Deployment guidelines and limitations for Storage Resource agents

You must consider the following guidelines and limitations when you manage Storage Resource agents in your environment.

Use the following information when you deploy Storage Resource agents:
Multiple Storage Resource agents that are probing or scanning the same resources
If multiple Storage Resource agents are set up to probe or scan the same storage resources, the Storage Resource agents that was added to IBM Spectrum Control first is used for the probe or scan. Therefore, only data that is gathered by the first Storage Resource agent is shown.
Platforms that support the deployment of Storage Resource agents
For a list of platforms on which you can deploy Storage Resource agents, see the External link iconIBM Spectrum Control interoperability matrix and go to the Agents, Servers and Browsers section.
Product functions that are unavailable for resources that are monitored by Storage Resource agents
Before you deploy a Storage Resource agent, ensure that the product functions you want to use on the monitored resources are available for those agents. The following functions are not available for resources that are monitored by Storage Resource agents:
  • Certain relational database monitoring. For list of relational databases that can be monitored by Storage Resource agents, see the External link iconIBM Spectrum Control interoperability matrix and go to the Agents, Servers and Browsers section.
  • The reporting of HBA, fabric topology, or zoning information for fabrics that are connected to hosts that are running Linux on IBM® System z® hardware. These limitations also apply to Storage Resource agents on all guest operating systems for VMware configurations.
Required authorities for deploying and running Storage Resource agents
Before you can create deployment schedules and deploy Storage Resource agents on target computers, you must meet the following requirements:
  • To create deployment schedules, you must be logged in to IBM Spectrum Control with a user ID that has the Administrator role. For information about user roles, see Authorizing users.
  • To deploy Storage Resource agents on target computers, you must provide a user ID that has administrative rights on those computers. You enter this ID when you create a deployment schedule. IBM Spectrum Control uses this ID to log on to the target computers and install and configure the necessary runtime files for the agents.
The user under which a Storage Resource agent (daemon or non-daemon) runs must have the following authorities on the target computers:
  • On the Linux or AIX operating systems, the user must have root authority. By default, an agent runs under the user 'root'.
  • On the Windows operating systems, the user must have Administrator authority and be a member of the Administrators group. By default, a Storage Resource agent runs under the 'Local System' account.
Orphan zones
Storage Resource agents do not collect information about orphan zones. An orphan zone is a zone that does not belong to at least one zoneset.
Firewalls and Storage Resource agent deployments
Before you can deploy a Storage Resource agent on a computer, you must turn off the firewall on that computer. If you do not turn off the firewall, the deployment fails.
Deploying Storage Resource agents on multiple computers
If you deploy Storage Resource agents on multiple computers at the same time, the computers must have the same administrative user ID and password. IBM Spectrum Control uses these user credentials to log on to the computers when you install Storage Resource agents.
Tip: When you deploy Storage Resource agents on multiple computers, a globally unique identifier (GUID) is created for each computer (if one does not exist).
Communication between the IBM Spectrum Control server and a Storage Resource agent
The IBM Spectrum Control server connects to a monitored computer when a Storage Resource agent is deployed and whenever a data collection schedule runs against that agent.
During deployment, the server communicates with the target computer by using one of the following protocols:
  • Windows server message block protocol (SMB)
  • Secure Shell protocol (SSH)
  • Remote execution protocol (REXEC)
  • Remote shell protocol (RSH)

After deployment, the type of communication between the server and agent on that computer depends on whether you deployed the agent as daemon service or non-daemon service.

Daemon and non-daemon services
You can deploy a Storage Resource agent as a daemon or non-daemon service:
  • A Storage Resource agent that is deployed as a daemon service runs in the background on the monitored computer and listens for requests from the IBM Spectrum Control server. Connectivity between the server and agent is established by using SSL. The server and agent have their respective certificates and no additional information is required besides those certificates and the security that is provided by the SSL protocol.
  • A Storage Resource agent deployed as a service on demand (non-daemon service) runs as a stand-alone executable file on the monitored computer. Communication from the server to the agent uses the same protocol that was used during the deployment of the agent. Communication from the agent to the server uses SSL.
  • A Storage Resource agent that is deployed as a daemon service on AIX, Linux, and Windows servers monitors disk paths in near real-time to detect errors. When deployed as a daemon service on an AIX server, the agent also monitors disk error events in near real-time.

    If the Storage Resource agent detects path status changes or disk errors, they are included in the status of the disks and paths. You can define alerts so that you are notified of changes to the status of the paths on monitored disks.

    Only status changes for existing paths are detected. If a new path is added, or an existing path is removed, the number of paths that is displayed is not updated immediately. The number of paths is updated after the next scheduled probe collects data.

    If a disk on an AIX server has an error status and you fix the error, you might want the new status of the disk to be displayed immediately. To display the new status immediately, you must reset the status indicator for the disk. To reset the status indicator, use the errclear command to clear the error log. To clear the error log, use the following syntax:

    errclear -d H -N disk_name 0

    For example, if you fixed an error on hdisk4, and want to display the new status immediately, run the following command:

    errclear -d H -N hdisk4 0

    If you do not reset the status indicator for the disk, the status changes automatically after a few hours.

    For information about the errclear command, see errclear Command.

