Sunday, December 25, 2016

Ontap 9 Snaplock Configuration


NetApp SnapLock Configuration


Introduction:

SnapLock is an alternative to the traditional optical "write once, read many" (WORM) data. SnapLock is used for the storage of read-only WORM data.
SnapLock is a license-based, disk-based, open-protocol feature that works with application software to administer non-rewritable storage of data. The primary objective of this Data ONTAP feature is to provide storage-enforced WORM and retention functionality by using open file protocols such as CIFS and NFS. SnapLock can be deployed for protecting data in strict regulatory environments in such a way that even the storage administrator is considered an untrusted party.
SnapLock provides special purpose volumes in which files can be stored and committed to a non-erasable, non-rewritable state either forever or for a designated retention period. SnapLock allows this retention to be performed at the granularity of individual files through standard open file protocols such as CIFS and NFS.



NetApp SnapLock compliance software helps you meet strict data retention regulations and internal IT governance rules.

SnapLock is available in tow version: SnapLock compliance for strict regulatory environment, and SnapLock Enterprise, for more flexible environments.

SnapLock can integrates with the snap Mirror and snap vault, and snap mirror allows the SnapLock volumes to be replicated to another storage system and Lock vault backs up SnapLock volumes to a secondary storage system to ensure that if the original data is destroyed than the data can be restored or accessed from another location.

Once the data is created in the SnapLock volume they comes under the retention period and these files get treated as WORM, so that nobody can delete or modify the data until and unless it reach to its retention period, the SnapLock volumes cannot be deleted by the user, administrator nor by the application, the retention date on a WORM file is set when the file is committed to WORM state, but it can be extended at any time. The retention period can never be shortened for any WORM file.

SnapLock Compliance 

SnapLock Compliance is used in strictly regulated environment, where data is retained for longer period of time and these data are accessed frequently only for readable purpose.

SnapLock Compliance even does not allow the storage administrator’s to perform any operations that might modify the file, it uses the feature called “ComplianceClock” to enforce the retention periods. SnapLock Compliance requires the SnapLock license to enable the SnapLock features and to restrict the administration access to the file.

SnapLock Enterprise 

SnapLock Enterprise allows the administrator to destroy the SnapLock volume before all the file on the volume reach their expiration date. However no one else can delete or modify the files.

It requires the SnapLock _enterprise license



Configuration Steps:

1. Check the licenses or else add the snaplock licenses.





 2. Check and initialize the snaplock time.

Manages ComplianceClock of nodes
The snaplock compliance-clock manages the ComplianceClock of the system. ComplianceClock determines the expiry time of the SnapLock objects in the system. ComplianceClock can be initialized only once by the user and once it is set, it cannot be changed or altered by the user. There are two types of ComplianceClocks in the system:
  • System ComplianceClock
  • Volume ComplianceClock
System ComplianceClock (SCC) is maintained per node. SCC is used to update the Volume ComplianceClock and to provide a base value for Volume ComplianceClock for new SnapLock volumes. The SCC is initialized once by the user and takes the initial base value from the system clock. snaplock compliance-clock show can be used to check the value of the System ComplianceClock.
Volume ComplianceClock (VCC) is maintained per volume and is used as the time reference to calculate the expiry time of SnapLock objects in the SnapLock volume, such as files and the expiry date of the volume. volume snaplock show can be used to check the value of the Volume ComplianceClock.




3. Initialize the snaplock time stamp to the node.


4. Now create an aggregate with snaplock type is Enterprise or Compliance.




5. Now create a volume using an aggregate.



6. Modify the retention period as per your requirement either using CLI or GUI.




Friday, December 23, 2016

ONTAP 9 Domain Tunnel Configuration



Enabling Active Directory domain users to access the cluster


To enable Active Directory domain users to access the cluster, you must set up an authentication tunnel through a CIFS-enabled Vserver. You must also create cluster user accounts for the domain users. This functionality requires that CIFS is licensed on the cluster.

1. CIFS license is required.
2. Configure the cifs server for an existing vserver.


1. First create a security domain tunnel.



2. Create a cluster user, to access via ssh, http and ontapi.



3. Login with the new user, now authentication is done by the domain server.



4. Now create a role, to access the vserver vs1 only the paritcular volume called vol1.



5. Create a new user with using this role.



6. Login with the new user and now you see, you can access only volume command directory.





7. If you try with access the vol2 then it through an error.




8. If you login as a admin role user, you can access all the command directory.