infrastructure
(firewall, proxy, etc.) requires specific ports be used instead of allowing the Management
Integration Framework to pick free ports. The system administrator must specify the port for
the Management Integration Framework to use and then configure the firewall to allow the
port.
• The default setting is 0 (zero). A zero in a port number field indicates that the Management
Integration Framework can automatically assign the port number.
• If you specify a port number, it must be in the range of 1024 to 65535.
• The system administrator must pick a port that will be free every time the Management
Integration Framework starts, otherwise, the web service will not be available.



Web server connections
This general setting establishes the maximum number of concurrent connections for the Management
Integration Framework web server.
• Typical use. To increase the number of allowed connections.
• The default is 2 concurrent connections.
• If you change the setting, it must be in the range of 1 to 25 connections.

Web server port


This general setting establishes the port number for the Management Integration Framework web
server. This is the port number that is used to browse to Management Integration Framework
interfaces.
• Typical use. When corporate policy or network infrastructures (firewalls, proxies, etc.) do not
allow port number 2374 to be used.
• The default is 2374.
• If you specify a port number, it must be in the range of 1024 to 65535.
• The entry must not be 0 (zero). Zero would allow Management Integration Framework to
silently assign a port number. Not knowing the port number would prevent browsing to the
Management Integration Framework web server.
• Considerations. The specified port must be free every time the Management Integration
Framework service starts; otherwise, the service will not be available.

Web service IP address (IPv4/IPv6)


This general setting establishes the IP address or host name for all Management Integration
Framework web services. This is the address that is used to browse to Management Integration
Framework interfaces.
• Typical use. When a specific IP address must be used. For example, when required to use a
specific network card.
• By default this field is empty, which allows Management Integration Framework to use the IP
address of the machine.
Management Integration Framework software determines the IP address of the machine as
follows:
◦ Management Integration Framework searches for IPv4 addresses on the machine and
uses the first IPv4 address that it finds.
◦ If no IPv4 addresses are found, Management Integration Framework uses the first IPv6
address that it finds on the machine.
• If you specify an IP address, it can be any legal IPv4 or IPv6 address (40 characters maximum).
• The IP version must be the same as certain other settings, otherwise the Management Integration
Framework will not work properly. See Setting the same IP version.
• If you enter a non-specific address value, for example 0.0.0.0 (IPv4) or :: (IPv6), the
Management Integration Framework web services and server will listen for any network
connection on the machine. In this case, web services will register the short name and the
DNS must be set up properly to resolve the short name.

• If you enter an IP address that is not on the machine, the Management Integration Framework
will try an IP address that is valid. If no network is detected, Management Integration Framework
will start with the non-specific (any) address.
• When the Management Integration Framework is bound to a hostname, the hostname must
be resolvable by the client, either by adding hostname mapping in the DNS or in an
etc\hosts file. If this is not done, users will not be able to log in using IP addresses, because
the Management Group security certificate will never be applied on the machine.

Discovery configuration settings


Discovery interval
This discovery setting establishes how often Management Integration Framework software performs
discoveries in a Management Integration Framework network.
• Typical use. To optimize performance relative to the size of a Management Integration
Framework network.
• The default is 60 seconds (1 minute).
• If you change the setting, it must be in the range of 1 to 3600 seconds (1 hour).
• Considerations. A short interval increases network traffic. A long interval reduces responsiveness
to changes in the Management Integration Framework network.

Discovery URI
This discovery setting establishes the mechanism, IP address, and port by which Management
Integration Framework software discovery components detect each other and share information.
See also Web service IP address setting.
• Typical use. To optimize Management Integration Framework discovery performance in
different networking environments.
• The default settings are: multicast, IP 231.0.1.10, and port 9000.
• Mechanism options include: Multicast, Broadcast, and Network Scan range.
• The IP version must be the same as certain other settings, otherwise the Management Integration
Framework will not work properly. See Setting the same IP version.
Multicast setting
• IP address. An IPv4 or IPv6 multicast address.
◦ An IPv4 multicast address in the range of 224.0.0.0 to 239.255.255.255.

◦ An IPv6 multicast address beginning with the letters FF.


• Port. A valid UDP port number, except IANA-assigned port numbers 0 to 1023.
• Examples
IPv4: 232.0.1.10:8080
IPv6: [FF15::101]:8080
Broadcast and Network Scan Range settings
• IP address. A legal IPv4 address for the machine. Do not use IPv6.
• Port. A valid UDP port number, except IANA-assigned port numbers 0 to 1023.



• Subnet mask. A valid subnet mask for the IP address of this machine. The default is
255.255.255.240.
• Example
IPv4: 192.168.1.20/255.255.254.0:8080

Non-local registry entry time-out


This discovery setting establishes how long Management Integration Framework software waits
before it removes non-local entries from its registry. The entries are removed if they are not updated
during the time-out period.
• Typical use. Used in conjunction with a change in the Registry Table Update interval.
• The default is 60 seconds (1 minute).
• If you change the setting, it must be in the range of 1 to 3600 seconds (1 hour).
• Considerations. If the non-local registry entry time-out is shorter than the Registry Table Updates
interval, then the Management Integration Framework registry will not maintain constant entries
for the other machines.
• Non-local registry entries are the entries for member machines other than the machine on
which the Management Integration Framework registry is located.

Registry table updates


This discovery setting establishes how often Management Integration Framework software refreshes
its registry table.
• Typical use. If the network of Management Group member machines is large, or if updates
are frequent, it may be necessary to change this setting.
• The default is 10 seconds.
• If you change the setting, it must be in the range of 1 to 3600 seconds (1 hour).
• Considerations. When changing (increasing) this setting, be sure to make corresponding
changes to the Non-local Registry Entry Timeout setting. Otherwise, non-local registry entries
could be prematurely timed-out or not kept.

Registry update address (IPv4/IPv6)


This discovery setting establishes specific IP addresses and ports to which all registry entries are
sent.
• Typical use. When an administrator wants to specify specific IP addresses and ports.
• By default this setting is empty. A specific entry is not required.
• If you change this setting, you can use any legal IPv4 or IPv6 address and port number, or a
DNS name.
• The IP version must be the same as certain other settings, otherwise the Management Integration
Framework will not work properly. See Setting the same IP version.
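The constraints stated under Setting the same IP version, Configuration settings overview, Discovery URI, Non-local registry entry time-out and Registry table updates can be checked together before a change is saved. The following Python example is added here and is not HP code; the dictionary keys, the list form of the registry update addresses, and the inclusion of the web server port in the uniqueness check are assumptions, because this guide does not describe a settings file format.

```python
import ipaddress

def parse_endpoint(text):
    """Parse 'a.b.c.d:port', '[v6]:port' or 'a.b.c.d/mask:port' into (interface, port)."""
    text = text.strip()
    if text.startswith("["):                      # bracketed IPv6, e.g. [FF15::101]:8080
        host, closed, rest = text[1:].partition("]")
        if not closed or not rest.startswith(":"):
            raise ValueError(f"malformed IPv6 endpoint {text!r}")
        port = rest[1:]
    else:
        host, colon, port = text.rpartition(":")
        if not colon:
            raise ValueError(f"missing port in {text!r}")
    return ipaddress.ip_interface(host), int(port)  # host may carry /netmask

def ip_version_of(value):
    """Return 4 or 6 for an IP literal or endpoint; None for empty values and DNS names."""
    if not value:
        return None
    try:
        return parse_endpoint(value)[0].version
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(value.strip().strip("[]")).version
    except ValueError:
        return None                               # a name: resolution decides the version

def validate(cfg):
    """Return a list of problems in a settings dict (hypothetical keys); [] means consistent."""
    problems = []

    # Discovery URI: the allowed address class depends on the mechanism.
    try:
        iface, port = parse_endpoint(cfg["discovery_uri"])
    except ValueError as exc:
        problems.append(f"Discovery URI: {exc}")
    else:
        if not 1024 <= port <= 65535:
            problems.append(f"Discovery URI: port {port} is outside 1024-65535")
        mech = cfg["discovery_mechanism"]
        if mech == "multicast" and not iface.ip.is_multicast:
            problems.append(f"Discovery URI: {iface.ip} is not a multicast address")
        if mech in ("broadcast", "network scan") and iface.version != 4:
            problems.append(f"Discovery URI: {mech} requires an IPv4 address")

    # Discovery URI, registry update addresses and web service IP must share one IP version.
    values = [cfg["discovery_uri"], cfg["web_service_ip"], *cfg["registry_update_addresses"]]
    versions = {ip_version_of(v) for v in values} - {None}
    if len(versions) > 1:
        problems.append("IP version: settings mix IPv4 and IPv6")

    # Ports: 0 means auto-assign, which is not allowed for the web server port.
    names = ("web_server_port", "secured_web_service_port", "unsecured_web_service_port")
    for name in names:
        p = cfg[name]
        auto_ok = name != "web_server_port"
        if not (1024 <= p <= 65535 or (p == 0 and auto_ok)):
            problems.append(f"{name}: {p} is not allowed")
    fixed = [cfg[n] for n in names if cfg[n] != 0]
    if len(fixed) != len(set(fixed)):
        problems.append("Ports: fixed port numbers must be unique")

    # Registry timers: entries must outlive the interval at which they are refreshed.
    update = cfg["registry_table_updates"]
    timeout = cfg["nonlocal_registry_entry_timeout"]
    for name, secs in (("registry_table_updates", update),
                       ("nonlocal_registry_entry_timeout", timeout)):
        if not 1 <= secs <= 3600:
            problems.append(f"{name}: {secs} s is outside 1-3600")
    if timeout < update:
        problems.append("Timers: non-local registry entry time-out is shorter "
                        "than the registry table update interval")
    return problems

# Defaults as listed in this guide.
DEFAULTS = {
    "discovery_mechanism": "multicast", "discovery_uri": "231.0.1.10:9000",
    "web_service_ip": "", "registry_update_addresses": [],
    "web_server_port": 2374, "secured_web_service_port": 0,
    "unsecured_web_service_port": 0,
    "registry_table_updates": 10, "nonlocal_registry_entry_timeout": 60,
}

# Constructed sample that violates several of the rules at once.
BAD = {
    "discovery_mechanism": "broadcast", "discovery_uri": "[FF15::101]:8080",
    "web_service_ip": "192.168.1.20", "registry_update_addresses": ["192.168.1.21:9001"],
    "web_server_port": 0, "secured_web_service_port": 8443,
    "unsecured_web_service_port": 8443,
    "registry_table_updates": 120, "nonlocal_registry_entry_timeout": 60,
}

if __name__ == "__main__":
    for label, cfg in (("defaults", DEFAULTS), ("bad sample", BAD)):
        print(label, validate(cfg) or "OK")
```

Host names and DNS names are skipped by the IP version check, because the version they resolve to depends on the DNS configuration of the environment.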

Security configuration settings


The following topics describe configuration settings for the Management Integration Framework
security function. See also Management Integration Framework security concepts.

Available OS security domains
This security setting establishes an administrator-specified list of OS security domains that
Management Integration Framework software can use for authentication.
• Typical use. When it is known that a machine has trust relationships with an OS security
domain that Management Integration Framework software cannot automatically detect, you
can add the domain to this list. This allows Management Integration Framework software to
authenticate users with the specified domain.
• By default, this setting is empty.
• If you specify a security domain, it can be any legal domain name (up to 255 characters).
• Considerations. Management Integration Framework software does not verify OS security
domain entries. If an incorrect domain is entered, security administrators will mistakenly believe
that user accounts for the security domain are being authenticated, when in fact they are not.
Incorrect entries can also cause failed login attempts.
Management Integration Framework software also uses certain domains which do not appear in
the administrator-specified list. On Windows machines these are:
• Local machine
• Primary active domain

Cipher List
This security setting establishes security ciphers, key strengths and hash algorithms that apply to
SSL connections. The cipher list consists of cipher strings separated by colons.
• Typical use. When an administrator wants to change the default cipher list.
• The default cipher list is: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH.
• Considerations. Changing the security cipher list can affect interoperability with clients that
require specific settings.
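Before changing the cipher list, it helps to see which suites a given string selects and which it drops. The following Python example is added here and is not part of the HP software; it assumes the setting uses OpenSSL cipher-string syntax (which the default's format matches), expands a list with the local OpenSSL build (results vary by build), and flags suite families that the default string does not exclude by name: anonymous ECDH (AECDH), RC4 and 3DES. CANDIDATE and LEGACY_SAMPLE are constructed values.

```python
import ssl

MIF_DEFAULT = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"            # default from this guide
CANDIDATE = "HIGH:!aNULL:!eNULL:!3DES:!RC4:!MD5:@STRENGTH"   # assumption: tighter list to evaluate

# Constructed sample: suite names that an older OpenSSL build shipping these
# algorithms keeps under MIF_DEFAULT (none is removed by !ADH, !LOW, !EXP or !MD5).
LEGACY_SAMPLE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AECDH-AES256-SHA",
    "RC4-SHA",
    "DES-CBC3-SHA",
]

# Heuristic: substrings of OpenSSL suite names and the reason they are flagged.
WEAK_MARKERS = (
    ("anonymous key exchange (server is not authenticated)", ("ADH-", "AECDH-")),
    ("RC4 stream cipher", ("RC4",)),
    ("3DES (64-bit block cipher)", ("DES-CBC3", "3DES")),
)

def expand(cipher_list):
    """Return the suite names the local OpenSSL build selects for a cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)          # raises ssl.SSLError if nothing can be selected
    return [c["name"] for c in ctx.get_ciphers()]

def classify(name):
    """Return the reason a suite name is flagged, or None if no marker matches."""
    for reason, markers in WEAK_MARKERS:
        if any(m in name for m in markers):
            return reason
    return None

def audit(names):
    """Map each flagged suite name to the reason it is flagged."""
    return {n: r for n in names if (r := classify(n))}

def dropped(old, new):
    """Suites selected by `old` but not by `new` on this build (interoperability impact)."""
    kept = set(expand(new))
    return [n for n in expand(old) if n not in kept]

if __name__ == "__main__":
    print("Flagged in constructed legacy sample:")
    for name, reason in audit(LEGACY_SAMPLE).items():
        print(f"  {name}: {reason}")
    print("Flagged under the default list on this build:", audit(expand(MIF_DEFAULT)) or "none")
    print("Clients limited to these suites would fail with the candidate list:")
    for name in dropped(MIF_DEFAULT, CANDIDATE):
        print(f"  {name}")
```

The output of dropped() is the interoperability check the Considerations bullet calls for: any client that supports only suites in that list can no longer connect after the change.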

Tree integrator configuration settings


Decorator age time-out
This tree integrator setting establishes how long Management Integration Framework software
waits before removing a registered decoration. Timing is relative to the last time the decoration
was registered.
• Typical use. Shorten the time-out if the Management Integration Framework interface is not
responsive. Increase the time-out if the network is unreliable.
• The default is 30 seconds.
• If you change the setting, it must be in the range of 1 to 3600 seconds (1 hour).
• Considerations. A short time-out causes tree decorators to be removed from stale decorations
more quickly. If the time-out is too short, tree decorations could be repeatedly displayed,
removed, and displayed again (looping).

Tree discovery interval


This tree integrator setting establishes how often Management Integration Framework software
checks for new trees.
• Typical use. When the Management Integration Framework interface does not seem to find
new trees fast enough. Also, when there are many trees and Management Integration
Framework interface performance is affected.
• The default is 5000 milliseconds.



• If you change the setting, it must be in the range of 1 to 300000 milliseconds (5 minutes).
• Considerations. A short interval causes the Management Integration Framework software to
check for trees more often, which increases interface responsiveness but also increases network
traffic. A longer interval causes Management Integration Framework software to check for
trees less often, which decreases network traffic but also decreases interface responsiveness.

Local only
This tree integrator setting establishes whether tree content is limited to content from the local
machine or if tree content from other machines can be included.
• The local only setting applies only when the tree aggregation setting is enabled.
• The default setting is Not enabled for server-based HP P6000 Command View and Enabled
for array-based HP P6000 Command View.

SPoG session time-out


The SPoG is continually communicating with the SPoG server, unless there is a network problem.
This tree integrator setting establishes how long Management Integration Framework software
waits before ending a SPoG session. Timing is relative to the last communication with the SPoG
session.
• Typical use. To have Management Integration Framework software store SPoG session
information for longer or shorter periods of time.
• The default is 120 seconds (2 minutes).
• If you change the setting, it must be in the range of 1 to 3600 seconds (1 hour).
• Considerations. A short time-out removes session information sooner, which frees memory but
may cause slower tree updates.

Tree aggregation
This tree integrator setting establishes whether or not SPoG server functionality is enabled on the
machine.
• The default setting is Enabled.
See also the local only setting.

Tree age time-out


This tree integrator setting establishes how long Management Integration Framework software
waits before removing a tree. Timing is relative to the last communication with the tree.
• Typical use. Shorten the time-out if the Management Integration Framework interface is not
responsive. Increase the time-out if the network is unreliable.
• The default is 30 seconds.
• If you change the setting, it must be in the range of 1 to 3600 seconds (1 hour).
• Considerations. A short time-out causes trees to be removed faster than a longer time-out.
However, if the time-out is too short, trees could be repeatedly displayed, removed, and
displayed again (looping).

7 Using the security interface
Adding LDAP security domains to a machine
You can use the Manage OS Security Groups wizard to add LDAP security domains to a machine
and map LDAP security domains to Management Integration Framework roles.
Procedure
1. Browse to the security interface for the machine.
2. Select the machine and click Manage OS Security Domains. The Manage OS Security Domains
wizard opens.
3. Select Add LDAP Security Domain and follow the instructions in the wizard.

Adding machines to a Management Group


You can use the Move Machine or Import Machines wizards to add machines to a Management
Group. A brief comparison of the wizards follows.

Summary
• Move Machine wizard: Removes a single machine from one Management Group and adds the
machine to another Management Group.
• Import Machines wizard: Removes one or more machines from one or more Management
Groups, then adds the machines to another Management Group.
New Management Group?
• Move Machine wizard: The Move Machine wizard can create a new Management Group.
• Import Machines wizard: The Import Machines wizard does not create a new Management
Group.

Considerations
• The Move Machine wizard allows you to add a machine to a new Management Group; the
Import Machines wizard does not create new Management Groups.
• A machine can only be a member of one Management Group at a time.
• If the machine you choose is the only member of the existing Management Group, then the
wizard will delete the existing group.
Procedure for Move Machine
1. Identify the target machine to add to another Management Group.
2. Browse to the security interface on any member machine in the target machine's Management
Group.
3. Select the target machine. Management Integration Framework software will determine if the
machine's membership can be changed. If yes, the Move Machine button is enabled.
4. Click Move Machine. The Move Machine wizard opens.
5. Click Next.
6. On the Select Destination Management Group page, select the method (existing or new group)
for adding the machine to another group, then click Next.
7. Follow the instructions in the wizard pages, then click Finish.
Procedure for Import Machines
1. Identify a machine which is a member of the Management Group into which you want to import
other machines.
2. Browse to the security interface for that machine.
3. Click Import Machines. The Import Machines wizard opens.
4. Select the machines to import and follow the instructions in the wizard pages, then click Finish.



Creating a Management Group
You cannot use the wizards to create an empty Management Group or to directly create a
Management Group. Instead, you must use the Move Machine wizard and choose a machine to
be the initial member of the new group. The following considerations are important when planning
new groups.
Considerations
• Only the Move Machine wizard can be used to create a Management Group.
• The machine that you choose to be the initial member of the new Management Group will no
longer be a member of the existing Management Group.
• If the machine that you choose is the only member of the existing Management Group, then
the wizard will delete the existing group.
Procedure
1. Determine the target machine to use as the initial member of your new Management Group.
2. Browse to the security interface on any member machine in the target machine's Management
Group.
3. Select the target machine. Management Integration Framework software will determine if the
machine's membership can be changed. If yes, the Move Machine button is enabled.
4. Click Move Machine. The Move Machine wizard opens.
5. Click Next.
6. On the Select Destination Management Group page, select New Management Group, enter
the name for the new group, then click Next.
7. Follow the instructions in the wizard pages, then click Finish to create the new group.

Deleting a Management Group


You cannot use the wizards to directly delete a Management Group. Instead, you use the Move
Machine or Import Machines wizards to delete a group by removing all member machines from
the group. A brief comparison of the wizards follows.

Summary
• Move Machine: Removes a single machine from one Management Group and adds the
machine to another Management Group.
• Import Machines: Removes one or more machines from one or more Management Groups,
then adds the machines to another Management Group.

Considerations
• All machines that are members of the Management Group to be deleted must become members
of another Management Group.
• The Move Machine wizard allows you to move a machine to a new Management Group; the
Import Machines wizard does not create new Management Groups.
Procedure for Move Machine
1. Determine the Management Group to be deleted.
2. Browse to the security interface on any member machine in the Management Group to be
deleted.
3. For each machine in the Management Group:
a. Select the machine. Management Integration Framework software will determine if the
machine's membership can be changed. If yes, the Move Machine button is enabled.
b. Click Move Machine. The Move Machine wizard opens.
c. On the Select Destination Management Group page, select the method (existing or new
group) for adding the machine to another group, then click Next.
4. Follow the instructions in the wizard pages, then click Finish to delete the existing group.



Procedure for Import Machines
1. Determine the Management Group to be deleted.
2. Identify a machine which is a member of a Management Group that will receive the machines
being removed from the Management Group to be deleted.
3. Browse to the security interface for that machine.
4. Click Import Machines. The Import Machines wizard opens.
5. Select the machines to import and follow the instructions in the wizard pages, then click Finish.

Deleting LDAP security domains for a machine


You can use the Manage OS Security Groups wizard to delete LDAP security groups for a machine.
Considerations
• An LDAP security domain cannot be deleted if it is the only authenticating OS security domain
for the selected machine.
Procedure
1. Browse to the security interface for the machine.
2. Select the machine and click Manage OS Security Domains. The Manage OS Security Domains
wizard opens.
3. Select Delete LDAP Security Domain and follow the instructions in the wizard.

Editing LDAP security domains for a machine


You can use the Manage OS Security Groups wizard to edit LDAP security groups for a machine.
Procedure
1. Browse to the security interface for the machine.
2. Select the machine and click Manage OS Security Domains. The Manage OS Security Domains
wizard opens.
3. Select Edit LDAP Security Domain and follow the instructions in the wizard.

Logging in to the security interface


Considerations
• Viewing a Management Integration Framework interface requires a supported browser and
Flash Player plug-in. Supported browsers and Flash Players are listed in the HP Enterprise
Virtual Array Compatibility Reference.
• HP recommends using qualified user names. See Login user names.
• The Management Integration Framework web server port number shown in the example is the
default, 2374. If the port number has been changed, you must enter the new port.
• When browsing from a server which is running Windows Server 2003, the server's IE Enhanced
Security Configuration (ESC) must be uninstalled. See Configuring Windows Server 2003 IE
ESC.
• When browsing from a server which is running Windows Server 2008, the server's IE Enhanced
Security Configuration (ESC) must be turned off. See Configuring Windows Server 2008 IE
ESC.
Procedure
1. Browse to https://<machine_name or IP address>:2374/Security.
2. Enter your user name and password.
3. Click OK.



Removing machines from a Management Group
You can use the Move Machine or Import Machines wizards to remove machines from a
Management Group. A brief comparison of the wizards follows.

Summary
• Move Machine wizard: Removes a single machine from one Management Group and adds the
machine to another Management Group.
• Import Machines wizard: Removes one or more machines from one or more Management
Groups, then adds the machines to another Management Group.

Considerations
• The Move Machine wizard allows you to remove one machine at a time.
• The Import Machines wizard allows you to remove one or more machines at a time.
• When you remove a machine from a Management Group, you must add it to another existing
group or to a new group.
• If the machine that you choose is the only member of the existing Management Group, then
the wizard will delete the existing group.
Procedure for Move Machine
1. Identify the target machine to remove from a Management Group.
2. Browse to the security interface on any member machine in the target machine's Management
Group.
3. Select the machine. Management Integration Framework software will determine if the
machine's membership can be changed. If yes, the Move Machine button is enabled.
4. Click Move Machine. The Move Machine wizard opens.
5. Click Next.
6. On the Select Destination Management Group page, select the method (existing or new group)
for adding the machine to another group, then click Next.
7. Follow the instructions in the wizard pages, then click Finish.
Procedure for Import Machines
1. Identify a machine which is to receive the members of the Management Group from which
you want to remove machines.
2. Browse to the security interface for that machine.
3. Click Import Machines. The Import Machines wizard opens.
4. Select the machines to remove from the other Management Group and follow the instructions
in the wizard pages, then click Finish.

Renaming a Management Group


You cannot use the wizards to directly rename a Management Group. Instead, you rename a
group by using the Move Machine and Import Machines wizards to remove all member machines
from the group and add them to a new group that you name.
Considerations
• If the Management Group includes only one machine, use the Move Machine wizard to
remove the machine and move it to a new Management Group that you create with the desired
new name.
• If the Management Group includes multiple machines, first use the Move Machine wizard to
remove one machine and move it to a new Management Group that you create with the
desired new name. Second, use the Import Machines wizard to move the remaining machines
into the new Management Group.
Procedure
1. Identify the Management Group to rename.
2. Browse to the security interface on any member machine in the Management Group to rename.
3. Select the machine. Management Integration Framework software will determine if the
machine's membership can be changed. If yes, the Move Machine button is enabled.
4. Click Move Machine. The Move Machine wizard opens.
5. Click Next.
6. On the Select Destination Management Group page, select New Management Group, enter
the name for the new group, then click Next.
7. Follow the instructions in the wizard pages, then click Finish to create the new group.
8. Browse to the security interface on the member machine in the new Management Group.
9. Click Import Machines. The Import Machines wizard opens.
10. Select the machines to import from the Management Group to be renamed and follow the
instructions in the wizard pages, then click Finish.

Using keyboard navigation


The area of the page that is active for keyboard navigation is indicated with a colored border.
Example. Move Machine button and select existing or new Management Group.

Navigation methods and key combinations are as follows:

Common navigation (action: key)
• Click (activate) a selected element: Spacebar
• Move forward through settings, choices or buttons: Tab
• Move backwards through settings, choices or buttons: Shift+Tab
• Select a choice (radio button): Up and down arrows

Drop down list navigation (action: key)
• Close a drop down list: Ctrl + up arrow
• Move through a list and highlight an item: Up and down arrows
• Open a drop down list: Ctrl + down arrow
• Select a highlighted list item: Enter



Troubleshooting
Import Machines troubleshooting
The following error messages and resolutions apply to the Import Machines, Import Progress and
Results page:
• Message: Failed import - operation canceled.
Resolution: None; the user has cancelled the import.
• Message: Failed import – communication error.
Resolution: Verify that the local Management Integration Framework service is started and is
configured properly. Verify the status of machines in their current Management Groups and
ensure that the machines are running. Verify that SSL certificates are loaded properly. Check
for network problems that might prevent communication with the machines.
This problem can occur when:
◦ There was no communication with machines being imported into the current Management
Group.
◦ There was no communication with the Management Integration Framework service in the
local Management Group; and thus, there was no communication with the security
services.
• Message: Failed import – unknown handle.
Resolution: Log out and back in to the Management Integration Framework Security interface.
This problem can occur when:
◦ The user's current session has expired.

◦ The security token (handle) is no longer valid for the machine that is being imported.
• Message: Failed import – insufficient privileges.
Resolution: Log out and back in to the Management Integration Framework Security interface.
This problem can occur when:
◦ The user's current session has expired.

◦ The security token is no longer valid for the machine that is being imported.
• Message: Failed import – insufficient target privileges.
Resolution: Retry the import operation.
This problem can occur when:
◦ The security token used to import the machines expired during the import operation.

◦ The security token is no longer valid for the machine that is being imported.
• Message: Failed import – unable to find management group.
Resolution: Verify that the destination Management Group exists. Verify the status of the
authenticating machines in the destination Management Group and ensure that at least one
authenticating machine is running. Check for network problems that might prevent
communication with the machines.
This problem can occur when:
◦ The destination Management Group is deleted before or during the import operation.
◦ The destination Management Group contains only one machine and that machine is
down. The machine may have gone down while the import operation was underway.
• Message: Failed import – unknown MG.
Resolution: Verify that the destination Management Group exists. Verify the status of the
authenticating machines in the destination Management Group and ensure that at least one
authenticating machine is running. Check for network problems that might prevent
communication with the machines.
This problem can occur when:
◦ The destination Management Group is deleted before or during the import operation.

◦ The destination Management Group contains only one machine and that machine is
down. The machine may have gone down while the import operation was underway.
• Message: Failed import – invalid configuration.
Resolution: Select only the non-authenticating machines in the Management Group, or make
another machine in the Management Group an authenticator, then retry the import operation.
This problem can occur when:
◦ The operation is trying to remove the only authenticating machine from the machine's
current Management Group, when other machines remain in the group.
◦ Two people perform operations that are interrelated. For example, if one person starts a
move operation while another person is about to start an import operation. Or, if one
person disables a machine's role as an authenticator just as another person starts an
import operation.
◦ An authenticating machine goes down before or during the import operation.
• Message: Failed import – cannot move only authenticator.
Resolution: Select only the non-authenticating machines in the Management Group, or make
another machine in the Management Group an authenticator, or fix the error in the
non-authenticating machine that prevented the import, then retry the import operation.
This problem can happen when:
◦ Trying to import the only authenticating machine from a Management Group when
non-authenticating machines remain in the group.
◦ A non-authenticating machine fails during an import and the user decides to continue,
resulting in an attempt to import the only authenticating machine.
• Message: Failed import – invalid input.
Resolution: Management Integration Framework software may have an internal error. Contact
HP Support.
This can happen when data regarding the destination or source management group is incorrect
or invalid.
• Message: Failed import – bad clock skew.
Resolution: Check the clocks on the machines in the destination Management Group and on
the machines that are being imported. Synchronize the clocks as needed.
Clock skew refers to a condition when the time on one or more machines in the destination
management group is significantly different than the time on one or more machines that are
being imported. For example, if the time on one of the machines that is being imported is 2
hours different than the machines in the destination management group, the import will fail.
A best practice is to keep the clocks synchronized on all machines.

Management Group change troubleshooting
The following error messages and resolutions apply to the Management Group change page:
• Message: The current session has expired or the machine’s security
token is no longer valid. Please re-login.
Resolution: Log out of the Management Integration Framework security interface, then log
back in.
• Message: Invalid information was obtained from the destination
Management Group. This may indicate a critical error - please contact
HP.
Resolution: Management Integration Framework software may have an internal error. Contact
HP Support.
• Message: An invalid Management Group name was detected. Refer to help
for more information.
Resolution: Return to the Select Destination Management Group page and verify that the
Management Group name consists only of alphanumeric characters and the “_” and “-” characters.
◦ If the name was entered into the “New Management Group” text field, re-enter a valid name
and try the operation again.
◦ If the name came from the drop down list, try the operation again. If the error message
appears again there may be a Management Integration Framework software internal
error. Please contact HP Support.
• Message: Unable to communicate with security component on the local
machine. Verify local Management Integration Framework security
component is started and configured properly. Verify SSL certificates
are loaded properly.
Resolution: Verify that the local Management Integration Framework security component is
started and configured properly. Verify that all SSL certificates are correctly loaded.
• Message: Invalid OS security domain credentials for destination
Management Group. Return to “Collect OS Security Domain Details”
screen and reenter credentials.
Resolution: Follow the instructions in the message.
• Message: Unable to communicate with authenticators in the destination
Management Group. Verify at least one authenticating machine in
destination Management Group is running and that there are no network
problems.
Resolution: Verify the status of the authenticating machines in the destination Management
Group and ensure that the machines are running. Verify the status of the selected machine
and ensure the machine is running. Verify that there are no network problems.
• Message: Destination Management Group not found. Verify destination
Management Group exists, at least one authenticating machine in
destination Management is running and that there are no network
problems.
Resolution: Verify that the destination Management Group exists. Verify the status of the
authenticating machines in the destination Management Group and ensure that the machines
are running. Verify there are no network problems.
• Message: The machine’s clock is significantly out of sync with the
machines in the destination Management Group. Refer to help for more
information.
Resolution: Check the clocks on the machines in the destination Management Group and on
the machine that is being moved. Synchronize the clocks as needed.
This condition, also called clock skew, is when the time on one or more machines in the
destination management group is significantly different than the time on the machine that is
being moved. For example, if the time on the machine being moved is 2 hours different than
the machines in the destination management group, the move will fail. A best practice is to
keep the clocks synchronized on all machines.

8 Management Integration Framework concepts
Applications (Management Integration Framework specific)
The term Management Integration Framework application refers to an HP storage management
product or software component that is Management Integration Framework capable, usually for
the purposes of participating in Management Integration Framework security integration and the
Single Pane-of-Glass interface.

Authenticators (Management Integration Framework specific)


A Management Group member machine is an authenticator if it can authenticate Management
Integration Framework users.
• Authenticator machines in the same Management Group can be members of different OS
security domains.

Configuration settings and service startup


When Management Integration Framework software is first installed on a machine, the default
settings are applied and there is no Management Integration Framework configuration file. When
you make and save the first change using the configuration interface, Management Integration
Framework software creates a configuration file and writes the changes to the file. All subsequent
configuration changes are written to the configuration file.
If no changes are made to the configuration settings, the default settings are applied whenever the
Management Integration Framework service is started. Once any setting is changed, the settings
in the configuration file are applied whenever the Management Integration Framework service is
started.
See also Restoring a default configuration.

Discovery
All machines with Management Integration Framework software which are on the same LAN can
automatically discover and communicate with each other.
To do this, the Management Integration Framework discovery component on each machine stores
information about its web service API and other functions in a local Management Integration
Framework registry. The local registry information is available to all Management Integration
Framework services and each discovery component synchronizes its registry with other discovery
components. Management Integration Framework components can then look up web services from
other Management Integration Framework components. The distributed and replicated registry
approach is supported on IPv4 and IPv6 networks using multicast, broadcast, and range-scanning
techniques, as appropriate.
Although discovery components can belong to only one Management Group at a time, they are
aware of, and communicate with, all discovery components that are visible on the LAN.
A Management Integration Framework discovery component is included in each instance of
Management Integration Framework software.

Discovery configuration settings include:
• Discovery interval
• Discovery URI
• Registry update address
• Non-local registry entry time-out
• Registry table updates



LDAP security domain mapping
LDAP security domains can be mapped to Management Integration Framework roles. See Adding
LDAP security domains to a machine.

Log and audit files


Log file. On a Management Integration Framework server which is running Windows, the
Management Integration Framework log file is located in the folder C:\Program
Files\Hewlett-Packard\XFROOT\log. The file naming format is xf-YYMMDD-number.log,
for example: xf-090824-1.log.
You can control the logging level by using the Management Integration Framework configuration
interface. See logging level.

Example – Log file content


Aug/24/2009 14:46:18.999998, XF, 4984, 3288, 1, main, 57, XFROOT = c:\xf
Aug/24/2009 14:46:19.250934, RestartThread, 4984, 5176, 1, XfRestartThread, 23...
Aug/24/2009 14:46:19.272154, XF, 4984, 5052, 1, XfService, 82, Version 1.0 [Bu...
Aug/24/2009 14:46:19.513826, WebServiceEndpoint[class xfd::RegistryService], 4...
Aug/24/2009 14:46:19.578464, WebServiceEndpoint[class xfd::RegistryService], 4...
Aug/24/2009 14:46:19.605425, WebServiceEndpoint[class xfd::RegistryService], 4...
Aug/24/2009 14:46:19.606039, WebServiceEndpoint[class xfd::RegistryService], 4...
Aug/24/2009 14:46:19.626497, Xfd, 4984, 5052, 1, discoverycomponent, 44, Start...

Audit file. On a Management Integration Framework server which is running Windows, the
Management Integration Framework audit file is located in the folder C:\Program
Files\Hewlett-Packard\XFROOT\log. The file naming format is
xfaudit-YYMMDD-number.log, for example: xfaudit-090824-1.log.

Example – Audit file content


Aug/24/2009 14:46:19.738423, SYSTEM, Security component starting
Aug/24/2009 14:46:20.365803, SYSTEM, XF domain name is PETS_MG, local domain...
Aug/24/2009 14:46:22.449833, SYSTEM, Host 'PETS' initiated an authorization co...
Aug/24/2009 14:46:26.033940, SYSTEM, Host 'PETS' initiated an authorization co...
Aug/24/2009 14:47:53.419685, xftest, Login attempt from client address 99.999...
Aug/24/2009 14:47:53.439929, xftest, Login failed
Aug/24/2009 14:47:53.440490, xftest, Login failed
Aug/24/2009 14:48:01.250345, xftest, Login attempt from client address 99.999....
Aug/24/2009 14:48:01.629247, xftest, Login success
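
The audit file layout shown above (timestamp, user, message) can be scanned for repeated failed logins and for a success that follows them. The Python below is an added example, not part of the HP guide or of Management Integration Framework software; the sample lines are constructed, and the text after "Login attempt from client address", which is truncated on this page, is assumed to be a single address token.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%b/%d/%Y %H:%M:%S.%f"   # e.g. Aug/24/2009 14:47:53.439929
# Assumption: one address token follows this prefix (the page truncates it).
ATTEMPT_RE = re.compile(r"^Login attempt from client address (\S+)")

# Constructed sample in the "timestamp, user, message" layout of the audit file.
SAMPLE_AUDIT = """\
Aug/24/2009 14:46:19.738423, SYSTEM, Security component starting
Aug/24/2009 14:47:53.419685, xftest, Login attempt from client address 192.0.2.10
Aug/24/2009 14:47:53.439929, xftest, Login failed
Aug/24/2009 14:47:53.440490, xftest, Login failed
Aug/24/2009 14:47:58.100000, xftest, Login attempt from client address 192.0.2.10
Aug/24/2009 14:47:58.120000, xftest, Login failed
Aug/24/2009 14:48:01.250345, xftest, Login attempt from client address 192.0.2.10
Aug/24/2009 14:48:01.300000, xftest, Login failed
Aug/24/2009 14:48:20.000000, xftest, Login attempt from client address 192.0.2.10
Aug/24/2009 14:48:20.629247, xftest, Login success
Aug/24/2009 15:10:00.000001, admin2, Login attempt from client address 192.0.2.44
Aug/24/2009 15:10:00.400000, admin2, Login success
this line is damaged and is skipped
"""


def parse_audit(text):
    """Yield (timestamp, user, message) for every well-formed audit line."""
    for raw in text.splitlines():
        parts = raw.split(", ", 2)        # the message itself may contain commas
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0].strip(), TS_FORMAT)
        except ValueError:
            continue                      # truncated or damaged timestamp
        yield ts, parts[1].strip(), parts[2].strip()


def _prune(failures, now, window):
    """Drop failures that are older than the detection window."""
    while failures and now - failures[0] > window:
        failures.popleft()


def _alert(kind, ts, user, client, count):
    return {"kind": kind, "time": ts.isoformat(), "user": user,
            "client": client.get(user, "unknown"), "failures": count}


def find_login_alerts(text, threshold=3, window=timedelta(minutes=5)):
    """Flag users with `threshold` failed attempts inside `window`, and any
    success that arrives while that many failures are still in the window."""
    failures = defaultdict(deque)   # user -> timestamps of failed attempts
    counted = defaultdict(bool)     # user -> current attempt already counted
    client = {}                     # user -> last client address seen
    alerts = []
    for ts, user, msg in parse_audit(text):
        match = ATTEMPT_RE.match(msg)
        if match:
            client[user] = match.group(1)
            counted[user] = False
        elif msg == "Login failed":
            # One attempt can log "Login failed" twice (as in the page's
            # sample), so count at most one failure per attempt.
            if counted[user]:
                continue
            counted[user] = True
            queue = failures[user]
            queue.append(ts)
            _prune(queue, ts, window)
            if len(queue) == threshold:
                alerts.append(_alert("failed-burst", ts, user, client, len(queue)))
        elif msg == "Login success":
            queue = failures[user]
            _prune(queue, ts, window)
            if len(queue) >= threshold:
                alerts.append(_alert("success-after-failures", ts, user,
                                     client, len(queue)))
            queue.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_login_alerts(SAMPLE_AUDIT):
        print(alert)
```

The threshold and window are illustrative defaults; set them to match the login behavior that is normal for the Management Group.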

Login user names and passwords


• Qualified user names. When logging in to a Management Integration Framework interface,
HP recommends that you enter a qualified user name. That is, enter a name that includes a
valid OS security domain, for example user@domain, domain\user and user.
If you enter an unqualified user name (one with no explicit domain), Management Integration
Framework will silently append the local machine name. Because of the distributed nature of
the Management Integration Framework environment, this could lead to authentication issues.
• Leading and trailing spaces. Leading and trailing spaces are trimmed from user names and
passwords that are entered in login screens. This can prevent login.



Management Groups
A Management Group is a set of Management Group machines.
Management Groups allow you to:
• Log in to any member of a Management Group, or to a Management Integration Framework
capable application, using a single credential (single sign-on).
• Specify the machines and OS security domains to be used as authenticators for access.
• Add or remove a machine from membership in a Management Group.
In the following illustration, assume that five machines with Management Integration Framework
software are on a common LAN.

Machines with Management Integration Framework software on a LAN

The HP Management Integration Framework software on SVR01 and SVR07 was automatically
installed as part of the installation of server-based HP P6000 Command View. The HP Management
Integration Framework software on STOR02, and STOR05 (HP P6000 EVA storage systems) was
factory installed. As part of their installation, each machine would be a member of its own
Management Group. Thus, there would initially be four Management Groups, as shown below.

Initial Management Groups

Next, assume that you would like the instances of HP P6000 Command View on SVR01 and SVR07
to participate in a single sign-on. You could make either machine be a member of the other
machine's Management Group, or you could create a new Management Group and make the
two machines members of the new group, as shown below.

Reorganized into fewer Management Groups

Or, assume that you would like all of the machines to participate in single sign-on. You could make
any three of the four machines members of another machine's Management Group, or you could
create a new Management Group and make the four machines members of the new group, as
shown below.

Reorganized into one Management Group

Management Groups are created when:
• A Management Integration Framework capable application is initially installed on a
server, for example, when server-based HP P6000 Command View is installed.
• Certain HP products are manufactured, for example, HP P6000 EVA storage systems
with array-based HP P6000 Command View, or HP P6000 Performance Advisor.
• Management Integration Framework software is installed as a standalone HP storage
application on a server.
• You use the security interface to create a new group. See Creating a Management
Group.
General guidelines
A Management Group must have:

• At least one machine with Management Integration Framework software as a member.
• At least one OS security domain designated as an authenticator.
Best practices
• In Management Groups that include multiple machines, configure more than one machine as
an OS security domain authenticator. This practice prevents losing single sign-on functionality
for the Management Group should an authenticator machine become unavailable.

Management Group machines


The term Management Group machine refers to a device that has discovery and security logical
components. The Single Pane of Glass interface logical component can also be present but is not
required.
Examples of Management Group machines include:
• A server with server-based HP P6000 Command View installed
• HP P6000 EVA storage systems with array-based HP P6000 Command View installed
• A server with HP P6000 Performance Advisor installed
General guidelines
• A machine can be a member of only one Management Group at a time.

Management Group names


Management Group naming guidelines:
• Names must be unique in a given Management Integration Framework environment.
• Names can only include alphabetical and numeric characters, underscores _ and dashes -.
Automated names
Name formats in automatically created Management Groups:

• HP P6000 Command View (server based)
◦ Format: <machine name>_MG
◦ Example: SVR01_MG
◦ Naming event: First Installation
• HP P6000 EVA storage systems with array-based HP P6000 Command View
◦ Format: <machine-name>_<time-stamp>_MG
◦ Example: 7FTBM104139_1254171264_MG
◦ Naming event: Manufacture *

* The time stamp characters ensure uniqueness in Management Group names when array-based
HP P6000 Command View is factory installed.

Management Group security certificates


Each Management Group uses a unique self-signed security certificate to manage login access.
When browsing to a Management Integration Framework interface, if there is no trusted certificate
authority in the Management Integration Framework environment to attest to the certificate, then
connection to Management Group member machines is blocked.



This condition can be resolved by installing the Management Group self-signed certificate in the
browser as a trusted certificate authority. See Management Group security certificate installation.
• When an installed Management Group certificate is valid, the next time the browser connects
to the Management Group member machine, the connections will be automatically
authenticated.
• When an installed Management Group certificate is not valid, then a message will appear
for the user to make a decision. If the user does not additionally accept the invalid certificate,
then the connection will fail.
For a security certificate to be considered valid by a browser, the following conditions must be
met:
• The certificate can be authenticated by a trusted certificate authority.
• The dates on the certificate must be valid.
• The common name, or entry in subject alternative name section on the certificate, must match
the address the browser client is using to connect to the Management Integration Framework
service.
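The three validity conditions above, applied to a Management Group certificate, as an added example that is not HP code. The certificate is a constructed dictionary in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the host names, addresses, dates and fingerprint placeholder are assumptions made up for illustration.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample: fields of a self-signed Management Group certificate
# (issuer equals subject). All values are made up for this example.
CERT = {
    "subject": ((("commonName", "SVR01"),),),
    "issuer": ((("commonName", "SVR01"),),),
    "subjectAltName": (("DNS", "svr01.example.test"), ("IP Address", "192.0.2.10")),
    "notBefore": "Sep 20 00:00:00 2012 GMT",
    "notAfter": "Sep 18 00:00:00 2032 GMT",
}
FINGERPRINT = "constructed-fingerprint-of-SVR01-cert"  # placeholder, not a real hash
NOW = datetime(2013, 1, 1, tzinfo=timezone.utc).timestamp()  # constructed "current" time


def address_matches(cert, address):
    """Condition 3: the address typed in the browser equals the CN or a SAN entry."""
    san = cert.get("subjectAltName", ())
    dns_names = {value.lower() for kind, value in san if kind == "DNS"}
    ip_names = {ipaddress.ip_address(value) for kind, value in san if kind == "IP Address"}
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), "")
    try:
        # An IP literal is compared numerically against the IP SAN entries.
        return ipaddress.ip_address(address) in ip_names or address == cn
    except ValueError:
        # Host names compare case-insensitively; a trailing dot is ignored.
        host = address.lower().rstrip(".")
        return bool(host) and (host in dns_names or host == cn.lower())


def dates_valid(cert, now):
    """Condition 2: `now` (epoch seconds) lies inside notBefore..notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def browser_verdict(cert, fingerprint, address, trusted_fingerprints, now):
    """Return the failed conditions; an empty list means no certificate warning."""
    failures = []
    # Condition 1: a self-signed certificate is trusted only if that exact
    # certificate was installed in the browser as a trusted authority.
    if fingerprint not in trusted_fingerprints:
        failures.append("not authenticated by a trusted authority")
    if not dates_valid(cert, now):
        failures.append("outside validity dates")
    if not address_matches(cert, address):
        failures.append("address does not match CN or SAN")
    return failures


if __name__ == "__main__":
    for addr in ("svr01.example.test", "SVR01", "192.0.2.10", "192.0.2.11"):
        print(addr, browser_verdict(CERT, FINGERPRINT, addr, {FINGERPRINT}, NOW))
    print("not installed:", browser_verdict(CERT, FINGERPRINT, "SVR01", set(), NOW))
```

The example does exact matching only; wildcard names are not handled.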

OS security domains
The term OS security domain refers to a security domain which is managed by a Management
Group member machine's operating system. All OS security domains have an associated type.
For example, in Windows the types are: local and active directory.

OS user groups (security groups)


An OS user group is a collection of user accounts, managed by an OS, that all have the same
access and security privileges.
The HP Management Integration Framework software automatically establishes relationships
between OS user groups and Management Integration Framework roles. LDAP security domains
can also be associated with the roles by using the Manage OS Security Domains wizard in the
Security interface.

Registry (Management Integration Framework specific)


The term registry refers to the distributed registry tables where Management Integration Framework
discovery components store information and where Management Integration Framework capable
applications can advertise their services and find the services that they need. A registry is located
in every discovery component on every Management Integration Framework server.
The distributed Management Integration Framework discovery components cooperate to replicate
their registries and to forward lookup requests, if necessary. There is no central discovery component
or registry.
You can view a registry page in the configuration interface. See registry page quick tour.

Roles (Management Integration Framework specific)
The HP Management Integration Framework software automatically establishes relationships
between Management Integration Framework roles and OS user groups. Typical roles are shown
in the following table.

Role                        Privileges               Typical function

HP Security Administrator   Manage security          Persons responsible for managing security
                                                     for storage applications

Storage Administrators      Create, delete, view     Persons responsible for managing storage
                            storage resources        environments and storage applications

Storage Users               View storage resources   Persons who only view storage resources

For more information regarding roles, see the HP Management Integration Framework Maintenance
and Service Guide.

Security integration
The Management Integration Framework security function includes: authenticating users, establishing
trust between Management Integration Framework components, grouping machines into
Management Groups, handling single sign-on and auditing.
The Management Integration Framework security component creates Management Groups. A
Management Group can be local to the machine that the security component is on, or it can include
other machines. The Management Group concept is very similar to network security domains.
Management Integration Framework security components locate each other using the Management
Integration Framework discovery registry and can replicate certificates to all member machines in
the Management Group. This allows services on one machine to access security credentials for
a service on another machine.
This approach allows Management Integration Framework capable applications to share a common
security model. This is possible even when the applications are on different machines, use different
operating systems, and are written in different programming languages.
A Management Integration Framework security component is included with each instance of
Management Integration Framework software.

Security configuration settings include:


Available OS security domains

Service (Management Integration Framework specific)


The term Management Integration Framework service refers to the Management Integration
Framework process which runs in the background on a Management Integration Framework server.
The Management Integration Framework service must be restarted to apply changes to a
Management Integration Framework configuration.

IMPORTANT: To avoid the possibility of interrupting storage related operations, HP recommends
that you carefully plan and coordinate restarting the Management Integration Framework service.



Single Pane of Glass interface
The Management Integration Framework user interface integration function allows multiple
Management Integration Framework capable user interfaces to be displayed in a single
browser-based interface.
This function is implemented by various components and mechanisms, including: Management
Integration Framework Single Pane of Glass (SPoG) component, Management Integration Framework
tree integrator component, tree source, and tree decorator.
Single Pane of Glass interface. The Single Pane of Glass interface displays Management Integration
Framework capable application interfaces in a browser window. Application pages are displayed
in the Management Integration Framework content pane and a unified tree represents all registered
applications in the Management Integration Framework navigation pane. Before a Management
Integration Framework application can display its content and tree in the SPoG, it is registered by
the discovery component. The Management Integration Framework user interface runs in a browser
and can run on multiple client machines at the same time. See also Single Pane of Glass interface
quick tour.
Tree integrator. After applications are registered, the tree integrator aggregates the trees and
makes the unified tree available for the SPoG server to display in the navigation pane.
Tree Source. The tree source mechanism manages the list of trees to be displayed by responding
to queries from the tree integrator and notifying the integrator of changes to each tree.
Tree Decorator. The tree decorator mechanism allows additional URLs from other applications to
be added to a tree node. For example, the tree decorator supplies the aspect tabs.

Tree integration configuration settings include:


• Decorator age time-out
• Local only
• SPoG session time-out
• Tree aggregation
• Tree age time-out
• Tree Discovery Interval

Single sign-on features (Management Integration Framework specific)


The Management Integration Framework provides single sign-on features.
Automatic single sign-on from HP P6000 Command View. The Security interface and the
Configuration interface can be accessed from the Management Options page in HP P6000
Command View. An automatic single sign-on feature uses the HP P6000 Command View login
credentials to bypass the Management Integration Framework interface login screens. This automatic
single sign-on feature is always enabled.
Management Group single sign-on. A single sign-on feature is also available for accessing any
Management Integration Framework interface in a Management Group. This feature uses the login
credentials for a Windows session. By default, this feature is disabled. Security administrators can
use the Security interface to enable the feature.
Related single sign-on. HP P6000 Command View also provides a single sign-on feature for
accessing other applications, such as HP Systems Insight Manager and HP P6000 Replication
Solutions Manager. For more information, see the HP P6000 Command View User Guide or online
help.

Web services (Management Integration Framework specific)


The term web service refers to a web-based API that can be accessed over a network. Management
Integration Framework components use web services to advertise their operations and register their
web service APIs with Management Integration Framework discovery components.



9 Support and other resources
Release history
HP Management Integration Framework software releases:

Release       Version   New features

2012 (Oct)    1.6       See What's new

2012 (May)    1.5       Software support. Support is added for:
                        • HP P6000 Command View 10.1
                        • HP P6000 Performance Advisor 10.1
                        • HP P6000 Control Panel 2.6
                        Other
                        • Browser support. Mozilla Firefox 3.5 is no longer supported.

2011 (Oct)    1.4       Configuration interface changes
                        • Tree integrator settings. Tree Integrator settings are added. The settings are used with resource navigation trees that are displayed in the Single Pane of Glass interface.
                        Security interface changes
                        • Single Sign-On. New automatic and administrator controlled single sign-on are added.
                        • Manage OS security groups wizard. New wizard allows you to add LDAP security domains to a machine and map LDAP security domains to Management Integration Framework roles.
                        Single Pane of Glass interface
                        • HP P6000 Command View. The Single Pane of Glass interface is included with HP P6000 Command View.
                        Other
                        • Browser support. Support is added for Microsoft Internet Explorer 9.0 and Mozilla Firefox 4.0.

2011 (Mar)    1.3       Configuration interface changes
                        • New ports. The following are new ports: secured web service port, and unsecured web service port. These new ports can be configured using the configuration interface.
                        • Deleted ports. The following ports have been deleted: General – configurator port; Discovery – management port and registry port; Security – local service port, login service port, Management Group communicator service port, and Management Group management service port; Tree integrator – SPoG port, tree decorator port, and tree integrator port.
                        • Tree integrator settings. The Tree Integrator settings have been removed.
                        Security interface changes
                        • Import Machines wizard. New. Import one or more machines from one or more Management Groups into a Management Group. See Import Machines wizard quick tour.
                        • Move Machine wizard. Enhancement. The final page of the wizard now includes a progress bar.

2010 (Aug)    1.2       • Software name. Renamed to HP Management Integration Framework software.

2010 (Feb)    1.0       Initial release

Contacting HP
HP technical support
For worldwide technical support information, see the HP support website:
http://www.hp.com/support

Before contacting HP, collect the following information:


• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts

After registering, you will receive e-mail notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Documentation feedback
HP welcomes your feedback. To make comments and suggestions about product documentation
you can:
• Send an e-mail to storagedocsFeedback@hp.com.
All submissions become the property of HP.

Related information
To find related documents, browse to the Manuals page of the HP Business Support Center web
site:
http://www.hp.com/support/manuals
For most related documentation, navigate to the Storage section, select a storage category (Storage
Software > Storage Device Management Software) and product.
Documents
• HP Management Integration Framework Administration Guide
• HP Management Integration Framework Maintenance & Service Guide
• HP P6000 Command View Release Notes
• HP P6000 Command View Installation Guide
• HP P6000 Command View User Guide
• HP P6000 Enterprise Virtual Array Compatibility Reference

Websites
• HP.com
http://www.hp.com
• HP storage
http://www.hp.com/go/storage
• HP manuals
http://www.hp.com/support/manuals
• HP download drivers and software
http://www.hp.com/support/downloads
• HP software depot
http://www.software.hp.com



A HP MIF security environment overview
This information is intended for customers who want to understand the level of protection that HP
MIF security provides.
See also the HP Management Integration Framework Maintenance & Service Guide. The guide
includes information on using HP MIF command line utilities.

HP MIF privilege mechanisms


• Users of a group have access to the SPoG interface if the group has the View HP Storage
privilege. See SPoG quick tour and SPoG interface.
• Users of a group have access to HP MIF Security and Configuration interfaces if the group
has the Manage HP Security privilege. Users do not need to be in the Administrators group
to have this privilege. See HP MIF Interface quick tours.
• If a domain user is part of the HP Security Admins group in the domain controller, and the
corresponding privilege mapping exists in HP MIF, the domain user is allowed access to the
HP MIF Security and Configuration interfaces on the local machine.

HP MIF security environment assumptions


• For installing HP MIF, it is assumed that the user account has sufficient privileges to create
environment variables and files in the file system where the HP MIF XF and XFROOT directories
reside. The local user or domain user needs to be a member of the local administrators group
in a machine to be able to perform installation of HP MIF.
• The HP MIF service listens on port 2374 for SPoG access. The HP MIF registry service listens
on port 9000. These port numbers should not be blocked by other network security applications,
firewall settings, or antivirus software.
• By default, HP MIF internally uses randomly available free ports that are reported by the
machine's operating system. Thus, free port numbers should not be blocked by other network
security applications, firewall settings, or antivirus software. For information on specifying
custom port numbers, refer to “Secured web service port” (page 27).
• HP MIF does not protect data at rest from users that have physical access to a machine. For
example, users can delete the HP MIF XFROOT directory, which will reset a user-customized
MIF configuration to the default settings.
• HP MIF-aware applications, like HP P6000 Command View, that reside on the same machine
as HP MIF can establish trust relationships with HP MIF.
• HP MIF Management Group security certificates do not expire until the Management Group
name changes as part of certain Management Group operations, such as using the Import
Machines wizard and Move Machine wizard. See Management Group certificates and
Management Groups.
• HP MIF uses self-signed security certificates. There is no option to use a certificate authority.

HTTP protocol
HP MIF uses HTTP protocol for:
• Establishing links between navigation tree objects
• Associating tabs in the content pane for an object
• Aggregating navigation tree information across a Management Group
• Helping populate the SPoG
• Use by tools for HP MIF installation
• Navigation tree related information (with HP MIF-aware applications)



HTTPS protocol
HP MIF uses HTTPS protocol for:
• Security related services, like having privilege mapping based on a file
• LDAP communication
• Security component services, like login
• Management Group related operations, like join and privilege mapping operations
• HP MIF configuration changes
• Security services, like refresh of tokens
• Webserver to serve HP MIF related pages

Ciphers used internally


• HP MIF uses the XXTea encryption algorithm.



Glossary
CIDR Classless Inter-domain Routing.
DNS Domain Name System.
IANA Internet Assigned Numbers Authority.
MIF Management Integration Framework. HP software that provides storage-related security features
and user interface capabilities for HP applications.
SPoG Single Pane of Glass. The HP Management Integration Framework software component that
displays one or more HP storage applications in a graphical interface.
UDP User Datagram Protocol.
URI Universal Resource Identifier. Identifies a resource on the Internet.
Example: hp.com
URL Universal Resource Locator. Identifies where a resource is available on the Internet and the
mechanism for retrieving it.
Example: http://hp.com
