Hitachi Content Platform S Series Node HCP S Series Node API Reference MK-HCPS004-03 19 August 2016


  • © 2015, 2016 Hitachi Data Systems Corporation. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in a database or retrieval system for commercial purposes without the express written permission of Hitachi, Ltd., or Hitachi Data Systems Corporation (collectively, “Hitachi”). Licensee may make copies of the Materials provided that any such copy is: (i) created as an essential step in utilization of the Software as licensed and is used in no other manner; or (ii) used for archival purposes. Licensee may not make any other copies of the Materials. "Materials" mean text, data, photographs, graphics, audio, video and documents.

    Hitachi reserves the right to make changes to this Material at any time without notice and assumes no responsibility for its use. The Materials contain the most current information available at the time of publication.

    Some of the features described in the Materials might not be currently available. Refer to the most recent product announcement for information about feature and product availability, or contact Hitachi Data Systems Corporation at https://support.hds.com/en_us/contact-us.html.

    Notice: Hitachi products and services can be ordered only under the terms and conditions of the applicable Hitachi agreements. The use of Hitachi products is governed by the terms of your agreements with Hitachi Data Systems Corporation.

    By using this software, you agree that you are responsible for:

    1) Acquiring the relevant consents as may be required under local privacy laws or otherwise from authorized employees and other individuals to access relevant data; and

    2) Verifying that data continues to be held, retrieved, deleted, or otherwise processed in accordance with relevant laws.

    Notice on Export Controls. The technical data and technology inherent in this Document may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Reader agrees to comply strictly with all such regulations and acknowledges that Reader has the responsibility to obtain licenses to export, re-export, or import the Document and any Compliant Products.

    Hitachi is a registered trademark of Hitachi, Ltd., in the United States and other countries.

    AIX, AS/400e, DB2, Domino, DS6000, DS8000, Enterprise Storage Server, eServer, FICON, FlashCopy, IBM, Lotus, MVS, OS/390, PowerPC, RS6000, S/390, System z9, System z10, Tivoli, z/OS, z9, z10, z13, z/VM, and z/VSE are registered trademarks or trademarks of International Business Machines Corporation.

    Active Directory, ActiveX, Bing, Excel, Hyper-V, Internet Explorer, the Internet Explorer logo, Microsoft, the Microsoft Corporate Logo, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight, SmartScreen, SQL Server, Visual Basic, Visual C++, Visual Studio, Windows, the Windows logo, Windows Azure, Windows PowerShell, Windows Server, the Windows start button, and Windows Vista are registered trademarks or trademarks of Microsoft Corporation. Microsoft product screen shots are reprinted with permission from Microsoft Corporation.

    All other trademarks, service marks, and company names in this document or web site are properties of their respective owners.

    EXPORT CONTROLS - Licensee will comply fully with all applicable export laws and regulations of the United States and other countries, and Licensee shall not export, or allow the export or re-export of, the Software, API, or Materials in violation of any such laws or regulations. By downloading or using the Software, API, or Materials, Licensee agrees to the foregoing and represents and warrants that Licensee is not located in, under the control of, or a national or resident of any embargoed or restricted country.


  • Contents

    Preface
      Intended audience
      Product version
      Release notes
      Syntax notation
      Terminology
      Related document
      Accessing product documentation
      Getting help
      Comments

    Chapter 1: Introduction to HCP S Series Nodes
      About HCP S Series Nodes
      HCP S10 Node hardware components
      HCP S30 Node hardware components
      User accounts
        Usernames
        Passwords
        User roles
        Considerations for working with user accounts
      Objects
      Buckets
        Bucket names
        Bucket owners
        Considerations for working with buckets
      HCP S Series Node networks
        Access network
        Management network

        Server interconnect network
        BMC interconnect network (S30 Nodes only)
        Service network (S30 Nodes only)
        Considerations for working with S Series Node networks
      HCP S Series Node identification
      HCP S Series Node licenses
      HCP S Series Node access
        HCP S Series Management Console configuration
        HCP S Series management API configuration
        HCP S Series data access protocol configuration
        Allow and deny lists
        SSL server certificates
      HCP S Series Node security
      DNS servers and time servers
      HCP S Series Node event log
      HCP S Series Node alerts
      Syslog logging
      HCP S Series Node internal logs
      HCP S Series software, OS, and license maintenance
        HCP S Series Node update files
        Considerations for software and license updates
      HCP S Series Node hardware maintenance
        Adding, removing, and replacing data and database drives
        Adding, removing, and replacing enclosures

    Chapter 2: Introduction to the HCP S Series management API
      What you can do with the management API
      Who can use the management API
      Resources and properties
      Supported methods for the management API
      Management API input and output format
      Management API query parameters
      prettyprint query parameter
      Management API error response body
      X-HCPS-API-VERSION request and response headers
      HTTP Server response header
      X-HCPS-Domain-Name response header
      X-HCPS-Server-Module-Number response header
      X-HCPS-ErrorMessage response header

    Chapter 3: Management API access and authentication
      URLs for S Series Node access through the management API
      Considerations for resource URLs
      Management API authentication

    Chapter 4: Management API resources
      Alerts resource
      Beaconing resources
      Bucket resources
      Certificate resources
      Console resource
      DNS resource
      Events resource
      Hardware resource
      Identification resource
      Irreparables resources
      License resource
      Log resources
      Maintenance resources
      Management API resource
      Metrics resources
      Miscellaneous settings resource
      Network resources
      Power resources
      Protocol resources
      Security resource
      Status resources
      Syslog resources
      Time resource
      Update resources
      User account resources
      Versions resource
      Managing resource lists
        Management API count query parameter
        Management API marker query parameter
        Management API prefix query parameter
        Management API owner query parameter

    Chapter 5: Management API resource details
      Resource property usage
      /alerts
        /alerts properties
        /alerts query parameters
        /alert example
      /buckets
        /buckets properties
        /buckets example
      /buckets/bucket-name
        /buckets/bucket-name properties
        /buckets/bucket-name example
      /buckets/bucket-name/irreparables
        /buckets/bucket-name/irreparables properties
        /buckets/bucket-name/irreparables examples
      /configuration/certificates/system
        /configuration/certificates/system properties
        /configuration/certificates/system example
      /configuration/certificates/system/generate
        /configuration/certificates/system/generate properties
        /configuration/certificates/system/generate example
      /configuration/console
        /configuration/console properties
        /configuration/console example
      /configuration/dns
        /configuration/dns properties
        /configuration/dns example
      /configuration/ident
        /configuration/ident properties
        /configuration/ident example
      /configuration/mapi
        /configuration/mapi properties
        /configuration/mapi example
      /configuration/networks/builtin
        /configuration/networks/builtin property
        /configuration/networks/builtin example
      /configuration/networks/builtin/network-name
        /configuration/networks/builtin/network-name properties
        /configuration/networks/builtin/network-name example

      /configuration/protocols
        /configuration/protocols property
        /configuration/protocols example
      /configuration/protocols/hs3
        /configuration/protocols/hs3 properties
        /configuration/protocols/hs3 example
      /configuration/security
        /configuration/security properties
        /configuration/security example
      /configuration/syslog
        /configuration/syslog properties
        /configuration/syslog example
      /configuration/syslog/test
      /configuration/time
        /configuration/time properties
        /configuration/time example
      /events
        /events properties
        /events query parameters
          maxEvents query parameter
          eventsAfter and eventsBefore query parameters
          severity query parameter
          major query parameter
          scopes, scopeRefs, and scopeSubRefs query parameters
        /events example
      /hardware
        /hardware properties
          Hardware: enclosure high-level properties
          Hardware: enclosure alarm properties
          Hardware: enclosure current properties
          Hardware: enclosure detail properties
          Hardware: enclosure service properties
          Hardware: enclosure fan properties
          Hardware: enclosure power supply properties
          Hardware: enclosure SAS connector properties
          Hardware: enclosure SAS expander properties
          Hardware: enclosure slot properties
          Hardware: data and database drive properties
          Hardware: enclosure temperature properties

          Hardware: enclosure voltage properties
          Hardware: server module properties
          Hardware: server module core hardware properties
          Hardware: server module disk properties
          Hardware: server module file system properties
          Hardware: server module IPMI properties
          Hardware: server module IPMI sensor properties
          Hardware: server module mirror state property
          Hardware: server module mirror set properties
          Hardware: server module network interface properties
          Hardware: server module bonded network interface properties
          Hardware: server module Ethernet interface properties
          Hardware: server module peer state property
          Hardware: server module peer properties
        /hardware example
      /hardware/beacon/enclosure/enclosure-number
        /hardware/beacon/enclosure/enclosure-number query parameters
        /hardware/beacon/enclosure/enclosure-number example
      /hardware/beacon/enclosure/enclosure-number/iom/io-module-id
        /hardware/enclosure/enclosure-number/iom/io-module-id query parameters
        /hardware/beacon/enclosure/enclosure-number/iom/io-module-id example
      /hardware/beacon/enclosure/enclosure-number/power_supply/power-and-cooling-module-id
        /hardware/beacon/enclosure/enclosure-number/power_supply/power-and-cooling-module-id query parameters
        /hardware/beacon/enclosure/enclosure-number/power_supply/power-and-cooling-module-id example
      /hardware/beacon/server_module/server-module-number
        /hardware/beacon/server_module/server-module-number query parameters
        /hardware/beacon/server_module/server-module-number example
      /hardware/maintenance
        /hardware/maintenance request body property
        /hardware/maintenance response body properties
        /hardware/maintenance example
      /hardware/maintenance/active
        /hardware/maintenance/active property
        /hardware/maintenance/active example

      /hardware/maintenance/history
        /hardware/maintenance/history properties
        /hardware/maintenance/history example
      /hardware/maintenance/procedure-id
        /hardware/maintenance/procedure-id properties
        /hardware/maintenance/procedure-id example
      /hardware/maintenance/procedure-id/cancel
        /hardware/maintenance/procedure-id/cancel properties
        /hardware/maintenance/procedure-id/cancel example
      /hardware/maintenance/procedure-id/candidates
        /hardware/maintenance/procedure-id/candidates property
        /hardware/maintenance/procedure-id/candidates example
      /hardware/maintenance/procedure-id/complete
        /hardware/maintenance/procedure-id/complete properties
        /hardware/maintenance/procedure-id/complete example
      /hardware/maintenance/procedure-id/confirm
        /hardware/maintenance/procedure-id/confirm request body properties
        /hardware/maintenance/procedure-id/confirm response body properties
        /hardware/maintenance/procedure-id/confirm example
      /hardware/maintenance/procedure-id/perform
        /hardware/maintenance/procedure-id/perform properties
        /hardware/maintenance/procedure-id/perform example
      /hardware/maintenance/procedure-id/select
        /hardware/maintenance/procedure-id/select request body properties
        /hardware/maintenance/procedure-id/select response body properties
        /hardware/maintenance/procedure-id/select example
      /hardware/maintenance/procedure-id/update
        /hardware/maintenance/procedure-id/update request body property
        /hardware/maintenance/procedure-id/update response body properties
        /hardware/maintenance/procedure-id/update example
      /hardware/maintenance/procedure-id/verify
        /hardware/maintenance/procedure-id/verify properties
        /hardware/maintenance/procedure-id/verify example
      /hardware/power/node
        /hardware/power/node query parameters
        /hardware/power/node example
      /hardware/power/server-module-number
        /hardware/power/server-module-number query parameters
        /hardware/power/server-module-number example

      /metrics/buckets
        /metrics/buckets properties
        /metrics/buckets example
      /metrics/gateways
        /metrics/gateways properties
        /metrics/gateways example
      /metrics/protection
        /metrics/protection property
        /metrics/protection example
      /metrics/system
        /metrics/system properties
        /metrics/system example
      /system/database/update
        /system/database/update property
        /system/database/update example
      /system/irreparables
        /system/irreparables properties
        /system/irreparables examples
      /system/license
        /system/license properties
        /system/license example
      /system/logs/cancel
      /system/logs/download
      /system/logs/mark
        /system/logs/mark query parameter
        /system/logs/mark example
      /system/logs/prepare
        /system/logs/prepare query parameters
        /system/logs/prepare example
      /system/logs/status
        /system/logs/status properties
        /system/logs/status example
      /system/misc/settings/network/management/monitor
        /system/misc/settings/network/management/monitor property
        /system/misc/settings/network/management/monitor query parameter
        /system/misc/settings/network/management/monitor examples
      /system/status/full
        /system/status/full properties
        /system/status/full example

      /system/status/health
        /system/status/health properties
        /system/status/health example
      /system/update/apply
      /system/update/history
        /system/update/history properties
        /system/update/history example
      /system/update/manifest
        /system/update/manifest properties
        /system/update/manifest example
      /system/update/progress
        /system/update/progress properties
        /system/update/progress example
      /system/update/restart
      /system/update/status
        /system/update/status property
        /system/update/status example
      /system/update/upload/license
        /system/update/upload/license properties
        /system/update/upload/license example
      /system/update/upload/software
        /system/update/upload/software properties
        /system/update/upload/software example
      /user_accounts
        /user_accounts properties
        /user_accounts examples
      /user_accounts/username
        /user_accounts/username properties
        /user_accounts/username example
      /user_accounts/username/access_key/generate
        /user_accounts/username/access_key/generate properties
        /user_accounts/username/access_key/generate example
      /versions
        /versions GET properties
        /versions POST query parameter and properties
        /versions examples

    Chapter 6: Management API procedures
      Downloading the internal logs

      Performing a hardware maintenance procedure
        Replacing a data or database drive
        Maintenance procedure properties
        Maintenance procedure: target component list property
        Maintenance procedure: target component properties
        Maintenance procedure: enclosure or slot properties
        Maintenance procedure: data or database drive properties
      Performing an update

    Chapter 7: Management API HTTP status codes

    Glossary

    Index

  • Preface

    This book contains all the information you need to use the HCP S Series management API. This RESTful HTTP API enables you to programmatically configure, monitor, and manage a Hitachi Content Platform (HCP) S Series Node. This book explains how to use the management API to access an S Series Node and retrieve information about and manipulate S Series Node resources. The book also includes an introduction to the S Series Node concepts that underlie the management API resources.

    Intended audience

    This book is intended for people who want to configure, monitor, and manage an S Series Node programmatically. This audience includes:

    • S Series Node administrators and monitors

    • Authorized S Series Node service providers

    This book assumes that you are familiar with the HTTP protocol.

    Product version

    This book applies to release 2.1 of the HCP S Series Node.

    Release notes

    Read the release notes before installing and using this product. They may contain requirements or restrictions that are not fully described in this document or updates or corrections to this document. Release notes are in the HCP S Series Node Help available on Hitachi Data Systems Support Connect: https://knowledge.hds.com/Documents

  • Syntax notation

    The table below describes the conventions used for the syntax of URLs in this book.

    Notation    Meaning
    boldface    Type exactly as it appears in the syntax (if the context is case insensitive, you can vary the case of the letters you type)
    italics     Replace with a value of the indicated type

    Example:

    This book shows: https://mapi.node-domain-name:9090/resource-identifier

    You enter: http://admin.hcp-ma.example.com:9090/user_accounts

    Terminology

    Throughout this book, the word Unix is used to represent all UNIX®-like operating systems (such as UNIX itself or Linux®), except where Linux is specifically required.

    Related document

    HCP S Series Node Help — This Help system contains information about configuring, managing, and maintaining an HCP S Series Node. The Help includes both information you need to effectively use the HCP S Series Management Console and instructions for physical S Series Node maintenance tasks that you manage from the Management Console. The Help also contains a complete reference for using the HCP S Series management API. Additionally, the Help includes release notes for the current release of the product and copyright and license information for third-party software distributed with or embedded in an S Series Node.

    Accessing product documentation

    Product documentation is available on Hitachi Data Systems Support Connect: https://knowledge.hds.com/Documents. Check this site for the most current documentation, including important updates that may have been made after the release of the product.

  • Getting help

    Hitachi Data Systems Support Portal is the destination for technical support of products and solutions sold by Hitachi Data Systems. To contact technical support, log on to Hitachi Data Systems Support Connect for contact information: https://support.hds.com/en_us/contact-us.html.

    Hitachi Data Systems Community is a global online community for HDS customers, partners, independent software vendors, employees, and prospects. It is the destination to get answers, discover insights, and make connections. Join the conversation today! Go to community.hds.com, register, and complete your profile.

    Note: If you purchased your HCP S Series Node from a third party, please contact your authorized service provider.


  • Introduction to HCP S Series Nodes

    The Hitachi Content Platform (HCP) S Series Node is one of the storage products offered by Hitachi Data Systems®. This chapter describes the S Series Node concepts you need to understand in order to successfully use the HCP S Series management API. The chapter includes information about both hardware and software.

  • About HCP S Series Nodes

    An HCP S Series Node is a highly efficient, highly available, cost-effective storage device that supports very large amounts of data. The S10 model of the S Series Node consists of two cooperating server modules and multiple high-density disks in a single enclosure. The S30 model consists of two cooperating server modules that are standalone servers and up to 60 disks in each of three through 16 enclosures. With both models, the use of commodity hardware ensures that the costs of growth and repair remain low.

    During normal operation, the two server modules actively share responsibility for all S Series Node functions. Because the server modules are equals, if one becomes unavailable, the other can still provide full S Series Node functionality.

    The S Series Node data storage implementation ensures that data is well-protected. Additionally, S Series Nodes use several internal processes to continuously check the integrity of the stored data and the storage media.

    S Series Nodes can provide direct-write storage for HCP systems or serve as storage tiering platforms for such systems. HCP systems use the S Series Node HS3 API, which is compatible with Amazon® S3™, to write, retrieve, and otherwise manage objects in an S Series Node. A single HCP system can seamlessly store data across multiple S Series Nodes, thereby enabling scalability in both capacity and performance.

    For administrative purposes, S Series Nodes provide a web-based Management Console and a RESTful management API. Using these interfaces, S Series Node administrators and service providers can configure, manage, and monitor an S Series Node. These interfaces can also be used to initiate and verify S Series Node hardware procedures, such as adding and replacing disks.

    HCP S10 Node hardware components

    The main components of an S10 Node are:

    • The enclosure that's the container for the other components

    • Two power and cooling modules that provide power and cooling for the enclosure and its components

    • Two server modules that run the HCP S Series software that manages the S10 Node, provides data access, and ensures data protection

    • Twenty-eight or 56 SATA hard disk drives that are used to store the data written to the S10 Node

    • Four SAS hard disk drives on which the S10 Node stores the internal database that holds information such as user account and bucket definitions and various configuration settings

    All these components are replaceable. The procedures for replacing the enclosure and for adding, removing, or replacing hard disk drives must be started and finished either in the HCP S Series Management Console or by using the management API.

    HCP S30 Node hardware components

    The main components of an S30 Node are:

    • Three through 16 enclosures that are containers for the drives that store data written to the S30 Node and the drives that store the S30 Node internal database.

    • Two power and cooling modules in each enclosure that provide power and cooling for the enclosure and its components.

    • Two I/O modules in each enclosure that have the SAS ports used to connect the enclosure to the server modules and/or to other enclosures.

    • SATA hard disk drives that are used to store the data written to the S30 Node. Each of the first three enclosures can have either 30 or 58 of these drives. Enclosures beyond the first three can have either 32 or 60 of these drives.

    • Two SSDs in each of the first three enclosures. The S30 Node uses these SSDs to store the internal database that holds information such as user account and bucket definitions and various configuration settings.

    • Two server modules that run the HCP S Series software that manages the S30 Node, provides data access, and ensures data protection.

    All these components are replaceable. The procedures for adding, removing, or replacing the enclosures and hard disk drives must be started and finished either from the HCP S Series Management Console or by using the management API.

    User accounts

    To access an S Series Node, you need an S Series Node user account. A user account is a set of credentials that gives a user permission to use one or more of these interfaces:

    • The HCP S Series Management Console

    • The HCP S Series management API

    • The HCP S Series HS3 API

    User account credentials consist of a username and password. You can use the HCP S Series Management Console or management API to change the password for your own user account at any time. An S Series Node user with the security role can change the password for any user account at any time.

    Important: Passwords for S Series Node user accounts created by HCP systems are generated automatically and are not known to administrators of those systems. If you change the password for such a user account, the applicable system will no longer be able to manage or report on its usage of the S Series Node storage.

    For you to use the HCP S Series HS3 API, your user account must have the data role and additional credentials that consist of an access key and secret key. You can use the HCP S Series Management Console or management API to generate these credentials. Only you can generate the HS3 credentials for your user account.

    Note: In release 2.1 of the S Series Node, only an HCP system can be a direct user of the HCP S Series HS3 API.

    Normally, user account passwords expire after a configurable amount of time. However, security administrators can configure individual user accounts such that the password never expires automatically.

    Security administrators can also modify individual user accounts such that the password expires immediately. A password that is set to expire immediately expires regardless of whether it's subject to automatic expiration.

    If your user account password expires, you can use an interface that requires password access only to change that password. An expired password does not prevent the user account from being used for data access.

    Access keys and secret keys do not expire. However, if you lose these keys, you can generate new ones. As soon as you generate new keys, the old keys stop working.

    In addition to a username and password, user accounts have these properties:

    • A full name. The full name can be used to identify the user for whom the account was created. This name must be from one through 256 characters long and can contain any valid UTF-8 characters, including white space.

    • A description (optional). The description can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

    • Roles that determine which interfaces the user can use with the account and what the user can do with those interfaces.

    • Whether the account password must be changed before the account can be used for any purpose other than to change the password (that is, whether the password is expired).

    • Whether the password for the user account ever expires automatically based on the S Series Node security setting for password expiration.

    • Whether the account is enabled or disabled. While a user account is disabled, it cannot be used for any purpose. You might choose to disable an account, for example, while the user for whom you created it is on vacation.

    An S Series Node can have at most 10,000 user accounts.


  • Usernames

    When you create an S Series Node user account, you specify a username for it. The username uniquely identifies that account on the S Series Node.

    Usernames:

    • Must be three through 128 characters long

    • Can contain only valid UTF-8 characters

    • Cannot contain uppercase letters

    • Cannot contain an opening angle bracket (<)

    • Cannot start with an opening square bracket ([) or closing square bracket (])

    • Cannot contain white space

    • Must be unique for the current S Series Node

    Additionally, the following strings are reserved and cannot be used as usernames:

    • allusers

    • authenticatedusers

    • internal

    • logdelivery

    • http://acs.amazonaws.com/groups/global/allusers

    • http://acs.amazonaws.com/groups/global/authenticatedusers

    • http://acs.amazonaws.com/groups/s3/logdelivery

    You can reuse usernames that are not currently in use. So, for example, if you delete the account for a user, you can create a new account for that user with the same username as the deleted account had.

    Passwords

    When you create an S Series Node user account, you specify a password for it. Users can change their account passwords at any time.

    Passwords:

    • Can be up to 256 characters long

    • Must be at least as long as the configured minimum password length, which cannot be less than eight

    • Can contain any valid UTF-8 characters

    • Can include white space

    • Are case sensitive

    • Must include at least one character from each of these character sets:

    ¡ Lowercase letters

    ¡ Uppercase letters

    ¡ Numbers

    ¡ These special characters: ~`!@#$%^&*()_-+={[}]|:;"'.?/\

    When changing the password for your own user account, you cannot reuse your current password.

    As a security administrator, when you modify a user account, you can reuse the current password.
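
    The username and password rules above as a client-side pre-flight check, run before an account is submitted to the node. This is an added example, not Hitachi code: the function names are hypothetical, lengths are counted in code points, and only ASCII letters and digits count toward the password character sets, which is the stricter reading of what the rules leave open.

```python
import string

RESERVED_USERNAMES = frozenset({
    "allusers",
    "authenticatedusers",
    "internal",
    "logdelivery",
    "http://acs.amazonaws.com/groups/global/allusers",
    "http://acs.amazonaws.com/groups/global/authenticatedusers",
    "http://acs.amazonaws.com/groups/s3/logdelivery",
})

# The four required character sets. The special characters are copied from the
# password rules; restricting letters and digits to ASCII is an assumption.
PASSWORD_SETS = {
    "lowercase letter": frozenset(string.ascii_lowercase),
    "uppercase letter": frozenset(string.ascii_uppercase),
    "number": frozenset(string.digits),
    "special character": frozenset("~`!@#$%^&*()_-+={[}]|:;\"'.?/\\"),
}


def _is_valid_utf8(text):
    """A Python str can hold lone surrogates, which cannot be encoded as UTF-8."""
    try:
        text.encode("utf-8")
        return True
    except UnicodeEncodeError:
        return False


def username_problems(name, existing=()):
    """Return the username rules that `name` breaks (empty list = acceptable)."""
    problems = []
    if not _is_valid_utf8(name):
        problems.append("not valid UTF-8")
    if not 3 <= len(name) <= 128:
        problems.append("must be 3 through 128 characters long")
    if any(c.isupper() for c in name):
        problems.append("contains an uppercase letter")
    if "<" in name:
        problems.append("contains an opening angle bracket")
    if name.startswith(("[", "]")):
        problems.append("starts with a square bracket")
    if any(c.isspace() for c in name):
        problems.append("contains white space")
    if name in RESERVED_USERNAMES:
        problems.append("is a reserved string")
    if name in existing:
        problems.append("is already in use on this node")
    return problems


def password_problems(password, min_length=8, current=None, changing_own=True):
    """Return the password rules that `password` breaks (empty list = acceptable).

    `min_length` is the node's configured minimum. `current` and `changing_own`
    model the reuse rule: only a user changing their own password is barred
    from reusing the current one.
    """
    if min_length < 8:
        raise ValueError("the configured minimum password length cannot be less than eight")
    problems = []
    if not _is_valid_utf8(password):
        problems.append("not valid UTF-8")
    if len(password) > 256:
        problems.append("longer than 256 characters")
    if len(password) < min_length:
        problems.append(f"shorter than the configured minimum of {min_length}")
    for label, charset in PASSWORD_SETS.items():
        if not any(c in charset for c in password):
            problems.append(f"no {label}")
    if changing_own and current is not None and password == current:
        problems.append("same as the current password")
    return problems
```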

    User roles

    A role is a named collection of permissions that can be associated with an S Series Node user account. The roles associated with a user account determine which S Series Node interfaces the user can use and what the user can do with those interfaces. Roles generally correspond to job functions.

    A user account must be associated with one or more roles. The account user has all the permissions granted by each of the associated roles.

    The roles that you can associate with a user account are:

    • Administrator — Grants permission to use the HCP S Series Management Console and management API to view S Series Node configuration and status, perform configuration activities, and insert comments into and download the internal logs. With this role, you can also view the user account and bucket lists, create, modify, and delete buckets, and view the list of irreparable objects in those buckets. However, you cannot create, view, or otherwise manage objects in buckets.

    The administrator role does not grant permission to configure user accounts.

    • Monitor — Grants permission to use the HCP S Series Management Console and management API to view S Series Node configuration and status and insert comments into the internal logs. With this role, you can also view the bucket list and view the list of irreparable objects in those buckets. However, you cannot create, view, or otherwise manage objects in buckets.

    The monitor role does not grant permission to view or configure user accounts.

    • Security — Grants permission to use the HCP S Series Management Console and management API to view security events, create and manage user accounts, configure security settings, and insert comments into the internal logs.

    Tip: Always have at least two user accounts with the security role. This ensures that if one of the accounts with the security role becomes disabled, another account that can manage user accounts still exists.

    • Service — Grants permission to use the HCP S Series Management Console and management API to view S Series Node configuration and status, perform most configuration activities, perform maintenance activities, insert comments into and download the internal logs, and update the S Series Node software, OS, and license. With this role, you can also view the bucket list and view the list of irreparable objects in those buckets. However, you cannot create, view, or otherwise manage objects in buckets.

    The service role does not grant permission to view or configure user accounts.

    Note: You should associate the service role only with user accounts created for authorized service providers.

    • Data — Grants permission to use the HCP S Series HS3 API to create and manage buckets and store and manage objects in buckets. With this role, you can also use the Management Console and management API to generate your access key and secret key.

    All users can use the HCP S Series Management Console and management API to change their passwords.

    Considerations for working with user accounts

    If you have the security role, you can create, modify, and delete S Series Node user accounts. To perform these actions, you can use either the HCP S Series Management Console or the HCP S Series management API.

    These considerations apply to creating, modifying, and deleting user accounts:

    • You cannot change the username for an existing user account.

    • When changing the password for a user account other than your own, you can reuse the current password. When changing the password for your own user account, you cannot reuse the current password.

    • At all times, at least one user account must have the security role. Therefore:

    ¡ You cannot remove the security role from the last user account that has that role.

    ¡ You cannot delete the last user account that has the security role.

    • You cannot disable the last user account that has the security role. However, that user account can be disabled automatically due to the configured number of consecutive invalid login attempts.

    • If you disable the user account you used to log into the current HCP S Series Management Console, the Console session immediately ends.

    • You cannot delete a user account that owns any buckets. To delete such a user account, you first need to change the owner of each applicable bucket to a different user.

    • You cannot delete the user account you're currently using to access the S Series Node.

    • Multiple people can use the same user account concurrently to access the same or different S Series Node interfaces. To prevent this from happening, you should create a separate account for each user, and users should keep their passwords confidential.

    Objects

    An S Series Node stores objects. An S Series object is a combination of:

    • An exact digital reproduction of data as it existed before it was stored on the S Series Node.

    • Information that describes the object (for example, the data size and the object creation date). This information is called metadata.

    When data is written to an S Series Node, the S Series Node creates an object from it.

    S Series objects are not the same as HCP objects, and the two types of objects do not have a one-to-one correspondence with each other. Each HCP object tiered to an S Series Node can result in multiple objects on the S Series Node.

    Buckets

    An S Series Node stores objects in buckets. A bucket is a logical grouping of objects such that the objects in one bucket are not visible in any other bucket.

    Buckets have these properties:

    • A name.

    • An owner.

    • A description (optional). The description can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

    An S Series Node can have at most 10,000 buckets.

    Bucket names

    When you create a bucket, you specify a name for it. This name uniquely identifies that bucket on the S Series Node.

    Bucket names:

    • Must be from three through 63 characters long

    • Can contain only lowercase letters, digits, hyphens (-), and periods (.)

    • Cannot contain consecutive periods

    • Must start and end with a lowercase letter or digit

    • Can consist of multiple parts delimited by periods, where each part must start and end with a lowercase letter or digit

    • Cannot have the form of an IP address (for example, 192.168.10.4)

    Bucket owners

    Each S Series Node bucket has an owner that corresponds to an S Series Node user account with the data role. When you create a bucket, you select the bucket owner. Only the owner of a bucket can store and manage objects in that bucket.

    If you have the administrator role, you can use the HCP S Series Management Console or management API to change the owner of a bucket to a different user account.

    An individual user can own at most 100 buckets.
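
    The bucket naming rules and the two bucket limits (10,000 per node, 100 per owner) as a check to run before a create request. This is an added example, not Hitachi code: the function names and the `existing` mapping are hypothetical, "lowercase letters" is read as ASCII a-z, and any four dot-separated groups of digits are treated as having the form of an IP address.

```python
import re

MAX_BUCKETS_PER_NODE = 10_000
MAX_BUCKETS_PER_OWNER = 100

_ALLOWED = re.compile(r"[a-z0-9.-]*")
_IP_FORM = re.compile(r"[0-9]+(?:\.[0-9]+){3}")
_EDGE = frozenset("abcdefghijklmnopqrstuvwxyz0123456789")


def bucket_name_problems(name):
    """Return the bucket naming rules that `name` breaks (empty list = valid)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("must be 3 through 63 characters long")
    if not _ALLOWED.fullmatch(name):
        problems.append("contains a character other than a-z, 0-9, hyphen, or period")
    if ".." in name:
        problems.append("contains consecutive periods")
    elif not all(p and p[0] in _EDGE and p[-1] in _EDGE for p in name.split(".")):
        # Covers the whole-name rule too: the first part supplies the first
        # character of the name and the last part supplies the last one.
        problems.append("a part does not start and end with a lowercase letter or digit")
    if _IP_FORM.fullmatch(name):
        problems.append("has the form of an IP address")
    return problems


def bucket_request_problems(name, owner, existing):
    """Check a create request against the name rules and the node's limits.

    `existing` maps bucket name -> owner username for buckets already on the node.
    """
    problems = bucket_name_problems(name)
    if name in existing:
        problems.append("name is already used on this node")
    if len(existing) >= MAX_BUCKETS_PER_NODE:
        problems.append("node already has 10,000 buckets")
    if sum(1 for o in existing.values() if o == owner) >= MAX_BUCKETS_PER_OWNER:
        problems.append(f"{owner} already owns 100 buckets")
    return problems
```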

    Considerations for working with buckets

    If you have the administrator role, you can create, modify, and delete buckets. To perform these actions, you can use either the HCP S Series Management Console or the HCP S Series management API. If you have the data role, you can use the HCP S Series HS3 API to create and delete buckets.

    These considerations apply to modifying and deleting buckets:

    • You cannot change the name of an existing bucket.

    • You should not change the owner of a bucket that is being used by HCP. Doing so prevents HCP from storing and managing objects in the bucket.

    • You can delete a bucket only if it's empty (that is, it does not contain any objects).

    HCP S Series Node networks

    An S Series Node makes use of three customer-visible networks and, in the S30 Node only, two networks that are not exposed to customers:

    • The access network is used for external client access to the S Series Node through the HCP S Series HS3 API. This network can also be used for external client access to the S Series Node through the HCP S Series Management Console and management API.

    Note: HCP always communicates with S Series Nodes over the access network for both data access and management purposes.

    • The management network is used for external client access to the S Series Node through the HCP S Series Management Console and management API. This network cannot be used for access to the S Series Node through the HS3 API.

    You can use the management network to segregate network traffic for management purposes from network traffic for data access.

    • The server interconnect network is used by the two S Series Node server modules to communicate with each other. The two server modules are the only devices on this isolated network.

    • The BMC interconnect network (S30 Nodes only) is used by the two S Series Node server modules to provide high availability. The two server modules are the only devices on this isolated network.

    • The service network (S30 Nodes only) is reserved for use by authorized service providers.

    Access network

    For the access network, each S Series Node server module has two bonded 10Gb Ethernet ports that can be configured as active-active (802.3ad) or active-backup. These ports connect the server modules to the customer network through one or two Ethernet switches. The recommended configurations are:

    • One Ethernet switch, with both the S Series Node and the switch configured for active-active bonding. With this configuration, both access network ports on both server modules are connected to the same switch.

    • Two Ethernet switches. With this configuration, one access network port on each server module is connected to one of the switches, and the other access network port on each server module is connected to the other switch.

    For the appropriate configuration, consult your network administrator.

    Each server module has both physical and virtual access network IP addresses. To ensure that access to the HCP S Series Node is not disrupted by the unavailability of a single server module, clients must use the virtual IP addresses to communicate with the S Series Node. Communications that use a virtual IP address for an unavailable server module are automatically redirected to the available server module.

    The access network can have an IP mode of either IPv4 or IPv6. If the IP mode is IPv4, the two server modules must have access network IPv4 addresses on the same IPv4 subnet. If the IP mode is IPv6, the two server modules must have primary access network IPv6 addresses on the same IPv6 subnet. In all cases, the virtual IP address for a server module must be on the same subnet as the physical IP address.

    With an IP mode of IPv6, the server modules can also have secondary physical and virtual access network IPv6 addresses. These addresses must be on the same IPv6 subnet, and that subnet must not overlap the primary access network subnet. If one server module has a secondary access network IPv6 address, the other server module must also have one.

    The access network subnet or subnets cannot overlap the subnets for the S Series Node management and server interconnect networks.

    The S Series Node access network has these properties:

    • An IP mode (either IPv4 or IPv6). By default, the access network has an IP mode of IPv4.

    • If the IP mode is IPv4:

    ¡ An IPv4 gateway address. This is the address from which communications initiated by the S Series Node are sent over the network when the access network using the IPv4 gateway is the selected network for the particular type of communication.

    By default, the access network has an IPv4 gateway address of 10.0.0.254.

    ¡ An IPv4 subnet mask. By default, the access network has an IPv4 subnet mask of 255.255.255.0.

    ¡ An IPv4 subnet. The S Series Node derives this subnet from the access network IPv4 gateway address and access network IPv4 subnet mask.

    By default, the access network has an IPv4 subnet of 10.0.0.0/24.

    ¡ A physical IPv4 address for each server module. By default, the access network has physical IPv4 addresses of 10.0.0.1 for server module 1 and 10.0.0.2 for server module 2.

    ¡ A virtual IPv4 address for each server module. By default, the access network virtual IP addresses are not set. They must be set during the initial on-site configuration of the S Series Node.

    • If the IP mode is IPv6:

    ¡ A primary IPv6 gateway address. This is the address from which communications initiated by the S Series Node are sent over the network when the access network using the primary IPv6 gateway is the selected network for the particular type of communication.

    ¡ A primary IPv6 prefix length.

    ¡ A primary IPv6 subnet. The S Series Node derives this subnet from the primary access network IPv6 gateway address and primary access network IPv6 prefix length.

    ¡ A primary physical IPv6 address for each server module.

    ¡ A primary virtual IPv6 address for each server module.

    ¡ Optionally, a secondary IPv6 gateway address, a secondary IPv6 prefix length, a secondary IPv6 subnet, a secondary physical IPv6 address for each server module, and a secondary virtual IPv6 address for each server module.

    • Optionally, if the networking infrastructure supports virtual networking, a VLAN ID other than zero. Valid values for the VLAN ID are integers in the range zero through 4,094. If the networking infrastructure doesn't support virtual networking, the VLAN ID must be zero.

    If the access network has a nonzero VLAN ID, the applicable switches must be configured to support that ID. Additionally, the networking infrastructure must be configured to allow client requests to be routed to the S Series Node through the access network.

    By default, the access network has a VLAN ID of zero.

    • A maximum transmission unit (MTU). The MTU is the largest packet size supported for data sent on the network.

    The MTU for a network can be 1,500 or, if supported by the networking infrastructure, 9,000. The larger MTU reduces overhead and increases network throughput.

    By default, the access network has an MTU of 1,500.

    • A combined speed and duplex setting. By default, the access network has a speed and duplex setting of auto. With this setting, the S Series Node detects the speed and duplex settings of the device with which it’s communicating and then adjusts its settings to provide the highest possible data rate.

    • A bonding mode of active-backup or active-active (802.3ad). By default, the access network has a bonding mode of active-backup.

    Note: In the zone definition for the S Series Node in the DNS, use the virtual IP addresses of the server modules.

    Management network

    For the management network, each S Series Node server module has one 1Gb Ethernet port. These ports connect the server modules to the customer network using either of these configurations:

    • Two Ethernet switches, with the management port on each server module connected to a different switch. With this configuration, loss of connectivity to one switch does not prevent access to the S Series Node over the management network.

    • One Ethernet switch, with the management ports on both server modules connected to the same switch. With this configuration, if connectivity to the switch is lost, access to the S Series Node over the management network is not possible.

    Use of the management network is not required. If you don't plan to use this network, you have the option of not physically connecting it to the customer network.

    Tip: If you don't connect the management network, disable monitoring of that network.

    The management network can have an IP mode of either IPv4 or IPv6. If the IP mode is IPv4, the two server modules must have management IPv4 addresses on the same IPv4 subnet. If the IP mode is IPv6, the two server modules must have primary management IPv6 addresses on the same IPv6 subnet.

    With an IP mode of IPv6, the server modules can also have secondary management IPv6 addresses. These addresses must be on the same IPv6 subnet, and that subnet must not overlap the subnet for the primary management IPv6 addresses. If one server module has a secondary management IPv6 address, the other server module must also have one.

    The management network subnet or subnets cannot overlap the subnets for the S Series Node access and server interconnect networks.

    The S Series Node management network has these properties:

    • An IP mode (either IPv4 or IPv6). By default, the management network for a new S Series Node has an IP mode of IPv4.

    • If the IP mode is IPv4:

    ¡ An IPv4 gateway address. This is the address from which communications initiated by the S Series Node are sent over the network when the management network using the IPv4 gateway is the selected network for the particular type of communication.

    By default, the management network has an IPv4 gateway address of 10.2.2.254.

    ¡ An IPv4 subnet mask. By default, the management network has an IPv4 subnet mask of 255.255.255.0.

    ¡ An IPv4 subnet. The S Series Node derives this subnet from the management network IPv4 gateway address and management network IPv4 subnet mask.

    By default, the management network has an IPv4 subnet of 10.2.2.0/24.

    ¡ An IPv4 address for each server module. By default, the management network has IPv4 addresses of 10.2.2.1 for server module 1 and 10.2.2.2 for server module 2.

    Note: Do not use 10 as the fourth octet for the IPv4 gateway address or server module IPv4 addresses. This value is reserved for use by authorized service providers.

    • If the IP mode is IPv6:

    ¡ A primary IPv6 gateway address. This is the address from which communications initiated by the S Series Node are sent over the network when the access network using the primary IPv6 gateway is the selected network for the particular type of communication.

    ¡ A primary IPv6 prefix length.

    ¡ A primary IPv6 subnet. The S Series Node derives this subnet from the primary management network IPv6 gateway address and primary management network IPv6 prefix length.

    ¡ A primary IPv6 address for each server module.

    ¡ Optionally, a secondary IPv6 gateway address, a secondary IPv6 prefix length, a secondary IPv6 subnet, and a secondary IPv6 address for each server module.

    Note: Do not use 10 as the last segment for the primary or secondary IPv6 gateway address or primary or secondary server module IPv6 addresses. This value is reserved for use by authorized service providers.

    • Optionally, if the networking infrastructure supports virtual networking, a VLAN ID other than zero. Valid values for the VLAN ID are integers in the range zero through 4,094. If the networking infrastructure doesn't support virtual networking, the VLAN ID must be zero.

    If the management network has a nonzero VLAN ID, the management switches must be configured to support that ID. Additionally, the networking infrastructure must be configured to allow client requests to be routed to the S Series Node through the management network.

    By default, the management network has a VLAN ID of zero.

    • A maximum transmission unit (MTU). The MTU is the largest packet size supported for data sent on the network.

    The MTU for a network can be 1,500 or, if supported by the networking infrastructure, 9,000. The larger MTU reduces overhead and increases network throughput.

    By default, the management network has an MTU of 1,500.

    • A combined speed and duplex setting. By default, the management network has a speed and duplex setting of auto. With this setting, the S Series Node detects the speed and duplex settings of the device with which it’s communicating and then adjusts its settings to provide the highest possible data rate.

    • Whether monitoring of the management network is enabled or disabled. If you don't make the physical connections for the management network, you should disable monitoring for the network. If monitoring is enabled without the physical connections present, the S Series Node reports that the network is not functioning properly, and the HCP S Series Management Console displays alerts to that effect.

    By default, management network monitoring is enabled.

    Server interconnect network

    For the server interconnect network, each S Series Node server module has one 1Gb Ethernet port. These ports connect the server modules to each other.

    The server interconnect network has an IP mode of IPv4. By default, on an S10 Node, the subnet for this network is 10.1.1.0/24. By default, on an S30 Node, the subnet for this network is 10.1.1.0/26.

    On an S30 Node, the server interconnect network shares the first three octets of its subnet with the BMC interconnect and service networks. Changing those octets for the server interconnect network subnet also changes those octets for the BMC interconnect network and service network subnets.

    The subnets for the server interconnect, BMC interconnect, and service networks cannot overlap the subnets for the S Series Node access and management networks. Additionally, the server interconnect network subnet cannot overlap any subnet used in the customer networking environment.

    Note: You should change the subnet for the server interconnect network only if a conflict exists.

    Caution: Do not disconnect the purple server interconnect cable from either server module while the S Series Node is powered on. Doing so can result in data loss.

    BMC interconnect network (S30 Nodes only)

    For the BMC interconnect network, each server module has one 1Gb BMC Ethernet port and one 1Gb BMC interconnect Ethernet port. The BMC port on each server module connects to the BMC interconnect port on the other server module.

    The BMC interconnect network has an IP mode of IPv4. By default, the subnet for this network is 10.1.1.128/26.

    The BMC interconnect network subnet has the same first three octets as the server interconnect network subnet. If you change those three octets for the server interconnect network subnet, they also change for the BMC interconnect network subnet.

    Service network (S30 Nodes only)

    For the service network, each server module has one 1Gb Ethernet port. The service network is intended exclusively for use by authorized service providers.

    The service network has an IP mode of IPv4. By default, the subnet for this network is 10.1.1.192/26.

    The service network subnet has the same first three octets as the server interconnect network subnet. If you change those three octets for the server interconnect network subnet, they also change for the service network subnet.

    Considerations for working with S Series Node networks

    If you have the administrator or service role, you can modify S Series Node networks. To do this, you can use either the HCP S Series Management Console or the HCP S Series management API.

    These considerations apply to modifying networks:

    • You cannot change the names of the S Series Node networks.

    • You can modify all properties of the access network and management network except their names. To modify a subnet, change the applicable gateway address and/or the applicable netmask or prefix length.

    • When you modify the access network or management network, communication with the S Series Node is briefly disrupted. However, the S Series Node server modules are not rebooted.

    • You can change the physical or virtual IP address of the server module that's servicing the change request. If the IP address you change is the one the request is using and you're making the change in the HCP S Series Management Console, the Console session immediately ends.

    • You can change the subnet for the server interconnect network, but you cannot change the fourth octet of the server module IP addresses on the server interconnect network.

    • When you change the subnet for the server interconnect network, both S Series Node server modules are automatically rebooted. Until the reboot is complete, no communication can occur between the S Series Node and other devices.

    • Two different S Series Nodes can have the same server interconnect network subnet and the same server interconnect network IP addresses for their server modules. This is because the server interconnect network for each S Series Node is isolated from the server interconnect network for the other S Series Node.

    • When you correctly change the configuration of a network, the HCP S Series Management Console displays a success message. However, this message is displayed before the change is fully implemented. To ensure that the change succeeded, check the S Series Node event log. If you do not see the following message, the change succeeded:

    Network configuration change could not be applied
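
    The addressing rules from the network sections above, applied to a proposed IPv4 plan before it is submitted: subnet derivation from gateway and mask, addresses on their own subnet, the VLAN and MTU ranges, the reserved fourth octet on the management network, and the stated no-overlap rules. This is an added example, not Hitachi code: the plan layout and function names are hypothetical, the sample uses the S30 defaults given above, and the virtual addresses and customer subnet are constructed.

```python
import copy
import ipaddress
from itertools import combinations

VALID_MTUS = {1500, 9000}
CUSTOMER_VISIBLE = ("access", "management")


def derive_subnet(gateway, mask):
    """Subnet derived from a gateway address and a subnet mask or prefix length."""
    return ipaddress.ip_interface(f"{gateway}/{mask}").network


def check_plan(plan):
    """Return the rule violations in an IPv4 network plan (empty list = OK)."""
    problems = []
    subnets = {}
    for name in CUSTOMER_VISIBLE:
        net = plan[name]
        subnets[name] = derive_subnet(net["gateway"], net["mask"])
        # Physical and virtual addresses must sit on the network's own subnet.
        for label, addr in net["addresses"].items():
            if ipaddress.ip_address(addr) not in subnets[name]:
                problems.append(f"{name}: {label} {addr} is outside {subnets[name]}")
        if not 0 <= net.get("vlan", 0) <= 4094:
            problems.append(f"{name}: VLAN ID {net['vlan']} is not in 0 through 4094")
        if net.get("mtu", 1500) not in VALID_MTUS:
            problems.append(f"{name}: MTU {net['mtu']} is not 1500 or 9000")

    # Management network: a fourth octet of 10 is reserved for service providers.
    mgmt = plan["management"]
    for label, addr in [("gateway", mgmt["gateway"]), *mgmt["addresses"].items()]:
        if ipaddress.ip_address(addr).packed[-1] == 10:
            problems.append(f"management: {label} {addr} uses reserved fourth octet 10")

    for name, cidr in plan["internal"].items():
        subnets[name] = ipaddress.ip_network(cidr)

    # Every overlap rule stated above involves the access or management subnet.
    for a, b in combinations(subnets, 2):
        if (a in CUSTOMER_VISIBLE or b in CUSTOMER_VISIBLE) and subnets[a].overlaps(subnets[b]):
            problems.append(f"{a} subnet {subnets[a]} overlaps {b} subnet {subnets[b]}")

    # The server interconnect subnet must also stay clear of customer subnets.
    for cidr in plan.get("customer_subnets", []):
        if subnets["server_interconnect"].overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"server_interconnect subnet overlaps customer subnet {cidr}")
    return problems


# S30 defaults from the sections above.
DEFAULT_S30_PLAN = {
    "access": {
        "gateway": "10.0.0.254", "mask": "255.255.255.0", "vlan": 0, "mtu": 1500,
        "addresses": {
            "module 1 physical": "10.0.0.1", "module 2 physical": "10.0.0.2",
            # Virtual addresses have no default; these two are constructed.
            "module 1 virtual": "10.0.0.11", "module 2 virtual": "10.0.0.12",
        },
    },
    "management": {
        "gateway": "10.2.2.254", "mask": "255.255.255.0", "vlan": 0, "mtu": 1500,
        "addresses": {"module 1": "10.2.2.1", "module 2": "10.2.2.2"},
    },
    "internal": {
        "server_interconnect": "10.1.1.0/26",
        "bmc_interconnect": "10.1.1.128/26",
        "service": "10.1.1.192/26",
    },
    "customer_subnets": ["192.168.0.0/16"],  # constructed
}

# Constructed bad change: the management gateway is moved into the server
# interconnect range without updating the module addresses, and the MTU is invalid.
CONFLICTING_PLAN = copy.deepcopy(DEFAULT_S30_PLAN)
CONFLICTING_PLAN["management"].update(gateway="10.1.1.10", mask="255.255.255.128", mtu=4000)

if __name__ == "__main__":
    for problem in check_plan(CONFLICTING_PLAN):
        print(problem)
```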

    HCP S Series Node identification

    Each S Series Node can be identified by both a domain name and a serial number.

    Domain name

    The domain name for an S Series Node must be a valid DNS domain name that can be used for access to that S Series Node (for example, s-node-1.example.com). Valid domain names:

    • Can contain only letters, numbers, and hyphens (-)

    • Must consist of at least three segments, separated by periods, where each segment is one through 63 characters long

    • Can be up to 127 characters long, including the periods between segments

    For clients to access the S Series Node by domain name, the domain must be defined as a primary zone in the DNS.

    Even if the customer doesn't use DNS, the S Series Node must have a domain name. This dummy domain name must comply with the rules for valid domain names.

    You can use the HCP S Series Management Console or management API to change the domain name for an S Series Node. If you do this and the customer uses DNS, be sure to also change the domain name in the DNS.

    Serial number

    The serial number for an S Series Node uniquely identifies the S Series Node. You can find the serial number on a label that's attached to the front right corner of the top of the enclosure. You can also view the serial number in the HCP S Series Management Console or by using the S Series Node management API.

    You cannot change the serial number for an S Series Node.

    HCP S Series Node licenses

    Every HCP S Series Node must be licensed. Each license is for an individual S Series Node. A license specifies the total storage capacity that can be installed in the S Series Node without violating the license agreement.

    A license can have an expiration date or can be valid for an indefinite period of time. If the license for an S Series Node expires, using that S Series Node is a violation of the license agreement.

    HCP S Series Node access

    An S Series Node has three interfaces that provide access to it:

    • The web-based HCP S Series Management Console supports both management functions and data access.

    • The RESTful HCP S Series management API supports only management functions.

    • The RESTful HS3 API supports only data access functions.

    To support the use of HTTPS with these interfaces, the S Series Node must have an SSL server certificate. HTTPS is possible with the HS3 API only if your S Series Node is configured to support the use of SSL for data access.

    HCP S Series Management Console configuration

    You can enable access to the HCP S Series Management Console on both the access network and the management network. At any given time, at least one of these networks must be enabled for Console access. By default, both networks are enabled for Console access.

    For each of these networks individually, you can enable HTTPS alone or HTTPS and HTTP together for access to the Management Console. By default for both networks, only HTTPS is enabled for Console access.

    Support for HTTP without SSL security is provided so that the Management Console can accept requests passed on by load balancers where the load balancer has terminated the SSL connection. Client requests for access to the Management Console should always use HTTPS, not HTTP.

    By default, users can access the Management Console from any IP address. You can choose to allow access only from specific IP addresses. Similarly, you can choose to deny access from specific IP addresses. You control how the S Series Node handles IP addresses that are included in both or neither of the lists of allowed or denied addresses.

    You can specify message text to appear on the login page of the Management Console. This text is optional. If specified, it can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

    The text you specify appears above the fields for the username and password on the login page. You can use this text, for example, for messages such as “Authorized Users Only” or “Welcome to the HCP S Series Management Console.”

    HCP S Series management API configuration

    You can enable access to an S Series Node through the HCP S Series management API on both the access network and the management network. At any given time, at least one of these networks must be enabled for management API access. By default, both networks are enabled for management API access.

    Note: HCP always communicates with S Series Nodes over the access network. If the access network is disabled for the management API, HCP systems cannot use the S Series Node.

    For the access and management networks individually, you can enable HTTPS alone or HTTPS and HTTP together for access to the S Series Node through the management API. By default for both networks, only HTTPS is enabled for management API access.

    Although S Series Nodes can support HTTP without SSL security, for security reasons, client requests for access through the management API should always use HTTPS, not HTTP.

    By default, users can use the management API to access an S Series Node from any IP address. You can choose to allow access only from specific IP addresses. Similarly, you can choose to deny access from specific IP addresses. You control how the S Series Node handles IP addresses that are included in both or neither of the lists of allowed or denied addresses.

    HCP S Series data access protocol configuration

    Note: In release 2.1 of the S Series Node, the only supported data access protocol is HS3.

    You can enable or disable use of the HCP S Series HS3 API. If you disable use of this API, clients cannot read, write, modify, or delete data stored on the S Series Node.

    If your S Series Node supports the use of SSL for data access, you can enable HTTPS alone or HTTPS and HTTP together for access to the S Series Node through the HS3 API. By default, both are enabled. If your S Series Node does not support the use of SSL for data access, HTTP is the only option for access through the HS3 API.

    By default, clients can use the HS3 API to access an S Series Node from any IP address. You can choose to allow access only from specific IP addresses. Similarly, you can choose to deny access from specific IP addresses. You control how the S Series Node handles IP addresses that are included in both or neither of the lists of allowed or denied addresses.

    Allow and deny lists

    An allow list specifies IP addresses that are allowed access to an S Series Node through a given interface. A deny list specifies IP addresses that are denied access through a given interface.

    Each entry in an allow or deny list can be:

    • A single IP address

    • A range of IPv4 addresses specified as ip-address/subnet-mask (for example, 192.168.100.197/255.255.255.0) or in CIDR format (for example, 192.168.100.0/24)

    • A range of IPv6 addresses specified in CIDR format (for example, 2001:0db8::/32)

    The CIDR entry that matches all IPv4 addresses is 0.0.0.0/0. The CIDR entry that matches all IPv6 addresses is 0::0/0.

    The same IP address can be included in neither, one, or both of the allow and deny lists for a given interface. To control how the S Series Node handles this, you use the Allow requests when same IP is used in both lists option for the interface. The table below describes the effects of selecting or deselecting this option.

    | List entries | Allow requests when same IP is used in both lists: Selected | Allow requests when same IP is used in both lists: Deselected |
    |---|---|---|
    | Allow list: empty. Deny list: empty | All IP addresses have access. | No IP addresses have access. |
    | Allow list: at least one entry. Deny list: empty | All IP addresses have access. | Only IP addresses in the allow list have access. |
    | Allow list: empty. Deny list: at least one entry | All IP addresses not in the deny list have access. IP addresses in the deny list do not. | No IP addresses have access. |
    | Allow list: at least one entry. Deny list: at least one entry | IP addresses included in both or neither of the lists have access. | IP addresses included in both or neither of the lists do not have access. |

    At all times, at least one IP address must be allowed access to the HCP S Series Management Console, either explicitly or due to the setting for allow and deny list handling.

    You cannot add the IP address from which you're currently accessing an S Series Node to the deny list for the interface you're using. Similarly, you cannot change the setting for allow and deny list handling for that interface such that access would be denied from that IP address.
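    The allow and deny list table above reduces to one rule: an address in exactly one list follows that list, and an address in both or neither follows the option setting. The Python sketch below is an added example for reviewing a planned configuration offline, not Hitachi code; the function names are hypothetical, and the handling of an address found in only one list when both lists are populated is an assumption inferred from the other table rows.

```python
import ipaddress


def parse_entry(entry):
    """Parse one allow/deny list entry into a network object.

    Handles the entry forms the page lists: a single address, an IPv4
    address/subnet-mask pair, IPv4 CIDR and IPv6 CIDR. strict=False lets
    192.168.100.197/255.255.255.0 stand for its enclosing /24.
    """
    return ipaddress.ip_network(entry.strip(), strict=False)


def matches(addr, entries):
    """True if addr falls inside any entry of the same IP version."""
    nets = (parse_entry(e) for e in entries)
    return any(addr.version == n.version and addr in n for n in nets)


def has_access(client_ip, allow, deny, allow_when_in_both):
    """Evaluate the documented table for one client address.

    allow_when_in_both mirrors the "Allow requests when same IP is used
    in both lists" option. An address in both lists or in neither list
    gets the option's value. An address in exactly one list follows that
    list (assumption for the case where both lists have entries).
    """
    addr = ipaddress.ip_address(client_ip)
    in_allow = matches(addr, allow)
    in_deny = matches(addr, deny)
    if in_allow != in_deny:
        return in_allow
    return allow_when_in_both


def would_lock_out(current_ip, allow, deny, allow_when_in_both):
    """True if the proposed lists and option would deny current_ip.

    Models the documented guard that the address you are connecting from
    cannot be denied by a list or option change on that interface.
    """
    return not has_access(current_ip, allow, deny, allow_when_in_both)


if __name__ == "__main__":
    # Constructed sample lists using the entry formats shown on the page.
    allow = ["192.168.100.197/255.255.255.0"]
    deny = ["192.168.100.50", "2001:0db8::/32"]
    for ip in ("192.168.100.7", "192.168.100.50", "10.9.8.7", "2001:db8::1"):
        for option in (True, False):
            verdict = "access" if has_access(ip, allow, deny, option) else "denied"
            print(f"{ip:16} option={option!s:5} -> {verdict}")
```

    With the option deselected and both lists empty, every address is denied, which is the state the "at least one IP address must be allowed" rule above rules out for the Management Console.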

    SSL server certificates

    For HTTPS access to an S Series Node through the Management Console, management API, or HS3 API, the S Series Node must have an SSL server certificate. To meet this need, each S Series Node comes with a self-signed certificate. The common name in this certificate is *.node-domain-name, where node-domain-name is the configured domain name of the S Series Node.

    When an SSL server certificate is close to expiring, the S Series Node displays an alert notifying you of the upcoming expiration. You can use the HCP S Series Management Console or management API to generate a new self-signed certificate. The new certificate has an expiration date of five years from the date on which it was generated.

    After you generate a new SSL server certificate for the S Series Node, clients such as HCP that had accepted the old certificate must now accept the new certificate to be able to continue accessing the S Series Node.

    HCP S Series Node security

    As a security administrator, you can control various aspects of access to an S Series Node.

    Ping and SSH

    You can allow or prevent the use of these services on the S Series Node server modules:

    • Ping — Enabling this service lets you use ping to check network connectivity to the server modules. This service is enabled by default.

    • SSH login by authorized service providers on the management port — Enabling this service facilitates troubleshooting when you request support.

    With this service enabled, service providers can use SSH to access the S Series Node on the access, management, and service (S30 Nodes only) networks. Disabling this service disables SSH access on the access and management networks. On S30 Nodes, the service port can always be used for SSH access.

    This service is enabled by default.

    User account and Management Console properties

    You can configure these properties that affect S Series Node user accounts and HCP S Series Management Console sessions:

    • The minimum password length. Valid values are integers in the range eight through 256. The default is eight.

    • The number of days passwords are valid before they automatically expire. Valid values are integers in the range three through 180. The default is 90.

    Note: An HCP system that's configured to use storage on an S Series Node automatically changes the password for its S Series Node user account every 30 days. If you set the password expiration interval on the S Series Node to fewer than 30 days, the HCP system won't be able to access the S Series Node after the specified number of days have passed. To prevent this from happening, turn off the automatic password expiration for the S Series Node user account created by HCP.

    • The consecutive number of times a user can specify an incorrect password before the user account is automatically disabled. Valid values are integers in the range three through 999. The default is ten.

    This limit applies both to attempts to log into the HCP S Series Management Console and to attempts to access the S Series Node through the management API.

    If a user account with the security role is automatically disabled due to an incorrect password, the account is automatically reenabled after one hour.

    • The number of minutes an HCP S Series Management Console session can be inactive before it times out. Valid values are integers in the range five through 720. The default is ten.

    DNS servers and time servers

    You can choose to tell the S Series Node how to access one or more DNS servers. An S Series Node always needs to know how to access at least one external time server.

    DNS servers

    Optionally, you can make DNS servers known to an S Series Node. You can specify up to three DNS servers. You identify each one by its IP address.

    You can choose the network (access or management) to be used for communication between the S Series Node and the DNS servers you specify. The default is the access network.

    The S Series Node uses the selected network in the IP mode in which the network is configured. If the network is configured for IPv6, you can choose to use the primary or secondary IPv6 gateway. If you choose to use the secondary IPv6 gateway and this gateway is not configured, communications between the S Series Node and the DNS servers fail.

    For the S Series Node to communicate with the specified DNS servers, the IP mode of your network selection must match the IP mode of the DNS server IP addresses.

    Time servers

    S Series Nodes use external time servers to set and maintain their internal clock times. Regardless of the time servers used, S Series Node time is always expressed in UTC.

    You can specify up to three external time servers for use by an S Series Node. You identify each time server by its IP address. You cannot use DNS hostnames to identify time servers to an S Series Node.

    The time servers you specify should be the same time servers as those that are used by the clients accessing the S Series Node.

    You can choose the network (access or management) to be used for communication between the S Series Node and the time servers you specify. The default is the access network.

    The S Series Node uses the selected network in the IP mode in which the network is configured. If the network is configured for IPv6, you can choose to use the primary or secondary IPv6 gateway. If you choose to use the secondary IPv6 gateway and this gateway is not configured, communications between the S Series Node and the time servers fail.

    For the S Series Node to communicate with the specified time servers, the IP mode of your network selection must match the IP mode of the time server IP addresses.

    Changing the list of time servers used by an S Series Node causes the S Series Node to restart itself.

    HCP S Series Node event log

    An S Series Node maintains a log to which it writes messages about events that occur on the S Series Node. You can view the event log in the HCP S Series Management Console. You can also use the S Series Node management API to retrieve the contents of the log.

    The event times shown with log messages are in UTC.

    HCP S Series Node alerts

    Alerts contain information about the current state of the S Series Node. You can view alerts in the HCP S Series Management Console. You can also use the S Series Node management API to retrieve the alerts that are currently in effect.

    Alerts are triggered by events. However, although messages about events are always logged at the time the event occurs, some alerts may not be available until up to five minutes after the triggering event occurs.

    Syslog logging

    You can have the S Series Node send event log messages to one or more specified syslog servers as the messages are written to the log. When you do this, you can use tools in your syslog environment to perform functions such as sorting the messages, querying for certain events, or forwarding error messages to a mobile device.

    By default, the S Series Node sends messages about all events except security events. Security event messages report actions that require the security role (such as the creation of user accounts) and attempts to log into the HCP S Series Management Console with an invalid username or to use the HCP S Series management API with an invalid username. With the Management Console and management API, only users with the security role can see these messages. However, you can choose to have security event messages sent to the syslog servers along with other event messages.

    You can limit the volume of messages sent to the syslog servers in these ways:

    • By sending only messages about major events. Major events are those that are displayed on the Dashboard page of the HCP S Series Management Console.

    • By setting a minimum severity level of WARNING or ERROR for the messages to be sent.

    You can specify up to ten syslog servers. You identify each one by its IP address (optionally, with an appended port number). If you specify multiple servers, the S Series Node sends each message to all of them.

    When you specify syslog servers, you also need to specify the syslog local facility to which to direct the event messages. This selection applies to all the syslog servers you specify.

    You can choose the network (access or management) to be used for communication between the S Series Node and the syslog servers you specify. The default is the access network.

    The S Series Node uses the selected network in the IP mode in which the network is configured. If the network is configured for IPv6, you can choose to use the primary or secondary IPv6 gateway. If you choose to use the secondary IPv6 gateway and this gateway is not configured, communications between the S Series Node and the syslog servers fail.

    For the S Series Node to communicate with the specified syslog servers, the IP mode of your network selection must match the IP mode of the syslog server IP addresses.

    After configuring syslog logging, you can test the configuration by having the S Series Node send a test message to the specified syslog servers. For the test message to be sent, the minimum severity level must be set to NOTICE, which allows all messages to be sent, and Send major events only must be enabled.

    Note: If the access and management networks have different IP modes and two or more syslog servers are configured to receive event log messages, where at least one syslog server has an IPv4 address and one has an IPv6 address, the S Series Node sends messages to the syslog servers over both the access and management network.

    HCP S Series Node internal logs

    In addition to the event log, which is displayed in the HCP S Series Management Console and available through the HCP S Series management API, an S Series Node maintains internal logs. These logs record the status and activity of various components of the software running on the S Series Node. If a problem occurs with the S Series Node, the internal logs can help support personnel diagnose and resolve it.

    At any time, you can insert a comment into the S Series Node internal logs. You can use this capability, for example, to note unusual events that occur in the S Series Node. This can later help support personnel understand the symptoms that indicate a possible problem. It can also help them determine when a problem started.

    To help with troubleshooting, you can download the internal logs and send them to your HCP support center. You can use the HCP S Series Management Console or management API to download the logs. For ease of handling, the S Series Node downloads the logs into a single packed file. Neither this file nor the logs themselves are encrypted.

    An S Series Node generally keeps internal logs for at least 120 days. However, it keeps them for a shorter time period if not enough space is available for them. You can download the logs for any length of time within the period for which logs exist. When downloading the logs, be sure to include all the days on which you observed problems with the S Series Node.

    HCP S Series software, OS, and license maintenance

    When a new release of the HCP S Series software becomes available, you can upgrade the currently installed version of the HCP S Series software to that release. Software upgrades, which can also include an upgrade of the HCP S Series OS and updates to component firmware, are performed while the S Series Node is running. The S Series Node remains fully functional during an upgrade.

    At times, you may need to apply a hotfix to an S Series Node. A hotfix is an update to the software, OS, or firmware that resolves a particular problem. Typically, hotfixes are applied only to S Series Nodes that are experiencing that problem. If possible, hotfixes are applied while the S Series Node is running, with no loss of functionality during the process.

    When capacity is added to an S Series Node or when the product license is extended, you need to upload a new license to the S Series Node. License uploads also occur while the S Series Node is running, with no loss of functionality during the process.

    You use the same procedure for upgrading the software, applying a hotfix, and uploading a new license. The first step of this procedure is to upload an update file. The second step is to apply the uploaded update. You can perform this procedure either in the HCP S Series Management Console or by using the HCP S Series management API.

    HCP S Series Node update files

    You make updates to the HCP S Series software or license by uploading and applying the contents of a single update file. This can be a software upgrade file, a hotfix file, or a license file.

    A software upgrade file contains the files necessary for upgrading the HCP S Series software and, if applicable, the HCP S Series OS and S Series Node component firmware.

    Software upgrade files are named HS437_release-number.bin (for example, HS437_2.1.0.5.bin).

    A hotfix file contains the files necessary for applying a hotfix. A hotfix can update the HCP S Series software, OS, or component firmware.

    Hotfix files are named HCPS-release-number_HFhotfix-number.bin (for example, HCPS-2.1.0.5_HF0001.bin).

    A license file contains an S Series Node license. Each license is specific to a particular S Series Node and cannot be applied to any other S Series Node.

    License files are named HCPSLic_SNserial-number-digits_Qquote-number_Clicensed-capacityTB_expiration-date.plk (for example, HCPSLic_SN12345_Q9876543_CTB_07-23-2019.plk). New license files for an S Series Node are sent to the customer site as needed.

    Considerations for software and license updates

    These considerations apply to maintaining the HCP S Series software and license:

    • Before you can start the procedure to upgrade the HCP S Series software, apply a hotfix, or upload a new license, both S Series Node server modules must be running and healthy.

    • When you upload an update file, the file overwrites any previously uploaded update file.

    • After uploading an update file, you cannot apply the update while the internal logs are being downloaded or a maintenance procedure is in progress.

    • Before the HCP S Series software can be updated (by either a software upgrade or a hotfix application), all component firmware must be up to date as of the last time the HCP S Series OS was installed. If the firmware is not up to date, the software update fails. If this happens, have your authorized service provider update the firmware. Then apply the software update again.

    • While the software is being updated, you can make changes to the S Series Node configuration. However, most configuration changes don't take effect until the software update is complete.

    • Software updates occur on one server module at a time. While the software is being updated on one server module, all S Series Node processing occurs on the other server module.

    • When a software update finishes on the first server module, that server module is automatically rebooted. When the reboot is complete, the update automatically starts on the second server module, and processing fails over from the second server module to the first server module. While this failover is in progress, the HCP S Series Management Console may be briefly unavailable.

    When the software update is complete on the second server module, that server module is automatically rebooted. When the reboot is complete, processing is again distributed across both server modules.

    • While the software on a server module is being updated, you cannot access that module by physical IP address.

    • If you accessed the HCP S Series Management Console by using the physical IP address of the second server module while the software on the first server module was being updated, when failover occurs, you lose your connection to the S Series Node. At that point, you need to log in again, this time using the S Series Node domain name, a virtual IP address, or the physical IP address of the first server module to access the Management Console.

    • At certain points during a software upgrade or hotfix application that includes a firmware update, the HCP S Series Management Console displays an alert indicating that a firmware version mismatch exists. Depending on which server module issued the alert, the alert may show up as informational or as indicating an error condition. In either case, no action is required.

    • If an error occurs during the apply step of an update, you can try restarting the update. If an error occurs again, do not try to restart the update a second time. Instead, contact your authorized service provider for help.

    • For an upgrade from release 1.x to release 2.1, after the HCP S Series software has been upgraded, the S Series Node updates the internal database. While the database update is in progress, the HCP S Series Management Console displays a banner indicating that this update is in progress.

    These considerations apply to the internal database update:

    ◦ Depending on the number of objects stored on the S Series Node, the internal database update can take from a few minutes to several weeks.

    ◦ During the internal database update, S Series Node performance may be slightly degraded.

    ◦ Toward the end of the internal database update, processing of HS3 requests may be paused. In most cases, this pause is brief. However, if the S Series Node is experiencing a high volume of activity, the pause in HS3 processing may be longer.

    ◦ After the internal database is updated, the used capacity reported for the S Series Node includes the space used by the database. While the update is in progress, the reported used capacity reflects the increasing use of storage space.

    ◦ While performing the internal database update, the S Series Node temporarily uses some of the available storage. The statistics on the HCP S Series Management Console Dashboard reflect this storage usage.

    ◦ If the S Series Node runs out of free space while performing the internal database update, the S Series Node stops the update. The S Series Node checks for free space every few hours and, when a sufficient amount of free space becomes available, continues the update from the point at which the update stopped.

    HCP S Series Node hardware maintenance

    For certain HCP S Series Node hardware maintenance procedures, you start the procedure either in the HCP S Series Management Console or by using the HCP S Series management API. These procedures are:

    • Adding data and database drives to an S Series Node

    • Removing data and database drives from an S Series Node

    • Replacing data and database drives in an S Series Node

    • Adding enclosures to an S30 Node

    • Removing enclosures from an S30 Node

    • Replacing an S Series Node enclosure

    Additionally, you use either the Management Console or management API to:

    • Power off an S Series Node