Port numbers for Storage Resource agents deployed as a daemon service
The following port numbers are used by Storage Resource agents that are deployed as daemon service:
  • 9567 (For the Storage Resource agent that is deployed on the same server as IBM Spectrum Control.)
  • 9510 (For Storage Resource agents that are deployed on remote servers.)
Storage Resource agents that are deployed as a non-daemon service do not use a port.
Authentication between the IBM Spectrum Control server and a Storage Resource agent
IBM Spectrum Control requires the correct authentication information (user name, password, port, certificate location, or passphrase) for monitored computers each time it communicates with Storage Resource agents on those computers. If the authentication information changes for a host computer on which a Storage Resource agent is deployed, the authentication information for that agent must be updated by using the Modify Agents > Update Credentials action on the Servers page in the GUI.
Replacing default SSL certificates
IBM Spectrum Control provides default SSL certificates for communication between the Data server and Storage Resource agent.
IBM Spectrum Control 5.2.2 uses SSL certificates with 2048-bit encryption keys whereas previous versions of IBM Spectrum Control used 1024-bit encryption keys. If you upgrade IBM Spectrum Control from a version earlier than 5.2.2, your SSL certificates are not updated automatically. If you want to use 2048-bit encryption keys with previous versions of IBM Spectrum Control, you must replace the default SSL certificates with custom SSL certificates.
For information about how to replace SSL certificates, see Replacing default SSL certificates for the Data server and Storage Resource agents with custom SSL certificates.
Storage Resource agents on the same computer
You cannot deploy a Storage Resource agent on a computer where a Storage Resource agent is already installed and pointing to the same Data server. You can deploy a Storage Resource agent on the same computer as another Storage Resource agent if those agents communicate with different Data servers and use different ports when you listen for requests.
Time zones for computers that are monitored by Storage Resource agents
The time zones of computers that are monitored by Storage Resource agents are shown as Greenwich mean time (GMT) offsets in IBM Spectrum Control reports. For example, a computer in Los Angeles shows the following time zones in the By Computer report in Asset reporting:
(GMT-8:00) GMT-8:00
Connections for Linux and AIX operating systems by using Remote Shell protocol (RSH)
If RSH is configured to use a user ID and password, the connection fails. To successfully connect to a system by using RSH, you must set up the .rhosts file (in the home directory of the account). RSH must be configured to accept a login from the system that is running your application.
Deployments on Windows operating systems - NetBIOS setting
To install a Storage Resource agent on Windows targets, the Enable NetBIOS over TCP/IP option must be selected in the Control Panel settings for the computer's network connections properties. To set this option, complete the following steps:
  1. Open Windows Control Panel. For information about how to open Windows Control Panel, see Accessing administration tools.
  2. Select Network and Dial-Up Connections > some_connection > Properties > Internet Protocol (TCP/IP) > Advanced > WINS > Enable NetBIOS over TCP/IP.

To determine whether these ports are not blocked for inbound requests, see the documentation for your firewall.

To determine whether security policies are blocking the connection ports, open Administrative Tools. For information about how to open Administrative Tools, see Accessing administration tools. .

Depending on whether your policies are stored locally or in Active Directory, follow these directions:
Policies that are stored locally
For policies that are stored locally, complete the following steps:
  1. Open Windows Administrative Services.
  2. Click Local Security Policy > IP Security Policies on Local Computer.
Policies that are stored in Active Directory
For policies that are stored in Active Directory, examine the IP security policies and edit or remove filters that block the ports:
  • Click Administrative Tools > Default Domain Security Settings > IP Security Policies on Active Directory.
  • Click Administrative Tools > Default Domain Controller Security Settings > IP Security Policies on Active Directory.

For all Windows systems, the Server service must be running to connect to a Windows system by using the Windows protocol.

The following table lists the ports that are reserved for NetBIOS. Ensure that these ports are not blocked.
Port Description
135 NetBIOS Remote procedure call. (Not currently used.)
137 NetBIOS name service.
138 NetBIOS datagram. (Not currently used.)
139 NetBIOS session (for file and print sharing).
445 CIFS (on Windows XP).
For Windows , shares must be shared for the Guest or Everyone accounts, and password protected sharing must be disabled. To disable password protected sharing, follow these steps:
  1. Click Control Panel > Networking and Sharing Center.
  2. Click Change advanced sharing settings.
  3. Click the down arrow next to All Networks.
  4. Select Turn off password protected sharing.
  5. Click Save Changes.
  6. Exit from the Control Panel.
Deployments on Windows - User Account Control (UAC) remote restrictions
To install Storage Resource agents remotely on a Windows operating system, you must disable the User Account Control (UAC) remote restrictions on the Windows operating system. User Account Control is a security component on Windows operating systems.
Tip: To disable UAC restrictions, you must modify the computer registry. Serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if problems occur. For information about how to back up and restore the registry, see External link iconhttp://support.microsoft.com/kb/322756/.
To disable UAC remote restrictions, follow these steps:
  1. Open the Windows Run window. For information about how to open the Run window, see Accessing administration tools.
  2. Enter regedit and click OK.
  3. Locate and click the following registry subkey: 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
     Policies\System
  4. Double click the EnableLUA registry entry.
  5. In the Edit DWORD (32-Bit) dialog, change the value in the Value data field from 1 to 0.
  6. Click OK.
  7. Exit the registry editor.