Ops Center Analyzer Installation and Configuration Guide
MK-99ANA001-22
https://docs.hitachivantara.com/internal/api/webapp/print/6b658644-934a-42a3-8ecd-6fbe393f328b 1/315
1/4/25, 8:32 AM Ops Center Analyzer Installation and Configuration Guide
Overview
Before you install Hitachi Ops Center Analyzer, it's important to understand the product components, the functionality, and the system configuration as described in the following
sections.
Ops Center Analyzer provides a comprehensive application service-level and storage performance management solution that enables you to quickly identify and isolate performance
problems, determine the root cause, and provide solutions. It enables proactive monitoring from the application level through network and storage resources for end-to-end visibility
of your monitored environment. It also increases performance and storage availability by identifying problems before they can affect applications.
Ops Center Analyzer collects and correlates data from these sources:
Storage systems
Fibre channel switches
Hypervisors
Hosts
To use Ops Center Analyzer, you install and configure the following components:
Analyzer server: This server is the primary component that communicates with the Analyzer detail view server. It correlates the configuration and performance data obtained
by Analyzer detail view server to generate reports and enable data analytics for performance monitoring and problem resolution in your monitored infrastructure resources.
Analyzer detail view server: This server processes performance and configuration data received from probes that connect to monitoring targets and provides the data to the
Analyzer server for reporting and analysis.
Analyzer probe server: This server manages the probes connected to the monitoring target.
You can install the Ops Center Analyzer components either by deploying a virtual appliance or by using an installer.
There are three types of virtual appliances: the Ops Center OVA, the Analyzer OVA, and the Analyzer probe OVA. The Ops Center OVA installs multiple Ops Center components at
the same time, including Ops Center Analyzer components, and the Analyzer OVA installs only the Analyzer server and Analyzer detail view server. In both cases, you must also
install the Analyzer probe server after installing the Analyzer server and Analyzer detail view server. Deploying a virtual appliance is for new installations only.
You can install the Ops Center Analyzer components individually by using the product installers, or you can install multiple Ops Center products by using the Express installers. For
information on using the Express installers, see the Hitachi Ops Center Installation and Configuration Guide.
The following figure shows an example of a system configuration where Ops Center Analyzer components are installed by using the Ops Center OVA. Note that the required
configuration is the same whether you use the Ops Center OVA or the Analyzer OVA.
The Analyzer server and Analyzer detail view server are installed on the same host. Install the Analyzer probe server on a different host than the one where the Analyzer detail view
server is installed. When you install the Analyzer probe server, the following are installed at the same time: RAID Agent, Virtual Storage Software Agent (optional), and the
On-demand real time monitoring module. Use Ops Center API Configuration Manager in an environment installed by using the Analyzer probe OVA.
RAID Agent can be installed on a Windows host different from the Analyzer probe server. When RAID Agent is installed on a Windows host, the On-demand real time monitoring
module is installed at the same time.
If an IPv6 environment is included as a communication destination for Ops Center Analyzer, configure the system so that Ops Center Analyzer can establish communications
in IPv4.
For each component of Ops Center Analyzer, if you change the OS time to an earlier time, the component no longer works properly. Configure settings to minimize the
impact on applications. For example, if time is synchronized by using an NTP server, use slew mode.
The time on the Analyzer host must be synchronized with the time on other hosts running Ops Center products. For best results, configure an NTP server.
The Analyzer detail view server must be connected to one Analyzer server only.
The Analyzer probe server or RAID Agent (Windows) cannot be installed on a host where the JP1/Performance Management is installed.
The Hitachi Enterprise Storage probe uses RAID Agent to collect information for the following Virtual Storage Platform (VSP) storage systems:
VSP One B20, VSP E series, VSP F series, VSP G series, and VSP 5000 series
The Hitachi VSP One SDS Block probe uses Virtual Storage Software Agent to collect VSP One SDS Block information. To monitor the cloud model of VSP One SDS Block,
you must deploy Analyzer, including the Virtual Storage Software Agent component, in an on-premises environment, and design the network so that Virtual Storage Software
Agent can communicate with the cloud model of VSP One SDS Block in a cloud environment.
The Analyzer probe server can connect with RAID Agent or Virtual Storage Software Agent installed on another host. Also, the Analyzer probe server can connect to multiple
RAID Agents or Virtual Storage Software Agents.
If you are not using a given instance of Analyzer probe server, RAID Agent, or Virtual Storage Software Agent, stop the relevant services:
If you are using RAID Agent or Virtual Storage Software Agent installed on a host other than the Analyzer probe server host, stop the Analyzer probe server services
on the other host. For details, see Stopping the Analyzer detail view server or Analyzer probe server services.
If you are not using the RAID Agent or Virtual Storage Software Agent instances installed on the same host as the Analyzer probe server, stop the RAID Agent and
Virtual Storage Software Agent services. For details, see Stopping the RAID Agent services or Stopping the Virtual Storage Software Agent services.
If you followed the procedure Starting the RAID Agent services to specify the setting that starts the RAID Agent services automatically when the OS starts, clear that
setting.
You can connect only one RAID Agent or Virtual Storage Agent to a storage system. If you connect two or more RAID Agents or Virtual Storage Software Agents, data
collection might fail, some data might be missing, or the load on the storage system might increase.
For some storage systems, you can select the data collection method. For details, see Selecting the data collection method.
Install Ops Center Automator if the following conditions apply:
If you run the Ops Center Automator service from the resource selected on Ops Center Analyzer
If you use the Ops Center Analyzer Storage I/O controls feature to limit the I/O activity of volumes of the storage system by connecting with Ops Center Automator
If you want to limit the I/O activity of volumes by using the Ops Center Analyzer Storage I/O controls feature, install the Ops Center API Configuration Manager on a host of
your choice.
If you are already using Ops Center Automator or the Ops Center API Configuration Manager, you can configure the product or products that you are currently using with Ops
Center Analyzer.
The following authentication methods are supported:
This method uses the local built-in user authentication that uses the Common component.
This method centrally manages user information when using other Ops Center products. You can also use external user authentication (LDAP authentication or Kerberos
authentication) through Common Services. For details, see the Hitachi Ops Center Installation and Configuration Guide.
This method centrally manages user information when linking with other systems. For details, see Configure external user authentication.
The default installation directory for each component is shown in the following table.
Component name
Default installation directory
If this component was upgraded from a version earlier than 10.0.0, the previous installation path is inherited.
If a Common component was already installed with another product, the new Common component is installed in the same directory.
Notes:
1. The Common component includes functions that are used by some Ops Center products and some Hitachi Command Suite products and is installed as part of the
Analyzer server.
System requirements
Before installing, you must ensure that your environment meets the system requirements for Hitachi Ops Center Analyzer server, Ops Center Analyzer detail view server, and
Analyzer probe server.
The following describes the system requirements when you use the Analyzer OVA, Analyzer probe OVA, or the installer. For details about system requirements for using the Ops
Center OVA or Express installers, see the Hitachi Ops Center System Requirements.
System requirements for using the Analyzer OVA and Analyzer probe OVA
Before you install the Analyzer server and Analyzer detail view server using the Analyzer OVA (stand-alone OVA), review the guest operating system settings, virtualization software,
virtual machine resource settings, and hardware requirements.
Note:
For questions about the Oracle Linux OS that is packaged with this product, contact Oracle customer support.
Note:
Virtualization software
VMware vSphere Hypervisor (VMware ESXi) 7.0, 7.0u2, 7.0u3, 8.0, 8.0u1, 8.0u2, or 8.0u3
The default resource settings assume that you are managing nineteen (Medium scale) storage systems. For larger-scale systems, change the settings for memory, disk size, and
virtual memory.
The following table lists the default resource settings for the Analyzer server, the Analyzer detail view server, and the operating system.
Item Settings
Processor 8 cores
Memory 20 GB
Hardware requirements
The following tables list the required resources according to the size of the monitoring target. Change the resources as needed. For details, see Hardware sizing based on system
scale.
Monitoring storage systems only1 | Monitoring storage systems only | Monitoring storage systems, hypervisors, and switches
Small: 5 | Small: 3 GB | Small + Level 1: 100 GB
Medium: 5 | Medium: 6 GB | Medium + Level 2: 100 GB
Large: 5 | Large: 8 GB | Large + Level 3: 100 GB
Additional processors required for monitoring hypervisors2, 3 | Additional memory required for monitoring hypervisors2, 3
Level 1: 0 | Level 1: 0 GB
Level 2: 11 | Level 2: 8 GB
Level 3: 11 | Level 3: 8 GB
Additional processors required for monitoring switches2, 3 | Additional memory required for monitoring switches2, 3
Level 1: 3 | Level 1: 8 GB
Level 2: 11 | Level 2: 24 GB
Level 3: 11 | Level 3: 24 GB
1. If Analyzer server and Analyzer detail view server are installed on the same host, use these values:
2. To monitor hypervisors or switches in addition to storage systems, you will need to increase the number of resources based on the system scale.
3. If you want to monitor both hypervisors and switches, just use the larger of the two resource requirements.
Hardware requirements for the Analyzer detail view server
Processor (cores) | Memory | Free disk space for installation directory
Monitoring storage systems only1 | Monitoring storage systems only | Monitoring storage systems, hypervisors, and switches | Monitoring storage systems, hypervisors, and switches | Monitoring storage systems only
Small: 7 | Small: 6 GB | Small + Level 1: 150 GB | Small + Level 1: 150 GB | Small: 150 GB
Medium: 7 | Medium: 8 GB | Medium + Level 2: 150 GB | Medium + Level 2: 150 GB | Medium: 700 GB
Large: 7 | Large: 43 GB | Large + Level 3: 150 GB | Large + Level 3: 250 GB | Large: 1,700 GB
Additional processors required for monitoring hypervisors2 | Additional memory required for monitoring hypervisors2, 3 | Additional free disk space required for monitoring hypervisors2
Level 1: 0 | Level 1: 8 GB | Level 1: 15 GB
Level 2: 0 | Level 2: 8 GB | Level 2: 50 GB
Level 3: 0 | Level 3: 8 GB | Level 3: 250 GB
Additional processors required for monitoring switches2 | Additional memory required for monitoring switches2, 3 | Additional free disk space required for monitoring switches2
Level 1: 0 | Level 1: 8 GB | Level 1: 15 GB
Level 2: 0 | Level 2: 8 GB | Level 2: 20 GB
Level 3: 0 | Level 3: 8 GB
1. If Analyzer server and Analyzer detail view server are installed on the same host, use these values:
2. To monitor hypervisors or switches in addition to storage systems, you will need to increase the number of resources based on the system scale.
3. If you want to monitor both hypervisors and switches, just use the larger of the two resource requirements.
Note:
Before you install the Analyzer probe server and Ops Center Protector Client using the Analyzer probe OVA, review the guest operating system settings, virtualization software,
virtual machine resource settings, and hardware requirements.
Note:
Virtualization software
VMware vSphere Hypervisor (VMware ESXi) 7.0, 7.0u2, 7.0u3, 8.0, 8.0u1, 8.0u2, or 8.0u3
The default resource settings assume that you are managing nineteen (Medium scale) storage systems.
Item Settings
Processor 8 cores
Memory 32 GB
Hardware requirements
The following tables list the required resources according to the size of the monitoring target. Change the resources as needed. For details, see Hardware sizing based on system
scale.
Monitoring storage systems only Monitoring storage systems only Monitoring storage systems, hypervisors, and
switches
Small: 2 Data collection using command device3
Small + Level 1: 150 GB
Medium: 6 Small: 6 GB
Medium + Level 2: 350 GB1
Large: 12 Medium: 26 GB
Level 1: 0 GB
Level 2: 1 GB
Processor (cores) Memory Free disk space for installation directory
Level 3: 2 GB
1. If you change the data collection interval, the amount of free disk space required also changes.
For example, if you change the data collection interval from 5 minutes to 1 minute, the following free disk space is required:
Note:
The following OS setting changes are applied to the OVA to strengthen security. You can revert to the original settings if necessary. These OS settings can also be applied for the
Ops Center products installed by using the installer.
Note that Hitachi Vantara does not take responsibility for, or support any interactions between, third-party programs and these OS settings.
/etc/modprobe.d/CIS.conf
Additional settings:
/etc/fstab
Original settings:
Additional settings:
/etc/sysctl.conf
Additional settings:
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
fs.suid_dumpable = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_forward = 0
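The following script is an added example, not part of the original guide or of Hitachi's tooling: it audits a sysctl.conf-style file against the /etc/sysctl.conf values listed above and reports missing or changed keys. The function names (audit_sysctl, make_sample_conf) and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare a sysctl.conf-style file with the /etc/sysctl.conf
# hardening values listed in this guide. Function names are illustrative.

# Baseline copied from the "Additional settings" list for /etc/sysctl.conf.
BASELINE='net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
fs.suid_dumpable = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_forward = 0'

# audit_sysctl FILE
# Prints one line per deviation; returns 1 if any were found, 0 otherwise.
audit_sysctl() {
    printf '%s\n' "$BASELINE" | awk -v conf="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            # Load the file under audit. A later assignment of the same key
            # overrides an earlier one, so keep only the last value seen.
            while ((getline line < conf) > 0) {
                if (line ~ /^[ \t]*[#;]/ || line !~ /=/) continue
                eq = index(line, "=")
                have[trim(substr(line, 1, eq - 1))] = trim(substr(line, eq + 1))
            }
            close(conf)
        }
        {
            # Each input line here is one baseline entry: "key = value".
            eq   = index($0, "=")
            key  = trim(substr($0, 1, eq - 1))
            want = trim(substr($0, eq + 1))
            if (!(key in have)) {
                printf "MISSING %s (want %s)\n", key, want; bad++
            } else if (have[key] != want) {
                printf "DRIFT %s = %s (want %s)\n", key, have[key], want; bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# make_sample_conf: writes a constructed sample (not from a real host) with one
# key removed, two keys weakened, and one key set twice; prints the file path.
make_sample_conf() {
    _f=$(mktemp)
    {
        echo '# constructed sample for the audit demo'
        echo 'net.ipv4.tcp_syncookies = 0'
        printf '%s\n' "$BASELINE" |
            sed -e '/^kernel\.randomize_va_space/d' \
                -e 's/^net\.ipv4\.ip_forward = 0$/net.ipv4.ip_forward=1/' \
                -e 's/^fs\.suid_dumpable = 0$/fs.suid_dumpable = 1/'
    } > "$_f"
    printf '%s\n' "$_f"
}

# Demo on the constructed sample.
sample=$(make_sample_conf)
audit_sysctl "$sample" || echo "deviations found in $sample"
rm -f "$sample"
```

The audit covers only the file it is given; other files, such as those under /etc/sysctl.d/, can also set these keys, and `sysctl -n <key>` shows the value the running kernel uses.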
Additional settings:
Note: The default lines that identify the system name and kernel version for the login prompt in /etc/issue and /etc/issue.net have been removed.
Affected OVAs
Item OVA
/etc/modprobe.d/CIS.conf
Analyzer OVA
/etc/sysctl.conf
Analyzer OVA
This section provides the system requirements for using the installer.
The requirements for operating systems, network configuration, RPM packages, kernel parameters, and hardware are as follows:
Network configuration
Install the following RPM packages before installing the Analyzer server. You can check which RPM packages are missing by running the precheck tool (analytics_precheck.sh)
provided by Ops Center Analyzer.
If dashboard reports are sent to users, you must install the following packages and package group:
package
  gtk3-3.22.10 or later
  libXScrnSaver 1.2.2-6.1 or later
  libxshmfence.x86_64
  mesa-libgbm.x86_64
  nss-3.22 or later
package group
  fonts

alsa-lib.x86_64 1.0.27.2-3 or later
bash.x86_64
bc.x86_64 1.06.95-1 or later
bzip2-libs.x86_64
chkconfig.x86_64
coreutils.x86_64
cpio.x86_64
cups-libs.x86_64
findutils.x86_64
fontconfig.x86_64
freetype.x86_64 2.9.1-4 or later
gawk.x86_64
gdb.x86_64
glib2.x86_64
glibc.i686 2.28-72 or later
glibc.x86_64
glibc-common.x86_64
glibc-devel.i686
glibc-devel.x86_64
glibc-headers.x86_64
glibc-utils.x86_64
grep.x86_64
gtk2.x86_64
gtk3.x86_64
gzip.x86_64
iproute.x86_64
krb5-libs.x86_64
ksh.x86_64
libgcc.i686 8.3.1-4.5 or later
libgcc.x86_64
libnsl.x86_64 2.28-72 or later
libpng.x86_64 1.6.34-5 or later
RPM packages Details
libselinux-utils.x86_64
libstdc++.i686 8.3.1-4.5 or later
libstdc++.x86_64
libX11.x86_64
libXau.x86_64
libxcb.x86_64
libxcrypt.x86_64
libXext.x86_64
libXi.x86_64
libXrender.x86_64
libXtst.x86_64
lksctp-tools.x86_64
ncurses.x86_64
net-tools.x86_64 1.60-110 or later
nscd.x86_64
nss.x86_64
pcsc-lite-libs.x86_64
policycoreutils-python-utils.noarch
policycoreutils.x86_64 2.2.5-11 or later
procps-ng.x86_64
rpm.x86_64
sed.x86_64
sysstat.x86_64
tar.x86_64
tcsh.x86_64 6.17-24 or later
which.x86_64
zlib.x86_64
For Red Hat Enterprise Linux and Oracle Linux 8, the following packages are also required:
GConf2.x86_64
ncompress.x86_64
For Red Hat Enterprise Linux and Oracle Linux 9, the following packages are also required:
graphite2.x86_64
harfbuzz.x86_64
libbrotli.x86_64
pcre.x86_64
Kernel parameters
Before installing the Analyzer server, you must set the following kernel parameter values:
/etc/sysctl.conf Fourth parameter (SEMMNI) of kernel.sem The larger of 1024 and the following value: 24 + current-system-value
/etc/security/limits.conf soft nofile The larger of 8514 and the following value: 4418 + current-system-value
hard nofile
* The file path differs according to the environment. In addition, kernel parameters can also be set for files that are not listed here.
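The following script is an added example, not part of the original guide or of Hitachi's tooling: it applies the two rules above for the Analyzer server, changing only the fourth field (SEMMNI) of kernel.sem and deriving the nofile value. The function names, the "*" domain in the limits.conf lines, and the handling of "unlimited" are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: derive the Analyzer server kernel parameter values from the
# rules in this guide. Function names are illustrative, not Hitachi tooling.

# required_value FLOOR INCREMENT CURRENT
# Prints the larger of FLOOR and INCREMENT + CURRENT.
required_value() {
    case "$3" in
        ''|*[!0-9]*) echo "current value is not a number: '$3'" >&2; return 1 ;;
    esac
    _sum=$(( $2 + $3 ))
    if [ "$_sum" -gt "$1" ]; then echo "$_sum"; else echo "$1"; fi
}

# new_kernel_sem "SEMMSL SEMMNS SEMOPM SEMMNI"
# Prints a kernel.sem line for /etc/sysctl.conf in which only the fourth
# field (SEMMNI) is recalculated; the other three fields are kept as they are.
new_kernel_sem() {
    # Split on blanks or tabs (the kernel reports the fields tab-separated).
    set -- $1
    if [ "$#" -ne 4 ]; then
        echo "kernel.sem must have four fields, got $#" >&2
        return 1
    fi
    _semmni=$(required_value 1024 24 "$4") || return 1
    printf 'kernel.sem = %s %s %s %s\n' "$1" "$2" "$3" "$_semmni"
}

# required_nofile CURRENT
# Prints the value to use for "soft nofile" or "hard nofile".
required_nofile() {
    # Assumption: a limit that is already "unlimited" is left alone.
    if [ "$1" = "unlimited" ]; then echo unlimited; return 0; fi
    required_value 8514 4418 "$1"
}

# limits_lines CURRENT_SOFT CURRENT_HARD
# Prints the two lines for /etc/security/limits.conf.
# Assumption: the "*" domain (all users); the guide does not name a domain.
limits_lines() {
    _soft=$(required_nofile "$1") || return 1
    _hard=$(required_nofile "$2") || return 1
    printf '* soft nofile %s\n* hard nofile %s\n' "$_soft" "$_hard"
}

# Demo with constructed values. On a real host, read the current values with:
#   sysctl -n kernel.sem ; ulimit -Sn ; ulimit -Hn
new_kernel_sem "250 32000 32 128"
limits_lines 1024 262144
```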
Hardware requirements
For details on the number of manageable resources for each system scale, see Hardware sizing based on system scale.
Processor (cores) | Memory | Free disk space for installation directory1
Monitoring storage systems only3 | Monitoring storage systems only | Monitoring storage systems, hypervisors, and switches
Small: 5 | Small: 3 GB | Small + Level 1: 100 GB
Medium: 5 | Medium: 6 GB | Medium + Level 2: 100 GB
Large: 5 | Large: 8 GB | Large + Level 3: 100 GB
Free disk space for installation directory1: To complete the installation, you need a minimum of 2 GB. Do not include any symbolic links in the installation directory.
Free disk space by directory1, 2: /var/opt: 1 GB; /var/installation-directory-path: 3 GB
Additional processors required for monitoring hypervisors4, 5 | Additional memory required for monitoring hypervisors4, 5
Level 1: 0 | Level 1: 0 GB
Level 2: 11 | Level 2: 8 GB
Level 1: 3 Level 1: 8 GB
Level 2: 11 Level 2: 24 GB
Level 3: 11 Level 3: 24 GB
4. To monitor hypervisors or switches in addition to storage systems, you will need to increase the number of resources based on the system scale.
5. If you want to monitor both hypervisors and switches, just use the larger of the two resource requirements.
The requirements for operating systems, network configuration, Java version, RPM packages, kernel parameters, and hardware are as follows:
Network configuration
Java version
Amazon Corretto 17
Oracle JDK 17
Amazon Corretto 17 is bundled with Analyzer detail view server. If the default OS Java (the Java that is specified as /usr/bin/java by the alternatives command) is not Oracle JDK 17,
Amazon Corretto 17 is installed and is set as the default OS Java.
If you want to use Oracle JDK 17, install it in advance, and specify it as the default OS Java. If you are using a version earlier than the supported versions of Oracle JDK 17, upgrade
it in advance.
Note:
Install the following RPM packages before installing the Analyzer detail view server. You can check which RPM packages are missing by running the precheck tool
(analytics_precheck.sh) provided by Ops Center Analyzer.
For Red Hat Enterprise Linux and Oracle Linux 8, if nc (or nmap-ncat) and lsof are not installed, some maintenance information will be unavailable.
For this reason, we recommend you install the optional tool and set the necessary path.

alsa-lib.x86_64
atk.x86_64
bc
crontabs
cups-libs.x86_64
dejavu-sans-fonts
expat-devel
expect
fontconfig 2.13.0-4.3 or later
gcc
gtk3.x86_64
initscripts
iproute
libXScrnSaver.x86_64
libXcomposite.x86_64
libXcursor.x86_64
libXdamage.x86_64
libXext.x86_64
libXi.x86_64
libXrandr.x86_64
libXtst.x86
mesa-libgbm.x86_64
nss 3.79 or later
openssl-devel (1.0.1e-fips 11 Feb 2013 or later)
pango.x86_64
parted
perl
perl-CPAN
perl-IO-Socket-SSL
perl-XML-Simple
policycoreutils-python-utils
sudo
sysstat
tar
unzip
xorg-x11-fonts-100dpi
xorg-x11-fonts-75dpi
xorg-x11-fonts-Type1
xorg-x11-fonts-cyrillic
xorg-x11-fonts-misc
xorg-x11-utils
zip
For Red Hat Enterprise Linux and Oracle Linux 8, the following packages are also required:
lsof (recommended)
nc or nmap-ncat (recommended)
xorg-x11-font-utils 7.5-40 or later
For Red Hat Enterprise Linux and Oracle Linux 9, the following packages are also required:
mkfontscale
perl-LWP-Protocol-https
perl-YAML
Kernel parameters
Before installing the Analyzer detail view server, you must set the following kernel parameter values:
* The file path differs according to the environment. In addition, kernel parameters can also be set for files that are not listed here.
Hardware requirements
For details on the number of manageable resources for each system scale, see Hardware sizing based on system scale.
Processor (cores) | Memory | Free disk space for installation directory1, 2, 3 (Data retention period)
Monitoring storage systems only5 | Monitoring storage systems only | Monitoring storage systems, hypervisors, and switches | Monitoring storage systems, hypervisors, and switches | Monitoring storage systems only
Small: 7 | Small: 6 GB | Small + Level 1: 150 GB | Small + Level 1: 150 GB | Small: 150 GB
Medium: 7 | Medium: 8 GB | Medium + Level 2: 150 GB | Medium + Level 2: 150 GB | Medium: 700 GB
Large: 7 | Large: 43 GB | Large + Level 3: 150 GB | Large + Level 3: 250 GB | Large: 1,700 GB
Free disk space by directory3, 4: /root: 300 MB; /home: 100 MB; /usr/local: 1 GB
Additional processors Additional memory Additional free disk
required for monitoring required for monitoring space required for
Based on an Intel® Xeon® Processor E5-2670 v2 @ 2.50 GHz.
Do not include any symbolic links in the installation directory.
1. To complete the installation, you need a minimum of 5 GB and the disk usage must be less than 95%.
2. You must install the Analyzer detail view server on a physical disk. When you run the analytics_install.sh command, do not install the Analyzer detail view server on the
same disk where the operating system is installed.
3. Do not create these directories on a Network File System (NFS) partition.
4. The Analyzer detail view server retrieves the partition details and checks the free disk space. Make sure that the required disk space is available. For example, if the /home
and /usr/local directories are mounted on the P1 partition, the partition must have a minimum of 1124 MB free.
5. If Analyzer server and Analyzer detail view server are installed on the same host, use these values:
6. To monitor hypervisors or switches in addition to storage systems, you will need to increase the number of resources based on the system scale.
7. If you want to monitor both hypervisors and switches, just use the larger of the two resource requirements.
Note:
The requirements for operating systems, network configuration, Java version, RPM packages, kernel parameters, and hardware are as follows:
When installing the operating system, select the default software package settings or add a software package with the default settings selected for installation.
Time zone
Network configuration
Java version
Amazon Corretto 17
Oracle JDK 17
Amazon Corretto 17 is bundled with Analyzer probe server. If the default OS Java (the Java that is specified as /usr/bin/java by the alternatives command) is not Oracle JDK 17,
Amazon Corretto 17 is installed and is set as the default OS Java.
If you want to use Oracle JDK 17, install it in advance, and specify it as the default OS Java. If you are using a version earlier than the supported versions of Oracle JDK 17, upgrade
it in advance.
Note:
Install the following RPM packages before installing the Analyzer probe server. You can check which RPM packages are missing by running the precheck tool
(dcaprobe_precheck.sh) provided by Ops Center Analyzer.
For Red Hat Enterprise Linux and Oracle Linux 8, if nc (or nmap-ncat) and lsof are not installed, some maintenance information will be unavailable.
For this reason, the best practice is to install the optional tool and set the necessary path.
Note:
For best results after you install the prerequisite packages, upgrade the following packages to the following versions:
  libsemanage 2.9-3 or later
  python3-libsemanage 2.9-3 or later
If you want to monitor a Linux host, you must install the rsync package on both the Analyzer probe server and the target Linux host.

alsa-lib.x86_64
bash.x86_64
bc.x86_64
bzip2-libs.x86_64
chkconfig.x86_64
coreutils.x86_64
cpio.x86_64
crontabs
cups-libs.x86_64
expat-devel
expect
findutils.x86_64
firewalld
fontconfig.x86_64
freetype.x86_64
gawk.x86_64
gcc
gdb.x86_64
glib2.x86_64
glibc-all-langpacks.x86_64
glibc-common.x86_64
glibc-devel.i686
glibc-devel.x86_64
glibc-headers.x86_64
glibc-locale-source.x86_64
glibc-minimal-langpack.x86_64
glibc-utils.x86_64
glibc.i686
glibc.x86_64
grep.x86_64
gtk2.x86_64
gtk3.x86_64
gzip.x86_64
initscripts
iproute.x86_64
krb5-libs.x86_64
ksh.x86_64
libgcc.i686
libgcc.x86_64
libnsl.i686
libnsl.x86_64
libpng.x86_64
libstdc++.i686
libstdc++.x86_64
libX11.x86_64
libXau.x86_64
libxcb.x86_64
libxcrypt.i686
libxcrypt.x86_64
libXext.x86_64
libXi.x86_64
libXrender.x86_64
libXtst.x86_64
libyaml
lksctp-tools.x86_64
make
ncurses.x86_64
net-tools.x86_64
nscd.x86_64
nss-softokn-freebl.i686
nss-softokn-freebl.x86_64
nss.x86_64-3.21.0 or later
openssh-clients
openssl-1.0.2k or later
openssl-devel (1.0.1e-fips 11 Feb 2013 or later)
pcsc-lite-libs.x86_64
perl
perl-CPAN
perl-Digest-MD5
perl-IO-Socket-SSL
perl-XML-Simple
policycoreutils
policycoreutils-python-utils
procps-ng.x86_64
rpm.x86_64
sed.x86_64
sudo
sysstat.x86_64
systemd
tar.x86_64
tcsh.x86_64
unzip
which.x86_64
zip
zlib.x86_64
For Red Hat Enterprise Linux and Oracle Linux 8, the following packages are also required:
GConf2.x86_64
lsof (recommended)
nc or nmap-ncat (recommended)
ncompress.x86_64
ncurses-compat-libs.x86_64
nss_db.i686
nss_db.x86_64
For Red Hat Enterprise Linux and Oracle Linux 9, the following packages are also required:
graphite2.x86_64
harfbuzz.x86_64
libbrotli.x86_64
pcre.x86_64
perl-CPAN-Meta-Check
perl-Date-Calc
perl-Date-Manip
perl-ExtUtils-MakeMaker
perl-File-Copy
perl-File-ShareDir
perl-File-stat
perl-LWP-Protocol-https
perl-Net-Ping
perl-Time-Local
perl-YAML
Kernel parameters
Before installing the Analyzer probe server, you must set the following kernel parameter values:
* The file path differs according to the environment. In addition, kernel parameters can also be set for files that are not listed here.
Hardware requirements
For details on the number of manageable resources for each system scale, see Hardware sizing based on system scale.
Processor (cores), monitoring storage systems only:
  Small: 2
  Medium: 6
  Large: 12
Additional processors required for monitoring hypervisors6:
  Level 1: 0
  Level 2: 2
  Level 3: 2
Memory1, monitoring storage systems only:
  Data collection using command device7
    Small: 6 GB
    Medium: 26 GB
    Large: 40 GB
  Data collection using SVP and REST API8
    Small: 6 GB
    Medium: 18 GB
    Large: 28 GB
Free disk space for installation directory2,3, monitoring storage systems, hypervisors, and switches:
  Small + Level 1: 150 GB
  Medium + Level 2: 350 GB4
  Large + Level 3: 350 GB4
  To complete the installation, you need a minimum of 5 GB and the disk usage must be less than 95%.
  Do not include any symbolic links in the installation directory.
Free disk space by directory2,3:
  Analyzer probe server:
    /etc: 100 MB
    /home: 100 MB
    /root: 300 MB
    /usr/local: 1 GB
  RAID Agent:
    /opt/jp1pc:
      Small: 6 GB
      Medium: 25 GB
      Large: 35 GB
Additional processors required for monitoring switches6
Level 3: 2 GB
1. When analyzing Universal Replicator performance, if you perform monitoring with the maximum value of C/T delta set to a value greater than the default (3,600 seconds),
the amount of memory used by the Analyzer probe server increases. You can calculate the amount of the increase by using the following formula:
For details on how to change the maximum value of C/T delta, see Changing the maximum C/T delta value monitored when analyzing Universal Replicator performance.
the /home and /usr/local directories are mounted on the P1 partition, the partition must have a minimum of 1124 MB free.
the /etc directory is mounted on the P2 partition, the partition must have a minimum of 100 MB free.
4. If you change the data collection interval, the amount of free disk space required also changes. For example, if you change the data collection interval from 5 minutes to 1
minute, the following free disk space is required:
Monitoring storage systems, hypervisors, and switches
Medium + Level 2: 300 GB
Large + Level 3: 450 GB
5. This is the free disk space required to install Virtual Storage Software Agent.
6. To monitor hypervisors or switches in addition to storage systems, you will need to increase the number of resources based on the system scale.
7. When RAID Agent is configured to monitor storage systems by using Access Type 1 or 2.
8. When RAID Agent is configured to monitor storage systems by using Access Type 3 or 4. If you are collecting data by using command devices and by using the SVP and
REST API, the system requirements for data collection using command devices apply.
Note:
The following describes the operating system, network configuration, and hardware requirements for installing RAID Agent on a Windows host.
OS name Edition SP Architecture
Network configuration
RAID Agent supports the use of IPv4 and IPv6 together or IPv4 only.
Hardware requirements
For details on the number of manageable resources for each system scale (Small, Medium, and Large), see the table of "Monitoring storage systems by using RAID Agent
(Windows)" in Hardware sizing based on system scale.
Processor (cores) | Memory | Free disk space for installation folder | Free disk space for Hybrid Store folder | Free disk space by folder
Note: If you are monitoring a system that is similar to or larger than Large scale, consider installing multiple RAID Agent servers.
To complete the installation, you need a minimum of 900 MB. Do not include any symbolic links and junction points in the installation folder.
If you change the data collection interval, the amount of free disk space required also changes. For example, if you want to change the data collection interval from 5 minutes to 1 minute, you need 5 times the free disk space listed above.
Small: 3.1 GB
Medium: 6.8 GB
Large: 11.5 GB
Folder specified by the TEMP environment variable: 400 MB
The requirements for operating systems, network configuration, locale, software, and hardware are as follows:
Network configuration
System locale
The Analyzer Windows probe must be installed on an English Windows machine with one of the following English System locales:
Australia
Belize
Canada
Caribbean
India
Ireland
Jamaica
Malaysia
New Zealand
Philippines
Singapore
South Africa
Trinidad and Tobago
United Kingdom
United States
Zimbabwe
The Display language and Input Method language on the Windows machine must be set to English.
Software requirements
Hardware requirements
Prerequisites Minimum
Processor 4 cores
Memory 8 GB
Note: You must install one Analyzer Windows probe for every 100 machines.
Note: If you are using the Analyzer Windows probe, you must use the same version of Analyzer detail view server included in the product package for the probe. For details, see the
Release Notes.
The following table contains guidelines for determining the size of your environment based on the number of monitoring targets. Based on the sizing and scalability guidelines, you
can identify the hardware requirements and scale your environment to meet workload demands.
Storage
Note:
To manage a system larger than that described in "Large scale", please contact us separately.
The system scale requirements for just monitoring storage systems are the same for all Ops Center products. For details, see the Hitachi Ops Center System Requirements.
Level 1
8 120 8 384
Level 2
25 375 25 1,200
Level 3
50 3,000 40 1,920
The memory and disk space requirements vary depending on the managed resources. For example:
Maximum number of resources
System scale
Storage
Storage Volume
Use this table to perform hardware sizing based on the scale of the system to be monitored by using RAID Agent (Windows).
Port requirements
Before you install the Analyzer server, Analyzer detail view server or Analyzer probe server, review the desktop, port, and firewall requirements.
Note: By default, iptables is used instead of the firewalld daemon in the virtual appliance.
22016 (note 2) HTTPS
24222 (note 3) HTTPS
22 (note 3) SSH
Common Services
443 HTTPS
Common component 22031, 22032, 22035, 22036, 22037, and 22038 TCP
localhost localhost 27100, 27102, 27103, and 27104 (internal; do not open these ports for external communication.) TCP
Notes:
7443 (note 2) HTTPS
21 (note 2) FTP
990 (note 2) FTPS
Common Services
Analyzer detail view server 443 HTTPS
9999, 8888, 8013, 6379, 6380, 6381, 6382, and 2181 (internal; do not open these ports for external communication.) TCP
Notes:
Analyzer detail view server On-demand real time monitoring module 24262 WSS (WebSocket over TLS)
localhost localhost 9999 and 8888 (internal; do not open these ports for external communication.) TCP
Notes:
Probe name | Collection method | Source IP address | Target IP address | Default port | Protocol
Storage systems
Hitachi Enterprise Storage | RAID Agent | Analyzer probe server | RAID Agent Server | 24221 | HTTP
| | | | 24222 | HTTPS
| RAID Agent (required if using REST API) | RAID Agent Server | ESM (for VSP One B20) | 80 or 443 | HTTP or HTTPS
| Hitachi Ops Center API Configuration Manager (REST API) | Analyzer probe server | Hitachi Ops Center API Configuration Manager Server | 23450 | HTTP
| | | | 23451 | HTTPS
Hitachi NAS (REST API) | REST API | Analyzer probe server | HNAS REST API Server | 8444 | HTTPS
VSP One SDS Block | Virtual Storage Software Agent (REST API) | Analyzer probe server | Virtual Storage Software Agent Server | 24081 | HTTPS
Hypervisors
VMware | VMware vCenter API | Analyzer probe server | VMware vCenter Server/VMware ESXi Host | 443 | TCP
Perfmon 445
IBM Power Systems | HMC (Hardware Management Console) REST API | Analyzer probe server | IBM Power Systems managed by Hardware Management Console (HMC) | 12443 | HTTPS
FC Switches
Brocade FC Switch | Brocade Switch CLI | Analyzer probe server | Brocade FC Switch | 22 | SSH
| | | | 443 | HTTPS
Cisco FC Switch (DCNM) | DCNM (REST API) | Analyzer probe server | DCNM Server | 443 | HTTPS
Hosts
Note: Make sure that the time on the target device is synchronized with the UTC time. For example, when the time in UTC is 23:00, the time on the target device in the PST time
zone must be 15:00.
VSP One B20 | VSP 5000 series | VSP E990, VSP G/F350, G/F370, G/F700, G/F900, VSP G200, G/F400, G/F600, G/F800 | VSP G1000, G1500, and VSP F1500
Supported ciphers
The Analyzer detail view server and Analyzer probe server support various ciphers when transferring data using HTTPS or SFTP connections.
The following ciphers are supported while transferring data using SFTP and HTTPS connections from the Analyzer probe server to the Analyzer detail view server or
Intermediate FTP server:
Note: The first matching algorithm on the Analyzer detail view server or Intermediate FTP server is used for the SSL handshake.
Encryption algorithm: aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, twofish256-cbc, twofish192-cbc, twofish-cbc, twofish256-ctr, twofish192-ctr, serpent256-cbc, serpent192-cbc, serpent128-cbc, serpent256-ctr, serpent192-ctr, serpent128-ctr, 3des-cbc, 3des-ctr, cast128-cbc, cast128-ctr, arcfour256, arcfour128, arcfour, idea-cbc, idea-ctr, blowfish-ctr, none
MAC algorithm: hmac-sha2-512-96, hmac-sha2-512, hmac-sha2-256-96, hmac-sha2-256, hmac-sha1-96, hmac-sha1, hmac-md5-96, hmac-md5, none
The following ciphers are supported in Analyzer probe server to establish secure communication with Analyzer detail view server for various operations if you are using
TLS v1.3:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
The following ciphers are supported while transferring data using an HTTPS connection from the Analyzer Windows probe to the Analyzer detail view server or Intermediate HTTPS
server:
Note: The first matching algorithm on the Analyzer detail view server or Intermediate HTTPS server is used for the SSL handshake.
Encryption algorithm: aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, twofish256-cbc, twofish192-cbc, twofish-cbc, twofish256-ctr, twofish192-ctr, serpent256-cbc, serpent192-cbc, serpent128-cbc, serpent256-ctr, serpent192-ctr, serpent128-ctr, 3des-cbc, 3des-ctr, cast128-cbc, cast128-ctr, arcfour256, arcfour128, arcfour, idea-cbc, idea-ctr, blowfish-ctr, none
MAC algorithm: hmac-sha2-512-96, hmac-sha2-512, hmac-sha2-256-96, hmac-sha2-256, hmac-sha1-96, hmac-sha1, hmac-md5-96, hmac-md5, none
The following ciphers are supported while transferring data using an SFTP connection from the Analyzer Windows probe to the Analyzer detail view server or Intermediate SFTP
server:
Encryption algorithm: aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc, aes128-ctr, 3des-ctr, aes192-ctr, aes256-ctr
MAC algorithm: [email protected], [email protected], hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96
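The selection rule in the notes above (the first algorithm on the server's list that the probe also supports is used) means the server's ordering decides whether a transfer ends up on a weak algorithm. The following added example, which is not part of the guide, applies that rule to server settings in the `ciphers`/`macs` line format printed by `sshd -T`. The sample server settings are constructed, and the set of algorithms treated as weak (`none`, RC4, and 64-bit block ciphers, plus MD5-based MACs) is this example's policy, not a list from the guide.

```shell
#!/bin/sh
# Added example, not part of the guide: apply the "first matching algorithm on
# the server" rule from the notes above and flag weak results.

# Algorithms the Analyzer probe server supports for SFTP/HTTPS transfers,
# copied from the first list in this section.
PROBE_ENC="aes256-cbc aes192-cbc aes128-cbc aes256-ctr aes192-ctr aes128-ctr \
twofish256-cbc twofish192-cbc twofish-cbc twofish256-ctr twofish192-ctr \
serpent256-cbc serpent192-cbc serpent128-cbc serpent256-ctr serpent192-ctr \
serpent128-ctr 3des-cbc 3des-ctr cast128-cbc cast128-ctr arcfour256 \
arcfour128 arcfour idea-cbc idea-ctr blowfish-ctr none"
PROBE_MAC="hmac-sha2-512-96 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-256 \
hmac-sha1-96 hmac-sha1 hmac-md5-96 hmac-md5 none"

# in_list WORD "LIST": succeed when WORD is one of the space-separated items.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# negotiate "SERVER_LIST" "PROBE_LIST": walk the server's comma-separated list
# in order and print the first algorithm the probe also supports.
negotiate() {
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        if in_list "$alg" "$2"; then
            printf '%s\n' "$alg"
            return 0
        fi
    done
    return 1
}

# is_weak ALG: policy of this example (assumption, not from the guide):
# no protection at all, RC4, 64-bit block ciphers, and MD5-based MACs.
is_weak() {
    case "$1" in
        none|arcfour*|3des-*|cast128-*|idea-*|blowfish-*|hmac-md5*) return 0 ;;
    esac
    return 1
}

# audit_transfer: read "ciphers ..." and "macs ..." lines on stdin and report
# what each negotiation would select. Returns 1 if a weak algorithm would be
# selected, 2 if there is no common algorithm, 0 otherwise.
audit_transfer() {
    result=0
    while read -r key value; do
        case "$key" in
            ciphers) supported=$PROBE_ENC ;;
            macs)    supported=$PROBE_MAC ;;
            *)       continue ;;
        esac
        if chosen=$(negotiate "$value" "$supported"); then
            if is_weak "$chosen"; then
                echo "$key: $chosen WEAK"
                if [ "$result" -lt 1 ]; then result=1; fi
            else
                echo "$key: $chosen ok"
            fi
        else
            echo "$key: no common algorithm"
            result=2
        fi
    done
    return "$result"
}

# Constructed sample server settings (not taken from a real host).
SAMPLE_HARDENED='ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256'
SAMPLE_LEGACY='ciphers 3des-cbc,aes128-cbc,aes256-ctr
macs hmac-md5,hmac-sha2-256'

echo "hardened server:"; printf '%s\n' "$SAMPLE_HARDENED" | audit_transfer || true
echo "legacy server:";   printf '%s\n' "$SAMPLE_LEGACY"   | audit_transfer || true
```

On a real intermediate SFTP server that runs OpenSSH, the input can come from `sshd -T | grep -E '^(ciphers|macs) '`.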
Supported browsers
Analyzer detail view server and Analyzer probe server support the following browsers:
You can monitor the following storage systems, hypervisors, hosts, and FC switches.
VSP One B24, B26, B28 | A3-02-21 or later | Hitachi Enterprise Storage probe
VSP 5100, 5500, 5100H, 5500H | 90-02 or later
VSP 5200, 5600, 5200H, 5600H | 90-08 or later
VSP E590, E790 | 93-03-21 or later
Note: If performance data is collected using a command device by using RAID Agent on the same host as the Analyzer probe server, make sure that the RAID Manager LIB is installed on the same server as the Hitachi Enterprise Storage probe.
VSP One File 32, 34, 38 | 15.1 or later | Hitachi NAS (REST API) probe
Note: To view VSP One File configuration and performance reports, go to the Analyzer detail view server.
VSP One SDS Block | 1.10 or later | Hitachi VSP One SDS Block probe
Note:
Because the VSP N series is equivalent to the VSP F series or VSP G series, Ops Center Analyzer uses the VSP F series or VSP G series storage model names to indicate the VSP
N series. (The model descriptions are equivalent as well.)
Storage system model in the VSP N series Notation in Ops Center Analyzer
VMware ESXi
7.0u3
8.0
8.0u1
8.0u2
8.0u3
Standard
Datacenter
Standard
Datacenter
Oracle Linux
8.8
8.10
9.2
9.4
CentOS
7.1
7.2
You can monitor the following FC switches:
Cisco Cisco Data Center Network Manager (REST API) Cisco FC Switch (DCNM) probe
11.4
11.5(1)
Analyzer can monitor all SAN switches supported by these versions of DCNM.
To install the Analyzer server, the Analyzer detail view server, and the Analyzer probe server using the stand-alone OVA installers, first verify the system requirements and then
deploy the software.
You can also install the Analyzer server and Analyzer detail view server using the Ops Center OVA. For details, see the Hitachi Ops Center Installation and Configuration Guide.
The following figure shows the workflow for creating an Ops Center Analyzer system by using a virtual appliance.
If you use the Ops Center OVA, Ops Center Analyzer is automatically registered in Common Services on the same host. However, in the following cases, you must manually register
Ops Center Analyzer in Common Services after the installation:
Installing Ops Center Analyzer and Analyzer detail view servers (VMware vSphere Client)
By deploying the OVA file (Analyzer OVA), you can create a virtual machine on which the Analyzer server and the Analyzer detail view server are installed.
Review the requirements for the Analyzer server and the Analyzer detail view server (hardware and software).
You can skip this step if you are sure that the IP addresses will not conflict.
When deployment is complete, the following are set by default for the virtual machine:
IP address: 172.30.197.99
Network mask: 255.255.0.0
Default gateway: 172.30.0.1
a. Right-click the new virtual machine, and select Edit Settings.
b. In the Hardware tab, select Network adapter 1, and then clear the Connect at power on check box.
4. Start the virtual machine.
5. If you changed the settings in step 3 so that the virtual machine does not connect to the network when it starts, perform the following steps:
a. Right-click the virtual machine, and select Edit Settings.
b. In the Hardware tab, select Network adapter 1, and then check the Connect at power on check box.
After you complete the OVA deployment, run the setup tool (opsvmsetup) to complete the initial setup.
You can use the setup tool to set the following:
Network settings
Host name
IP address
Default gateway
Network mask
DNS server (up to two servers)
Password-based SSH root login
Time settings
Time zone
NTP server
During initial setup, firewall settings for the service port are configured in addition to the network and time settings for the guest OS, and SSL settings. If you want to use Common
Services, you must manually register Analyzer, Analyzer detail view and Analyzer probe in Common Services.
Note:
You can run the setup tool only once. Afterwards, you must change the settings manually.
The setup tool only supports IPv4 addresses.
Specify the time zone in the area/location format. If you do not know the proper values, use the following command to check the time zone values before running the
setup tool:
timedatectl list-timezones
1. From the VMware vSphere client, log in to the guest operating system using the following user ID and temporary password:
Password: manager
This setup tool is stored in /opt/OpsVM/vmtool but you can run the tool from any location.
5. If you changed the settings so that the virtual machine is not connected to the network when deployed, enable the network adapter:
a. Log in to the guest operating system, and then stop the virtual machine by using the shutdown command.
b. From the VMware vSphere client, power on the virtual machine.
When you deploy the OVA file (Analyzer OVA), the necessary settings for the Analyzer server and the Analyzer detail view server are specified for the virtual machine and guest OS.
The following table lists the defaults for the guest operating system. To change the settings for the Analyzer server and the Analyzer detail view server after deployment, change the
operating system settings as needed.
Item Settings
For details about the latest operating system version, see Requirements for the Analyzer OVA.
Installed libraries Prerequisite libraries required for the Analyzer server and the Analyzer detail view server included in the Analyzer
OVA.
Kernel parameters Values required for the Analyzer server and the Analyzer detail view server included in the Analyzer OVA.
Registering firewall exceptions In addition to the ports that are registered as exceptions by the operating system, the ports that must be registered
as exceptions for each of the products.
Installing the Analyzer probe server and Protector Client (VMware vSphere Client)
By deploying the OVA file (the Analyzer probe OVA), you can create a virtual machine on which Analyzer probe server, Protector Client, and Ops Center API Configuration Manager
are installed.
At startup, RAID Agent is subject to the system LANG environment variable. If the LC_ALL environment variable differs from the LANG environment variable, either
unset LC_ALL or change the value to match the LANG value. Use the following example as a reference when setting the LANG value for RAID Agent. The last line is
an example of coding that unsets the LC_ALL value.
Example settings:
## Set Environment-variables
PATH=/sbin:/bin:/usr/bin:/opt/jp1pc/bin
SHLIB_PATH=/opt/hitachi/common/lib
LD_LIBRARY_PATH=/opt/hitachi/common/lib
LIBPATH=/opt/hitachi/common/lib
HCCLIBCNF=/opt/jp1/hcclibcnf
LANG=C
export PATH SHLIB_PATH LD_LIBRARY_PATH LIBPATH HCCLIBCNF LANG
unset LC_ALL
If you want to monitor VSP One B20 or VSP family, you must enable access from a guest OS to the command device. For details, see the documentation for your
virtual system.
Note: If you do not want to collect performance information using a command device, skip these settings.
Use a VMware vSphere Client to add a device to the guest OS. If you designate a command device as the device to add, the command device can be
accessed from the guest OS.
When configuring settings to add a device, make sure that the following requirements are met:
From the VMware vSphere client, select File > Deploy OVF Template, and then follow the on-screen instructions.
Tip: For best results, select Thick Provision Lazy Zeroed in the window for selecting the disk provisioning method.
3. Change the settings so that the virtual machine does not connect to the network when started.
This operation is not required if you are sure that the IP addresses will not conflict.
When deployment is complete, the following default network settings are used for the virtual machine:
IP address: 172.30.197.101
Network mask: 255.255.0.0
Default gateway: 172.30.0.1
a. Right-click the virtual machine that you want to edit, and then select Edit Settings.
b. In the Hardware tab, select Network adapter 1, and then clear the Connect at power on check box.
4. Start the virtual machine.
When you log in for the first time, use the following user ID and password:
Password: manager
After you log in, you must change the root password.
Run the setup tool on the guest OS, and then specify the guest OS initial settings.
Note: When running the Analyzer probe server, Ops Center API Configuration Manager, and Protector Client on the same VM, all components share the same command device, but
Ops Center API Configuration Manager and Protector Client must access the storage systems using different credentials. This means they must use different user accounts when
accessing the storage system.
Tip: The Analyzer probe server and Protector Client are installed in the following directory on the virtual machine.
After deploying the virtual appliance, run the setup tool (opsvmsetup) to specify the guest OS initial settings. If you want to use Protector, specify settings for Protector. If you want to
use Common Services, you must manually register Analyzer probe in Common Services.
timedatectl list-timezones
The times and time zones of the following servers must be synchronized:
Analyzer server
Analyzer detail view server
NTP server
Security setting
Server certificate
Protector settings
Whether to use Protector
Protector master host name
Protector master IPv4 address
4. Check the contents of the list that displays your specified settings, and then apply the settings.
5. If the virtual machine is not connected to the network when deployed, complete the following steps to enable the network adapter:
a. Log on to the guest OS.
b. Stop the virtual machine by running the shutdown command.
c. Right-click the virtual machine that you want to stop, and then select Edit Settings.
d. In the Hardware tab, select Network adapter 1, and then select the Connect at power on check box.
e. Power on the virtual machine.
You can also install the Ops Center Analyzer components using the Express installers. For details, see the Hitachi Ops Center Installation and Configuration Guide.
The following figure shows the workflow for creating an Ops Center Analyzer system by using the installer. If you want to use Common Services, you must manually register
Analyzer, Analyzer detail view, and Analyzer probe in Common Services by performing the procedures described in "Initial setup after installation".
You can obtain the prerequisite RPM packages from the Linux OS media or the distribution website, such as for Red Hat Enterprise Linux.
You can check which RPM packages are missing by running the precheck tool (analytics_precheck.sh).
If the libstdc++ package is already installed in the environment in which the Analyzer probe server:
This error occurs because the version of the x86_64 package (the 64-bit library) differs from that of the i686 package (the 32-bit compatibility library). If this happens, update the
x86_64 package (the 64-bit library), and then retry the installation of libstdc++.i686:
The following describes how to install or update the RPM packages by using the Linux OS media.
mkdir /media/OSImage
mount /dev/cdrom /media/OSImage
touch /etc/yum.repos.d/OSImage.repo
echo [dvd-baseos]>>/etc/yum.repos.d/OSImage.repo
echo name=dvd-baseos>>/etc/yum.repos.d/OSImage.repo
echo baseurl=file:///media/OSImage/BaseOS/>>/etc/yum.repos.d/OSImage.repo
echo gpgcheck=0>>/etc/yum.repos.d/OSImage.repo
echo enabled=1>>/etc/yum.repos.d/OSImage.repo
echo >>/etc/yum.repos.d/OSImage.repo
echo [dvd-appstream]>>/etc/yum.repos.d/OSImage.repo
echo name=dvd-appstream>>/etc/yum.repos.d/OSImage.repo
echo baseurl=file:///media/OSImage/AppStream/>>/etc/yum.repos.d/OSImage.repo
echo gpgcheck=0>>/etc/yum.repos.d/OSImage.repo
echo enabled=1>>/etc/yum.repos.d/OSImage.repo
3. Run the yum command to install or update the packages and package group:
For packages
umount /media/OSImage/
rm /etc/yum.repos.d/OSImage.repo
The following describes how to install or update the RPM packages by using the distribution website.
proxy=http://host-name:port-number
proxy_username=user-name
proxy_password=password
3. Run the yum command to install or update the packages and package group.
For packages
Before installing the Analyzer detail view server or Analyzer probe server on a Linux host, the minimum value of the system-wide and user-level limits on the number of open files
must be set to 65535 or greater.
System-wide: 327675
User-level: 262140
1. Log on as follows:
a. If you are installing the Analyzer detail view server or Analyzer probe server for the first time, log on to the Linux machine as root.
b. If you are performing this task post-installation or while upgrading, log on to the Analyzer detail view server or Analyzer probe server through an SSH client (such as PuTTY)
as a root user.
2. Run the following command to check the system-wide kernel limit:
Note: The recommended kernel limit is 327675.
mkdir sysctl.d
b. Navigate to the /etc/sysctl.d directory and create the sysctl.conf file if it does not exist.
c. Ensure that the fs.file-max property is present in the sysctl.conf file and the value is set to 65535 or greater.
d. Run the following command to apply the revised configuration:
sysctl -p /etc/sysctl.d/sysctl.conf
4. If you changed the system-wide kernel or user-level limits on the Analyzer detail view machine, you must restart the machine.
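The following added example, which is not part of the guide, checks the open-file limits described in this procedure before an installation or upgrade. It compares the running kernel value, the current user's limit, and the value persisted in /etc/sysctl.d/sysctl.conf against the 65535 minimum and the 327675 and 262140 values listed above. The function names and the FAIL/WARN/OK labels are this example's own.

```shell
#!/bin/sh
# Added example, not part of the guide: verify the open-file limits that this
# section requires before installing the detail view server or probe server.

MIN_OPEN_FILES=65535     # minimum required by this section
REC_SYSTEM_WIDE=327675   # system-wide value listed above
REC_USER_LEVEL=262140    # user-level value listed above

# classify_limit VALUE RECOMMENDED: print FAIL (missing, not a number, or below
# the minimum), WARN (meets the minimum but is below RECOMMENDED) or OK.
# "unlimited" (possible output of `ulimit -n`) counts as OK.
classify_limit() {
    case "$1" in
        unlimited)   echo OK; return 0 ;;
        ''|*[!0-9]*) echo FAIL; return 1 ;;
    esac
    if [ "$1" -lt "$MIN_OPEN_FILES" ]; then echo FAIL; return 1; fi
    if [ "$1" -lt "$2" ]; then echo WARN; return 0; fi
    echo OK
}

# configured_file_max: read a sysctl configuration file on stdin and print the
# last fs.file-max value it sets. Commented-out lines are ignored and later
# lines override earlier ones.
configured_file_max() {
    sed -n 's/^[[:space:]]*fs\.file-max[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        tail -n 1
}

# report_limits RUNNING USER SAVED: print one line per limit and return 1 when
# any of them fails the minimum. An empty SAVED value means fs.file-max is not
# set in the configuration file, so the setting would not survive a restart.
report_limits() {
    rc=0
    running=$(classify_limit "$1" "$REC_SYSTEM_WIDE") || rc=1
    user=$(classify_limit "$2" "$REC_USER_LEVEL") || rc=1
    saved=$(classify_limit "$3" "$REC_SYSTEM_WIDE") || rc=1
    printf 'fs.file-max (running kernel): %s [%s]\n' "${1:-not set}" "$running"
    printf 'open files (this user):       %s [%s]\n' "${2:-not set}" "$user"
    printf 'fs.file-max (sysctl.conf):    %s [%s]\n' "${3:-not set}" "$saved"
    return "$rc"
}

# Live check on a Linux host; skipped where /proc is not available.
conf=/etc/sysctl.d/sysctl.conf
saved_value=""
if [ -r "$conf" ]; then saved_value=$(configured_file_max < "$conf"); fi
if [ -r /proc/sys/fs/file-max ]; then
    report_limits "$(cat /proc/sys/fs/file-max)" "$(ulimit -n)" "$saved_value" || true
fi
```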
To install the Analyzer server and Analyzer detail view server, run the installer and follow the prompts. You can install the Analyzer server and the Analyzer detail view server at the
same time by using the installer (analytics_install.sh), or you can choose to install only one of the components.
The installer starts and stops the crond service. Therefore, do not run any operations that use the crond service when the installer is running.
Verify the following prerequisites before installing the Analyzer server and Analyzer detail view server.
Common prerequisites for the Analyzer server and the Analyzer detail view server:
Review the Analyzer server and the Analyzer detail view server requirements (hardware and software).
Verify that you have root permission to run the installer and the precheck tool.
Verify that the console and clock properties are set to the same time zone.
Verify that the times and time zones of the following servers are synchronized:
Analyzer server
Analyzer detail view server
Do not include any symbolic links in the installation path.
Do not set the COLUMNS environment variable.
If firewalld is enabled during installation, settings will be changed for all active zones. If necessary, revise the settings after the installation finishes.
Verify that you can resolve the IP address from the host name of the Analyzer server.
Check the hosts file or the domain name system (DNS) server configuration of the host where the Analyzer server is installed.
Verify that the ports you specify are available for communication. The default ports are 22015 (non-SSL) and 22016 (SSL).
To prevent an installation error, verify that the ports used by the Common component (27100, 27102, 27103, and 27104) are not used by other processes.
During installation, when prompted to specify the installation directory for the Analyzer server, follow these rules:
For best results, specify the /opt directory.
Specify a directory name with no more than 93 characters.
Use the following characters:
Prepare an unformatted device (physical device or logical device such as an LVM) specifically for installing the Analyzer detail view server. For details, see the Analyzer detail
view server requirements.
Verify that the ports you specify are available for communication. The default port is 8443.
Verify that group and other users have read and execute permissions (755) for the installation path directories.
Do not change the time zone after installing Analyzer detail view server.
During installation, when prompted to specify the installation directory for the Analyzer detail view server, follow these rules:
Specify a directory name with no more than 93 characters.
Use the following characters:
Check the kernel and system limits on the number of open files and processes. For more information, see Increasing the maximum number of open files (Linux OS).
Make sure that the time on the Analyzer detail view server machine is synchronized with the UTC time. For example, when the time in UTC is 23:00, the time on the Analyzer
detail view server machine in the PST time zone must be 15:00.
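The following added example, which is not part of the guide or of the precheck tool, checks two of the prerequisites above before the installer is run: that the default ports (22015, 22016, 8443, and the Common component ports 27100, 27102, 27103, and 27104) have no listener yet, and that the planned installation path contains no symbolic link. It parses `ss -H -ltn` output; the sample output embedded in the script is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the guide: pre-installation checks for port
# conflicts and for symbolic links in the installation path.

# Default ports named in the prerequisites above.
ANALYZER_SERVER_PORTS="22015 22016"
COMMON_COMPONENT_PORTS="27100 27102 27103 27104"
DETAIL_VIEW_PORT="8443"
REQUIRED_PORTS="$ANALYZER_SERVER_PORTS $COMMON_COMPONENT_PORTS $DETAIL_VIEW_PORT"

# listening_ports: read `ss -H -ltn` output on stdin and print each local
# port once. The port is the text after the last colon of column 4, which
# also handles IPv6 listeners such as [::]:8443.
listening_ports() {
    awk '{ n = split($4, part, ":")
           if (n > 1 && part[n] ~ /^[0-9]+$/) print part[n] }' | sort -un
}

# port_conflicts "PORTS": read `ss -H -ltn` output on stdin and print the
# listed ports that already have a listener. Returns 1 when any is taken.
port_conflicts() {
    in_use=$(listening_ports)
    taken=""
    for want in $1; do
        for have in $in_use; do
            if [ "$want" = "$have" ]; then taken="$taken $want"; fi
        done
    done
    taken=${taken# }
    if [ -n "$taken" ]; then
        printf '%s\n' "$taken"
        return 1
    fi
    return 0
}

# symlink_in_path PATH: walk from PATH up to the root and print the first
# component found that is a symbolic link. Components that do not exist yet
# are skipped. Returns 1 when no component is a symbolic link.
symlink_in_path() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        if [ -L "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
        p=$(dirname "$p")
    done
    return 1
}

# Constructed sample of `ss -H -ltn` output (not taken from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:27100 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*
LISTEN 0 128 *:9090 *:*'

# Demonstration on the constructed sample. On a real host, replace the printf
# with: ss -H -ltn
if conflicts=$(printf '%s\n' "$SAMPLE_SS" | port_conflicts "$REQUIRED_PORTS"); then
    echo "ports: all required ports are free"
else
    echo "ports: already in use: $conflicts"
fi
if link=$(symlink_in_path /opt); then
    echo "path: /opt contains a symbolic link: $link"
else
    echo "path: /opt contains no symbolic link"
fi
```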
1. Stop any security monitoring software, antivirus software, and process monitoring software.
2. Mount the Hitachi Ops Center installation media and copy the directories and files in the ANALYTICS directory on the installation media to a directory on the Linux host.
Note:
You must use only the following characters in the directory path to which the installer is copied: A-Z a-z 0-9 - . _
Do not use spaces.
In the following example, if the /root/ANALYTICS directory already exists, create a new directory, and then perform the subsequent steps in the new directory.
mkdir /media/OpsImage
mount /dev/cdrom /media/OpsImage
cp -rT /media/OpsImage/ANALYTICS /root/ANALYTICS
cd /root/ANALYTICS
4. Run the precheck tool as a root user to check whether the Analyzer server and Analyzer detail view server can be installed.
sh ./analytics_precheck.sh
If OK is displayed in [ Check results ], you can start the installation. If NG is displayed, make sure the system requirements have been met.
============================================================
Analytics Precheck ver. 10.0.0-00
============================================================
[ Check results ]
Ops Center Analyzer detail view server [10.0.0-00] [OK]
Ops Center Analyzer server [10.0.0-00] [OK]
[ Details ]
Check premise OS version. [OK]
An Analyzer server earlier than v10.7.0, Hitachi Ops Center Automator earlier than v10.8.0, or Hitachi Command Suite earlier than v8.8.3 is
already installed on this server. Make sure to upgrade the relevant products by referring to the Release Notes.
Note:
When you run the precheck tool, it checks the static information of the system environment.
If the -v option is specified, information such as the host name and the OS name is also displayed.
5. Run the following command as a root user to start the installation:
sh ./analytics_install.sh NEW
A message is displayed, confirming that you want to install the Analyzer detail view server and Analyzer server.
Do not change the size of the device window while the command is running. If you change the size of the window, the installation fails.
6. Enter y, and then specify the components that you want to install.
Tip: The prompt displays the default value. To use the default value, simply press the Enter key.
Do you want to install the Ops Center Analyzer detail view server? (y/n) [n]: y
Do you want to install the Ops Center Analyzer server? (y/n) [n]: y
[Confirmation]
------------------------------------------------------------
Installation Product
(1) Ops Center Analyzer detail view server
(2) Ops Center Analyzer server
------------------------------------------------------------
Do you want to install the server listed above? (y/n) [n]: y
7. You are prompted for a drive and directory to install the Analyzer detail view server.
The following describes how to specify a device as the installation destination:
To specify a physical device: The device file name (Example: sdb)
To specify a logical device that uses the device-mapper functionality (devices in a configuration such as LVM, multipath, or RAID): The device name of the terminal
(with a TYPE of lvm, mpath, or raid) as displayed in the tree in <System device information> (Example: DCAvg-DCAlv00)
If you select a partition or a volume group of LVM, all the free disk space is used to create a logical volume for the LVM.
[Partition parameter]
------------------------------------------------------------
<System device information>
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdb 8:16 0 200G 0 disk
sr0 11:0 1 1024M 0 rom
fd0 2:0 1 4K 0 disk
sda 8:0 0 80G 0 disk
|-sda2 8:2 0 79G 0 part
| |-ol-swap 252:1 0 2G 0 lvm [SWAP]
| |-ol-home 252:2 0 27G 0 lvm /home
| `-ol-root 252:0 0 50G 0 lvm /
`-sda1 8:1 0 1G 0 part /boot
[Firewall parameter ]
------------------------------------------------------------
Do you want to configure the firewall to accept connections from the Ops Center Analyzer probe servers? (y/n) [y]: y
9. Specify the information to use for secure communication by the Analyzer detail view server.
To apply the default settings, press the Enter key in each prompt window.
[Keytool parameter ]
------------------------------------------------------------
[INFO] This setting is for SSL configuration.
What is the name of your organizational unit? [Unknown]: organizational-unit
What is the name of your organization? [Unknown]: organization
What is the name of your City or Locality? [Unknown]: city-or-locality
What is the name of your State or Province? [Unknown]: state-or-province
What is the two-letter country code for this unit? [Unknown]: two-letter-country-code-for-unit
[Confirmation]
------------------------------------------------------------
Installation directory(Mount point) : /data
Device name : [create new partition, volume group, and logical volume] on /dev/sdb
Filesystem : xfs
Port number : 8443
Firewall accept rule to be added :
Protocol Source IP Destination IP Destination PORT
-------- ---------------- ---------------- ----------------
ALL 0.0.0.0 0.0.0.0 ALL <RELATED,ESTABLISHED>
TCP 0.0.0.0 0.0.0.0 22
TCP 0.0.0.0 0.0.0.0 8443
Required CPAN libraries : Module::Build YAML Log::Log4perl LWP::Protocol::https
Distinguished Name for keytool : CN=host-name, OU=organizational-unit, O=organization, L=city-or-locality, ST=state-or-province, C=two-letter-country-code-for-unit
------------------------------------------------------------
** CAUTION **
* Installation of the required CPAN libraries may take more than 4 minutes.
12. Unless the CAUTION message includes a problem that requires your attention, enter y.
Analyzer detail view server is installed, and then the following message is displayed:
[INFO] Installation of the Ops Center Analyzer detail view server finished successfully.
13. You are prompted for a directory in which to install Analyzer server.
============================================================
Installation of the Ops Center Analyzer server
============================================================
[INFO] Installation of the Ops Center Analyzer server started.
Specify the directory to store application data. [/opt/hitachi]:
14. When prompted, enter y to configure the firewall settings. At this time, the firewall rules that are currently applied are saved.
[Firewall parameter ]
------------------------------------------------------------
Do you want to configure the firewall to accept connections to the Ops Center Analyzer server? (y/n) [y]: y
The Ops Center Analyzer server sets 22015 and 22016 port as the default port.
This port can be changed after installation.
If you change the port number, you must change the firewall setting.
15. If your settings are complete, enter y.
An Analyzer server earlier than v10.7.0, Hitachi Ops Center Automator earlier than v10.8.0, or Hitachi Command Suite earlier than v8.8.3 is
already installed on this server. Make sure to upgrade the relevant products by referring to the Release Notes.
Note: The Analyzer detail view server uses the crond service. If the crond service is disabled or stopped, enable and start it.
As a best practice, you should set the crond service to start automatically when the OS starts.
To install the Analyzer probe server, run the installer (dcaprobe_install.sh) and follow the prompts.
The installer starts and stops the crond service. Therefore, do not run any operations that use the crond service when the installer is running.
Review the Analyzer probe server requirements (hardware and software). The Analyzer probe server cannot be installed on a host where the JP1/Performance Management
is installed.
Install the Analyzer detail view server first. The Analyzer detail view server IP address is required for setting up the Analyzer probe server.
Make sure that the ports you specify are available for communication. The default port is 8443. (The default port for SSH is 22.)
Verify that you have root permission to run the installer and the precheck tool.
Group and other users must have read and execute permissions (755) for the installation path directories.
During installation, when prompted to specify the installation directory for the Analyzer probe server, follow these rules:
Specify an absolute path.
Do not include any symbolic links.
Do not specify a directory under /opt/jp1pc.
Use the following characters only:
The IP address must be resolvable from the host name of the host where RAID Agent is installed. Check the hosts file or the domain name system (DNS) server
configuration of the host where RAID Agent is installed.
The RAID Agent cannot run on hosts that use DHCP to assign IP addresses. You must specify a fixed IP address for Analyzer probe server.
The Analyzer probe server can be used in a DNS environment, but does not support FQDN. You must exclude the domain name.
Before setting up the RAID Agent, you must specify C for the LANG environment variable on the Analyzer probe server host.
At startup, RAID Agent is subject to the system LANG environment variable. If the LC_ALL environment variable differs from the LANG environment variable, either
unset LC_ALL or change its value to match the LANG value. The following example sets C for the LANG value and unsets the LC_ALL value.
Example settings:
## Set Environment-variables
PATH=/sbin:/bin:/usr/bin:/opt/jp1pc/bin
SHLIB_PATH=/opt/hitachi/common/lib
LD_LIBRARY_PATH=/opt/hitachi/common/lib
LIBPATH=/opt/hitachi/common/lib
HCCLIBCNF=/opt/jp1/hcclibcnf
LANG=C
export PATH SHLIB_PATH LD_LIBRARY_PATH LIBPATH HCCLIBCNF LANG
unset LC_ALL
If needed, you can install Virtual Storage Software Agent when you install the Analyzer probe server.
If firewalld is enabled, the settings will be changed for the default zone. If required, revise the settings after the installation finishes.
For the installation path:
Specify an absolute path.
Do not include any symbolic links.
Do not specify a path of a directory under /opt/jp1pc.
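As an added example (not part of the Hitachi guide or its installer), the following POSIX shell functions check a candidate directory against the rules stated in these prerequisites: absolute path, no symbolic links, not under /opt/jp1pc, and read and execute permission (755) for group and other users on the path directories. A second function applies the character rule that the procedure gives for the directory the installer is copied to. The function names are hypothetical, and rejecting `.` and `..` components is this example's own choice so that the /opt/jp1pc comparison always runs on a normalized path.

```shell
#!/bin/sh
# Added example, not part of the Hitachi guide or its installer.
# Function names are hypothetical.

# Copy-directory rule: only A-Z a-z 0-9 - . _ ("/" as separator), no spaces.
check_copy_dir_chars() (
    LC_ALL=C    # keep the A-Z / a-z ranges plain ASCII in every locale
    case $1 in
        ''|*[!A-Za-z0-9/._-]*)
            echo "NG: characters outside A-Z a-z 0-9 - . _ in: $1"
            exit 1 ;;
    esac
    exit 0
)

# Installation-path rules: absolute path, no symbolic links, not under
# /opt/jp1pc, and group/other r-x (755) on every existing directory.
# Prints one "NG:" line per violation; returns 0 only when there are none.
check_install_path() {
    cip_rc=0
    case $1 in
        /*) ;;
        *) echo "NG: not an absolute path: $1"; return 1 ;;
    esac
    cip_rest=${1#/}
    cip_norm=
    while [ -n "$cip_rest" ]; do
        cip_part=${cip_rest%%/*}            # next path component
        case $cip_rest in
            */*) cip_rest=${cip_rest#*/} ;;
            *)   cip_rest= ;;
        esac
        case $cip_part in
            '') continue ;;                 # collapse repeated slashes
            .|..) echo "NG: '.' or '..' component in: $1"; return 1 ;;
        esac
        cip_norm=$cip_norm/$cip_part
        if [ -L "$cip_norm" ]; then
            echo "NG: symbolic link in path: $cip_norm"; cip_rc=1
        elif [ -d "$cip_norm" ]; then
            # Mode string: d + owner(3) + group(3) + other(3)
            case $(ls -ld "$cip_norm" | cut -c1-10) in
                d???r?[xs]r?[xt]) ;;
                *) echo "NG: group/other lack r-x (755) on: $cip_norm"
                   cip_rc=1 ;;
            esac
        fi
    done
    case $cip_norm/ in
        /opt/jp1pc/*) echo "NG: at or under /opt/jp1pc: $cip_norm"; cip_rc=1 ;;
    esac
    return $cip_rc
}

# Demo on constructed inputs.
for p in /root/DCAPROBE "/root/DCA PROBE"; do
    if check_copy_dir_chars "$p"; then echo "OK: copy directory name: $p"; fi
done
check_install_path /opt/jp1pc/probe || true
```

Components of the path that do not exist yet are skipped by the symbolic link and permission checks, so run it again after creating the directory.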
1. Stop any security monitoring software, antivirus software, and process monitoring software.
2. Mount the Hitachi Ops Center installation media and copy the directories and files in the DCAPROBE directory on the installation media to a directory on the Linux host.
Note:
You must use only the following characters in the directory path to which the installer is copied: A-Z a-z 0-9 - . _
Do not use spaces.
In the following example, if the /root/DCAPROBE directory already exists, create a new directory, and then perform the subsequent steps in the new directory.
mkdir /media/OpsImage
mount /dev/cdrom /media/OpsImage
cp -rT /media/OpsImage/DCAPROBE /root/DCAPROBE
cd /root/DCAPROBE
4. Run the precheck tool as a root user to check whether the Analyzer probe server can be installed:
sh ./dcaprobe_precheck.sh
If OK is displayed in [ Check results ], you can start the installation. If NG is displayed, make sure the system requirements have been met.
============================================================
Ops Center Analyzer probe Precheck ver. 10.0.0-00
============================================================
[ Check results ]
Ops Center Analyzer probe server [10.0.0-00] [OK]
[ Details ]
Check resolved hostname. [host-name (IP-address)] [OK]
Check premise OS version. [OK]
Note:
When you run the precheck tool, it checks the static information of the system environment.
If the -v option is specified, information such as the OS name is also displayed.
5. Run the following command as root to start the installation:
sh ./dcaprobe_install.sh NEW
Do not change the size of the device window while the command is running. If you change the size of the window, the installation fails.
Specify the path of the directory in which to store application data. [/home]:
7. Specify y to configure the firewall settings. At this time, the firewall rules that are currently applied are saved.
Do you want to configure the firewall to accept connections from the Ops Center Analyzer probe servers? (y/n) [y]: y
8. Specify the secure communication information to use for the Analyzer probe server.
To apply the default settings, press the Enter key in each prompt window.
[Keytool parameter ]
------------------------------------------------------------
[INFO] This setting is for SSL configuration.
What is the name of your organizational unit? [Unknown]: organizational-unit
What is the name of your organization? [Unknown]: organization
What is the name of your City or Locality? [Unknown]: city-or-locality
What is the name of your State or Province? [Unknown]: state-or-province
What is the two-letter country code for this unit? [Unknown]: two-letter-country-code-for-unit
[Confirmation]
------------------------------------------------------------
Data directory (for the RAID Agent) : /home/RAIDAgent
Data directory (for the Ops Center Analyzer probe server): /home
Port number (for the Ops Center Analyzer probe server): 8443,24221
Firewall accept rule to be added :
Protocol Source IP Destination IP Destination PORT
-------- ---------------- ---------------- ----------------
ALL 0.0.0.0 0.0.0.0 ALL <RELATED,ESTABLISHED>
TCP 0.0.0.0 0.0.0.0 24221
TCP 0.0.0.0 0.0.0.0 8443
TCP 10.197.195.109 10.197.195.109 ALL
TCP 127.0.0.1 127.0.0.1 ALL
Required CPAN libraries : Module::Build YAML IO::Pty Date::Calc Net::OpenSSH DateTime DateTime::Format::Strptime Date::Gregorian Log::Log4perl Log::Dispatch::FileRotate Sys::RunAlone LWP::Protocol::https
Distinguished Name for keytool : CN=host-name, OU=organizational-unit, O=organization, L=city-or-locality, ST=state-or-province, C=two-letter-country-code-for-unit
------------------------------------------------------------
10. Check the CAUTION message.
** CAUTION **
* Installation of the required CPAN libraries may take more than 12 minutes.
11. Unless the CAUTION message includes a problem that requires your attention, enter y.
Note: Installation of the CPAN library Net::OpenSSH package might display the following prompt:
root@localhost's password:
You should ignore this prompt and the installation process will resume in approximately ten seconds.
12. If you want to monitor VSP One SDS Block systems, you must install the required agent.
Do you want to install the Virtual Storage Software Agent server? (y/n) [n]: y
13. Specify the directory in which to install the Virtual Storage Software Agent server.
Tip: The prompt displays the default value. To use the default value, simply press the Enter key.
[INFO] Installation of the Ops Center Analyzer probe servers finished successfully.
Note: The Analyzer probe server uses the crond service. If the crond service is disabled or stopped, enable and start it.
As a best practice, you should set the crond service to start automatically when the OS starts.
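The [Confirmation] screens in both installation procedures list the firewall accept rules the installer is about to add. As an added example (not part of the Hitachi guide or its installer), this shell script extracts the rules that accept new connections from source 0.0.0.0 and reports any whose port is not in the list you expected, so the text can be reviewed before you enter y. The function names are hypothetical, the sample text is constructed from the probe server confirmation shown above, and reading 0.0.0.0 as "any source" is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Hitachi guide or its installer.
# Function names are hypothetical.

# Constructed sample: the firewall part of the probe server [Confirmation]
# screen as printed in this guide.
sample_confirmation() {
    cat <<'EOF'
Port number (for the Ops Center Analyzer probe server): 8443,24221
Firewall accept rule to be added :
Protocol Source IP Destination IP Destination PORT
-------- ---------------- ---------------- ----------------
ALL 0.0.0.0 0.0.0.0 ALL <RELATED,ESTABLISHED>
TCP 0.0.0.0 0.0.0.0 24221
TCP 0.0.0.0 0.0.0.0 8443
TCP 10.197.195.109 10.197.195.109 ALL
TCP 127.0.0.1 127.0.0.1 ALL
Required CPAN libraries : Module::Build YAML
EOF
}

# Read confirmation text on stdin and print "PROTOCOL PORT" for every rule
# whose source is 0.0.0.0 (assumed to mean any source). The
# RELATED,ESTABLISHED rule is skipped because it only matches traffic that
# belongs to connections already accepted by another rule.
any_source_rules() {
    awk '
        /^Firewall accept rule to be added/ { in_rules = 1; next }
        in_rules && /^(Protocol|-+)/ { next }          # table header lines
        in_rules && NF >= 4 && $2 ~ /^[0-9.]+$/ {      # a rule row
            if ($2 == "0.0.0.0" && $5 !~ /RELATED|ESTABLISHED/)
                print $1, $4
            next
        }
        in_rules { in_rules = 0 }                      # table has ended
    '
}

# Print the any-source rules whose port is not in the space-separated
# list of expected ports given as $1.
unexpected_any_source() {
    uas_expected=" $1 "
    any_source_rules | while read -r uas_proto uas_port; do
        case $uas_expected in
            *" $uas_port "*) ;;
            *) echo "$uas_proto $uas_port" ;;
        esac
    done
}

# Demo on the constructed sample.
echo "Rules accepting new connections from any source:"
sample_confirmation | any_source_rules
echo "Not in the expected list (8443 only):"
sample_confirmation | unexpected_any_source "8443"
```

Where monitoring traffic only ever comes from known Analyzer hosts, the any-source rules reported here are the ones to narrow when you revise the firewalld settings after installation.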
RAID Agent cannot be installed on a host where the JP1/Performance Management is installed.
When prompted to specify the installation folder for the RAID Agent, follow these rules:
5. Restart the operating system.
When a problem occurs, you might need user mode process dumps or other information. Configure settings so that these dumps are output when a problem occurs.
Note
For user mode process dumps, information is output not only for the RAID Agent program but also for other application programs. In addition, when user mode process
dumps are output, the amount of disk space consumed is proportional to the size of the dumps. When configuring settings to output user mode process dumps, be sure to
specify a destination folder with sufficient disk space.
When you run the Ops Center Analyzer installer, it makes certain changes to the host environment when you install the Analyzer detail view server or the Analyzer probe server.
Note: The installer does not make any changes to the Analyzer server.
The installer makes the following changes to the host environment settings.
Change Details
megha
meghadata
You must change the default passwords. Refer to Changing the megha and meghadata
passwords for more information.
The megha and meghadata users require execution privileges to access the crond
service. If you have restricted the execution privileges on the host, make sure you
remove the restriction to provide the execution privileges for these users.
Changes to the cron settings A setting that periodically starts the service and monitors resource usage for the
Analyzer detail view server is added.
Changes to the ssh settings The /etc/ssh/sshd_config file is edited, and settings are added as follows to allow the
meghadata user to access the Analyzer detail view server by using password
authentication.
If you want to change the SFTP server subsystem settings, see Default meghadata user
settings for Analyzer detail view server.
If the maximum number of file descriptors for the entire system specified in the
OS is less than 327675, 327675 is specified in the following definition files:
/usr/lib/sysctl.d/60-hiaa.conf
If the maximum number of file descriptors for the user megha specified in the OS
is less than 262140, 262140 is specified in the following definition files:
/etc/security/limits.conf
If the maximum number of processes specified in the OS for the user megha is
less than 2048, 2048 is specified in the following definition file:
/etc/security/limits.d/20-nproc.conf
These maximum values can be specified in multiple definition files. If these maximum
values are specified in any file that has a higher priority than the files listed here, you
must change those settings manually.
Automatic startup settings for the Analyzer detail view server service A setting that automatically starts the service when the OS is started is added to /etc/rc.local.
Installation of the Perl module The Analyzer detail view server uses the Perl module registered in CPAN
(Comprehensive Perl Archive Network). If the Perl module is not installed as follows in
the default path on the host where Analyzer detail view server is installed, the module is
installed as part of the installation of Analyzer detail view server.
Module::Build
YAML
XML::Simple
Log::Log4perl
LWP::UserAgent
LWP::Protocol::https
Installation of Amazon Corretto 17 If a Java version other than the supported Amazon Corretto 17 or Oracle JDK 17 is
specified as the default OS Java (the Java that is specified as /usr/bin/java by the
alternatives command), Amazon Corretto 17 is installed and is set as the default OS
Java.
The installer makes the following changes to the host environment settings.
Change Details
megha
You must change the default password. Refer to Changing the megha and meghadata
passwords for more information.
Do not restrict or remove the sudo permission for the megha user. The sudo permission
is added in the /etc/sudoers file during installation.
The megha user requires execution privileges to access the crond service. If you have
restricted the execution privileges in the host, make sure you remove the restriction to
provide the execution privileges for this user.
Changes to the cron settings A setting that periodically starts the service and monitors resource usage for the
Analyzer probe server is added.
If the maximum number of file descriptors for the entire system specified in the
OS is less than 327675, 327675 is specified in the following definition files:
/usr/lib/sysctl.d/60-hiaa.conf
If the maximum number of file descriptors for the user megha specified in the OS
is less than 262140, 262140 is specified in the following definition files:
/etc/security/limits.conf
If the maximum number of processes specified in the OS for the user megha is
less than 2048, 2048 is specified in the following definition file:
/etc/security/limits.d/20-nproc.conf
These maximum values can be specified in multiple definition files. If these maximum
values are specified in any file that has a higher priority than the files listed here, you
must change those settings manually.
Automatic startup settings for the Analyzer probe server service A setting that automatically starts the service when the OS is started is added to /etc/rc.local.
Installation of the Perl module The Analyzer probe server uses the Perl module registered in CPAN (Comprehensive
Perl Archive Network). If the Perl module is not installed as follows in the default path on
the host where Analyzer probe server is installed, the module is installed as part of the
installation of Analyzer probe server.
Module::Build
YAML
IO::Pty
Date::Calc
Net::OpenSSH
DateTime
DateTime::Format::Strptime
Date::Gregorian
Log::Log4perl
Log::Dispatch::FileRotate
Sys::RunAlone
HTTP::Request
LWP::UserAgent
LWP::Protocol::https
Time::HiRes
XML::Simple
Addition of SELinux policy records If Virtual Storage Software Agent is installed, policy records for files in the following
directory are added:
/var/Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent
Installation of Amazon Corretto 17 If a Java version other than the supported Amazon Corretto 17 or Oracle JDK 17 is
specified as the default OS Java (the Java that is specified as /usr/bin/java by the
alternatives command), Amazon Corretto 17 is installed and is set as the default OS
Java.
After installing Analyzer server and the Analyzer detail view server, perform the initial setup of Analyzer detail view.
To use Common Services and single sign-on through the Ops Center Portal, you must also register Analyzer detail view in Common Services and assign Analyzer detail view
permissions to Ops Center user groups. If you deployed the Ops Center OVA, Analyzer detail view is already registered in Common Services. If you used the stand-alone OVA or
installer, you must register with Common Services manually. If you change the host name, IP address, or port number of the server where Common Services is installed, you must
register Analyzer detail view again.
Note:
Products installed with the Ops Center OVA are registered in Common Services with their host names. Specify the settings so that the host names of individual Ops Center products
can be resolved from client machines.
After installing the Analyzer server and the Analyzer detail view server, complete the following tasks on the Analyzer detail view server:
1. (Optional) If you want to use Common Services and access Analyzer detail view from the Ops Center Portal, run the setupcommonservice command to register Analyzer
detail view in Common Services.
2. Perform the initial setup of the Analyzer detail view server.
3. (Optional) If you want to use Common Services, assign Analyzer detail view permissions to the Ops Center user group.
If you want to use Common Services installed on a different host, or you installed Analyzer detail view server using the stand-alone OVA or installer, you must register Analyzer detail
view server with Common Services.
If you deployed the Ops Center consolidated OVA, Analyzer detail view is already registered in Common Services.
Verify the following:
The host name of Common Services is resolvable from the Analyzer detail view server.
The Analyzer detail view server and Common Services are running.
SSL is configured for the Analyzer detail view server and Common Services.
A user account exists with Common Services that has Administrator permissions.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Navigate to the following directory:
/usr/local/megha/bin
3. Run the setupcommonservice command to register the Analyzer detail view server with Common Services.
The following is an example to register a new instance of Analyzer detail view server in Common Services:
Note:
The Common-Services-user-name must not contain greater than and less than signs (< >), square brackets ([ ]), spaces, double quotation mark ("), colon (:), or
ampersand (&).
The Analyzer-detail-view-server-host-name-or-IP-address must contain the correct host name or IP address.
4. Enter the password of the Common Services user.
Note: You cannot unregister a Hitachi Ops Center product using the setupcommonservice command. To delete products, use the Ops Center Portal.
Open the URL of the Analyzer detail view server and follow the prompts.
For information about how to add accounts, see the Analyzer detail view server Online Help. If you use the built-in administrator account to access the Analyzer server, this
step is unnecessary.
Note: Several accounts are created automatically in Analyzer detail view server when you configure Analyzer server for connecting with the Analyzer server. Do not change
or delete the information of the following user accounts:
HIAA_Server_Admin
HIAA_REST_Admin
HIAA_REST_Normal
HIAA_GUI_Report
When you use the Ops Center to perform operations in Analyzer detail view, you must assign Analyzer detail view roles to Ops Center user groups to provide required access.
Make sure that Analyzer detail view is registered with Common Services.
1. Log in to the Ops Center portal as a member of the administrator group (for example opscenter-administrators) and then launch Analyzer detail view.
Note: The user name must not contain greater than and less than signs (< >), square brackets ([ ]), spaces, double quotation mark ("), colon (:), and ampersand (&).
2. In the Analyzer detail view, in the application bar, click the Manage menu.
3. In the Manage window, in the Administration section, click the Manage Ops Center Groups and Roles link.
4. In the Manage Ops Center Groups and Roles window, select the check boxes to assign the Normal and Admin role to user groups and then click Save.
After installing Analyzer probe server, perform the initial setup of Analyzer probe.
To use Common Services and single sign-on through the Ops Center Portal, you must also register Analyzer probe in Common Services and assign Analyzer probe permissions to
Ops Center user groups. If you used the stand-alone OVA or installer, you must register with Common Services manually. If you change the host name, IP address, or port number
of the server where Common Services is installed, you must register Analyzer probe again.
Note: Products installed with the Ops Center OVA are registered in Common Services by using host names. Specify the settings so that the host names of individual Ops Center
products can be resolved from client machines.
After installing the Analyzer probe server, complete the following tasks on the Analyzer probe server:
1. (Optional) If you want to use Common Services and access Analyzer probe from the Ops Center Portal, run the setupcommonservice command to register Analyzer probe in
Common Services.
2. Perform the initial setup of Analyzer probe.
3. (Optional) If you want to use Common Services, make sure that Analyzer probe permissions have been assigned to the Ops Center user group.
If you want to use Common Services installed on a different host, or you installed Analyzer probe server using the stand-alone OVA or installer, you must register Analyzer probe
server with Common Services.
The host name of Common Services is resolvable from the Analyzer probe server.
The Analyzer probe server and Common Services are running.
SSL is configured for the Analyzer probe server and Common Services.
A user account exists with Common Services that has Administrator permissions.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Navigate to the following directory:
/usr/local/megha/bin
3. Run the setupcommonservice command to register Analyzer probe server with Common Services.
The following is an example to register a new instance of Analyzer probe server in Common Services:
Note:
The Common-Services-user-name must not contain greater than and less than signs (< >), square brackets ([ ]), spaces, double quotation mark ("), colon (:), and
ampersand (&).
The Analyzer-detail-view-server-host-name-or-IP-address must contain the correct host name or IP address.
4. Enter the password of the Common Services user.
Note: You cannot unregister a Hitachi Ops Center product using the setupcommonservice command. To delete products, use the Ops Center Portal.
Open the URL of the Analyzer probe server and follow the prompts.
1. Open your browser and enter the Analyzer probe server URL.
https://Analyzer-probe-server-IP-address:8443
2. When you first launch the Analyzer probe server UI, you see the license agreement details. Read it and then click Next.
3. In the Upload License window, click Choose File to browse to a license file and click Open.
4. Click Submit to add the license.
5. In the Create Administrator Account window, provide the following and then click Submit:
User name and password
First name, last name, and email address of the user
Locale: Only the U.S. English locale is currently supported
Group: Select Admin to create an administrator account
Note: To complete the Analyzer probe server configuration you must create a local user with an administrator account. After creating the local user, you can add the required
Active Directory users.
6. In the Analyzer probe login window, enter the administrator user credentials and click Login.
7. The Basic Information window displays the Customer Name (which cannot be changed). Provide the following contact information and click Next:
Administrator Contact Name and email
Technical Contact Name and email
8. In the Select Time zone window, make a selection and then click Next.
9. In the Primary Analyzer detail view Server Information window, specify the following details:
Note:
If you are connecting the Analyzer detail view server to the Analyzer probe server using the host name and a proxy server, you must add the IP address and host
name of the Analyzer detail view server to the /etc/hosts file on the Analyzer probe server.
If you edit the existing connection details, make sure that you update these details on the Analyzer detail view server by updating the downloader. For more
information, refer to Updating the downloader on the Analyzer detail view server.
Protocol: FTP, FTPS, SFTP, or HTTPS.
The Analyzer detail view server supports the SFTP and HTTPS protocols. If you are using an FTP or FTPS protocol, make sure that the FTP or FTPS server is
configured and you provide the IP address in the Host field. The intermediate FTP or FTPS server must not be the same as the Analyzer detail view server.
Note:
For the SFTP protocol, you can use key-based or password-based authentication. If you plan to use key-based authentication, make sure that it is configured.
The key-based authentication is supported for sending the data directly from the Analyzer probe server to the Analyzer detail view server (without an
intermediate FTP or FTPS server) using the meghadata user. Refer to Configuring key-based authentication to transfer data directly from Analyzer probe
server to Analyzer detail view server. After configuring the key-based authentication, select the SFTP protocol and then select the Key-Based button. If you
have provided the passphrase, enter the passphrase.
If you are using SFTP and HTTPS protocols: refer to Supported ciphers for Analyzer probe.
If you are using the HTTPS protocol, make sure that the meghadata user can log on to localhost using SSH and a connection from localhost to port 22 can be
established on the Analyzer detail view server.
The System Diagnostics data for the Analyzer probe server is not collected in case of HTTPS protocol.
Host: Analyzer detail view server or intermediate FTP server IP address.
If you are using an intermediate FTP server as a primary server, then you must configure the downloader on the Analyzer detail view server to download the data
from this FTP server.
If the FTP user does not have the required permission, then you must create the directory manually. Refer to Getting the Appliance UUID and configuring the
intermediate FTP server.
The intermediate FTP server supports the following commands: open, rmdir, delete, disconnect, send, pwd, dir, size, modtime, nlist, put, rename, binary,
debug, cd, lcd, passive, put
Password: Password for the host. For an Analyzer detail view server, the default password is: meghadata123
Note: To improve security for the FTP account, you must change the meghadata default password. Refer to Changing the megha and meghadata passwords for more
information.
Advanced Settings:
Proxy: Select to configure a proxy server.
Real-time Server: By default the Real time server field uses the value that you entered in the Host field.
If you are using an intermediate FTP server, make sure you provide the Analyzer detail view server IP address that is processing the data of the primary
server. In addition, make sure that you are not connecting the Analyzer probe server to the Analyzer detail view server using a proxy.
Note: Port number 9092 must be open on the Analyzer detail view server. The Analyzer probe server uses this port to send the real-time data.
10. Click Next.
In addition to sending Analyzer probe server data to a single (local) Analyzer detail view server, you can configure a secondary (cloud-based or on-premises) Analyzer detail
view server, or intermediate FTP server. The purpose is to host a copy of the probe data where it can be accessed outside of your internal network. You can add this
secondary server from the Analyzer probe server UI.
Note: The secondary Analyzer detail view server does not support real-time data collection.
11. In the Data Collection duration window, verify the license expiry date in your license, and then click Next.
12. From the list of probes, select the probe type and configure it to collect data from the monitoring target. You must add at least one probe to complete the installation.
To add additional probes, go to the Analyzer probe server web UI home page and click Add Probe.
VMware probe
Linux probe
The Analyzer probe only includes the Admin role. Therefore, all Ops Center user groups are assigned the Admin role by default. You can view the list of Ops Center user groups in
the Manage Ops Center Groups and Roles window.
1. Log in to the Ops Center portal as a member of the administrator group (for example opscenter-administrators) and then launch Analyzer probe.
Note: The user name must not contain greater-than or less-than signs (< >), square brackets ([ ]), spaces, double quotation marks ("), colons (:), or ampersands (&).
2. In the Analyzer probe, in the application bar, click the Manage menu.
3. In the Manage window, in the Administration section, click the Manage Ops Center Groups and Roles link.
4. In the Manage Ops Center Groups and Roles window, the list of Ops Center groups is displayed.
After installing Analyzer server and the Analyzer detail view server, set up the Analyzer server, register the license, change the system account password, connect to the Analyzer
detail view server, and then configure the mail server.
To use Common Services and single sign-on through the Ops Center Portal, you must also register Analyzer in Common Services and assign Analyzer permissions to Ops Center
user groups. If you deployed the Ops Center OVA, Analyzer is already registered in Common Services. If you used the stand-alone OVA or installer, you must register with Common
Services manually. If you change the host name, IP address, or port number of the server where Common Services is installed, you must register Analyzer again.
Note: Products installed with the Ops Center OVA are registered in Common Services by using host names. Specify the settings so that the host names of individual Ops Center
products can be resolved from client machines.
After installing the Analyzer server and the Analyzer detail view server, complete the following tasks on the Analyzer server:
1. Make sure that you can access the Analyzer server from your web browser.
2. (Optional) If you want to use Common Services and access Analyzer from the Ops Center Portal, run the setupcommonservice command to register Analyzer in Common
Services.
3. Register the license.
4. Change the system account password.
5. (Optional) If you want to use Common Services, assign Analyzer permissions to the Ops Center user group.
6. Set up a connection to the Analyzer detail view server.
7. Configure the mail server.
Use your web browser to make sure that you can access the Analyzer server.
Check the IP address or host name of the host where the Analyzer server is installed.
The login window is displayed, indicating that you can access the Analyzer server.
If you want to use Common Services installed on a different host, or you installed Analyzer using the stand-alone OVA or installer, you must register Analyzer with Common Services.
If you deployed the Ops Center OVA, Analyzer is already registered in Common Services.
The host name of Common Services is resolvable from the Analyzer server.
The Analyzer server and Common Services are running.
SSL is configured for the Analyzer server and Common Services.
A user account exists with Common Services that has Administrator permission.
The help option shows command usage information. For details, see setupcommonservice.
3. Enter the username and password of the Common Services user according to the message output by the command.
Register the license for Analyzer server, and then use the built-in account to log on to Analyzer server.
If you are using Common Services, you can use the Ops Center Portal to register the license. For details, see the Ops Center Help.
Obtain the Analyzer server license from your Hitachi Vantara representative.
1. In the login window, click the Licenses information link in the lower right-hand corner.
Note: If the link is not displayed, you can access the License registration window directly using this URL:
https://Analyzer-server-host-name-or-IP-address:22016/Analytics/license.htm
Change the default password for the system account. The system account is a built-in account that has the user management permission and permissions for all Analyzer server
operations.
1. In the Administration tab, select User Management > Users and Permissions.
2. From the displayed dialog box, display Users, and then select System.
3. Click Change Password.
When you use the Common Services single sign-on to perform operations in Analyzer, you must assign Analyzer operating permissions to Ops Center user groups.
1. Log in to the Ops Center Portal as a user with the Security Admin role or System Admin role, and then launch Analyzer.
2. In the Analyzer Administration tab, select User Group Management > User Groups And Permissions.
3. Select the check box for the user group to which you want to assign permissions, and then click Edit Permission Mapping.
Note: You can select multiple user groups.
4. In the Edit User Groups window, select the check boxes for the permissions you want to assign.
5. Click OK.
Set up a connection so that the data collected by the Analyzer detail view server can be analyzed by the Analyzer server.
1. In the Administration tab, select System Settings > Analyzer detail view Server.
2. Click Edit Settings, and specify the Analyzer detail view server information.
Note: Specify the built-in administrator account. If you want to use a different account, specify the account created during the initial setup of the Analyzer detail view server. If
you change the password of the specified user on the Analyzer detail view server, you must also change the same password in Password of the Edit Settings dialog box.
3. Click Check Connection to confirm that the server is connected properly.
If you cannot access the Analyzer detail view server, verify the following:
The certificate is correctly specified on the Analyzer server.
The certificate is not expired.
4. Click OK.
Configure the mail server and the sender email address to notify the administrator of problems with monitored resources and to periodically send dashboard reports to users.
Make sure you have Admin permissions for Ops Center Analyzer.
Use the following settings for Email Notification and Send Test Mail:
Protocol: SMTPS, STARTTLS, cleartext
Authentication Methods: LOGIN, PLAIN, DIGEST-MD5
You should change the megha and meghadata user passwords to enhance security. The megha user exists on both the Analyzer detail view server and the Analyzer probe
server. The Analyzer probe server does not have a meghadata account.
Note: You can also use this procedure if the current megha or meghadata user password has expired.
If a security policy for the maximum number of login attempts is enabled in your environment, you must disable it before changing the megha and meghadata passwords. After
completing the procedure, you can re-enable the setting.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (such as PuTTY) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/bin/changePassword.sh --user
/usr/local/megha/bin/megha-jetty.sh start
service crond start
If the Analyzer probe server is uploading the data directly to an Analyzer detail view server for which you have changed the meghadata user password, you must also update the
meghadata user password on the Analyzer probe server. To change the password, log on to the Analyzer probe server and then go to the Home > Reconfigure > Analyzer detail view
Server tab.
A real-time mechanism transfers data to the Analyzer detail view server as soon as the data is received by the Analyzer probe server. This real-time data is stored in the database for
30 minutes. You must change the real-time database password to improve security.
Note: The Analyzer detail view server and the Analyzer probe server share the same username and password for the real-time database. When changing the password you must
change it on both servers.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (such as PuTTY) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
/usr/local/megha/bin/changePassword.sh --realTimeDB
Note: Passwords can contain uppercase and lowercase letters, numbers, and the following special characters:
/usr/local/megha/bin/megha-jetty.sh start
You can resolve performance issues by running the Ops Center Automator service templates. The initial setup procedure varies depending on whether you want the primary server
to be the instance of Ops Center Automator that you are connecting to or the Analyzer server.
If you want the Analyzer server to be the primary server, we recommend that you install Ops Center Automator on the same host as the Analyzer server. For details about how to
install Ops Center Automator, see the Hitachi Ops Center Automator Installation and Configuration Guide.
Configuring settings for Ops Center Automator (when the Analyzer server is the primary server)
To configure settings for connecting to Ops Center Automator when the Analyzer server is set as the primary server:
1. Verify that Ops Center Automator is installed and that the host name can be resolved as described in Verifying that the Ops Center Automator host name can be resolved.
2. Change the Common component settings (if Ops Center Automator and the Analyzer server are installed on separate hosts) as described in Changing Common component
settings.
3. Check the permissions of the user account as described in Checking user account permissions.
4. (Optional) Create Ops Center Automator service-integration definition files as described in Creating a definition file to connect with Ops Center Automator.
Verifying that the Ops Center Automator host name can be resolved
Verify that the Ops Center Automator host name can be resolved by the Analyzer server host and the host running the browser.
1. Log on to the host on which Ops Center Automator is installed as a user with root permission.
2. Display the Ops Center Automator URL by running the hcmds64chgurl command, and check the host name.
Automator-installation-directory/Base64/bin/hcmds64chgurl -list
3. On the Analyzer server host and the host running the browser, verify that you can resolve the Ops Center Automator host name reported by the hcmds64chgurl command.
If the name resolution fails, enable name resolution for the Ops Center Automator host name by using a method such as adding an entry to the hosts file.
If Ops Center Automator and the Analyzer server are installed on different hosts, you must change the settings of the Common component so that user accounts can be managed on
the Analyzer server. If you want to centrally manage user information by using Common Services, you must perform the following procedure before connecting to Ops Center
Automator.
Note: If Ops Center Automator and the Analyzer server are installed on the same host, skip this procedure.
The host that manages the user accounts is called the primary server.
Perform the following steps to set the Analyzer server as the primary server and Ops Center Automator as the secondary server.
1. Log on to the host on which Ops Center Automator is installed as a user with root permission.
2. Run the hcmds64prmset command to change the settings of the Common component.
For the host, port, and sslport options, specify information about the Analyzer server to use as the primary server. The default port number for non-SSL communication is
22015. The default port number for SSL communication is 22016.
Automator-installation-directory/Base64/bin/hcmds64prmset -host host-name-or-IP-address {-port port-number-for-non-SSL-communication | -sslport port-number-for-SSL-communication}
3. Stop and restart the services:
a. Run the hcmds64srv command with the stop option.
b. Run the hcmds64srv command with the start option.
User account information on Ops Center Automator can now be managed in the Analyzer server.
Check whether the required permissions are assigned to the user account used to connect to Ops Center Automator. Check the settings in both the Analyzer server and Ops Center
Automator.
1. Log on to the Analyzer server by using the system account or as a user who has user management permissions.
2. Check the settings of the user account for Ops Center Analyzer:
a. In the Administration tab, select User Management > Users and Permissions.
b. In the Users and Permissions window, select Users. From the user list, click the user account to use to connect to Ops Center Automator.
c. In the Granted Permission field, make sure that the IAA Admin or Modify permission is set. If the permission is not set, click Change Permission to set it.
3. Log on to Ops Center Automator by using the system account.
4. Assign the user account that is used to connect to Ops Center Automator to an Ops Center Automator user group:
a. In the Administration tab, select Resources and Permissions > User Groups.
b. Select a user group that has permission to run services in Ops Center Automator. On the Users tab, click Assign to assign the user account to the user group.
5. Assign the user group to an Ops Center Automator service group:
a. Select Resources and Permissions > Service Groups.
b. Select the Ops Center Automator service group, and then select the Permissions tab.
c. Confirm that the user group is assigned to the service group.
Check the connection between Ops Center Analyzer and Ops Center Automator.
Configuring settings for Ops Center Automator (when Ops Center Automator is the primary server)
To configure settings for connecting to Ops Center Automator when Ops Center Automator is set as the primary server:
1. Verify that the Ops Center Automator host name can be resolved as described in Verifying that the Ops Center Automator host name can be resolved.
2. Change the Common component settings (if Ops Center Automator and the Analyzer server are installed on separate hosts) as described in Changing Common component
settings.
3. Create user accounts as described in Creating user accounts.
4. Check the permissions of the user account as described in Checking user account permissions.
5. (Optional) Create Ops Center Automator service-integration definition files as described in Creating a definition file to connect with Ops Center Automator.
Verifying that the Ops Center Automator host name can be resolved
Verify that the Ops Center Automator host name can be resolved by the Analyzer server host and the host running the browser.
1. Log on to the host on which Ops Center Automator is installed as a user with root permission.
2. Display the Ops Center Automator URL by running the hcmds64chgurl command, and check the host name.
Automator-installation-directory/Base64/bin/hcmds64chgurl -list
3. On the Analyzer server host and the host running the browser, verify that you can resolve the Ops Center Automator host name reported by the hcmds64chgurl command.
If the name resolution fails, enable name resolution for the Ops Center Automator host name by using a method such as adding an entry to the hosts file.
If Ops Center Automator and the Analyzer server are installed on different hosts, you must change the settings of the Common component so that user accounts can be managed in
Ops Center Automator. If you want to centrally manage user information by using Common Services, you must perform the following procedure before connecting to Ops Center
Automator.
Note: If Ops Center Automator and the Analyzer server are installed on the same host, skip this procedure.
The host that manages the user accounts is called the primary server.
Perform the following steps to set Ops Center Automator as the primary server and the Analyzer server as the secondary server.
1. Log on to the host on which the Analyzer server is installed as a user with root permission.
2. Run the hcmds64prmset command to change the settings of the Common component.
For the host, port, and sslport options, specify information about the Ops Center Automator instance to use as the primary server. The default port number for non-SSL
communication is 22015, and the default port number for SSL communication is 22016.
User account information on the Analyzer server can now be managed in Ops Center Automator.
If you set the Analyzer server as a secondary server using the hcmds64prmset command, Ops Center Analyzer users (other than the system account and users with the User
Management permission) that were created previously will no longer be able to log on to the Analyzer server. In this case, you must use the Ops Center Analyzer web client to create
new user accounts that have Ops Center Analyzer permissions.
Note: This procedure only applies to local user authentication. If Common Services is used, this procedure is not necessary.
1. Log on to the Analyzer server by using the system account.
2. In the Administration tab, select User Management > Users and Permissions.
3. In the Users and Permissions window, select Users, and then click Add User.
4. Specify all required items, and then click OK.
5. From the list of users, click the link for the user account that you created in the previous step, and then click Change Permission.
6. Select the check box for Admin or Modify permission for IAA, and then click OK.
Check whether the user account used to connect to Ops Center Automator has the required permissions. Check the settings in Ops Center Automator.
1. Log on to Ops Center Automator as a user who belongs to the Admin group of Ops Center Automator.
2. Assign the user account that is used to connect to Ops Center Automator to an Ops Center Automator user group:
a. In the Administration tab, select Resources and Permissions > User Groups.
b. Select a user group that has permission to run services in Ops Center Automator. On the Users tab, click Assign to assign the user account to the user group.
3. Assign the user group to the service group of Ops Center Automator:
a. Select Resources and Permissions > Service Groups.
b. Select the service group of Ops Center Automator, and then select the Permissions tab.
c. Confirm that the user group is assigned to the service group.
Check the connection between Ops Center Analyzer and Ops Center Automator.
If you create a definition file to connect with Ops Center Automator, the Ops Center Automator service defined in that file is displayed in the Execute Action window. This allows you
to select the service. Information about the selected resources (such as resource names, IP addresses, and virtual host names) is inherited as parameters when the Submit Service
Request window of Ops Center Automator is opened. In addition, by specifying resource information as filtering conditions, you can display the Ops Center Automator services that
meet the conditions in the Execute Action window.
The sample definition files to connect with Ops Center Automator are stored in the following location:
Analyzer-server-installation-directory/Analytics/conf/template/automation_sample
Sample files usually must be revised to match your environment; however, the following sample file for the built-in service of Ops Center Automator can be used without change:
AllocateLikeVolumeswithConfigurationManager_016200.
In the definition file to connect with Ops Center Automator, filtering conditions are specified so that this service is displayed in the Execute Action window only when a volume
of the storage system is selected.
Note, however, that if you change the service group to which this service template is assigned from Default Service Group to a different service group in Ops Center Automator,
you must also change the contents of the sample file.
For details, see Format of definition files used to connect with Ops Center Automator.
1. Create a definition file corresponding to the service to run in Ops Center Automator.
In the definition file, you can define the property key to use for the Ops Center Automator service. If you specify information (variables) about the resource owned by Ops
Center Analyzer, you can apply the information about the specified resource in the service execution window of Ops Center Automator launched from Ops Center Analyzer.
2. Store the created definition file in the following location:
Analyzer-server-installation-directory/Analytics/conf/template/automation
3. Restart the Analyzer server or run the reloadtemplate command for changes to take effect.
The following items are set in the definition file used to connect with Ops Center Automator:
Format
specified-key-name=specified-value
File
Folder
Analyzer-server-installation-directory/Analytics/conf/template/automation
Update frequency
Indicates when the Analyzer server is started or the reloadtemplate command is run.
Content to specify
Specify each key name and value on a single line. The following rules apply when you specify settings in a definition file to connect with Ops Center Automator:
Setting descriptions
| Key name | Setting description | Specifiable values | Default value | Optional or required |
|---|---|---|---|---|
| SE.automation.template.serviceGroupName.string | Specify the service group name used in Ops Center Automator. | The same service group name as the one used in Ops Center Automator | N/A | Required |
| SE.automation.template.serviceName.string | Specify the service name used in Ops Center Automator. | The same service name as the one used in Ops Center Automator | N/A | Required |
| SE.template.filter.resourceName.string | Specify conditions to narrow down the resource names that appear in the Execute Actions list. (See note 1.) | Values of no more than 255 bytes that do not include control characters | Null character | Optional. If this key is omitted, the default value is used. |
| SE.template.filter.resourceType.string | Specify conditions to narrow down the types of resources that display in the Execute Actions list. (See note 1.) | Values of no more than 32 bytes that do not include control characters | Null character | Optional. If this key is omitted, the default value is used. |
| SE.template.filter.vmHostname.string | Specify conditions to narrow down the virtual machine names that display in the Execute Actions list. (See note 1.) | Values of no more than 64 bytes that do not include control characters | Null character | Optional. If this key is omitted, the default value is used. |
| SE.template.filter.ipaddress.string | Specify conditions for the IP addresses that display in the action list during resource selection. (See note 1.) | Values of no more than 255 bytes that do not include control characters | Null character | Optional. If this key is omitted, the default value is used. |
| SE.template.filter.upperResourceName.string | Specify conditions to narrow down the names of higher-level resources during resource selection. (See note 1.) | Values of no more than 512 bytes that do not include control characters | Null character | Optional. If this key is omitted, the default value is used. |
| SE.template.filter.upperResourceType.string | Specify conditions to narrow down the higher-level resource types during resource selection. (See note 1.) | Values of no more than 32 bytes that do not include control characters | Null character | Optional. If this key is omitted, the default value is used. |
| SE.automation.template.service.parameter.Ops Center Automator-service-property-key | Specify the property key (see note 2) used for the Ops Center Automator service. | Values of no more than 1,024 bytes that do not include control characters | Null character | Optional. If this key is omitted, the default value is used. |
Notes:
1. Settings display only when the Execute Action window is called from a resource that matches the specified conditions.
2. You cannot specify a property key whose data type is password or composite. To check the property key, use the flow window of the service template.
By using variables, you can set information about a selected resource as the value of a setting.
%ANALYTICS_VIRTUALMACHINENAME% Name of the virtual host Displays only when the resource is a virtual machine
To display information about virtual hosts and IP addresses, VMware Tools must be installed on virtual hosts.
Definition example
The following definition example displays the Ops Center Automator service for stopping virtual machines in the Execute Action window of the selected
virtual machine:
SE.automation.template.serviceGroupName.string=Services for VM
SE.automation.template.serviceName.string=Stop Virtual Machine
SE.template.filter.MultipleResources.boolean=true
SE.template.filter.resourceType.string=VM
SE.automation.template.service.parameter.vmware.foreachVmName=%ANALYTICS_IPADDRESS%
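The following added example (not part of the Hitachi documentation or product) lints a definition file against the required keys and byte limits in the setting-descriptions table before you store it in the automation folder. It assumes UTF-8 byte counting and that lines starting with # are comments; the function names and the duplicate-key check are choices of this example, and keys that the table does not list are reported as unchecked rather than rejected.

```python
"""Lint a definition file used to connect with Ops Center Automator (added example)."""

REQUIRED_KEYS = (
    "SE.automation.template.serviceGroupName.string",
    "SE.automation.template.serviceName.string",
)

# Maximum value size in bytes, taken from the setting-descriptions table.
FILTER_LIMITS = {
    "SE.template.filter.resourceName.string": 255,
    "SE.template.filter.resourceType.string": 32,
    "SE.template.filter.vmHostname.string": 64,
    "SE.template.filter.ipaddress.string": 255,
    "SE.template.filter.upperResourceName.string": 512,
    "SE.template.filter.upperResourceType.string": 32,
}
PARAM_PREFIX = "SE.automation.template.service.parameter."
PARAM_LIMIT = 1024


def byte_limit_for(key):
    """Return the documented byte limit for a key, or None if the table has none."""
    if key in FILTER_LIMITS:
        return FILTER_LIMITS[key]
    if key.startswith(PARAM_PREFIX) and len(key) > len(PARAM_PREFIX):
        return PARAM_LIMIT
    return None


def has_control_chars(value):
    """True if the value contains an ASCII control character (including tab and DEL)."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def lint_definition(text):
    """Return (errors, unchecked_keys) for the text of one definition file."""
    errors, unchecked, seen = [], [], set()
    # Split on "\n" only, so other control characters stay inside the value.
    for lineno, raw in enumerate(text.split("\n"), start=1):
        line = raw.rstrip("\r")
        # Assumption: blank lines and lines starting with "#" carry no setting.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            errors.append(f"line {lineno}: not in key-name=value form")
            continue
        if key in seen:  # lint choice of this example, not a documented rule
            errors.append(f"line {lineno}: duplicate key {key}")
        seen.add(key)
        limit = byte_limit_for(key)
        if key in REQUIRED_KEYS:
            if not value.strip():
                errors.append(f"line {lineno}: required key {key} has no value")
        elif limit is None:
            unchecked.append(key)
        else:
            size = len(value.encode("utf-8"))  # assumption: UTF-8 byte count
            if size > limit:
                errors.append(f"line {lineno}: {key} is {size} bytes (limit {limit})")
            if has_control_chars(value):
                errors.append(f"line {lineno}: {key} contains a control character")
    for key in REQUIRED_KEYS:
        if key not in seen:
            errors.append(f"missing required key {key}")
    return errors, unchecked


# The definition example from this guide.
PAGE_EXAMPLE = "\n".join([
    "SE.automation.template.serviceGroupName.string=Services for VM",
    "SE.automation.template.serviceName.string=Stop Virtual Machine",
    "SE.template.filter.MultipleResources.boolean=true",
    "SE.template.filter.resourceType.string=VM",
    "SE.automation.template.service.parameter.vmware.foreachVmName=%ANALYTICS_IPADDRESS%",
])

# Constructed sample with four defects: oversized filter value, a tab in a
# parameter value, a line without "=", and no serviceName key.
BAD_SAMPLE = "\n".join([
    "SE.automation.template.serviceGroupName.string=Services for VM",
    "SE.template.filter.resourceType.string=" + "V" * 33,
    "SE.automation.template.service.parameter.vmware.foreachVmName=a\tb",
    "this line has no separator",
])

if __name__ == "__main__":
    for name, sample in (("page example", PAGE_EXAMPLE), ("bad sample", BAD_SAMPLE)):
        errs, skipped = lint_definition(sample)
        print(name, "errors:", errs, "unchecked:", skipped)
```
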
If you no longer integrate Ops Center Analyzer with Ops Center Automator, or if you want to remove Ops Center Analyzer, remove the authentication information about the
secondary server from the primary server, and reset the settings of the Common component.
1. Log on to the host of the primary server as a user with root permission.
2. Run the hcmds64intg command to remove the authentication information about the secondary server from the primary server.
The following is an example of running the command if the Analyzer server is a primary server:
For the type option, specify either of the following as the component name for the secondary server where the authentication information is to be deleted:
If you are prompted to enter a username, enter a user ID for the primary server that has the User Management permission.
Automator-installation-directory/Base64/bin/hcmds64prmset -setprimary
The relationship between the primary server and the secondary server is released, and user accounts are managed at each host.
User accounts that were registered before connecting to the primary server can be used again in the secondary server.
Note: If Ops Center Automator was used as the primary server, after the Common component settings are removed, the user accounts created on the Analyzer server remain in Ops
Center Automator. If these user accounts are no longer necessary, delete them in the user management window of Ops Center Automator.
Configuring initial settings for limiting the I/O activity of Hitachi storage resources
The I/O control configuration feature of Ops Center Analyzer enables storage administrators to prioritize I/O activity. You can set the upper limit of IOPS processed by volumes during
critical workload periods and optimize the performance of resources in a shared infrastructure.
The I/O control feature requires the Server Priority Manager function provided by Hitachi storage systems. To configure Analyzer to work with the Server Priority Manager, use one of
the following methods:
Set up an environment in advance by using the Ops Center API Configuration Manager and Ops Center Automator.
The following figure shows the workflow for configuring I/O controls for the target storage resource by connecting with the Ops Center API Configuration Manager and Ops Center
Automator.
Ops Center API Configuration Manager and Ops Center Automator must be installed.
The target storage systems must have the Server Priority Manager function enabled.
You must have a user account with storage administrator permission for the target storage systems.
You cannot configure I/O controls if volumes use NVMe over Fabrics (NVMe-oF).
The procedure for configuring the Ops Center Automator environment is the same as the procedure described in the explanation about configuring the initial settings for connecting
with Ops Center Automator. For details, see Initial setup for connecting with Ops Center Automator.
For details about using Ops Center API Configuration Manager and Ops Center Automator, see the following manuals:
For details about how to enable Server Priority Manager functionality, see the manuals for your storage systems.
Note: The Ops Center API Configuration Manager cannot manage the Server Priority Manager functions if the functions are being managed by another program (such as Storage
Navigator) in the storage system. To use the I/O control configuration function of Ops Center Analyzer, delete all the Server Priority Manager settings from the other program (such
as Storage Navigator), and then continue.
Before initiating the services for I/O control tasks between Ops Center Analyzer and Ops Center Automator, you must register the target storage systems in the Ops Center API
Configuration Manager.
You can register storage system information by running a script. Script files are provided with the Analyzer probe server.
1. Specify Ops Center API Configuration Manager information in the following file:
Analyzer-Probe-server-installation-directory/Analytics/sample/config.sh
2. Create a JSON-format text file (with the extension "json") that contains information about the storage system to register in Ops Center API Configuration Manager.
For the format of the JSON file, see the following sample files:
For VSP G200, G400, G600, G800, VSP G1000, G1500, VSP F400, F600, F800, VSP F1500, or VSP 5000 series:
Analyzer-Probe-server-installation-directory/Analytics/sample/registerSvpStorage.json
For VSP One B20, VSP E series, VSP G350, G370, G700, G900, VSP F350, F370, F700, F900:
Analyzer-Probe-server-installation-directory/Analytics/sample/registerGumStorage.json
For details about the items to specify in the JSON file, see the descriptions about registration of storage systems in the Hitachi Ops Center API Configuration Manager REST
API Reference Guide.
3. Specify the created JSON file as an argument, and then run the script.
For userID, specify an account that belongs to the Administrator user group.
4. From the script result, note the value of storageDeviceID. You need this value in the next task. Alternatively, you can check the result by running the following script:
./operate_storage.sh list
Note:
If a VSP G1000 storage system is registered in the Ops Center API Configuration Manager, and SSL is enabled between the Ops Center API Configuration Manager
and the storage system, the storage system cannot be registered on another instance of the Ops Center API Configuration Manager. For details about SSL
communication settings, see the Hitachi Ops Center API Configuration Manager REST API Reference Guide.
For linking Ops Center API Configuration Manager with Hitachi Enterprise Storage Probe, see Collecting additional configuration metrics with Hitachi Ops Center API
Configuration Manager.
Setting up Ops Center Automator to run the I/O control configuration function
Download the service template for I/O control configuration from the Ops Center Analyzer GUI, and then register the target storage system and set services in the Ops Center
Automator GUI.
If you are not using the infrastructure group functionality, specify "IG_Default Service Group".
Note:
If any name other than "ConfigurationManager" is specified for the category, you must edit the file config_user.properties.
If any name other than "ConfigurationManager" is specified, an error message is displayed when you connect with the Ops Center API Configuration Manager by
clicking the Test button. Despite this error message, the I/O control configuration function operates normally when the correct value is registered to each field.
When registering storage system information in Ops Center Automator, use a user account that is used for the I/O control configuration function. If you attempt to
register storage system information by using a user account that is being used in another application (such as RAID Agent), I/O control configuration tasks will fail.
3. Create an Ops Center Automator user group to use in Ops Center Analyzer.
a. On the Administration tab, select Resources and Permissions > User Groups.
b. Click Create, and then specify a name for the user group.
Note: If any name other than "AnalyticsGroup" is specified for the user group name, you must edit the configuration file.
4. Import the service templates in Ops Center Automator.
a. Decompress the file AnalyticsServiceTemplate.zip to a location of your choice.
b. On the Service Templates tab, click Import.
c. Click Browse, and then specify one of the following zip files:
If you are using Automation Director version 8.5.0:
ServiceTemplate_03.00.02.zip
If you are using Automation Director version 8.5.1 or later, or Ops Center Automator version earlier than 10.8.0:
ServiceTemplate_03.20.00.zip
ServiceTemplate_10.00.00.zip
10. If you use a name other than the recommended name for the service group name, category name, or service name, edit the config_user.properties file.
Specify the values set in Ops Center Automator.
The location of the config_user.properties file is as follows:
Analyzer-server-installation-directory/Analytics/conf
This example describes how to use Ops Center Analyzer and Ops Center API Configuration Manager to configure the I/O control settings for the target storage resources with user-defined scripts.
1. Create the script files: one for the create or modify operation and another for the delete operation.
2. Specify the script file name in the built-in template file.
3. Submit an I/O control task from the Ops Center Analyzer Operations tab or from the Analyze Bottleneck > Analyze Shared Resources window.
4. Running the script is initiated by Ops Center Analyzer after you submit the I/O control task.
5. Check the status of the script on the Ops Center Analyzer Events tab.
The prerequisites for setting I/O controls by using the script file to run the Ops Center API Configuration Manager are as follows:
You must have the Ops Center Analyzer User Interface login credentials with StorageOps permissions to configure the I/O control settings.
Make sure the Ops Center API Configuration Manager is installed on a host. For installation instructions, see the Hitachi Ops Center API Configuration Manager REST API
Reference Guide.
Make sure the target storage systems are registered on the Ops Center API Configuration Manager.
Make sure the Server Priority Manager function is enabled for the target storage systems.
You must have a user account with storage administrator permission for the target storage systems.
Analyzer server can run user-defined script files for creating, updating and deleting storage I/O control settings.
1. Create the script files. You must create one script file for the create or update operation and another for the delete operation. You can specify any file name.
2. Save the script file anywhere on the Analyzer server.
You can set the upper limit of I/O activity for the volumes in a shared infrastructure. You can also update the existing I/O settings. While creating the scripts, you must determine the
logical workflow for the successful completion of a task, that is, the sequence of tasks for creating or updating I/O control settings for the target storage resources.
The *.json file, which includes the I/O control parameters that you input from the UI. The *.json file is autocreated by the system after you submit the I/O control task using the
Ops Center Analyzer UI.
Storage device ID
LDEV ID
Host WWN
The user-environment configuration details include the following:
storage-account-user-name
storage-account-password
API-Configuration-Manager-host-name
API-Configuration-Manager-protocol
API-Configuration-Manager-access-port
For example, when you run the script, it reads the *.json file to obtain the storage device ID based on which it determines the user-environment configuration details.
The sequence of tasks for creating or updating the I/O control settings is as follows:
The request returns a list of volumes enabled for I/O control settings.
3. Determine whether the request is to create or update by comparing the input I/O control settings and the existing settings.
For a creation request
Identify the volumes for which I/O control settings are already configured.
4. Access the Ops Center API Configuration Manager to run the create request for the volumes without I/O control settings.
An example of the curl command used to create the I/O control settings for the target storage resources is as follows:
json={\"ldevId\":ldevId,\"hostWwn\":\"wwn\",\"upperLimitForIops\":upperLimit}
curl --user storage-account-user-name:storage-account-password -H "Accept:application/json" -H "Content-Type:application/json" -X POST -d $json "API-Configuration-Manager-protocol://API-Configuration-Manager-host-name(or IP address):API-Configuration-Manager-access-port/ConfigurationManager/v1/objects/storages/storageDeviceID/io-control-ldev-wwns-iscsis/"
5. Access the Ops Center API Configuration Manager to run the update request for the volumes already configured with I/O control settings.
An example of the curl command used to update the I/O control settings:
json={\"upperLimitForIops\":upperLimit}
curl --user storage-account-user-name:storage-account-password -H "Accept:application/json" -H "Content-Type:application/json" -X PUT -d $json "API-Configuration-Manager-protocol://API-Configuration-Manager-host-name(or IP address):API-Configuration-Manager-access-port/ConfigurationManager/v1/objects/storages/storageDeviceID/io-control-ldev-wwns-iscsis/ldevId,hostWwn"
Note: The sample curl commands require you to provide the user credentials to access the resources in the protected zone. Apply security measures to protect the sensitive
information.
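The create-or-update decision from steps 3 to 5, sketched in Python as an added example (not code from this guide or from Hitachi). It validates the task file before any value is placed in a request path and reads the storage account from an owner-only file rather than from the command line; the shape of the existing-settings list and the user:password credential file are assumptions.

```python
import json
import os
import re
import stat

# Path taken from the curl samples; {sid} is the storageDeviceID.
API_PATH = "/ConfigurationManager/v1/objects/storages/{sid}/io-control-ldev-wwns-iscsis/"
SID_RE = re.compile(r"[0-9]{12}")        # assumption: 12 digits, as in the sample file
WWN_RE = re.compile(r"[0-9a-fA-F]{16}")  # assumption: 16 hex digits, as in the sample file

# Constructed task file in the shape of the autocreated *.json file.
TASK_JSON = """
{"storageDeviceId": "836000123456",
 "IOControlParameter": [
   {"ldevId": 101, "hostWwn": "000000102cceccc9", "upperLimitForIops": 50},
   {"ldevId": 102, "hostWwn": "000000102cceccc0", "upperLimitForIops": 400}]}
"""

# Constructed stand-in for the volumes that already have I/O control settings
# (assumed shape; take the real field names from the REST API reference).
EXISTING = [{"ldevId": 101, "hostWwn": "000000102CCECCC9", "upperLimitForIops": 100}]


def load_task(text):
    """Parse the task JSON and reject values that are unsafe to put in a URL."""
    doc = json.loads(text)
    sid = str(doc["storageDeviceId"])
    if not SID_RE.fullmatch(sid):
        raise ValueError("unexpected storageDeviceId: %r" % sid)
    entries = []
    for item in doc["IOControlParameter"]:
        ldev, wwn, limit = item["ldevId"], item["hostWwn"], item["upperLimitForIops"]
        if type(ldev) is not int or ldev < 0:
            raise ValueError("ldevId must be a non-negative integer: %r" % (ldev,))
        if not isinstance(wwn, str) or not WWN_RE.fullmatch(wwn):
            raise ValueError("hostWwn must be 16 hex digits: %r" % (wwn,))
        if type(limit) is not int or limit < 1:
            raise ValueError("upperLimitForIops must be a positive integer: %r" % (limit,))
        entries.append({"ldevId": ldev, "hostWwn": wwn.lower(), "upperLimitForIops": limit})
    return sid, entries


def plan_requests(sid, entries, existing):
    """Return (method, path, body) tuples: POST for new pairs, PUT for changed ones."""
    current = {(e["ldevId"], e["hostWwn"].lower()): e["upperLimitForIops"] for e in existing}
    base = API_PATH.format(sid=sid)
    plan = []
    for entry in entries:
        key = (entry["ldevId"], entry["hostWwn"])
        limit = entry["upperLimitForIops"]
        if key not in current:
            plan.append(("POST", base, dict(entry)))
        elif current[key] != limit:
            plan.append(("PUT", "%s%d,%s" % (base, key[0], key[1]), {"upperLimitForIops": limit}))
        # Same limit already set: no request (a choice made in this example).
    return plan


def load_credentials(path):
    """Read 'user:password' from a file that only its owner can read or write."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError("%s has mode %o; expected 600" % (path, mode))
    with open(path, encoding="utf-8") as handle:
        user, _, password = handle.readline().rstrip("\n").partition(":")
    if not user or not password:
        raise ValueError("credential file must contain user:password")
    return user, password


if __name__ == "__main__":
    storage_id, wanted = load_task(TASK_JSON)
    for method, path, body in plan_requests(storage_id, wanted, EXISTING):
        print(method, path, json.dumps(body))
```

Passing the account with curl --user, as in the samples, exposes it in the process list for the lifetime of the command; reading it inside the script avoids that.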
You can delete the I/O control settings when the requirements change and you no longer want to limit the I/O control activity. While creating the scripts, you must determine the
logical workflow for the successful completion of a task, that is, the logical sequence of tasks to delete the I/O control settings for the target storage resources.
The *.json file, which includes the I/O control parameters that you input from the UI. The *.json file is autocreated by the system after you submit the I/O control task using
the Ops Center Analyzer UI.
Storage device ID
LDEV ID
Host WWN
The user-environment configuration details include the following:
storage-account-user-name
storage-account-password
API-Configuration-Manager-host-name
API-Configuration-Manager-protocol
API-Configuration-Manager-access-port
For example, when you run the script, it reads the *.json file to get the storage device ID that determines the user-environment configuration details.
The logical order of tasks to include in the script for deleting the I/O control settings is as follows:
The request returns a list of volumes enabled for I/O control settings.
3. Determine whether the target volumes exist and whether they are enabled for I/O control settings by initiating a comparison between the input I/O control settings and the
existing settings.
4. Access the Ops Center API Configuration Manager to delete the I/O control settings for the target volumes.
An example of the curl command used to delete the I/O control settings is as follows:
Note: The sample curl commands require you to provide the user credentials of the storage system to access the storage resources. Apply security measures to protect the
sensitive information.
The built-in command template files contain details about the script files for configuring I/O control settings. You must edit the built-in command templates to specify the script file
path.
1. Edit the built-in command templates to specify the script file path.
The templates are stored in the following location:
Analyzer-server-installation-directory/Analytics/conf/template/command/Built-in
2. For creating or updating the I/O control settings, edit the BuiltinTemplateIoControlModify.txt file.
An example of the BuiltinTemplateIoControlModify.txt:
3. For deleting the I/O control settings, edit the BuiltinTemplateIoControlDelete.txt file.
An example of the BuiltinTemplateIoControlDelete.txt:
The prerequisites for the keys included in the built-in command definition file are as follows:
SE.cmd.template.timeOut.num is the timeout period that specifies the system response after the command runs. The default value is 18,000,000 milliseconds.
You can specify a value from 1 millisecond to 2,147,483,647 milliseconds.
SE.cmd.template.cmdName.string specifies the command name. Specify the absolute path to the command. You can specify a value from 0 to 255 bytes that does
not include control characters. To specify \, type \\.
4. Restart the Analyzer server or run the reloadtemplate command for changes to take effect.
You must submit an I/O control task using the Ops Center Analyzer UI.
Make sure you have specified the names of the script files that you want to run in the built-in command template files.
You must be logged in to the Ops Center Analyzer UI with StorageOps permissions.
Ops Center Analyzer lets you configure the I/O control settings by running the user-defined scripts.
1. After you submit the I/O control task, the system automatically creates a *.json file with the input I/O control parameters.
Sample file format of the *.json file:
{
"storageDeviceId":"836000123456",
"IOControlParameter":
[{
"ldevId":101,
"hostWwn":"000000102cceccc9",
"upperLimitForIops":50},
{
"ldevId":102,
"hostWwn":"000000102cceccc0",
"upperLimitForIops":400
}]
}
2. The system then inputs the following parameters to the script files:
Ops Center Analyzer user name
You can use this information to track the users running the script files.
You can verify whether the scripts ran successfully. The script task is logged as an information event on the Events tab.
1. From the Ops Center Analyzer home page, click the Events tab.
2. Click the All Events or System Events tab to track the status of the script.
The name of the script file is displayed as the command action name.
Note: You can only track the status of the script on the Events tab. The status and results of the I/O control task based on the user definition script cannot be viewed under
History.
If you enable Granular Data Collection from Ops Center Analyzer, the RAID Agent commands are run remotely, and performance data (in units of seconds) for the monitored storage
systems is output in CSV format. You can use this data for further analysis.
Before enabling Granular Data Collection, make sure the following conditions are satisfied:
Configure SSH on both the Analyzer server and the RAID Agent host.
Register the storage systems to be monitored by using Granular Data Collection on the Analyzer server.
You must enable SSH to use Granular Data Collection to remotely run commands on the RAID Agent host from the Ops Center Analyzer server.
Note: If Red Hat Enterprise Linux or Oracle Linux 9 is used on the connection-destination Analyzer server or RAID Agent host, OpenSSH must be 7.4p or later.
To enable SSH, specify the following settings:
Create the public and private keys used for SSH on the Analyzer server. You can use both the RSA and DSA cryptography key types.
ssh-keygen -t rsa
ssh-keygen -t dsa
Note: In the default encryption policies of Red Hat Enterprise Linux 9 and Oracle Linux 9, DSA algorithms are disabled.
2. Specify the full pathname of the file where the private key will be stored.
When you are prompted to enter the password for the private key, press Enter. When you are prompted again, press Enter again.
4. Run the chmod command to specify 600 as the attribute of the private key.
The private key and public key for authentication are created.
Configure the public key authentication.
1. Navigate to the .ssh directory. Specify 700 as the attribute of the directory.
Note: If there is no .ssh directory, create one.
2. Add the contents of the Analyzer server public key file to the authentication key file of the RAID Agent host.
3. Run the chmod command to specify 600 as the attribute of the authentication key file.
The following is an example of running the command. In this example, the host name of the Analyzer server where keys are created is "HIAAHost", and the host name of the
RAID Agent host is "AgentHost".
[root@AgentHost ]$ cd .ssh
4. Set the authentication key file as the value of AuthorizedKeysFile in the /etc/ssh/sshd_config file.
Note: By default, ~/.ssh/authorized_keys or .ssh/authorized_keys is set as the value of AuthorizedKeysFile. If you have changed the path of the authentication key file,
revise the value of AuthorizedKeysFile.
5. Specify yes for the value of PubkeyAuthentication in the /etc/ssh/sshd_config file.
6. Specify prohibit-password or yes for the value of PermitRootLogin in the /etc/ssh/sshd_config file.
7. Restart the sshd.
Note: For details about the items to specify in sshd_config and how to specify settings, see the documentation for the SSH server that you plan to use.
8. Run the ssh -T command and verify that the settings updated in the /etc/ssh/sshd_config file have been applied.
Note: The settings updated in the /etc/ssh/ssh_config.d/*.conf file might be applied instead of those updated in the /etc/ssh/sshd_config file.
The public key is registered to the RAID Agent host, and the authentication is configured.
Verify the SSH connection.
Verify whether an SSH connection can be established between the Analyzer server and the RAID Agent host.
If a connection is successfully established without any prompt for an identity, SSH configuration is complete. If an error occurs or you are prompted to enter a password and a
passphrase, check whether the settings are configured as described.
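A check for the file permissions and server settings this procedure asks for, as an added Python example (not part of this guide). It takes the effective server settings as text in the form that sshd -T prints them, which is an assumption of the example, and the sample output in it is constructed.

```python
import os
import stat

# Settings the procedure requires, keyed by the lowercase keywords that
# `sshd -T` prints (using that output is an assumption of this example).
# without-password is the older alias of prohibit-password and may appear
# in the output instead of it.
REQUIRED = {
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"prohibit-password", "without-password", "yes"},
}

# Constructed excerpt of effective settings; PermitRootLogin is wrong here.
SAMPLE_EFFECTIVE = """\
permitrootlogin no
pubkeyauthentication yes
authorizedkeysfile .ssh/authorized_keys
"""


def check_mode(path, expected):
    """Return a finding if the permission bits of path differ from expected."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != expected:
        return "%s: mode is %o, expected %o" % (path, mode, expected)
    return None


def check_key_files(ssh_dir, key_file="authorized_keys"):
    """Check the .ssh directory (700) and the authentication key file (600)."""
    findings = [
        check_mode(ssh_dir, 0o700),
        check_mode(os.path.join(ssh_dir, key_file), 0o600),
    ]
    return [finding for finding in findings if finding]


def check_sshd_settings(effective_text, key_file=".ssh/authorized_keys"):
    """Compare effective sshd settings with the values the procedure calls for."""
    seen = {}
    for line in effective_text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        seen.setdefault(keyword.lower(), value.strip())
    findings = []
    for keyword, allowed in REQUIRED.items():
        value = seen.get(keyword)
        if value is None or value.lower() not in allowed:
            findings.append("%s is %r, expected one of %s" % (keyword, value, sorted(allowed)))
    if key_file not in seen.get("authorizedkeysfile", "").split():
        findings.append("authorizedkeysfile does not list %s" % key_file)
    return findings


if __name__ == "__main__":
    for finding in check_sshd_settings(SAMPLE_EFFECTIVE):
        print(finding)
```

The same check_mode call with 0o600 covers the private key on the Analyzer server, which matters more than usual here because the procedure creates it without a passphrase.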
Use a definition file to register the storage systems when performance information (in seconds) is collected by using the Granular Data Collection feature in Ops Center Analyzer.
Definition file
storage_agent_map.txt
Location
Analyzer-server-installation-directory/Analytics/bin/command/granular
Definition items
Model name of the storage system | Model name of the storage system | Required
Serial number of the storage system | Serial number of the storage system | Required
IP address of the RAID Agent host | IP address of the RAID Agent host | Required
Port number of the RAID Agent host | Port number of the RAID Agent host | Optional
Instance name for collecting performance information (in seconds) | The name of the instance for which you want to collect performance information (in seconds) | Optional
Use of a proxy server | Whether to use a proxy server for communication between the Analyzer server and the RAID Agent host. | Optional
URL of the proxy server | The URL of the proxy server. If you use a proxy server, you must specify a value for this item. | Optional
Authentication information for the proxy server | Authentication information for the proxy server (user-name:password). | Optional
In the definition file example below, the following two storage systems are registered to be monitored once per second.
VSP F1500
VSP G1000
Storage system | VSP F1500 | VSP G1000
Instance name for collecting performance information (in seconds) | Not set | INSTANCE1
Authentication information for the proxy server | Not set | Not set
VSP F1500,123456,10.196.1.2
VSP G1000,7890,10.196.1.3,24221,INSTANCE1
Configuring initial settings for enabling the Analyzer server audit log
The audit log provides a record of all user operations on the Analyzer server. The audit log tracks events from several categories such as external services, authentication,
configuration access, start and stop services. By examining the audit log, you can check the system usage status or audit for unauthorized access.
The following table lists and describes the categories of audit log data that can be generated from products that use the Common component. Different products generate different
types of audit log data.
Categories Description
Starting or stopping software on a storage system or SVP, and products that use the Common component
Hardware failures
Authentication Events indicating that a device, administrator, or end user succeeded or failed in connection or authentication:
Device authentication (Fibre Channel - Security Protocol authentication, iSCSI login authentication, SSL server/client authentication)
AccessControl Events indicating that a device, administrator, or end user succeeded or failed in gaining access to resources:
ContentAccess Events indicating that attempts to access important data succeeded or failed:
ConfigurationAccess Events indicating that the administrator succeeded or failed in performing an allowed operation:
Security configuration
AnomalyEvent Events indicating that an anomaly, such as a threshold being exceeded, occurred:
Pre-notification that a limit is being reached or a wraparound occurred for audit log data temporarily saved internally
To enable the audit log of the Analyzer server and change the audit events to be output to the audit log, first configure the environment configuration file (auditlog.conf) for the
Common component. Then you must restart the Analyzer server.
Note:
If the Analyzer server is installed by using a virtual appliance, the audit log is enabled by default.
If the Analyzer server is installed by using the installer, the audit log is disabled by default. Enable the settings as required.
A large volume of audit log data might be output. Change the log file size and back up or archive the generated log files accordingly.
Common-component-installation-directory/conf/sec/auditlog.conf
Note: The auditlog.conf file is an environment configuration file for the Common component. Therefore, if another product that uses the Common component is installed on
the same host as the Analyzer server, the audit log settings will be shared among both products.
3. To enable audit logging, specify the audit event categories for the Log.Event.Category property in the auditlog.conf file.
4. To disable audit logging, delete all audit event categories specified for the Log.Event.Category property in the auditlog.conf file.
5. Restart the Analyzer server services.
You can specify the audit event categories and severity to be output in the auditlog.conf file.
The following shows the items you can set in the auditlog.conf file.
Log.Facility
Specify a numeric value for the facility (the log type) required to output audit log data to the syslog file. (Default value: 1)
The following table shows the correspondence between the specifiable values for Log.Facility and the facility defined in the syslog.conf file.
1 user
2 mail*
3 daemon
4 auth*
6 lpr*
16 local0
17 local1
18 local2
19 local3
20 local4
21 local5
22 local6
23 local7
To filter audit logs output to the syslog file, you can combine the facility specified for Log.Facility and the severity specified for each audit event.
The following table shows the correspondence between the severity of audit events and the severity defined in the syslog.conf file.
0 emerg
1 alert
2 crit
3 err
4 warning
5 notice
6 info
7 debug
Log.Event.Category
When specifying multiple categories, use commas (,) to separate them. In this case, do not insert spaces between categories and commas. If Log.Event.Category is not
specified, audit log data is not output. Log.Event.Category is not case-sensitive. If an invalid category name is specified, the specified file name is ignored.
Valid categories: StartStop, Failure, LinkStatus, ExternalService, Authentication, AccessControl, ContentAccess, ConfigurationAccess, Maintenance, or AnomalyEvent
# Specify an integer for Facility. (specifiable range: 1-23)
Log.Facility 1
Log.Facility 1 outputs the audit log data to the syslog file that is defined as the user facility in the syslog.conf file.
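The guide says an invalid category name is ignored and that no audit log data is output when Log.Event.Category is not specified, so a typo in auditlog.conf can silently drop events. A small linter for the file, as an added Python example (not a Hitachi tool): it assumes Log.Event.Category uses the same key-then-value layout shown for Log.Facility, the required categories are an example policy of the caller, and the sample files are constructed.

```python
VALID_CATEGORIES = [
    "StartStop", "Failure", "LinkStatus", "ExternalService", "Authentication",
    "AccessControl", "ContentAccess", "ConfigurationAccess", "Maintenance", "AnomalyEvent",
]

# Values listed in the guide's Log.Facility table.
FACILITIES = {1: "user", 2: "mail", 3: "daemon", 4: "auth", 6: "lpr"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})

# Constructed sample with mistakes: unlisted facility, a space, a misspelled category.
BAD_CONF = """\
# Specify an integer for Facility.
Log.Facility 5
Log.Event.Category Authentication, ConfigAccess,startstop
"""

# Constructed sample that passes the checks.
GOOD_CONF = """\
Log.Facility 1
Log.Event.Category Authentication,AccessControl,ConfigurationAccess
"""


def parse_conf(text):
    """Return {key: value} for 'key value' lines, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def lint_auditlog(text, required=("Authentication", "AccessControl", "ConfigurationAccess")):
    """Return (enabled_categories, findings) for the text of an auditlog.conf file."""
    settings = parse_conf(text)
    findings = []
    facility = settings.get("Log.Facility", "1")  # the default value is 1
    if not facility.isdigit() or int(facility) not in FACILITIES:
        findings.append("Log.Facility %r is not in the facility table" % facility)
    value = settings.get("Log.Event.Category", "")
    if not value:
        findings.append("Log.Event.Category is empty: no audit log data is output")
        return [], findings
    if any(ch.isspace() for ch in value):
        # How the product treats the spaces is not described; only report them.
        findings.append("Log.Event.Category contains spaces")
    known = {name.lower(): name for name in VALID_CATEGORIES}  # not case-sensitive
    enabled = []
    for name in value.split(","):
        canonical = known.get(name.strip().lower())
        if canonical is None:
            findings.append("unknown category %r" % name.strip())
        elif canonical not in enabled:
            enabled.append(canonical)
    for name in required:
        if name not in enabled:
            findings.append("required category %s is not enabled" % name)
    return enabled, findings


if __name__ == "__main__":
    categories, problems = lint_auditlog(BAD_CONF)
    print(categories)
    for problem in problems:
        print(problem)
```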
The following shows the format of data output to the audit log:
syslog-header-message message-part
The format of the syslog-header-message differs depending on the OS environment settings. If necessary, change the settings.
For example, if you use rsyslog and specify the following in /etc/rsyslog.conf, messages are output in a format corresponding to RFC5424:
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
The format and contents of message-part are described below. In message-part, a maximum of 953 single-byte characters can be displayed in a syslog file.
uniform-identifier,unified-specification-revision-number,serial-number,message-ID,date-and-time,detected-entity,detected-location,audit-event-type,audit-event-result,audit-event-result-subject-identification-information,hardware-identification-information,location-information,location-identification-information,FQDN,redundancy-identification-information,agent-information,request-source-host,request-source-port-number,request-destination-host,request-destination-port-number,batch-operation-identifier,log-data-type-information,application-identification-information,reserved-area,message-text
Item* Description
date-and-time The date and time when the message was output. This item is output in the format of yyyy-mm-ddThh:mm:ss.stime-zone.
The following is an example of the message portion of an audit log login event:
CELFSS,1.1,0,KAPM01124-I,2017-05-15T14:08:23.1+09:00,HBase-SSO,management-host,Authentication,Success,uid=system,,,,,,,,,,,,BasicLog,,,"The login was successful. (session ID = session ID)"
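Splitting message-part into its 25 named fields makes the audit log usable for review, for example counting failed authentications per subject. The parser below is an added Python example (not Hitachi code): it assumes the message part always starts with the CELFSS identifier seen in the sample, and the syslog headers, the Failed result value and the KAPMxxxxx-W placeholder message ID in its sample lines are constructed.

```python
import csv
import io
from collections import Counter

# Field names in the order given for message-part (hyphens changed to underscores).
FIELDS = [
    "uniform_identifier", "unified_specification_revision_number", "serial_number",
    "message_id", "date_and_time", "detected_entity", "detected_location",
    "audit_event_type", "audit_event_result",
    "audit_event_result_subject_identification_information",
    "hardware_identification_information", "location_information",
    "location_identification_information", "fqdn",
    "redundancy_identification_information", "agent_information",
    "request_source_host", "request_source_port_number",
    "request_destination_host", "request_destination_port_number",
    "batch_operation_identifier", "log_data_type_information",
    "application_identification_information", "reserved_area", "message_text",
]
MARKER = "CELFSS,"  # assumption: the uniform identifier is always CELFSS
SUBJECT = "audit_event_result_subject_identification_information"

# The guide's login example: 12 commas leave fields 11 to 21 empty.
PAGE_SAMPLE = ('CELFSS,1.1,0,KAPM01124-I,2017-05-15T14:08:23.1+09:00,HBase-SSO,'
               'management-host,Authentication,Success,uid=system' + "," * 12 +
               'BasicLog,,,"The login was successful. (session ID = session ID)"')

# Constructed lines: syslog header, result value and message ID are placeholders.
TEMPLATE = ('Jan  4 08:3{n}:00 mgmt01 audit: CELFSS,1.1,{n},KAPMxxxxx-W,'
            '2025-01-04T08:3{n}:00.0+09:00,HBase-SSO,management-host,'
            'Authentication,Failed,{sub}' + "," * 12 + 'BasicLog,,,"The login failed."')
SAMPLE_LINES = [
    TEMPLATE.format(n=1, sub="uid=admin"),
    TEMPLATE.format(n=2, sub="uid=admin"),
    TEMPLATE.format(n=3, sub="uid=admin"),
    TEMPLATE.format(n=4, sub="uid=ops"),
    "Jan  4 08:35:00 mgmt01 audit: " + PAGE_SAMPLE,
    "Jan  4 08:36:00 mgmt01 audit: CELFSS,1.1,7,KAPMxxxxx-W,2025",  # cut short
    "Jan  4 08:37:00 mgmt01 crond[811]: unrelated line",
]


def parse_message_part(line):
    """Return the message part as a dict, or None if the line has no message part."""
    start = line.find(MARKER)
    if start < 0:
        return None
    # csv handles the quoted message-text, which may itself contain commas.
    row = next(csv.reader(io.StringIO(line[start:])))
    if len(row) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(row)))
    return dict(zip(FIELDS, row))


def failed_authentications(lines, threshold=3):
    """Return ({subject: count} at or above threshold, number of unparsable lines)."""
    counts = Counter()
    skipped = 0
    for line in lines:
        try:
            event = parse_message_part(line)
        except (ValueError, csv.Error):
            skipped += 1  # for example a message part cut off by the length limit
            continue
        if event is None:
            continue
        if event["audit_event_type"] == "Authentication" and event["audit_event_result"] != "Success":
            counts[event[SUBJECT]] += 1
    return {subject: n for subject, n in counts.items() if n >= threshold}, skipped


if __name__ == "__main__":
    print(failed_authentications(SAMPLE_LINES))
```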
In addition to sending Analyzer probe server data to a single (local) Analyzer detail view server, you can configure a secondary, cloud-based Analyzer detail view server. The purpose
is to host a copy of the probe data where it can be accessed outside of your internal network.
Note: The secondary Analyzer detail view server does not support real-time data; the data might be received at different times from the Analyzer probe server.
The secondary Analyzer detail view server hosts an independent, non-synchronous copy of the probe data and does not constitute a failover configuration. Furthermore, the
secondary Analyzer detail view server does not include primary Analyzer detail view server configuration data, including:
Alert definitions
Custom reports
Custom trees
User logins and profiles
You can use the Analyzer detail view server backup and restore feature to save or copy these settings.
If you are using an intermediate FTP server as a secondary server, then make sure that you configure the downloader on the Analyzer detail view server to download
the data from this FTP server.
Advanced Settings:
Proxy: Select to configure a proxy server.
4. Click Save.
When the Analyzer probe server sends data to an intermediate FTP server, the Analyzer detail view server needs the FTP server details to download the data.
Note: Do not follow this procedure if you are sending the data directly from the Analyzer probe server to the Analyzer detail view server (without an intermediate FTP server).
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer detail view server through an SSH client (such as PuTTY) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
For example:
Note: When the Analyzer probe server sends data to an intermediate FTP server, only password-based authentication is supported (--authType Password-Based).
If you want to download the data of the specific Analyzer probe server appliance:
For example:
Note:
When the Analyzer probe server sends data to an intermediate FTP server, only password-based authentication is supported (--authType Password-Based).
Do not use the createOrUpdateFTPConfiguration.sh command to change the meghadata user password. Instead, use the changePassword.sh command. See
Changing the megha and meghadata passwords for more information.
6. Type the FTP user password and confirm it.
7. Start the megha service using the following command:
/usr/local/megha/bin/megha-jetty.sh start
Getting the Appliance UUID and configuring the intermediate FTP server
If the FTP server user does not have sufficient permissions to create the directory automatically, then you must create it manually. The directory name must be the UUID of the
Analyzer probe.
To monitor storage systems by using Ops Center Analyzer, you must use the following procedure to add the Hitachi Enterprise Storage probe to Analyzer probe server.
1. Verify the collection methods supported by the monitored storage systems, and determine the collection method to be used by the agent.
For details, see Selecting the data collection method.
2. Add the Hitachi Enterprise Storage probe that collects information from the monitored storage systems to the Analyzer probe server. Set up RAID Agent and add the
Hitachi Enterprise Storage probe to the Analyzer probe server. For details, see Setting up RAID Agent.
The Hitachi Enterprise Storage probe collects data from the monitored storage systems using RAID Agent. RAID Agent temporarily stores the data it collects from the storage
system in a database called Hybrid Store, and then provides the data to the Hitachi Enterprise Storage probe.
The workflow for adding the Hitachi Enterprise Storage probe depends on the data collection method. You select the data collection method by specifying the Access Type when
you create a RAID Agent instance environment, which designates the method used by the RAID Agent to collect data from the storage system.
Access Type: 1
Access Type: 2
Access Type: 3
Access Type: 4
The method for collecting data differs depending on the combination of the storage system configuration and the agent. Specify the collection method in Access Type when you
create an instance environment. You can specify only one Access Type for each storage system.
Consider the above when determining the collection method. The procedure for setting up the Hitachi Enterprise Storage probe varies depending on the value specified in Access Type. If you want to set up Analyzer viewpoint, check which access types you can use by referring to Monitoring target storage systems.
To determine which method is supported by your storage systems, use the following table:
Used Used -- 1
VSP F400
VSP F600
VSP F800
VSP F1500
VSP G200
VSP G400
VSP G600
VSP G800
VSP G1000
VSP G1500
Used Used -- 1
VSP One B20 (note 2)
VSP E590 (note 2)
VSP E790 (note 2)
VSP E990
VSP E590H (note 2)
VSP E790H (note 2)
VSP E1090H (note 2)
Storage systems to monitor | Data collection method: Command devices | SVP | REST API of the storage system | Access Type to select
VSP F370 (note 1)
VSP F700 (note 1)
VSP F900 (note 1)
VSP G350 (note 1)
-- -- Used 4
VSP G370 (note 1)
VSP G700 (note 1)
VSP G900 (note 1)
Notes:
1. The methods for collecting performance data depend on the microcode version:
When using the command device and the SVP, microcode version 88-03-22 or later is required.
When using the command device and the REST API, microcode version 88-02-01 or later is required.
When using the SVP and the REST API, microcode version 88-03-22 or later is required.
When using only the REST API, microcode version 88-02-01 or later is required.
2. You can only select Access Type 2 or 4.
Legend:
Note: Access Type 2, 3, and 4 have a monitoring limit of 4096 LDEVs per storage system. For storage systems with more than 4096 LDEVs, use Access Type 1 to avoid data loss in Ops Center Analyzer. Otherwise, the high workload on the storage system might cause performance problems in other products.
Depending on the data collection method, you can collect different types of performance data.
Note:
You can use any Access Type to collect storage system performance data and configuration information, the names of pools, and information about the saving capacity and ratio.
If RAID Agent will monitor VSP One B20, VSP E series, VSP 5000 series, VSP F350, F370, F700, F900, VSP G350, G370, G700, or G900, select the Access Type as follows:
Table columns: Do you use a network that uses Fibre Channel (use a command device)?; Do you use the SVP?; Do you want to monitor the following additional information?; Select this Access Type.
Yes Yes 1
Virtual IDs for parity groups
Tier information
Current Capacity in License window
Yes No 2
Tier information
No Yes 3
Virtual IDs for parity groups
Current Capacity in License window
No No 4
Current Capacity in License window
If you use a Fibre Channel network, you can view more detailed information about the storage system. In addition, if you select Access Type 1, the storage system is monitored at
the same level as the following storage systems:
VSP F400, F600, F800, F1500, VSP G200, G400, G600, G800, G1000, G1500
For details about performance data, see the Hitachi Ops Center Analyzer REST API Reference Guide and the Hitachi Ops Center Analyzer Detail View Metrics Reference Guide.
To analyze Universal Replicator performance, use Access Type 1 for both the primary and secondary storage systems.
If you are using the On-demand real time monitoring module, select either Access Type 1 or 2.
Select Access Type 2, 3, or 4 on RAID Agent to collect the virtual storage machine capacity data and view it in the VSM Summary report in Analyzer detail view. If you select Access Type 1 on RAID Agent, the report will not show the virtual storage machine capacity details.
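The selection rules in this section can pull in different directions, so the following added example (not part of the original guide and not vendor code) lists the Access Types that satisfy every stated requirement at once. The function name and its key=value arguments are this example's own; the rules are the ones stated above: the collection paths each type uses, the 4096-LDEV limit, Universal Replicator, On-demand real time monitoring, the VSM Summary report, and table note 2.

```sh
#!/bin/sh
# Added example (not vendor code). Argument names are this example's own:
#   cmddev=yes|no    a command device is reachable from the RAID Agent host
#   svp=yes|no       the SVP is used
#   rest=yes|no      the REST API of the storage system is used
#   ldevs=N          number of LDEVs on the storage system
#   ur=yes|no        Universal Replicator performance analysis is needed
#   ondemand=yes|no  the On-demand real time monitoring module is used
#   vsm=yes|no       VSM capacity is needed in the VSM Summary report
#   note2=yes|no     the model carries table note 2 (only Access Type 2 or 4)
# Prints the usable Access Types separated by spaces; returns 1 if none fits.
allowed_access_types() (
    cmddev=no svp=no rest=no ldevs=0 ur=no ondemand=no vsm=no note2=no
    for kv in "$@"; do
        case $kv in
            cmddev=*)   cmddev=${kv#*=} ;;
            svp=*)      svp=${kv#*=} ;;
            rest=*)     rest=${kv#*=} ;;
            ldevs=*)    ldevs=${kv#*=} ;;
            ur=*)       ur=${kv#*=} ;;
            ondemand=*) ondemand=${kv#*=} ;;
            vsm=*)      vsm=${kv#*=} ;;
            note2=*)    note2=${kv#*=} ;;
            *) echo "unknown argument: $kv" >&2; return 2 ;;
        esac
    done
    case $ldevs in
        ''|*[!0-9]*) echo "ldevs must be a number" >&2; return 2 ;;
    esac

    out=
    for t in 1 2 3 4; do
        # Collection paths used by each Access Type.
        case $t in
            1) [ "$cmddev" = yes ] && [ "$svp" = yes ]  || continue ;;
            2) [ "$cmddev" = yes ] && [ "$rest" = yes ] || continue ;;
            3) [ "$svp" = yes ] && [ "$rest" = yes ]    || continue ;;
            4) [ "$rest" = yes ]                        || continue ;;
        esac
        # Access Type 2, 3, and 4 are limited to 4096 LDEVs per storage system.
        [ "$ldevs" -gt 4096 ] && [ "$t" != 1 ] && continue
        # Universal Replicator analysis: Access Type 1 only.
        [ "$ur" = yes ] && [ "$t" != 1 ] && continue
        # On-demand real time monitoring: Access Type 1 or 2.
        if [ "$ondemand" = yes ]; then
            case $t in 1|2) ;; *) continue ;; esac
        fi
        # VSM capacity in the VSM Summary report: not available with type 1.
        [ "$vsm" = yes ] && [ "$t" = 1 ] && continue
        # Table note 2: only Access Type 2 or 4 can be selected.
        if [ "$note2" = yes ]; then
            case $t in 2|4) ;; *) continue ;; esac
        fi
        out="${out:+$out }$t"
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
)

# Constructed scenarios, one line of output each.
report() {
    printf '%s -> %s\n' "$*" \
        "$(allowed_access_types "$@" || echo 'no Access Type fits')"
}
report cmddev=yes svp=yes rest=yes
report cmddev=yes svp=yes rest=yes ldevs=6000
report cmddev=yes svp=yes rest=yes ldevs=6000 vsm=yes
report cmddev=yes rest=yes note2=yes ondemand=yes
```

The third scenario shows a conflict between two of the stated rules: a storage system with more than 4096 LDEVs calls for Access Type 1, while the VSM Summary capacity data requires Access Type 2, 3, or 4.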
To monitor storage systems by using RAID Agent, use the following workflow to add the Hitachi Enterprise Storage probe.
The operations differ depending on the combination of methods for collecting performance data (Access Type).
In the following procedures, only the settings required for each access type are described.
When Access Type is 1: Configuring RAID Agent for data collection using command devices and SVP
When Access Type is 2: Configuring RAID Agent for data collection using command device and REST API
When Access Type is 3: Configuring RAID Agent for data collection using SVP and REST API
When Access Type is 4: Configuring RAID Agent for data collection using REST API
Configuring RAID Agent for data collection using command devices and SVP
This method collects all available information about storage system capacity and performance metrics. To use this method, you must specify 1 for Access Type when you create the
RAID Agent instance environment.
Prerequisites
RAID Agent
To monitor storage systems, you need to install RAID Agent. RAID Agent is installed along with Analyzer probe server, but you can also use RAID Agent installed on a Windows
host. Confirm that RAID Agent is installed on the same host as the Analyzer probe server or on a Windows host.
If you installed RAID Agent on the same host as Analyzer probe server by using the installer, confirm that the RAID Manager Library is installed on the RAID Agent host. If you
deployed the Analyzer probe server using the OVA, the RAID Manager Library is already installed.
Verify that a user account for use by RAID Agent was created on the storage system. The user account must meet the following conditions:
SVP
To collect performance data by using a TCP/IP connection, you need to use Storage Navigator to create a user account. Create the user account as a dedicated RAID Agent
account. One user account is required for each instance. Assign one of the following roles to the user account:
Storage administrator (remote backup management)
Performance Monitor
The user account must belong to a user group that has been assigned the Storage administrator (performance management) role.
For details about how to create a user account for a storage system, see the documentation for your storage system.
Verify that a command device exists in the storage system. For details about command devices, see the appropriate documentation for the storage system you are using.
For RAID Agent (Windows), create a logical device to be assigned as a command device. The capacity of the logical device should be the minimum size (8 Mib).
If a virtual ID is set on a command device, that command device cannot be monitored by RAID Agent.
Command devices must be defined as RAW devices. RAW devices must comply with the following rules:
Command devices for the ZFS file system cannot be used.
Do not create file systems in the logical devices specified as the command devices.
Do not mount file systems to the logical devices specified as the command devices.
If any of the following conditions are met, RAID Agent cannot obtain performance data:
A remote command device is used.
A virtual command device is used.
VMware Fault Tolerance (VMware vSphere Fault Tolerance) is used.
A command device connected by NVMe-oF is used.
Make sure that the following settings have been configured for the instance of Performance Monitor for the storage system. For details on how to configure these settings and the
available values, see the Performance Monitor documentation for your storage system.
Setting Description
Monitoring-target CUs Set the logical devices (on a CU basis) from which you want to collect performance data.
Sampling interval Set the interval at which Performance Monitor collects performance data. The granularity set here becomes the granularity of data that can be collected
by RAID Agent.
Verify that the RAID Agent host and the storage system are connected by one of the following methods:
If you power off a storage system during the monitoring period, the performance data during the power-off period is not collected in the SVP. In addition, the values of the
performance data immediately after you again power on the storage system might be extremely large.
If the load for the input from and output to the host becomes high on a storage system, some of the performance data might go missing, because the storage system
prioritizes input/output processing over monitoring processing. If performance data frequently goes missing, specify a larger value for Sample Interval in the Edit Monitoring
Switch window. For details, see the documentation about Performance Monitor of each storage system.
Do not change the SVP time setting. If you do so, the following problems might occur:
Invalid performance data is collected in the SVP
The SVP cannot collect performance data
If you changed the SVP time setting, disable the setting of Monitoring Switch, and then enable it again. After doing so, collect the performance data again. For details about
the monitoring switch settings, see the documentation about Performance Monitor of each storage system.
For the SVP on which SVP High Availability Feature is installed, if you switch from the master SVP to the standby SVP, the “short range” performance data will be deleted.
Some functions cannot be run while performance data is being collected. If you run these functions while performance data is collected using the SVP of RAID Agent, either
the data collection or one or more functions will fail. Before using a function for which the problem occurs, run the htmsrv stop command (htmsrv stop -all) to temporarily
stop the RAID Agent instance.
The following are examples of tasks that cannot be performed while performance data is collected:
During an upgrade or downgrade, you cannot collect data from the storage system by using a command device in in-band mode while operations are running on the
controller belonging to the port connected to the command device. If you want to continue collecting data, complete one of the following before running operations on the
controller:
If you are not using Analyzer viewpoint, change the value of Access Type in the instance settings of RAID Agent to 3 or 4.
Reconfigure the RAID Agent instance to assign a command device that is connected to the server where the RAID Agent is installed by using the port of a different
controller.
During an upgrade or downgrade, some data points might be missing.
Note on connecting a command device by using a Channel Board (iSCSI 25 Gbps Optic) port
When updating the Channel Board (iSCSI 25 Gbps Optic) firmware or when experiencing a Channel Board failure, some data might be lost.
If you plan to collect performance data by using a command device, make sure that the command device of the monitored storage system can be accessed from the host where
RAID Agent is installed.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
Access to the command device of the RAID Agent might temporarily occupy resources, such as the processor of the storage system on the LU path. Therefore, when setting
an LU path, make sure that the processor is not being used by business applications that generate steady I/O traffic.
2. Ensure that the command device can be accessed from a guest OS.
This is necessary if RAID Agent is installed on a guest OS of VMware ESXi or Hyper-V. For details, see the VMware ESXi or Hyper-V documentation.
Use the VMware vSphere Client to add a device to the guest OS. By doing so, if you designate a command device as the device to add, the command device can be
accessed from the guest OS.
When configuring settings to add a device, make sure that the following requirements are met:
Virtual disks (including VMware VVols) cannot be used for the command device.
For Hyper-V:
Use virtual Fibre Channel to connect the command device to the guest OS.
3. Make sure that the command device can be accessed from the host where RAID Agent is installed.
Run the jpctdlistraid command on the host where RAID Agent is installed and confirm that the information you set on the command device is output.
In Linux
/opt/jp1pc/tools/jpctdlistraid
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\tools\jpctdlistraid
Tip: On a Linux host, rescanning a disk device might change the /dev/sd device file name. To prevent this, use the WWID-based form of the device file name (/dev/disk/by-id/scsi-hexadecimal-WWID). To specify the WWID-based file name:
a. Use the jpctdlistraid command to display the /dev/sd form of the device file name:
/opt/jp1pc/tools/jpctdlistraid
KAVF18700-I The detection of the monitorable storage system has begun.
"PRODUCT" ,"SERIAL" ,"LDEV" ,"SLPR","PORT" ,"DEVICE_FILE"
"VSP" ,"53039" ,"00:01:1F","" ,"CL1-B","/dev/sdc"
KAVF18701-I The detection of the monitorable storage system has ended.
b. Use the ls command to search the symbolic links managed in the /dev/disk/by-id directory for the WWID device file name mapped to the corresponding /dev/sd file name.
For example:
c. Use the device name output by the command (/dev/disk/by-id/scsi-hexadecimal-WWID) as the Command Device File Name.
Tip: On a Windows host, select Control Panel > Administrative Tools > Computer Management > Storage > Disk Management to create a partition on the command device.
When initializing the disk, you can select either the MBR or GPT partition style. Do not assign a drive letter to the created partition, mount it to a folder, or format it. Also, use
the disk assigned to the command device as a basic disk.
After creating the partition, repeat the jpctdlistraid command to make sure that the GUID has been added. This GUID is a permanent identifier for the partition. When you
specify the GUID instead of the device file name as the RAID Agent instance information, you will not need to review or reconfigure the Agent instance information even if the
disk configuration is changed.
However, if you delete the partition, the GUID will also be deleted. Even if you subsequently create a partition of the same size on the same disk, the assigned GUID will
differ from the original.
Note: In the RAID Agent environment, only one of the following software programs is available for use as multipathing software. Other software programs are not supported
as multipathing software.
When connecting a command device with multiple paths:
Whether a command device is managed as a multipath device in Hitachi Dynamic Link Manager depends on the operating system. For details, see the Hitachi Dynamic Link Manager software manual.
To collect data from the Hitachi Enterprise Storage probe, you must create a RAID Agent instance on the host where RAID Agent is installed.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
1. On the RAID Agent host, run the jpcinssetup command with the service key and instance name specified. Instance names must be no longer than 32 characters, and only
half-width alphanumeric characters (A-Z, a-z, 0-9) are allowed.
For example, to create an instance environment for the instance named 35053 for RAID Agent, run the following command.
In Linux
In Windows
Item Description
22: VSP G200, G400, G600, G800, VSP F400, F600, F800
If a value other than 13 and 23 is specified for Storage model, 1 is automatically specified.
Command Device File Name Specify the command device of the storage system specified for Serial No from among the
command devices in the list output by using the jpctdlistraid command. RAID Agent uses this
command device to collect information about the storage system.
In Linux
Because the /dev/sd* form of the device file name might be changed by rescanning the disk
device, the best practice is to use the WWID based device file name.
In Windows
For details, see Configuring access to the command device from RAID Agent.
Unassigned Open Volume Monitoring (see note 1) Specify Y to monitor a logical device or a parity group for which an open system emulation type
has been set and that has not been mapped to a port.
If you enter a value other than Y, y, N, or n, the system prompts you to enter a value
again.
Mainframe Volume Monitoring (see note 1) Specify Y to monitor a logical device for which the emulation type used for a mainframe is set.
If you enter a value other than Y, y, N, or n, the system prompts you to enter a value
again.
Ops Center Analyzer does not obtain information about mainframe devices. For this reason, you
cannot identify the mainframe host with which a logical device is associated.
SVP IP Address or Host Name Specify the IP address or host name of the SVP that manages the storage system that was
specified for Serial No.
Storage User ID for SVP Specify the user ID of the user account that accesses the target storage system using the SVP.
Storage Password for SVP Specify the password of the user account that accesses the target storage system using the SVP.
SVP Port No Specify the port number if Storage model is set to 22 or 23. You can specify a value from 0 to 65535. The default value is 1099.
This value is the same as the initial value for the RMIIFRegist port number of the storage
system. To change the port number of the storage system, see the storage system manual that
explains how to change or initialize the port number for use with the SVP.
SVP HTTPS Port No If 22 or 23 is specified for Storage model, specify the port number that is used for connection
using the HTTPS protocol, from a host on which RAID Agent is installed, to the SVP. You can
specify a value from 0 to 65535. The default value is 443.
This value is the same as the initial value for the MAPPWebServerHttps port number of the
storage system. To change the port number of the storage system, see the storage system
manual that explains how to change or initialize the port number for use with the SVP.
Java VM Heap Memory setting Method Specify the method to use for setting the required memory size for the Java VM. The default
value is 1.
Maximum number of Volumes If you specified 1 for Java VM Heap Memory setting Method, specify the maximum number of
volumes to create on the target storage system. The required memory size for the Java VM is
automatically specified based on this setting.
You can specify a value in the range from 1000 to 99999. The default value is 4000.
Java VM Heap Memory for SVP If you specified 2 for Java VM Heap Memory setting Method, specify the required memory size
for the Java VM. The default value is 1.
1: 0.5 GB
2: 1.0 GB
3: 2.0 GB
4: 4.0 GB
5: 8.0 GB
Notes:
1. Depending on the microcode version of the storage system, you might not be able to use the Mainframe Volume Monitoring or Unassigned Open Volume Monitoring function even if the setting is enabled.
2. The following values are assumed for the environment when the required memory size is calculated based on the maximum number of volumes and the data is collected
by using the SVP:
Number of LU paths: 0
Sampling interval (in minutes): 1
3. When configuring multiple instances, repeat steps 1 and 2 for each instance.
4. To monitor a storage system with a command device by using the RAID Agent on the Analyzer probe server host, the RAID Manager LIB must be installed.
5. Before you start operation, run the jpctdchkinst command to verify the instance settings. (This command checks whether data can be collected from the storage system
monitored by RAID Agent.)
In Linux
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\tools\jpctdchkinst -inst instance-name
Note: If you upgraded from Infrastructure Analytics Advisor 4.2.1-00 or earlier and have not changed the settings in the instance information, VSP G350, G370, G700, G900, and VSP F350, F370, F700, F900 storage systems are reported as VSP G200 G400 G600 G800 F400 F600 F800 by the jpctdchkinst command.
6. (Optional) Configure the collection-time definition file (conf_refresh_times.ini) as described in Changing the configuration information collection time. This setting helps ensure
the proper collection of performance data when the storage system contains a large amount of configuration data.
7. Run the following command to start the RAID Agent instance services:
Note:
After you add an instance of RAID Agent, you must wait approximately one hour before adding the Hitachi Enterprise Storage probe.
Configuring RAID Agent for data collection using command device and REST API
Use this method to collect all available information about storage system capacity and performance metrics by using both the command device and REST API. To use this data collection method, you must specify 2 for Access Type when you create the RAID Agent instance environment.
Prerequisites
RAID Agent
To monitor storage systems, you need to install RAID Agent. RAID Agent is installed along with Analyzer probe server, but you can also use RAID Agent installed on a Windows
host. Confirm that RAID Agent is installed on the same host as the Analyzer probe server or on a Windows host.
If you installed RAID Agent on the same host as Analyzer probe server by using the installer, confirm that the RAID Manager Library is installed on the RAID Agent host. If you
deployed the Analyzer probe server using the OVA, the RAID Manager Library is already installed.
Verify that a user account for use by RAID Agent was created on the storage system. The user account must meet the following conditions:
REST API
The user account must belong to a user group for which All Resource Groups Assigned is enabled. If the user group is assigned to one of the following roles, All Resource
Groups Assigned is enabled.
Security Administrator (View Only)
Security Administrator (View & Modify)
Audit Log Administrator (View Only)
Audit Log Administrator (View & Modify)
Support Personnel (Vendor Only)
For details about how to create a user account for a storage system, see the documentation for your storage system.
Verify that a command device exists in the storage system. For details about command devices, see the appropriate documentation for the storage system you are using.
For RAID Agent (Windows), create a logical device to be assigned as a command device. The capacity of the logical device should be the minimum size (8 Mib).
If a virtual ID is set on a command device, that command device cannot be monitored by RAID Agent.
Command devices must be defined as RAW devices. RAW devices must comply with the following rules:
Command devices for the ZFS file system cannot be used.
Do not create file systems in the logical devices specified as the command devices.
Do not mount file systems to the logical devices specified as the command devices.
If any of the following conditions are met, RAID Agent cannot obtain performance data:
A remote command device is used.
A virtual command device is used.
VMware Fault Tolerance (VMware vSphere Fault Tolerance) is used.
A command device connected by NVMe-oF is used.
Acquire the server certificate of the storage system. This server certificate is required for server authentication, as well as for encryption by using HTTPS communication between
RAID Agent and the storage system. If you are not using server authentication, you do not need to acquire a server certificate.
Verify that the RAID Agent host and the storage system are connected by one of the following methods:
TCP/IP connection
VSP One B20 storage systems: TCP/IP connection with the ESM
VSP 5000 series storage systems: TCP/IP connection with the SVP
All other storage systems: TCP/IP connection with the GUM (CTL)
Fibre Channel, Fibre Channel over Ethernet (FCoE), or iSCSI connection for the command device
When planning a Data in Place upgrade or downgrade, note the following:
During an upgrade or downgrade, you cannot collect data from the storage system by using a command device in in-band mode while operations are running on the
controller belonging to the port connected to the command device. If you want to continue collecting data, complete one of the following before running operations on the
controller:
If you are not using Analyzer viewpoint, change the value of Access Type in the instance settings of RAID Agent to 3 or 4.
Reconfigure the RAID Agent instance to assign a command device that is connected to the server where the RAID Agent is installed by using the port of a different
controller.
During an upgrade or downgrade, some data points might be missing.
Note on connecting a command device by using a Channel Board (iSCSI 25 Gbps Optic) port
When updating the Channel Board (iSCSI 25 Gbps Optic) firmware or when experiencing a Channel Board failure, some data might be lost.
When a failover occurs in the ESM of VSP One B20, data collected by using the REST API will be lost.
If you plan to collect performance data by using a command device, make sure that the command device of the monitored storage system can be accessed from the host where
RAID Agent is installed.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
Access to the command device of the RAID Agent might temporarily occupy resources, such as the processor of the storage system on the LU path. Therefore, when setting
an LU path, make sure that the processor is not being used by business applications that generate steady I/O traffic.
2. Ensure that the command device can be accessed from a guest OS.
This is necessary if RAID Agent is installed on a guest OS of VMware ESXi or Hyper-V. For details, see the VMware ESXi or Hyper-V documentation.
Use the VMware vSphere Client to add a device to the guest OS. By doing so, if you designate a command device as the device to add, the command device can be
accessed from the guest OS.
When configuring settings to add a device, make sure that the following requirements are met:
Virtual disks (including VMware VVols) cannot be used for the command device.
For Hyper-V:
Use virtual Fibre Channel to connect the command device to the guest OS.
3. Make sure that the command device can be accessed from the host where RAID Agent is installed.
Run the jpctdlistraid command on the host where RAID Agent is installed and confirm that the information you set on the command device is output.
In Linux
/opt/jp1pc/tools/jpctdlistraid
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\tools\jpctdlistraid
Tip: On a Linux host, rescanning a disk device might change the /dev/sd device file name. To prevent this, use the WWID-based form of the device file name (/dev/disk/by-id/scsi-hexadecimal-WWID). To specify the WWID-based file name:
a. Use the jpctdlistraid command to display the /dev/sd form of the device file name:
/opt/jp1pc/tools/jpctdlistraid
KAVF18700-I The detection of the monitorable storage system has begun.
"PRODUCT" ,"SERIAL" ,"LDEV" ,"SLPR","PORT" ,"DEVICE_FILE"
"VSP" ,"53039" ,"00:01:1F","" ,"CL1-B","/dev/sdc"
KAVF18701-I The detection of the monitorable storage system has ended.
b. Use the ls command to search the symbolic links managed in the /dev/disk/by-id directory for the WWID device file name mapped to the corresponding /dev/sd file name.
For example:
c. Use the device name output by the command (/dev/disk/by-id/scsi-hexadecimal-WWID) as the Command Device File Name.
Tip: On a Windows host, select Control Panel > Administrative Tools > Computer Management > Storage > Disk Management to create a partition on the command device.
When initializing the disk, you can select either the MBR or GPT partition style. Do not assign a drive letter to the created partition, mount it to a folder, or format it. Also, use
the disk assigned to the command device as a basic disk.
After creating the partition, repeat the jpctdlistraid command to make sure that the GUID has been added. This GUID is a permanent identifier for the partition. When you
specify the GUID instead of the device file name as the RAID Agent instance information, you will not need to review or reconfigure the Agent instance information even if the
disk configuration is changed.
However, if you delete the partition, the GUID will also be deleted. Even if you subsequently create a partition of the same size on the same disk, the assigned GUID will
differ from the original.
Note: In the RAID Agent environment, only one of the following software programs is available for use as multipathing software. Other software programs are not supported
as multipathing software.
Whether a command device is managed as a multipath device in Hitachi Dynamic Link Manager depends on the operating system. For details, see the Hitachi Dynamic Link Manager software manual.
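The Linux tip on WWID-based device file names (given in both the Access Type 1 and Access Type 2 procedures above) can be scripted as follows. This is an added example, not part of the original guide and not vendor code: the function names, the optional root-prefix argument, and the WWID in the demo tree are constructed for illustration, while the sample jpctdlistraid output is the one shown on this page.

```sh
#!/bin/sh
# Added example (not vendor code): resolve the /dev/sdX names printed by
# jpctdlistraid to their persistent /dev/disk/by-id/scsi-<hex WWID> names.

# jpctdlistraid output as shown on this page.
SAMPLE_OUTPUT='KAVF18700-I The detection of the monitorable storage system has begun.
"PRODUCT" ,"SERIAL" ,"LDEV" ,"SLPR","PORT" ,"DEVICE_FILE"
"VSP" ,"53039" ,"00:01:1F","" ,"CL1-B","/dev/sdc"
KAVF18701-I The detection of the monitorable storage system has ended.'

# Constructed WWID link name used only by demo().
DEMO_WWID_LINK=scsi-36000000000000000000000000000011f

# Read jpctdlistraid output on stdin and print "SERIAL LDEV DEVICE_FILE" for
# each data row. KAVF message lines and the header row are skipped.
list_command_devices() {
    awk -F'"' '
        /^"PRODUCT"/     { next }
        /^"/ && NF >= 12 { print $4, $6, $12 }
    '
}

# Print the first by-id/scsi-<hex> symbolic link that resolves to device $1.
# $2 is the by-id directory (default /dev/disk/by-id). Returns 1 if none.
wwid_name_for() (
    dev=$1
    byid=${2:-/dev/disk/by-id}
    want=$(readlink -f -- "$dev" 2>/dev/null) || return 1
    [ -n "$want" ] || return 1
    for link in "$byid"/scsi-*; do
        [ -L "$link" ] || continue
        id=${link##*/scsi-}
        # Keep only the all-hexadecimal form named in the tip; this also
        # skips vendor-string aliases and "-partN" partition links.
        case $id in ''|*[!0-9A-Fa-f]*) continue ;; esac
        if [ "$(readlink -f -- "$link")" = "$want" ]; then
            printf '%s\n' "$link"
            return 0
        fi
    done
    return 1
)

# Read jpctdlistraid output on stdin and print
# "SERIAL LDEV DEVICE_FILE BY_ID_NAME" per command device, or UNRESOLVED when
# no link is found. $1 is an optional root prefix for a constructed tree.
map_command_devices() (
    root=${1:-}
    list_command_devices | while read -r serial ldev dev; do
        if name=$(wwid_name_for "$root$dev" "$root/dev/disk/by-id"); then
            printf '%s %s %s %s\n' "$serial" "$ldev" "$dev" "${name#"$root"}"
        else
            printf '%s %s %s UNRESOLVED\n' "$serial" "$ldev" "$dev"
        fi
    done
)

# Build a constructed /dev tree (plain files standing in for device nodes),
# run the mapper over SAMPLE_OUTPUT, then clean up.
demo() (
    root=$(mktemp -d) || return 1
    mkdir -p "$root/dev/disk/by-id"
    : > "$root/dev/sdc"
    : > "$root/dev/sdc1"
    ln -s ../../sdc  "$root/dev/disk/by-id/$DEMO_WWID_LINK"
    ln -s ../../sdc1 "$root/dev/disk/by-id/$DEMO_WWID_LINK-part1"
    ln -s ../../sdc  "$root/dev/disk/by-id/scsi-1CONSTRUCTED_ALIAS"
    out=$(printf '%s\n' "$SAMPLE_OUTPUT" | map_command_devices "$root")
    rm -rf "$root"
    printf '%s\n' "$out"
)

# On a RAID Agent host, use the real command; elsewhere run the demo.
if [ -x /opt/jp1pc/tools/jpctdlistraid ]; then
    /opt/jp1pc/tools/jpctdlistraid | map_command_devices
else
    demo
fi
```

The last column of each output line is the value to enter as Command Device File Name; an UNRESOLVED entry means no hexadecimal scsi- link currently points at that device.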
To collect data from the Hitachi Enterprise Storage probe, you must create a RAID Agent instance on the host where RAID Agent is installed.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
1. On the RAID Agent host, run the jpcinssetup command with the service key and instance name specified. Instance names must be no longer than 32 characters, and only
half-width alphanumeric characters (A-Z, a-z, 0-9) are allowed.
For example, to create an instance environment for the instance named 35053 for RAID Agent, run the following command.
In Linux
In Windows
Item Description
23: VSP E590, E790, E990, E1090, E590H, E790H, E1090H, or VSP G/F350, G/F370,
G/F700, G/F900
Command Device File Name Specify the command device of the storage system specified for Serial No from among the
command devices in the list output by using the jpctdlistraid command. RAID Agent uses this
command device to collect information about the storage system.
In Linux
Because the /dev/sd* form of the device file name might be changed by rescanning the disk
device, the best practice is to use the WWID based device file name.
In Windows
For details, see Configuring access to the command device from RAID Agent.
Unassigned Open Volume Monitoring (see note 1) Specify Y to monitor a logical device or a parity group for which an open system emulation type
has been set and that has not been mapped to a port.
If you enter a value other than Y, y, N, or n, the system prompts you to enter a value
again.
Mainframe Volume Monitoring (see note 1) Specify Y to monitor a logical device for which the emulation type used for a mainframe is set.
If you enter a value other than Y, y, N, or n, the system prompts you to enter a value
again.
Ops Center Analyzer does not obtain information about mainframe devices. For this reason, you
cannot identify the mainframe host with which a logical device is associated.
SVP IP Address or Host Name If 13 is specified for Storage model, specify the IP address or host name of the SVP that
manages the storage system that was specified for Serial No.
GUM(CTL) IP Address or Host Name (Primary) If 23 is specified for Storage model, specify the IP address or the host name (for which name
resolution is possible) of the GUM (CTL) of the storage system that was specified for Serial No.
The default value is blank. Connections with the connection destination set for GUM(CTL) IP Address or Host Name (Primary) are prioritized.
GUM(CTL) IP Address or Host Name (Secondary)
Note that you do not need to specify both GUM(CTL) IP Address or Host Name (Primary)
and GUM(CTL) IP Address or Host Name (Secondary).
ESM IP Address or Host Name If 30 is specified for Storage model, specify the IP address or the host name (for which name
resolution is possible) of the ESM of the storage system that was specified for Serial No. The
default value is blank.
Storage User ID for REST-API Specify the user ID of the user account that accesses the target storage system using the REST
API.
Storage Password for REST-API Specify the password of the user account that accesses the target storage system using the
REST API.
REST-API Protocol Specify the protocol to use for accessing the target storage system using the REST API. The
default value is 2. Do not change this value.
To use HTTP: 1
To use HTTPS: 2
Java VM Heap Memory setting Method Specify the method to use for setting the required memory size for the Java VM. The default
value is 1.
Maximum number of Volumes If you specified 1 for Java VM Heap Memory setting Method, specify the maximum number of
volumes to create on the target storage system. The required memory size for the Java VM is
automatically specified based on this setting.
You can specify a value in the range from 1000 to 99999. The default value is 4000.
Java VM Heap Memory for REST-API If you specified 2 for Java VM Heap Memory setting Method, specify the required memory size
for the Java VM. The default value is 1.
1: 128 MB
2: 256 MB
3: 512 MB
4: 1.0 GB
5: 2.0 GB
6: 4.0 GB
7: 8.0 GB
Notes:
1. Depending on the microcode version of the storage system, you might not be able to use the Mainframe Volume Monitoring or Unassigned Open Volume Monitoring
function even if the setting is enabled.
2. The following values are assumed for the environment when the required memory size is calculated based on the maximum number of volumes and the data is collected
by using the REST API:
In Linux
In Windows
6. (Optional) Configure the collection-time definition file (conf_refresh_times.ini) as described in Changing the configuration information collection time. This setting helps ensure
the proper collection of performance data when the storage system contains a large amount of configuration data.
7. Run the following command to start the RAID Agent instance services:
Note:
You must wait for approximately one hour to add the Hitachi Enterprise Storage probe after adding an instance of RAID Agent.
To enable verification of a storage system server certificate in RAID Agent, import the storage system certificate to the RAID Agent truststore, and then edit the ipdc.properties file.
If you use a certificate issued by a certificate authority, the certificates of all authorities (from the certificate authority that issued the storage system server certificate to the
root certificate authority) must be connected in a chain of trust.
When the monitored storage system certificate is signed by a root certificate authority:
If you import the root certificate into the RAID Agent truststore, you do not need to import the monitored storage system certificate into the RAID Agent truststore.
When the monitored storage system certificate is signed by an intermediate certificate authority:
If you import the root certificate into the RAID Agent truststore, you do not need to import the monitored storage system certificate into the RAID Agent truststore. Instead, you
must import the certificate signed by the intermediate certificate authority into the monitored storage system.
If the storage system certificate already exists in the truststore, delete the existing certificate before importing a new one. The following shows the storage location of the
certificate.
In Linux
/opt/jp1pc/agtd/agent/instance-name/jssecacerts
rm /opt/jp1pc/agtd/agent/instance-name/jssecacerts
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\jssecacerts
In Linux
In Windows
For alias-name, specify a name that enables you to determine which storage system will use the server certificate.
For certificate-file-name, specify the absolute path where the certificate is stored.
For truststore-file-name, specify the following absolute path.
In Linux
/opt/jp1pc/agtd/agent/instance-name/jssecacerts
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\jssecacerts
In Linux
/opt/jp1pc/agtd/agent/instance-name/ipdc.properties
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\ipdc.properties
Target properties:
ssl.check.cert=true
ssl.check.cert.self.truststore=true
ssl.check.cert.hostname=true
Note:
To check the name of the host of the server certificate, specify a host name that can be resolved for SVP IP Address or Host Name, GUM(CTL) IP
Address or Host Name or ESM IP Address or Host Name in the RAID Agent instance information. If you cannot specify a host name that can be
resolved, specify false because the host name cannot be verified.
If the server certificate is not a wildcard certificate, specify false, because the host name cannot be verified.
3. Run the command jpctdchkinst to confirm the instance settings.
In Linux
In Windows
Configuring RAID Agent for data collection using SVP and REST API
Use this method to collect all available information about storage system capacity and performance metrics through an IP network connection. To use this data collection method,
you must specify 3 for Access Type when you create the RAID Agent instance environment.
Prerequisites
RAID Agent
To monitor storage systems, you need to install RAID Agent. RAID Agent is installed along with Analyzer probe server, but you can also use RAID Agent installed on a Windows
host. Confirm that RAID Agent is installed on the same host as the Analyzer probe server or on a Windows host.
Verify that a user account for use by RAID Agent was created on the storage system. The user account must meet the following conditions:
SVP
To collect performance data by using a TCP/IP connection, you need to use Storage Navigator to create a user account. Create the user account as a dedicated RAID Agent
account. One user account is required for each instance. Assign one of the following roles to the user account:
The user account must belong to a user group that has been assigned the Storage administrator (performance management) role.
For details about how to create a user account for a storage system, see the documentation for your storage system.
Make sure that the following settings have been configured for the instance of Performance Monitor for the storage system. For details on how to configure these settings and the
available values, see the Performance Monitor documentation for your storage system.
Setting Description
Monitoring-target CUs Set the logical devices (on a CU basis) from which you want to collect performance data.
Sampling interval Set the interval at which Performance Monitor collects performance data. The granularity set here becomes the granularity of data that can be collected
by RAID Agent.
Acquire the server certificate of the storage system. This server certificate is required for server authentication, as well as for encryption by using HTTPS communication between
RAID Agent and the storage system. If you are not using server authentication, you do not need to acquire a server certificate.
Verify that the RAID Agent host and the storage system are connected by one of the following methods:
VSP 5000 series storage systems: TCP/IP connection with the SVP
All other storage systems: TCP/IP connection with the GUM (CTL)
If you power off a storage system during the monitoring period, the performance data during the power-off period is not collected in the SVP. In addition, the values of the
performance data immediately after you again power on the storage system might be extremely large.
If the load for the input from and output to the host becomes high on a storage system, some of the performance data might go missing, because the storage system
prioritizes input/output processing over monitoring processing. If performance data frequently goes missing, specify a larger value for Sample Interval in the Edit Monitoring
Switch window. For details, see the documentation about Performance Monitor of each storage system.
Do not change the SVP time setting. If you do so, the following problems might occur:
Invalid performance data is collected in the SVP
The SVP cannot collect performance data
If you changed the SVP time setting, disable the setting of Monitoring Switch, and then enable it again. After doing so, collect the performance data again. For details about
the monitoring switch settings, see the documentation about Performance Monitor of each storage system.
For the SVP on which SVP High Availability Feature is installed, if you switch from the master SVP to the standby SVP, the “short range” performance data will be deleted.
Some functions cannot be run while performance data is being collected. If you run these functions while performance data is collected using the SVP of RAID Agent, either
the data collection or one or more functions will fail. Before using a function for which the problem occurs, run the htmsrv stop command (htmsrv stop -all) to temporarily
stop the RAID Agent instance.
The following are examples of tasks that cannot be performed while performance data is collected:
During an upgrade or downgrade, the model name after the upgrade or downgrade might be displayed as that of the target storage system.
During an upgrade or downgrade, some data points might be missing.
To collect data from the Hitachi Enterprise Storage probe, you must create a RAID Agent instance on the host where RAID Agent is installed.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
1. On the RAID Agent host, run the jpcinssetup command with the service key and instance name specified. Instance names must be no longer than 32 characters, and only
half-width alphanumeric characters (A-Z, a-z, 0-9) are allowed.
For example, to create an instance environment for the instance named 35053 for RAID Agent, run the following command.
In Linux
In Windows
Item Description
SVP IP Address or Host Name Specify the IP address or host name of the SVP that manages the storage system that was
specified for Serial No.
Storage User ID for SVP Specify the user ID of the user account that accesses the target storage system using the SVP.
Storage Password for SVP Specify the password of the user account that accesses the target storage system using the SVP.
SVP Port No Specify the port number if Storage model is set to 22 or 23. You can specify a value from 0 to 65535.
The default value is 1099.
This value is the same as the initial value for the RMIIFRegist port number of the storage
system. To change the port number of the storage system, see the storage system manual that
explains how to change or initialize the port number for use with the SVP.
SVP HTTPS Port No If 22 or 23 is specified for Storage model, specify the port number that is used for connection
using the HTTPS protocol, from a host on which RAID Agent is installed, to the SVP. You can
specify a value from 0 to 65535. The default value is 443.
This value is the same as the initial value for the MAPPWebServerHttps port number of the
storage system. To change the port number of the storage system, see the storage system
manual that explains how to change or initialize the port number for use with the SVP.
GUM(CTL) IP Address or Host Name (Primary) If 23 is specified for Storage model, specify the IP address or the host name (for which name
resolution is possible) of the GUM (CTL) of the storage system that was specified for Serial No.
The default value is blank. Connections with the connection destination set for GUM(CTL) IP Address
or Host Name (Primary) are prioritized.
GUM(CTL) IP Address or Host Name (Secondary)
Note that you do not need to specify both GUM(CTL) IP Address or Host Name (Primary)
and GUM(CTL) IP Address or Host Name (Secondary).
Storage User ID for REST-API Specify the user ID of the user account that accesses the target storage system using the REST
API.
Storage Password for REST-API Specify the password of the user account that accesses the target storage system using the
REST API.
REST-API Protocol Specify the protocol to use for accessing the target storage system using the REST API. The
default value is 2. Do not change this value.
To use HTTP: 1
To use HTTPS: 2
Java VM Heap Memory setting Method Specify the method to use for setting the required memory size for the Java VM. The default
value is 1.
Maximum number of Volumes If you specified 1 for Java VM Heap Memory setting Method, specify the maximum number of
volumes to create on the target storage system. The required memory size for the Java VM is
automatically specified based on this setting.
You can specify a value in the range from 1000 to 99999. The default value is 4000.
Java VM Heap Memory for SVP If you specified 2 for Java VM Heap Memory setting Method, specify the required memory size
for the Java VM. The default value is 1.
1: 0.5 GB
2: 1.0 GB
3: 2.0 GB
4: 4.0 GB
5: 8.0 GB
Java VM Heap Memory for REST-API If you specified 2 for Java VM Heap Memory setting Method, specify the required memory size
for the Java VM. The default value is 1.
1: 128 MB
2: 256 MB
3: 512 MB
4: 1.0 GB
5: 2.0 GB
6: 4.0 GB
7: 8.0 GB
* The following values are assumed for the environment when the required memory size is calculated based on the maximum number of volumes.
In Linux
In Windows
5. Run the following command to start the RAID Agent instance services:
Note:
You must wait for approximately one hour to add the Hitachi Enterprise Storage probe after adding an instance of RAID Agent.
To enable verification of a storage system server certificate in RAID Agent, import the storage system certificate to the RAID Agent truststore, and then edit the ipdc.properties file.
If you use a certificate issued by a certificate authority, the certificates of all authorities (from the certificate authority that issued the storage system server certificate to the
root certificate authority) must be connected in a chain of trust.
When the monitored storage system certificate is signed by a root certificate authority:
If you import the root certificate into the RAID Agent truststore, you do not need to import the monitored storage system certificate into the RAID Agent truststore.
When the monitored storage system certificate is signed by an intermediate certificate authority:
If you import the root certificate into the RAID Agent truststore, you do not need to import the monitored storage system certificate into the RAID Agent truststore. Instead, you
must import the certificate signed by the intermediate certificate authority into the monitored storage system.
If the storage system certificate already exists in the truststore, delete the existing certificate before importing a new one. The following shows the storage location of the
certificate.
In Linux
/opt/jp1pc/agtd/agent/instance-name/jssecacerts
rm /opt/jp1pc/agtd/agent/instance-name/jssecacerts
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\jssecacerts
In Linux
In Windows
For alias-name, specify a name that enables you to determine which storage system will use the server certificate.
For certificate-file-name, specify the absolute path where the certificate is stored.
For truststore-file-name, specify the following absolute path.
In Linux
/opt/jp1pc/agtd/agent/instance-name/jssecacerts
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\jssecacerts
In Linux
/opt/jp1pc/agtd/agent/instance-name/ipdc.properties
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\ipdc.properties
Target properties:
ssl.check.cert=true
ssl.check.cert.self.truststore=true
ssl.check.cert.hostname=true
Note:
To check the name of the host of the SSL certificate, specify a host name that can be resolved for SVP IP Address or Host Name or GUM(CTL) IP
Address or Host Name in the RAID Agent instance information. If you cannot specify a host name that can be resolved, specify false because the
host name cannot be verified.
If the server certificate is not a wildcard certificate, specify false, because the host name cannot be verified.
3. Run the command jpctdchkinst to confirm the instance settings.
In Linux
In Windows
Use this method to collect basic information about storage system capacity and performance metrics through an IP connection. To use this data collection method, you must specify
4 for Access Type when you create the RAID Agent instance environment.
Prerequisites
RAID Agent
To monitor storage systems, you need to install RAID Agent. RAID Agent is installed along with Analyzer probe server, but you can also use RAID Agent installed on a Windows
host. Confirm that RAID Agent is installed on the same host as the Analyzer probe server or on a Windows host.
Create user accounts for a storage system
Verify that a user account for use by RAID Agent was created on the storage system. The user account must meet the following conditions:
REST API
The user account must belong to a user group for which All Resource Groups Assigned is enabled. If the user group is assigned to one of the following roles, All Resource
Groups Assigned is enabled.
Security Administrator (View Only)
Security Administrator (View & Modify)
Audit Log Administrator (View Only)
Audit Log Administrator (View & Modify)
Support Personnel (Vendor Only)
For details about how to create a user account for a storage system, see the documentation for your storage system.
Acquire the server certificate of the storage system. This server certificate is required for server authentication, as well as for encryption by using HTTPS communication between
RAID Agent and the storage system. If you are not using server authentication, you do not need to acquire a server certificate.
Verify that the RAID Agent host and the storage system are connected by one of the following methods:
VSP One B20 storage systems: TCP/IP connection with the ESM
VSP 5000 series storage systems: TCP/IP connection with the SVP
All other storage systems: TCP/IP connection with the GUM (CTL)
During an upgrade or downgrade, the model name after the upgrade or downgrade might be displayed as that of the target storage system.
During an upgrade or downgrade, some data points might be missing.
When a failover occurs in the ESM of VSP One B20, data collected by using the REST API will be lost.
To collect data from the Hitachi Enterprise Storage probe, you must create a RAID Agent instance on the host where RAID Agent is installed.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
1. On the RAID Agent host, run the jpcinssetup command with the service key and instance name specified. Instance names must be no longer than 32 characters, and only
half-width alphanumeric characters (A-Z, a-z, 0-9) are allowed.
For example, to create an instance environment for the instance named 35053 for RAID Agent, run the following command.
In Linux
In Windows
Item Description
23: VSP E590, E790, E990, E1090, E590H, E790H, E1090H, or VSP G/F350, G/F370,
G/F700, G/F900
SVP IP Address or Host Name If 13 is specified for Storage model, specify the IP address or host name of the SVP that
manages the storage system that was specified for Serial No.
GUM(CTL) IP Address or Host Name (Primary) If 23 is specified for Storage model, specify the IP address or the host name (for which name
resolution is possible) of the GUM (CTL) of the storage system that was specified for Serial No.
The default value is blank. Connections with the connection destination set for GUM(CTL) IP Address
or Host Name (Primary) are prioritized.
GUM(CTL) IP Address or Host Name (Secondary)
Note that you do not need to specify both GUM(CTL) IP Address or Host Name (Primary)
and GUM(CTL) IP Address or Host Name (Secondary).
ESM IP Address or Host Name If 30 is specified for Storage model, specify the IP address or the host name (for which name
resolution is possible) of the ESM of the storage system that was specified for Serial No. The
default value is blank.
Storage User ID for REST-API Specify the user ID of the user account that accesses the target storage system using the REST
API.
Storage Password for REST-API Specify the password of the user account that accesses the target storage system using the
REST API.
REST-API Protocol Specify the protocol to use for accessing the target storage system using the REST API. The
default value is 2. Do not change this value.
To use HTTP: 1
To use HTTPS: 2
Java VM Heap Memory setting Method Specify the method to use for setting the required memory size for the Java VM. The default
value is 1.
Maximum number of Volumes If you specified 1 for Java VM Heap Memory setting Method, specify the maximum number of
volumes to create on the target storage system. The required memory size for the Java VM is
automatically specified based on this setting.
You can specify a value in the range from 1000 to 99999. The default value is 4000.
Java VM Heap Memory for REST-API If you specified 2 for Java VM Heap Memory setting Method, specify the required memory size
for the Java VM. The default value is 1.
1: 128 MB
2: 256 MB
3: 512 MB
4: 1.0 GB
5: 2.0 GB
6: 4.0 GB
7: 8.0 GB
* The following values are assumed for the environment when the required memory size is calculated based on the maximum number of volumes and the data is collected
by using the REST API:
In Linux
In Windows
5. Run the following command to start the RAID Agent instance services:
Note:
You must wait for approximately one hour to add the Hitachi Enterprise Storage probe after adding an instance of RAID Agent.
To enable verification of a storage system server certificate in RAID Agent, import the storage system certificate to the RAID Agent truststore, and then edit the ipdc.properties file.
If you use a certificate issued by a certificate authority, the certificates of all authorities (from the certificate authority that issued the storage system server certificate to the
root certificate authority) must be connected in a chain of trust.
When the monitored storage system certificate is signed by a root certificate authority:
If you import the root certificate into the RAID Agent truststore, you do not need to import the monitored storage system certificate into the RAID Agent truststore.
When the monitored storage system certificate is signed by an intermediate certificate authority:
If you import the root certificate into the RAID Agent truststore, you do not need to import the monitored storage system certificate into the RAID Agent truststore. Instead, you
must import the certificate signed by the intermediate certificate authority into the monitored storage system.
If the storage system certificate already exists in the truststore, delete the existing certificate before importing a new one. The following shows the storage location of the
certificate.
In Linux
/opt/jp1pc/agtd/agent/instance-name/jssecacerts
rm /opt/jp1pc/agtd/agent/instance-name/jssecacerts
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\jssecacerts
In Linux
In Windows
For alias-name, specify a name that enables you to determine which storage system will use the server certificate.
For certificate-file-name, specify the absolute path where the certificate is stored.
For truststore-file-name, specify the following absolute path.
In Linux
/opt/jp1pc/agtd/agent/instance-name/jssecacerts
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\jssecacerts
In Linux
/opt/jp1pc/agtd/agent/instance-name/ipdc.properties
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\ipdc.properties
Target properties:
ssl.check.cert=true
ssl.check.cert.self.truststore=true
ssl.check.cert.hostname=true
Note:
To check the name of the host of the server certificate, specify a host name that can be resolved for SVP IP Address or Host Name, GUM(CTL) IP
Address or Host Name or ESM IP Address or Host Name in the RAID Agent instance information. If you cannot specify a host name that can be
resolved, specify false because the host name cannot be verified.
If the server certificate is not a wildcard certificate, specify false, because the host name cannot be verified.
3. Run the command jpctdchkinst to confirm the instance settings.
In Linux
In Windows
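The following check is an added example, not part of the Hitachi guide: it audits each RAID Agent instance's ipdc.properties for the three Target properties set in the certificate-verification procedure (repeated above for each access type) and confirms that a jssecacerts file sits in the same instance directory. The function names, the sample instance legacy01 and the placeholder truststore content are constructed for illustration; it assumes plain key=value lines as the guide shows them.

```shell
#!/bin/sh
# Added example: audit RAID Agent instances for the certificate-verification
# settings this guide lists under "Target properties".

# Print the effective value of KEY in a key=value properties file.
# Comment lines (# or !) and blank lines are skipped. If a key is repeated,
# the last assignment is reported (assumed, as with java.util.Properties).
prop_value() {   # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#!]/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/\r$/, "", line)          # tolerate CRLF files from Windows hosts
            pos = index(line, "=")
            if (pos == 0) next
            k = substr(line, 1, pos - 1)
            v = substr(line, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Audit one ipdc.properties file.
# Returns 0 = matches the guide, 1 = at least one FAIL, 2 = file unreadable.
# Values are compared literally against the lowercase "true" the guide shows.
audit_ipdc() {   # $1 = path to ipdc.properties
    ipdc_file=$1
    ipdc_fail=0
    if [ ! -r "$ipdc_file" ]; then
        echo "ERROR cannot read $ipdc_file"
        return 2
    fi
    for ipdc_key in ssl.check.cert ssl.check.cert.self.truststore ssl.check.cert.hostname; do
        ipdc_val=$(prop_value "$ipdc_file" "$ipdc_key")
        if [ "$ipdc_val" = "true" ]; then
            echo "OK   $ipdc_key=true"
        elif [ "$ipdc_key" = "ssl.check.cert.hostname" ]; then
            # The guide permits false here when no resolvable host name can be
            # specified, so report it for review instead of failing the instance.
            echo "WARN $ipdc_key=${ipdc_val:-<unset>} (certificate host name is not checked)"
        else
            echo "FAIL $ipdc_key=${ipdc_val:-<unset>} (guide sets true)"
            ipdc_fail=1
        fi
    done
    # The guide stores the truststore beside ipdc.properties in the instance directory.
    ipdc_store=$(dirname "$ipdc_file")/jssecacerts
    if [ "$(prop_value "$ipdc_file" ssl.check.cert)" = "true" ] && [ ! -s "$ipdc_store" ]; then
        echo "FAIL $ipdc_store is missing or empty (no certificate imported)"
        ipdc_fail=1
    fi
    return $ipdc_fail
}

# Audit every instance under the agent directory (Linux path from the guide).
# Returns 0 only when no instance needs attention.
audit_all() {    # $1 = agent directory, default /opt/jp1pc/agtd/agent
    all_base=${1:-/opt/jp1pc/agtd/agent}
    all_bad=0
    for all_file in "$all_base"/*/ipdc.properties; do
        [ -e "$all_file" ] || continue
        echo "== $all_file"
        audit_ipdc "$all_file" || all_bad=$((all_bad + 1))
    done
    echo "$all_bad instance(s) need attention"
    [ "$all_bad" -eq 0 ]
}

# Build a constructed sample tree: one instance configured as in the guide,
# one with verification switched off.
make_sample() {  # $1 = directory to populate
    mkdir -p "$1/35053" "$1/legacy01"
    printf '%s\n' '# constructed sample' \
        'ssl.check.cert=true' \
        'ssl.check.cert.self.truststore=true' \
        'ssl.check.cert.hostname=true' > "$1/35053/ipdc.properties"
    printf 'placeholder-truststore' > "$1/35053/jssecacerts"
    printf '%s\n' 'ssl.check.cert = false' \
        'ssl.check.cert.hostname=false' > "$1/legacy01/ipdc.properties"
}

# Demonstration on the constructed tree; on a real host call audit_all with no argument.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_all "$demo_dir" || true
rm -rf "$demo_dir"
```

A non-zero exit status from audit_all makes the check usable in a scheduled job or a configuration-management compliance step after instances are added or upgraded.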
If you want to use the web server access control function of VSP One SDS Block, you must set the IP addresses of access sources in advance. For details, see the
description of how to configure web server access in the VSP One SDS Block CLI Reference.
When you create VSP One SDS Block instances, you must specify a user with a storage or monitor role.
1. Log on as root on the host where Virtual Storage Software Agent is installed.
2. Open the Virtual Storage Software Agent client configuration file:
/var/Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent/config/userconfig-setting.yaml
verifyingSsl: Whether to verify the VSP One SDS Block server certificate. Specify true or false.
serverSettings:
  protocol: http
  port: 24080
virtualStorageSoftwareAccessSettings:
  verifyingSsl: false
name: VSP One SDS Block instance name. Only alphanumeric characters (A-Z, a-z, 0-9) are allowed.
host: The VSP One SDS Block host name or IP address of either of the following:
The representative for storage clusters
The control network for storage nodes
If you want to specify a host name, make sure it can be resolved on the host where Virtual Storage Software Agent is installed. If you specify the IP address, you must
use IPv4.
Monitor
Storage or Monitor
You must also change the password for the VSP One SDS Block instance registered to the Virtual Storage Software Agent instance. Run the instancesetup command
and enter the VSP One SDS Block password when prompted.
6. Restart the Virtual Storage Software Agent services by running the following command:
systemctl restart virtualstoragesoftware-agent.service
The Hitachi Enterprise Storage probe collects data about the following Hitachi Enterprise storage systems: VSP E series, VSP F series, VSP G series, VSP 5000 series. This
procedure presumes you are using the RAID Agent bundled with Analyzer server.
The Hitachi Enterprise Storage probe collects all performance data and specific configuration data from the RAID Agent using the REST API.
Additional configuration data not collected from the RAID Agent is available from Hitachi Ops Center API Configuration Manager. (You are prompted with this option when adding the
Hitachi Enterprise Storage probe.)
Note: When you add the Hitachi Enterprise Storage probe, the following message might be displayed:
Some required opcodes are turned off by default on RAID Agent. Ensure that these are enabled to collect the related metrics.
Before proceeding further, refer to product user documentation.
Ignore this message as this setting is automatically enabled on RAID Agent in Ops Center Analyzer.
uname -n
In Windows:
hostname
24221-HTTP
24222-HTTPS
Storage System Serial number: Serial number of the storage system configured on the RAID Agent.
Storage System Instance: Storage instance name (alias) used to add the storage system to the RAID Agent.
Enable real time data collection: Select this check box to collect real-time data that can be used for alerts, reports, and the REST API.
Note: Enabling the real-time data collection increases the load on the Analyzer detail view server.
4. In the Configure RAID Agent Collection Interval window, the data collection interval is displayed for each record type. These data collection intervals are set in the Hitachi Enterprise
Storage probe for data collection. Click Next.
Note:
The data collection interval for each record must match the data collection interval set in RAID Agent.
The data collection interval for each record must also match the data collection interval set on the storage system. If these intervals do not match, the performance
charts might not display properly (the graphs might not be continuous).
If you are using RAID Agent, use the collection_config command to verify the setting for the data collection interval, and specify a value that is the same as the
displayed data collection interval.
For the data collection interval of records that are not displayed by using the collection_config command, use the default setting (without change).
5. Select the Collect additional configuration metrics check box for collecting the additional configuration metrics.
Note: If you do not want to collect additional configuration data, click Next and skip the rest of this procedure.
For details and prerequisites, see Collecting additional configuration metrics with Hitachi Ops Center API Configuration Manager.
Collecting additional configuration metrics with Hitachi Ops Center API Configuration Manager
The Hitachi Enterprise Storage probe provides an option to collect additional configuration metrics not available from RAID Agent. These additional metrics are collected from the
following storage systems using Hitachi Ops Center API Configuration Manager: VSP E series, VSP 5000 series, VSP F series, and VSP G series. This is optional; you can skip it if
you do not want to collect these metrics. For a list of the additional metrics, see the Hitachi Ops Center Analyzer Detail View Metrics Reference Guide.
User credentials used to connect to the storage systems have one of the following roles:
Security Administrator (view only) or greater
Storage Administrator (view only) with access to all Resource Groups
If using a command device, the settings are as follows:
Security settings: Disabled
User authentication setting: Enabled
Settings for device group information: Disabled
Resource group: meta_resource
The Hitachi Ops Center API Configuration Manager server is connected to the SVP to collect data from the following storage systems: VSP E990 and VSP G/F350, G/F370,
G/F700.
23450-HTTP
23451-HTTPS
Username/Password User name and password of the storage system specified in the Provide RAID Agent Details section.
3. In the Validation window, click Next, and then click OK.
4. In the Status window, in Action, click Start to start collecting data.
Notes:
The Hitachi Ops Center API Configuration Manager server supports only 30 storage system instances.
For best results, do not use the Hitachi Ops Center API Configuration Manager server that is configured in the Analyzer probe for any other external application. (It
might affect the Hitachi Enterprise Storage probe data collection.)
The Hitachi VSP One SDS Block probe collects data from VSP One SDS Block storage systems. The Hitachi VSP One SDS Block probe uses the Virtual Storage Software Agent to
collect data. The probe connects to the Virtual Storage Software Agent using the Virtual Storage Software Agent REST API and the Virtual Storage Software Agent connects to the
VSP One SDS Block cluster instance to collect data using the VSP One SDS Block REST API.
Note:
The Virtual Storage Software Agent can be installed on the Analyzer probe machine or any other machine.
To monitor the cloud model of VSP One SDS Block, you must deploy the Analyzer product, including the Virtual Storage Software Agent component, in an on-premises
environment, and design the network so that Virtual Storage Software Agent can communicate with the cloud model of VSP One SDS Block in a cloud environment.
Make sure that the Virtual Storage Software Agent is installed and the VSP One SDS Block cluster instances are added to the Virtual Storage Software Agent.
Default: 24081
VSS Block Cluster Instance: VSP One SDS Block cluster instance name (alias) added to the Virtual Storage Software Agent.
4. Click Next and then click OK.
5. In the Status window, in the Action column, click Start to begin collecting data.
You can change the Virtual Storage Software Agent IP address, Virtual Storage Software Agent port, or VSP One SDS Block cluster instance if these details have changed.
Note: If you want to change the Virtual Storage Software Agent password, first stop the Hitachi VSP One SDS Block probe, then change the Virtual Storage Software Agent
password, and restart the probe. Make sure that you complete this action within three hours to avoid data loss.
Hitachi NAS probe collects configuration and performance data for the Hitachi NAS platform. There are two types of Hitachi NAS configurations: External SMU and Internal SMU.
The Hitachi NAS probe collects configuration data using REST API, and performance data using RUSC CLI.
Hitachi NAS probe supports the Hitachi NAS server configured as a cluster, single node cluster, and a standalone (non-clustered) server.
Note: The Analyzer probe supports the REST API v4 and v7 of the target Hitachi NAS storage system. Make sure that the following criteria are met for REST API and NAS OS versions:
REST API v7.1.3: NAS OS v13.7 or higher
If the target Hitachi NAS storage system supports REST API v8.0 (at minimum), add the Hitachi NAS (REST API) probe for data collection. Refer to Adding Hitachi NAS (REST API)
probe.
Configuration metrics that are not collected using REST API and are required for reporting in the UI are collected using CLI.
Note: If you plan to upgrade the Hitachi NAS storage system or its node configuration, make sure that the Hitachi NAS probe is stopped. After you complete the storage system
upgrade or node configuration, start the Hitachi NAS probe.
External SMU
To collect the performance data, make sure that the user has SMU CLI access.
To collect the configuration data, a login with a role of supervisor is required to use REST API calls.
A valid Enterprise Virtual Server (EVS) IP address with admin services type (called an Admin EVS IP address) is required to use REST API calls. The Hitachi NAS
probe obtains this information based on the SMU details that you provide when adding the Hitachi NAS probe.
Internal SMU
A user with a role of supervisor is required to collect the performance and configuration data.
To collect the configuration data, make sure that the REST API server is installed on one of the controllers.
The controller and the REST API server must use the same login with a role of supervisor.
If the SMU OS version is v13.9.6628.07 or higher, make sure that SMU session timeout value is configured to 1 hour. Refer to the Hitachi NAS documentation to configure
the session timeout value.
By default, the Hitachi NAS probe does not collect the Hitachi NAS File System resource snapshot size data from Analyzer probe v10.8.0-00 or later. To collect the snapshot
size data, you must enable collection on the Analyzer probe, which might cause a Hitachi NAS system restart problem. For best results, only enable snapshot size data
collection if the system restart problem has been fixed in your target Hitachi NAS system. See Enabling snapshot size data collection using the Hitachi NAS probe for more
information.
By default, the Secure Hash Algorithm 1 (SHA-1) crypto policy is disabled on Oracle Linux 9.x and Red Hat Enterprise Linux 9.x. Therefore, an error occurs when adding the
Hitachi NAS probe. However, if you still want to add the Hitachi NAS probe to the Analyzer probe server, run the following command on the machine:
Note: Enabling the SHA-1 crypto policy weakens the security of the system.
Hitachi NAS (REST API) probe collects configuration and performance data for the Hitachi NAS platform using the REST API v8.0 (at minimum).
It supports the Hitachi NAS Server configured as a cluster, single node cluster, or standalone (non-clustered) server.
Note:
If you are already using the Hitachi NAS probe to monitor a target Hitachi NAS storage system with REST API v4 or v7, and you want to use the Hitachi NAS (REST API)
probe instead, you must upgrade the REST API version to 8 (at minimum), delete the existing Hitachi NAS probe, and then add the Hitachi NAS (REST API) probe.
If you plan to upgrade the Hitachi NAS storage system or the node configuration, you must stop the Hitachi NAS (REST API) probe. After the process is complete, restart the
probe.
Make sure that you have a valid Enterprise Virtual Server (EVS) IP address with admin services type (Admin EVS IP address).
The REST API server connection can be authenticated based on an API key or user credentials:
If you plan to use a key for authentication, make sure an API key with read access is generated on the REST API server.
If you plan to use a password for authentication, make sure a user with the "USER" role is available on the Hitachi NAS REST API server to run the REST API calls.
By default, the Hitachi NAS (REST API) probe does not collect the Hitachi NAS File System resource snapshot size data. To collect this data, you must enable collection on
the Analyzer probe, which might cause a Hitachi NAS system restart problem. For best results, enable snapshot size data collection only if the system restart problem has
been fixed in your target Hitachi NAS system. See Enabling snapshot size data collection using the Hitachi NAS (REST API) probe for more information.
VMware probe collects data from the VMware vCenter server and standalone VMware ESXi host.
vCenter Server: Host name or IP address of the VMware vCenter Server Appliance or VMware ESXi host IP address.
User name: Any user with access to VMware vCenter Server (read-only privileges are sufficient). Ensure that the user has access to all the ESXi hosts (within the
VMware vCenter Server) that you want to monitor.
You can also add hosts by using the Import CSV option, which lets you add a large number of hosts while including only the hosts that you want to monitor. For example, if a
vCenter server has 100 hosts and you want to monitor 60 of them, you can specify these hosts in the CSV file and import it to the probe.
a. Select the Select hosts for data collection using csv file import option.
b. Ensure the CSV file is in a specific format. Download a sample file by clicking the Export option.
c. Edit the CSV file details offline based on your requirements. In the CSV file, you can add only those hosts that you want to monitor or type No for each host that you
do not want to monitor.
d. Import the CSV file by clicking the Import option. The imported hosts are listed in the Select hosts for data collection section.
e. Track the status of the hosts in the Uploaded Host CSV Record Status window. To view the status, click the Details option. Refer to Viewing the host CSV file import
status for more information.
6. Click Next, and then click OK.
7. In the Status window, in Action, click Start to start collecting data.
The details link shows the following status of the imported CSV file.
The following figure shows an example status of an imported CSV file and the resources monitored:
The IBM Power Systems probe collects configuration and performance data from one or more IBM Power Systems. It connects to the Hardware Management Console (HMC) using
the HMC REST API.
The HMC FQDN or IP address must be accessible from the Analyzer probe server.
The user must have the hmcviewer role.
HMC Performance and Capacity Monitoring (PCM) must be enabled.
You can change the username, password, or port if these details change on the target HMC. If you have added probes for multiple IBM Power Systems, make sure you update the
details for each probe instance.
1. In the Status window, stop the IBM Power Systems probe and then click Edit.
2. In the Edit IBM Power Systems Probe window, edit the username, password, or port and then click Next.
3. In the Validation window, click Next, and then click OK.
4. In the Status window, in the Action column, click Start to begin collecting data.
The Brocade FC Switch probe collects performance and configuration data from the individual Brocade FC switch using one of the following methods:
Note:
As a best practice, use the REST API method for data collection.
When you upgrade the firmware for an existing Brocade FC switch probe, you must restart the probe in the Analyzer probe UI.
Note: Switch port performance data is not collected for the Virtual Ethernet (VE) ports because the portStatShow command is not supported for the VE ports. Use the REST
API data collection method instead of CLI if the target switch is using the VE ports.
The CSV file must be in a specific format. You can download a sample file by clicking Download Sample CSV File.
Scroll down to view the list of switches. You can also add more switches or delete a switch before adding the probe.
Each valid switch IP address is added as an individual probe.
8. In the Status window, in Action, click Start to start collecting data.
The Cisco FC Switch (DCNM) probe collects data from the Cisco Data Center Network Manager v11.0 or later using the REST API through the HTTPS protocol.
Note:
If the Cisco DCNM version is upgraded from 10.x (or earlier) to 11.x for an existing probe, the Cisco DCNM probe stops collecting data. You must add the probe again using
the REST API data collection method.
Do not use both the Cisco FC Switch (DCNM) and Cisco FC Switch (CLI) probe to collect data for the same switch.
Cisco DCNM REST API collects the data for the FC port that is part of a port channel or connected to an end device (host or storage).
To collect data from DCNM by running REST APIs, a DCNM user with “Network-operator” role is required.
Note: The REST API data collection method only supports the HTTPS protocol.
Cisco FC Switch (CLI) probe collects performance and configuration data using the CLI commands from Cisco SAN switches.
Note: Do not use both the Cisco FC Switch (DCNM) and Cisco FC Switch (CLI) probe to collect data for the same switch.
By default, the Secure Hash Algorithm 1 (SHA-1) crypto policy is disabled on Oracle Linux 9.x and Red Hat Enterprise Linux 9.x. Therefore, an error occurs when adding the
Cisco FC Switch (CLI) probe. Make sure you do the following on the machine:
1. Run the following command:
Note: Enabling the SHA-1 crypto policy weakens the security of the system.
2. Restart the machine.
reboot
Host *
RequiredRSASize 1024
The CSV file must be in a specific format. You can download a sample file by clicking Download Sample CSV File.
Upload Encrypted CSV: The Upload Encrypted CSV option works like the upload CSV option. However, it is useful when you want to provide switch details,
including login credentials, that must be kept confidential.
Select Upload Encrypted CSV to upload details in an encrypted CSV file, and then click Import CSV.
The Encrypted CSV file must be in a specific format. You can download the sample file by clicking Download Sample CSV File. Refer to Encrypting the CSV
file for more information.
Scroll down to view the list of switches. You can also add more switches or delete a switch before adding the probe.
The system scans the switch IP addresses and adds the valid switches to the system.
6. In the Switch Validation window, click Next, and then OK.
Each valid switch IP address is added as an individual probe.
7. In the Status window, in Action, click Start to start collecting data.
Before uploading the CSV file you must encrypt it using the public key.
5. Encrypt the random key by using the public key, using the following command:
openssl rsautl -encrypt -inkey public-key.pem -pubin -in randomkey.bin -out randomkey.bin.enc
6. Encrypt the CSV file by using the random key (not encrypted):
openssl enc -aes-256-cbc -salt -in <name of the CSV file that you want to encrypt> -out <outputfilename.CSV> -pass file:./randomkey.bin
For example, openssl enc -aes-256-cbc -salt -in BrocadeSANSwitchProbeSample.csv -out BrocadeSANSwitchProbeEncrypted.csv -pass file:./randomkey.bin
7. Download the encrypted random file and encrypted CSV file to your local machine.
8. Provide the encrypted random file and CSV file when adding the probe.
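Steps 5 and 6 above, wrapped as an added shell example (not from the Hitachi guide) that also checks the output directory holds only encrypted material before anything is uploaded. The function names, the random-key generation command (that step is not shown on this page), and the locally generated key pair that stands in for the product's key in the round-trip helper are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Hitachi guide. Function names are hypothetical.

# Encrypt PLAIN_CSV for upload. Writes OUT_CSV and randomkey.bin.enc beside it.
# usage: encrypt_probe_csv PUBLIC_KEY_PEM PLAIN_CSV OUT_CSV
encrypt_probe_csv() {
    pub=$1; csv=$2; out=$3
    outdir=$(dirname -- "$out")
    work=$(mktemp -d) || return 1          # private (0700) scratch directory
    # ASSUMPTION: the guide's random-key step is not shown on this page. One
    # base64 line is used because "-pass file:" reads only the first line.
    openssl rand -base64 -out "$work/randomkey.bin" 32 &&
    # Step 5, as in the guide: wrap the random key with the RSA public key.
    openssl rsautl -encrypt -inkey "$pub" -pubin \
        -in "$work/randomkey.bin" -out "$outdir/randomkey.bin.enc" 2>/dev/null &&
    # Step 6, as in the guide. Options are kept exactly (no -pbkdf2 added):
    # whatever decrypts the file must derive the AES key the same way.
    openssl enc -aes-256-cbc -salt -in "$csv" -out "$out" \
        -pass "file:$work/randomkey.bin" 2>/dev/null
    rc=$?
    rm -rf "$work"    # the unencrypted random key never reaches the output directory
    return $rc
}

# Refuse to hand over a directory that contains anything unencrypted.
# usage: check_upload_ready DIR
check_upload_ready() {
    dir=$1
    [ -s "$dir/randomkey.bin.enc" ] || { echo "missing encrypted random key" >&2; return 1; }
    [ ! -e "$dir/randomkey.bin" ] || { echo "unencrypted random key present" >&2; return 1; }
    for f in "$dir"/*.csv; do
        [ -e "$f" ] || { echo "no CSV file in $dir" >&2; return 1; }
        # "openssl enc -salt" output always starts with the 8-byte magic "Salted__".
        [ "$(head -c 8 "$f")" = "Salted__" ] || { echo "$f is not encrypted" >&2; return 1; }
    done
    return 0
}

# Test helper: constructed key pair standing in for the product's key pair.
# usage: make_constructed_keypair DIR
make_constructed_keypair() {
    openssl genrsa -out "$1/private-key.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1/private-key.pem" -pubout -out "$1/public-key.pem" 2>/dev/null
}

# Test helper: reverse both steps to prove the pair of files is usable.
# usage: decrypt_probe_csv PRIVATE_KEY_PEM ENC_KEY ENC_CSV OUT_CSV
decrypt_probe_csv() {
    tmp=$(mktemp -d) || return 1
    openssl rsautl -decrypt -inkey "$1" -in "$2" -out "$tmp/key" 2>/dev/null &&
    openssl enc -d -aes-256-cbc -in "$3" -out "$4" -pass "file:$tmp/key" 2>/dev/null
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use:
#   sh encrypt_csv.sh public-key.pem switches.csv upload/switchesEncrypted.csv
if [ $# -eq 3 ]; then
    encrypt_probe_csv "$1" "$2" "$3" && check_upload_ready "$(dirname -- "$3")"
fi
```

Keep the plaintext CSV out of the directory you upload from; check_upload_ready fails if it finds one there.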
The Linux probe allows you to monitor the overall health of the Linux environment. The Linux probe collects performance and configuration data from individual Linux machines. This
can help you analyze performance and configuration related problems.
The Analyzer probe UI requires an IP address, user credentials, and installation directory path of the target Linux machine to add each target machine as an individual probe in the
Analyzer probe UI.
The Analyzer probe logs in to the target machine using an SSH connection with user-specified credentials, saves the data collection scripts, and configures a cron job to collect
configuration and performance data. The data is saved in the installation directory on the target machine. The linuxDataDownloader script on the Analyzer probe server
periodically connects to the installation directory on the target machine to collect data.
Note:
If you are planning to upgrade the operating system on the Linux host for an existing Linux probe, make sure you stop the Linux probe in the Analyzer probe UI before the
upgrade and restart it after the upgrade.
If you have added a Linux probe for a target where the Analyzer probe or Analyzer detail view application is running, for best results you should stop the application before
upgrading the operating system.
Make sure that the rsync package is installed on the Analyzer probe server machine.
The following is required on each target machine or host to be monitored:
Packages:
Install the following RPM packages:
nvme-cli
openssh-clients
perl
rsync
sysstat
zip
Install the following Perl modules:
File::Path, Getopt::Std
HTTP::Request::Common
IO::Select
IO::Handle
LWP::UserAgent
Time::HiRes
Note: When you install the perl modules, be sure to install them in a common location (accessible to all users). Refer to Installing the perl module for more
information.
Installation directory: Create an installation directory (where the collection scripts and data will be stored).
Note: The directory name is restricted to alphanumeric, hyphen, and underscore characters only.
User:
A user account to add the Linux probe with read, write, and execute permissions. This user must also have the following:
Privilege to access the cron job on each target machine.
Read, write, and execute permissions for the installation directory (that you will create on target machine).
Execute permission for Perl modules (that you will install on the target machine).
Note:
As a best practice, set a non-expiring password for the user. If the password on the target Linux machine expires or changes after adding the probe,
you must update it immediately in the Analyzer probe UI for the associated Linux probe.
Do not remove the account that you will use to add the Linux probe to collect data from the target Linux machine.
Data for the following resources are collected only if you add the Linux probe as the root user:
Host Volume Group
Host Logical Volume
Host Physical Volume
Note:
The Linux probe does not collect multipath information.
By default, the Linux probe does not collect processes data. See Enabling the Linux host processes data collection for more information.
The Host Validation section opens and validates the host IP address.
5. Click Next.
The Script Deployment section opens and data collection scripts are deployed on the target machine or host.
6. Click Next, and then click OK.
7. In the Status window, in Action, click Start to start collecting data.
Each target machine is added as an individual Linux probe in the Analyzer probe.
Note: If the password on the target Linux machine is expired or changed after adding the probe, you must immediately update it by using the probe UI for the Analyzer probe
that monitors the target.
The perl module must be installed on the virtual machine (or host) to be monitored by the Linux probe. Make sure that you install the perl module at a common location that is
accessible to all users.
1. Verify if the perl module is installed by using one of the following methods.
Using the perl command:
Can't locate Date/Gregorian.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at -e line 1.
find `perl -e 'print "@INC"'` -name '*.pm' -print |grep -i <module name>
For example: find `perl -e 'print "@INC"'` -name '*.pm' -print |grep -i Gregorian
/usr/local/share/perl5/Date/Gregorian/Business.pm
/usr/local/share/perl5/Date/Gregorian/Exact.pm
/usr/local/share/perl5/Date/Gregorian.pm
./.cpan/build/Date-Gregorian-0.12-PmPHQp/lib/Date/Gregorian/Business.pm
./.cpan/build/Date-Gregorian-0.12-PmPHQp/lib/Date/Gregorian/Exact.pm
./.cpan/build/Date-Gregorian-0.12-PmPHQp/lib/Date/Gregorian.pm
./.cpan/build/Date-Gregorian-0.12-PmPHQp/blib/lib/Date/Gregorian/Business.pm
./.cpan/build/Date-Gregorian-0.12-PmPHQp/blib/lib/Date/Gregorian/Exact.pm
./.cpan/build/Date-Gregorian-0.12-PmPHQp/blib/lib/Date/Gregorian.pm
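A pre-flight check for the Linux probe target prerequisites listed earlier (RPM packages, Perl modules in a location other users can read, installation directory), as an added example rather than a script shipped with the product. Function names are hypothetical, and the world-writable test is an added hardening check not stated in the guide, included because the collection scripts used by the cron job are stored in this directory.

```shell
#!/bin/sh
# Added example, not part of the Hitachi guide. Run it on the target machine
# as the user that will be entered in the Analyzer probe UI.

RPMS="nvme-cli openssh-clients perl rsync sysstat zip"
PERL_MODULES="File::Path Getopt::Std HTTP::Request::Common IO::Select IO::Handle LWP::UserAgent Time::HiRes"

# The guide restricts the directory name to alphanumeric, hyphen and
# underscore characters; the last path component is checked.
valid_install_dir_name() {
    name=$(basename -- "$1")
    case $name in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints one finding line if the module cannot be loaded, or if the file it
# loads from is not readable by other users; prints nothing when it is fine.
check_perl_module() {
    perl -e 'my $m = shift; (my $f = "$m.pm") =~ s{::}{/}g;
             eval { require $f; 1 } or exit 1;
             my @st = stat($INC{$f}); exit 1 unless @st;
             exit(($st[2] & 0004) ? 0 : 2);' "$1" 2>/dev/null && rc=0 || rc=$?
    case $rc in
        0) ;;
        2) echo "$1: installed but not readable by other users" ;;
        *) echo "$1: not installed" ;;
    esac
}

# Prints findings for the installation directory; returns 1 if there are any.
check_install_dir() {
    d=$1; bad=0
    valid_install_dir_name "$d" ||
        { echo "$d: name may contain only letters, digits, '-' and '_'"; bad=1; }
    if [ -d "$d" ] && [ -r "$d" ] && [ -w "$d" ] && [ -x "$d" ]; then
        # Added hardening check (not a requirement stated in the guide):
        # the ninth character of the mode string is the "other" write bit.
        case $(ls -ld -- "$d") in
            ????????w*) echo "$d: world-writable, other users could alter the collection scripts"; bad=1 ;;
        esac
    else
        echo "$d: missing, or the current user lacks read/write/execute permission"; bad=1
    fi
    return $bad
}

# Runs every check, prints all findings, returns the number of findings.
preflight() {
    dir=$1; findings=0
    for p in $RPMS; do
        rpm -q "$p" >/dev/null 2>&1 || { echo "rpm $p: not installed"; findings=$((findings + 1)); }
    done
    for m in $PERL_MODULES; do
        msg=$(check_perl_module "$m")
        [ -z "$msg" ] || { echo "perl $msg"; findings=$((findings + 1)); }
    done
    check_install_dir "$dir" || findings=$((findings + 1))
    return $findings
}

# Stand-alone use: sh preflight.sh /path/to/installation_directory
if [ $# -eq 1 ]; then
    preflight "$1"
fi
```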
In addition to the Hitachi storage probes, you can also collect data about third-party storage systems by installing the third-party add-on package.
The third-party storage probes require a separate license and a Hitachi Professional Services engagement. The software is delivered in a third-party add-on package, which you can
download from Support Connect. For information on licensing, contact your Hitachi Vantara sales representative.
After adding a probe, check if the Analyzer detail view server is collecting data.
1. Open a web browser, and then enter the following URL in the address bar to log on to the Analyzer detail view server:
https://IP-address-of-Analyzer-detail-view-server:8443/
2. In the logon window, enter the user name and password used to set up the Analyzer detail view server.
3. Click the Server Status icon.
4. Verify that the added probe appears in Last Configuration Import Time and Last Performance Import Time of Data Import Status, and that data is collected.
Note: After a probe is added, it might take some time before the probe appears in the Analyzer detail view server UI.
5. Open a web browser, and then enter the following URL in the address bar to log in to the Analyzer server:
http://IP-address-of-the-Analyzer-server:22015/Analytics/login.htm
6. Enter the following information to log on:
Password: manager (This is the default password that should be changed during installation.)
1. Obtain the Analyzer Windows probe installer from the installation media (Analyzer ISO or Probe OVA ISO).
2. Mount the ISO file:
a. In File Explorer, select the ISO file, then at the top of the window, select the Disc Image Tools tab.
b. In the Disc Image Tools tab, select Mount.
3. From the ISO image, navigate to the DCAWINPROBE folder and run the Analyzer Windows probe installer.
4. To continue installation, click Next.
5. In the Log on Information window, type the Domain Administrator or Local user name and password for the Windows machine in the format specified in the window, and click
Next.
Note: The user must have the Administrator privileges and Logon as a Service permission.
6. In the Choose Destination Location window, browse to select the installation folder, and click Next.
7. In the Ready to Install the Program window, click Install to complete the installation.
8. Click Finish.
Note: If you deselect the Launch Ops Center Analyzer Windows Probe check box, double-click the Ops Center Analyzer Windows Probe icon on the desktop. If you do not
see the icon on the desktop, then open a command prompt and enter the following to refresh the icon in the database:
ie4uinit.exe -ClearIconCache
9. In the License tab, browse to the license file and click Submit to register the license.
You can use one of the following methods to collect data for Windows hosts and Hyper-V servers using the Analyzer Windows probe:
Note: Method 3 collects all metrics and is mandatory for using the Analyzer UI. Methods 1 and 2 collect a subset of metrics and apply only to viewing metrics in Analyzer detail view.
Refer to the Hitachi Ops Center Analyzer detail view Metrics Reference Guide for a list of metrics collected by methods 1 and 2.
Method 1: Data collection from System Center Operation Manager (SCOM) and System Center Configuration Manager (SCCM).
Note: Method 1 does not collect the relation between the Windows physical disk and logical disk.
Prerequisites
SCOM
Microsoft.EnterpriseManagement.Core.dll
Microsoft.EnterpriseManagement.OperationsManager.dll
Microsoft.EnterpriseManagement.Runtime.dll
The above DLLs are located in the SDK Binaries folder on Windows machines:
Example SCOM 2016 installation folder path: SCOM-installation-location\Microsoft System Center 2016\Operations Manager\Server\SDK Binaries
SCCM
Method 2: Data collection from the System Center Operation Manager (SCOM) and WMI query
Prerequisites
SCOM
Microsoft.EnterpriseManagement.Core.dll
Microsoft.EnterpriseManagement.OperationsManager.dll
Microsoft.EnterpriseManagement.Runtime.dll
The above DLLs are located in the SDK Binaries folder on Windows machines:
Example SCOM 2016 installation directory path: SCOM-installation-folder\Microsoft System Center 2016\Operations Manager\Server\SDK Binaries
WMI Query
You must be a user who has been assigned the Domain Administrator role and has permission to access WMI namespaces (ROOT\WMI, ROOT, and ROOT\CIMV2) on the
target host.
The Execute Methods and Remote Enable permissions are required for the namespaces.
The authentication information (user name and password) on the Analyzer Windows probe server and the monitoring target server must match.
Firewall exceptions must be added for the WMI on the target machine. Run the following commands on the target machine:
netsh advfirewall firewall set rule group="remote administration" new enable=yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
For workgroup computers, change the settings for the Remote User Account Control (UAC) LocalAccountTokenFilterPolicy registry entry.
Performance and configuration data is collected from individual machines using the Perfmon API and WMI query.
Prerequisites
The probe machine and the target machines must be part of either the same workgroup or the same domain.
Firewall exceptions must be added for the WMI and Perfmon on the target machine. To add the firewall exceptions, run the following commands on the target machine:
netsh firewall set service RemoteAdmin
netsh firewall set service type=fileandprint mode=enable profile=all scope=all
To connect to Windows machines remotely, the following must exist:
The remote registry service must be running on the target machine.
The Local Service on the target machine must have read permissions for the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Users designated for this method must be added to the Local Group Policy on the target machine and the machine on which the Analyzer Windows probe is installed:
Execute the Local Group Policy Editor (gpedit.msc), select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, and
then add the users to the Log on as a service and Allow log on locally policy settings. In addition, make certain that the users are not present in the Deny log on locally setting
(which would prevent them from logging in).
In addition, make sure that the following default rights (policy settings) are assigned to the designated user:
Access this computer from the network
Adjust memory quotas for a process
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create global objects
Create symbolic links
Debug programs
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Impersonate a client after authentication
Increase scheduling priority
Load and unload device drivers
Log on as a batch job
Manage auditing and security log
Modify firmware environment values
Perform volume maintenance tasks
Profile system performance
Profile single process
Remove computer from docking station
Restore files and directories
Shut down the system
Take ownership of files or other objects
The authentication information (user name and password) on the Analyzer Windows probe server and the monitoring target server must match.
Distributed COM must be enabled in Component Services on the target machine and the machine on which the Analyzer Windows probe is installed. To enable distributed
COM, perform the following procedure:
Execute Component Services (dcomcnfg.exe), and then select Component Services > Computers. When My Computer is displayed, right-click My Computer, and then
select Properties. After that, select the Default Properties tab, and then select Enable Distributed COM on this computer.
For domain computers: A user with the Domain Administrator role or local administrator group of the target machine and the machine on which the Analyzer Windows probe
is installed.
For workgroup computer: The following settings are required if you are not using the built-in administrator for connections:
You must be a user who has been assigned the Domain Administrator role and has permission to access WMI namespaces (ROOT\WMI, ROOT, and ROOT\CIMV2)
on the target host.
Execute Methods and Remote Enable permissions are required for the namespaces.
Change the settings for the Remote User Account Control (UAC) LocalAccountTokenFilterPolicy registry entry. For more information, see
http://support2.microsoft.com/kb/942817/en-us.
The Computer Browser service must be running on the target machine.
The following table shows the support for monitoring targets by each method of the Windows probe in the Ops Center Analyzer functions. Note that Method 3 (data collection using
Perfmon API and WMI query) can collect data for monitoring targets in all Ops Center Analyzer functions. Use Method 3 when monitoring Windows hosts and Hyper-V on the
Analyzer server.
Hypervisor VM Hypervisor VM
Legend:
Note:
After installing the Analyzer Windows probe, you must configure a collection method, set up an FTP or HTTPS server, and start the service for that probe.
You must register the Analyzer Windows probe and select the data collection method for that Analyzer Windows probe.
1. On the Analyzer Windows probe console, click the Collection tab, and configure the collection method settings based on your requirements:
a. In the Performance section, select Use SCOM and type the following details:
b. In the Configuration section, select Use SCCM and type the following details:
Note: If you select the Trusted Connection check-box, then the SQL Server User Name and SQL Server Password fields are disabled.
a. In the Performance section, select Use SCOM and type the following details:
b. In the Configuration section, select Use WMI and type the following details:
b. Type the following details for Use Perfmon and Use WMI options:
Computer Name: Machine name on which the Analyzer Windows probe is installed.
ii. Password
c. In the Performance section, select the Collect Process Data box if you want to collect process data.
Click Discover Hosts to discover the hosts available in the current domain. You can then select the target host that you want to monitor.
Click Add Hosts and type the host names manually. The Add Hosts window opens. Enter a comma-separated list of Windows machines (host names or IP
addresses).
3. Click Validate & Save to establish the connection, and click OK.
You must configure the SFTP or HTTPS server for the Analyzer Windows probe to send data.
1. On the Analyzer Windows probe console, click the Upload Settings tab.
2. On the Upload Settings tab, select the protocol SFTP or HTTPS. For the supported ciphers, refer to Supported ciphers for Analyzer Windows probe.
3. Type the following details:
SFTP Server or HTTPS Server: Type the Analyzer detail view server IP address where you want to upload the data.
User: meghadata
Note: To enhance security for the SFTP account, you must change the meghadata user default password. Refer to Changing the megha and meghadata passwords
for more information.
4. To use a proxy server, select the Use Proxy check box and type the following details:
Note: The SFTP protocol does not support data uploading through proxy.
Login and Password: User name and Password of the proxy server.
Start the probe service from the Status tab in the Analyzer Windows probe console.
The Analyzer Windows probe collects various log files that are useful for troubleshooting. The Diagnostic Data feature provides the facility to download these files in an archive file. If
you cannot resolve the problem, send the generated data file with the error messages to customer support for analysis.
1. On the Analyzer Windows probe console, click the Diagnostic Data tab.
2. Click Download.
The diagnostic data generation process begins.
3. In the Save As window, choose any location to save the file and then click Save.
Sample diagnostic data file name: Analyzer-Windows-probe_diag_20190611192343.zip
The Analyzer Windows probe configuration is automatically backed up at midnight to the following location on the SFTP server:
Probe-appliance-ID/probeConfigBackup/WindowsProbeConfigurationBackup_Probeversion.zip.enc
The time of the last backup is displayed in the Status tab. For example:
The backup data can be used to migrate the Analyzer Windows probe to another machine if it is corrupted or inaccessible. However, the backup can only be restored by contacting
customer support.
After adding a probe, check if the Analyzer detail view server is collecting data.
1. Open a web browser, and then enter the following URL in the address bar to log on to the Analyzer detail view server:
https://IP-address-of-Analyzer-detail-view-server:8443/
2. In the logon window, enter the user name and password used to set up the Analyzer detail view server.
3. Click the Server Status icon.
4. Verify that the added probe appears in Last Configuration Import Time and Last Performance Import Time of Data Import Status, and that data is collected.
Note: After a probe is added, it might take some time before the probe appears in the Analyzer detail view server UI.
5. Open a web browser, and then enter the following URL in the address bar to log in to the Analyzer server:
http://IP-address-of-the-Analyzer-server:22015/Analytics/login.htm
6. Enter the following information to log on:
Password: manager (This is the default password that should be changed during installation.)
To remove the Analyzer Windows probe, use the uninstall function of Windows.
5. Confirm the uninstall by clicking Yes.
6. When the completion status message is shown, confirm it by selecting OK.
The following files or directories of the Analyzer Windows probe are not deleted after uninstalling the probe. (You can remove them manually.)
C:\Temp\HDCA\ProbeDataStatus.properties
C:\Temp\WindowProbeInstallerOutput.txt
C:\Temp\HDCA\diagData
C:\Temp\Collected configuration and performance files which are not uploaded
Upgrade workflow
Analyzer server
Analyzer detail view server
Analyzer probe server (the RAID Agent and the Virtual Storage Software Agent on the same host)
RAID Agent (Windows)
Analyzer Windows probe
Use the installer to perform an upgrade regardless of whether you used the OVA or the installer when you performed the original installation.
The following figure shows the sequence of tasks for upgrading Ops Center Analyzer. Note that you must also follow this sequence of tasks if you are upgrading to Ops Center
Analyzer from Infrastructure Analytics Advisor.
Before upgrading each component, back up Ops Center Analyzer and stop the services.
Review the requirements for the following components (hardware and software):
Analyzer server
Analyzer detail view server
Analyzer probe server
RAID Agent (Windows)
Analyzer Windows probe
1. Back up Ops Center Analyzer in case the upgrade fails. For details, see Backing up Ops Center Analyzer.
2. Stop each service in the following order:
a. Analyzer server
Stopping the Analyzer server services
b. Analyzer detail view server
Stopping the Analyzer detail view server or Analyzer probe server services
c. Analyzer probe server
Stopping the Analyzer detail view server or Analyzer probe server services
d. RAID Agent
Stopping the RAID Agent services
e. Virtual Storage Software Agent
Stopping the Virtual Storage Software Agent services
f. On-demand real time monitoring module
Stopping the On-demand real time monitoring module services
g. Analyzer Windows probe
You can obtain the prerequisite RPM packages from the Linux OS media or the distribution website, such as for Red Hat Enterprise Linux.
You can check which RPM packages are missing by running the precheck tool (analytics_precheck.sh).
If the libstdc++ package is already installed in the environment in which the Analyzer probe server:
This error occurs because the version of the x86_64 package (the 64-bit library) differs from that of the i686 package (the 32-bit compatibility library). If this happens, update the
x86_64 (the 64-bit library), and then retry the installation of libstdc++.i686:
The following describes how to install or update the RPM packages by using the Linux OS media.
mkdir /media/OSImage
mount /dev/cdrom /media/OSImage
touch /etc/yum.repos.d/OSImage.repo
# The section names are quoted so that the shell does not expand the brackets as a file-name pattern.
# gpgcheck=0 turns off GPG signature verification for packages installed from this media repository.
echo "[dvd-baseos]">>/etc/yum.repos.d/OSImage.repo
echo name=dvd-baseos>>/etc/yum.repos.d/OSImage.repo
echo baseurl=file:///media/OSImage/BaseOS/>>/etc/yum.repos.d/OSImage.repo
echo gpgcheck=0>>/etc/yum.repos.d/OSImage.repo
echo enabled=1>>/etc/yum.repos.d/OSImage.repo
echo >>/etc/yum.repos.d/OSImage.repo
echo "[dvd-appstream]">>/etc/yum.repos.d/OSImage.repo
echo name=dvd-appstream>>/etc/yum.repos.d/OSImage.repo
echo baseurl=file:///media/OSImage/AppStream/>>/etc/yum.repos.d/OSImage.repo
echo gpgcheck=0>>/etc/yum.repos.d/OSImage.repo
echo enabled=1>>/etc/yum.repos.d/OSImage.repo
3. Run the yum command to install or update the packages and package group:
For packages
umount /media/OSImage/
rm /etc/yum.repos.d/OSImage.repo
The following describes how to install or update the RPM packages by using the distribution website.
proxy=http://host-name:port-number
proxy_username=user-name
proxy_password=password
yum clean all
3. Run the yum command to install or update the packages and package group.
For packages
You can upgrade the Analyzer server and the Analyzer detail view server individually, or upgrade both servers together, by using the installer (analytics_install.sh).
The installer starts and stops the crond service. Therefore, do not run any operations that use the crond service when the installer is running.
Verify the following prerequisites before upgrading the Analyzer server and Analyzer detail view server.
Common prerequisites for the Analyzer server and the Analyzer detail view server:
Review the Analyzer server and the Analyzer detail view server requirements (hardware and software).
Verify that you have root permission to run the installer and the precheck tool.
If the Analyzer detail view server is connected to the Analyzer server, you must upgrade the Analyzer detail view server and the Analyzer server at the same time.
Regardless of whether the Analyzer detail view server and the Analyzer server are installed on the same host, you must upgrade the Analyzer detail view server before you
upgrade the Analyzer server.
Check Port requirements, and change the firewall and network settings so that the required ports can communicate.
Do not set the COLUMNS environment variable.
If you are upgrading from a version earlier than version 10.0.0, make sure there is 5 GB of free space in the /var directory on the installation-destination host.
Make sure that the following directories are not mounted with the noexec option:
/opt
/var/opt
Procedure
In the following example, if the /root/ANALYTICS directory already exists, create a new directory, and then perform the subsequent steps in the new directory.
mkdir /media/OpsImage
mount /dev/cdrom /media/OpsImage
mkdir /root/ANALYTICS
cp -rT /media/OpsImage/ANALYTICS /root/ANALYTICS
cd /root/ANALYTICS
5. Run the precheck tool as a root user to check whether Analyzer server and Analyzer detail view server can be installed:
sh ./analytics_precheck.sh
If OK is displayed in [ Check results ], you can start the installation. If NG is displayed, make sure the system requirements have been met.
============================================================
Analytics Precheck ver. 10.0.0-00
============================================================
[ Check results ]
Ops Center Analyzer detail view server [10.0.0-00] [OK]
Ops Center Analyzer server [10.0.0-00] [OK]
[ Details ]
Check premise OS version. [OK]
An Analyzer server earlier than v10.7.0, Hitachi Ops Center Automator earlier than v10.8.0, or Hitachi Command Suite earlier than v8.8.3 is
already installed on this server. Make sure to upgrade the relevant products by referring to the Release Notes.
If the following message is displayed, you must change the JDK used by the Analyzer detail view server. For details, see Resolving a JDK-related error for the Analyzer detail
view server.
JDK environment is invalid (invalid-settings).
For invalid-settings, one or more of the following values is displayed: java, keytool, jstack, jre_1.8.0, or java_home.
Note:
When you run the precheck tool, it checks the static information of the system environment.
If the -v option is specified, information such as the installed version of Analyzer server and Analyzer detail view server, the host name, and the OS name is also
displayed.
6. Run the following command as root to start the upgrade:
sh ./analytics_install.sh VUP
A message is displayed confirming that you want to upgrade the Analyzer detail view server and Analyzer server.
Do not change the size of the device window while the command is running. If you change the size of the window, the installation fails.
7. Enter y, and then specify the components that you want to upgrade.
Do you want to install the Ops Center Analyzer detail view server? (y/n) [n]: y
Do you want to install the Ops Center Analyzer server? (y/n) [n]: y
[Confirmation]
------------------------------------------------------------
Installation Product
(1) Ops Center Analyzer detail view server
(2) Ops Center Analyzer server
------------------------------------------------------------
Do you want to install the server listed above? (y/n) [n]: y
An Analyzer server earlier than v10.7.0, Hitachi Ops Center Automator earlier than v10.8.0, or Hitachi Command Suite earlier than v8.8.3 is
already installed on this server. Make sure to upgrade the relevant products by referring to the Release Notes.
If the following message is displayed, you must change the JDK used by the Analyzer detail view server. For details, see Resolving a JDK-related error for the Analyzer detail
view server.
For invalid-settings, one or more of the following values is displayed: java, keytool, jstack, jre_1.8.0, or java_home.
Note: The Analyzer detail view server uses the crond service. If the crond service is disabled or stopped, enable and start it.
As a best practice, you should set the crond service to start automatically when the OS starts.
When you upgrade the Analyzer probe server, the RAID agent and Virtual Storage Software Agent on the same host are automatically upgraded, but Ops Center API Configuration
Manager and other Ops Center products are not upgraded. If you are upgrading the Analyzer probe server from version 10.8.1 or earlier, you can choose whether to perform a new
installation of Virtual Storage Software Agent.
The installer (dcaprobe_install.sh) starts and stops the crond service. Therefore, do not run any operations that use the crond service when the installer is running.
Verify that you have root permission to run the installer and the precheck tool.
To upgrade the Analytics probe server from a version earlier than 4.0.0, you must first upgrade the Analyzer probe server to version 4.0.0.
A license for the Analyzer probe server must be registered.
Review the Analyzer probe server requirements (hardware and software).
When upgrading from a version earlier than 10.0.0, make sure that both the root directory and the installation directory of the host on which you plan to install the Analyzer
probe server have 5 GB of free space.
During the upgrade, /opt/jp1pc/htnm/HBasePSB/hjdk/jdk might be deleted. If you have created files under this directory, move them elsewhere before starting the upgrade. If
any settings (such as htnm_httpsd.conf) reference a file under this directory, revise them to use the new location.
Make sure that the following directories are not mounted with the noexec option:
/tmp
/var
Note: After a successful installation, do not add the noexec option to the /tmp directory. (It might prevent the service from running properly.)
Check Port requirements, and change the firewall and network settings so that the required ports can communicate.
Do not set the COLUMNS environment variable.
Make sure that the time on the Analyzer probe server machine is synchronized with the UTC time. For example, when the time in UTC is 23:00, the time on an Analyzer
probe server machine in the PST time zone must be 15:00.
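The host-level prerequisites listed for the Analyzer server / Analyzer detail view server upgrade and for the Analyzer probe server upgrade (root permission, no COLUMNS variable, no noexec mounts, 5 GB of free space) can be checked with a short script before the media is mounted. The script below is an added example, not part of the Hitachi tooling: the function names are hypothetical, and the probe installation directory is passed in as an argument because this page does not name it.

```shell
#!/bin/sh
# Added example (not Hitachi tooling): host checks for the upgrade
# prerequisites listed in this guide. All function names are hypothetical.

# Print the mount options of the filesystem holding DIR, taken from the
# longest matching mount point in a /proc/mounts-format table.
mount_opts_for() {
    dir=$1
    table=${2:-/proc/mounts}
    awk -v d="$dir" '
        {
            mp = $2
            if (mp == d || mp == "/" || index(d, mp "/") == 1) {
                # ">=" lets a later entry for the same mount point win,
                # because the last mount listed is the one in effect.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "$table"
}

# Succeed (return 0) when DIR sits on a filesystem mounted with noexec.
has_noexec() {
    case ",$(mount_opts_for "$1" "${2:-}")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Free space, in KB, on the filesystem holding DIR.
free_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

# Succeed when COLUMNS is present in the process environment.
columns_exported() { env | grep -q '^COLUMNS='; }

# check_prereqs "<dirs that must allow exec>" "<dirs needing 5 GB>" [table]
check_prereqs() {
    rc=0
    need_kb=$((5 * 1024 * 1024))
    if [ "$(id -u)" -ne 0 ]; then echo "NG: not running as root"; rc=1; fi
    if columns_exported; then echo "NG: COLUMNS is set"; rc=1; fi
    for d in $1; do
        if has_noexec "$d" "${3:-}"; then
            echo "NG: $d is mounted with noexec"; rc=1
        fi
    done
    for d in $2; do
        kb=$(free_kb "$d")
        # An unreadable df result counts as a failure, not a pass.
        if [ -z "$kb" ] || [ "$kb" -lt "$need_kb" ]; then
            echo "NG: $d has less than 5 GB free"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: prerequisites met"
    return "$rc"
}

# Usage: sh upgrade_prereq.sh analyzer
#        sh upgrade_prereq.sh probe [installation-directory]
# The 5 GB checks apply when upgrading from a version earlier than 10.0.0.
case "${1:-}" in
    analyzer) check_prereqs "/opt /var/opt" "/var" ;;
    probe)    check_prereqs "/tmp /var" "/ ${2:-}" ;;
esac
```

On hosts hardened with noexec on /tmp or /var, the script reports the conflict before the installer is started.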
Procedure
In the following example, if the /root/DCAPROBE directory already exists, create a new directory, and then perform the subsequent steps in the new directory.
mkdir /media/OpsImage
mount /dev/cdrom /media/OpsImage
mkdir /root/DCAPROBE
cp -rT /media/OpsImage/DCAPROBE /root/DCAPROBE
4. Move to the /root/DCAPROBE directory.
cd /root/DCAPROBE
5. Run the precheck tool as a root user to check whether Analyzer probe server can be installed:
sh ./dcaprobe_precheck.sh
If OK is displayed in [ Check results ], you can start the installation. If NG is displayed, make sure the system requirements have been met.
============================================================
Ops Center Analyzer probe Precheck ver. 10.0.0-00
============================================================
[ Check results ]
Ops Center Analyzer probe server [10.0.0-00] [OK]
[ Details ]
Check resolved hostname. [host-name (IP-address)] [OK]
Check premise OS version. [OK]
If the following message is displayed, you must change the JDK used by the Analyzer probe server. For details, see Resolving a JDK-related error for the Analyzer probe
server.
For invalid-settings, one or more of the following values is displayed: java, keytool, jstack, jre_1.8.0, or java_home.
Note:
When you run the precheck tool, it checks the static information of the system environment.
If the -v option is specified, information such as the installed version of Analyzer probe server and the OS name is also displayed.
6. Run the following command as root to start the upgrade:
sh ./dcaprobe_install.sh VUP
Do not change the size of the device window while the command is running. If you change the size of the window, the installation fails.
If the following message is displayed, you must change the JDK used by the Analyzer probe server. For details, see Resolving a JDK-related error for the Analyzer
probe server.
For invalid-settings, one or more of the following values is displayed: java, keytool, jstack, jre_1.8.0, or java_home.
If you are upgrading the Analyzer probe server from version 10.8.1 or earlier, you can choose whether to perform a new installation of Virtual Storage Software Agent.
Do you want to install the Virtual Storage Software Agent server?(y/n) [n]:y
Note: The Analyzer probe server uses the crond service. If the crond service is disabled or stopped, enable and start it.
As a best practice, you should set the crond service to start automatically when the OS starts.
Note: If you are upgrading from a version earlier than 10.9.1 and automatic starting of RAID Agent is currently enabled, both automatic starting and stopping will be enabled after the
upgrade. If initially set to disabled, both automatic starting and stopping are disabled. After the upgrade, you cannot enable or disable them independently.
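Both upgrade procedures above depend on the operator reading the [ Check results ] section of the precheck output before starting the installer with VUP. The script below is an added example, not part of the Hitachi tooling, that makes that gate mechanical. It assumes a failed item ends in [NG] the same way the sample lines end in [OK], and it parses the text because this page does not document the precheck tool's exit status; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Hitachi tooling): start the upgrade only when the
# precheck output is clean. Function names are hypothetical.

# Classify saved precheck output.
#   0 = every [ Check results ] line is [OK]
#   1 = at least one [NG] line in [ Check results ] (assumed format)
#   2 = "JDK environment is invalid" message present
#   3 = no result lines found (truncated or unexpected output)
precheck_verdict() {
    awk '
        /JDK environment is invalid/     { jdk = 1 }
        /^[ \t]*\[ Check results \]/     { in_res = 1; next }
        /^[ \t]*\[ Details \]/           { in_res = 0 }
        in_res && /\[NG\][ \t]*$/        { ng++ }
        in_res && /\[OK\][ \t]*$/        { ok++ }
        END {
            if (jdk) exit 2
            if (ng)  exit 1
            if (!ok) exit 3
            exit 0
        }
    ' "$1"
}

# gated_upgrade PRECHECK-SCRIPT INSTALLER-SCRIPT
# Run from the directory the installer files were copied to
# (/root/ANALYTICS or /root/DCAPROBE in the procedures above).
gated_upgrade() {
    log=$(mktemp) || return 1
    # The tool's exit status is not relied on; only its text is judged.
    sh "./$1" > "$log" 2>&1 || true
    cat "$log"
    rc=0
    precheck_verdict "$log" || rc=$?
    rm -f "$log"
    if [ "$rc" -ne 0 ]; then
        echo "precheck not clean (code $rc); upgrade not started" >&2
        return "$rc"
    fi
    sh "./$2" VUP
}

# Usage: sh gated_upgrade.sh analyzer | probe
case "${1:-}" in
    analyzer) gated_upgrade analytics_precheck.sh analytics_install.sh ;;
    probe)    gated_upgrade dcaprobe_precheck.sh dcaprobe_install.sh ;;
esac
```

An empty or truncated precheck log returns code 3, so the installer is never started on output that could not be read.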
You can upgrade the RAID Agent on a Windows host by using the RAID Agent installer.
Check the system requirements for the RAID Agent you are installing on Windows.
During the upgrade, RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\HBasePSB\hjdk\jdk might be deleted. If you have created files under this folder, move them
elsewhere before starting the upgrade. If any settings (such as htnm_httpsd.conf) reference a file under this folder, revise them to use the new location.
You can upgrade the Analyzer Windows probe by using the Analyzer Windows probe installer.
The user must have Administrator privileges and the Logon as a Service permission.
The Analyzer Windows probe must be installed on a Windows machine with one of the following English system locales:
English (Australia), English (Belize), English (Canada), English (Caribbean), English (India), English (Ireland), English (Jamaica), English (Malaysia), English (New Zealand),
English (Philippines), English (Singapore), English (South Africa), English (Trinidad and Tobago), English (United Kingdom), English (United States), English (Zimbabwe).
The Display language and Input Method language on a Windows machine must be set to English.
If you are using data collection Method 1 and Method 2, then verify that the following DLLs are present in the Analyzer Windows probe installer\bin folder:
Microsoft.EnterpriseManagement.Core.dll
Microsoft.EnterpriseManagement.OperationsManager.dll
Microsoft.EnterpriseManagement.Runtime.dll
If the above DLLs are not available, you can copy them from the following folder on the Windows machine and save them in the Analyzer Windows probe installer\bin folder:
Sample installation directory path: SCOM Installation Directory\Microsoft System Center 2016\Operations Manager\Server\SDK Binaries
The following directory of the Analyzer Windows probe is not deleted after the upgrade, so you must remove it manually:
C:\Temp\HDCA\diagData
After a successful upgrade, certain custom settings may require resetting so that all items are displayed correctly in the Ops Center Analyzer web user interface.
After upgrading to the Analyzer detail view server and Analyzer probe server, sometimes the UI is distorted. To fix this issue, refresh the browser cache.
If any tables are missing content or display content incorrectly, select File > Clear Settings, and then click OK to clear the settings saved in the browser.
Table configuration information (column settings, column widths, column sorting status, filtering status)
History of search keywords
Connection settings with Ops Center Automator
If you upgrade the components from version 3.1.0-01 or earlier, the connection settings with Ops Center Automator are disabled. If you are using the I/O control configuration
function using Ops Center Automator, perform the procedure for Reconfiguring the connection with Ops Center Automator after an upgrade.
If you upgrade the components from a version earlier than 4.1.0, you can choose the data collection method by specifying the Access Type in the instance information for all
RAID Agent instances. Access Type corresponds to Method for collecting in versions earlier than 4.1.0. For best results, revise the settings because, in addition to
Access Type, other items in the instance information are also changed.
If you change the value of Access Type, make sure that the value of the collection interval for RAID Agent and the value of the collection interval for the Hitachi Enterprise
Storage probe are the same. If these values do not match, change one or both of the values so that the specified collection intervals are the same.
If you want to use Common Services with Analyzer after an upgrade, check the following:
To use Common Services, the SSL settings are required. If you did not enable SSL communication during the use of Infrastructure Analytics Advisor, see Configuring an SSL
certificate (Analyzer server) and Configuring an SSL certificate (Common Services). If you enabled SSL communication during the use of Infrastructure Analytics Advisor, see
Configuring an SSL certificate (Common Services).
When you use Common Services for the first time, perform the procedures in Registering Ops Center Analyzer in Common Services and Assigning Analyzer permissions to
Ops Center user groups.
If you want to use Common Services with Analyzer detail view after an upgrade, check the following:
When you use Common Services for the first time, perform the procedures in Registering Analyzer detail view server with Common Services and Assigning Analyzer detail
view roles to Ops Center user groups.
If you want to use Common Services with Analyzer probe after an upgrade, check the following:
When you use Common Services for the first time, perform the procedures in Registering Analyzer probe server with Common Services.
If you upgrade the components from version 3.1.0-01 or earlier, and want to continue to use the I/O control settings functionality that uses Ops Center Automator, you must
reconfigure the connection with Ops Center Automator.
The I/O control configuration function that uses Ops Center Automator was used before upgrading the components.
The components were upgraded from version 3.1.0-01 or earlier.
a. On the Administration tab, select System Settings > Automator Server.
b. Click the link to download the service template.
The name of the service template is AnalyticsServiceTemplate.zip.
3. Register the storage system in Ops Center Automator.
a. On the Administration tab, select Connection Settings > Web Service Connections.
b. Click Add, and then specify the following information about the storage systems with Server Priority Manager:
Category: Specify "ConfigurationManager".
Name: Device number of the storage system
IPAddress/HostName: IP address or host name of the host on which the Ops Center API Configuration Manager is installed
Protocol: http or https
Port: Port number used by the Ops Center API Configuration Manager
User ID and password: User account with permission to access the logical devices and ports that you want to operate (user ID that was specified when the storage
system was registered to the Ops Center API Configuration Manager)
Assigned Infrastructure Groups: Infrastructure group to which the target storage system is registered
If you are not using the infrastructure group functionality, specify "IG_Default Service Group".
Note:
If a name other than "ConfigurationManager" was specified for the category before the upgrade, for best results, you should continue to use the same name.
If any name other than "ConfigurationManager" is specified for the category, you must edit the file config_user.properties.
If any name other than "ConfigurationManager" is specified, an error message is displayed when you connect with the Ops Center API Configuration Manager by
clicking the Test button. Despite this error message, the I/O control settings functionality operates normally when the correct value is registered to each field.
4. Import the service templates in Ops Center Automator.
a. Unzip the file AnalyticsServiceTemplate.zip to a location of your choice.
b. On the Service Templates tab, click Import.
c. Click Browse, and then specify one of the following zip files:
If you are using Automation Director version 8.5.2 or a later version: ServiceTemplate_03.20.00.zip
If you are using Automation Director version 8.5.0: ServiceTemplate_03.00.02.zip
These zip files contain two service templates:
com.hitachi.software.dna.analytics_DeleteIoControlSettings_version.st - This template disables an I/O control task.
com.hitachi.software.dna.analytics_ModifyIoControlSettings_version.st - This template enables or modifies an I/O control task.
d. Click OK.
Tip: If you do not see the I/O control settings service templates, sort service template files by using Registered, and the latest imported templates will appear with the New
tag.
Note: If you import the file ServiceTemplate_03.00.02.zip, "OUTDATED" might be displayed in the imported service template, indicating that the version has expired. If
"OUTDATED" is displayed, do not update the service template. If you update the file, the service template will become unusable.
5. Use the service templates to create the services for Server Priority Manager:
a. On the Administration tab, select Resources and Permissions > Service Groups.
b. Select the service group that was used for the I/O control settings functionality.
c. On the Services tab, click Create.
d. Select the service templates, and then click Create Service.
e. Verify or specify the following information using the best practice names to create the service:
Name of the service for updating Server Priority Manager settings: Modify IO Control Settings for Volume
Name of the service for deleting Server Priority Manager settings: Delete IO Control Settings for Volume
Status: Release
Note: Do not modify the I/O control settings. These fields are autopopulated by the information entered on the Ops Center Analyzer user interface when you submit
an I/O control task.
f. Click Save and Close to close the window.
6. Assign an infrastructure group to the service group to which you registered the services.
a. On the Resources tab, click Assign.
b. From Available Infrastructure Groups, select an infrastructure group, and then click Add.
If you are not using the infrastructure group functionality, specify "IG_Default Service Group".
c. Confirm that the selected infrastructure group has been moved to Assigned Infrastructure Groups, and then click OK.
7. Edit the config_user.properties file.
This step is not required if you use the recommended name for the service group name, category name, or service name. If you use a name other than the recommended
name, specify, in the config_user.properties file, the name set in Ops Center Automator.
The location of the config_user.properties file is as follows:
Analyzer-server-installation-directory/Analytics/conf
If you use Common Services for user authentication, you can use external user authentication (LDAP authentication or Kerberos authentication). For details, see the Hitachi Ops
Center Installation and Configuration Guide.
External user authentication overview
Analyzer server supports external authentication using LDAP, RADIUS, and Kerberos servers.
External authentication servers can be used to authenticate the users who log on to the Ops Center Analyzer. The built-in administrator accounts cannot be authenticated by external
authentication servers. The user credentials are managed by the external authentication servers.
Analyzer server users can be assigned privileges using an external authorization server such as LDAP directory server (Active Directory). The user privileges can be managed using
Active Directory groups (authorization groups) registered on the external authorization server.
To perform user authentication for Ops Center Analyzer by using an external authentication server, you must configure settings for external user authentication on both the Analyzer
server and the Analyzer probe server.
Note:
Configuring the settings for external user authentication for the Analyzer detail view server is optional.
You must configure the settings for external user authentication only if you want to log on to the Analyzer detail view server by using Active Directory user accounts.
When the Analyzer detail view UI is launched from the Ops Center Analyzer UI, you do not need to configure settings for external user authentication on the Analyzer detail view
server because internal user accounts are used.
Analyzer probe server and Analyzer detail view server support connection to LDAP directory servers (Active Directory) for use as external authentication servers.
Note:
In Analyzer server, the encryption types listed below can be used for Kerberos authentication.
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
AES128-SHA2
AES256-SHA2
The Analyzer server supports external user authentication using multiple external authentication servers in a redundant configuration or in a multi-domain configuration.
In a redundant configuration each external authentication server manages the same user information. If a failure occurs on one external authentication server, user authentication
can be performed by using another external authentication server.
A multi-domain configuration is used to manage different user information for each external authentication server. If a user logs on with a user ID that includes a domain name, the
user will be authenticated by an external authentication server in the domain whose name is included in the user ID. When a Kerberos server is used as an external authentication
server, you can create a configuration similar to a multi-domain configuration by managing different user information for each realm.
The following table shows external authentication servers for which redundant configurations and multi-domain configurations are supported.
External authentication server    Redundant configuration    Multi-domain configuration
RADIUS server                     Y                          N
Kerberos server                   Y                          Y (see Note 2)
Legend:
Y: Supported
N: Not supported
Notes:
1. You can use either a redundant configuration or a multi-domain configuration. If the global catalog for Active Directory is set, you can use both a redundant configuration
and a multi-domain configuration.
2. By managing different user information for each realm, you can create a configuration that is similar to a multi-domain configuration.
When an LDAP directory server is used for user authentication in a multi-domain configuration, the user authentication process varies depending on whether you log on by entering
a user ID that includes a domain name.
If you log on with a user ID that includes a domain name, as in the following figure, user authentication will be performed by using the LDAP directory server of the specified domain.
If you log on with a user ID that does not include a domain name, user authentication is performed sequentially on all LDAP directory servers until the user is authorized, as shown in
the figure below. In an environment that includes a large number of LDAP directory servers, user authentication will take a long time. For best results, you should log on with a user
ID that includes a domain name.
To use LDAP authentication for the Analyzer server, you must configure the following settings.
The workflow for connecting to the LDAP directory server varies depending on whether only an external authentication server is used or both an external authentication server and
an external authorization server are used.
The following figure shows the workflow for connecting to the LDAP directory server.
Note: To use STARTTLS to communicate between the LDAP directory server and the Analyzer server, you must set up an environment specifically for this purpose to ensure secure
communications.
On the LDAP directory server, create a user account for the Analyzer server. Next, check the configuration details of the LDAP directory server, and then create an LDAP search
user account.
On an LDAP directory server, you must create user accounts (user IDs and passwords) to use on the Analyzer server.
For details about how to create user accounts on an LDAP directory server, see the documentation of the LDAP directory server.
A to Z
a to z
0 to 9
! # $ % & ' ( ) * + - . = @ \ ^ _ |
In Analyzer server, user IDs are not case-sensitive. The combination of character types for passwords must follow the settings in the external authentication server.
To use the LDAP directory server as an external authentication server or external authorization server, you must check the LDAP directory server settings in advance.
BaseDN
A BaseDN is the entry point from where a server starts searching for users during authentication or authorization. The BaseDN must be an entry from which the Analyzer
server can search for all users that it needs to authenticate or authorize.
Data structure of user entries (only when the LDAP directory server is used as an external authentication server)
There are two types of data structures for user entries on the LDAP directory server: the hierarchical structure model and the flat model.
You will need information about these settings when you edit the exauth.properties file on the Analyzer server. Note that, depending on the data structure of the user entries, you must
perform different tasks on the Analyzer server.
For details about how to check the information about the settings, see the documentation for the LDAP directory server that you are using.
The following describes BaseDN in the hierarchical structure model and in the flat model.
The hierarchical structure model is a data structure in which the hierarchy below BaseDN branches out, and user entries are registered under each of these hierarchies.
If the hierarchical structure model is used, the entries in the hierarchy below BaseDN are searched for an entry that has the same logon ID and user attribute value.
The user entries enclosed by the dotted line can be authenticated. In this example, BaseDN is cn=group,dc=example,dc=com, because the target user entries extend
across two departments (cn=sales and cn=development).
The flat model is a data structure where there are no branches in the hierarchy below BaseDN, and where user entries are registered in the hierarchy directly below BaseDN.
If the flat model is used, the entries in the hierarchy below BaseDN are searched for an entry that has the DN that consists of a combination of the logon ID and BaseDN. If
such a value is found, the user is authenticated.
The user entries enclosed by the dotted line can be authenticated. In this example, BaseDN is ou=people,dc=example,dc=com, because all of the user entries are located
just below ou=people.
However, even if the flat model is being used, if either of the following conditions is satisfied, you must specify the settings by following the explanation for the hierarchical
structure model:
A user attribute value other than the RDN attribute value (such as a Windows logon ID) is used as the user ID of the Analyzer server.
The RDN attribute value of a user entry includes a character that cannot be used in a user ID for the Analyzer server.
An LDAP search user account is used when an account needs to be authenticated or authorized, or when searching for information within an LDAP directory server.
You must create an LDAP search user account for the following use cases:
When an LDAP directory server is used as an external authentication server and the data structure is the hierarchical structure model
When registering an authorization group in Analyzer server by using the web client, if you want to check whether the distinguished name of the authorization group is
registered on the external authorization server by using a user ID such as the System account registered in Analyzer server, you must register a user account used to search
for LDAP user information on the Analyzer server.
Assign the LDAP search user account the necessary permissions so that the account can access all entries under the BaseDN to be referenced on the Analyzer server, and all
attributes specified for those entries.
For details about how to create user accounts on an LDAP directory server, see the documentation of the LDAP directory server.
To connect to the LDAP directory server, you must perform the following operations on the Analyzer server.
You must create two LDAP user accounts on the LDAP directory server:
An LDAP user account for accessing the Analyzer server
An LDAP search user account for querying the LDAP directory server
If no external authorization servers are used, and if a flat model data structure is used, you do not need to create an LDAP search user account.
Check the following information. This information is necessary for editing the file exauth.properties.
Method for connecting to the LDAP directory server
The properties to be specified depend on whether information about the LDAP directory server is to be directly specified, or whether information about the
connection-destination LDAP directory server is to be obtained from the DNS server.
Settings for properties depend on whether the hierarchical structure model or the flat model is used.
Machine information about the LDAP directory server (Host name or IP address, Port number)
BaseDN
Domain name for external authorization servers managed by the LDAP directory server (when connecting to an external authorization server)
Domain name for multi-domain configurations managed by the LDAP directory server (for a multi-domain configuration)
Common-component-installation-directory/sample/conf/exauth.properties
Common-component-installation-directory/conf
d. If the values of the property auth.ocsp.enable or the property auth.ocsp.responderURL have been changed, restart the Analyzer server service.
2. Register, to the Analyzer server, an LDAP search user account that was created on the LDAP directory server.
Skip this step if no external authorization servers are used and if the data structure of the LDAP directory servers is a flat model.
a. Run the hcmds64ldapuser command to register the LDAP search user account.
b. To view a list of LDAP directory servers for which LDAP search user accounts are registered, run the following command.
Common-component-installation-directory/bin/hcmds64ldapuser -list
Tip:
To delete the LDAP search user account from the Analyzer server, run the hcmds64ldapuser command with the delete option.
3. Run the hcmds64checkauth command to confirm whether connections to the external authentication server and the external authorization server can be established properly.
Common-component-installation-directory/bin/hcmds64checkauth [-summary]
Make sure that the user ID is the same as the user ID that was created on the external authentication server.
When an LDAP directory server is configured for external user authentication and authorization:
For details about how to perform these operations on the web client, see the Hitachi Ops Center Analyzer User Guide.
Note:
If you are using both an external authentication server and an external authorization server, and the user ID created on the external authentication server is registered on the
Analyzer server, the user account is authenticated internally by the Analyzer server.
If the current configuration uses only an external authentication server and you want to use both an external authentication server and an external authorization server, you
must remove the user ID that was created with the same name on the Analyzer server.
In the exauth.properties file, set the type of the external authentication server to use, the server identification name, and the machine information about the external authentication
server.
Items to be configured in the exauth.properties file differ depending on the LDAP directory server environment. Use the following table to check the configuration items
corresponding to your LDAP directory server environment.
Note:
Be sure to distinguish between uppercase and lowercase letters for property settings.
To use STARTTLS for communication between the Analyzer server and the LDAP directory server, you must directly specify information about the LDAP directory server in
the exauth.properties file.
If you use a DNS server to look up the LDAP directory server to connect to, it might take longer for users to log on.
If the LDAP directory server to which you want to connect is in a multi-domain configuration, you will not be able to look up the LDAP directory server by using the DNS
server.
To use an LDAP directory server as an external authorization server by directly specifying the LDAP directory information in the exauth.properties file, specify the settings in the
exauth.properties file as shown in the following table.
auth.server.type
Specify an external authentication server type. Specify ldap.
auth.server.name
Specify the server identification names of LDAP directory servers. You can specify any name for this property in order to
identify which LDAP directory servers the settings such as the port number and the protocol for connecting to the LDAP
directory server are applied to. ServerName has been set as the initial value. You must specify at least one name. To specify
multiple server identification names, delimit the server identification names by using commas (,). Do not register the same
server identification name more than once.
A to Z
a to z
0 to 9
! # ( ) + - . = @ [ ] ^ _ { } ~
auth.ldap.multi_domain
When specifying multiple server identification names for LDAP directory servers, specify the configuration to use for each
server.
auth.ldap.default_domain
Specify settings for the Active Directory global catalog. Specify the domain name of the default server configuration to use for
authentication when no domain name is specified in the logon ID. If you specify multiple servers in auth.server.name, a
multi-domain configuration will be used, and a redundant configuration will not be used.
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify false (do not connect).
auth.ocsp.enable
Specify whether or not to verify the validity of an LDAP directory server electronic signature certificate by using an OCSP
responder when the LDAP directory server and STARTTLS are used for communication.
If you want to verify the validity of certificates, specify true. To not verify the validity of certificates, specify false.
auth.ocsp.responderURL
Specify the URL of an OCSP responder if you want to use an OCSP responder that is not the one written in the AIA field of the
electronic signature certificate to verify the validity of the electronic signature certificate. If this value is omitted, the OCSP
responder written in the AIA field is used.
Property names Details
Default value: none
auth.ldap.auth.server.name-property-value.protocol
Specify the protocol for connecting to the LDAP directory server. This attribute is required.
When communicating in cleartext, specify ldap. When using STARTTLS communication, specify tls.
Before specifying tls, you must specify the security settings of Common component. In addition, make sure that one of the
following encryption methods can be used on the LDAP directory server:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
auth.ldap.auth.server.name-property-value.host
Specify the host name or IP address of the LDAP directory server. If you specify the host name, make sure beforehand that the
host name can be resolved to an IP address. If you specify the IP address, you can use either an IPv4 or IPv6 address. When
specifying an IPv6 address, enclose it in square brackets ([ ]). This attribute is required.
To use a redundant configuration when the global catalog is enabled (auth.ldap.default_domain is specified), specify
multiple host names or IP addresses, delimited by commas.
When using STARTTLS as the protocol for connecting to the LDAP directory server, in the host attribute specify the same host
name as the value of CN in the LDAP directory server certificate. You cannot use an IP address.
auth.ldap.auth.server.name-property-value.port
Specify the port number of the LDAP directory server. Make sure beforehand that the port you specify is set as the listen port
number on the LDAP directory server. To use a redundant configuration when the global catalog is enabled (auth.ldap.default_domain
is specified), specify multiple port numbers, delimited by commas. Make sure that the number of ports is the same
as the number of host names or IP addresses specified in host.
Default value: 389 (when the global catalog is disabled), 3268 (when the global catalog is enabled)
auth.ldap.auth.server.name-property-value.timeout
Specify the amount of time to wait before timing out when connecting to the LDAP directory server. If you specify 0, the system
waits until a communication error occurs without timing out.
Default value: 15
auth.ldap.auth.server.name-property-value.attr
Specify the attribute (Attribute Type) to use as the user ID during authentication.
Specify the name of the attribute containing the unique value to use for identifying the user. The value stored in this
attribute will be used as the user ID for Analyzer server. The specified attribute must not include characters that cannot
be used in a user ID of the Analyzer server.
For example, if you are using Active Directory and you want to use the Windows logon ID for the user ID of an Analyzer
server, specify the attribute name sAMAccountName in which the Windows logon ID has been defined.
For example, if the user's DN is uid=John,ou=People,dc=example,dc=com, specify uid, which is the attribute name
in uid=John.
sAMAccountName has been set as the initial value. This attribute is required.
auth.ldap.auth.server.name-property-value.basedn
Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information
on the LDAP directory server. The user entries that are located in the hierarchy below this DN will be checked during
authentication. If characters that must be escaped are included in the specified BaseDN, escape all of those characters
correctly because the specified value will be passed to the LDAP directory server without change.
Specify the DN of the hierarchy that includes all of the user entries to be searched.
Specify the DN of the hierarchy just above the user entries to be searched.
This attribute is required. Specify the DN by following the rules defined in RFC4514. For example, if any of the following
characters are included in a DN, you must use a backslash (\) to escape each character.
auth.ldap.auth.server.name-property-value.retry.interval
Specify the retry interval (in seconds) for when an attempt to connect to the LDAP directory server fails.
Specifiable values: 1 to 60 (seconds)
Default value: 1
auth.ldap.auth.server.name-property-value.retry.times
Specify the number of retries to attempt when an attempt to connect to the LDAP directory server fails. If you specify 0, no
retries are attempted.
Specifiable values: 0 to 50
Default value: 20
auth.ldap.auth.server.name-property-value.domain
Specify the name of a domain for multi-domain configurations managed by the LDAP directory server, or the domain name for
the global catalog.
If you log on by using a user ID that includes the domain name specified in this attribute, the LDAP directory server that
belongs to the specified domain will be used as the authentication server.
When specifying a domain name for the server identification name of each LDAP directory server, do not specify the same
domain name more than once. This value is not case sensitive.
If the global catalog is enabled, be sure to specify the domain name that is specified in auth.ldap.default_domain as the
default server configuration to use for authentication.
auth.ldap.auth.server.name-property-value.dns_lookup
Specify whether to use the DNS server to look up the information about the LDAP directory server. Specify false (do not look
up the information).
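The rules stated for these properties (required attributes, STARTTLS host names, matching host and port counts, retry ranges, unique domains) can be checked mechanically before the file is put in place. The following Python linter is an added example, not part of the guide or the product; the server names SiteA and SiteB, the hosts and the domains are constructed placeholders, and the reader handles only plain key=value lines.

```python
import ipaddress
import re

NAME_OK = re.compile(r"[A-Za-z0-9!#()+\-.=@\[\]^_{}~]+")  # allowed in server names

# Constructed samples: WEAK has deliberate mistakes, FIXED is a corrected server.
WEAK = """\
auth.server.type=ldap
auth.server.name=SiteA,SiteB
auth.ocsp.enable=false
auth.ldap.SiteA.protocol=tls
auth.ldap.SiteA.host=192.0.2.10
auth.ldap.SiteA.attr=sAMAccountName
auth.ldap.SiteA.basedn=dc=a,dc=example,dc=com
auth.ldap.SiteA.domain=A.Example.com
auth.ldap.SiteA.retry.interval=90
auth.ldap.SiteB.protocol=ldap
auth.ldap.SiteB.host=dc1.example.com,dc2.example.com
auth.ldap.SiteB.port=389
auth.ldap.SiteB.attr=sAMAccountName
auth.ldap.SiteB.basedn=dc=b,dc=example,dc=com
auth.ldap.SiteB.domain=a.example.com
"""

FIXED = """\
auth.server.type=ldap
auth.server.name=SiteA
auth.ocsp.enable=true
auth.ldap.SiteA.protocol=tls
auth.ldap.SiteA.host=dc1.a.example.com
auth.ldap.SiteA.attr=sAMAccountName
auth.ldap.SiteA.basedn=dc=a,dc=example,dc=com
"""

def parse_properties(text):
    """Minimal key=value reader; skips blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))  # IPv6 is written in [ ]
        return True
    except ValueError:
        return False

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def lint(text):
    """Return (level, scope, message) findings for rules stated in the guide."""
    p, out = parse_properties(text), []
    if p.get("auth.server.type") != "ldap":
        out.append(("ERROR", "global", "auth.server.type must be ldap"))
    names = split_list(p.get("auth.server.name", ""))
    if not names or len(set(names)) != len(names):
        out.append(("ERROR", "global", "auth.server.name must list unique names"))
    ocsp_on, domains = p.get("auth.ocsp.enable") == "true", {}
    for name in names:
        get = lambda key: p.get(f"auth.ldap.{name}.{key}", "")
        if not NAME_OK.fullmatch(name):
            out.append(("ERROR", name, "invalid character in server name"))
        for key in ("protocol", "attr", "basedn"):
            if not get(key):
                out.append(("ERROR", name, f"{key} is required"))
        hosts, ports = split_list(get("host")), split_list(get("port"))
        if not hosts and get("dns_lookup") != "true":
            out.append(("ERROR", name, "host is required without DNS lookup"))
        if ports and len(ports) != len(hosts):
            out.append(("ERROR", name, "port count differs from host count"))
        proto = get("protocol")
        if proto == "ldap":
            out.append(("WARN", name, "cleartext LDAP: traffic is unencrypted"))
        elif proto == "tls":
            if not hosts or any(is_ip(h) for h in hosts):
                out.append(("ERROR", name, "STARTTLS needs a host name that matches the certificate CN"))
            if not ocsp_on:
                out.append(("WARN", name, "auth.ocsp.enable is not true: no OCSP check"))
        elif proto:
            out.append(("ERROR", name, "protocol must be ldap or tls"))
        for key, low, high in (("retry.interval", 1, 60), ("retry.times", 0, 50)):
            value = get(key)
            if value and not (value.isdigit() and low <= int(value) <= high):
                out.append(("ERROR", name, f"{key} must be {low} to {high}"))
        dom = get("domain").lower()  # domain names are not case sensitive
        if dom and dom in domains:
            out.append(("ERROR", name, f"domain already used by {domains[dom]}"))
        domains.setdefault(dom, name)
    return out

if __name__ == "__main__":
    print(lint(WEAK), lint(FIXED), sep="\n")
```

A clean result only means the file is consistent with these rules; run hcmds64checkauth afterwards to confirm that the connection itself works.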
To use an LDAP directory server as an external authorization server by obtaining the LDAP directory information from the DNS server, specify the settings in the exauth.properties
file as shown in the following table.
auth.server.type
Specify an external authentication server type. Specify ldap.
auth.server.name
Specify the server identification names of LDAP directory servers. You can specify any name for this property in order to
identify which LDAP directory servers the settings such as the port number and the protocol for connecting to the LDAP
directory server are applied to. ServerName has been set as the initial value. This attribute is required.
A to Z
a to z
0 to 9
! # ( ) + - . = @ [ ] ^ _ { } ~
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify false (do not connect).
auth.ldap.auth.server.name-property-value.protocol
Specify the protocol for connecting to the LDAP directory server. This attribute is required.
auth.ldap.auth.server.name-property-value.timeout
Specify the amount of time to wait before timing out when connecting to the LDAP directory server. If you specify 0, the system
waits until a communication error occurs without timing out.
Default value: 15
auth.ldap.auth.server.name-property-value.attr
Specify the attribute (Attribute Type) to use as the user ID during authentication.
Specify the name of the attribute containing the unique value to use for identifying the user. The value stored in this
attribute will be used as the user ID for Analyzer server. The specified attribute must not include characters that cannot
be used in a user ID of the Analyzer server.
For example, if you are using Active Directory and you want to use the Windows logon ID for the user ID of an Analyzer
server, specify the attribute name sAMAccountName in which the Windows logon ID has been defined.
For example, if the user's DN is uid=John,ou=People,dc=example,dc=com, specify uid, which is the attribute name
in uid=John.
sAMAccountName has been set as the initial value. This attribute is required.
auth.ldap.auth.server.name-property-value.basedn
Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information
on the LDAP directory server. The user entries that are located in the hierarchy below this DN will be checked during
authentication. If characters that must be escaped are included in the specified BaseDN, escape all of those characters
correctly because the specified value will be passed to the LDAP directory server without change.
Specify the DN of the hierarchy that includes all of the user entries to be searched.
Specify the DN of the hierarchy just above the user entries to be searched.
This attribute is required. Specify the DN by following the rules defined in RFC4514. For example, if any of the following
characters are included in a DN, you must use a backslash (\) to escape each character.
auth.ldap.auth.server.name-property-value.retry.interval
Specify the retry interval (in seconds) for when an attempt to connect to the LDAP directory server fails.
Default value: 1
auth.ldap.auth.server.name-property-value.retry.times
Specify the number of retries to attempt when an attempt to connect to the LDAP directory server fails. If you specify 0, no
retries are attempted.
Specifiable values: 0 to 50
Default value: 20
auth.ldap.auth.server.name-property-value.domain.name
Specify the name of a domain managed by the LDAP directory server. This attribute is required.
auth.ldap.auth.server.name-property-value.dns_lookup
Specify whether to use the DNS server to look up the information about the LDAP directory server. Specify true (look up the
information).
However, if the following attribute values are already set, the LDAP directory server will be connected to by using the user-
specified values instead of by using the DNS server to look up the information.
auth.ldap.auth.server.name-property-value.host
auth.ldap.auth.server.name-property-value.port
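Because the basedn value is passed to the LDAP directory server without change, an unescaped special character changes how the DN is split into RDNs. The following Python code is an added example, not code from the guide: it escapes attribute values with the character set defined in RFC 4514 and flags a BaseDN that does not split into attr=value RDNs; the function names and the sample DNs are constructed.

```python
import re

# Characters RFC 4514 requires to be escaped wherever they occur in a value.
SPECIAL = '"+,;<>\\'

def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN string (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")            # NUL is written as a hex pair
        elif ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")             # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")             # leading number sign
        else:
            out.append(ch)
    return "".join(out)

def build_dn(rdns):
    """rdns: (attribute type, raw value) pairs, most specific first."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)

def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])       # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def basedn_problems(dn):
    """Return findings for a BaseDN that is not a sequence of attr=value RDNs."""
    problems = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        # Drop valid escapes (\XX hex pair or \char); what is left must be plain.
        plain = re.sub(r"\\(?:[0-9A-Fa-f]{2}|.)", "", value)
        if not sep or not attr.strip() or not value:
            problems.append(f"not attr=value: {rdn!r}")
        elif any(c in plain for c in '";<>\\'):
            problems.append(f"unescaped special character in {rdn!r}")
    return problems

# Constructed inputs: an OU whose name contains a comma.
RAW = [("ou", "Sales, EMEA"), ("dc", "example"), ("dc", "com")]
UNESCAPED = "ou=Sales, EMEA,dc=example,dc=com"

if __name__ == "__main__":
    print(build_dn(RAW))                   # escaped form for the basedn attribute
    print(basedn_problems(UNESCAPED))      # the stray " EMEA" RDN is reported
    print(basedn_problems(build_dn(RAW)))  # no findings
```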
Settings for connecting directly to an LDAP directory server and an authorization server
To use an LDAP directory server as both an external authentication server and an external authorization server by directly specifying the LDAP directory information in the
exauth.properties file, specify the settings in the exauth.properties file as shown in the following table.
Property names Details
auth.server.type
Specify an external authentication server type. Specify ldap.
auth.server.name
Specify the server identification names of LDAP directory servers. You can specify any name for this property in order to
identify which LDAP directory servers the settings such as the port number and the protocol for connecting to the LDAP
directory server are applied to. ServerName has been set as the initial value. You must specify at least one name. To specify
multiple server identification names, delimit the server identification names by using commas (,). Do not register the same
server identification name more than once.
A to Z
a to z
0 to 9
! # ( ) + - . = @ [ ] ^ _ { } ~
auth.ldap.multi_domain
When specifying multiple server identification names for LDAP directory servers, specify the configuration to use for each
server.
auth.ldap.default_domain
Specify settings for the Active Directory global catalog. Specify the domain name of the default server configuration to use for
authentication when no domain name is specified in the logon ID. If you specify multiple servers in auth.server.name, a
multi-domain configuration will be used, and a redundant configuration will not be used.
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify true (connect).
auth.ocsp.enable
Specify whether or not to verify the validity of an LDAP directory server electronic signature certificate by using an OCSP
responder when the LDAP directory server and STARTTLS are used for communication.
If you want to verify the validity of certificates, specify true. To not verify the validity of certificates, specify false.
auth.ocsp.responderURL
Specify the URL of an OCSP responder if you want to use an OCSP responder that is not the one written in the AIA field of the
electronic signature certificate to verify the validity of the electronic signature certificate. If this value is omitted, the OCSP
responder written in the AIA field is used.
auth.ldap.auth.server.name-property-value.protocol
Specify the protocol for connecting to the LDAP directory server. This attribute is required.
When communicating in cleartext, specify ldap. When using STARTTLS communication, specify tls.
Before specifying tls, you must specify the security settings of Common component. In addition, make sure that one of the
following encryption methods can be used on the LDAP directory server:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
auth.ldap.auth.server.name-property-value.host
Specify the host name or IP address of the LDAP directory server. If you specify the host name, make sure beforehand that the
host name can be resolved to an IP address. If you specify the IP address, you can use either an IPv4 or IPv6 address. When
specifying an IPv6 address, enclose it in square brackets ([ ]). This attribute is required.
To use a redundant configuration when the global catalog is enabled (auth.ldap.default_domain is specified), specify
multiple host names or IP addresses, delimited by commas.
When using STARTTLS as the protocol for connecting to the LDAP directory server, in the host attribute specify the same host
name as the value of CN in the LDAP directory server certificate. You cannot use an IP address.
auth.ldap.auth.server.name-property-value.port
Specify the port number of the LDAP directory server. Make sure beforehand that the port you specify is set as the listen port
number on the LDAP directory server. To use a redundant configuration when the global catalog is enabled (auth.ldap.default_domain
is specified), specify multiple port numbers, delimited by commas. Make sure that the number of ports is the same
as the number of host names or IP addresses specified in host.
Default value: 389 (when the global catalog is disabled), 3268 (when the global catalog is enabled)
auth.ldap.auth.server.name-property-value.timeout
Specify the amount of time to wait before timing out when connecting to the LDAP directory server. If you specify 0, the system
waits until a communication error occurs without timing out.
Default value: 15
auth.ldap.auth.server.name-property-value.attr
Specify the attribute (Attribute Type) to use as the user ID during authentication.
Specify the name of the attribute containing the unique value to use for identifying the user. The value stored in this
attribute will be used as the user ID for Analyzer server. The specified attribute must not include characters that cannot
be used in a user ID of the Analyzer server.
For example, if you are using Active Directory and you want to use the Windows logon ID for the user ID of an Analyzer
server, specify the attribute name sAMAccountName in which the Windows logon ID has been defined.
For example, if the user's DN is uid=John,ou=People,dc=example,dc=com, specify uid, which is the attribute name
in uid=John.
sAMAccountName has been set as the initial value. This attribute is required.
auth.ldap.auth.server.name-property-value.basedn
Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information
on the LDAP directory server. The user entries that are located in the hierarchy below this DN will be checked during
authentication. If characters that must be escaped are included in the specified BaseDN, escape all of those characters
correctly because the specified value will be passed to the LDAP directory server without change.
Specify the DN of the hierarchy that includes all of the user entries to be searched.
Specify the DN of the hierarchy just above the user entries to be searched.
This attribute is required. Specify the DN by following the rules defined in RFC4514. For example, if any of the following
characters are included in a DN, you must use a backslash (\) to escape each character.
auth.ldap.auth.server.name-property-value.retry.interval
Specify the retry interval (in seconds) for when an attempt to connect to the LDAP directory server fails.
Default value: 1
auth.ldap.auth.server.name-property-value.retry.times
Specify the number of retries to attempt when an attempt to connect to the LDAP directory server fails. If you specify 0, no
retries are attempted.
Specifiable values: 0 to 50
Default value: 20
auth.ldap.auth.server.name-property-value.domain.name
Specify the name of a domain managed by the LDAP directory server. This attribute is required.
Default value: none
auth.ldap.auth.server.name-property-value.domain
Specify the name of a domain for multi-domain configurations managed by the LDAP directory server, or the domain name for
the global catalog.
If you log on by using a user ID that includes the domain name specified in this attribute, the LDAP directory server that
belongs to the specified domain will be used as the authentication server.
When specifying a domain name for the server identification name of each LDAP directory server, do not specify the same
domain name more than once. This value is not case sensitive.
If the global catalog is enabled, be sure to specify the domain name that is specified in auth.ldap.default_domain as the
default server configuration to use for authentication.
auth.ldap.auth.server.name-property-value.dns_lookup
Specify whether to use the DNS server to look up the information about the LDAP directory server. Specify false (do not look
up the information).
Settings for using DNS to connect to an LDAP directory server and an authorization server
To use an LDAP directory server as both an external authentication server and an external authorization server by obtaining the LDAP directory information from the DNS server,
specify the settings in the exauth.properties file as shown in the following table.
auth.server.type
Specify an external authentication server type. Specify ldap.
auth.server.name
Specify the server identification names of LDAP directory servers. You can specify any name for this property in order to
identify which LDAP directory servers the settings such as the port number and the protocol for connecting to the LDAP
directory server are applied to. ServerName has been set as the initial value. This attribute is required.
A to Z
a to z
0 to 9
! # ( ) + - . = @ [ ] ^ _ { } ~
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify true (connect).
auth.ldap.auth.server.name-property-value.protocol
Specify the protocol for connecting to the LDAP directory server. This attribute is required.
auth.ldap.auth.server.name-property-value.timeout
Specify the amount of time to wait before timing out when connecting to the LDAP directory server. If you specify 0, the system
waits until a communication error occurs without timing out.
Default value: 15
auth.ldap.auth.server.name-property-value.attr
Specify the attribute (Attribute Type) to use as the user ID during authentication.
Specify the name of the attribute containing the unique value to use for identifying the user. The value stored in this
attribute will be used as the user ID for Analyzer server. The specified attribute must not include characters that cannot
be used in a user ID of the Analyzer server.
For example, if you are using Active Directory and you want to use the Windows logon ID for the user ID of an Analyzer
server, specify the attribute name sAMAccountName in which the Windows logon ID has been defined.
For example, if the user's DN is uid=John,ou=People,dc=example,dc=com, specify uid, which is the attribute name
in uid=John.
sAMAccountName has been set as the initial value. This attribute is required.
auth.ldap.auth.server.name-property-value.basedn
Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information
on the LDAP directory server. The user entries that are located in the hierarchy below this DN will be checked during
authentication. If characters that must be escaped are included in the specified BaseDN, escape all of those characters
correctly because the specified value will be passed to the LDAP directory server without change.
Specify the DN of the hierarchy that includes all of the user entries to be searched.
Specify the DN of the hierarchy just above the user entries to be searched.
This attribute is required. Specify the DN by following the rules defined in RFC4514. For example, if any of the following
characters are included in a DN, you must use a backslash (\) to escape each character.
auth.ldap.auth.server.name-property-value.retry.interval
Specify the retry interval (in seconds) for when an attempt to connect to the LDAP directory server fails.
Default value: 1
auth.ldap.auth.server.name-property-value.retry.times
Specify the number of retries to attempt when an attempt to connect to the LDAP directory server fails. If you specify 0, no
retries are attempted.
Specifiable values: 0 to 50
Default value: 20
auth.ldap.auth.server.name-property-value.domain.name
Specify the name of a domain managed by the LDAP directory server. This attribute is required.
auth.ldap.auth.server.name-property-value.dns_lookup
Specify whether to use the DNS server to look up the information about the LDAP directory server. Specify true (look up the
information).
However, if the following attribute values are already set, the LDAP directory server will be connected to by using the user-
specified values instead of by using the DNS server to look up the information.
auth.ldap.auth.server.name-property-value.host
auth.ldap.auth.server.name-property-value.port
Examples of specifying settings in the exauth.properties file to use an LDAP directory server for authentication
Examples of how to set the exauth.properties file when using an LDAP directory server to perform authentication are provided below.
When directly specifying information about an LDAP directory server (when connecting to only an external authentication server):
auth.server.type=ldap
auth.server.name=ServerName
auth.group.mapping=false
auth.ocsp.enable=false
auth.ocsp.responderURL=
auth.ldap.ServerName.protocol=ldap
auth.ldap.ServerName.host=ldap.example.com
auth.ldap.ServerName.port=389
auth.ldap.ServerName.timeout=15
auth.ldap.ServerName.attr=sAMAccountName
auth.ldap.ServerName.basedn=dc=Example,dc=com
auth.ldap.ServerName.retry.interval=1
auth.ldap.ServerName.retry.times=20
auth.ldap.ServerName.dns_lookup=false
When using the DNS server to look up an LDAP directory server (when connecting to only an external authentication server):
auth.server.type=ldap
auth.server.name=ServerName
auth.group.mapping=false
auth.ldap.ServerName.protocol=ldap
auth.ldap.ServerName.timeout=15
auth.ldap.ServerName.attr=sAMAccountName
auth.ldap.ServerName.basedn=dc=Example,dc=com
auth.ldap.ServerName.retry.interval=1
auth.ldap.ServerName.retry.times=20
auth.ldap.ServerName.domain.name=EXAMPLE.COM
auth.ldap.ServerName.dns_lookup=true
When directly specifying information about the LDAP directory server (when also connecting to an authorization server):
auth.server.type=ldap
auth.server.name=ServerName
auth.group.mapping=true
auth.ocsp.enable=false
auth.ocsp.responderURL=
auth.ldap.ServerName.protocol=ldap
auth.ldap.ServerName.host=ldap.example.com
auth.ldap.ServerName.port=389
auth.ldap.ServerName.timeout=15
auth.ldap.ServerName.attr=sAMAccountName
auth.ldap.ServerName.basedn=dc=Example,dc=com
auth.ldap.ServerName.retry.interval=1
auth.ldap.ServerName.retry.times=20
auth.ldap.ServerName.domain.name=EXAMPLE.COM
auth.ldap.ServerName.dns_lookup=false
When using the DNS server to look up the LDAP directory server (when also connecting to an authorization server):
auth.server.type=ldap
auth.server.name=ServerName
auth.group.mapping=true
auth.ldap.ServerName.protocol=ldap
auth.ldap.ServerName.timeout=15
auth.ldap.ServerName.attr=sAMAccountName
auth.ldap.ServerName.basedn=dc=Example,dc=com
auth.ldap.ServerName.retry.interval=1
auth.ldap.ServerName.retry.times=20
auth.ldap.ServerName.domain.name=EXAMPLE.COM
auth.ldap.ServerName.dns_lookup=true
auth.server.type=ldap
auth.server.name=ServerName1,ServerName2
auth.ldap.multi_domain=false
auth.group.mapping=false
auth.ldap.ServerName1.protocol=ldap
auth.ldap.ServerName1.host=ldap1.example.com
auth.ldap.ServerName1.port=389
auth.ldap.ServerName1.timeout=15
auth.ldap.ServerName1.attr=sAMAccountName
auth.ldap.ServerName1.basedn=dc=Example,dc=com
auth.ldap.ServerName1.retry.interval=1
auth.ldap.ServerName1.retry.times=20
auth.ldap.ServerName2.protocol=ldap
auth.ldap.ServerName2.host=ldap2.example.com
auth.ldap.ServerName2.port=389
auth.ldap.ServerName2.timeout=15
auth.ldap.ServerName2.attr=sAMAccountName
auth.ldap.ServerName2.basedn=dc=Example,dc=net
auth.ldap.ServerName2.retry.interval=1
auth.ldap.ServerName2.retry.times=20
auth.server.type=ldap
auth.server.name=ServerName1,ServerName2
auth.ldap.multi_domain=true
auth.group.mapping=false
auth.ldap.ServerName1.protocol=ldap
auth.ldap.ServerName1.host=ldap1.example.com
auth.ldap.ServerName1.port=389
auth.ldap.ServerName1.timeout=15
auth.ldap.ServerName1.attr=sAMAccountName
auth.ldap.ServerName1.basedn=dc=Example,dc=com
auth.ldap.ServerName1.retry.interval=1
auth.ldap.ServerName1.retry.times=20
auth.ldap.ServerName1.domain=example.com
auth.ldap.ServerName2.protocol=ldap
auth.ldap.ServerName2.host=ldap2.example.com
auth.ldap.ServerName2.port=389
auth.ldap.ServerName2.timeout=15
auth.ldap.ServerName2.attr=sAMAccountName
auth.ldap.ServerName2.basedn=dc=Example,dc=net
auth.ldap.ServerName2.retry.interval=1
auth.ldap.ServerName2.retry.times=20
auth.ldap.ServerName2.domain=example.net
auth.server.type=ldap
auth.server.name=ServerName1,ServerName2
auth.ldap.default_domain=example.com
auth.ldap.ServerName1.protocol=ldap
auth.ldap.ServerName1.host=ldap.example1.com,ldap.example2.com
auth.ldap.ServerName1.port=3268,3268
auth.ldap.ServerName1.timeout=15
auth.ldap.ServerName1.attr=sAMAccountName
auth.ldap.ServerName1.basedn=dc=Example,dc=com
auth.ldap.ServerName1.retry.interval=1
auth.ldap.ServerName1.retry.times=20
auth.ldap.ServerName1.domain=example.com
auth.ldap.ServerName2.protocol=ldap
auth.ldap.ServerName2.host=ldap.example1.com,ldap.example2.com
auth.ldap.ServerName2.port=3268,3268
auth.ldap.ServerName2.timeout=15
auth.ldap.ServerName2.attr=sAMAccountName
auth.ldap.ServerName2.basedn=dc=Example,dc=net
auth.ldap.ServerName2.retry.interval=1
auth.ldap.ServerName2.retry.times=20
auth.ldap.ServerName2.domain=example.net
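A lint pass over the exauth.properties rules described above for LDAP authentication (required attributes, the retry.times range, domain.name when dns_lookup or auth.group.mapping is true, unique domain values, STARTTLS needing directly specified servers), as an added example that is not Hitachi's code or part of the original guide. The names parse_properties, is_ip and lint_ldap and the BROKEN sample are hypothetical. It assumes that auth.ldap.*.protocol accepts tls as auth.group.*.protocol does, that the certificate-CN host rule also applies to auth.ldap.*.host, and that host is required when dns_lookup is not true.

```python
import ipaddress
import re

# Characters the page lists as valid in a server identification name.
NAME_RE = re.compile(r"^[A-Za-z0-9!#()+\-.=@\[\]^_{}~]+$")


def parse_properties(text):
    """Parse key=value lines, splitting on the first '=' (a basedn contains '=')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))  # IPv6 is written inside [ ]
        return True
    except ValueError:
        return False


def lint_ldap(text):
    """Return (level, message) findings for an auth.server.type=ldap file."""
    p = parse_properties(text)
    if p.get("auth.server.type") != "ldap":
        return [("error", "auth.server.type must be ldap")]
    names = [n.strip() for n in p.get("auth.server.name", "").split(",") if n.strip()]
    out = []
    if not names:
        out.append(("error", "auth.server.name is required"))
    if len(set(names)) != len(names):
        out.append(("error", "server identification name listed twice"))
    mapping, multi = p.get("auth.group.mapping") == "true", p.get("auth.ldap.multi_domain") == "true"
    domains = []
    for name in dict.fromkeys(names):  # de-duplicated, order kept
        def get(key, name=name):
            return p.get(f"auth.ldap.{name}.{key}", "")
        proto, times = get("protocol"), get("retry.times")
        tls, dns = proto == "tls", get("dns_lookup") == "true"
        hosts = [h.strip() for h in get("host").split(",") if h.strip()]
        checks = [(not get(k), "error", f"{k} is required") for k in ("protocol", "attr", "basedn")]
        # Assumed for auth.ldap (see lead-in): tls as a value, the CN/IP rule, host required.
        checks += [
            (not NAME_RE.match(name), "error", "invalid character in server name"),
            (proto == "ldap", "warn", "protocol=ldap is cleartext; tls selects STARTTLS"),
            (tls and dns, "error", "STARTTLS needs a direct host, not dns_lookup"),
            (tls and any(map(is_ip, hosts)), "error", "STARTTLS host must be the cert CN, not an IP"),
            (dns and hosts and get("port"), "warn", "host/port set, so the DNS lookup is skipped"),
            (not dns and not hosts, "error", "host is required without dns_lookup"),
            ((dns or mapping) and not get("domain.name"), "error", "domain.name is required"),
            (times and not (times.isdecimal() and int(times) <= 50), "error",
             "retry.times must be 0 to 50"),
            (multi and not get("domain"), "warn", "no domain set for multi_domain=true"),
        ]
        out += [(level, f"{name}: {msg}") for cond, level, msg in checks if cond]
        domains.append(get("domain").lower())  # domain is not case sensitive
    dupes = sorted({d for d in domains if d and domains.count(d) > 1})
    if multi and dupes:
        out.append(("error", f"domain listed for more than one server: {dupes}"))
    return out


# Abridged from the page's first example (direct connection, authentication only).
PAGE_EXAMPLE = """\
auth.server.type=ldap
auth.server.name=ServerName
auth.ldap.ServerName.protocol=ldap
auth.ldap.ServerName.host=ldap.example.com
auth.ldap.ServerName.port=389
auth.ldap.ServerName.attr=sAMAccountName
auth.ldap.ServerName.basedn=dc=Example,dc=com
auth.ldap.ServerName.dns_lookup=false
"""

# Constructed input with deliberate mistakes, for illustration only.
BROKEN = """\
auth.server.type=ldap
auth.server.name=DC1,DC2
auth.ldap.multi_domain=true
auth.ldap.DC1.protocol=tls
auth.ldap.DC1.attr=sAMAccountName
auth.ldap.DC1.basedn=dc=Example,dc=com
auth.ldap.DC1.retry.times=51
auth.ldap.DC1.domain=example.com
auth.ldap.DC1.dns_lookup=true
auth.ldap.DC2.protocol=tls
auth.ldap.DC2.host=192.0.2.10
auth.ldap.DC2.attr=sAMAccountName
auth.ldap.DC2.basedn=dc=Example,dc=net
auth.ldap.DC2.domain=EXAMPLE.COM
"""

if __name__ == "__main__":
    print(*(f"{lvl}: {msg}" for lvl, msg in lint_ldap(BROKEN)), sep="\n")
```

Every example on this page uses protocol=ldap, so each of them produces the cleartext warning; hcmds64checkauth remains the check that the servers are actually reachable.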
To use RADIUS authentication for the Analyzer server, you must configure the following settings.
The workflow for connecting to the RADIUS server varies depending on whether only an external authentication server is used or both an external authentication server and an
external authorization server (LDAP directory server) are used.
The following figure shows the workflow for connecting to the RADIUS server.
Note: To use STARTTLS to communicate between the LDAP directory server and the Analyzer server, you must set up an environment specifically for this purpose to ensure secure
communications.
On the RADIUS server, create a user account for the Analyzer server. To use an external authorization server (LDAP directory server), check the configuration details of the LDAP
directory server, and then create an LDAP search user account.
On the RADIUS server, you must create user accounts (user IDs and passwords) to use on the Analyzer server.
For details about how to create user accounts on the RADIUS server, see the documentation of the RADIUS server.
A to Z
a to z
0 to 9
! # $ % & ' ( ) * + - . = @ \ ^ _ |
In Analyzer server, user IDs are not case-sensitive. The combination of character types for passwords must follow the settings in the external authentication server.
To use the LDAP directory server as an external authorization server, you must configure the LDAP directory server.
For details about how to configure the LDAP directory server, see the following descriptions:
Check the BaseDN for the LDAP directory server. You will need the BaseDN information when you edit the exauth.properties file of the Analyzer server.
On the LDAP directory server, create an LDAP search user account. This user account is necessary when the Analyzer server connects to the LDAP directory server to
acquire user information and other information.
To connect to the RADIUS server, you must perform the following operations on the Analyzer server.
If you also want to connect to an external authorization server (an LDAP directory server), check the following requirements.
Create a user account on the LDAP directory server for searching for user information.
Check the following information. This information is necessary for editing the file exauth.properties.
Method for connecting to the LDAP directory server
The properties to be specified depend on whether information about the LDAP directory server is to be directly specified, or whether information about the connection-
destination LDAP directory server is to be obtained from the DNS server.
Machine information about the LDAP directory server (Host name or IP address, Port number)
BaseDN
Domain name for external authorization servers managed by the LDAP directory server
Common-component-installation-directory/sample/conf/exauth.properties
Common-component-installation-directory/conf
d. If the values of the property auth.ocsp.enable or the property auth.ocsp.responderURL have been changed, restart the Analyzer server service.
2. If a connection also needs to be established with an external authorization server (an LDAP directory server), register on the Analyzer server a user account to use for
retrieving user information.
a. Run the hcmds64ldapuser command to register the LDAP search user account.
b. To view a list of LDAP directory servers for which LDAP search user accounts are registered, run the following command.
Common-component-installation-directory/bin/hcmds64ldapuser -list
Tip:
To delete the LDAP search user account from the Analyzer server, run the hcmds64ldapuser command with the delete option.
3. Register to the Analyzer server a shared secret for communicating with the RADIUS server.
a. Use the hcmds64radiussecret command to register the shared secret of the RADIUS server. When you run the command, enter the shared secret in response to the
prompt.
b. You can use the following command to list RADIUS servers for which shared secrets are registered:
Common-component-installation-directory/bin/hcmds64radiussecret -list
Tip:
To delete shared secrets that have been registered to the Analyzer server, run the hcmds64radiussecret command with the delete option specified.
4. Run the hcmds64checkauth command to confirm whether connections to the external authentication server and the external authorization server can be established properly.
Common-component-installation-directory/bin/hcmds64checkauth [-summary]
Make sure that the user ID is the same as the user ID that was created on the external authentication server.
When a RADIUS server is configured for external user authentication and an LDAP directory server is configured for authorization:
For details about how to perform these operations on the web client, see the Hitachi Ops Center Analyzer User Guide.
Note:
If you are using both an external authentication server and an external authorization server, and the user ID created on the external authentication server is registered on the
Analyzer server, the user account is authenticated internally by the Analyzer server.
If the current configuration uses only an external authentication server and you want to use both an external authentication server and an external authorization server, you
must remove the user ID that was created with the same name on the Analyzer server.
In the exauth.properties file, set the type of the external authentication server to use, the server identification name, and the machine information about the external authentication
server.
Items to be configured in the exauth.properties file differ depending on the RADIUS server environment. Use the following table to check the configuration items corresponding to
your RADIUS server environment.
Note:
Be sure to distinguish between uppercase and lowercase letters for property settings.
To use STARTTLS for communication between the Analyzer server and the LDAP directory server, you must directly specify information about the LDAP directory server in
the exauth.properties file.
If you use a DNS server to look up the LDAP directory server to connect to, it might take longer for users to log on.
To use a RADIUS server as an external authentication server, specify the settings in the exauth.properties file as shown in the following table.
auth.server.type
Specify an external authentication server type. Specify radius.
auth.server.name
Specify the server identification names of RADIUS servers. You can specify any name for this property in order to identify
which RADIUS servers the settings such as the port number and the protocol for connecting to the RADIUS server are applied
to. ServerName has been set as the initial value. You must specify at least one name. When configuring a redundant
configuration, separate the server identification name of each server with a comma (,). Do not register the same server
identification name more than once.
A to Z
a to z
0 to 9
! # ( ) + - . = @ [ ] ^ _ { } ~
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify false (do not connect).
auth.radius.auth.server.name-property-value.protocol
Specify the protocol for RADIUS server authentication. This attribute is required.
auth.radius.auth.server.name-property-value.host
Specify the host name or IP address of the RADIUS server. If you specify the host name, make sure beforehand that the host
name can be resolved to an IP address. If you specify the IP address, you can use either an IPv4 or IPv6 address. To specify
an IPv6 address, enclose it in square brackets ([ ]). This attribute is required.
To connect to an external authorization server (LDAP directory server) that is running on the same computer and to use
STARTTLS as the protocol for connecting to the LDAP directory server, in the host attribute, specify the same host name as
the value of CN in the LDAP directory server certificate. You cannot use an IP address.
auth.radius.auth.server.name-property-value.port
Specify the port number for RADIUS server authentication. Make sure beforehand that the port you specify is set as the listen
port number on the RADIUS server.
auth.radius.auth.server.name-property-value.timeout
Specify the amount of time to wait before timing out when connecting to the RADIUS server.
Default value: 1
auth.radius.auth.server.name-property-value.retry.times
Specify the number of retries to attempt when an attempt to connect to the RADIUS server fails. If you specify 0, no retries are
attempted.
Specifiable values: 0 to 50
Default value: 3
auth.radius.auth.server.name-property-value.attr.NAS-IP-Address
Specify the IPv4 address of the Analyzer server. The RADIUS server uses this attribute value to identify the Analyzer server.
You must specify exactly one of the following: attr.NAS-IP-Address, attr.NAS-IPv6-Address, or attr.NAS-Identifier.
auth.radius.auth.server.name-property-value.attr.NAS-IPv6-Address
Specify the IPv6 address of the Analyzer server. The RADIUS server uses this attribute value to identify the Analyzer server.
Enclose the IPv6 address in square brackets ([ ]).
You must specify exactly one of the following: attr.NAS-IP-Address, attr.NAS-IPv6-Address, or attr.NAS-Identifier.
auth.radius.auth.server.name-property-value.attr.NAS-Identifier
Specify the host name of the Analyzer server. The RADIUS server uses this attribute value to identify the Analyzer server. The
host name of the Analyzer server has been set as the initial value.
You must specify exactly one of the following: attr.NAS-IP-Address, attr.NAS-IPv6-Address, or attr.NAS-Identifier.
Specifiable values: Specify no more than 253 bytes of the following characters:
A to Z
a to z
0 to 9
To use a RADIUS server as an external authentication server and to use an LDAP directory server as an external authorization server by directly specifying the LDAP directory
information in the exauth.properties file, specify the settings in the exauth.properties file as shown in the following table.
auth.server.type
Specify an external authentication server type. Specify radius.
auth.server.name
Specify the server identification names of RADIUS servers. You can specify any name for this property in order to identify
which RADIUS servers the settings such as the port number and the protocol for connecting to the RADIUS server are applied
to. ServerName has been set as the initial value. You must specify at least one name. When configuring a redundant
configuration, separate the server identification name of each server with a comma (,). Do not register the same server
identification name more than once.
A to Z
a to z
0 to 9
! # ( ) + - . = @ [ ] ^ _ { } ~
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify true (connect).
auth.ocsp.enable
Specify whether or not to verify the validity of an LDAP directory server electronic signature certificate by using an OCSP
responder when the LDAP directory server and STARTTLS are used for communication.
If you want to verify the validity of certificates, specify true. To not verify the validity of certificates, specify false.
auth.ocsp.responderURL
Specify the URL of an OCSP responder if you want to use an OCSP responder that is not the one written in the AIA field of the
electronic signature certificate to verify the validity of the electronic signature certificate. If this value is omitted, the OCSP
responder written in the AIA field is used.
auth.radius.auth.server.name-property-value.protocol
Specify the protocol for RADIUS server authentication. This attribute is required.
auth.radius.auth.server.name-property-value.host
Specify the host name or IP address of the RADIUS server. If you specify the host name, make sure beforehand that the host
name can be resolved to an IP address. If you specify the IP address, you can use either an IPv4 or IPv6 address. To specify
an IPv6 address, enclose it in square brackets ([ ]). This attribute is required.
To connect to an external authorization server (LDAP directory server) that is running on the same computer and to use
STARTTLS as the protocol for connecting to the LDAP directory server, in the host attribute, specify the same host name as
the value of CN in the LDAP directory server certificate. You cannot use an IP address.
auth.radius.auth.server.name-property-value.port
Specify the port number for RADIUS server authentication. Make sure beforehand that the port you specify is set as the listen
port number on the RADIUS server.
auth.radius.auth.server.name-property-value.timeout
Specify the amount of time to wait before timing out when connecting to the RADIUS server.
Specifiable values: 1 to 65535 (seconds)
Default value: 1
auth.radius.auth.server.name-property-value.retry.times
Specify the number of retries to attempt when an attempt to connect to the RADIUS server fails. If you specify 0, no retries are
attempted.
Specifiable values: 0 to 50
Default value: 3
auth.radius.auth.server.name-property-value.attr.NAS-IP-Address
Specify the IPv4 address of the Analyzer server. The RADIUS server uses this attribute value to identify the Analyzer server.
You must specify exactly one of the following: attr.NAS-IP-Address, attr.NAS-IPv6-Address, or attr.NAS-Identifier.
auth.radius.auth.server.name-property-value.attr.NAS-IPv6-Address
Specify the IPv6 address of the Analyzer server. The RADIUS server uses this attribute value to identify the Analyzer server.
Enclose the IPv6 address in square brackets ([ ]).
You must specify exactly one of the following: attr.NAS-IP-Address, attr.NAS-IPv6-Address, or attr.NAS-Identifier.
auth.radius.auth.server.name-property-value.attr.NAS-Identifier
Specify the host name of the Analyzer server. The RADIUS server uses this attribute value to identify the Analyzer server. The
host name of the Analyzer server has been set as the initial value.
You must specify exactly one of the following: attr.NAS-IP-Address, attr.NAS-IPv6-Address, or attr.NAS-Identifier.
Specifiable values: Specify no more than 253 bytes of the following characters:
A to Z
a to z
0 to 9
auth.radius.auth.server.name-property-value.domain.name
Specify the name of a domain managed by the LDAP directory server (external authorization server). This attribute is required.
auth.radius.auth.server.name-property-value.dns_lookup
Specify whether to use the DNS server to look up the information about the LDAP directory server (external authorization
server). Specify false (do not look up the information).
auth.group.domain-name.protocol
Specify the protocol for connecting to the LDAP directory server (external authorization server).
When communicating in cleartext, specify ldap. When using STARTTLS communication, specify tls.
Before specifying tls, you must specify the security settings of Common component. In addition, make sure that one of the
following encryption methods can be used on the LDAP directory server:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
auth.group.domain-name.host
If the external authentication server and the external authorization server (LDAP directory server) are running on different
computers, specify the host name or IP address of the LDAP directory server. If you specify the host name, make sure
beforehand that the host name can be resolved to an IP address. If you specify the IP address, you can use either an IPv4 or
IPv6 address. When specifying an IPv6 address, enclose it in square brackets ([ ]).
If you omit this attribute, the external authentication server and the external authorization server are assumed to be running on
the same computer.
When the external authentication server and the external authorization server are running on different computers and when
using STARTTLS as the protocol for connecting to the LDAP directory server, in the host attribute specify the same host name
as the value of CN in the LDAP directory server certificate. You cannot use an IP address.
auth.group.domain-name.port
Specify the port number of the LDAP directory server (external authorization server). Make sure beforehand that the port you
specify is set as the listen port number on the LDAP directory server.
auth.group.domain-name.basedn
Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information
on the LDAP directory server (external authorization server). The user entries that are located in the hierarchy below this DN
will be checked during authorization. Specify the DN of the hierarchy that includes all of the user entries to be searched.
Specify the DN by following the rules defined in RFC4514. For example, if any of the following characters are included in a DN,
you must use a backslash (\) to escape each character.
If characters that must be escaped are included in the specified BaseDN, escape all of those characters correctly because the
specified value will be passed to the LDAP directory server without change.
If you omit this attribute, the value specified in the defaultNamingContext property of Active Directory is assumed as the
BaseDN.
auth.group.domain-name.timeout
Specify the amount of time to wait before timing out when connecting to the LDAP directory server (external authorization
server). If you specify 0, the system waits until a communication error occurs without timing out.
Default value: 15
auth.group.domain-name.retry.interval
Specify the retry interval (in seconds) for when an attempt to connect to the LDAP directory server (external authorization
server) fails.
Default value: 1
auth.group.domain-name.retry.times
Specify the number of retries to attempt when an attempt to connect to the LDAP directory server (external authorization
server) fails. If you specify 0, no retries are attempted.
Specifiable values: 0 to 50
Default value: 20
Note:
Settings for using DNS to connect to a RADIUS server and an authorization server
To use a RADIUS server as an external authentication server and to use an LDAP directory server as an external authorization server by obtaining the LDAP directory information
from the DNS server, specify the settings in the exauth.properties file as shown in the following table.
auth.server.type
Specify an external authentication server type. Specify radius.
auth.server.name
Specify the server identification names of RADIUS servers. You can specify any name for this property in order to identify
which RADIUS servers the settings such as the port number and the protocol for connecting to the RADIUS server are applied
to. ServerName has been set as the initial value. You must specify at least one name. When configuring a redundant
configuration, separate the server identification name of each server with a comma (,). Do not register the same server
identification name more than once.
A to Z
a to z
0 to 9
! # ( ) + - . = @ [ ] ^ _ { } ~
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify true (connect).
auth.radius.auth.server.name-property-value.protocol
Specify the protocol for RADIUS server authentication. This attribute is required.
auth.radius.auth.server.name-property-value.host
Specify the host name or IP address of the RADIUS server. If you specify the host name, make sure beforehand that the host
name can be resolved to an IP address. If you specify the IP address, you can use either an IPv4 or IPv6 address. To specify
an IPv6 address, enclose it in square brackets ([ ]). This attribute is required.
To connect to an external authorization server (LDAP directory server) that is running on the same computer and to use
STARTTLS as the protocol for connecting to the LDAP directory server, in the host attribute, specify the same host name as
the value of CN in the LDAP directory server certificate. You cannot use an IP address.
auth.radius.auth.server.name-property-value.port
Specify the port number for RADIUS server authentication. Make sure beforehand that the port you specify is set as the listen
port number on the RADIUS server.
auth.radius.auth.server.name-property-value.timeout
Specify the amount of time to wait before timing out when connecting to the RADIUS server.
Default value: 1
auth.radius.auth.server.name-property-value.retry.times
Specify the number of retries to attempt when an attempt to connect to the RADIUS server fails. If you specify 0, no retries are
attempted.
Specifiable values: 0 to 50
Default value: 3
auth.radius.auth.server.name-property-value.attr.NAS-IP-Address
Specify the IPv4 address of the Analyzer server. The RADIUS server uses this attribute value to identify the Analyzer server.
You must specify exactly one of the following: attr.NAS-IP-Address, attr.NAS-IPv6-Address, or attr.NAS-Identifier.
auth.radius.auth.server.name-property-value.attr.NAS-IPv6-Address
Specify the IPv6 address of the Analyzer server. The RADIUS server uses this attribute value to identify the Analyzer server.
Enclose the IPv6 address in square brackets ([ ]).
You must specify exactly one of the following: attr.NAS-IP-Address, attr.NAS-IPv6-Address, or attr.NAS-Identifier.
auth.radius.auth.server.name-property-value.attr.NAS-Identifier
Specify the host name of the Analyzer server. The RADIUS server uses this attribute value to identify the Analyzer server. The
host name of the Analyzer server has been set as the initial value.
You must specify exactly one of the following: attr.NAS-IP-Address, attr.NAS-IPv6-Address, or attr.NAS-Identifier.
Specifiable values: Specify no more than 253 bytes of the following characters:
A to Z
a to z
0 to 9
auth.radius.auth.server.name-property-value.domain.name
Specify the name of a domain managed by the LDAP directory server (external authorization server). This attribute is required.
Default value: none
auth.radius.auth.server.name-property-value.dns_lookup
Specify whether to use the DNS server to look up the information about the LDAP directory server (external authorization
server). Specify true (look up the information).
However, if the following attribute values are already set, the LDAP directory server will be connected to by using the
user-specified values instead of by using the DNS server to look up the information.
auth.group.domain-name.host
auth.group.domain-name.port
auth.group.domain-name.protocol
Specify the protocol for connecting to the LDAP directory server (external authorization server).
auth.group.domain-name.basedn
Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information
on the LDAP directory server (external authorization server). The user entries that are located in the hierarchy below this DN
will be checked during authorization. Specify the DN of the hierarchy that includes all of the user entries to be searched.
Specify the DN by following the rules defined in RFC4514. For example, if any of the following characters are included in a DN,
you must use a backslash (\) to escape each character.
If characters that must be escaped are included in the specified BaseDN, escape all of those characters correctly because the
specified value will be passed to the LDAP directory server without change.
If you omit this attribute, the value specified in the defaultNamingContext property of Active Directory is assumed as the
BaseDN.
auth.group.domain-name.timeout
Specify the amount of time to wait before timing out when connecting to the LDAP directory server (external authorization
server). If you specify 0, the system waits until a communication error occurs without timing out.
Default value: 15
auth.group.domain-name.retry.interval
Specify the retry interval (in seconds) for when an attempt to connect to the LDAP directory server (external authorization
server) fails.
Default value: 1
auth.group.domain-name.retry.times
Specify the number of retries to attempt when an attempt to connect to the LDAP directory server (external authorization
server) fails. If you specify 0, no retries are attempted.
Specifiable values: 0 to 50
Default value: 20
Note:
Examples of specifying settings in the exauth.properties file to use a RADIUS server for authentication
Examples of how to set the exauth.properties file when using a RADIUS server to perform authentication are provided below.
auth.server.type=radius
auth.server.name=ServerName
auth.group.mapping=false
auth.radius.ServerName.protocol=PAP
auth.radius.ServerName.host=radius.example.com
auth.radius.ServerName.port=1812
auth.radius.ServerName.timeout=1
auth.radius.ServerName.retry.times=3
auth.radius.ServerName.attr.NAS-Identifier=host_A
auth.server.type=radius
auth.server.name=ServerName
auth.group.mapping=true
auth.ocsp.enable=false
auth.ocsp.responderURL=
auth.radius.ServerName.protocol=PAP
auth.radius.ServerName.host=radius.example.com
auth.radius.ServerName.port=1812
auth.radius.ServerName.timeout=1
auth.radius.ServerName.retry.times=3
auth.radius.ServerName.attr.NAS-Identifier=host_A
auth.radius.ServerName.domain.name=EXAMPLE.COM
auth.radius.ServerName.dns_lookup=false
auth.group.EXAMPLE.COM.protocol=ldap
auth.group.EXAMPLE.COM.host=ldap.example.com
auth.group.EXAMPLE.COM.port=389
auth.group.EXAMPLE.COM.basedn=dc=Example,dc=com
auth.group.EXAMPLE.COM.timeout=15
auth.group.EXAMPLE.COM.retry.interval=1
auth.group.EXAMPLE.COM.retry.times=20
auth.server.type=radius
auth.server.name=ServerName
auth.group.mapping=true
auth.radius.ServerName.protocol=PAP
auth.radius.ServerName.host=radius.example.com
auth.radius.ServerName.port=1812
auth.radius.ServerName.timeout=1
auth.radius.ServerName.retry.times=3
auth.radius.ServerName.attr.NAS-Identifier=host_A
auth.radius.ServerName.domain.name=EXAMPLE.COM
auth.radius.ServerName.dns_lookup=true
auth.group.EXAMPLE.COM.protocol=ldap
auth.group.EXAMPLE.COM.basedn=dc=Example,dc=com
auth.group.EXAMPLE.COM.timeout=15
auth.group.EXAMPLE.COM.retry.interval=1
auth.group.EXAMPLE.COM.retry.times=20
auth.server.type=radius
auth.server.name=ServerName1,ServerName2
auth.group.mapping=false
auth.radius.ServerName1.protocol=PAP
auth.radius.ServerName1.host=radius1.example.com
auth.radius.ServerName1.port=1812
auth.radius.ServerName1.timeout=1
auth.radius.ServerName1.retry.times=3
auth.radius.ServerName1.attr.NAS-IP-Address=127.0.0.1
auth.radius.ServerName2.protocol=PAP
auth.radius.ServerName2.host=radius2.example.com
auth.radius.ServerName2.port=1812
auth.radius.ServerName2.timeout=1
auth.radius.ServerName2.retry.times=3
auth.radius.ServerName2.attr.NAS-IP-Address=127.0.0.1
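The rules in the RADIUS property table can be checked offline before the file is put in place. The following Python linter is an added example, not part of the Hitachi guide or product: its function names and the sample file are constructed, and the meaning of the ldap and tls values is taken from the guide's description of the auth.group protocol property.

```python
import ipaddress

# Constructed sample (not from the guide): ServerName2 breaks several rules
# from the property table, and the LDAP group lookup runs in cleartext.
SAMPLE = """\
auth.server.type=radius
auth.server.name=ServerName1,ServerName2
auth.group.mapping=true
auth.radius.ServerName1.protocol=PAP
auth.radius.ServerName1.host=radius1.example.com
auth.radius.ServerName1.port=1812
auth.radius.ServerName1.retry.times=3
auth.radius.ServerName1.attr.NAS-Identifier=host_A
auth.radius.ServerName1.domain.name=EXAMPLE.COM
auth.radius.ServerName1.dns_lookup=false
auth.radius.ServerName2.protocol=PAP
auth.radius.ServerName2.host=2001:db8::10
auth.radius.ServerName2.retry.times=51
auth.radius.ServerName2.attr.NAS-Identifier=host_A
auth.radius.ServerName2.attr.NAS-IP-Address=192.0.2.7
auth.group.EXAMPLE.COM.protocol=ldap
auth.group.EXAMPLE.COM.host=ldap.example.com
auth.group.EXAMPLE.COM.port=389
"""

NAS_ATTRS = ("attr.NAS-IP-Address", "attr.NAS-IPv6-Address", "attr.NAS-Identifier")


def parse_properties(text):
    """key=value per line; split on the first '=' only so BaseDN values survive."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))


def ip_version(host):
    """Return 4 or 6 for an IP literal (brackets allowed), None for a host name."""
    try:
        return ipaddress.ip_address(host.strip("[]")).version
    except ValueError:
        return None


def lint_ldap(props, pre):
    """Check the transport settings of one external authorization server."""
    out = []
    protocol, host = props.get(pre + "protocol", ""), props.get(pre + "host", "")
    if protocol == "ldap":
        out.append(("warning", pre + "protocol", "cleartext LDAP; tls selects STARTTLS"))
    elif protocol == "tls":
        if not host:  # STARTTLS requires the server to be specified directly
            out.append(("error", pre + "host", "STARTTLS needs the server specified directly"))
        if props.get("auth.ocsp.enable", "").lower() != "true":
            out.append(("warning", "auth.ocsp.enable", "certificate validity is not verified by OCSP"))
    return out


def lint_radius(props):
    """Return (severity, key, message) tuples for violations of the table's rules."""
    out, seen_domains = [], set()
    mapping = props.get("auth.group.mapping", "").lower() == "true"
    names = [n.strip() for n in props.get("auth.server.name", "").split(",") if n.strip()]
    for name in names:
        pre = f"auth.radius.{name}."
        for attr in ("protocol", "host"):
            if not props.get(pre + attr):
                out.append(("error", pre + attr, "required attribute is missing"))
        host = props.get(pre + "host", "")
        if ip_version(host) == 6 and not (host.startswith("[") and host.endswith("]")):
            out.append(("error", pre + "host", "IPv6 address must be enclosed in [ ]"))
        retries = props.get(pre + "retry.times", "3")  # documented default is 3
        if not retries.isdigit() or not 0 <= int(retries) <= 50:
            out.append(("error", pre + "retry.times", "specifiable values are 0 to 50"))
        nas_set = [a for a in NAS_ATTRS if props.get(pre + a)]
        if len(nas_set) != 1:
            out.append(("error", pre + "attr.NAS-*",
                        f"exactly one NAS attribute must be set, found {len(nas_set)}"))
        if len(props.get(pre + "attr.NAS-Identifier", "").encode()) > 253:
            out.append(("error", pre + "attr.NAS-Identifier", "longer than 253 bytes"))
        if not mapping:
            continue
        domain = props.get(pre + "domain.name", "")
        if not domain:
            out.append(("error", pre + "domain.name", "required when auth.group.mapping=true"))
        elif domain not in seen_domains:  # lint each LDAP domain once
            seen_domains.add(domain)
            out.extend(lint_ldap(props, f"auth.group.{domain}."))
    return out


if __name__ == "__main__":
    for severity, key, message in lint_radius(parse_properties(SAMPLE)):
        print(f"{severity:7} {key}: {message}")
```

This checks only the file contents; the hcmds64checkauth command described in this guide is still what confirms that the connections can be established.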
To use Kerberos authentication for the Analyzer server, you must configure the following settings.
The workflow for connecting to the Kerberos server varies depending on whether only an external authentication server is used or both an external authentication server and an
external authorization server (LDAP directory server) are used.
The following figure shows the workflow for connecting to the Kerberos server.
Note: To use STARTTLS to communicate between the LDAP directory server and the Analyzer server, you must set up an environment specifically for this purpose to ensure secure
communications.
On the Kerberos server, create a user account for the Analyzer server. To use an external authorization server (LDAP directory server), check the configuration details of the LDAP
directory server, and then create an LDAP search user account.
On the Kerberos server, you must create user accounts (user IDs and passwords) to use on the Analyzer server.
For details about how to create user accounts on the Kerberos server, see the documentation of the Kerberos server.
A to Z
a to z
0 to 9
! # $ % & ' ( ) * + - . = @ \ ^ _ |
In Analyzer server, user IDs are not case-sensitive. The combination of character types for passwords must follow the settings in the external authentication server.
To use the LDAP directory server as an external authorization server, you must configure the LDAP directory server.
For details about how to configure the LDAP directory server, see the following descriptions:
Check the BaseDN for the LDAP directory server. You will need the BaseDN information when you edit the exauth.properties file of the Analyzer server.
On the LDAP directory server, create an LDAP search user account. This user account is necessary when the Analyzer server connects to the LDAP directory server to
acquire user information and other information.
The properties to be specified depend on whether information about the Kerberos server is to be directly specified, or whether information about the connection-
destination Kerberos server is to be obtained from the DNS server.
Machine information about the Kerberos server (Host name or IP address, Port number)
Realm name
If you also want to connect to an external authorization server (an LDAP directory server), check the following requirements.
Create a user account on the LDAP directory server for searching for user information.
Check the following information. This information is necessary for editing the file exauth.properties.
Method for connecting to the LDAP directory server
The properties to be specified depend on whether information about the LDAP directory server is to be directly specified, or whether information about the connection-
destination LDAP directory server is to be obtained from the DNS server.
Machine information about the LDAP directory server (Host name or IP address, Port number)
BaseDN
Domain name for external authorization servers managed by the LDAP directory server
Common-component-installation-directory/sample/conf/exauth.properties
Common-component-installation-directory/conf
d. If the values of the property auth.ocsp.enable or the property auth.ocsp.responderURL have been changed, restart the Analyzer server service.
2. If a connection also needs to be established with an external authorization server (an LDAP directory server), register on the Analyzer server a user account to use for
retrieving user information.
a. Run the hcmds64ldapuser command to register the LDAP search user account.
b. To view a list of LDAP directory servers for which LDAP search user accounts are registered, run the following command.
Common-component-installation-directory/bin/hcmds64ldapuser -list
Tip:
To delete the LDAP search user account from the Analyzer server, run the hcmds64ldapuser command with the delete option.
3. Run the hcmds64checkauth command to confirm whether connections to the external authentication server and the external authorization server can be established properly.
Common-component-installation-directory/bin/hcmds64checkauth [-summary]
Make sure that the user ID is the same as the user ID that was created on the external authentication server.
When a Kerberos server is configured for external user authentication and an LDAP directory server is configured for authorization:
For details about how to perform these operations on the web client, see the Hitachi Ops Center Analyzer User Guide.
Note:
If you are using both an external authentication server and an external authorization server, and the user ID created on the external authentication server is registered on the
Analyzer server, the user account is authenticated internally by the Analyzer server.
If the current configuration uses only an external authentication server and you want to use both an external authentication server and an external authorization server, you
must remove the user ID that was created with the same name on the Analyzer server.
In the exauth.properties file, set the type of the external authentication server to use, the server identification name, and the machine information about the external authentication
server.
Items to be configured in the exauth.properties file differ depending on the Kerberos server environment. Use the following table to check the configuration items corresponding to
your Kerberos server environment.
Note:
Be sure to distinguish between uppercase and lowercase letters for property settings.
To use STARTTLS for communication between the Analyzer server and the LDAP directory server, you must directly specify information about the LDAP directory server in
the exauth.properties file.
If you use a DNS server to look up the LDAP directory server to connect to, it might take longer for users to log on.
To use a Kerberos server as an external authorization server by directly specifying the Kerberos server information in the exauth.properties file, specify the settings in the
exauth.properties file as shown in the following table.
auth.server.type
Specify an external authentication server type. Specify kerberos.
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify false (do not connect).
auth.kerberos.default_realm
Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is
authenticated as a user who belongs to the realm specified for this attribute. This attribute is required.
auth.kerberos.dns_lookup_kdc
Specify whether to use the DNS server to look up the information about the Kerberos server. Specify false (do not look up the
information).
auth.kerberos.default_tkt_enctypes
Specify the encryption type used for Kerberos authentication.
auth.kerberos.clockskew
Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference
exceeds this value, an authentication error occurs.
auth.kerberos.timeout
Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits
until a communication error occurs without timing out.
Default value: 3
auth.kerberos.realm_name
Specify the realm identification names. You can specify any name for this attribute in order to identify which realms the property
attribute settings are applied to. You must specify at least one name. When specifying multiple realm identification names,
separate the names with commas (,). Do not register the same realm identification name more than once.
auth.kerberos.auth.kerberos.realm_name-property-value.realm
Specify the name of the realm set in the Kerberos server. This attribute is required.
auth.kerberos.auth.kerberos.realm_name-property-value.kdc
Specify the information about the Kerberos server in the following format:
host-name-or-IP-address[:port-number]
host-name-or-IP-address
If you specify the host name, make sure beforehand that the name can be resolved to an IP address.
If you specify the IP address, use an IPv4 address. In an IPv6 environment, you must specify the host name. Note that
you cannot specify the loopback address (localhost or 127.0.0.1).
When using STARTTLS as the protocol for connecting to the external authorization server (LDAP directory server),
specify the same host name as the value of CN in the external authorization server certificate. You cannot use an IP
address.
port-number
Make sure beforehand that the port you specify is set as the listen port number on the Kerberos server. If you do not
specify a port number or the specified port number cannot be used in a Kerberos server, 88 is assumed.
When configuring the Kerberos server in redundant configuration, separate the servers with commas (,) as follows:
host-name-or-IP-address[:port-number],host-name-or-IP-address[:port-number], ...
To use a Kerberos server as an external authorization server by obtaining the Kerberos server information from the DNS server, specify the settings in the exauth.properties file as
shown in the following table.
auth.server.type
Specify an external authentication server type. Specify kerberos.
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify false (do not connect).
auth.kerberos.default_realm
Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is
authenticated as a user who belongs to the realm specified for this attribute. This attribute is required.
auth.kerberos.dns_lookup_kdc
Specify whether to use the DNS server to look up the information about the Kerberos server. Specify true (look up the
information). This attribute is required.
However, if all the following attribute values are already set, the Kerberos server will not be looked up by using the DNS
server.
auth.kerberos.realm_name
auth.kerberos.auth.kerberos.realm_name-property-value.realm
auth.kerberos.auth.kerberos.realm_name-property-value.kdc
auth.kerberos.default_tkt_enctypes
Specify the encryption type used for Kerberos authentication.
auth.kerberos.clockskew
Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference
exceeds this value, an authentication error occurs.
auth.kerberos.timeout
Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits
until a communication error occurs without timing out.
Default value: 3
To use an LDAP directory server as an external authorization server and to use a Kerberos server as an external authentication server by directly specifying the Kerberos server
information in the exauth.properties file, specify the settings in the exauth.properties file as shown in the following table.
Property names Details
auth.server.type
Specify an external authentication server type. Specify kerberos.
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify true (connect).
auth.ocsp.enable
Specify whether or not to verify the validity of an LDAP directory server electronic signature certificate by using an OCSP
responder when the LDAP directory server and STARTTLS are used for communication.
If you want to verify the validity of certificates, specify true. To not verify the validity of certificates, specify false.
auth.ocsp.responderURL
Specify the URL of an OCSP responder if you want to use an OCSP responder that is not the one written in the AIA field of the
electronic signature certificate to verify the validity of the electronic signature certificate. If this value is omitted, the OCSP
responder written in the AIA field is used.
auth.kerberos.default_realm
Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is
authenticated as a user who belongs to the realm specified for this attribute. This attribute is required.
auth.kerberos.dns_lookup_kdc
Specify whether to use the DNS server to look up the information about the Kerberos server. Specify false (do not look up the
information).
auth.kerberos.default_tkt_enctypes
Specify the encryption type used for Kerberos authentication.
auth.kerberos.clockskew
Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference
exceeds this value, an authentication error occurs.
auth.kerberos.timeout
Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits
until a communication error occurs without timing out.
Default value: 3
auth.kerberos.realm_name
Specify the realm identification names. You can specify any name for this attribute in order to identify which realms the property
attribute settings are applied to. You must specify at least one name. When specifying multiple realm identification names,
separate the names with commas (,). Do not register the same realm identification name more than once.
auth.kerberos.auth.kerberos.realm_name-property-value.realm
Specify the name of the realm set in the Kerberos server. This attribute is required.
auth.kerberos.auth.kerberos.realm_name-property-value.kdc
Specify the information about the Kerberos server in the following format:
host-name-or-IP-address[:port-number]
host-name-or-IP-address
If you specify the host name, make sure beforehand that the name can be resolved to an IP address.
If you specify the IP address, use an IPv4 address. In an IPv6 environment, you must specify the host name. Note that
you cannot specify the loopback address (localhost or 127.0.0.1).
When using STARTTLS as the protocol for connecting to the external authorization server (LDAP directory server),
specify the same host name as the value of CN in the external authorization server certificate. You cannot use an IP
address.
port-number
Make sure beforehand that the port you specify is set as the listen port number on the Kerberos server. If you do not
specify a port number or the specified port number cannot be used in a Kerberos server, 88 is assumed.
When configuring the Kerberos server in redundant configuration, separate the servers with commas (,) as follows:
host-name-or-IP-address[:port-number],host-name-or-IP-address[:port-number], ...
auth.group.realm-name.protocol
Specify the protocol for connecting to the LDAP directory server (external authorization server).
When communicating in cleartext, specify ldap. When using STARTTLS communication, specify tls.
Before specifying tls, you must specify the security settings of Common component. In addition, make sure that one of the
following encryption methods can be used on the LDAP directory server:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
auth.group.realm-name.port
Specify the port number of the LDAP directory server. Make sure beforehand that the port you specify is set as the listen port
number on the LDAP directory server.
auth.group.realm-name.basedn
Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information
on the LDAP directory server (external authorization server). The user entries that are located in the hierarchy below this DN
will be checked during authorization. Specify the DN of the hierarchy that includes all of the user entries to be searched.
Specify the DN by following the rules defined in RFC4514. For example, if any of the following characters are included in a DN,
you must use a backslash (\) to escape each character.
If characters that must be escaped are included in the specified BaseDN, escape all of those characters correctly because the
specified value will be passed to the LDAP directory server without change.
If you omit this attribute, the value specified in the defaultNamingContext property of Active Directory is assumed as the
BaseDN.
auth.group.realm-name.timeout
Specify the amount of time to wait before timing out when connecting to the LDAP directory server (external authorization
server). If you specify 0, the system waits until a communication error occurs without timing out.
Default value: 15
auth.group.realm-name.retry.interval
Specify the retry interval (in seconds) for when an attempt to connect to the LDAP directory server (external authorization
server) fails.
Default value: 1
auth.group.realm-name.retry.times
Specify the number of retries to attempt when an attempt to connect to the LDAP directory server (external authorization
server) fails. If you specify 0, no retries are attempted.
Specifiable values: 0 to 50
Default value: 20
Note:
Settings for using DNS to connect to a Kerberos server and an authorization server
To use an LDAP directory server as an external authorization server and to use a Kerberos server as an external authentication server by obtaining the Kerberos server information
from the DNS server, specify the settings in the exauth.properties file as shown in the following table.
Property names Details
auth.server.type
Specify an external authentication server type. Specify kerberos.
auth.group.mapping
Specify whether to also connect to an external authorization server (LDAP directory server). Specify true (connect).
auth.kerberos.default_realm
Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is
authenticated as a user who belongs to the realm specified for this attribute. This attribute is required.
auth.kerberos.dns_lookup_kdc
Specify whether to use the DNS server to look up the information about the Kerberos server. Specify true (look up the
information). This attribute is required.
However, if all the following attribute values are already set, the Kerberos server will not be looked up by using the DNS
server.
auth.kerberos.realm_name
auth.kerberos.auth.kerberos.realm_name-property-value.realm
auth.kerberos.auth.kerberos.realm_name-property-value.kdc
auth.kerberos.default_tkt_enctypes
Specify the encryption type used for Kerberos authentication.
auth.kerberos.clockskew
Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference
exceeds this value, an authentication error occurs.
auth.kerberos.timeout
Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits
until a communication error occurs without timing out.
Default value: 3
Examples of specifying settings in the exauth.properties file to use a Kerberos server for authentication
Examples of how to set the exauth.properties file when using a Kerberos server to perform authentication are provided below.
When directly specifying information about a Kerberos server (when not connecting to an external authorization server):
auth.server.type=kerberos
auth.group.mapping=false
auth.kerberos.default_realm=EXAMPLE.COM
auth.kerberos.dns_lookup_kdc=false
auth.kerberos.clockskew=300
auth.kerberos.timeout=3
auth.kerberos.realm_name=RealmName
auth.kerberos.RealmName.realm=EXAMPLE.COM
auth.kerberos.RealmName.kdc=kerberos.example.com:88
When using the DNS server to look up a Kerberos server (when not connecting to an external authorization server):
auth.server.type=kerberos
auth.group.mapping=false
auth.kerberos.default_realm=EXAMPLE.COM
auth.kerberos.dns_lookup_kdc=true
auth.kerberos.clockskew=300
auth.kerberos.timeout=3
When directly specifying information about a Kerberos server (when also connecting to an external authorization server):
auth.server.type=kerberos
auth.group.mapping=true
auth.ocsp.enable=false
auth.ocsp.responderURL=
auth.kerberos.default_realm=EXAMPLE.COM
auth.kerberos.dns_lookup_kdc=false
auth.kerberos.clockskew=300
auth.kerberos.timeout=3
auth.kerberos.realm_name=RealmName
auth.kerberos.RealmName.realm=EXAMPLE.COM
auth.kerberos.RealmName.kdc=kerberos.example.com:88
auth.group.EXAMPLE.COM.protocol=ldap
auth.group.EXAMPLE.COM.port=389
auth.group.EXAMPLE.COM.basedn=dc=Example,dc=com
auth.group.EXAMPLE.COM.timeout=15
auth.group.EXAMPLE.COM.retry.interval=1
auth.group.EXAMPLE.COM.retry.times=20
When using the DNS server to look up a Kerberos server (when also connecting to an external authorization server):
auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=EXAMPLE.COM
auth.kerberos.dns_lookup_kdc=true
auth.kerberos.clockskew=300
auth.kerberos.timeout=3
auth.server.type=kerberos
auth.group.mapping=false
auth.kerberos.default_realm=EXAMPLE.COM
auth.kerberos.dns_lookup_kdc=false
auth.kerberos.clockskew=300
auth.kerberos.timeout=3
auth.kerberos.realm_name=S1
auth.kerberos.S1.realm=EXAMPLE.COM
auth.kerberos.S1.kdc=kerberos.example.com:88,kerberos.example.net:88
auth.server.type=kerberos
auth.group.mapping=false
auth.kerberos.default_realm=EXAMPLE.COM
auth.kerberos.dns_lookup_kdc=false
auth.kerberos.clockskew=300
auth.kerberos.timeout=3
auth.kerberos.realm_name=S1,S2
auth.kerberos.S1.realm=EXAMPLE.COM
auth.kerberos.S1.kdc=kerberos1.example.com:88,kerberos1.example.net:88
auth.kerberos.S2.realm=EXAMPLE.NET
auth.kerberos.S2.kdc=kerberos2.example.com:88,kerberos2.example.net:88
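The kdc format and realm rules from the Kerberos property tables, applied to a file before it is deployed. This Python checker is an added example, not part of the Hitachi guide or product: the function names and the sample file are constructed, and a port outside 1 to 65535 is reported here rather than silently replaced by 88.

```python
# Constructed sample (not from the guide): S1 is valid, S2 mixes a loopback
# entry, an IPv6 literal and a bad port, and S3 is declared without .realm/.kdc.
SAMPLE = """\
auth.server.type=kerberos
auth.group.mapping=false
auth.kerberos.default_realm=EXAMPLE.COM
auth.kerberos.dns_lookup_kdc=false
auth.kerberos.realm_name=S1,S2,S3
auth.kerberos.S1.realm=EXAMPLE.COM
auth.kerberos.S1.kdc=kerberos1.example.com,192.0.2.10:8888
auth.kerberos.S2.realm=EXAMPLE.NET
auth.kerberos.S2.kdc=localhost:88,[2001:db8::5]:88,kerberos2.example.net:kdc
"""

DEFAULT_KDC_PORT = 88  # the guide: 88 is assumed when no port is specified
LOOPBACK = {"localhost", "127.0.0.1"}  # the two loopback forms the guide rules out


def parse_properties(text):
    """key=value per line; split on the first '=' only."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))


def parse_kdc_list(value):
    """Split 'host[:port],host[:port],...' into ([(host, port)], [problems])."""
    kdcs, problems = [], []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        # IP addresses must be IPv4; an IPv6 environment has to use host names.
        if entry.startswith("[") or entry.count(":") > 1:
            problems.append(f"{entry}: IPv6 literal, specify the host name instead")
            continue
        host, sep, port = entry.partition(":")
        if host.lower() in LOOPBACK:
            problems.append(f"{entry}: loopback address cannot be specified")
            continue
        if sep and not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"{entry}: invalid port number")
            continue
        kdcs.append((host, int(port) if sep else DEFAULT_KDC_PORT))
    return kdcs, problems


def lint_kerberos(props):
    """Return ({realm identification name: [(host, port)]}, [(key, message)])."""
    findings, kdcs = [], {}
    if not props.get("auth.kerberos.default_realm"):
        findings.append(("auth.kerberos.default_realm", "required attribute is missing"))
    dns = props.get("auth.kerberos.dns_lookup_kdc", "").lower() == "true"
    names = [n.strip() for n in props.get("auth.kerberos.realm_name", "").split(",")
             if n.strip()]
    if not names and not dns:
        findings.append(("auth.kerberos.realm_name", "no realm defined and DNS lookup is off"))
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(("auth.kerberos.realm_name", f"{dup} is registered more than once"))
    for name in dict.fromkeys(names):  # keep order, visit each name once
        pre = f"auth.kerberos.{name}."
        if not props.get(pre + "realm"):
            findings.append((pre + "realm", "required attribute is missing"))
        value = props.get(pre + "kdc", "")
        if not value:
            findings.append((pre + "kdc", "no Kerberos server specified"))
            continue
        kdcs[name], problems = parse_kdc_list(value)
        findings.extend((pre + "kdc", p) for p in problems)
    return kdcs, findings


if __name__ == "__main__":
    servers, issues = lint_kerberos(parse_properties(SAMPLE))
    for realm_id, hosts in servers.items():
        print(realm_id, hosts)
    for key, message in issues:
        print(f"{key}: {message}")
```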
Configuring external user authentication on the Analyzer probe server and the Analyzer detail view server
To authenticate users by using an external authentication server (Active Directory), you must configure settings on the Analyzer probe server and the Analyzer detail view server.
The procedure for configuring settings on the Analyzer probe server and on the Analyzer detail view server is the same.
Note:
Configuring the settings for external user authentication for the Analyzer detail view server is optional.
You must configure the settings for external user authentication only if you want to log on to the Analyzer detail view server by using Active Directory user accounts.
When the Analyzer detail view UI is launched from the Ops Center Analyzer UI, you do not need to configure settings for external user authentication on the Analyzer detail view
server because internal user accounts are used.
The supported authentication and communication protocols for Active Directory are:
The SSL port is enabled and the non-SSL port is disabled while connecting to the Active Directory server.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like PuTTY) as a root user.
2. From the Analyzer detail view server or Analyzer probe server, verify the domain name of the Active Directory using the command:
nslookup domain-name
3. If you cannot resolve the domain name, then add an entry of the following form in the /etc/hosts file:
Active-Directory-server-IP-address domain-name
4. Import one of the following certificates into the Analyzer detail view server or Analyzer probe server keystore:
Note: The password for the keystore is changeit.
Active Directory Server certificate (CER format).
Microsoft Public Key Infrastructure (MSPKI) chain Certificate (CER format), one file that contains all the keys.
5. Upload the CER file to the /tmp directory on the Analyzer detail view server or Analyzer probe server using an FTP client (like WinSCP).
6. Navigate to the Java keystore directory. For example:
/usr/lib/jvm/java-17-amazon-corretto/lib/security
keytool -importcert -alias Alias_name -keystore Truststore_file_path -storetype jks -storepass Truststore_file_password -file Active_Directory_Server_certificate_or_MSPKI_chain_certificate_file_path
Note: You can define any unique alias name for the certificate.
For example:
keytool -importcert -alias detailviewAD -keystore jssecacerts -storetype jks -storepass changeit -file /tmp/LAB_chain.cer
9. Make sure that the megha user has the read permission for the jssecacerts file. If not, change the permission as follows.
For example:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Note: If you upgrade the JDK in the future, make sure that the jssecacerts file is copied to the upgraded JDK directory.
For example: If you upgrade JDK from v1.8.0 to v17, copy the jssecacerts file from /usr/java/jdk1.8.0_291-amd64/jre/lib/security to
/usr/lib/jvm/java-17-amazon-corretto/lib/security.
After copying the jssecacerts file, make sure that the megha user has the read permission for the jssecacerts file. If not, set it as in this example:
14. Access the Analyzer detail view or Analyzer probe UI as an administrator user, and then add the Active Directory users.
Before you can add an Active Directory user, the Active Directory domain name must be resolved by the Analyzer detail view server or Analyzer probe server.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) as a root user.
2. Verify the domain name of the Active Directory using the following command:
nslookup domain-name
3. If you cannot resolve the domain name, then add an entry of the following form in the /etc/hosts file:
Active-Directory-server-IP-address domain-name
If you are using a non-default setting to connect to the Active Directory server, you must follow this procedure to change the settings on the Analyzer detail view server and Analyzer
probe server.
The default non-SSL port is 389 and the SSL port is 636.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) as a root user.
2. List the details of the properties using the command:
cat /usr/local/megha/conf/sys/ad.properties
cd /usr/local/megha/conf
5. Create a new custom directory as follows:
mkdir custom
6. Create a file custom.properties in the new folder you just created (/usr/local/megha/conf/custom).
7. In the custom.properties file, add the property you noted earlier. For example: ad.ssl.port=123.
8. Change the owner of the new files and folders:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/bin/megha-jetty.sh start
To enhance the security, you can use an explicit User Principal Name (UPN) domain name on the Analyzer detail view server and Analyzer probe server.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer probe server or Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
cd /usr/local/megha/conf
mkdir custom
7. If the custom.properties file does not exist, create it in the custom directory.
8. Change ownership of the custom directory:
9. Open the custom.properties file and add the ad.domain.mappings property with the implicit and explicit domain name:
ad.domain.mappings=Explicit_Domain:Implicit_Domain
For example:
ad.domain.mappings=marsh.com:domain1.com
For example:
ad.domain.mappings=marsh.com:domain1.com,marsh1.com:domain1.com
/usr/local/megha/bin/megha-jetty.sh start
You can add Active Directory groups to the Analyzer detail view or Analyzer probe. (To log on to the Ops Center Analyzer detail view server as an Active Directory user, the Active
Directory user must be a member of the Active Directory group and domain.)
1. Log on to the Ops Center Analyzer detail view as the admin user and make the appropriate selection:
Analyzer detail view: In the application bar, click the Manage menu.
Analyzer probe: Click the Manage menu.
2. In the Administration section, click the Manage Active Directory Groups link.
3. In the Manage Active Directory Groups window, click Add Active Directory Group.
4. Type the Active Directory group name and domain name.
Note: If you have configured an explicit domain name for Active Directory using the ad.domain.mappings property, make sure that you enter the explicit domain name in the
Domain Name field. Refer to Setting an explicit domain name for Active Directory for more information.
5. Type the user name (with the fully qualified domain name) and the password. You must type the username in the following format:
user-name@FQDN
Note: The Active Directory group user can log in to the Analyzer detail view or Analyzer probe using the user-name@FQDN and FQDN\user-name formats. The
NetBIOS-Name\user-name format is not supported.
All users from the specified Active Directory group are registered with Analyzer detail view (as Normal users) or Analyzer probe (as Admin users) and can access the UI by
using the Active Directory logon credentials.
6. Click Submit.
You can edit the Active Directory group domain name on the Analyzer detail view or Analyzer probe servers. (To log on to the Analyzer detail view server as an Active Directory user,
the user must be a member of the Active Directory groups and domains.)
1. Log on to the Ops Center Analyzer detail view as the admin user and make the appropriate selection:
Analyzer detail view: In the application bar, click the Manage menu.
Analyzer probe: Click the Manage menu.
2. In the Administration section, click the Manage Active Directory Groups link.
3. In the Manage Active Directory Groups window, click Edit in the Action column.
4. Edit the domain name.
Note: If you have configured an explicit domain name for Active Directory using the ad.domain.mappings property, make sure that you enter the explicit domain name in the
Domain Name field. Refer to Setting an explicit domain name for Active Directory for more information.
5. Type the user name (with the fully qualified domain name) and the password. You must type the username in the following format:
user-name@FQDN
Note: The Active Directory group user can log in to the Analyzer detail view or Analyzer probe using the user-name@FQDN and FQDN\user-name formats. The
NetBIOS-Name\user-name format is not supported.
All users from the specified Active Directory group are registered with Analyzer detail view (as Normal users) or Analyzer probe (as Admin users) and can access the UI by
using the Active Directory logon credentials.
6. Click Submit.
You can use the Common Services cssslsetup command to create a common private key and server certificate, and configure SSL communications for Ops Center products
installed on the same host. For details, see the Hitachi Ops Center Installation and Configuration Guide.
In Ops Center Analyzer, you can use SSL and SSH to ensure secure network communications. In SSL and SSH communications, communication routes are encrypted to prevent
information leakage and detect any data manipulation during transfer. You can further enhance security using authentication.
The following shows the security communication routes for Ops Center Analyzer.
The following shows the security communication routes that can be used in Ops Center Analyzer and the supported protocols for each route that is used. Note that the number in the
table corresponds with the number in the figure.
SFTP
SSH
11 On-demand real time monitoring module* Analyzer detail view server * WSS (Web Socket over TLS)
Route Server (program) Client Protocol
* You can configure this component by using the cssslsetup command if the products are installed on the same management server as Common Services.
If the products are installed on a different management server than Common Services, you can configure SSL communication for this component by using the cssslsetup
command by obtaining the cssslsetup command file from the Common Services installation media or the Express installers.
For details, see the section about the cssslsetup command in the Hitachi Ops Center Installation and Configuration Guide.
By default, server certificates are not verified. For secure communication, enable verification.
If you use a certificate issued by a certificate authority, use the information in this module to enhance security.
Note: To use Ops Center Analyzer with security settings enabled, the server certificate must be valid. If the server certificate has expired, you cannot connect to Ops Center Analyzer
using a secure connection.
For communication route 1, HTTP (port: 22015) and HTTPS (port: 22016) are available by default. During initial setup after installation, HTTPS communication can be
performed by using the default self-signed certificate. The default self-signed certificate is created by running the hcmds64ssltool command with no arguments specified. If
you want to use a new self-signed certificate or a certificate issued by a certificate authority, perform the procedure in this topic.
For security settings for communication route 8, see Initial setup for enabling Granular Data Collection.
For security settings for communication route 18, see the Hitachi Ops Center API Configuration Manager REST API Reference Guide.
The following figure describes the workflow for configuring secure communication in the Ops Center Analyzer environment.
Configuration workflow for secure communication between the Analyzer server and the web client
Creating a private key and a certificate signing request for Analyzer server
Submitting a certificate signing request (CSR) for Analyzer server
Enabling SSL communication for Analyzer server
Configuration workflow for secure communication between the Analyzer server and the Analyzer command
Creating a private key and a certificate signing request for Analyzer server
Submitting a certificate signing request (CSR) for Analyzer server
Enabling SSL communication for Analyzer server
Importing Analyzer server certificates to the Analyzer server truststore
Configuration workflow for secure communication between the Analyzer detail view server and the web client
Configuration workflow for secure communication between the Analyzer detail view server and the Analyzer server
Importing Analyzer detail view server certificates to the Analyzer server truststore
Configuration workflow for secure communication between the Analyzer probe server and the web client
Configuration workflow for secure communication between the RAID Agent server and Analyzer server
Creating a private key and a certificate signing request for RAID Agent server
Submitting a certificate signing request (CSR) for RAID Agent
Enabling SSL communication for RAID Agent
Configuration workflow for secure communication between the RAID Agent server and Analyzer probe server
Creating a private key and a certificate signing request for RAID Agent server
Submitting a certificate signing request (CSR) for RAID Agent
Enabling SSL communication for RAID Agent
Enabling TLS certificate verification for connecting to RAID Agent in Analyzer probe server
Configuration workflow for secure communication between Virtual Storage Software Agent server and Analyzer probe server
Creating a private key and a certificate signing request for Virtual Storage Software Agent server
Submitting a certificate signing request (CSR) for Virtual Storage Software Agent
Enabling SSL communication for Virtual Storage Software Agent
Enabling TLS certificate verification for connecting to Virtual Storage Software Agent in Analyzer probe server
Configuration workflow for secure communication between the VSP One SDS Block and Virtual Storage Software Agent
Importing VSP One SDS Block certificates to the Virtual Storage Software Agent truststore
Configuration workflow for secure communication between the Analyzer server and Common Services
Configuration workflow for secure communication between the Analyzer detail view server and Common Services
Configuration workflow for secure communication between the Analyzer probe server and Common Services
Analyzer probe server procedures:
Configuration workflow for secure communication between the Ops Center Automator and Analyzer server
Configuration workflow for secure communication between the LDAP directory server and Analyzer server
Configure the Analyzer server as an SSL server by creating a private key and a certificate signing request, applying for a server certificate, and configuring secure communication.
Note: For an upgrade installation, the SSL settings from before the upgrade are inherited.
Creating a private key and a certificate signing request for Analyzer server
Use the hcmds64ssltool command to create a private key and a certificate signing request (CSR) for Analyzer server.
Run the hcmds64ssltool command to create private keys, certificate signing requests, and self-signed certificates that support RSA cryptography and elliptic curve cryptography
(ECC).
The certificate signing request is created in PEM format.
Note: By default, the self-signed certificate and private key that are created by running the hcmds64ssltool command with no arguments are applied. Use a self-signed certificate
only to test encrypted communications.
In general, applications for server certificates are submitted online. You must create a certificate signing request (CSR) for Analyzer server, and send it to the certificate authority to
obtain a digital signature.
You must have a server certificate in X.509 PEM format issued by the certificate authority. For details on how to apply, see the website of your certificate authority. In addition, make
sure the certificate authority supports the signature algorithm.
To enable SSL communication, edit the user_httpsd.conf file and the command_user.properties file.
Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/server
Verify the host name specified for Common Name in the certificate signing request.
Common-component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf
ServerName Analyzer-server-host-name
#Listen [::]:22015
Listen 22015
#Listen 127.0.0.1:22015
SSLEngine Off
#Listen [::]:22016
Listen 22016
<VirtualHost *:22016>
ServerName Analyzer-server-host-name
SSLEngine On
SSLProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
SSLCertificateKeyFile "Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsdkey.pem"
SSLCertificateFile "Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsd.pem"
SSLCertificateKeyFile "Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsdkey.pem"
SSLCertificateFile "Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsd.pem"
# SSLCACertificateFile "Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/cacert/anycert.pem"
# Header set Strict-Transport-Security max-age=31536000
</VirtualHost>
HWSLogSSLVerbose On
Uncomment the lines from #Listen 22016 to #HWSLogSSLVerbose On, by removing the hash mark (#). For the SSLCipherSuite directive, uncomment only one of these
lines depending on the encryption set to be used. For example, if you want to use only the encryption set that corresponds to PFS (Perfect Forward Secrecy), uncomment
the second of these lines.
Note:
Keep the lines #Listen [::]:22015 and #Listen [::]:22016 commented out, because Ops Center Analyzer does not support IPv6.
Even if you enable SSL communication, do not remove or comment out the line Listen 22015.
To interrupt non-SSL communication, add a hash mark (#) to the beginning of the line Listen 22015 to comment it out, then uncomment the line
#Listen 127.0.0.1:22015.
SSLCipherSuite TLSv1.3 is for TLS 1.3 and SSLCipherSuite is for TLS 1.2.
For the ServerName directive in the first line and the ServerName directive inside the <VirtualHost> tags, enter the Analyzer server host name that you specified for
Common Name in the certificate signing request. (Host names are case sensitive.)
Specify the absolute paths of the private key and the server certificate of Analyzer server for the following directives.
SSLCertificateKeyFile
SSLCertificateFile
If the server certificate for Analyzer server originated from an intermediate certificate authority, remove the hash mark (#) from the beginning of the line of the
SSLCACertificateFile directive, and then specify the absolute path of all server certificates issued by the intermediate certificate authorities. You can include multiple
certificates in a single file by using a text editor to chain those certificates.
Do not remove the hash mark (#) from the beginning of the following line:
Note: If the Analyzer server was upgraded, user_httpsd.conf might not include the required directives. In this case, copy the lines relevant to those directives from the sample
file stored in the following location:
Common-component-installation-directory/sample/httpsd/conf/user_httpsd.conf
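The notes above on user_httpsd.conf can be checked mechanically after each edit. The following audit script is an added example, not part of the product or of the original guide; the host name and the /opt/example paths in both samples are constructed, and it assumes a Linux host where an absolute path begins with a slash.

```python
# Added example: audits a user_httpsd.conf against the notes in this guide.
# Host names and /opt/example paths below are constructed sample values.

WEAK_CONF = """\
ServerName analyzer01.example.com
Listen [::]:22015
Listen 22015
#Listen 127.0.0.1:22015
SSLEngine Off
Listen 22016
<VirtualHost *:22016>
ServerName Analyzer01.example.com
SSLEngine On
SSLProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLCertificateKeyFile "conf/ssl/server/httpsdkey.pem"
SSLCertificateFile "/opt/example/httpsd/conf/ssl/server/httpsd.pem"
</VirtualHost>
"""

HARDENED_CONF = """\
ServerName analyzer01.example.com
#Listen [::]:22015
#Listen 22015
Listen 127.0.0.1:22015
SSLEngine Off
#Listen [::]:22016
Listen 22016
<VirtualHost *:22016>
ServerName analyzer01.example.com
SSLEngine On
SSLProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLCertificateKeyFile "/opt/example/httpsd/conf/ssl/server/httpsdkey.pem"
SSLCertificateFile "/opt/example/httpsd/conf/ssl/server/httpsd.pem"
</VirtualHost>
"""


def active_directives(text):
    """Yield (name, value, in_vhost) for every uncommented directive."""
    in_vhost = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</VirtualHost"):
            in_vhost = False
        elif line.startswith("<VirtualHost"):
            in_vhost = True
        else:
            name, _, value = line.partition(" ")
            yield name, value.strip().strip('"'), in_vhost


def audit(text):
    """Return a sorted list of finding codes; an empty list means no findings."""
    d = list(active_directives(text))
    listens = [v for n, v, _ in d if n == "Listen"]
    findings = set()
    if any(v.startswith("[") for v in listens):
        findings.add("ipv6-listen-enabled")      # IPv6 lines must stay commented
    ssl_on = any(n == "SSLEngine" and v.lower() == "on" and vh for n, v, vh in d)
    if "22016" not in listens or not ssl_on:
        findings.add("https-not-enabled")
    if "22015" in listens:
        findings.add("http-open-to-network")     # non-SSL port not restricted
    elif "127.0.0.1:22015" not in listens:
        findings.add("http-listen-missing")      # one of the two must be active
    outer = {v for n, v, vh in d if n == "ServerName" and not vh}
    inner = {v for n, v, vh in d if n == "ServerName" and vh}
    if outer != inner:                           # host names are case sensitive
        findings.add("servername-mismatch")
    tls12 = [v for n, v, _ in d
             if n == "SSLCipherSuite" and not v.startswith("TLSv1.3")]
    if len(tls12) != 1:                          # uncomment only one TLS 1.2 line
        findings.add("tls12-ciphersuite-count")
    if any(not s.startswith("ECDHE-") for v in tls12 for s in v.split(":")):
        findings.add("non-pfs-cipher")           # suite without forward secrecy
    for n, v, _ in d:
        if n in ("SSLCertificateKeyFile", "SSLCertificateFile") and not v.startswith("/"):
            findings.add("relative-path:" + n)
    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

The http-open-to-network finding is informational: the guide permits HTTP on port 22015 and describes the loopback-only setting as the way to block non-SSL access.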
Analyzer-server-installation-directory/Analytics/conf/command_user.properties
command.ssl = true
a. Run the hcmds64prmset command with sslport option to change the Common component settings.
b. Restart Ops Center Automator.
Note: You must also set up SSL communication on Ops Center Automator. For details, see the section describing how to set up SSL in the Hitachi Ops Center Automator
Installation and Configuration Guide.
Use the hcmds64checkcerts command to check the expiration date of the Analyzer server certificate and the certificate issued by a certificate authority.
The paths to the following certificates must be specified in the user_httpsd.conf file:
Server certificate for Analyzer server
When the certificate for both the RSA cryptography and the elliptic curve cryptography is used, the path of both certificates must be specified.
days
Specify the period (in days). The range of days is 30 to 3,652 (10 years). This option displays expired certificates and those due to expire during the specified period. (When
you omit this option, the command displays certificates due to expire in 30 days.)
log
Specify this option if you want to regularly check the expiration dates of certificates as an operating system task. When certificates are displayed, a warning message is
output to syslog.
all
Specify this option to display the expiration dates of all certificates listed in the user_httpsd.conf file.
You can delete a certificate that was imported into Analyzer server.
Run the following command to delete the certificate that was imported to Analyzer server.
Note:
For the alias-name, specify the alias name that was specified when the server certificate was imported to the truststore.
For the truststore-file-name, specify the absolute path to the location where the truststore file is stored.
Common-component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts
To enable the Analyzer server to verify Analyzer server certificates, import the Analyzer server certificates to the Analyzer server truststore.
Enabling the verification of certificates makes it possible to use HTTPS for communication for the following commands.
encryptpassword
reloadtemplate
Prepare the Analyzer server certificates.
You must have root permission.
For the alias-name, specify the name of the host on which the certificate is located.
For the certificate-file-name, specify the absolute path to the certificate.
The truststore file is stored in the following location:
Common-component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts
Analyzer-server-installation-directory/Analytics/conf
Key: cert.verify.enabled
Value: true
4. Change the following properties in the command_user.properties file.
Location:
Analyzer-server-installation-directory/Analytics/conf
To set the host name of the Analyzer server that is accessed by Analyzer commands:
Key: command.hostname
Value: Analyzer-server-host-name
5. Start the Analyzer server services.
Configure an SSL certificate to initiate secure browser sessions. You can configure either a CA-signed or a self-signed SSL certificate.
Configure a CA-signed SSL certificate to initiate secure browser sessions by creating a private key, creating a certificate signing request (CSR), and applying the server certificate.
Create a certificate signing request (CSR) for Analyzer detail view server and send it to the certificate authority to obtain the certificate file.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Navigate to the /usr/local/megha/jetty/etc directory:
cd /usr/local/megha/jetty/etc
ECDSA:
Follow the instructions displayed on the console to enter the details for your certificate request. When requested to provide the common name, make sure that you enter a
fully qualified host name.
Root
Intermediate
Host
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Upload the certificate files to the Analyzer detail view server. (For example, /usr/local/megha/jetty/etc).
2. Navigate to the /usr/local/megha/jetty/etc directory:
cd /usr/local/megha/jetty/etc
3. Combine the chain of certificates by concatenating them into a single file (in the order indicated). For example:
4. Combine the private key and certificate in the jetty.pkcs12 file using the following command:
openssl pkcs12 -export -inkey jettyPrivate.key -in cert-chain.cer -out jetty.pkcs12 -name jetty
5. Enter the password that you provided when creating the CSR (default: megha.jeos).
6. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
8. Verify that the megha and crond services are stopped by entering these commands:
/usr/local/megha/bin/megha-jetty.sh status
9. Create a backup of the existing keystore file using the following command:
mv /usr/local/megha/jetty/etc/keystore /usr/local/megha/jetty/etc/keystore-orig
10. Create a backup of an existing userKeystoreConfig file using the following command:
cp /usr/local/megha/jetty/etc/userKeystoreConfig.xml /usr/local/megha/jetty/etc/userKeystoreConfig-orig.xml
11. Import the pkcs12 file (using keytool) using the following command:
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype PKCS12
12. Enter the password that you provided when creating the CSR (default: megha.jeos).
Note: If you provided a password of your choice when creating the CSR, make sure you change the following fields in the
/usr/local/megha/jetty/etc/userKeystoreConfig.xml file.
KeyStorePassword
KeyManagerPassword
TrustStorePassword
If the password includes the following special characters, you must replace them as indicated when editing these fields:
Replace ' " ' with '&quot;'
Replace ' ' ' with '&apos;'
Replace ' < ' with '&lt;'
Replace ' > ' with '&gt;'
Replace ' & ' with '&amp;'
For example:
Replace abc"123 with abc&quot;123
Replace abc'123 with abc&apos;123
Replace abc&"123 with abc&amp;&quot;123
(Optional): If you want an encrypted password for security purposes, you can convert the password into OBF format using the following command and provide the converted
password in the userKeystoreConfig.xml file:
For example:
If the password contains a double quotation mark ("), enclose the password in single quotation marks (' ') in the above command. For example: 'abc"123'
/usr/local/megha/bin/megha-jetty.sh start
16. (Optional) Remove the certreq.csr, cert-chain.cer, and jetty.pkcs12 files if you will not need them in the future:
rm /tmp/certreq.csr
rm /usr/local/megha/jetty/etc/cert-chain.cer
rm /usr/local/megha/jetty/etc/jetty.pkcs12
You can configure a self-signed SSL certificate for browser sessions for test purposes by creating a private key, creating a certificate signing request (CSR), and applying the server certificate.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Create a temporary directory and open it:
mkdir /tmp/SelfSignedCertificate
cd /tmp/SelfSignedCertificate
3. Create a private key using one of the following algorithms:
RSA:
ECDSA:
Follow the instructions displayed on the console to enter the details for your certificate request (including the CSR password). For the common name, make sure that you
enter the fully qualified host name.
openssl x509 -req -days 365 -in certreq.csr -signkey jettyPrivate.key -out certreq.cer
6. Combine the private key and certificate in the jetty.pkcs12 file as shown in the following example:
openssl pkcs12 -export -inkey jettyPrivate.key -in certreq.cer -out jetty.pkcs12 -name jetty
Note: If you do not use the default password, you must edit the userKeystoreConfig.xml file as follows:
a. Open the userKeystoreConfig.xml file:
vi /usr/local/megha/jetty/etc/userKeystoreConfig.xml
KeyStorePassword
KeyManagerPassword
TrustStorePassword
If the password includes the following special characters, you must replace them as indicated when editing these fields:
Replace ' " ' with '&quot;'
Replace ' ' ' with '&apos;'
Replace ' < ' with '&lt;'
Replace ' > ' with '&gt;'
Replace ' & ' with '&amp;'
For example:
Replace abc"123 with abc&quot;123
Replace abc'123 with abc&apos;123
Replace abc&"123 with abc&amp;&quot;123
(Optional): If you want an encrypted password for security purposes, you can convert the password into OBF format using the following command and provide the
converted password in the userKeystoreConfig.xml file:
For example:
If the password contains a double quotation mark ("), enclose the password in single quotation marks (' ') in the above command. For example: 'abc"123'
/usr/local/megha/bin/stop-all-services.sh
9. Create a backup of the existing keystore file using the following command:
mv /usr/local/megha/jetty/etc/keystore /usr/local/megha/jetty/etc/keystore-orig
10. Import jetty.pkcs12 into the keystore to import the self-signed certificate using the following command:
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore /usr/local/megha/jetty/etc/keystore -deststoretype PKCS12
Enter the destination and source keystore passwords you used in step 6.
/usr/local/megha/bin/megha-jetty.sh start
service crond start
14. (Optional) Remove the SelfSignedCertificate directory if you will not need it in the future:
cd /tmp
rm -rf /tmp/SelfSignedCertificate
Run the following command to export the certificate for the Analyzer detail view server:
Note:
For the alias-name, specify jetty to export the default self-signed certificate.
For certificate-file-name, specify the absolute path to the export destination of the self-signed certificate.
For example:
keytool -export -keystore /usr/local/megha/jetty/etc/keystore -alias jetty -file /root/test/Certificate
Checking the expiration dates of certificates for Analyzer detail view server
Check the expiration dates of the server certificates and Certificate Authority certificates for Analyzer detail view server.
Note: You must use the keystore password of the Analyzer detail view server.
Sample output:
Valid from: Thu Nov 27 04:43:53 EST 2014 until: Tue Nov 26 04:43:53 EST 2024
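To check every keystore entry at once, the "Valid from ... until ..." lines can be parsed and compared against a warning window. The script below is an added example, not part of the product or of the original guide; it assumes the input is the text of a keytool -list -v listing in English, and apart from the validity line quoted in the sample output above, the listing in it is constructed.

```python
# Added example: flags keystore entries that are expired or about to expire.
# Assumption: input is English-language "keytool -list -v" output saved as text.
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
ALIAS_RE = re.compile(r"^Alias name:\s*(\S.*?)\s*$")
# Captures month, day, h, m, s, year of the "until" date; the zone is skipped.
UNTIL_RE = re.compile(
    r"until:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+\S+\s+(\d{4})")

# Constructed listing. Only the first "Valid from" line comes from the guide.
SAMPLE = """\
Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Valid from: Thu Nov 27 04:43:53 EST 2014 until: Tue Nov 26 04:43:53 EST 2024
Certificate[2]:
Valid from: Mon Jan 06 00:00:00 EST 2014 until: Sun Jan 06 00:00:00 EST 2036
Alias name: detailviewad
Entry type: trustedCertEntry
Valid from: Wed Jan 01 09:00:00 UTC 2025 until: Tue Jan 01 09:00:00 UTC 2030
"""


def earliest_expiry(text):
    """Map each alias to the earliest 'until' date found in its chain."""
    expiry = {}
    alias = "(no alias)"
    for line in text.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            alias = m.group(1)
            continue
        m = UNTIL_RE.search(line)
        if m:
            mon, day, hh, mm, ss, year = m.groups()
            # Time zone is ignored, so results are accurate to within a day.
            until = datetime(int(year), MONTHS[mon], int(day),
                             int(hh), int(mm), int(ss))
            if alias not in expiry or until < expiry[alias]:
                expiry[alias] = until
    return expiry


def check(text, now, days=30):
    """Return (alias, status, until) rows, soonest expiry first."""
    limit = now + timedelta(days=days)
    rows = []
    for alias, until in earliest_expiry(text).items():
        if until <= now:
            status = "EXPIRED"
        elif until <= limit:
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((alias, status, until))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for alias, status, until in check(SAMPLE, datetime.now()):
        print(f"{status:9} {alias:15} until {until:%Y-%m-%d}")
```

An entry that holds a certificate chain is reported by the earliest expiry in the chain, because one expired certificate is enough to break the secure connection.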
Changing the SSL or HTTPS port number of the Analyzer detail view server
To change the port number for SSL or HTTPS communication, you must change the port numbers specified in the definition file, and then open the new port in the firewall settings.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as the root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Verify that the megha and crond services are stopped by entering these commands:
/usr/local/megha/bin/megha-jetty.sh status
cp /usr/local/megha/jetty/start.d/server.ini /usr/local/megha/jetty/start.d/org_server.ini.backup
jetty.httpConfig.securePort=9443
jetty.ssl.port=9443
/usr/local/megha/bin/megha-jetty.sh start
9. After changing the port number, make sure you change the firewall settings accordingly.
If you are using Common Services, also update the port number registered in Common Services by using the setupcommonservice command.
You can delete a previously imported or expired SSL certificate from the keystore.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
service crond stop
3. Stop all the running services using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Verify that the megha and crond services are stopped by entering these commands:
/usr/local/megha/bin/megha-jetty.sh status
5. Go to the /usr/local/megha/jetty/etc directory and run the following command to get the list of all SSL certificates from the keystore file:
6. Check the expired status of the certificates and note the alias name of expired certificates that you want to delete.
7. Run the following command to delete the certificate from the keystore.
Note: You must use the keystore password of Analyzer detail view server or Analyzer probe server.
8. Run the following command to verify that the certificate is deleted from keystore file:
/usr/local/megha/bin/megha-jetty.sh start
Importing Analyzer detail view server certificates to the Analyzer server truststore
To enable the Analyzer server to verify Analyzer detail view server certificates, import self-signed certificates exported by the Analyzer detail view server or server certificates issued
by a certificate authority to the Analyzer server truststore, and edit the config_user.properties file.
Note:
For the alias-name, specify a name to identify which host server has the certificate.
For the certificate-file-name, specify the absolute path.
The truststore file is stored in the following location:
Common-component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts
Analyzer-server-installation-directory/Analytics/conf
Key: cert.verify.enabled
Value: true
4. (Optional) To add cipher suites for communication with the Analyzer detail view server, do the following:
a. Open the config_user.properties file from the following location.
/opt/hitachi/Analytics/conf/config_user.properties
Note: The cipher suite settings apply to communication from the Analyzer server to all of the following components and servers. The settings cannot be configured for
individual components or servers.
Analyzer detail view server
RAID Agent
Virtual Storage Software Agent
Common Services
Ops Center Automator
b. Add or edit the ssl.ClientProtocol and ssl.ClientCipherSuites line (default value) as follows.
c. At the end of the ssl.ClientCipherSuites line, add any additional TLS 1.2 or TLS 1.3 cipher suites, using commas to separate the values.
5. Start the Analyzer server services.
Configure an SSL certificate to initiate secure browser sessions. You can configure either a CA-signed or a self-signed SSL certificate.
Configure an SSL certificate to initiate secure browser sessions by creating a private key, creating a certificate signing request (CSR), and applying the server certificate.
Creating a private key and a certificate signing request
Create a certificate signing request (CSR) for Analyzer probe server and send it to the certificate authority to obtain the certificate file.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Navigate to the /usr/local/megha/jetty/etc directory:
cd /usr/local/megha/jetty/etc
ECDSA:
Follow the instructions displayed on the console to enter the details for your certificate request. When requested to provide common name, make sure that you enter a fully
qualified host name.
Enter default password for CSR: megha.jeos
Note: If you provide a password of your choice, note it. You will need this when applying server certificates.
5. Copy the certificate request file from /tmp/certreq.csr and submit it to the certificate authority to create the certificate file.
Root
Intermediate
Host
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Upload the certificate files to the Analyzer probe server (for example, to /usr/local/megha/jetty/etc).
2. Navigate to the /usr/local/megha/jetty/etc directory:
cd /usr/local/megha/jetty/etc
3. Combine the chain of certificates by concatenating them into a single file (in the order indicated):
For example:
4. Combine the private key and certificate in the jetty.pkcs12 file using the following command:
openssl pkcs12 -export -inkey jettyPrivate.key -in cert-chain.cer -out jetty.pkcs12 -name jetty
5. Enter the password that you provided when creating the CSR. The default password is: megha.jeos
6. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
8. Verify that the megha and crond services are stopped by entering these commands:
/usr/local/megha/bin/megha-jetty.sh status
mv /usr/local/megha/jetty/etc/keystore /usr/local/megha/jetty/etc/keystore-orig
cp /usr/local/megha/jetty/etc/userKeystoreConfig.xml /usr/local/megha/jetty/etc/userKeystoreConfig-orig.xml
11. Import the pkcs12 file (using keytool) with the following command:
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype PKCS12
12. Enter the password that you provided when creating the CSR. The default password is: megha.jeos
Note: If you provided a password of your choice when creating the CSR, make sure you change the following fields in the /usr/local/megha/jetty/etc/userKeystoreConfig.xml file:
KeyStorePassword
KeyManagerPassword
TrustStorePassword
If the password includes the following special characters, you must replace them as indicated when editing these fields:
Replace ' " ' with '&quot;'
Replace ' ' ' with '&apos;'
Replace ' < ' with '&lt;'
Replace ' > ' with '&gt;'
Replace ' & ' with '&amp;'
For example:
Replace abc"123 with abc&quot;123
Replace abc'123 with abc&apos;123
Replace abc&"123 with abc&amp;&quot;123
(Optional): If you want an encrypted password for security purposes, you can convert the password into OBF format using the following command and provide the converted
password in the userKeystoreConfig.xml file:
For example:
If the password contains a double quotation mark ("), enclose the password in single quotation marks (' ') in the above command. For example: 'abc"123'
13. Change the ownership and permission of the keystore file:
/usr/local/megha/bin/megha-jetty.sh start
16. (Optional) Remove the certreq.csr, cert-chain.cer, and jetty.pkcs12 files if you will not need them in the future:
rm /tmp/certreq.csr
rm /usr/local/megha/jetty/etc/cert-chain.cer
rm /usr/local/megha/jetty/etc/jetty.pkcs12
You can configure a self-signed SSL certificate for browser sessions for test purposes by creating a private key, a certificate signing request (CSR), and applying the server certificate.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Create a temporary directory and open it:
mkdir /tmp/SelfSignedCertificate
cd /tmp/SelfSignedCertificate
ECDSA:
Follow the instructions displayed on the console to enter the details for your certificate request including the CSR password. For the common name, make sure that you enter
the fully qualified host name.
openssl x509 -req -days 365 -in certreq.csr -signkey jettyPrivate.key -out certreq.cer
6. Combine the private key and certificate in the jetty.pkcs12 file as in the following example:
openssl pkcs12 -export -inkey jettyPrivate.key -in certreq.cer -out jetty.pkcs12 -name jetty
Note: If you do not use the default password, you must edit the userKeystoreConfig.xml file as follows:
a. Open the userKeystoreConfig.xml file:
vi /usr/local/megha/jetty/etc/userKeystoreConfig.xml
KeyStorePassword
KeyManagerPassword
TrustStorePassword
If the password includes the following special characters, you must replace them as indicated when editing these fields:
Replace ' " ' with '&quot;'
Replace ' ' ' with '&apos;'
Replace ' < ' with '&lt;'
Replace ' > ' with '&gt;'
Replace ' & ' with '&amp;'
For example:
Replace abc"123 with abc&quot;123
Replace abc'123 with abc&apos;123
Replace abc&"123 with abc&amp;&quot;123
(Optional): If you want an encrypted password for security purposes, you can convert the password into OBF format using the following command and provide the
converted password in the userKeystoreConfig.xml file:
For example:
If the password contains a double quotation mark ("), enclose the password in single quotation marks (' ') in the above command. For example: 'abc"123'
7. Stop the crond service:
/usr/local/megha/bin/stop-all-services.sh
mv /usr/local/megha/jetty/etc/keystore /usr/local/megha/jetty/etc/keystore-orig
10. Import jetty.pkcs12 into the keystore to add the self-signed certificate, using the following command:
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore /usr/local/megha/jetty/etc/keystore -deststoretype PKCS12
Enter the destination and source keystore passwords you used in step 6.
/usr/local/megha/bin/megha-jetty.sh start
14. (Optional) Remove the SelfSignedCertificate directory if you will not need it in the future:
cd /tmp
rm -rf /tmp/SelfSignedCertificate
Run the following command to export the certificate for the Analyzer probe server:
Note:
For the alias-name, specify jetty to export the default self-signed certificate.
For certificate-file-name, specify the absolute path to the export destination of the self-signed certificate.
Check the expiration dates of the server certificates and Certificate Authority certificates for Analyzer probe server.
Note: You must use the keystore password of the Analyzer probe server.
Sample output: Valid from: Thu Nov 27 04:43:53 EST 2014 until: Tue Nov 26 04:43:53 EST 2024
Changing the SSL or HTTPS port number of the Analyzer probe server
To change the port number for SSL or HTTPS communication, you must change the port numbers specified in the definition file, and then open the new port in the firewall settings.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
service crond stop
3. Stop all the running services using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Verify that the megha and crond services are stopped by entering these commands:
/usr/local/megha/bin/megha-jetty.sh status
cp /usr/local/megha/jetty/start.d/server.ini /usr/local/megha/jetty/start.d/org_server.ini.backup
jetty.httpConfig.securePort=9443
jetty.ssl.port=9443
/usr/local/megha/bin/megha-jetty.sh start
9. After changing the required port number, make sure you open the new port number in the firewall settings.
If you are using Common Services, also update the port number registered in Common Services by using the setupcommonservice command.
Enabling strict host name checking between the Analyzer probe server and Analyzer detail view server
When you are connecting the Analyzer probe server to the Analyzer detail view server over HTTPS, you can enable strict host name checking by editing the custom.properties
file.
After enabling this option, the Analyzer probe server verifies whether the connection destination (IP address or host name) is the same as the subject alternate name or common
name of the SSL certificate that is installed on the Analyzer detail view server. For details on setting up this connection, refer to Setting up Analyzer probe server.
A valid SSL certificate is installed on the Analyzer detail view server in the keystore file (/usr/local/httpProxy/jetty/etc/).
If you are connecting to the Analyzer detail view server using the IP address:
The IP address is listed in subject alternate name of the SSL certificate on the Analyzer detail view server.
If the subject alternate name is not provided in the SSL certificate, the IP address must exist in common name.
If you are connecting to the Analyzer detail view server using the host name:
The host name exists in subject alternate name of the SSL certificate on the Analyzer detail view server.
If the subject alternate name is not provided in the SSL certificate, the host name must exist in common name.
If the Analyzer probe server cannot resolve the host name, add the valid Analyzer detail view server IP address and host name in the /etc/hosts file.
If you install a new SSL certificate or make any changes to the default SSL certificate, then you must restart the HTTP proxy service. Refer to Restarting the HTTP proxy
service.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Verify that the following services are stopped by entering these commands:
Megha
/usr/local/megha/bin/megha-jetty.sh status
Crond
5. Go to the /usr/local/megha/conf/custom.properties file, add the following property, and save the file:
https.strict.hostname.check=true
/usr/local/megha/bin/megha-jetty.sh start
You can delete a previously imported or expired SSL certificate from the keystore.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Verify that the megha and crond services are stopped by entering these commands:
/usr/local/megha/bin/megha-jetty.sh status
5. Go to the /usr/local/megha/jetty/etc directory and run the following command to get the list of all SSL certificates from the keystore file:
6. Check the expired status of the certificates and note the alias name of expired certificates that you want to delete.
7. Run the following command to delete the certificate from the keystore.
Note: You must use the keystore password of Analyzer detail view server or Analyzer probe server.
8. Run the following command to verify that the certificate is deleted from keystore file:
/usr/local/megha/bin/megha-jetty.sh start
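The expiration check and the "note the alias name of expired certificates" step in the deletion procedures above can be scripted over a saved `keytool -list -v` listing. The following is an added example, not part of the original guide: the sample listing is constructed, and the time zone table, the 30-day warning window and the function names are assumptions.

```python
"""Flag expired or soon-to-expire entries in saved `keytool -list -v` output."""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample in the layout keytool prints (not output from a real system).
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: jetty
Creation date: Nov 27, 2014
Entry type: PrivateKeyEntry
Valid from: Thu Nov 27 04:43:53 EST 2014 until: Tue Nov 26 04:43:53 EST 2024

Alias name: HNASRestServerCert
Creation date: Nov 25, 2022
Entry type: trustedCertEntry
Valid from: Fri Nov 25 09:00:00 UTC 2022 until: Mon Nov 24 09:00:00 UTC 2025
"""

MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# keytool prints zone abbreviations, which are ambiguous. This table is an
# assumption covering common ones; unknown abbreviations are treated as UTC.
TZ_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "CST": -6,
                   "CDT": -5, "MST": -7, "MDT": -6, "PST": -8, "PDT": -7}

ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$")
VALID_RE = re.compile(r"Valid from:\s*(.+?)\s+until:\s*(.+?)\s*$")


def parse_keytool_date(text):
    """Turn 'Tue Nov 26 04:43:53 EST 2024' into a timezone-aware UTC datetime."""
    _weekday, month, day, clock, zone, year = text.split()
    hour, minute, second = (int(part) for part in clock.split(":"))
    local = datetime(int(year), MONTHS[month], int(day), hour, minute, second)
    offset = timedelta(hours=TZ_OFFSET_HOURS.get(zone, 0))
    return (local - offset).replace(tzinfo=timezone.utc)


def audit_keystore(listing, now, warn_days=30):
    """Return [(alias, not_after_utc, status)], one row per certificate.

    status is 'expired', 'not-yet-valid', 'expiring' (inside warn_days) or
    'ok'. A chain with several certificates yields several rows per alias.
    """
    rows, alias = [], None
    for line in listing.splitlines():
        alias_match = ALIAS_RE.match(line)
        if alias_match:
            alias = alias_match.group(1)
            continue
        valid_match = VALID_RE.search(line)
        if not valid_match or alias is None:
            continue
        not_before = parse_keytool_date(valid_match.group(1))
        not_after = parse_keytool_date(valid_match.group(2))
        if now >= not_after:
            status = "expired"
        elif now < not_before:
            status = "not-yet-valid"
        elif not_after - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        rows.append((alias, not_after, status))
    return rows


def aliases_to_delete(listing, now):
    """Aliases with at least one expired certificate (deletion candidates)."""
    return sorted({alias for alias, _, status in audit_keystore(listing, now)
                   if status == "expired"})


if __name__ == "__main__":
    current_time = datetime.now(timezone.utc)
    for alias, not_after, status in audit_keystore(SAMPLE_KEYTOOL_OUTPUT, current_time):
        print(f"{alias:24} {not_after:%Y-%m-%d %H:%M}Z  {status}")
```

Feed the function the text saved from the listing command instead of the sample, and review the returned aliases before deleting anything from the keystore.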
Enabling verification of TLS certificates for monitored devices (Analyzer probe server)
Enabling TLS certificate verification for connecting to the VMware vCenter Server
The TLS certificate verification enables secure communication between the Analyzer probe server and the VMware vCenter Server.
Obtain a valid TLS certificate from the VMware vCenter Server and save it in the /tmp directory on the Analyzer probe server.
Identify and note the Java keystore path on the Analyzer probe server machine.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/custom_orig.properties
vi /usr/local/megha/conf/custom.properties
vmware.verify.tls.certificate=true
/usr/lib/jvm/java-17-amazon-corretto/lib/security
keytool -importcert -alias Alias_name -keystore Truststore_file_path -storetype jks -storepass Truststore_file_password -file TLS_certificate_file_path
Note: You can define any unique alias name for TLS certificate.
For example:
keytool -importcert -alias VMwareServerCert -keystore jssecacerts -storetype jks -storepass changeit -file /tmp/server.cer
11. Make sure that the megha user has the read permission for the jssecacerts file. If not, change the permissions as follows:
For example:
keytool -list -v -alias Alias_name -keystore Truststore_file_path
For example:
Sample output:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Note: If you upgrade the JDK in the future, make sure that the jssecacerts file is copied in the upgraded JDK directory.
For example: If you upgrade JDK from v1.8.0 to v17, copy the jssecacerts file from /usr/java/jdk1.8.0_291-amd64/jre/lib/security to /usr/lib/jvm/java-17-amazon-corretto/lib/security.
After copying the jssecacerts file, make sure that the megha user has the read permission for the jssecacerts file. If the megha user does not have read permission, provide the
permission.
For example:
Enabling TLS certificate verification for connecting to the Hitachi NAS REST API server
TLS certificate verification enables secure communication between the Analyzer probe server and the Hitachi NAS REST API server.
Obtain a valid TLS certificate from the Hitachi NAS REST API server and save it in the /tmp directory on the Analyzer probe server.
Identify and note the Java keystore path on the Analyzer probe server machine.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/custom_orig.properties
vi /usr/local/megha/conf/custom.properties
hnas.rest.verify.tls.certificate=true
/usr/lib/jvm/java-17-amazon-corretto/lib/security
keytool -importcert -alias Alias_name -keystore Truststore_file_path -storetype jks -storepass Truststore_file_password -file TLS_certificate_file_path
Note: You can define any unique alias name for TLS certificate.
For example:
keytool -importcert -alias HNASRestServerCert -keystore jssecacerts -storetype jks -storepass changeit -file /tmp/server.cer
11. Make sure that the megha user has the read permission for the jssecacerts file. If not, change the permissions as follows:
For example:
For example:
Sample output:
Alias name: HNASRestServerCert
Creation date: Nov 25, 2022
Entry type: trustedCertEntry
13. Start the megha service and verify the status:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Note: If you upgrade the JDK in the future, make sure that the jssecacerts file is copied in the upgraded JDK directory.
For example: If you upgrade JDK from v1.8.0 to v17, copy the jssecacerts file from /usr/java/jdk1.8.0_291-amd64/jre/lib/security to /usr/lib/jvm/java-17-amazon-corretto/lib/security.
After copying the jssecacerts file, make sure that the megha user has the read permission for the jssecacerts file. If the megha user does not have read permission, provide the
permission.
For example:
The TLS certificate verification enables secure communication between the Analyzer probe server and the Hardware Management Console (HMC).
Obtain a valid TLS certificate (for example, server.cer file) for HMC in x509 format and save it in the /tmp directory on the Analyzer probe server.
TLS certificate verification is a global setting. If there are multiple HMCs, make sure you obtain the TLS certificates for all the HMCs.
Identify and note the Java keystore path on the Analyzer probe server machine.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/custom_orig.properties
vi /usr/local/megha/conf/custom.properties
ips.verify.ssl.certificate=true
/usr/lib/jvm/java-17-amazon-corretto/lib/security
keytool -importcert -alias Alias_name -keystore Truststore_file_path -storetype jks -storepass Truststore_file_password -file TLS_certificate_file_path
Note: You can define any unique alias name for TLS certificate.
For example:
keytool -importcert -alias aliasName -keystore jssecacerts -storetype jks -storepass changeit -file /tmp/server.cer
11. If there are multiple HMCs, repeat step 10 for each HMC.
12. Make sure that the megha user has the read permission for the jssecacerts file. If not, set it as in this example:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Note: If you upgrade the JDK in the future, make sure that the jssecacerts file is copied in the upgraded JDK directory.
For example: If you upgrade JDK from v1.8.0 to v17, copy the jssecacerts file from /usr/java/jdk1.8.0_291-amd64/jre/lib/security to /usr/lib/jvm/java-17-amazon-corretto/lib/security.
After copying the jssecacerts file, make sure that the megha user has the read permission for the jssecacerts file.
Configuring SSL certificates (Analyzer detail view server and Analyzer probe server)
Configure an SSL certificate to initiate a secure connection while transferring the data from the Analyzer probe server to the Analyzer detail view server by creating a private key,
creating a certificate signing request (CSR), and applying the server certificate.
Create a certificate signing request (CSR) for Analyzer detail view server and send it to the certificate authority to obtain the certificate file.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Navigate to the /usr/local/httpProxy/jetty/etc directory:
cd /usr/local/httpProxy/jetty/etc
Follow the instructions displayed to enter the details for your certificate request. When requested to provide common name, make sure that you enter a fully qualified host
name.
Enter the default password for the CSR: megha.jeos.
Note: If you provide a password of your choice, note it. You will need this when applying server certificates.
5. Copy the certificate request file from /tmp/certreq.csr and submit it to the certificate authority to create the certificate file.
Root
Intermediate
Host
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Upload the certificate files to the Analyzer detail view server. (For example, cd /usr/local/httpProxy/jetty/etc/keystore).
2. Navigate to the /usr/local/httpProxy/jetty/etc directory:
cd /usr/local/httpProxy/jetty/etc
3. Combine the chain of certificates by concatenating them into a single file (in the order indicated):
For example:
4. Combine the private key and certificate in the jetty.pkcs12 file using the following command:
openssl pkcs12 -export -inkey jettyPrivate.key -in cert-chain.cer -out jetty.pkcs12 -name jetty
5. Enter the password that you provided when creating the CSR. The default password is: megha.jeos
6. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
8. Verify that the httpProxy and crond services are stopped by entering these commands:
/usr/local/httpProxy/bin/megha-jetty.sh status
mv /usr/local/httpProxy/jetty/etc/keystore /usr/local/httpProxy/jetty/etc/keystore-orig
10. Import the pkcs12 file (using keytool) with the following command:
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype PKCS12
cp /usr/local/httpProxy/jetty/etc/userKeystoreConfig.xml /usr/local/httpProxy/jetty/etc/userKeystoreConfig-orig.xml
12. Enter the password that you provided when creating the CSR. The default password is: megha.jeos
Note: If you provided a password of your choice when creating the CSR, make sure you change the following fields in the /usr/local/httpProxy/jetty/etc/userKeystoreConfig.xml file:
KeyStorePassword
KeyManagerPassword
TrustStorePassword
If the password includes the following special characters, you must replace them as indicated when editing these fields:
Replace ' " ' with '&quot;'
Replace ' ' ' with '&apos;'
Replace ' < ' with '&lt;'
Replace ' > ' with '&gt;'
Replace ' & ' with '&amp;'
For example:
Replace abc"123 with abc&quot;123
Replace abc'123 with abc&apos;123
Replace abc&"123 with abc&amp;&quot;123
(Optional): If you want an encrypted password for security purposes, you can convert the password into OBF format using the following command and provide the converted
password in the userKeystoreConfig.xml file:
For example:
If the password contains a double quotation mark ("), enclose the password in single quotation marks (' ') in the above command. For example: 'abc"123'
13. Change the ownership and permission of the keystore file:
/usr/local/megha/bin/megha-jetty.sh start
16. (Optional) Remove the certreq.csr, cert-chain.cer, and jetty.pkcs12 files if you will not need them in the future:
rm /tmp/certreq.csr
rm /usr/local/httpProxy/jetty/etc/cert-chain.cer
rm /usr/local/httpProxy/jetty/etc/jetty.pkcs12
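The special-character replacements required when a custom password is written into userKeystoreConfig.xml (in the Analyzer probe server and Analyzer detail view server procedures above) depend on the order in which they are applied. The following is an added example, not part of the original guide, that escapes a password, shows what goes wrong when the ampersand is replaced last, and confirms that an XML parser reads back the original value; the `<Set name="...">` element shape and the function names are assumptions for illustration.

```python
"""Escape a keystore password for an XML field and confirm it round-trips."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Field names taken from the guide.
PASSWORD_FIELDS = ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword")


def escape_for_xml(password):
    """Apply the five replacements from the guide in a safe order.

    escape() rewrites '&' first, then '<' and '>', and only then applies the
    extra quote mappings, so entities it has just produced are never
    escaped a second time.
    """
    return escape(password, {'"': "&quot;", "'": "&apos;"})


def escape_wrong_order(password):
    """Anti-pattern kept for comparison: '&' is replaced last.

    Every entity written by the earlier replacements contains '&', so the
    final step corrupts them (for example &quot; becomes &amp;quot;).
    """
    replacements = (('"', "&quot;"), ("'", "&apos;"),
                    ("<", "&lt;"), (">", "&gt;"), ("&", "&amp;"))
    for raw, entity in replacements:
        password = password.replace(raw, entity)
    return password


def read_back(escaped_value, field="KeyStorePassword"):
    """Parse the value the way an XML reader would and return the password.

    The <Set name="..."> wrapper is an assumed element shape; only the text
    content matters for this check. Unescaped '<' or '&' raises ParseError.
    """
    element = ET.fromstring(f'<Set name="{field}">{escaped_value}</Set>')
    return element.text or ""


def check_password(password):
    """Return (escaped_value, round_trip_ok) for a candidate password."""
    escaped_value = escape_for_xml(password)
    return escaped_value, read_back(escaped_value) == password


if __name__ == "__main__":
    # Constructed sample passwords, including the three from the guide.
    for sample in ('abc"123', "abc'123", 'abc&"123', "p<w>&d"):
        escaped_value, ok = check_password(sample)
        print(f"{sample!r:12} -> {escaped_value!r:24} round-trip ok: {ok}")
    broken = escape_wrong_order('abc"123')
    print(f"wrong order: {broken!r} reads back as {read_back(broken)!r}")
```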
Enable SSL encryption to securely collect the real time data. You can configure either a CA-signed or a self-signed SSL certificate.
Enabling SSL encryption for real time data collection using a CA-signed certificate
Follow these procedures as a root user to enable SSL encryption for real-time data communication between the Analyzer probe server and Analyzer detail view server using a CA-
signed certificate:
Follow these steps on both the Analyzer probe server and Analyzer detail view server:
/usr/local/megha/bin/stop-all-services.sh
server.realtime.ssl.endpoint.identification.algorithm=https
/usr/local/megha/dbgUtils/conf/sds.realtime.properties:
sds.realtime.ssl.endpoint.identification.algorithm=https
b. Run the following command to identify the FQDN:
hostname -f
c. Add the Analyzer detail view server FQDN and IP address to the /etc/hosts file in the following format:
IP-address output-of-the-command-in-step-b
For example:
192.168.10.11 ssltest.company.com
3. Create a certificate signing request on the Analyzer detail view server:
a. Create a temporary directory and open it:
mkdir /tmp/RealtimeSSLCertificate
cd /tmp/RealtimeSSLCertificate
hostname -f
c. Create the san.cnf file to define Subject Alternate Name (SAN) and add the details.
[req_distinguished_name]
C = Country Name
ST = State or Province
L = City
O = Company Name
OU = Department
CN = Common Name
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SAN
[SAN]
DNS.1 = Analyzer_detail_view_server_host_name
IP.1 = Analyzer_detail_view_server_IP_address
For example:
[req_distinguished_name]
C = Country Name
ST = State or Province
L = City
O = Company Name
OU = Department
CN = Common Name
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SAN
[SAN]
DNS.1 = ssltest.company.com
IP.1 = 192.168.33.198
openssl req -newkey rsa:Length_of_RSA -nodes -keyout /tmp/RealtimeSSLCertificate/private.key -Length_of_SHA -out /tmp/RealtimeSSLCertificate/Certificate_File_Name -config SAN_file_Name
For example:
openssl req -newkey rsa:2048 -nodes -keyout /tmp/RealtimeSSLCertificate/private.key -SHA256 -out /tmp/RealtimeSSLCertificate/detail-view-server.csr -config /tmp/RealtimeSSLCertificate/san.cnf
The certificate authority creates the following certificate files:
Host
Intermediate1
Intermediate2
Note: Some authorities might issue only one intermediate file.
f. Upload the certificate files to the /tmp/RealtimeSSLCertificate directory on the Analyzer detail view server.
g. Combine the chain of certificates by concatenating them into a single file (in the order indicated). For example:
Note: Some authorities might also issue a root CA certificate file. In that case, the root CA certificate file name must be part of the command. For example:
h. Combine the chain of certificates without the host.cer into a single file (in the order indicated). For example:
Note: Some authorities might also issue a root CA certificate file. In that case, the root CA certificate file name must be part of the command. For example:
i. Combine the private key and certificate in the keystore.pkcs12 file using the following command:
openssl pkcs12 -export -name localhost -in certChain.cer -inkey private.key -out keystore.pkcs12
Note: For the password, enter changeit (default). If you provide a password of your choice, note it. You will need it in the next steps. Also, do the following to update it:
i. Run the following command:
/usr/local/megha/bin/changeSSLCertificatePassword.sh
In the rest of this procedure, when prompted for the keystore password or for the PEM pass phrase, make sure you enter the password configured in this step.
keytool -importkeystore -destkeystore server.keystore.jks -deststoretype JKS -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -alias localhost
k. Add the CA certificate to the client's truststore so that the client can trust this certificate:
keytool -keystore client.truststore.jks -storetype JKS -alias CARoot -import -file certChain_WithoutHostCert.cer
keytool -keystore server.truststore.jks -storetype JKS -alias CARoot -import -file certChain_WithoutHostCert.cer
l. Copy the generated truststore (client and server) and keystore to /usr/local/megha/conf/kafka:
/usr/local/megha/dbgUtils/conf/sds.realtime.properties:
cd /tmp
rm -rf /tmp/RealtimeSSLCertificate
Follow these steps on the Analyzer probe server:
1. (Optional) Do the following if you have enabled host name verification on the Analyzer detail view server.
a. Add new entries to the following property files to enable hostname verification.
/usr/local/megha/conf/sys/probe.realtime.properties:
probe.realtime.ssl.endpoint.identification.algorithm=https
/usr/local/megha/dbgUtils/conf/sds.realtime.properties:
sds.realtime.ssl.endpoint.identification.algorithm=https
b. Add the host name and IP address of the Analyzer detail view server to the /etc/hosts file in the following format:
IP-address host-name
2. Copy the client.truststore.jks from the Analyzer detail view server to the /usr/local/megha/conf/kafka directory on the Analyzer probe server.
Note: The client.truststore.jks file is available at the /usr/local/megha/conf/kafka/ on the Analyzer detail view server.
3. If you configured a password of your choice on the Analyzer detail view server when combining the private key and certificate in the keystore.pkcs12 file (step 3h), make sure that you configure the same password on the Analyzer probe server. Do the following:
a. Run the following command:
/usr/local/megha/bin/changeSSLCertificatePassword.sh
b. Enter the same password that you provided on the Analyzer detail view server when combining the private key and certificate in the keystore.pkcs12 file.
4. Change the ownership of the truststore file to megha and change its permission:
/usr/local/megha/dbgUtils/conf/sds.realtime.properties:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
b. The megha service also starts the real time service. Run the following command on the Analyzer detail view server to verify the status:
/usr/local/megha/bin/manage-kafka.sh status
d. Enable the data collection for System Diagnostics and verify the status:
/usr/local/megha/dbgUtils/bin/manage-sds.sh start
/usr/local/megha/dbgUtils/bin/manage-sds.sh status
Enabling SSL encryption for real time data collection using a self-signed certificate
Follow these steps on both the Analyzer probe server and Analyzer detail view server:
/usr/local/megha/bin/stop-all-services.sh
3. Stop the data collection for System Diagnostics:
server.realtime.ssl.endpoint.identification.algorithm=https
/usr/local/megha/dbgUtils/conf/sds.realtime.properties:
sds.realtime.ssl.endpoint.identification.algorithm=https
hostname -f
c. Add the Analyzer detail view server FQDN and IP address to the /etc/hosts file in the following format:
IP-address output-of-the-command-in-step-b
mkdir /tmp/RealtimeSSLCertificate
cd /tmp/RealtimeSSLCertificate
b. On the Analyzer probe server, identify the connection setting to Kafka server from custom.properties :
probe.realtime.messaging.server.ip=FQDN-or-Host-name
keytool -keystore server.keystore.jks -storetype JKS -alias localhost -validity validity_in_days -genkey -keyalg RSA -ext SAN=DNS:Analyzer_detail_view_server_host_name,IP:Analyzer_detail_view_server_IP_address
For example:
keytool -keystore server.keystore.jks -storetype JKS -alias localhost -validity 365 -genkey -keyalg RSA -ext SAN=DNS:test.ssl.com,IP:192.168.33.123
For the password, enter changeit (default). If you change this password, make a note of it because you will need it in the next steps. To update the password:
i. Run the following command:
/usr/local/megha/bin/changeSSLCertificatePassword.sh
In the rest of this procedure, when prompted for the keystore password or for the PEM pass phrase, make sure you enter the password configured in this step.
For the common name (first and last name), enter a fully qualified host name.
For the key password for common name, press Enter.
d. Export Analyzer detail view server's signer certificate:
e. Create the truststore for the real time data collection client (Analyzer probe server) and add the generated certificate to the client truststore:
keytool -keystore client.truststore.jks -storetype JKS -alias localhost -import -file cert-file
cp ./client.truststore.jks ./server.truststore.jks
g. Change the ownership to megha and also change the permissions for the following files:
chmod og-rwx /usr/local/megha/kafka/config/server.properties
/usr/local/megha/dbgUtils/conf/sds.realtime.properties:
cd /tmp
rm -rf /tmp/RealtimeSSLCertificate
1. (Optional) If you have enabled host name verification on the Analyzer detail view server, do the following:
a. Add new entries to the following property files to enable hostname verification.
/usr/local/megha/conf/sys/probe.realtime.properties:
probe.realtime.ssl.endpoint.identification.algorithm=https
/usr/local/megha/dbgUtils/conf/sds.realtime.properties:
sds.realtime.ssl.endpoint.identification.algorithm=https
b. Add the host name and IP address of the Analyzer detail view server to the /etc/hosts file in the following format:
IP-address host-name
2. Copy the client.truststore.jks from the Analyzer detail view server to the /usr/local/megha/conf/kafka directory on the Analyzer probe server.
Note: The client.truststore.jks file is available on the Analyzer detail view server in the /usr/local/megha/conf/kafka/ directory.
3. Change the ownership to megha and also the permissions for the truststore file:
4. If you changed the default password for the Analyzer detail view server Keystore file in the previous procedure (step 3C), make sure that you also configure the same
password on the Analyzer probe server as follows:
a. Run the following command:
/usr/local/megha/bin/changeSSLCertificatePassword.sh
/usr/local/megha/dbgUtils/conf/sds.realtime.properties:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/bin/manage-kafka.sh status
d. Enable System Diagnostics data collection and verify the status:
/usr/local/megha/dbgUtils/bin/manage-sds.sh start
/usr/local/megha/dbgUtils/bin/manage-sds.sh status
The Analyzer detail view server supports TLS v1.3, by default. If you want to use TLS v1.2, follow this procedure.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Log on to the Analyzer detail view server and Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the following services on the Analyzer probe server and Analyzer detail view server:
a. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
3. Do the following:
On the Analyzer detail view server, update the following property files:
/usr/local/megha/bin/manage-kafka.sh:
Remove the TLSv1.3, value from the KAFKA_SSL_ENABLED_PROTOCOL_PROP property.
Change the value of the KAFKA_SSL_DEFAULT_PROTOCOL_PROP property to TLSv1.2.
/usr/local/megha/kafka/config/server.properties:
On the Analyzer detail view server and Analyzer probe server, update the following property files:
/usr/local/megha/conf/sys/server.realtime.properties:
Remove the TLSv1.3, value from the ssl.enabled.protocols property.
Change the value of the ssl.protocol property to TLSv1.2.
/usr/local/megha/conf/sys/probe.realtime.properties:
Remove the TLSv1.3, value from the ssl.enabled.protocols property.
Change the value of the ssl.protocol property to TLSv1.2.
/usr/local/megha/dbgUtils/conf/sds.realtime.properties:
Remove the TLSv1.3, value from the ssl.enabled.protocols property.
Change the value of the ssl.protocol property to TLSv1.2.
4. Start the following services on the Analyzer probe server and Analyzer detail view server:
a. Start the megha service and verify the status:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/bin/manage-kafka.sh status
/usr/local/megha/dbgUtils/bin/manage-sds.sh start
/usr/local/megha/dbgUtils/bin/manage-sds.sh status
Setting SSL cipher suites (Analyzer detail view server and Analyzer probe server)
Setting an SSL cipher suite for the Analyzer detail view server or Analyzer probe server
The Analyzer detail view server and Analyzer probe server use SSL cipher suites for communication. You can include or exclude cipher suites on the Analyzer probe server or
Analyzer detail view server as described here.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Log on to the Analyzer probe server or Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
3. Stop the Analyzer detail view server or Analyzer probe server using the command:
/usr/local/megha/bin/megha-jetty.sh stop
4. Verify that the services (including crond) are stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
cp /usr/local/megha/jetty/etc/userCipherConfig.xml /usr/local/megha/jetty/etc/userCipherConfig.xml.orig
vi /usr/local/megha/jetty/etc/userCipherConfig.xml
7. Do the following:
To exclude enabled ciphers:
a. In the addExcludeCipherSuites set, remove the <!-- from the beginning and --> from the end of the Item tag.
b. Add or update the cipher suites in the Item tag:
Examples:
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
You can also exclude the cipher suites (with the same pattern) using regular expressions.
Example:
<Item>TLS_RSA.*</Item>
The above entry excludes the cipher suites such as TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256 and so on.
Note: The following cipher suites cannot be used for the Analyzer detail view server and Analyzer probe server:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
To set the ciphers for communication:
a. Remove the <!-- from the beginning and --> from the end of the IncludeCipherSuites set.
b. Add or update the cipher suites in the Item tag:
Examples:
<Item>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
You can also add the cipher suites (with the same pattern) using regular expressions.
Example:
<Item>TLS_ECDHE.*</Item>
Note: Either of the following cipher suites must be enabled on the Analyzer detail view server:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
8. Start the Analyzer detail view server or Analyzer probe server using the command:
/usr/local/megha/bin/megha-jetty.sh start
The HTTP proxy service uses SSL cipher suites for communication. You can include or exclude cipher suites on the Analyzer detail view server as described here.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/httpProxy/bin/megha-jetty.sh stop
5. Verify that the crond, megha, and HTTP proxy services are stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/httpProxy/bin/megha-jetty.sh status
6. Make a backup of the /usr/local/httpProxy/jetty/etc/userCipherConfig.xml file:
cp /usr/local/httpProxy/jetty/etc/userCipherConfig.xml /usr/local/httpProxy/jetty/etc/userCipherConfig.xml.orig
vi /usr/local/httpProxy/jetty/etc/userCipherConfig.xml
8. Do the following:
To exclude enabled ciphers:
a. In the addExcludeCipherSuites set, remove the <!-- from the beginning and --> from the end of the Item tag.
b. Add or update the cipher suites in the Item tag:
Examples:
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
You can also exclude the cipher suites (with the same pattern) using regular expressions.
Example:
<Item>TLS_RSA.*</Item>
The above entry excludes the cipher suites such as TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256 and so on.
<Item>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
You can also add the cipher suites (with the same pattern) using regular expressions.
Example:
<Item>TLS_ECDHE.*</Item>
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/httpProxy/bin/megha-jetty.sh start
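The include and exclude rules described above for both userCipherConfig.xml files (Analyzer detail view server or Analyzer probe server, and the HTTP proxy service) can be previewed before the services are restarted. The following script is an added example, not part of the Hitachi guide or product. It assumes standard Jetty behavior (a pattern must match the whole suite name, and excludes are applied after includes); the function names, the suite list, and the XML excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example: preview which cipher suites stay enabled after the <Item>
# patterns in userCipherConfig.xml are applied.
# Assumption: Jetty semantics (full-name regex match, exclude wins over include).
# Patterns are evaluated with grep -E, which agrees with Java regex for the
# simple NAME.* style patterns used in the guide.

# Constructed list of suites a JVM might offer; substitute your own list.
SUPPORTED_SUITES='TLS_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_DES_CBC_SHA'

# The guide requires either of these on the Analyzer detail view server.
REQUIRED_SUITES='TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

# Constructed excerpt of an exclude set; the last Item is still commented out.
EXCLUDE_XML='<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>TLS_RSA.*</Item>
<!-- <Item>TLS_ECDHE.*</Item> -->'

# active_items: read an XML fragment on stdin and print the value of every
# <Item> that is not inside a same-line <!-- ... --> comment.
active_items() {
    sed -e 's/<!--.*-->//g' | sed -n 's/.*<Item>\([^<]*\)<\/Item>.*/\1/p'
}

# matches_any NAME PATTERNS: succeed if NAME fully matches one of the
# newline-separated patterns. The body is a subshell, so "exit" only
# leaves this function and IFS/noglob changes do not leak out.
matches_any() (
    IFS='
'
    set -f
    for pat in $2; do
        if printf '%s\n' "$1" | grep -Eqx -- "$pat"; then exit 0; fi
    done
    exit 1
)

# effective_suites SUPPORTED INCLUDES EXCLUDES: print the suites left enabled.
# An empty INCLUDES list means "start from everything supported".
effective_suites() (
    IFS='
'
    set -f
    for suite in $1; do
        if [ -n "$2" ] && ! matches_any "$suite" "$2"; then continue; fi
        if matches_any "$suite" "$3"; then continue; fi
        printf '%s\n' "$suite"
    done
)

# keeps_required ENABLED REQUIRED: succeed if at least one REQUIRED suite
# is still present in the ENABLED list.
keeps_required() (
    IFS='
'
    set -f
    for need in $2; do
        if printf '%s\n' "$1" | grep -Fqx -- "$need"; then exit 0; fi
    done
    exit 1
)

# Demo run on the constructed data above.
excludes=$(printf '%s\n' "$EXCLUDE_XML" | active_items)
enabled=$(effective_suites "$SUPPORTED_SUITES" "" "$excludes")
printf 'Active exclude patterns:\n%s\n\nSuites still enabled:\n%s\n\n' "$excludes" "$enabled"
if keeps_required "$enabled" "$REQUIRED_SUITES"; then
    echo "OK: a required ECDHE-RSA GCM suite is still enabled"
else
    echo "FAIL: neither required suite is enabled"
fi
```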
Setting an SSL cipher suite for the real time data collection service
You can include or exclude SSL cipher suites for real-time data collection service on the Analyzer detail view server as described here.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
Make sure that the SSL encryption is enabled for real-time data import. Refer to Enabling SSL encryption for real time data collection using a self-signed certificate for more
information.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
4. Stop the real time data collection service using the command:
/usr/local/megha/bin/manage-kafka.sh stop
5. Verify that the crond, megha, and real time data collection services are stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/bin/manage-kafka.sh status
cp /usr/local/megha/kafka/config/server.properties /usr/local/megha/kafka/config/server.properties.orig
7. Edit the /usr/local/megha/kafka/config/server.properties file.
vi /usr/local/megha/kafka/config/server.properties
8. If the ssl.cipher.suites property does not exist, add it and enter one cipher suite or a comma-separated list of cipher suites:
For example:
ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/manage-kafka.sh start
To initiate a secure session with a host that uses the RAID Agent services, you must create a private key and a certificate signing request (CSR), apply the server certificate, and
configure secure communications.
Creating a private key and a certificate signing request for RAID Agent server
Use the htmssltool command to create a private key and a certificate signing request (CSR) for RAID Agent.
1. Log on to the host where the RAID Agent is installed. For a Linux host, use an SSH client.
2. Run the following command to create private keys, certificate signing requests, and self-signed certificates.
In Linux
In Windows
Example (Linux):
Tip:
As a best practice, you should only use a self-signed certificate to test encrypted communications.
In general, applications for server certificates are submitted online. You must create a certificate signing request (CSR) for RAID Agent, and send it to the certificate authority to
obtain a digital signature.
You must have a server certificate in X.509 PEM format issued by the certificate authority. For details on how to apply, see the website of your certificate authority. In addition, make
sure the certificate authority supports the signature algorithm.
To enable SSL communication using the RAID Agent services, edit the htnm_httpsd.conf file.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
Prepare the private key and the server certificate issued by the certificate authority for RAID Agent.
Private key and Server certificate for RAID Agent (if you are using a self-signed certificate for testing purposes.)
In Linux
/opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/server
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\HBasePSB\httpsd\conf\ssl\server
Server certificate for RAID Agent (if you are using a certificate issued by a certificate authority)
In Linux
/opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/cacert
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\HBasePSB\httpsd\conf\ssl\cacert
Verify the host name specified for Common Name in the certificate signing request.
In Linux
/opt/jp1pc/htnm/Rest/config/htnm_httpsd.conf
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\Rest\config\htnm_httpsd.conf
ServerName RAID-Agent-server-host-name
Listen 24221
#Listen [::]:24221
SSLEngine Off
Listen 24222
#Listen [::]:24222
HWSLogSSLVerbose On
<VirtualHost *:24222>
ServerName RAID-Agent-server-host-name
SSLEngine On
SSLProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#SSLProtocol TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
SSLCertificateFile /opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/server/httpsd.pem
SSLCertificateKeyFile /opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/server/httpsdkey.pem
SSLCertificateFile /opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/server/ecc-httpsd.pem
SSLCertificateKeyFile /opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/server/ecc-httpsdkey.pem
#SSLCACertificateFile /opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/cacert/anycert.pem
</VirtualHost>
Remove the hash mark (#) on the following lines to uncomment the lines.
Listen 24222
HWSLogSSLVerbose On
The VirtualHost tag and the following directives in the tag
ServerName
SSLEngine
SSLProtocol
SSLCipherSuite
SSLCertificateFile
SSLCertificateKeyFile
Note:
Keep the lines #Listen [::]:24221 and #Listen [::]:24222 commented out, because Ops Center Analyzer does not support IPv6.
If you want to block non-SSL communication, comment out the lines Listen 24221 and SSLEngine Off.
SSLCipherSuite TLSv1.3 is for TLS 1.3 and SSLCipherSuite is for TLS 1.2.
For the ServerName directive in the first line and the ServerName directive in the VirtualHost tag, enter the host name that you specified for Common Name in the
certificate signing request. (Host names are case sensitive.)
Specify the absolute paths of the private key and the server certificate of RAID Agent for the following directives.
SSLCertificateKeyFile
SSLCertificateFile
If the server certificate for RAID Agent originated from an intermediate certificate authority, remove the hash mark (#) from the beginning of the line of the
SSLCACertificateFile directive, and then specify the absolute path of all server certificates issued by the intermediate certificate authorities. You can include multiple
certificates in a single file by using a text editor to chain those certificates.
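The notes above can be checked mechanically before the RAID Agent services are restarted. The following lint script is an added example, not Hitachi tooling. The host name agent01.example.com, the sample_conf helper, and the finding texts are constructed for illustration, and the absolute-path check applies to the Linux layout only.

```shell
#!/bin/sh
# Added example: lint an htnm_httpsd.conf against the notes in this section.
# Usage: lint_httpsd_conf FILE   (or pipe the file on stdin)
# Prints one finding per line and prints nothing when the file is clean.
lint_httpsd_conf() {
    awk '
    {
        # Normalize the line and remember whether it is commented out.
        line = $0
        sub(/^[ \t]+/, "", line)
        active = (line !~ /^#/)
        sub(/^#+[ \t]*/, "", line)
        if (split(line, f, /[ \t]+/) == 0) next
    }
    active && line ~ /^<VirtualHost[ >]/ { in_vhost = 1; next }
    active && line ~ /^<\/VirtualHost>/  { in_vhost = 0; next }
    !active { next }
    # IPv6 listeners must stay commented out (IPv6 is not supported).
    f[1] == "Listen" && f[2] ~ /^\[::\]/ {
        print "FAIL: IPv6 listener is enabled: " line
    }
    # Optional hardening: close the non-SSL port.
    f[1] == "Listen" && f[2] == "24221" {
        print "NOTE: plain-HTTP port 24221 is open (comment out Listen 24221 and SSLEngine Off to block non-SSL)"
    }
    f[1] == "Listen" && f[2] == "24222" { ssl_listen = 1 }
    f[1] == "SSLEngine" && f[2] == "On" && in_vhost { ssl_on = 1 }
    # Both ServerName values must equal the CSR Common Name (case sensitive).
    f[1] == "ServerName" {
        if (in_vhost) vhost_name = f[2]; else top_name = f[2]
    }
    (f[1] == "SSLCertificateFile" || f[1] == "SSLCertificateKeyFile") && f[2] !~ /^\// {
        print "FAIL: " f[1] " is not an absolute path: " f[2]
    }
    END {
        if (!ssl_listen) print "FAIL: Listen 24222 is not active"
        if (!ssl_on) print "FAIL: SSLEngine On is not active inside <VirtualHost>"
        if (top_name != vhost_name)
            print "FAIL: ServerName differs: top-level=" top_name " VirtualHost=" vhost_name
    }' "$@"
}

# sample_conf TOP_NAME PLAIN_PREFIX: emit a constructed configuration.
# PLAIN_PREFIX is "" to leave the non-SSL listener active, "#" to disable it.
sample_conf() {
    cat <<EOF
ServerName $1
${2}Listen 24221
#Listen [::]:24221
${2}SSLEngine Off
Listen 24222
#Listen [::]:24222
HWSLogSSLVerbose On
<VirtualHost *:24222>
ServerName agent01.example.com
SSLEngine On
SSLProtocol +TLSv1.2 +TLSv1.3
SSLCertificateFile /opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/server/httpsd.pem
SSLCertificateKeyFile /opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/server/httpsdkey.pem
</VirtualHost>
EOF
}

# Demo: SSL enabled but the plain listener left open, then a host name whose
# case differs from the one inside <VirtualHost>.
echo "== plain listener left open =="
sample_conf agent01.example.com "" | lint_httpsd_conf
echo "== ServerName case mismatch =="
sample_conf Agent01.example.com "#" | lint_httpsd_conf
```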
To check the expiration date of the RAID Agent server certificate or a certificate issued by a certificate authority, use the keytool command.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
In Windows
For certificate-file-name, specify the location of the certificate file as an absolute path.
Example:
To enable the Analyzer server to verify RAID Agent certificates, import the RAID Agent certificates to the Analyzer server truststore, and edit the config_user.properties file.
For the alias-name, specify a name that identifies whether the certificate is the certificate for RAID Agent.
For the certificate-file-name, specify the absolute path.
The truststore file is stored in the following location:
Common-component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts
Analyzer-server-installation-directory/Analytics/conf
Key: cert.verify.enabled
Value: true
4. (Optional) To add cipher suites for communication with RAID Agent, do the following:
a. Open the config_user.properties file from the following location.
/opt/hitachi/Analytics/conf/config_user.properties
Note: The cipher suite settings apply to communication from the Analyzer server to all of the following components and servers. The settings cannot be configured for
individual components or servers.
Analyzer detail view server
RAID Agent
Virtual Storage Software Agent
Common Services
Ops Center Automator
b. Add or edit the ssl.ClientProtocol and ssl.ClientCipherSuites line (default value) as follows.
c. At the end of the ssl.ClientCipherSuites line, add any additional TLS 1.2 or TLS 1.3 cipher suites, using commas to separate the values.
5. Start the Analyzer server services.
Enabling TLS certificate verification for connecting to RAID Agent in Analyzer probe server
The TLS certificate verification enables secure communication between the Analyzer probe server and the RAID Agent for collecting data using the Hitachi Enterprise Storage probe.
Obtain a valid TLS certificate (for example, server.crt file) for RAID Agent and save it in the /tmp directory on the Analyzer probe server.
TLS certificate verification is a global setting. If there are multiple RAID Agents, make sure you obtain TLS certificates for all the RAID Agents.
Identify and note the Java keystore path on the Analyzer probe server machine.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/custom_orig.properties
vi /usr/local/megha/conf/custom.properties
hesp.verify.tls.certificate=true
/usr/lib/jvm/java-17-amazon-corretto/lib/security
keytool -importcert -alias Alias_name -keystore Truststore_file_path -storetype jks -storepass Truststore_file_password -file TLS_certificate_file_path
Note: You can define any unique alias name for TLS certificate.
For example:
keytool -importcert -alias RATLSCert -keystore jssecacerts -storetype jks -storepass changeit -file /tmp/server.crt
11. If there are multiple RAID Agents, repeat step 10 for each RAID Agent.
12. Make sure that the megha user has the read permission for the jssecacerts file. If not, set it as in this example:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Note: If you upgrade the JDK in the future, make sure that the jssecacerts file is copied in the upgraded JDK directory.
For example: If you upgrade JDK from v1.8.0 to v17, copy the jssecacerts file from /usr/java/jdk1.8.0_291-amd64/jre/lib/security to /usr/lib/jvm/java-17-amazon-corretto/lib/security.
After copying the jssecacerts file, make sure that megha user has the read permission for the jssecacerts file.
To initiate a secure session with a host that uses Virtual Storage Software Agent services, you must create a private key and a certificate signing request (CSR), apply the server
certificate, and configure secure communications. When performing a new installation of Virtual Storage Software Agent or upgrading it from version 10.8.2 or earlier, create and
revise the server certificate.
Creating a private key and a certificate signing request for Virtual Storage Software Agent server
For example:
Restrict permissions for the created keystore file, so that only the root user can read from or write to the file.
For example:
Submitting a certificate signing request (CSR) for Virtual Storage Software Agent
In general, applications for server certificates are submitted online. You must create a certificate signing request (CSR) for Virtual Storage Software Agent and send it to the
certificate authority to obtain a digital signature.
You must have a server certificate in X.509 PEM format issued by the certificate authority. For details on how to apply, see the website of your certificate authority. In addition, make
sure the certificate authority supports the signature algorithm.
To enable SSL communication that uses Virtual Storage Software Agent services, edit the userconfig-setting.yaml file.
1. Check and, if necessary, revise the settings in the following definition file:
/var/Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent/config/userconfig-setting.yaml
protocol: The protocol for Virtual Storage Software Agent. Make sure this setting is set to https.
port: The port number for Virtual Storage Software Agent. Specify a number in the range 1-65535. The specified port will be used as the port for Virtual Storage
Software Agent to which the Hitachi VSP One SDS Block probe connects.
keyStorePath: The file path of the keystore to which the server certificate was imported.
keyStorePassword: The password for the keystore to which the server certificate was imported.
For example:
serverSettings:
  protocol: https
  port: 24081
  keyStorePath: /home/usr/.ssh/keystore
  keyStorePassword: pass!23
virtualStorageSoftwareAccessSettings:
  verifyingSsl: false
2. Restart the Virtual Storage Software Agent services by running the following command:
Enabling TLS certificate verification for connecting to Virtual Storage Software Agent in Analyzer probe server
The TLS certificate verification enables secure communication between the Analyzer probe server and the Virtual Storage Software Agent for collecting data using the Hitachi VSP
One SDS Block probe.
Obtain a valid TLS certificate (for example, server.crt file) for Virtual Storage Software Agent and save it in the /tmp directory on the Analyzer probe server.
TLS certificate verification is a global setting. If there are multiple Virtual Storage Software Agents, make sure you obtain TLS certificates for all the Virtual Storage Software
Agents.
Identify and note the Java keystore path on the Analyzer probe server machine.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/custom_orig.properties
vi /usr/local/megha/conf/custom.properties
vssb.verify.tls.certificate=true
8. Navigate to the Java keystore directory. For example:
/usr/lib/jvm/java-17-amazon-corretto/lib/security
keytool -importcert -alias Alias_name -keystore Truststore_file_path -storetype jks -storepass Truststore_file_password -file TLS_certificate_file_path
Note: You can define any unique alias name for TLS certificate.
For example:
keytool -importcert -alias vssbCert -keystore jssecacerts -storetype jks -storepass changeit -file /tmp/server.cer
11. If there are multiple Virtual Storage Software Agents, repeat step 10 for each instance.
12. Make sure that the megha user has the read permission for the jssecacerts file. If not, set it as in this example:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Note: If you upgrade the JDK in the future, make sure that the jssecacerts file is copied in the upgraded JDK directory.
For example: If you upgrade JDK from v1.8.0 to v17, copy the jssecacerts file from /usr/java/jdk1.8.0_291-amd64/jre/lib/security to /usr/lib/jvm/java-17-amazon-corretto/lib/security.
After copying the jssecacerts file, make sure that megha user has read permission.
Importing VSP One SDS Block certificates to the Virtual Storage Software Agent truststore
To enable Virtual Storage Software Agent to verify the VSP One SDS Block certificates, import the VSP One SDS Block certificates to the Virtual Storage Software Agent truststore.
Prepare the VSP One SDS Block certificates. For details, see the section describing how to set up SSL in the documentation for your storage system.
You must have root permission.
1. Run the following command to import the VSP One SDS Block certificates to the truststore:
keytool -import -alias alias-name -file certificate-file-name -keystore truststore-file-name -storepass truststore-password -storetype JKS
Note:
Note the following when specifying a unique name in the truststore, the truststore file name, and the password:
Specify the file name as a character string of no more than 255 bytes.
Do not include double quotation marks (") in the unique name in the truststore or the password.
For the alias-name, specify the name of the host on which the certificate is located.
For the certificate-file-name, specify the absolute path to the certificate.
The truststore file is stored in the following location:
/usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/jssecacerts
Creating a private key and a certificate signing request for the On-demand real time monitoring module
To create a private key and certificate signing request (CSR) for the On-demand real time monitoring module, use the openssl command (Linux) or the htmssltool command
(Windows).
Procedure
In Linux
Run the following command to create a certificate signing request with the private key:
In Windows
Submitting a certificate signing request (CSR) for On-demand real time monitoring module
In general, applications for server certificates are submitted online. You must create a certificate signing request (CSR) for On-demand real time monitoring module and send it to the
certificate authority to obtain a digital signature.
Create a certificate signing request for On-demand real time monitoring module.
You must have a server certificate in X.509 PEM format issued by the certificate authority. For details on how to apply, see the website of your certificate authority. In addition,
make sure the certificate authority supports the signature algorithm.
Replacing the HTTPS server certificate of the On-demand real time monitoring module
The On-demand real time monitoring module uses a self-signed certificate by default. Before using the module, change the setting to use a certificate issued by a certificate
authority.
In Linux
In Windows
In the Windows Services window, right-click On-demand real time monitoring module and then select Stop to stop the service.
3. Change the certificate and key file issued by the certificate authority:
If you are using the default location:
a. Copy the acquired certificate and key file into the following directory.
In Linux
/opt/hitachi/Analytics/granular-data-collection-api/cert
In Windows
RAID-Agent-installation-folder\raid_agent\granular-data-collection-api\cert
In Linux
/opt/hitachi/Analytics/granular-data-collection-api/conf/user-granular-data-collection-api.conf
In Windows
RAID-Agent-installation-folder\raid_agent\granular-data-collection-api\conf\user-granular-data-collection-api.conf
b. Change the following properties, which specify the server certificate and private key:
GRANULAR_DATA_COLLECTION_API_TLS_CRT_FILE
GRANULAR_DATA_COLLECTION_API_TLS_KEY_FILE
4. Start the On-demand real time monitoring module service.
In Linux
In Windows
In the Windows Services window, right-click On-demand real time monitoring module and then select Start to start the service.
Enabling TLS certificate verification for the On-demand real time monitoring
The TLS certificate verification enables secure communication between the Analyzer detail view server and the RAID Agent server (usually, the host on which the Analyzer probe
server is installed) for On-demand real time monitoring.
Obtain a valid TLS certificate (for example, server.crt file) from the RAID Agent server and save it in the /tmp directory on the Analyzer detail view server.
TLS certificate verification is a global setting. If there are multiple RAID Agent servers available in the Analyzer detail view server, make sure you obtain the TLS certificates
for all the RAID Agent servers.
Identify and note the Java keystore path on the Analyzer detail view server machine.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/custom_orig.properties
vi /usr/local/megha/conf/custom.properties
realtimemonitoring.verify.tls.certificate=true
/usr/lib/jvm/java-17-amazon-corretto/lib/security
keytool -importcert -alias Alias_name -keystore Truststore_file_path -storetype jks -storepass Truststore_file_password -file TLS_certificate_file_path
Note: You can define any unique alias name for TLS certificate.
For example:
keytool -importcert -alias aliasName -keystore jssecacerts -storetype jks -storepass changeit -file /tmp/server.crt
11. If there are multiple RAID Agent servers, repeat step 10 for each instance.
12. Make sure that the megha user has the read permission for the jssecacerts file. If not, change the permissions as in this example:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Note: If you upgrade the JDK in the future, make sure that the jssecacerts file is copied to the upgraded JDK directory.
For example: If you upgrade the JDK from v1.8.0 to v17, copy the jssecacerts file from /usr/java/jdk1.8.0_291-amd64/jre/lib/security to /usr/lib/jvm/java-17-amazon-corretto/lib/security.
After copying the jssecacerts file, make sure that the megha user has read permission for the jssecacerts file.
To use Analyzer server to specify settings for SSL communication with Common Services, you must first enable SSL for Common Services. For details, see the description of SSL
communication settings in the Hitachi Ops Center Installation and Configuration Guide.
To enable the Analyzer server to verify Common Services certificates, import the Common Services certificates to the Analyzer server truststore.
Prepare the Common Services certificates. For details, see the description of SSL communication settings in the Hitachi Ops Center Installation and Configuration Guide.
You must have root permission.
Note:
For the alias-name, specify the name of the host on which the certificate is located.
For the certificate-file-name, specify the absolute path to the certificate.
The truststore file is stored in the following location:
Common-component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts
Analyzer-server-installation-directory/Analytics/conf
Key: cert.verify.enabled
Value: true
4. (Optional) To add cipher suites for communication with Common Services, do the following:
a. Open the config_user.properties file from the following location.
/opt/hitachi/Analytics/conf/config_user.properties
Note: The cipher suite settings apply to communication from the Analyzer server to all of the following components and servers. The settings cannot be configured for
individual components or servers.
Analyzer detail view server
RAID Agent
Virtual Storage Software Agent
Common Services
Ops Center Automator
b. Add or edit the ssl.ClientProtocol and ssl.ClientCipherSuites line (default value) as follows.
c. At the end of the ssl.ClientCipherSuites line, add any additional TLS 1.2 or TLS 1.3 cipher suites, using commas to separate the values.
5. Start the Analyzer server services.
TLS certificate verification enables secure communication between the Analyzer detail view server or Analyzer probe server and the Common Services server.
Obtain a valid TLS certificate from the Common Services server and save it in the /tmp directory on the Analyzer detail view server or Analyzer probe server.
Identify and note the Java keystore path on the Analyzer detail view server or Analyzer probe server machine.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/custom_orig.properties
vi /usr/local/megha/conf/custom.properties
commonservice.verify.tls.certificate=true
/usr/lib/jvm/java-17-amazon-corretto/lib/security
keytool -importcert -alias Alias_name -keystore Truststore_file_path -storetype jks -storepass Truststore_file_password -file TLS_certificate_file_path
Note: You can define any unique alias name for TLS certificate.
For example:
keytool -importcert -alias CSServerCert -keystore jssecacerts -storetype jks -storepass changeit -file /tmp/server.cer
11. Make sure that the megha user has the read permission for the jssecacerts file. If not, change the permissions as follows:
For example:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
service crond start
service crond status
Note: If you upgrade the JDK in the future, make sure that the jssecacerts file is copied to the upgraded JDK directory.
For example: If you upgrade the JDK from v1.8.0 to v17, copy the jssecacerts file from /usr/java/jdk1.8.0_291-amd64/jre/lib/security to /usr/lib/jvm/java-17-amazon-corretto/lib/security.
After copying the jssecacerts file, make sure that the megha user has read permission for the jssecacerts file. If the megha user does not have read permission, provide the
permission.
For example:
Enabling TLS certificate verification for connecting to Hitachi Ops Center API Configuration Manager
The TLS certificate verification enables secure communication between the Analyzer probe server and the Hitachi Ops Center API Configuration Manager for collecting data using
the Hitachi Enterprise Storage probe.
Obtain a valid TLS certificate (for example, server.crt file) for Hitachi Ops Center API Configuration Manager and save it in the /tmp directory on the Analyzer probe
server.
TLS certificate verification is a global setting. If there are multiple Hitachi Ops Center API Configuration Managers, make sure you obtain TLS certificates for each instance.
Identify and note the Java keystore path on the Analyzer probe server machine.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/custom_orig.properties
vi /usr/local/megha/conf/custom.properties
cmrest.verify.tls.certificate=true
/usr/lib/jvm/java-17-amazon-corretto/lib/security
keytool -importcert -alias Alias_name -keystore Truststore_file_path -storetype jks -storepass Truststore_file_password -file TLS_certificate_file_path
Note: You can define any unique alias name for TLS certificate.
For example:
keytool -importcert -alias CMTLSCert -keystore jssecacerts -storetype jks -storepass changeit -file /tmp/server.crt
11. If there are multiple Hitachi Ops Center API Configuration Managers, repeat step 10 for each Virtual Hitachi Ops Center API Configuration Manager.
12. Make sure that the megha user has the read permission for the jssecacerts file. If not, set it as in this example:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Note: If you upgrade the JDK in the future, make sure that the jssecacerts file is copied to the upgraded JDK directory.
For example: If you upgrade the JDK from v1.8.0 to v17, copy the jssecacerts file from /usr/java/jdk1.8.0_291-amd64/jre/lib/security to /usr/lib/jvm/java-17-amazon-corretto/lib/security.
After copying the jssecacerts file, make sure that the megha user has read permission for the jssecacerts file.
To use Analyzer server to specify settings for SSL communication with Ops Center Automator, you must first enable SSL on Ops Center Automator. For details, see the section
describing how to set up SSL in the Hitachi Ops Center Automator Installation and Configuration Guide.
To enable the Analyzer server to verify Ops Center Automator certificates, import the Ops Center Automator certificates to the Analyzer server truststore.
Prepare the Ops Center Automator certificates. For details, see the section describing how to set up SSL in the Hitachi Ops Center Automator Installation and Configuration
Guide.
You must have root permission.
Note:
Note the following when specifying a unique name in the truststore, the truststore file name, and the password:
Specify the file name as a character string of no more than 255 bytes.
Do not include double quotation marks (") in the unique name in the truststore or the password.
For the alias-name, specify the name of the host on which the certificate is located.
For the certificate-file-name, specify the absolute path to the certificate.
The truststore file is stored in the following location:
Common-component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts
Analyzer-server-installation-directory/Analytics/conf
Key: cert.verify.enabled
Value: true
4. (Optional) To add cipher suites for communication with Ops Center Automator, do the following:
a. Open the config_user.properties file from the following location.
/opt/hitachi/Analytics/conf/config_user.properties
Note: The cipher suite settings apply to communication from the Analyzer server to all of the following components and servers. The settings cannot be configured for
individual components or servers.
Analyzer detail view server
RAID Agent
Virtual Storage Software Agent
Common Services
Ops Center Automator
b. Add or edit the ssl.ClientProtocol and ssl.ClientCipherSuites line (default value) as follows.
c. At the end of the ssl.ClientCipherSuites line, add any additional TLS 1.2 or TLS 1.3 cipher suites, using commas to separate the values.
5. Start the Analyzer server services.
To set up SSL communication with the LDAP directory server in Ops Center Analyzer, you must configure the SSL server on the LDAP directory server and then specify settings in
the Analyzer server. For details about SSL configuration on the LDAP directory server, see the manuals about the LDAP directory server.
To enable the Analyzer server to verify LDAP directory server certificates, import the LDAP directory server certificates to the Analyzer server truststore.
Note: If the server certificate was issued by a well-known certificate authority, the certificate of the certificate authority might already be imported to the truststore (jssecacerts). In
this case, you do not need to import the certificate into the truststore.
The environment settings for connecting with an external authentication server must be completed. For details, see Configuring LDAP authentication for Analyzer server.
Prepare an LDAP directory server certificate.
The certificates issued by all the authorities from the authority that issued an LDAP directory server certificate to the root certificate authority must form a certificate chain.
The certificate must satisfy the product requirements for Analyzer server.
Note:
Note the following when specifying a unique name in the truststore, the truststore file name, and the password:
Do not use the following symbols in the file name:
Specify the file name as a character string of no more than 255 bytes.
Do not include double quotation marks (") in the unique name in the truststore or the password.
For the alias-name, specify the name of the host on which the certificate you want to use is located.
For the certificate-file-name, specify the absolute path to the location where the certificate is stored.
For the truststore-file-name, specify the absolute path to the location where the truststore file is stored. If the specified file does not exist, the file is automatically
created.
For best results, import LDAP directory server certificates into ldapcacerts. If you want to share a certificate with other programs, you can import the certificate into
jssecacerts.
ldapcacerts
Common-component-installation-directory/conf/sec/ldapcacerts
jssecacerts
Common-component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts
To use STARTTLS to communicate between the Analyzer server and an LDAP directory server, check that the obtained LDAP directory server certificate satisfies the following
requirements:
The CN (in the Subject line) of the LDAP directory server certificate matches the value of the following specified attributes in the exauth.properties file.
When the server uses LDAP for the authentication method
auth.ldap.value-specified-for-auth.server.name.host
When the server uses RADIUS for the authentication method and connects with an external authorization server
When an external authentication server and the authorization server are running on the same computer:
auth.radius.value-specified-for-auth.server.name.host
When the external authentication server and authorization server are running on different computers:
auth.group.domain-name.host
When the server uses Kerberos for the authentication method and connects with an external authorization server
auth.kerberos.auth.kerberos.realm_name-property-value.kdc
To set up SSL communication with the mail server in Ops Center Analyzer, you must configure the SSL server on the mail server and then specify settings in the Analyzer server. For
details about SSL configuration on the mail server, see the manuals about the mail server.
To enable TLS communication with the mail server, you must import self-signed certificates used by the mail server or server certificates issued by a certificate authority to the
Analyzer server truststore.
Note:
For the alias-name, specify a name to identify which host server has the certificate.
For the certificate-file-name, specify the absolute path.
The truststore file is stored in the following location:
Common-component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts
Enabling host header validation for the Analyzer probe or Analyzer detail view servers
To enhance security, you can enable host header validation. This ensures the Analyzer probe server or Analyzer detail view server can only be accessed by the IP address (where
they are installed). In addition, you can enable access using host name or domain name by defining them in the allowlist.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer probe server or Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
5. Go to the /usr/local/megha/conf/custom.properties file, add the following properties, and save the file:
To enable host header validation and allow access with IP address and port:
host.header.validation.enabled=true
[Optional]: To allow access with host-name or domain-name, add the following additional property:
host.header.allowlist=host-name or domain-name
/usr/local/megha/bin/megha-jetty.sh start
Changing the Analyzer detail view server and Analyzer probe server UI session timeout
By default, all Analyzer detail view server and Analyzer probe server UI sessions are closed after 20 minutes of idle time. However, you can change the session timeout using a
property in the /usr/local/megha/conf/custom.properties file.
Note: If you have registered the Analyzer detail view server and Analyzer probe server with Common Services, do not follow this procedure. Instead, change the session timeout in
the Ops Center portal. The portal timeout setting applies to all Ops Center products and overrides the settings on the Analyzer detail view server and Analyzer probe server.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
user.session.expiry.timeout.in.secs=Time-in-seconds
/usr/local/megha/bin/megha-jetty.sh start
Configuring key-based authentication between Analyzer detail view server and Analyzer probe server
You can configure the key-based authentication to transfer data directly (without an intermediate FTP or FTPS server) from the Analyzer probe server to the Analyzer detail view
server using the SFTP protocol with the meghadata user. You can also configure key-based authentication to download this data to the Analyzer detail view server.
Configuring key-based authentication to transfer data directly from Analyzer probe server to Analyzer detail view server
Key-based authentication helps you to transfer data directly (without an intermediate FTP or FTPS server) from the Analyzer probe server to the Analyzer detail view server using the
SFTP protocol with the meghadata user.
Note: For best results:
Use unique SSH host keys for every host that is using SSH.
Implement an SSH key management solution.
Configure the Analyzer Probe server
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Change ownership and permission of the .ssh directory available under the Analyzer probe server installation directory.
For example:
su - megha
4. Generate a key for the megha user using one of the following algorithms:
RSA:
ECDSA:
/Installation_directory/megha/.ssh/id_rsa
For example:
/home/megha/.ssh/id_rsa
ECDSA:
/Installation_directory/megha/.ssh/id_ecdsa
For example:
/home/megha/.ssh/id_ecdsa
ssh-copy-id meghadata@Analyzer_detail_view_server_IP_address_or_hostname
For example:
ssh-copy-id [email protected]
8. When prompted for the password, enter the meghadata user password (default: meghadata123).
9. If you are using the ECDSA algorithm, do the following:
a. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
c. Verify that the services (including crond) are stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
ssh.private.key.file=/Installation_directory/megha/.ssh/id_ecdsa
For example:
ssh.private.key.file=/usr/local/megha/.ssh/id_ecdsa
/usr/local/megha/bin/megha-jetty.sh start
g. Verify that the services (including crond) are started using the commands:
/usr/local/megha/bin/megha-jetty.sh status
Note: If you want to switch from the ECDSA algorithm to RSA algorithm in the future, add a comment symbol (#) at the beginning of the following line in the custom.properties
file:
ssh.private.key.file=/usr/local/megha/.ssh/id_ecdsa
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Configure the SELinux security context in the /etc/selinux/targeted/contexts/files/file_contexts.local file for the following directories available under the
Analyzer detail view server installation directory (default: /data).
a. /Installation_directory/meghadata/.ssh directory:
For example:
b. /Installation_directory/meghadata/.ssh/authorized_keys file:
For example:
3. Change file type to ssh_home_t for the following directories available under the Analyzer detail view server installation directory (default: /data):
a. /Installation_directory/meghadata/.ssh directory:
For example:
restorecon -R -v /data/meghadata/.ssh
b. /Installation_directory/meghadata/.ssh/authorized_keys file:
For example:
restorecon -R -v /data/meghadata/.ssh/authorized_keys
ls -Z -a /Installation_directory/meghadata/.ssh
Make sure that you switch to the key-based authentication and SFTP protocol in the Analyzer probe UI (select Reconfigure > Analyzer detail view server > Server Details).
You can configure the key-based authentication to download data on the Analyzer detail view server when data is directly uploaded to the Analyzer detail view server (without an
intermediate FTP server).
Use unique SSH host keys for every host that is using SSH.
Implement an SSH key management solution.
If the SFTP server subsystem setting is configured as sftp internal-sftp in the /etc/ssh/sshd_config file, make sure that the following entry is also present in this file:
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Switch to the megha user:
su - megha
/Installation_directory/megha/.ssh/id_rsa
For example:
/data/megha/.ssh/id_rsa
ssh-copy-id meghadata@localhost
7. When prompted for the password, enter the meghadata user password (default: meghadata123).
8. Switch to the root user:
su - root
9. Configure the SELinux security context in the /etc/selinux/targeted/contexts/files/file_contexts.local file for the following directories available under the
Analyzer detail view server installation directory (default: /data).
/Installation_directory/meghadata/.ssh directory:
For example:
/Installation_directory/meghadata/.ssh/authorized_keys file:
For example:
10. Use the restorecon command to change file type to ssh_home_t for the following directories available under the Analyzer detail view server installation directory (default: /data):
/Installation_directory/meghadata/.ssh directory:
For example:
restorecon -R -v /data/meghadata/.ssh
/Installation_directory/meghadata/.ssh/authorized_keys file:
For example:
restorecon -R -v /data/meghadata/.ssh/authorized_keys
ls -Z -a /Installation_directory/meghadata/.ssh
For example:
ls -Z -a /data/meghadata/.ssh
By default, password-based authentication is configured for downloading data to the Analyzer detail view server. If you want to switch to key-based authentication, see Updating the
downloader on the Analyzer detail view server.
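After the key-based authentication procedures above, the .ssh directories on both servers can be checked against the permission rules OpenSSH enforces. This is an added example, not part of the product or the original guide: the function names are hypothetical, and it assumes that an unset ssh.private.key.file property means the id_rsa key in the same directory is used.

```shell
#!/bin/sh
# Added example (not product code): check the SSH files used for the
# megha -> meghadata SFTP transfer. Function names are hypothetical.
# Usage: sh check_ssh.sh /home/megha/.ssh /usr/local/megha/conf/custom.properties
#        sh check_ssh.sh /data/meghadata/.ssh

# any_perm_bit PATH BIT...: succeed if PATH has at least one of the octal bits set.
any_perm_bit() {
    target=$1; shift
    for bit in "$@"; do
        [ -n "$(find "$target" -prune -perm -"$bit" 2>/dev/null)" ] && return 0
    done
    return 1
}

# selected_private_key SSH_DIR [PROPERTIES_FILE]: print the key path in effect.
# Assumption: with ssh.private.key.file unset or commented out, id_rsa is used.
selected_private_key() {
    key=""
    if [ -n "${2:-}" ] && [ -r "$2" ]; then
        key=$(sed -n 's/^[[:space:]]*ssh\.private\.key\.file[[:space:]]*=[[:space:]]*//p' "$2" |
              tail -n 1 | sed 's/[[:space:]]*$//')
    fi
    echo "${key:-$1/id_rsa}"
}

# check_ssh_dir SSH_DIR [PROPERTIES_FILE]: print findings, return 0 only if none.
check_ssh_dir() {
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "FAIL $dir is not a directory"; return 1; }

    # sshd (StrictModes) ignores authorized_keys when the directory or the
    # file is writable by group or others.
    if any_perm_bit "$dir" 020 002; then
        echo "FAIL $dir is writable by group or others"; bad=1
    fi
    ak=$dir/authorized_keys
    if [ -f "$ak" ] && any_perm_bit "$ak" 020 002; then
        echo "FAIL $ak is writable by group or others"; bad=1
    fi

    # The ssh client refuses a private key that group or others can access.
    key=$(selected_private_key "$dir" "${2:-}")
    if [ -f "$key" ]; then
        if any_perm_bit "$key" 040 020 010 004 002 001; then
            echo "FAIL $key is accessible by group or others"; bad=1
        fi
    elif [ ! -f "$ak" ]; then
        echo "FAIL neither $key nor $ak is present"; bad=1
    fi

    [ "$bad" -eq 0 ] && echo "OK   $dir"
    return "$bad"
}

# Run only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    check_ssh_dir "$@"
fi
```

Run it as root on the Analyzer probe server against the megha user's .ssh directory, and on the Analyzer detail view server against the meghadata user's .ssh directory.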
Restricting SMTPS and STARTTLS TLS versions in Analyzer detail view server
Follow this procedure if you want to use a specific TLS version for SMTPS and STARTTLS communication.
Note:
The Analyzer detail view server supports TLS versions 1.0, 1.1, 1.2, and 1.3 for SMTPS and STARTTLS.
The following communication methods are supported:
SSL: SMTPS
TLS: STARTTLS
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/backup_custom_backup.properties
vi /usr/local/megha/conf/custom.properties
ssl.mail.smtp.encryption.protocols=Protocol_version_1 Protocol_version_n
For example:
ssl.mail.smtp.encryption.protocols=TLSv1.1 TLSv1.2
If you want to use the STARTTLS protocol, add the following property:
tls.mail.smtp.encryption.protocols=Protocol_version_1 Protocol_version_n
For example:
tls.mail.smtp.encryption.protocols=TLSv1.2
8. Save the file and exit.
9. Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
11. Confirm the crond and megha services have been started using the commands:
/usr/local/megha/bin/megha-jetty.sh status
Note: Red Hat Enterprise Linux 8 and Oracle Linux 8 have disabled TLS 1.0 and TLS 1.1 protocols in the default crypto policies. If you want to enable TLS 1.0 or TLS 1.1,
refer to the Operating System documentation for more information.
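The custom.properties settings described in the TLS certificate verification, host header validation, and SMTPS/STARTTLS procedures above can be checked together after editing. This is an added example, not part of the product or the original guide: the function names, the role names detailview and probe, and the sample file are constructed for illustration, and the script reports TLSv1 and TLSv1.1 as deprecated.

```shell
#!/bin/sh
# Added example (not product code): read-only audit of custom.properties for the
# security properties this guide describes. Function and role names are hypothetical.
# Usage: sh audit_props.sh /usr/local/megha/conf/custom.properties detailview|probe

# prop_value FILE KEY: print the last uncommented value of KEY, empty if unset.
prop_value() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*${k}[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# keys_for_role ROLE: boolean switches that apply to each server role,
# following the procedures in this guide.
keys_for_role() {
    case $1 in
        detailview) echo "realtimemonitoring.verify.tls.certificate commonservice.verify.tls.certificate host.header.validation.enabled" ;;
        probe)      echo "cmrest.verify.tls.certificate commonservice.verify.tls.certificate host.header.validation.enabled" ;;
        *)          return 1 ;;
    esac
}

# audit_custom_properties FILE ROLE: print one finding per line.
# Returns 0 with no warnings, 1 with warnings, 2 on a usage error.
audit_custom_properties() {
    file=$1
    warnings=0
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }
    keys=$(keys_for_role "${2:-}") || { echo "ERROR role must be detailview or probe"; return 2; }

    for key in $keys; do
        val=$(prop_value "$file" "$key")
        if [ "$val" = "true" ]; then
            echo "OK   $key=true"
        else
            echo "WARN $key is not set to true (found: ${val:-unset})"
            warnings=$((warnings + 1))
        fi
    done

    # Protocol lists are space separated, for example "TLSv1.1 TLSv1.2".
    for key in ssl.mail.smtp.encryption.protocols tls.mail.smtp.encryption.protocols; do
        val=$(prop_value "$file" "$key")
        if [ -z "$val" ]; then
            echo "INFO $key is unset"
            continue
        fi
        for proto in $val; do
            case $proto in
                TLSv1.2|TLSv1.3)
                    echo "OK   $key allows $proto" ;;
                TLSv1|TLSv1.0|TLSv1.1)
                    echo "WARN $key allows deprecated $proto"
                    warnings=$((warnings + 1)) ;;
                *)
                    echo "WARN $key has unrecognised value $proto"
                    warnings=$((warnings + 1)) ;;
            esac
        done
    done

    [ "$warnings" -eq 0 ]
}

# count_warnings FILE ROLE: print the number of WARN findings.
count_warnings() {
    audit_custom_properties "$1" "$2" | grep -c '^WARN' || true
}

# sample_properties: constructed sample input, not taken from a real server.
sample_properties() {
    cat <<'EOF'
realtimemonitoring.verify.tls.certificate=true
commonservice.verify.tls.certificate=false
#host.header.validation.enabled=true
ssl.mail.smtp.encryption.protocols=TLSv1.1 TLSv1.2
tls.mail.smtp.encryption.protocols=TLSv1.2
EOF
}

# Run only when a file and a role are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_custom_properties "$1" "$2"
fi
```

The same protocol check can be pointed at aam.system.properties or hdebug.system.properties, which use the same two property names for AAM alerts; the role switches then report as unset.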
By default, the Analyzer detail view server supports TLS v1.3 for SMTPS and STARTTLS protocols for the UI alerts. If you want to use TLS v1.2, v1.1, or v1.0, follow this procedure.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer detail view server and Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the following services on the Analyzer probe server and Analyzer detail view server:
a. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
3. Do the following on the Analyzer detail view server and the Analyzer probe server:
a. Open the smtp.properties file:
vi /usr/local/megha/conf/sys/smtp.properties
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Restricting SMTPS and STARTTLS TLS versions for AAM alerts in Analyzer detail view server and Analyzer probe server
Follow this procedure if you want to use a specific TLS version for SMTPS and STARTTLS communication for AAM alerts.
Note:
The Analyzer detail view server supports TLS versions 1.0, 1.1, 1.2, and 1.3 for SMTPS and STARTTLS.
The following communication methods are supported:
SSL: SMTPS
TLS: STARTTLS
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/dbgUtils/bin/manage-aam.sh stop
5. Verify that the crond, megha, and AAM services are stopped:
service crond status
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/dbgUtils/bin/manage-aam.sh status
6. Navigate to the /usr/local/megha/dbgUtils/conf/ directory.
7. Create a backup of the aam.system.properties and hdebug.system.properties files using the following commands:
cp /usr/local/megha/dbgUtils/conf/aam.system.properties /usr/local/megha/dbgUtils/conf/backup20220906_aam_backup.system.properties
cp /usr/local/megha/dbgUtils/conf/hdebug.system.properties /usr/local/megha/dbgUtils/conf/backup20220906_hdebug_backup.system.properties
8. Edit the aam.system.properties and hdebug.system.properties files and add the following properties as required:
If you want to use the SMTPS protocol, add the following property:
ssl.mail.smtp.encryption.protocols=Protocol_version_1 Protocol_version_n
For example:
ssl.mail.smtp.encryption.protocols=TLSv1.2 TLSv1.1
If you want to use the STARTTLS protocol, add the following property:
tls.mail.smtp.encryption.protocols=Protocol_version_1 Protocol_version_n
For example:
tls.mail.smtp.encryption.protocols=TLSv1.2 TLSv1.1
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/dbgUtils/bin/manage-aam.sh start
13. Verify that the crond, megha, and AAM services are started:
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/dbgUtils/bin/manage-aam.sh status
Note: Red Hat Enterprise Linux 8 and Oracle Linux 8 have disabled TLS 1.0 and TLS 1.1 protocols in the default crypto policies. If you want to enable TLS 1.0 or TLS 1.1,
refer to the Operating System documentation for more information.
Updating TLS version for Analyzer detail view server and Analyzer probe server AAM alerts
By default, the Analyzer detail view server and Analyzer probe server support TLS v1.3 for the SMTPS and STARTTLS protocols for AAM alerts. If you want to use TLS v1.2, v1.1, or
v1.0, follow this procedure.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services
1. Log on to the Analyzer detail view server and Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the following services on the Analyzer probe server and Analyzer detail view server:
a. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/dbgUtils/bin/manage-aam.sh stop
d. Verify that the crond, megha, and AAM services are stopped:
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/dbgUtils/bin/manage-aam.sh status
3. Do the following on the Analyzer detail view server and the Analyzer probe server:
a. Open the hdebug.system.properties file:
/usr/local/megha/dbgUtils/conf/hdebug.system.properties
/usr/local/megha/dbgUtils/conf/aam.system.properties
d. Remove the TLSv1.3 value from the following properties:
tls.mail.smtp.encryption.protocols
ssl.mail.smtp.encryption.protocols
4. Start the following services on the Analyzer probe server and Analyzer detail view server:
a. Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/dbgUtils/bin/manage-aam.sh start
d. Verify that the crond, megha, and AAM services are started:
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/dbgUtils/bin/manage-aam.sh status
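Both procedures above edit the same two properties, so a quick check of what the files actually permit is useful before restarting the services. The following is an added example, not part of the guide or the product: the function names are hypothetical, the sample file is constructed, and treating anything below TLSv1.2 as needing review is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the guide): report SMTP TLS protocol versions below
# TLSv1.2 in aam.system.properties / hdebug.system.properties.
# Property names are the guide's; the TLSv1.2 floor is this example's assumption.
# Usage after sourcing: audit_smtp_tls /usr/local/megha/dbgUtils/conf/aam.system.properties

# Print the value of property $2 in file $1 (the last assignment wins).
prop_value() {
    awk -v key="$2" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^[ \t]*[#!]/ { next }                   # skip comment lines
        {
            sep = index($0, "=")
            if (sep == 0) next
            k = substr($0, 1, sep - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = substr($0, sep + 1); found = 1 }
        }
        END {
            if (found) { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
        }
    ' "$1"
}

# Print "property protocol" for every listed protocol below TLSv1.2 in file $1.
weak_smtp_protocols() (
    set -f    # values are split on whitespace; never glob-expand them
    for key in ssl.mail.smtp.encryption.protocols tls.mail.smtp.encryption.protocols; do
        for proto in $(prop_value "$1" "$key"); do
            case "$proto" in
                TLSv1.2|TLSv1.3) ;;
                *) printf '%s %s\n' "$key" "$proto" ;;
            esac
        done
    done
)

# Audit each file given; return 1 if any of them lists a protocol below TLSv1.2.
audit_smtp_tls() {
    status=0
    for file in "$@"; do
        findings=$(weak_smtp_protocols "$file")
        if [ -n "$findings" ]; then
            printf '%s\n' "$findings" | while read -r key proto; do
                printf 'WEAK %s: %s lists %s\n' "$file" "$key" "$proto"
            done
            status=1
        fi
    done
    return "$status"
}

# Constructed sample that mirrors the guide's example values (not a real config).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
ssl.mail.smtp.encryption.protocols=TLSv1.2 TLSv1.1
tls.mail.smtp.encryption.protocols=TLSv1.3 TLSv1.2
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_smtp_tls "$sample" || echo "review the entries above"
rm -f "$sample"
```

A property that is absent from the file produces no finding, because the check only reports protocols that are explicitly listed.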
By default, the Analyzer Windows probe supports the following SFTP client parameters for communication:
Encryption algorithm: aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc, aes128-ctr, 3des-ctr, aes192-ctr, aes256-ctr
MAC algorithm: [email protected], [email protected], hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96
If you want to use a specific subset of supported SFTP client parameters, you must follow this procedure.
5. Enter the SFTP client parameters that you want to use for the communication.
For example:
Kex algorithm:
sftp.keyexchangealgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
sftp.hostkeyalgorithms=ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ssh-rsa
Encryption algorithm:
sftp.ciphers=aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,3des-ctr,aes192-ctr,aes256-ctr
MAC algorithm:
sftp.macs=hmac-sha2-512,hmac-sha2-256
Compression algorithm:
sftp.negotiatecompression=false
Start and stop the Ops Center Analyzer services with the hcmds64srv command.
You must have root permission.
Common-component-installation-directory/bin/hcmds64srv -start
Note:
To stop or start only the Analyzer server services when the Common component services are running, specify -server AnalyticsWebService.
When you restart the Analyzer server services, the status of monitored resources can be delayed for 5 minutes or longer. During this time, the status displays as Unknown.
Note:
To stop or start only the Analyzer server services when the Common component service is running, specify -server AnalyticsWebService.
When you restart the Analyzer server services, the status of monitored resources can be delayed for 5 minutes or longer. During this time, the status displays as Unknown.
Starting the Analyzer detail view server or Analyzer probe server services
Start the Analyzer detail view server or Analyzer probe server services by editing crontab.
/usr/local/megha/bin/megha-jetty.sh status
Stopping the Analyzer detail view server or Analyzer probe server services
Stop the Analyzer detail view server or Analyzer probe server services by editing crontab.
Log on to the Analyzer detail view server or Analyzer probe server as the megha user.
sudo /usr/local/megha/bin/stop-all-services.sh
/usr/local/megha/bin/megha-jetty.sh status
Start the RAID Agent services when creating or deleting an instance environment for RAID Agent.
Log on with root permission (Linux) or Administrator permission (Windows) to the host where RAID Agent is installed.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
Procedure
To start services manually:
In Windows
2. If you are starting the services after performing a restore operation, check the RAID Agent log file htmRestDbEngineMessage<number>.log to make sure that the
KATR13248-E message is not logged before the KATR13244-I message is generated.
Note that it might take about one hour from when the RAID Agent service starts until the KATR13244-I message is generated.
If the KATR13248-E message is logged, RAID Agent restoration might have failed. Check whether the prerequisites for restoration are met. If there is a problem,
restore the entire RAID Agent system again.
In Linux
/opt/jp1pc/htnm/logs
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\logs
Setting automatic starting and stopping of the RAID Agent services (Linux)
Note: For RAID Agent (Windows), automatic service start is enabled by default.
1. From the Windows Start menu, select Administrative Tools > Services.
2. Select the Windows service whose settings you want to change. To disable automatic service start, you must change the following service settings:
Ops Center Analyzer RAID Agent - Status Server
Ops Center Analyzer RAID Agent - Action Handler
Ops Center Analyzer RAID Agent - Agent REST Web Service
Ops Center Analyzer RAID Agent - Agent REST Application Service
Ops Center Analyzer RAID Agent instance-name*
Ops Center Analyzer RAID Agent Store instance-name*
Note: Do not change the service account settings. If you do, the service might not operate properly.
Log on with root permission (Linux) or Administrator permission (Windows) to the host where RAID Agent is installed.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
Procedure
In Linux
In Windows
Setting automatic starting and stopping of the RAID Agent services (Linux)
Note: For RAID Agent (Windows), automatic service stop is enabled by default.
Setting automatic starting and stopping of the RAID Agent services (Linux)
Use the following procedure to enable or disable automatic starting and stopping of the RAID Agent services.
If you enable automatic stopping of the services, you must also enable automatic starting. Also, if you enable automatic starting of the services, you must also enable automatic
stopping.
Log on with root permission (Linux) to the host where RAID Agent is installed.
Procedure
To enable automatic starting and stopping:
2. Run the following command and verify that the services have stopped.
3. Set up the service automatic start script file (jpc_start) for the RAID Agent by copying the .model file (jpc_start.model) of the service automatic start script and
adding execute permission as follows:
cp -a /opt/jp1pc/jpc_start.model /opt/jp1pc/jpc_start
chmod 500 /opt/jp1pc/jpc_start
4. Set up the service automatic stop script file (jpc_stop) for the RAID Agent by copying the .model file (jpc_stop.model) of the service automatic stop script and
adding execute permission as follows:
cp -a /opt/jp1pc/jpc_stop.model /opt/jp1pc/jpc_stop
chmod 500 /opt/jp1pc/jpc_stop
5. Run the following command to enable automatic starting and stopping of the RAID Agent REST Application Service and the RAID Agent REST Web Service.
2. Run the following command and verify that the services have stopped.
3. Run the following command to disable automatic starting and stopping the following services:
Agent Collector, Agent Store, Status Server, Action Handler
/bin/rm /opt/jp1pc/jpc_start
/bin/rm /opt/jp1pc/jpc_stop
4. Run the following command to disable automatic starting and stopping of RAID Agent REST Application Service and RAID Agent REST Web Service.
1. Log on as root on the host where Virtual Storage Software Agent is installed.
2. Run the following command:
1. Log on as root on the host where Virtual Storage Software Agent is installed.
2. Run the following command:
In Linux
systemctl start analyzer-granular-data-collection-api
In Windows
a. Open the Windows Services window.
b. Right-click On-demand real time monitoring module and then select Start.
In Linux
In Windows
For a host where Analyzer server is installed, you can change the host name, IP address, time settings, format of syslog output, and the port number used for connecting with the
Analyzer server.
After stopping Analyzer server services by running the hcmds64srv command, change the host name of the Analyzer server.
1. To stop the Analyzer server services, run the hcmds64srv command with the stop option.
2. Change the host name on the OS of the Analyzer server.
3. Change the host name specified in ServerName in the following file.
Common-component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf
Analyzer-server-installation-directory/Analytics/conf/command_user.properties
5. If Ops Center Analyzer is registered with Common Services by using a host name, run the setupcommonservice command to update the host name:
Common-component-installation-directory/conf/exauth.properties
9. If Ops Center Automator is connected with the Analyzer server and the Analyzer server is set as the primary server, perform the following procedure on the host on which
Ops Center Automator is installed to apply the changed host name.
a. Run the hcmds64prmset command to change the Common component settings.
b. Restart Ops Center Automator.
After stopping Analyzer server services by running the hcmds64srv command, change the IP address of the Analyzer server.
1. To stop Analyzer server services, run the hcmds64srv command with the stop option.
2. Change the IP address on the OS of the Analyzer server.
3. If Ops Center Analyzer is registered with Common Services by using an IP address, run the setupcommonservice command to update the IP address.
Common-component-installation-directory/conf/exauth.properties
7. If Ops Center Automator is connected with the Analyzer server and the Analyzer server is set as the primary server, perform the following procedure on the host on which
Ops Center Automator is installed to apply the changed IP address.
a. Run the hcmds64prmset command to change the Common component settings.
b. Restart Ops Center Automator.
Changing the port number used between Analyzer server and the web browser
To change the port number used between Analyzer server and the web browser, change the port numbers specified in the definition files, then register the firewall exceptions.
If SSL communication is used between the Analyzer server and the web browser, see Changing the SSL port number between the Analyzer server and a web browser.
1. To stop Analyzer server services, run the hcmds64srv command with the stop option.
2. Change the port numbers in the following definition files:
Common-component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf
Change the following three lines. The default port number is 22015.
#Listen [::]:22015
Listen 22015
#Listen 127.0.0.1:22015
Analyzer-server-installation-directory/Analytics/conf/command_user.properties
command.http.port = 22015
The following shows an example of specifying the service name in the default zone and enabling the settings even after the OS is restarted:
The following shows an example of specifying a combination of the port number and protocol in the default zone and enabling the settings even after the OS is
restarted:
Note:
For port-number, specify the port number to use in Analyzer server.
For protocol, specify tcp or udp.
4. To start the Analyzer server services, run the hcmds64srv command with the start option.
5. If Ops Center Automator is connected with the Analyzer server and the Analyzer server is set as the primary server, perform the following procedure on the host on which
Ops Center Automator is installed to apply the changed port number.
a. To change the Common component settings, run the hcmds64prmset command.
b. Restart Ops Center Automator.
Changing the SSL port number between the Analyzer server and a web browser
To change the port number for SSL Communication, change the port numbers specified in the definition files, then register the firewall exceptions.
1. To stop the Analyzer server services, run the hcmds64srv command with the stop option.
2. Change the port numbers in the following definition files:
Common-component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf
Change the following three lines. The default port number is 22016.
#Listen [::]:22016
Listen 22016
<VirtualHost *:22016>
Analyzer-server-installation-directory/Analytics/conf/command_user.properties
command.https.port = 22016
The following shows an example of specifying the service name in the default zone and enabling the settings even after the OS is restarted:
The following shows an example of specifying a combination of the port number and protocol in the default zone and enabling the settings even after the OS is
restarted:
Note:
For port-number, specify the port number to use in Analyzer server.
For protocol, specify tcp or udp.
4. If you are using Common Services, run the setupcommonservice command to update the port number.
5. To start the Analyzer server services, run the hcmds64srv command with the start option.
6. If Ops Center Automator is connected with the Analyzer server and the Analyzer server is set as the primary server, perform the following procedure on the host on which
Ops Center Automator is installed to apply the changed port number.
a. Run the hcmds64prmset command to change the Common component settings.
b. Restart Ops Center Automator.
Changing the port number used between Analyzer server and Common component
To change the port number used between the Analyzer server and Common component, edit the definition files.
1. To stop the Analyzer server services, run the hcmds64srv command with the stop option.
2. Edit the following definition files:
Common-component-installation-directory/uCPSB11/httpsd/conf/reverse_proxy.conf
Change the port number (27100) in the following lines to a port number that is not used for anything else:
Common-component-installation-directory/uCPSB11/CC/server/usrconf/ejb/AnalyticsWebService/usrconf.properties
Change the port numbers (27100, 27102, 27103, and 27104) in the following lines to a port number that is not used for anything else:
webserver.connector.nio_http.port=27100
ejbserver.http.port=27102
ejbserver.rmi.remote.listener.port=27103
ejbserver.rmi.naming.port=27104
3. To start the Analyzer server services, run the hcmds64srv command with the start option.
Changing the port number between Analyzer server and the SMTP server
You can change the port number used between Analyzer server and the SMTP server in the Email Server Settings window.
Stop the Analyzer server services using the hcmds64srv command, and then change the time settings of the Analyzer server.
1. To stop the Analyzer server services, run the hcmds64srv command with the stop option.
2. Change the time setting of the Analyzer server.
If you change the server time to a time that is earlier than the current server time, wait until the new server time exceeds the previous server time (the server time before you
changed the settings).
3. To start the Analyzer server services, run the hcmds64srv command with the start option.
When using Analyzer server, you can output records of user operations to syslog.
syslog-header-message message-part
The format of the syslog-header-message differs depending on the OS environment settings. If necessary, change the settings.
For example, if you use rsyslog and specify the following in /etc/rsyslog.conf, messages are output in a format corresponding to RFC5424:
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
You can use the backup and restore functions to migrate Analyzer components to a different host.
For details, see Overview of Ops Center Analyzer backup and restore.
When the host where Ops Center Automator is installed is set as the primary server and Analyzer server is the secondary server, if you change the host name, IP address, or port
number of the primary server, you must also change this information on the secondary server.
1. Run the hcmds64prmset command to change the settings of the Common component.
When changing the host name or IP address:
Specify either the port option or the sslport option according to the SSL communication setting of Ops Center Automator.
2. Stop and restart the services:
a. Run the hcmds64srv command with the stop option to stop the Analyzer server services.
b. Run the hcmds64srv command with the start option to start the Analyzer server services.
Access to Ops Center Analyzer is only permitted from domains for which communication is explicitly permitted by using the Cross-Origin Resource Sharing (CORS) mechanism. You
do not have to be aware of the settings to directly access Analyzer server using a web browser. However, if you must use cross-domain access, such as when configuring your own
system or services by using the REST API for Ops Center Analyzer, you must use CORS to configure settings for the domain for which communication is to be permitted.
Analyzer-server-installation-directory/Analytics/conf/config_cors_origin.txt
2. Enter each domain for which access is to be permitted on a separate line, such as in the following format. To permit access for all domains, specify an asterisk (*).
http-or-https://host-name-or-IP-address:port-number
Example settings:
http://172.30.195.118:80
https://host2:8080
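Because this file decides which origins may call the REST API from a browser, it is worth linting before the change is applied. The following is an added example, not part of the guide or the product: the function names are hypothetical, the sample entries are constructed around the guide's two examples, and requiring the scheme://host:port form on every line is an assumption taken from the format shown above.

```shell
#!/bin/sh
# Added example (not from the guide): lint config_cors_origin.txt entries.
# Assumes one origin per line in the form scheme://host:port, as the guide shows.
# Usage after sourcing: lint_cors_file <path to config_cors_origin.txt>

# Print a verdict for one entry: ok, blank, wildcard, cleartext or nonconforming.
classify_origin() {
    case "$1" in
        '')  echo blank; return 0 ;;
        '*') echo wildcard; return 0 ;;      # permits access for all domains
    esac
    # host: DNS name, IPv4 address or bracketed IPv6 literal; port is required
    if ! printf '%s\n' "$1" |
        grep -Eq '^https?://([A-Za-z0-9.-]+|\[[0-9A-Fa-f:]+\]):[0-9]{1,5}$'; then
        echo nonconforming; return 0
    fi
    port=${1##*:}
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo nonconforming; return 0
    fi
    case "$1" in
        https://*) echo ok ;;
        *)         echo cleartext ;;         # http:// origin
    esac
}

# Print one line per entry that needs review; return 1 if there is any.
lint_cors_file() {
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # strip a trailing CR and surrounding whitespace
        line=$(printf '%s\n' "$line" | tr -d '\r' |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        verdict=$(classify_origin "$line")
        case "$verdict" in
            ok|blank) ;;
            *) printf 'line %d: %s: %s\n' "$n" "$verdict" "$line"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Constructed sample: the guide's two example entries plus two entries to flag.
write_cors_sample() {
    cat > "$1" <<'EOF'
http://172.30.195.118:80
https://host2:8080
*
https://host3
EOF
}

sample=$(mktemp) && write_cors_sample "$sample"
lint_cors_file "$sample" || echo "entries above need review"
rm -f "$sample"
```

A `wildcard` finding means every origin is permitted, and a `cleartext` finding means the permitted origin is served over HTTP; both are valid settings per the guide and are reported only so that they are deliberate choices.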
You can change the IP address of the host on which Analyzer detail view server is installed, or the port number that is used to connect to Analyzer probe server.
After you change the IP address of the Analyzer detail view server, you must reconfigure the connections with the Analyzer probe server and the Analyzer server.
Change the IP address. For details, see Changing the Analyzer server IP address.
If the Analyzer detail view server and the Analyzer server are installed on different hosts:
2. Reconfigure the connection with the Analyzer probe server. For details, see Updating Analyzer detail view server connection details on the Analyzer probe server.
3. Reconfigure the connection with the Analyzer server. For details, see Reconfiguring the connection with Analyzer detail view server.
4. If Analyzer detail view server is registered with Common Services by using an IP address, run the setupcommonservice command to update the IP address.
Updating Analyzer detail view server connection details on the Analyzer probe server
When the Analyzer detail view server IP address is changed, make sure that you update the new IP address on the Analyzer probe UI. After you update the IP address, the Analyzer
probe server can transfer the data to the Analyzer detail view server. You can also update the authentication type to switch between password-based authentication and key-based
authentication.
If you change the IP address or host name of the Analyzer detail view server, you must reconfigure the connections with the Analyzer server and the Analyzer detail view server.
1. In the Administration tab, select System Settings > Analyzer detail view Server.
2. Click Edit Settings, and specify the Analyzer detail view server information.
Note: Specify the built-in administrator account. If you want to use a different account, specify the account created during the initial setup of the Analyzer detail view server. If
you change the password of the specified user on the Analyzer detail view server, you must also change the same password in Password of the Edit Settings dialog box.
3. Click Check Connection to confirm that the server is connected properly.
If you cannot access the Analyzer detail view server, verify the following:
The certificate is correctly specified on the Analyzer server.
The certificate is not expired.
4. Click OK.
Changing the default SSH port on the Analyzer detail view server
When you use the HTTPS protocol to transfer data from the Analyzer probe server to the Analyzer detail view server and you have configured a non-default SSH port on the
machine where the Analyzer detail view server is installed, make sure that you configure the same non-default port in the Analyzer detail view server to download the Analyzer probe
server data.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the HTTP proxy service by using the command:
sh /usr/local/httpProxy/bin/megha-jetty.sh stop
3. Confirm the HTTP proxy service has stopped by using the command:
sh /usr/local/httpProxy/bin/megha-jetty.sh status
vi /usr/local/httpProxy/conf/target/ftp.properties
FtpPort=Non-default-SSH-Port
For example:
FtpPort=23
sh /usr/local/httpProxy/bin/megha-jetty.sh start
7. Confirm whether the HTTP proxy service has started by using the command:
sh /usr/local/httpProxy/bin/megha-jetty.sh status
If you want to use a newer version of Amazon Corretto 17, complete the following procedure to upgrade.
Check the Release Notes for the Amazon Corretto 17 versions supported by the Analyzer detail view server.
1. Check the Amazon Corretto 17 version installed on the Analyzer detail view server host.
Note:
If another product on the same host also uses Amazon Corretto 17, verify which versions are supported and whether an upgrade will cause an issue. If a problem
might occur, do not upgrade Amazon Corretto. Alternatively, install the Analyzer detail view server on a different host.
If the version is the latest supported by the Analyzer detail view server, you do not need to do anything.
2. From the Amazon Corretto site, download the latest JDK version supported by the Analyzer detail view server.
3. If Common Services v10.9.2 or later is installed on the same host as the Analyzer detail view server, stop the services of Common Services.
4. If another product that uses Amazon Corretto 17 is installed on the same host, stop it as needed.
5. Stop the Analyzer server and the Analyzer detail view server services.
Note: If you are using Analyzer viewpoint, also stop the Analyzer viewpoint services.
6. Run the RPM command to upgrade Amazon Corretto 17:
7. Start the Analyzer server and the Analyzer detail view server services.
Note: If you are using Analyzer viewpoint, also start the Analyzer viewpoint services.
8. If Common Services v10.9.2 or later is installed on the same host as the Analyzer detail view server, start the services of Common Services.
9. If another product that uses Amazon Corretto 17 is installed on the same host, start it as needed.
When searching resources in the Global search field, the operation might time out if it takes longer than the default time (15 minutes) to display the result. Follow this procedure to
increase the default timeout value on the Analyzer detail view server.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
service crond stop
3. Stop all the services using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Confirm the crond and megha services have been stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
For example:
cp /usr/local/megha/conf/custom.properties backup_custom_backup.properties
vi /usr/local/megha/conf/custom.properties
tree.search.timeout=Timeout_value_in_milliseconds
For example:
tree.search.timeout=1200000
Note: The timeout value must be more than 900000 milliseconds (15 minutes).
8. Save the file and exit.
9. Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
11. Confirm the crond and megha services have been started using the commands:
/usr/local/megha/bin/megha-jetty.sh status
Enabling snapshot size data collection using the Hitachi NAS probe
By default, the Hitachi NAS probe does not collect the Hitachi NAS File System resource snapshot size data from Analyzer probe v10.8.0-00 or later. To collect the snapshot size
data, you must enable data collection on the Analyzer probe. However, enabling the data collection might cause the Hitachi NAS system reboot problem. For best results, enable
snapshot size data collection only if the system reboot problem has been fixed in your target Hitachi NAS system.
To enable the snapshot size data collection, configure the properties described here.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Confirm the crond and megha services have been stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/backup_custom_backup.properties
vi /usr/local/megha/conf/custom.properties
hnas_snapshot-size.data.collection=true
/usr/local/megha/bin/megha-jetty.sh start
11. Confirm the crond and megha services have been started using the commands:
/usr/local/megha/bin/megha-jetty.sh status
service crond status
Enabling snapshot size data collection using the Hitachi NAS (REST API) probe
By default, the Hitachi NAS (REST API) probe does not collect the Hitachi NAS File System resource snapshot size data. To collect the snapshot size data, you must enable data
collection on the Analyzer probe.
Note: Enabling the data collection might cause the Hitachi NAS system reboot problem. For best results, enable snapshot size data collection only if the system reboot problem has
been fixed in your target Hitachi NAS system.
To enable the snapshot size data collection, configure the properties described here.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Confirm the crond and megha services have been stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/backup_custom_backup.properties
vi /usr/local/megha/conf/custom.properties
hnas.rest.snapshot.size.data.collection=true
/usr/local/megha/bin/megha-jetty.sh start
11. Confirm the crond and megha services have been started using the commands:
/usr/local/megha/bin/megha-jetty.sh status
service crond status
Changing the port for On-demand real time monitoring of Hitachi Enterprise Storage
By default, port 24262 is used for communication between the Analyzer detail view server and RAID Agent server for On-demand real time monitoring. To change this default, you
must configure properties in the Analyzer detail view server.
If the Analyzer detail view server is receiving data from multiple RAID Agent servers and you want to configure a separate port for each server, you need to know the RAID Agent
server IP addresses available in the Analyzer detail view server. To identify the IP addresses, do the following:
For example:
6. In the View Result window, click the desired resource in the Resource column.
The RAID Agent server IP address is displayed in the RAID Agent Host column.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/custom_orig.properties
5. Edit the custom.properties file.
vi /usr/local/megha/conf/custom.properties
default.raidAgent.port=port_Number
For example:
default.raidAgent.port=25663
If you want to use a different port to communicate with each RAID Agent server, add a separate entry for each server as follows:
RAID_Agent_Server_IP_address.raidAgent.port=Port_Number
For example:
192.168.100.52.raidAgent.port=80
192.168.20.27.raidAgent.port=89
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
Use these procedures to change system information such as the host name of the Analyzer probe server, the IP address of the Analyzer probe server, the port number used by the
RAID Agent, or the port number used by the RAID Agent REST Web Service.
Changing the Analyzer probe server host name when the Hitachi Enterprise Storage probe is added
Change the host name of the host where the Analyzer probe server is installed. Because RAID Agent is also installed on the host where the Analyzer probe server is installed, you
must also change the host name by performing the following procedure if the Hitachi Enterprise Storage probe is added.
1. Perform the following steps to stop the Analyzer probe server services:
a. Run the following command:
crontab -e
b. At the beginning of each line in the standard schedule that was output for the Analyzer probe server, add a hash mark (#) to comment out each line:
/usr/local/megha/bin/megha-jetty.sh stop
3. Change the monitoring host name of the RAID Agent. The monitoring host name refers to the unique host name that is used to identify internal RAID Agent services.
Run the jpcconf host hostname command to change the monitoring host name.
The following example of the command changes the physical host name to host02:
Do not run any other commands while running the jpcconf host hostname command.
Tip: If the command fails, the RAID Agent configuration file is stored in the directory specified for the -d option of the jpcconf host hostname command. Collect all of the
stored configuration files, and then contact the system administrator or Hitachi Vantara Support.
4. Edit the htnm_httpsd.conf file to specify the new host name of the Analyzer probe server for the ServerName directive in the first line and the ServerName directive in the
VirtualHost tag. Make sure that you specify the same name (case sensitive) for the physical host.
/opt/jp1pc/htnm/Rest/config/htnm_httpsd.conf
5. If the servers that can access RAID Agent are limited (the access source restriction function is configured), change the host name of the Analyzer probe server defined in the
htnm_httpsd.conf file to the new host name.
6. Change the physical host name of the host on which Analyzer probe server is installed.
7. The host name of the host on which Analyzer probe server is installed must resolve to its IP address. After changing the physical host name, check the
hosts file or the domain name system (DNS) server configuration of the host on which Analyzer probe server is installed.
8. If Analyzer probe server is registered with Common Services by using a host name, run the setupcommonservice command to update the host name:
9. Run the following command to start the RAID Agent services.
Note: If the service automatic startup script is configured, when you restart the OS after changing the host name, the services will start automatically.
10. Perform the following steps to start the Analyzer probe server services:
a. Run the following command:
crontab -e
b. Delete the hash marks (#) from the beginning of each line in the standard schedule that generates output for the Analyzer probe server:
/usr/local/megha/bin/megha-jetty.sh start
Changing the Analyzer probe server host name when the Hitachi Enterprise Storage probe is not added
1. Perform the following steps to stop the Analyzer probe server services:
a. Run the following command:
crontab -e
b. At the beginning of each line in the standard schedule that was output for the Analyzer probe server, add a hash mark (#) to comment out each line:
/usr/local/megha/bin/megha-jetty.sh stop
2. Change the physical host name of the host on which Analyzer probe server is installed.
3. (Optional) Edit the htnm_httpsd.conf file to specify the new host name of the Analyzer probe server for the ServerName directive in the first line and the ServerName directive
in the VirtualHost tag.
In preparation for adding the Hitachi Enterprise Storage probe in the future, perform this step for best results. Make sure that you specify the same host name (case
sensitive).
/opt/jp1pc/htnm/Rest/config/htnm_httpsd.conf
4. If Analyzer probe server is registered with Common Services by using a host name, run the setupcommonservice command to update the host name:
5. Perform the following steps to start the Analyzer probe server services:
a. Run the following command:
crontab -e
b. Delete the hash marks (#) from the beginning of each line in the standard schedule that generates output for the Analyzer probe server:
/usr/local/megha/bin/megha-jetty.sh start
6. Log on to Analyzer detail view server, and then verify that data is collected.
a. Log on to Analyzer detail view server.
b. Click the Server Status icon.
c. Verify that the probe appears in Last Configuration Import Time and Last Performance Import Time of Data Import Status, and that data is collected.
Note: It might take some time before the probe appears in the Analyzer detail view server GUI.
7. Log on to Analyzer server, and then verify that the resources are ready to be analyzed.
a. Log on to Analyzer server.
b. In the Administration tab, select Resource Management.
c. Verify that the resources collected by the probe appear and are ready to be analyzed by Analyzer server.
Note: It might take some time before the resources collected by the probe appear in the Analyzer server GUI.
Changing the Analyzer probe server IP address when the Hitachi Enterprise Storage probe is added
Change the IP address of the host where the Analyzer probe server is installed. Because RAID Agent is also installed on the host where the Analyzer probe server is installed,
change the IP address by performing the following procedure if the Hitachi Enterprise Storage probe is added.
1. Perform the following steps to stop the Analyzer probe server services:
a. Run the following command:
crontab -e
b. At the beginning of each line in the standard schedule that was output for the Analyzer probe server, add a hash mark (#) to comment out each line:
/usr/local/megha/bin/megha-jetty.sh stop
3. Change the IP address of the host on which Analyzer probe server is installed.
4. Verify that the IP address can be resolved from the host name of the host on which Analyzer probe server is installed.
5. When Granular Data Collection is enabled, change the IP address of the RAID Agent host defined in the storage_agent_map.txt file to the new IP address.
6. If the servers that can access RAID Agent are limited (the access source restriction function is configured), change the IP address of the Analyzer probe server defined in the
htnm_httpsd.conf file to the new IP address.
7. If Analyzer probe server is registered with Common Services by using an IP address, run the setupcommonservice command to update the IP address.
9. Perform the following steps to start the Analyzer probe server services:
a. Run the following command:
crontab -e
b. Delete the hash marks (#) from the beginning of each line in the standard schedule that generates output for the Analyzer probe server:
/usr/local/megha/bin/megha-jetty.sh start
Change the IP address by performing the following procedure if the Hitachi Enterprise Storage probe is not added.
1. Perform the following steps to stop the Analyzer probe server services:
a. Run the following command:
crontab -e
b. At the beginning of each line in the standard schedule that was output for the Analyzer probe server, add a hash mark (#) to comment out each line:
/usr/local/megha/bin/megha-jetty.sh stop
2. Change the IP address of the host on which Analyzer probe server is installed.
3. If Analyzer probe server is registered with Common Services by using an IP address, run the setupcommonservice command to update the IP address.
4. Perform the following steps to start the Analyzer probe server services:
a. Run the following command:
crontab -e
b. Delete the hash marks (#) from the beginning of each line in the standard schedule that generates output for the Analyzer probe server:
/usr/local/megha/bin/megha-jetty.sh start
5. Log on to Analyzer detail view server, and then verify that data is collected.
a. Log on to Analyzer detail view server.
b. Click the Server Status icon.
c. Verify that the probe appears in Last Configuration Import Time and Last Performance Import Time of Data Import Status, and that data is collected.
Note: It might take some time before the probe appears in the Analyzer detail view server GUI.
6. Log on to Analyzer server, and then verify that the resources are ready to be analyzed.
a. Log on to Analyzer server.
b. In the Administration tab, select Resource Management.
c. Verify that the resources collected by the probe appear and are ready to be analyzed by Analyzer server.
Note: It might take some time before the resources collected by the probe appear in the Analyzer server GUI.
You must set the Canonical/Standard time zone on the Analyzer probe server.
1. Log on to the Analyzer probe server through an SSH client (such as PuTTY) as a root user.
2. Run the following command to check the time zone:
Sample output:
The Asia/Bahrain time zone in the above sample output is not a Standard/Canonical time zone. Its corresponding Canonical/Standard time zone is Asia/Qatar.
For example:
4. Run the following command to verify whether the time zone is changed to Canonical/Standard time zone:
Sample output:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
/usr/local/megha/bin/megha-jetty.sh start
If you want to use a newer version of Amazon Corretto 17, complete the following procedure to upgrade.
Check the Release Notes for the Amazon Corretto 17 versions supported by the Analyzer probe server.
1. Check the Amazon Corretto 17 version installed on the Analyzer probe server host.
Note:
If another product on the same host also uses Amazon Corretto 17, verify which versions are supported and whether an upgrade will cause an issue. If a problem
might occur, do not upgrade Amazon Corretto. Alternatively, install the Analyzer probe server on a different host.
If the version is the latest supported by the Analyzer probe server, you do not need to do anything.
2. From the Amazon Corretto site, download the latest JDK version supported by the Analyzer probe server.
3. If Common Services v10.9.2 or later is installed on the same host as the Analyzer probe server, stop the services of Common Services.
4. If another product that uses Amazon Corretto 17 is installed on the same host, stop it as needed.
5. Stop the Analyzer probe server service.
6. Run the RPM command to upgrade Amazon Corretto 17:
9. If another product that uses Amazon Corretto 17 is installed on the same host, start it as needed.
To change the port number for each service used by the RAID Agent, use the jpcnsconfig port command.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
In Linux
In Windows
3. Configure a port number for each service. If the jpcnsconfig port command is run, the system displays the currently configured port number.
For example, the system displays the following if the port number 22285 is currently configured for the Name Server service:
Component[Name Server]
ServiceID[PN1001]
Port[22285] :
Tasks in this procedure might vary depending on how you set the port number. The following table shows port number settings and related tasks. Unless the port numbers
conflict in the system, use the port numbers that are displayed when you run the jpcnsconfig port command.
Setting | Task
When using the number displayed as a fixed port number as is | Press Enter.
In Windows
If <error> is displayed in either the Services column or the Port column, it means that an invalid port number is configured. Reset the port number. If an error still results, the
following causes are possible:
If you use the jpcnsconfig port command to display the Status Server port number or to set the Status Server port number to 22350, the following message is
displayed:
For the jpcnsconfig port command with the list option specified:
KAVE05919-E The port number is not registered correctly in the services file.
For the jpcnsconfig port command with the define option specified:
CodeMeter 22350/tcp
This entry is the default, regardless of whether the CodeMeter is actually installed. Check whether the CodeMeter is being used. If it is not being used, comment out
the text. If the CodeMeter is being used or the port number is registered for a different product, make sure that there are no conflicting port numbers on the server.
5. Run the following command to start the RAID Agent services:
Changing the port number of the RAID Agent REST Web Service
When a port number of the RAID Agent REST Web Service is changed, you must apply the new port number to the Hitachi Enterprise Storage probe and the Analyzer server.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
Note that to change the port number, open the relevant file shown in the following table by using a text editor.
Default port number: 24221 (Access port for RAID Agent REST Web Service for non-SSL communication)
Procedure for changing the port number (Linux): Change the port number in the Listen directive in the following file: /opt/jp1pc/htnm/Rest/config/htnm_httpsd.conf
Procedure for changing the port number (Windows): Change the port number in the Listen directive in the following file: RA folder\raid_agent\jp1pc\htnm\Rest\config\htnm_httpsd.conf
Default port number: 24222 (Access port for RAID Agent REST Web Service for SSL communication)
Procedure for changing the port number (Linux): Change both the port number in the Listen directive and the port number in the VirtualHost tag in the following file: /opt/jp1pc/htnm/Rest/config/htnm_httpsd.conf
Procedure for changing the port number (Windows): Change both the port number in the Listen directive and the port numb following file: RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\Res
Default port number: 24223 (Port number for RAID Agent REST Application Service)
Procedure for changing the port number (Linux): Change the values for the following properties. You must specify the same value for both properties:
The ProxyPass and ProxyPassReverse directive property in the /opt/jp1pc/htnm/Rest/config/htnm_httpsd.conf file
The webserver.connector.nio_http.port property in the /opt/jp1pc/htnm/HBasePSB/CC/server/usrconf/ejb/AgentRESTService/usrconf.properties file
Procedure for changing the port number (Windows): Change the values for the following properties. You must specify the sa
The ProxyPass and ProxyPassReverse directive property in folder\raid_agent\jp1pc\htnm\Rest\config\htnm_httpsd.conf file
The webserver.connector.nio_http.port property in the RA folder\raid_agent\jp1pc\htnm\HBasePSB\CC\server\usrconf\ejb\ file
24225 Change the value for the Change the value for the
Application
Service)
24226 Change the value for the Change the value for the
4. When a port number of RAID Agent REST Web Service is changed, you must change the settings of Hitachi Enterprise Storage probe as follows:
a. On the Analyzer probe server home page, click Stop to stop the target probe, and then click Edit.
b. In the Edit Hitachi Enterprise Storage Probe section, enter the access port number of RAID Agent REST Web Service in the RAID Agent Port field. Then, click Next.
c. In the Validating Hitachi Enterprise Storage Probe details window, click Next, and then click OK.
d. In the Status window, in ACTION, click Start to start collecting data.
5. When a port number of RAID Agent REST Web Service is changed, you must perform one of the following operations in Analyzer server:
Manually refresh the RAID Agent list information for Analyzer server.
For details, see the section describing how to refresh the RAID Agent list manually in the Hitachi Ops Center Analyzer REST API Reference Guide.
For details, see Starting and stopping the Ops Center Analyzer services.
To enhance security, you can enable only the trusted servers to access RAID Agent. Edit the htnm_httpsd.conf file to include only the names of the servers that can access RAID
Agent data.
When the Analyzer server analyzes data, the Analyzer probe server accesses performance data in RAID Agent. In addition, when you use API functions that access RAID Agent, the
Analyzer server accesses performance data in RAID Agent.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
In Linux
/opt/jp1pc/htnm/Rest/config/htnm_httpsd.conf
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\Rest\config\htnm_httpsd.conf
3. Register information about the servers that are allowed to connect to the RAID Agent in the last line of the htnm_httpsd.conf file. Information about a server refers to the host
name or IP address of each host on which Analyzer probe server or Analyzer server is installed.
The following shows the format for registering hosts in the htnm_httpsd.conf file:
<Location /TuningAgent>
order allow,deny
allow from host [ host...]
</Location>
Make sure that hosts are written in one of the following formats:
<Location /TuningAgent>
order allow,deny
allow from 127.0.0.1 10.0.0.1
allow from 10.0.0.0/26
</Location>
4. Run the following command to start the RAID Agent services:
Changing the data collection intervals of Analyzer detail view performance metrics
To set alerts for performance metrics on the Analyzer detail view server, the record collection intervals of the Hitachi Enterprise Storage probe and those of RAID Agent must be the
same as or shorter than the alert criteria. Furthermore, the record collection intervals of the Hitachi Enterprise Storage probe must be the same as those of RAID Agent.
1. Check the values that can be set as alert criteria for the Analyzer detail view server. For details, see the Analyzer detail view server Online Help.
2. For performance metrics for which you want to set alerts, refer to the Hitachi Ops Center Analyzer Detail View Metrics Reference Guide and check the record names in RAID
Agent.
3. Change the record collection intervals for the Hitachi Enterprise Storage probe. Refer to Changing the RAID Agent record collection interval for Hitachi Enterprise Storage
probe.
4. Use the collection_config command to change the record collection intervals for RAID Agent. Refer to Changing data collection intervals for RAID Agent.
Changing the RAID Agent record collection interval for Hitachi Enterprise Storage probe
You might need to change the RAID Agent record collection interval for the Hitachi Enterprise Storage probe (for example, to match the interval defined for RAID Agent). In this case,
you must edit the Hitachi Enterprise Storage probe.
1. In the Status window, stop the instance of the Hitachi Enterprise Storage probe.
2. Click the Edit link.
3. In the Edit Hitachi Enterprise Storage Probe window, click the Edit Collection Interval link and change the RAID Agent record collection interval.
4. Click Save and then click Next.
5. In the Validation window, click Next, and then click OK.
6. In the Status window, in Action, click Start.
Use the collection_config command to change data collection intervals for RAID Agent. The data collection interval for the Hitachi Enterprise Storage probe must be the same as for
RAID Agent.
You do not need to change the collection intervals of the Hitachi Enterprise Storage probe for records that are not displayed in the configuration window of the Hitachi Enterprise
Storage probe.
Note:
In Ops Center Analyzer 4.1.0 and later, the command for changing the data collection intervals of RAID Agent is collection_config, not raid_agent_config. The command
raid_agent_config is no longer available.
1. Log on to the host where the RAID Agent is installed. For a Linux host, use an SSH client.
2. Run the following command to check the current settings of data collection intervals.
In Linux
In Windows
You can change the data collection intervals for the records displayed with RW in the Mode column.
The current settings (unit: seconds) of data collection intervals are shown in the Current column.
In Windows
The data collection interval is changed for all instances whose Access Type is the same as the Access Type specified in the -at option.
Note:
Values that can be specified for the -i option vary depending on the record.
Example (Linux):
To delete multiple instance environments, repeat the following procedure for each instance environment.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
1. Log on to the host where the RAID Agent is installed. For a Linux host, use an SSH client.
2. Find the instance name of RAID Agent using this command:
In Linux
/opt/jp1pc/tools/jpcinslist agtd
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\tools\jpcinslist agtd
For example, if the instance name is 35053, the command displays 35053.
3. Run the following command to stop any active RAID Agent services in the instance environment:
In Windows
The following example shows how to delete the instance environment 35053:
If the command is successful, the directories created during instance environment setup are deleted. If a service with the specified instance name is active, a message appears
asking whether the service is to be stopped. If this message appears, stop the service of the applicable instance.
If RAID Agent fails to collect performance information at the specified time, you can prevent this problem by changing the timing of configuration information collection.
By default, if the collection of RAID Agent configuration information takes longer than a minute, the performance data that is collected concurrently might be skipped. However, by
changing the timing of configuration information collection, you can ensure that the performance information collection is not skipped even if the configuration information collection
takes a minute or more.
Note:
RAID Agent collects performance data from storage systems as follows: configuration information is collected as PD records and performance information is collected as PI
records.
To determine whether performance information collection has been skipped, check whether the KAVE00213-W message is output to the log.
In Linux
/opt/jp1pc/log/jpclog01 or /opt/jp1pc/log/jpclog02
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\log\jpclog01 or RAID-Agent-installation-folder\raid_agent\jp1pc\log\jpclog02
You can change the timing of RAID Agent configuration information collection by using the collection time definition file (conf_refresh_times.ini).
Example:
If you do so, you should reexamine the capacity of the virtual memory for the Analyzer probe server.
The following table shows the required capacity of the virtual memory for each monitored storage system.
Storage system to be monitored | Required capacity of the virtual memory (MB)
VSP E series, VSP G350, G370, G700, G900, VSP G1000, G1500, VSP F350, F370, F700, F900, VSP F1500 | 1100
VSP G200, G400, G600, G800, VSP F400, F600, F800 | 450
You can collect the configuration information for the following records at the time defined in the collection time definition file. For PD records other than the following, configuration
information is collected based on the Collection Interval value even if the collection time definition file is enabled:
PD
PD_ELC
PD_HGC
PD_HHGC
PD_LDC
PD_LHGC
PD_LSEC
PD_LWPC
PD_NHC
PD_NNC
PD_NNPC
PD_NSPC
PD_NSSC
PD_PTC
PD_PWPC
PD_RGC
By default, data collection starts on an hourly basis. The collected configuration information is stored in PD records that are generated at the same time.
When the collection time definition file is used, the on-the-hour collection stops, and configuration information is collected only at the times defined in the file. The collected
configuration information is used for the PD records that are generated hourly and for the real-time report until the next time configuration information is collected.
Even if configuration information is collected twice a day at 00:00 and 12:00, the PD records are generated hourly. After configuration information is collected at 00:00, the
information is used for each record generated hourly until the next time configuration information is collected (at 12:00).
CAUTION:
The following notes apply to configuration information:
Changes made to the timing of configuration information collection affect the generation of PI records. The timing of changes in the number of instances for multi-instance
records and in the number of logical devices that are aggregated using the PI_LDA record is synchronized with the timing of changes in the configuration information
collection. Note that this does not apply to PI_CLPS records.
The actual times that configuration information is collected might differ from the times defined in the collection time definition file.
If a time defined in the collection time definition file does not exactly match any of the periodic collection times determined by the Collection Interval value, the actual
collection occurs at the nearest periodic collection time after the defined time.
For example, assume that the minimum Collection Interval value is set to 300 (five minutes) and 12:02 is defined as a configuration information collection time in the
collection time definition file. In this case, configuration information is collected at 12:05 (the same time that performance information is collected).
Create the collection time definition file (conf_refresh_times.ini) after setting up the instance environment but before starting RAID Agent. (You must create a file for each instance.)
The collection time definition files are saved in the following directory or folder.
In Linux
/opt/jp1pc/agtd/agent/instance-name/
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\agtd\agent\instance-name\
You can create the collection time definition file using the sample file (conf_refresh_times.ini.sample) contained in the same directory.
04:30 #for Volume Migration 2
After you create the collection time definition file and save it in the specified directory, start RAID Agent.
Check the logs to determine whether the collection time definition file is enabled and whether it is functioning normally.
RAID Agent logs are stored in one of the following directories or folders.
In Linux
/opt/jp1pc/log/jpclog01 or /opt/jp1pc/log/jpclog02
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\log\jpclog01 or RAID-Agent-installation-folder\raid_agent\jp1pc\log\jpclog02
If the collection of performance information is skipped, the KAVE00213-W message is output to the log file. If you see this message, revise the settings in the collection time
definition file.
The definitions in the collection time definition file are not run if you save the file while RAID Agent is being started or after RAID Agent has started.
Changing the maximum C/T delta value monitored when analyzing Universal Replicator performance
By default, the maximum value of C/T delta is set to 3,600 seconds. If you perform monitoring with the maximum value of C/T delta set to a value greater than the default value, the
amount of memory used by the Analyzer probe server increases. To change the maximum value of C/T delta, edit the collectcommonconfig.ini file.
You can calculate the amount of the increase by using the following formula:
/opt/jp1pc/agtd/agent
[CT_DELTA]
MAX_VALUE=3600
By default, the Linux probe does not collect Linux processes data for a new installation of the Analyzer probe server v10.8.0-00 and later. To collect this data, you must enable
collection on the Analyzer probe. However, enabling the collection of processes data might affect Linux probe data collection and import to Analyzer detail view server. For best
results, enable the collection of processes data if the processes running on the Linux host are not changed frequently and the total process count does not exceed 1000.
Note:
When you upgrade to the Analyzer probe server v10.8.0-00 or later and a Linux probe was already added in a previous version, Linux host processes data collection is
enabled by default. Disable it if you observe problems with Linux probe data collection.
When you upgrade to the Analyzer probe server v10.8.0-00 or later and no Linux probe was added in a previous version, Linux host processes data collection is
disabled by default. You can enable it if required.
1. Log on to the Analyzer probe server through an SSH client (such as PuTTY) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/backup_custom_backup.properties
vi /usr/local/megha/conf/custom.properties
collectHostProcessResource=true
To disable the Linux host processes data collection, add the following property:
collectHostProcessResource=false
8. Save the file and exit.
9. Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
11. Confirm the crond and megha services have been started using the commands:
/usr/local/megha/bin/megha-jetty.sh status
Changing the port number of the On-demand real time monitoring module
To change the port number of the On-demand real time monitoring module, perform the following procedure.
Change the port specified in the GRANULAR_DATA_COLLECTION_API_PORT property to the one you want to use.
Restricting the servers that can access the On-demand real time monitoring module
To enhance security, you can specify that only trusted servers can access the On-demand real time monitoring module. To specify the name of the servers permitted to access the
module, edit the user-granular-data-collection-api.conf file.
3. For the following property file, specify the IP address of each Analyzer detail view server that can access the On-demand real time monitoring module:
/opt/hitachi/Analytics/granular-data-collection-api/conf/user-granular-data-collection-api.conf
Specify the IP addresses as shown in the following example. You can also use CIDR notation for each network. To specify multiple IP addresses, separate them with
commas.
Example:
GRANULAR_DATA_COLLECTION_API_ALLOWED_IP_ADDRESS=127.0.0.1, 127.0.0.2
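The following added example (not part of the Hitachi guide or product code) audits the two allowlists described in this guide, the <Location /TuningAgent> block in htnm_httpsd.conf and the GRANULAR_DATA_COLLECTION_API_ALLOWED_IP_ADDRESS property, by flagging entries that are too broad and confirming that the servers that need access are still covered. The sample file contents, client addresses, function names and the 256-address review threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample: tail of an htnm_httpsd.conf in the format shown in this guide.
SAMPLE_HTTPSD_CONF = """\
Listen 24221
<Location /TuningAgent>
order allow,deny
allow from 127.0.0.1 10.0.0.1
allow from 10.0.0.0/26
</Location>
"""

# Constructed sample: user-granular-data-collection-api.conf with the property from this guide.
SAMPLE_API_CONF = "GRANULAR_DATA_COLLECTION_API_ALLOWED_IP_ADDRESS=127.0.0.1, 127.0.0.2\n"


def parse_location_allow(conf_text, location="/TuningAgent"):
    """Return the 'allow from' entries of the <Location> block, or None if it is absent."""
    entries, inside, found = [], False, False
    opener = re.compile(r"<Location\s+" + re.escape(location) + r"\s*>", re.I)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment line
        if opener.fullmatch(line):
            inside = found = True
        elif line.lower() == "</location>":
            inside = False
        elif inside:
            match = re.match(r"allow\s+from\s+(.+)", line, re.I)
            if match:
                # One directive can carry several space-separated hosts.
                entries.extend(match.group(1).split())
    return entries if found else None


def parse_api_allow(conf_text, key="GRANULAR_DATA_COLLECTION_API_ALLOWED_IP_ADDRESS"):
    """Return the comma-separated entries of the property, or None if it is not set."""
    for raw in conf_text.splitlines():
        name, sep, value = raw.partition("=")
        if sep and name.strip() == key:
            return [item.strip() for item in value.split(",") if item.strip()]
    return None


def audit_allowlist(entries, required_clients, max_addresses=256):
    """Return findings for one allowlist; an empty list means nothing to review.

    required_clients: IP addresses that must keep access (assumed inputs).
    max_addresses: review threshold for wide CIDR ranges (assumed policy value).
    """
    if entries is None:
        return ["no allowlist configured"]
    findings, networks = [], []
    for entry in entries:
        if entry.lower() == "all":
            findings.append("'all' admits every source address")
            continue
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Host names cannot be checked offline; they depend on name resolution.
            findings.append(f"{entry}: host name or partial address, review by hand")
            continue
        networks.append(network)
        if network.num_addresses > max_addresses:
            findings.append(f"{entry}: admits {network.num_addresses} addresses")
    for client in required_clients:
        address = ipaddress.ip_address(client)
        if not any(address in network for network in networks):
            findings.append(f"{client}: required client is not covered by an IP or CIDR entry")
    return findings


if __name__ == "__main__":
    # Constructed addresses standing in for the Analyzer server and detail view server.
    raid_agent = audit_allowlist(parse_location_allow(SAMPLE_HTTPSD_CONF), ["10.0.0.40"])
    on_demand = audit_allowlist(parse_api_allow(SAMPLE_API_CONF), ["10.0.0.1"])
    print("RAID Agent allowlist findings:", raid_agent or "none")
    print("On-demand module allowlist findings:", on_demand or "none")
```

Run it against copies of the two files before restarting the services; entries reported as host names still need a manual check against DNS or the hosts file.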
If you want to use a newer version of Amazon Corretto 8, complete the following procedure to upgrade.
Check the release notes for the Amazon Corretto 8 versions supported by Virtual Storage Software Agent.
1. Check the Amazon Corretto 8 version installed on the Virtual Storage Software Agent host.
Note: If the version is the latest supported by Virtual Storage Software Agent, you do not need to do anything.
2. From the Amazon Corretto site, download the latest JDK version, and then install it on the host where Virtual Storage Software Agent is installed.
3. Run the RPM command to upgrade Amazon Corretto 8.
If you are using RAID Agent on a host where the Analyzer probe server is installed, see Changing the system information of the Analyzer probe server.
Use the following procedure to change the name of a RAID Agent host built on a Windows host.
Run commands from the administrator console. For details, see Command usage guidelines.
2. Disable automatic startup of the services:
a. From the Windows Start menu, select Administrative Tools > Services.
b. Select the Windows service you want to change. To disable automatic startup, you must change the settings of the following services:
Ops Center Analyzer RAID Agent - Status Server
Ops Center Analyzer RAID Agent - Action Handler
Ops Center Analyzer RAID Agent - Agent REST Web Service
Ops Center Analyzer RAID Agent - Agent REST Application Service
Ops Center Analyzer RAID Agent instance-name*
Ops Center Analyzer RAID Agent Store instance-name*
* Displayed only when you created an instance.
c. Select the startup type. To cancel automatic startup, select Manual.
Note: Do not change the service account settings. If you do, the service might not operate properly.
3. Change the monitoring host name of the RAID Agent. This is the unique host name that is used to identify internal RAID Agent services.
Run the jpcconf host hostname command to change the monitoring host name.
Do not run any other commands while running the jpcconf host hostname command.
Tip: If the command fails, the RAID Agent configuration file is stored in the directory specified for the -d option of the jpcconf host hostname command. Collect all of the
stored configuration files and contact the system administrator or Hitachi Vantara Support.
4. Change the host name of the Windows host and restart the host OS.
5. Edit the htnm_httpsd.conf file to specify the new host name (case sensitive) of RAID Agent for the ServerName directive in the first line and for the VirtualHost tag.
The htnm_httpsd.conf file is stored in the following location:
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\Rest\config\htnm_httpsd.conf
Use the following procedure to change the IP address of RAID Agent built on a Windows host.
Run commands from the administrator console. For details, see Command usage guidelines.
To set the RAID Agent time zone, perform the following procedure.
Run commands from the administrator console. For details, see Command usage guidelines.
2. Set the standard time zone. For details, see the documentation for your OS.
3. Run the following command to start the RAID Agent services:
Changing the On-demand real time monitoring module port number (Windows)
To change the port number of the On-demand real time monitoring module, perform the following procedure.
You must have Administrator permission.
Change the port specified in the GRANULAR_DATA_COLLECTION_API_PORT property to the one you want to use.
Restricting access to servers that access On-demand real time monitoring module (Windows)
To enhance security, you can specify that only trusted servers can access the On-demand real time monitoring module. To specify the name of the servers permitted to access the
module, edit the user-granular-data-collection-api.conf file.
Specify the IP addresses as shown in the following example. You can also use CIDR notation for each network. To specify multiple IP addresses, separate them with
commas.
Example:
GRANULAR_DATA_COLLECTION_API_ALLOWED_IP_ADDRESS=127.0.0.1, 127.0.0.2
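The allow-list described here and in the earlier section for Linux can be reviewed before the module is put back into service. The following Python check is an added example, not part of the product or of this guide: it parses the property, reports malformed or overly broad entries, and compares the list with the Analyzer detail view server addresses you supply. The MAX_HOST_BITS threshold, the function names, and the sample addresses are assumptions of the example.

```python
"""Audit GRANULAR_DATA_COLLECTION_API_ALLOWED_IP_ADDRESS (added example)."""
import ipaddress

PROPERTY = "GRANULAR_DATA_COLLECTION_API_ALLOWED_IP_ADDRESS"
# Assumption of this example, not a product rule: an entry wider than a /24
# (IPv4) or /120 (IPv6) is reported as too broad for a per-server allow-list.
MAX_HOST_BITS = 8


def read_property(conf_text):
    """Return the value of every PROPERTY line, in file order."""
    values = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            values.append(value.strip())
    return values


def audit_allow_list(conf_text, detail_view_servers):
    """Compare the allow-list with the detail view servers that need access.

    detail_view_servers: IP address strings taken from your own inventory.
    """
    values = read_property(conf_text)
    if not values:
        raise ValueError(PROPERTY + " is not set")
    report = {
        "duplicate_property": len(values) > 1,  # which line wins is not documented
        "invalid": [],            # not an IP address or CIDR network
        "host_bits_set": [],      # e.g. 198.51.100.7/24 instead of 198.51.100.0/24
        "too_broad": [],          # more than MAX_HOST_BITS host bits
        "unused_entries": [],     # permit no known detail view server
        "uncovered_servers": [],  # detail view servers the list would lock out
    }
    networks = []
    # This example audits the last definition when the property is repeated.
    for entry in (e.strip() for e in values[-1].split(",")):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            report["invalid"].append(entry)
            continue
        if "/" in entry and ipaddress.ip_interface(entry).ip != net.network_address:
            report["host_bits_set"].append(entry)
        if net.max_prefixlen - net.prefixlen > MAX_HOST_BITS:
            report["too_broad"].append(entry)
        networks.append((entry, net))

    servers = [ipaddress.ip_address(s) for s in detail_view_servers]
    for entry, net in networks:
        if not any(ip in net for ip in servers):
            report["unused_entries"].append(entry)
    for ip in servers:
        if not any(ip in net for _, net in networks):
            report["uncovered_servers"].append(str(ip))
    return report


# Constructed sample (documentation address ranges, not values from the guide).
SAMPLE_CONF = (
    "GRANULAR_DATA_COLLECTION_API_ALLOWED_IP_ADDRESS="
    "192.0.2.10, 198.51.100.7/24, 10.0.0.0/8, 203.0.113.300\n"
)
SAMPLE_SERVERS = ["192.0.2.10", "198.51.100.20", "192.0.2.11"]

if __name__ == "__main__":
    for finding, items in audit_allow_list(SAMPLE_CONF, SAMPLE_SERVERS).items():
        print(f"{finding}: {items}")
```

An empty report for every key means each entry is well formed, narrow, and matches a server that actually needs access.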
Managing the Analyzer detail view server and the Analyzer probe server
You can access the Analyzer detail view UI from any supported browser.
For most Analyzer detail view operations, you can access the Analyzer detail view server from the Ops Center Analyzer More Actions menu. Certain management tasks require
logging into the Analyzer detail view server as the admin user instead of using the More Actions menu (which logs into the server as a general user). The management tasks
documented in this guide state when it is necessary to log in as the admin user.
The Status window displays information about all configured probes and includes controls to manage them.
Column Description
STATUS The probe status is displayed in any one of the following four colors:
Stopping/Monitoring Stopped (Black): Probe has stopped monitoring targets or probe is stopping.
ACTION Displayed when the probe is stopped or started. You can perform the following tasks using links in this column:
CONFIGURATION DATA Displays the LAST COLLECTED and NEXT COLLECTION times.
PERFORMANCE DATA Displays the LAST COLLECTED and NEXT COLLECTION times.
The Analyzer probe server configuration is automatically backed up at midnight to the following location on the primary FTP server:
Probe-appliance-ID/probeConfigBackup/ProbeConfigurationBackup_Probe-version.zip.enc.
The backup can be used to migrate the Analyzer probe server to another VM if it is corrupted or otherwise inaccessible. The backup data can only be restored by contacting
Customer Support.
The time of the last backup is displayed in the Status window of the Analyzer probe server. For example:
You can start or stop data collection from the target systems.
You can select multiple probes, and then click Start or Stop. If you want to start or stop all configured probes across all the pages, click the check box in the table header row,
click Select All, and then click Start or Stop.
Editing probes
You can edit the probe details, such as the IP address or password of the target system, or select or deselect the targets for monitoring.
Note:
If any connection details (such as password, port, and so on) are changed on the target device type, the same changes must be made to the respective probes on the
Analyzer probe server to avoid data loss.
Settings may vary according to probe type.
Deleting probes
You can delete a probe when you want to stop monitoring the target system or when the target system is removed from the environment.
Note: If you plan to delete a Hitachi Enterprise Storage probe and again add the probe for the same Hitachi Enterprise storage system target, ensure you provide the same Probe
Name you provided earlier.
You can view the current license information (including the licensed monitoring capacity), or add new licenses.
You can view the current license information, or add new licenses.
The Analyzer probe server collects various log files that are useful for troubleshooting. The Download Diagnostic Data feature provides the facility to download these files in an
archive file. If you cannot resolve the problem, send the generated data file with the error messages to customer support for analysis.
You must update the downloader details on the Analyzer detail view server if any of the following conditions apply:
You are currently downloading the data from an intermediate FTP server and you need to update the connection details for the Analyzer detail view server or intermediate
FTP server.
You are directly uploading data to the Analyzer detail view server (without an intermediate FTP server) and you want to switch between password-based authentication and
key-based authentication.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
5. Run the update FTP configuration script to update the FTP server details:
If you are downloading the data from an intermediate FTP server using the password-based authentication and you want to update the connection details for the
Analyzer detail view server or intermediate FTP server:
To download data of all the Analyzer probe server appliances:
For example:
Note:
The authType, ftpServer, and ftpUsername parameters are mandatory.
You cannot update the value of the ftpServer and ftpUsername parameters.
The value for the authType parameter must be Password-Based to download the data from an intermediate FTP server.
You can update the FTP server password, port, and FTP method. You can update all or one of these details. For example, if you want to update only
the FTP method, enter only the ftpMethod parameter and its value.
If you want to change the password, enter only the ftpPassword parameter. Do not enter any value for it. You can define the password in the next
step.
To download the data of the specific Analyzer probe server appliance:
For example:
Note:
The authType, ftpServer, and ftpUsername parameters are mandatory.
You cannot update the value of the ftpServer and ftpUsername parameters.
The value for the authType parameter must be Password-Based to download the data from an intermediate FTP server.
You can add new appliance IDs or you can remove the existing appliance IDs.
You can update the FTP server password, port, and FTP method. You can update all or one of these details. For example, if you want to update only
the FTP method, enter only the ftpMethod parameter and its value.
You should use the ftpPassword parameter if you are downloading the data from an intermediate FTP server. To change the password, enter only the
ftpPassword parameter. Do not enter any value for it. You can define the password in the next step.
To switch between password-based authentication and key-based authentication:
Switching to key-based authentication:
For example:
Switching to password-based authentication:
For example:
See Configuring key-based authentication for the Analyzer detail view server for more information.
6. Enter the passphrase or blank value if you have provided the keyPassphrase parameter or enter the meghadata user password if you have provided the ftpPassword
parameter.
7. Start the megha service using the following command:
/usr/local/megha/bin/megha-jetty.sh start
The Analyzer detail view captures various types of logs in the /usr/local/megha/logs directory. These logs are important for troubleshooting issues related to user logins, alerts,
email notifications, and so on. You can provide these log details to customer support for advanced troubleshooting.
Log file name | Description | Analyzer detail view server | Analyzer probe server
transaction.log | Contains the logs of the following activities: Note: On the Analyzer probe server, the time zone details are not logged. | ✓ | ✓
upgrade.log | Analyzer detail view upgrade actions including time, status, and results. | ✓ | ✓
user.log | User login, user creation or deletion, user validation, and so on. | ✓ | ✓
Before installing the Analyzer detail view server or Analyzer probe server on a Linux host, the minimum value of the system-wide and user-level limits on the number of open files
must be set to 65535 or greater.
System-wide: 327675
User-level: 262140
1. Log on as follows:
a. If you are installing the Analyzer detail view server or Analyzer probe server for the first time, log on to the Linux machine as root.
b. If you are performing this task post-installation or while upgrading, log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty)
as a root user.
2. Run the following command to check the system-wide kernel limit:
Note: The recommended kernel limit is 327675.
a. Navigate to the /etc directory and create the sysctl.d directory if it does not exist:
mkdir sysctl.d
b. Navigate to the /etc/sysctl.d directory and create the sysctl.conf file if it does not exist.
c. Ensure that the fs.file-max property is present in the sysctl.conf file and the value is set to 65535 or greater.
d. Run the following command to apply the revised configuration:
sysctl -p /etc/sysctl.d/sysctl.conf
3. Run the following command to check the user-level limit:
Note: The recommended user-level limit is 262140.
4. If you changed the system-wide kernel or user-level limits on the Analyzer detail view machine, you must restart the machine.
By default, the password length for local users must be a minimum of 6 characters on the Analyzer probe server and Analyzer detail view server. However, you can increase the
minimum password length to enhance security.
1. Log on to the Analyzer probe server and Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
cp /usr/local/megha/conf/custom.properties /usr/local/megha/conf/backup_custom_backup.properties
vi /usr/local/megha/conf/custom.properties
7. Add the following property and define the minimum password length as required:
login.password.min.length=Minimum_Password_Length
Note: By default, the password length for local users must be a minimum of 6 characters. It must not exceed the maximum password length of 255 characters.
8. Save the file and exit.
9. Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
11. Confirm the crond and megha services have been started using the commands:
/usr/local/megha/bin/megha-jetty.sh status
During the RPM installation, the Analyzer detail view server checks the existing SFTP server subsystem settings in the /etc/ssh/sshd_config file and updates the settings as
follows:
If the SFTP server subsystem setting is configured as sftp /usr/libexec/openssh/sftp-server, the Analyzer detail view server adds the following entries at the end of
the file:
If the SFTP server subsystem setting is configured as sftp internal-sftp, the Analyzer detail view server adds the following entries at the end of the file:
Note: If you make any changes for the SFTP server subsystem setting, make sure that the meghadata entries in the sshd_config file match the account settings for the meghadata
user on the Analyzer detail view server. Restart the Secure Shell Daemon (sshd) service if you make any changes in the sshd_config file.
Custom attributes let you group data based on your organization's infrastructure. The Analyzer probe server includes four attributes: the Data Center and Location attributes at the
Analyzer probe server level, and the Organization and Cost Center attributes at each probe level. This enables you to extend the set of attributes to accommodate information based
on your organization for custom reporting and grouping.
You can query the Analyzer detail view server database using the REST API based on the following attribute IDs:
Sample query:
If you install a new SSL certificate or make any changes to the default SSL certificate, you must restart the HTTP proxy service.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the HTTP proxy service by using the command:
sh /usr/local/httpProxy/bin/megha-jetty.sh stop
3. Confirm the HTTP proxy service has stopped by using the command:
sh /usr/local/httpProxy/bin/megha-jetty.sh status
sh /usr/local/httpProxy/bin/megha-jetty.sh start
5. Confirm whether the HTTP proxy service has started by using the command:
sh /usr/local/httpProxy/bin/megha-jetty.sh status
Changing UID and GID on the Analyzer detail view server and Analyzer probe server
You can change the User Identifier (UID) and Group Identifier (GID) for the megha and meghadata users. When installing the Analyzer detail view server and Analyzer probe server,
the UID and GID are assigned to these users by the operating system.
This is an optional procedure to enhance security.
Note:
The megha user is created for the Analyzer detail view server and Analyzer probe server.
The meghadata user is created only for the Analyzer detail view server.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Verify that the megha and crond services are stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
5. Change the UID and GID of the megha and meghadata users using the commands:
Note:
Make sure that the new UID and GID are available (not assigned to any other existing user or group).
The group of the megha and meghadata users is megha.
For example:
6. Verify the UID and GID of the megha and meghadata users:
id megha
id meghadata
7. Change ownership:
a. Run the following commands to change the ownership of the directories under the installation directory. By default, the Analyzer detail view server is installed at
/data. (The megha and meghadata directories are created in it.) You must change the ownership of both directories:
megha directory:
Installation-directory: Type the installation directory that was provided at the time of installation.
For example:
meghadata directory:
For example:
ls -lrt /usr/local/megha
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
10. Start the crond service using the command:
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Verify that the megha and crond services are stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
5. Change the UID and GID of the megha user using the commands:
Note: Make sure that the new UID and GID are available (not assigned to any other existing user or group).
For example:
id megha
7. Change ownership:
a. Run the following command to change the ownership of the directory under the installation directory. By default, the Analyzer probe server is installed at /home.
(The megha directory is created in it.) Change the ownership of this directory:
For example:
ls -lrt /usr/local/megha
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
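Two checks support the UID and GID procedures above: confirming that the new IDs are free before the change, and confirming afterwards that nothing under the installation directory still carries the old IDs (a recursive check, where ls -lrt shows only the top level). The following Python functions are an added example, not part of the product or of this guide; the function names are assumptions, and the old UID and GID are the values you recorded with the id command before the change.

```python
"""Checks around changing the megha/meghadata UID and GID (added example)."""
import grp
import os
import pwd


def id_conflicts(new_uid, new_gid, users=None, groups=None):
    """Return the accounts and groups that already hold new_uid / new_gid.

    users and groups are (name, id) pairs; by default they are read from the
    host's passwd and group databases.
    """
    if users is None:
        users = [(p.pw_name, p.pw_uid) for p in pwd.getpwall()]
    if groups is None:
        groups = [(g.gr_name, g.gr_gid) for g in grp.getgrall()]
    return {
        "uid_taken_by": sorted(name for name, uid in users if uid == new_uid),
        "gid_taken_by": sorted(name for name, gid in groups if gid == new_gid),
    }


def stale_ownership(root, old_uid, old_gid):
    """List paths under root that still carry the old UID or the old GID.

    Uses lstat, so a symbolic link is judged by its own owner and is not
    followed out of the tree.
    """
    stale = []
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk does not descend into symlinked directories; check the links.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        candidates = [dirpath] + [os.path.join(dirpath, n) for n in filenames + links]
        for path in candidates:
            info = os.lstat(path)
            if info.st_uid == old_uid or info.st_gid == old_gid:
                stale.append(path)
    return sorted(stale)


if __name__ == "__main__":
    # Constructed account data: UID 1500 is already used by another account.
    users = [("megha", 1001), ("meghadata", 1002), ("backup", 1500)]
    groups = [("megha", 1001)]
    print(id_conflicts(1500, 1500, users, groups))
    # After the ownership change, point this at the installation directory and
    # pass the UID and GID that "id megha" showed before the change.
    print(stale_ownership("/usr/local/megha", 1001, 1001))
```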
You can manage the size of the Analyzer detail view database based on time (age of the data), current size, and amount of available disk space. You can put limits on the
performance database to purge the performance data. (You cannot purge the configuration data.)
On the Analyzer detail view server, the performance data is stored in: /usr/local/megha/db/perf/date (the date format is: YYYYMMDD).
You can also manage the size of the backup and meghadata directories based on time (age of data).
You can control the size of the performance database by setting values in the /usr/local/megha/conf/sys/app.db.purge.properties file.
The database purging activity is scheduled daily at 00:00 UTC. However, the purging activity starts only when the Analyzer detail view server is not performing any of the following
operations:
Note: While purging activity is in progress, you cannot access the database.
You must set the following property to true when enabling purging activity:
app.db.purging.enabled
Time (app.db.time.based.purging.limit)
Size (app.db.size.based.purging.limit.in.gb)
Disk free space (app.disk.freespace.size.based.purging.limit.in.gb)
If you set more than one property, only the highest-priority criterion that is configured is applied, and the remaining criteria are skipped. Disk free space purging has the highest
priority, and Size purging has a higher priority than Time.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Type the following properties file path:
/usr/local/megha/conf/sys/app.db.purge.properties
3. Set the values according to the settings described in the following table.
Parameter Values Description
Default: false
Parameter: app.db.time.based.purging.limit
Values: nD (days, Min: 7, Max: 3650)
Description: Purge based on database age (days, months, or years). Example:
Parameter: app.db.size.based.purging.limit.in.gb
Values: Min: 50, Max: 10240
Description: Purge based on the database size (in GB). Deletes oldest folders in perf until the database size limit is reached.
Example: app.db.size.based.purging.limit.in.gb=100
Deletes the oldest folders until the database size is less than or equal to 100 GB.
Parameter: app.disk.freespace.size.based.purging.limit.in.gb
Values: Min: 10, Max: 100
Description: Purge database based on the amount of free disk space available (in GB). Deletes the oldest folders in perf until the free disk space limit is reached.
Example: app.disk.freespace.size.based.purging.limit.in.gb=20
Deletes the oldest folders until the amount of free disk space is less than or equal to 20 GB.
Note: If you make any change in the property file, then you must restart the Analyzer detail view server. If you type an incorrect value in the property file, then the Analyzer
detail view server does not restart. The Analyzer detail view server updates the importStatus.properties file after the database purge operation and lists the correct data
availability.
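Because an incorrect value in this file keeps the Analyzer detail view server from restarting, it is worth checking the file before the restart. The following Python check is an added example, not part of the product or of this guide: it validates each limit against the ranges in the table and reports which criterion takes effect under the stated priority order. The function names, the treatment of a missing app.db.purging.enabled as false, the acceptance of only lower-case true/false and the nD form, and the 30D sample value are assumptions of the example.

```python
"""Pre-restart check for app.db.purge.properties (added example)."""
import re

ENABLED = "app.db.purging.enabled"
# (property, value pattern, minimum, maximum), highest priority first, as the
# guide states: disk free space, then size, then time. Limits are the table's.
CRITERIA = [
    ("app.disk.freespace.size.based.purging.limit.in.gb", r"(\d+)", 10, 100),
    ("app.db.size.based.purging.limit.in.gb", r"(\d+)", 50, 10240),
    # Assumption: only the nD form listed in the Values column is accepted.
    ("app.db.time.based.purging.limit", r"(\d+)D", 7, 3650),
]


def parse_properties(text):
    """Parse key=value lines; blank lines and lines starting with # are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_purge_config(text):
    """Return the errors found and the criterion that would be applied.

    "effective" is None when purging is disabled, when no criterion is set,
    or when any error is present (the file must be fixed first).
    """
    props = parse_properties(text)
    errors = []
    # Assumption: a missing property means false; only true/false are accepted.
    enabled = props.get(ENABLED, "false")
    if enabled not in ("true", "false"):
        errors.append(f"{ENABLED}={enabled}: expected true or false")
    configured = []
    for key, pattern, low, high in CRITERIA:
        value = props.get(key, "")
        if not value:
            continue  # criterion not set
        match = re.fullmatch(pattern, value)
        if match is None:
            errors.append(f"{key}={value}: unexpected format")
        elif not low <= int(match.group(1)) <= high:
            errors.append(f"{key}={value}: outside {low}..{high}")
        else:
            configured.append(key)
    usable = enabled == "true" and not errors and bool(configured)
    return {
        "errors": errors,
        "effective": configured[0] if usable else None,
        "skipped": configured[1:] if usable else [],
    }


# Constructed sample: the size and free-space values are the table's examples,
# the 30D time value is made up for this illustration.
SAMPLE = """\
app.db.purging.enabled=true
app.db.time.based.purging.limit=30D
app.db.size.based.purging.limit.in.gb=100
app.disk.freespace.size.based.purging.limit.in.gb=20
"""

if __name__ == "__main__":
    result = check_purge_config(SAMPLE)
    print("errors:   ", result["errors"])
    print("effective:", result["effective"])
    print("skipped:  ", result["skipped"])
```

With all three limits set, only the disk free space limit is reported as effective, which makes it visible when a time or size limit you expected to apply is being skipped.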
You can control the size of the backup directory by setting values in the megha_cleanup_custom.properties file. The backup directory purging activity is scheduled daily at 00:10
hours. By default, the data is retained for 30 days.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Type the following properties file path:
cd /usr/local/megha/conf/
3. Create a backup copy of the megha_cleanup_custom.properties file using the following command:
cp megha_cleanup_custom.properties bkp_megha_cleanup_custom.properties_bkp
4. Open the megha_cleanup_custom.properties file using a text editor (such as vi) and change the following properties:
cleanupapp.db.backup.root=/usr/local/megha/db/backup
cleanupapp.db.backup.enable=yes
cleanupapp.db.backup.retentiontime=30 #value in days
You can control the size of the meghadata directory by setting values in the meghadata_cleanup_custom.properties file. The meghadata directory purging activity is scheduled daily
at 00:10 hours. By default, the data is retained for 90 days.
1. Log on to the Analyzer detail view server through an SSH client (like putty) as a root user.
2. Enter the following command:
cd /usr/local/megha/conf/
3. Create a backup copy of the meghadata_cleanup_custom.properties file using the following command:
cp meghadata_cleanup_custom.properties bkp_meghadata_cleanup_custom.properties_bkp
4. Open the meghadata_cleanup_custom.properties file using a text editor (such as vi) and change the following properties:
cleanupapp.client.zip.root=/home/meghadata/*-*-*-*-*
cleanupapp.client.zip.enable=yes
cleanupapp.client.zip.retentiontime=90 #value in days
Note: Do not change the value of the cleanupapp.client.zip.retentiontime property to less than 5 days.
When the Analyzer server is initially installed, the system account locking option is disabled. For security purposes, you may want to lock the system account.
Note:
Locking or unlocking an account requires user management permissions. You cannot unlock your own account on a web client, but you can unlock your own account on the
Analyzer server.
Common-component-installation-directory/conf/
3. Add the property account.lock.system, and set the value to true to enable system account locking, then save the file.
If you do not want to lock the system account, specify false.
4. Start the Analyzer server services.
Required settings when using a virus detection program and process monitoring software
If a virus detection program accesses database-related files used by Ops Center Analyzer, operations such as I/O delays or file locks can cause errors. Also, if process monitoring
software kills an Ops Center Analyzer process, Analyzer cannot work properly. To prevent these problems, exclude the following directories and files from the targets that are scanned
by the virus detection program and monitored by the process monitoring software.
Analyzer server
/var/spool/cron/root
/var/spool/cron/megha
/var/spool/cron/meghadata
/var/mail/megha
/var/mail/meghadata
Files that are in the /tmp directory and whose owners are the megha user
/etc/xinetd.d/dataReceiverDaemon
/var/spool/cron/root
/var/spool/cron/megha
/etc/cron.d/cleanupRawData_*.cron
/etc/cron.d/hnasFCPerfDataGenerator_*.cron
/etc/cron.d/hnasPerfDataGenerator_*.cron
/etc/cron.d/processConfRawData_*.cron
/etc/cron.d/processRawData_1*.cron
Files that are in the /tmp directory and whose owners are the megha user
Exclude the following directories:
/etc/systemd/system/multi-user.target.wants/jp1_pc.service
/etc/systemd/system/multi-user.target.wants/raid_agent_app.service
/etc/systemd/system/multi-user.target.wants/raid_agent_web.service
/etc/systemd/system/graphical.target.wants/jp1_pc.service
/etc/systemd/system/graphical.target.wants/raid_agent_app.service
/etc/systemd/system/graphical.target.wants/raid_agent_web.service
/usr/lib/systemd/system/jp1_pc.service
/usr/lib/systemd/system/raid_agent_app.service
/usr/lib/systemd/system/raid_agent_web.service
You can back up the following Ops Center Analyzer components so that they can be restored later if, for example, a failure occurs causing your system to go down:
Analyzer server
Analyzer detail view server
Analyzer probe server
RAID Agent
Virtual Storage Software Agent
On-demand real time monitoring module
You can back up and restore the entire Ops Center Analyzer system collectively, or by component product. However, to prevent data inconsistency, be sure to back up and restore
both Analyzer server and Analyzer detail view server at the same time.
Note:
You can omit restoring RAID Agent backup data if one of the following conditions is met.
Note that you need to manually reapply the same setting changes as those applied for RAID Agent.
If 48 hours or more have passed since the backup data was acquired (see note 1)
If the Analyzer probe server (excluding the RAID Agent) continues to run normally and the API function that accesses the RAID Agent is not being used (see note 2)
1. Performance data that exceeds the maximum performance data retention period (48 hours) for the RAID Agent cannot be restored.
2. Performance data included in the data to be restored is not used.
Use cases
Periodic backup: Prepare for any failures by periodically backing up your data as part of your normal operations. Then, if a failure occurs, restore the backed up data to
recover from the failure.
Re-installation of the OS or a component on the same host: Migrate settings and accumulated data to the new environment.
Migration to a different host: You can use the backup and restore functions to migrate Analyzer components to a different host. Settings and accumulated data can also be
inherited.
Ops Center Analyzer does not support periodic automatic backup. Create a backup schedule that fits your requirements.
You can back up and restore components in a virtual or physical environment by performing the same procedure.
You can back up the entire Ops Center Analyzer system as described in the following workflow or select individual components to back up.
The general backup workflow for Ops Center Analyzer components is as follows:
If the Analyzer server is linked to Ops Center Automator, make sure that no tasks are running for the Analyzer server, and then stop the Analyzer server services. Do
not run any tasks for the Analyzer server before the backup processing finishes.
Stopping the Analyzer detail view server or Analyzer probe server services
c. Analyzer Windows probe
d. Analyzer probe server
Stopping the Analyzer detail view server or Analyzer probe server services
e. RAID Agent
Starting the Analyzer detail view server or Analyzer probe server services
Starting the Analyzer detail view server or Analyzer probe server services
g. Analyzer server
You can back up the configuration information files and the performance data of the RAID Agent.
Note: If you want to collectively back up the configuration information files and the performance data used by API functions that access RAID Agent, run the following
command:
Make sure that the output directory has sufficient free space. Use the size of the following directory as an indication of the estimated amount of required free space:
Analyzer-probe-server-installation-directory/RAIDAgent
2. The following files for HTTPS connections are not backed up. If necessary, back up these files manually.
Server certificate
Private key
You can back up the configuration information files and the performance data of the RAID Agent.
Note: If you want to collectively back up the configuration information files and the performance data used by API functions that access RAID Agent, run the following
command:
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\bin\htmhsbackup -dir output-folder
Make sure that the output folder has sufficient free space. You will need the amount of space in the Hybrid Store storage destination specified during installation.
2. The following files for HTTPS connections are not backed up. If necessary, back up these files manually.
Server certificate
Private key
You can back up the connection settings files of Virtual Storage Software Agent.
1. Back up the following files by manually copying them to a directory of your choice:
/var/Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent/system/access-points.yaml
/var/Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent/config/userconfig-setting.yaml
2. Start Virtual Storage Software Agent as needed.
You can back up the configuration files and certificate files of the On-demand real time monitoring module.
Note: This procedure is for RAID Agent on a host where the Analyzer probe server is installed.
mkdir ./backup
3. Copy the configuration files and certificate files to the backup directory.
cp -p /opt/hitachi/Analytics/granular-data-collection-api/conf/user-granular-data-collection-api.conf ./backup
cp -p /opt/hitachi/Analytics/granular-data-collection-api/conf/system-granular-data-collection-api.conf ./backup
cp -p /opt/hitachi/Analytics/granular-data-collection-api/cert/server.crt ./backup
cp -p /opt/hitachi/Analytics/granular-data-collection-api/cert/server.key ./backup
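The copy commands above put server.key into ./backup with whatever permissions the current umask and cp -p produce. The following added example (not from the Hitachi guide) performs the same copy into an owner-only directory and records a SHA-256 manifest so the backup can be checked after it is moved. The function names, the manifest name SHA256SUMS, and the use of GNU sha256sum and stat are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Hitachi guide.
# Assumes GNU coreutils (sha256sum, stat -c) on the Linux host.

# Installation root, taken from the cp commands in the guide.
GDC_ROOT_DEFAULT=/opt/hitachi/Analytics/granular-data-collection-api

# The four files the guide copies, relative to the installation root.
GDC_FILES="conf/user-granular-data-collection-api.conf
conf/system-granular-data-collection-api.conf
cert/server.crt
cert/server.key"

# backup_gdc DEST [ROOT]
# Copies the module's configuration and certificate files into DEST.
backup_gdc() {
    dest=$1
    root=${2:-$GDC_ROOT_DEFAULT}

    # Check every source file first, so a partial backup is never created.
    for rel in $GDC_FILES; do
        [ -f "$root/$rel" ] || { echo "missing: $root/$rel" >&2; return 1; }
    done

    # Create the directory owner-only before the private key lands in it.
    ( umask 077 && mkdir -p "$dest" ) || return 1
    chmod 700 "$dest" || return 1

    for rel in $GDC_FILES; do
        cp -p "$root/$rel" "$dest/" || return 1
    done

    # cp -p keeps the source mode; force the key copy to owner-only anyway.
    chmod 600 "$dest/server.key" || return 1

    # Record a checksum for each copied file. A manifest kept beside the
    # files detects truncation or corruption in transfer; keep a second copy
    # elsewhere if it should also detect deliberate modification.
    (
        cd "$dest" || exit 1
        for rel in $GDC_FILES; do
            sha256sum "${rel##*/}" || exit 1
        done > SHA256SUMS
    ) || return 1
    chmod 600 "$dest/SHA256SUMS"
}

# verify_gdc_backup DEST
# Returns 0 only if every file matches the manifest and the private key
# is not readable by group or others.
verify_gdc_backup() {
    dest=$1
    [ -f "$dest/SHA256SUMS" ] || return 1
    ( cd "$dest" && sha256sum -c SHA256SUMS ) >/dev/null 2>&1 || return 1
    mode=$(stat -c '%a' "$dest/server.key") || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Usage on the probe server host (as root):
#   backup_gdc ./backup
#   verify_gdc_backup ./backup    # run again on the restore destination
```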
You can back up the configuration files and certificate files of the On-demand real time monitoring module.
You can back up the settings information of the Analyzer probe server. Information such as user passwords and SSL settings is not backed up. You must reset this information after a
restore.
Make sure that the location where the backup files are to be stored has sufficient space.
The properties that are required for this utility are backed up by default. The backup of the optional properties is controlled by the /usr/local/megha/conf/backup.properties file.
Comment out lines corresponding to information that does not need to be backed up. To comment out a line, enter a hash mark (#) at the beginning of the line.
The parameter RAW_BACKUP_DATA is used to back up raw data (data normally transferred to Analyzer detail view server). It is commented out by default. To back
up raw data, delete the hash mark (#) at the beginning of the line containing this parameter.
1. Log on to the Analyzer probe server through an SSH client (such as PuTTY) as a root user.
2. (Optional) Edit the file backup.properties. Delete hash marks (#) from lines that are commented out, as needed.
3. Run the following command to perform backup.
zip_file_path
Specify the name of the directory in which the backed-up data (a ZIP file) is to be saved.
Example:
4. The following settings information is not backed up by backupAndRestore.sh. Write down this information (or record it by other means) because, after the restore, the
settings must be manually revised.
OS settings (hosts file, passwords of the megha user and meghadata user, and so on)
SSL communication settings
External user authentication settings (Connection with Active Directory)
You can back up the settings information and database of the Analyzer detail view server. Information such as user passwords and SSL settings is not backed up. You must reset
this information after a restore.
Make sure that the location where the backup files are to be stored has sufficient space.
The properties that are required for this utility are backed up by default. The backup of the optional properties is controlled by the /usr/local/megha/conf/backup.properties file.
Comment out lines corresponding to information that does not need to be backed up. To comment out a line, enter a hash mark (#) at the beginning of the line.
The parameter RAW_BACKUP_DATA is used to back up raw data (data imported into the database). It is commented out by default. To back up raw data, delete the
hash mark (#) at the beginning of the line containing this parameter.
1. Log on to the Analyzer detail view server through an SSH client (such as PuTTY) as a root user.
2. (Optional) Edit the file backup.properties. Delete hash marks (#) from lines that are commented out, as needed.
3. Run the following command to perform backup.
zip_file_path
Specify the name of the directory in which the backed-up data (a ZIP file) is to be saved.
Example:
4. The following settings information is not backed up by backupAndRestore.sh. Write down this information (or record it by other means) because, after the restore, the
settings must be manually revised.
OS settings (hosts file, passwords of the megha user and meghadata user, and so on)
SSL communication settings
External user authentication settings (Connection with Active Directory)
5. If the Analyzer detail view server is connected to the Analyzer server, back up the Analyzer server, because you will need the backup data to perform restore.
Run the backupsystem command to back up the Analyzer server settings information.
Example:
To back up the data needed to perform a restore, specify all for the type option.
Do not specify the auto option, because this option starts the services of the Analyzer server.
You can restore the entire Ops Center Analyzer system or individual components according to the following workflow.
The general restore workflow for Ops Center Analyzer components is as follows:
If the Analyzer server is linked to Ops Center Automator, make sure that no tasks are running for the Analyzer server, and then stop the Analyzer server services. Do
not run any tasks for the Analyzer server before the restore processing finishes.
b. Analyzer detail view server
Stopping the Analyzer detail view server or Analyzer probe server services
Stopping the Analyzer detail view server or Analyzer probe server services
e. RAID Agent
a. RAID Agent
Starting the Analyzer detail view server or Analyzer probe server services
Starting the Analyzer detail view server or Analyzer probe server services
g. Analyzer server
You can restore the configuration information files and the performance data of RAID Agent.
If instances with the same names as those on the backup source do not exist in the restore destination, manually create RAID Agent instances using the same instance
names as those on the backup source.
Verify that the following items are the same between the backup source host and the restore destination host:
OS (Linux or Windows)
Version number of the RAID Agent
Instance name
Hybrid Store storage destination
Stop all RAID Agent services on the restore destination host.
Verify that the restore destination has free space equal to or greater than the size of the data to be restored.
When transferring backup data to another host, make sure of the following:
1. Run the following command to restore the backed-up configuration information files:
Note: If you also backed up performance data, the configuration information files and the performance data are restored.
2. Run the jpctdchkinst command to check whether the instance is monitoring the targets correctly.
3. If the instance is not properly monitoring the targets, run the jpcinssetup command to change the settings, and then run the jpctdchkinst command again to check the
monitoring status.
4. The following items cannot be restored by using the htmhsrestore command and must be changed manually:
If you changed the port numbers or SSL communication settings in the backup source environment, you must also change them in the restore destination
environment by editing the following file.
/opt/jp1pc/htnm/Rest/config/htnm_httpsd.conf
If you changed the port numbers specified in the following files in the backup source environment, you must also change them in the restore destination environment.
/opt/jp1pc/htnm/Rest/config/htnm_httpsd.conf
/opt/jp1pc/htnm/HBasePSB/CC/server/usrconf/ejb/AgentRESTService/usrconf.properties
You can restore the configuration information files and the performance data of RAID Agent.
Run commands from the administrator console. For details, see Command usage guidelines.
If instances with the same names as those on the backup source do not exist in the restore destination, manually create RAID Agent instances using the same instance
names as those on the backup source.
Verify that the following items are the same between the backup source host and the restore destination host:
OS (Linux or Windows)
Version number of the RAID Agent
Instance name
Hybrid Store storage destination
Stop all RAID Agent services on the restore destination host.
Verify that the restore destination has free space equal to or greater than the size of the data to be restored.
When transferring backup data to another host, make sure of the following:
Binary mode must be used to transfer backup data using FTP.
When the backup data is transferred, the data sizes at the source and destinations must match.
1. Run the following command to restore the backed-up configuration information files:
Note: If you also backed up performance data, the configuration information files and the performance data are restored.
2. Run the jpctdchkinst command to check whether the instance is monitoring the targets correctly.
3. If the instance is not properly monitoring the targets, run the jpcinssetup command to change the settings, and then run the jpctdchkinst command again to check the
monitoring status.
4. The following items cannot be restored by using the htmhsrestore command. Update the settings files as needed.
If you changed the port numbers or SSL communication settings in the backup source environment, you must also change them in the restore destination
environment by editing the following file.
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\Rest\config\htnm_httpsd.conf
If you changed the port numbers specified in the following files in the backup source environment, you must also change them in the restore destination environment.
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\Rest\config\htnm_httpsd.conf
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\HBasePSB\CC\server\usrconf\ejb\AgentRESTService\usrconf.properties
You can restore the connection settings files of Virtual Storage Software Agent.
1. Copy the backup files to the following directory on the restoration destination, overwriting the existing files.
File name                  Restoration-destination directory
access-points.yaml         /var/Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent/system/
userconfig-setting.yaml    /var/Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent/config/
2. Start Virtual Storage Software Agent as needed.
You can restore the configuration files and certificate files of the On-demand real time monitoring module.
Note: This procedure is for RAID Agent on a host where the Analyzer probe server is installed.
You can restore the configuration files and certificate files of the On-demand real time monitoring module.
Stop the On-demand real time monitoring module service on the restore destination host.
Verify that the following items are the same between the backup source host and the restore destination host:
OS (Linux or Windows)
Version number of the On-demand real time monitoring module
Installation destination folder
You can restore the settings information of the Analyzer probe server.
Stop all Analyzer probe server services on the restore destination host.
Make sure that the restore destination directory has sufficient free space.
To restore the data, you must have a new setup with settings matching the original, including the following:
Version: The base version of the Analyzer detail view server must be the same.
Deployment Model: The deployment model must be the same. To verify the deployment model, navigate to Manage > Status > License Information.
Machine: The machine time zone must be the same, and the machine locale must be English.
1. Log on to the Analyzer probe server through an SSH client (such as PuTTY) as a root user.
2. Copy the backed-up data to any directory on the restore destination host.
3. Run the following command on the restore destination host to restore the data.
zip_file_path
Example:
4. If necessary, reset the following information based on the notes you made during the backup procedure.
OS settings
The hosts file
Add connection destination hosts if the backup source host and the restore destination host are different, or if settings were reset when the host OS was
reinstalled.
You can restore the settings information and database of the Analyzer detail view server.
Stop all Analyzer detail view server services on the restore destination host.
Stop all services for the Analyzer probe server, the Analyzer Windows probe, and the Analyzer server that are connected to the Analyzer detail view server on the restore
destination host.
If the Analyzer detail view server is connected to the Analyzer server, make sure that the version of the Analyzer server is the same as that of the Analyzer detail view server
on the restore destination host.
Make sure that the restore destination directory has sufficient free space.
To restore the data, you must have a new setup with settings matching the original, including the following:
Version: The base version of the Analyzer detail view server must be the same.
Deployment Model: The deployment model must be the same. To verify the deployment model, navigate to Manage > Status > License Information.
Machine: The machine time zone must be the same, and the machine locale must be English.
1. Log on to the Analyzer detail view server through an SSH client (such as PuTTY) as a root user.
2. Copy the backed-up data to any directory on the restore destination host.
3. Run the following command on the restore destination host to restore the data.
zip_file_path
Example:
4. If the Analyzer detail view server is connected to the Analyzer server, restore the Analyzer server by using the backup data that was acquired at the same time as that of the
Analyzer detail view server.
5. If necessary, reset the following information based on the notes you made during the backup procedure.
OS settings
The hosts file
Add connection destination hosts if the backup source host and the restore destination host are different, or if settings were reset when the host OS was
reinstalled.
You can restore the settings information of the Analyzer server. This procedure varies depending on the destination environment. Be sure to perform the procedure appropriate for
your configuration.
Restoring the Analyzer server to another host (when the Analyzer server is not linked with Ops Center Automator)
Restoring the Analyzer server to another host (when the Analyzer server is linked with Ops Center Automator on the same host)
Restoring the Analyzer server to another host (when the Analyzer server is linked with Ops Center Automator on another host as the primary server)
Restoring the Analyzer server to another host (when the Analyzer server is linked with Ops Center Automator on another host as the secondary server)
You can restore the settings information of the Analyzer server. After a successful restore, specify the settings related to communication between the Analyzer server and the web
client in the new environment.
You can check the version number of the Analyzer server in the Version window.
Host name
IP address
System locale
1. Run the restoresystem command to restore the settings information of Analyzer server.
Example:
Do not specify the auto option, because this option starts the services of the Analyzer server.
2. Edit the following definition files on the restore destination host to match any information that was changed on the backup source host.
If you performed a backup by specifying Analytics for the type option, the definition files are not stored in the backup data.
Backup: backup-directory/HBase/base/conf/sec
Restore: Common-component-installation-directory/conf/sec
Backup: backup-directory/HBase/base/httpsd.conf
Restore: Common-component-installation-directory/uCPSB11/httpsd/conf
3. If the maximum amount of memory that can be used by the Analyzer server was changed on the backup-source host, use the changememory command to set the maximum
amount of memory again.
4. In the restore destination environment, if HTTPS connections are used between Analyzer server and the web client, enable HTTPS connections.
5. In the restore destination environment, if you changed the port number for communication between Analyzer server and the web client, reset the port number.
6. If you were using the function to connect with Ops Center Automator, reconfigure the primary server settings and the secondary server settings for the Common component.
Restoring the Analyzer server to another host (when the Analyzer server is not linked with Ops Center Automator)
If, on the backup source host, the Analyzer server does not link with Ops Center Automator, you can restore settings and accumulated data of the Analyzer server to a different host
by using this procedure.
1. Transfer the settings information of the Analyzer server and the common component (information that was collected by the backup source host) to the restore destination
host.
2. On the restore destination host, perform the following procedure:
a. Run the restoresystem command to restore the settings information of Analyzer server and the common component.
The user information registered in the common component on the restore destination is overwritten. If you want to retain the user information on the restore
destination, specify Analytics for the type option so that the user information registered in the common component on the backup source is not restored.
Do not specify the auto option because this option starts the services of the Analyzer server.
b. Revise the following definition files on the restore destination host based on the content that was changed on the backup source host. If you already specified settings
on the restore destination host, this step is unnecessary.
Security definition file
Common-component-installation-directory/conf/sec/security.conf
Configuration file that sets the port number and the host name
Common-component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf
Note: For details on how to edit the user_httpsd.conf file, see Enabling SSL communication for Analyzer server.
c. Set up a connection with the Analyzer detail view server. For details, see Setting up a connection with Analyzer detail view server.
d. If the Analyzer server on the backup source host was using Common Services, run the setupcommonservice command to update the connection settings for
Common Services.
Tip:
After the restoration is complete, if you cannot log in to the Analyzer server, restart the server because the new authentication information might not have been
applied.
Be sure to uninstall the Analyzer server on the backup source host. Configurations where multiple instances of Analyzer reference the same Analyzer detail view server are not
supported. For details, see Removing Ops Center Analyzer and Analyzer detail view servers.
Restoring the Analyzer server to another host (when the Analyzer server is linked with Ops Center Automator on the same host)
If, on the backup source host, the Analyzer server links with Ops Center Automator on the same host, you can restore settings and accumulated data of the Analyzer server to a
different host by using this procedure.
1. Transfer the settings information of the Analyzer server and the common component (information that was collected by the backup source host) to the restore destination
host.
2. On the restore destination host, perform the following procedure:
a. Reconfigure the primary server settings and the secondary server settings for the Common component.
b. Run the restoresystem command to restore the settings information of the Analyzer server:
Do not specify the auto option because this option starts the services of the Analyzer server.
c. Revise the following definition files on the restore destination host based on the content that was changed on the backup source host. If you already specified settings
on the restore destination host, this step is unnecessary.
Security definition file
Common-component-installation-directory/conf/sec/security.conf
Configuration file that sets the port number and the host name
Common-component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf
Note: For details on how to edit the user_httpsd.conf file, see Enabling SSL communication for Analyzer server.
d. Set up a connection with the Analyzer detail view server. For details, see Setting up a connection with Analyzer detail view server.
e. If the Analyzer server on the backup source host was using Common Services, run the setupcommonservice command to update the connection settings for
Common Services.
Tip:
After the restoration is complete, if you cannot log in to the Analyzer server, restart the server because the new authentication information might not have been
applied.
a. Run the following command to back up the Analyzer server authentication data:
/opt/hitachi/Analytics/installer/analytics_uninstall.sh SYS
d. When prompted, select the components you want to remove, and then complete the removal process.
e. Run the following command to restore the Analyzer server authentication data:
Restoring the Analyzer server to another host (when the Analyzer server is linked with Ops Center Automator on another host as the primary server)
If the backup source Analyzer server is the primary server and linked to Ops Center Automator on a different host, you can use this procedure to restore the settings and
accumulated data of the Analyzer server to another host.
Note: If the Analyzer server is configured as secondary server, see Restoring the Analyzer server to another host (when the Analyzer server is linked with Ops Center Automator on
another host as the secondary server).
1. Transfer the settings information of the Analyzer server and the common component (information that was collected by the backup source host) to the restore destination
host.
2. On the restore destination host, perform the following steps:
a. Run the hcmds64prmset command to set the common components to the primary server:
Analyzer-server-installation-directory/Base64/bin/hcmds64prmset -setprimary
b. Run the restoresystem command to restore the settings information of Analyzer server:
Do not specify the auto option, because this option starts the services of the Analyzer server.
c. Revise the following definition files on the restore destination host based on the content that was changed on the backup source host. If you already specified settings
on the restore destination host, this step is unnecessary.
Security definition file:
Analyzer-server-installation-directory/Base64/conf/sec/security.conf
Analyzer-server-installation-directory/Base64/uCPSB11/httpsd/conf/user_httpsd.conf
Note: For details on how to edit the user_httpsd.conf file, see Enabling SSL communication for Analyzer server.
Analyzer-server-installation-directory/Base64/conf/sec/auditlog.conf
Note: For details on how to edit the auditlog.conf file, see Enabling audit logging.
Configuration of the port number between Analyzer server and the common components:
Analyzer-server-installation-directory/Base64/uCPSB11/httpsd/conf/reverse_proxy.conf
Analyzer-server-installation-directory/Base64/uCPSB11/CC/server/usrconf/ejb/AnalyticsWebService/usrconf.properties
For details on how to edit the reverse_proxy.conf and usrconf.properties files, see Changing the port number used between Analyzer server and Common
component.
Analyzer-server-installation-directory/Base64/conf/user.conf
Note: For details on how to edit the user.conf file, see Enabling system account locking.
d. If secure communication is used, import the certificate into the Analyzer server truststore. For details, see Configure secure communications.
e. If the Analyzer server on the backup source host was authenticating external users, configure the settings. For details, see Configure external user
authentication.
f. Run the hcmds64srv command to start Analyzer server:
Analyzer-server-installation-directory/Base64/bin/hcmds64srv -start
3. On the host where Ops Center Automator is installed, reconfigure the common components primary server. Configure the Analyzer server as the primary server and
configure Ops Center Automator as the secondary server. For details, see Hitachi Ops Center Automator Installation and Configuration Guide.
4. On the restore destination host, perform the following steps:
a. Set up a connection with the Analyzer detail view server. For details, see Setting up a connection with Analyzer detail view server.
b. If the Analyzer server on the backup source host was using Common Services, run the setupcommonservice command to update the connection settings for
Common Services.
Tip:
After the restoration is complete, if you cannot log in to the Analyzer server, restart the server because the new authentication information might not have been
applied.
Be sure to uninstall the Analyzer server on the backup source host. Configurations where multiple instances of Analyzer reference the same Analyzer detail view server are not
supported. For details, see Removing Ops Center Analyzer and Analyzer detail view servers.
Restoring the Analyzer server to another host (when the Analyzer server is linked with Ops Center Automator on another host as the secondary server)
If the backup source Analyzer server is the secondary server and linked to Ops Center Automator on a different host, you can use this procedure to restore the settings and
accumulated data of the Analyzer server to another host.
1. Transfer the settings information of the Analyzer server and the common component (information that was collected by the backup source host) to the restore destination
host.
2. On the restore destination host, perform the following procedure:
a. If the Analyzer server on the backup source host was using secure communication, import the Ops Center Automator certificate into the Analyzer server
truststore. For details, see Importing Ops Center Automator certificates to the Analyzer server truststore.
b. Reconfigure the primary server for common components:
c. Run the restoresystem command to restore the settings information of the Analyzer server:
Do not specify the auto option because this option starts the services of the Analyzer server.
d. Revise the following definition files on the restore destination host based on the content that was changed on the backup source host. If you already specified settings
on the restore destination host, this step is unnecessary.
Port number, host name, and certificate configuration:
Analyzer-server-installation-directory/Base64/uCPSB11/httpsd/conf/user_httpsd.conf
Note: For details on how to edit the user_httpsd.conf file, see Enabling SSL communication for Analyzer server.
Analyzer-server-installation-directory/Base64/conf/sec/auditlog.conf
Note: For details on how to edit the auditlog.conf file, see Enabling audit logging.
Configuration of the port number between Analyzer server and the common components:
Analyzer-server-installation-directory/Base64/uCPSB11/httpsd/conf/reverse_proxy.conf
Analyzer-server-installation-directory/Base64/uCPSB11/CC/server/usrconf/ejb/AnalyticsWebService/usrconf.properties
Note: For details on how to edit the reverse_proxy.conf and usrconf.properties files, see Changing the port number used between Analyzer server and
Common component.
e. If the Analyzer server on the backup source host was using secure communication, import the certificates other than the Ops Center Automator certificate into the
Analyzer server truststore. For details, see Configure secure communications.
f. Run the hcmds64srv command to start Analyzer server:
Analyzer-server-installation-directory/Base64/bin/hcmds64srv -start
g. Set up a connection with the Analyzer detail view server. For details, see Setting up a connection with Analyzer detail view server.
h. If the Analyzer server on the backup source host was using Common Services, run the setupcommonservice command to update the connection settings for
Common Services.
Tip:
After the restoration is complete, if you cannot log in to the Analyzer server, restart the server because the new authentication information might not have been
applied.
Be sure to uninstall the Analyzer server on the backup source host. Configurations where multiple instances of Analyzer reference the same Analyzer detail view server are not
supported. For details, see Removing Ops Center Analyzer and Analyzer detail view servers.
You can schedule automatic backups for your Ops Center products by using Ops Center Protector. For information about how to use Protector to back up and restore, see the
Hitachi Ops Center Installation and Configuration Guide.
You can remove Analyzer server and Analyzer detail view server. You can choose to remove Analyzer server, Analyzer detail view server, or both.
1. Log on to the Analyzer server or Analyzer detail view server by using a user account with root permission.
2. Stop any security monitoring software, antivirus software, and process monitoring software.
3. If you are using the functionality for connecting with Ops Center Automator in the Analyzer server, reset the settings of the Common component.
If you are removing the Analyzer detail view server only, this step is not required.
4. Run the following commands:
cd /opt/hitachi/Analytics/installer
sh ./analytics_uninstall.sh SYS
5. When prompted, select the components you want to remove, and then complete the removal process.
Note:
The Analyzer detail view server uninstaller stops the crond service. If you are using the crond service with other programs, start the crond service.
Amazon Corretto 17 is not automatically removed even if it was installed during the installation of Analyzer detail view server.
1. Log on to the Analyzer probe server by using a user account with root permission.
2. Stop any security monitoring software, antivirus software, and process monitoring software.
3. Run the following commands:
cd /opt/hitachi/Analytics/installer
sh ./dcaprobe_uninstall.sh SYS
Note: If you leave the Virtual Storage Software Agent installed and later want to uninstall it, see Removing Virtual Storage Software Agent.
4. If there is no problem with uninstalling the probe server, enter y.
5. If Virtual Storage Software Agent is installed, check whether the directory needs to be deleted.
Do you want to delete the data and log directory? (y/n) [n]:
Note:
The Analyzer probe server uninstaller stops the crond service. If you are using the crond service with other programs, start the crond service.
Amazon Corretto 17 is not automatically removed even if it was installed during the installation of Analyzer probe server.
The following folders are not deleted during uninstallation. If necessary, delete them manually.
Folder containing the private key and certificate of the On-demand real time monitoring module
Hybrid Store storage-destination folder that was specified during installation
Troubleshooting
You can troubleshoot common problems such as unsuccessful connections to the web client or between components.
If you cannot connect to the Analyzer server web client, check the operation status of Analyzer server and the port number setting.
1. Run the hcmds64srv command with the status option to check the operation status of Analyzer server.
If the services "HAnalytics Engine Web Service" and "HBase 64 Storage Mgmt SSO Service" are running, and the service "HBase 64 Storage Mgmt Web Service" is not
running, a port number might be redundant.
2. Check the log message.
If the following log entry is output, review the configuration of port numbers used by the Analyzer server:
Item Contents
Level Error
Source HitachiWebServer
Message The service named HBase 64 Storage Mgmt Web Service reported the following error: >>> (OS 10048) Only one usage of each socket address (protocol/network address/port) is normally permitted. : make_sock: could not bind to address [::]:[redundant-port-number]
3. From the web browser, confirm that communication with the Analyzer server is normal.
4. Confirm that the web browser is supported by Analyzer server.
5. If the web browser is set to refuse the use of cookies, change the settings to allow the use of cookies for Analyzer server.
6. Restart the web browser.
If you cannot access the web client even after performing the preceding steps, delete the cookies related to the IP address and host name of Analyzer server, and then
restart the web browser.
When you cannot log on to Analyzer server, check your user information:
2. Confirm that the user is registered in Analyzer server.
3. Ask a user with User Management permissions to confirm the following:
User has required permissions
User account is not locked
If Analyzer server cannot start, check that the resources of the Analyzer server are sufficient, and the hardware and OS are supported by Analyzer server.
1. Confirm that resources such as memory and disk space are sufficient on the Analyzer server.
2. Confirm that Analyzer server has been installed on the OS and hardware supported by Analyzer server.
3. Run the hcmds64srv command with the status option to check the operation status of Analyzer server.
4. If the Analyzer server services are not running, start the service.
5. See the log data and take appropriate actions from the error message.
6. If no error message is output to the log, or the problem is not solved, run the hcmds64getlogs command to collect the log file, and contact the administrator or Hitachi Vantara
Support Contact.
If the Analyzer server cannot be connected to Analyzer detail view server, check the operating status of Analyzer detail view server and the status of the connection between
Analyzer server and Analyzer detail view server.
1. Run the following command on the Analyzer detail view server to verify that the status of the service of the Analyzer detail view server is running:
/usr/local/megha/bin/megha-jetty.sh status
Output example:
2. In the Administration tab of Analyzer server, select System Settings > Analyzer detail view Server.
3. Click Edit Settings to check information about the Analyzer detail view server.
4. Click Check Connection to check whether Analyzer server can be properly connected to the Analyzer detail view server.
5. Click OK.
Analyzer probe server cannot connect to Analyzer detail view server using HTTPS
If the Analyzer probe server cannot connect to Analyzer detail view server through an HTTPS connection, check the status of the HTTP proxy server on the host where Analyzer
detail view server is installed.
1. Run the following command to check the operation status of the HTTP proxy server:
/usr/local/httpProxy/bin/megha-jetty.sh status
2. If the HTTP proxy server is not running, run the following command to start it:
/usr/local/httpProxy/bin/megha-jetty.sh start
If a problem occurs while adding the following probes using an HTTPS connection in Analyzer probe, do the following:
1. Check the SSL certificate details in the target environment and the Analyzer probe server. The probes must have an SSL certificate created by the same certificate authority.
2. If the certificate authority is different, you must create an SSL certificate using the same certificate authority and apply it on the Analyzer probe server by uploading the
certificate files to /usr/local/megha/jetty/etc.
Refer to Configuring an SSL certificate (Analyzer detail view server) for more information.
Cannot start the Analyzer Windows probe service from the Windows Services panel
After installing or upgrading the Analyzer Windows probe, if you are using the Windows Services panel to start the Analyzer Windows probe service and a problem occurs while
starting the service, then do the following:
1. Check the Analyzer Windows probe logs in the WindowsProbe.log file to identify the reason for a problem. You can find the log file at the following location: Analyzer
Windows probe installer\bin\Logs
2. Verify the system locale. Follow the Microsoft procedure to verify the system locale.
3. Change the system locale to English. Follow the Microsoft procedure to change the system locale.
The following are the supported English System Locales: English (Australia), English (Belize), English (Canada), English (Caribbean), English (India), English (Ireland),
English (Jamaica), English (Malaysia), English (New Zealand), English (Philippines), English (Singapore), English (South Africa), English (Trinidad and Tobago), English
(United Kingdom), English (United States), English (Zimbabwe).
A similar problem can occur while starting the Analyzer Windows probe service from the Analyzer Windows probe console.
Setting the authentication values for collecting clustered shared volumes data
You must set the authentication values for collecting the clustered shared volumes data if you observe the following error in the WindowsProbe.log file for the Analyzer Windows
probe:
Exception while accessing Cluster info Access denied.
wmi.authenticationLevel=PacketPrivacy
Verify if the error persists in the WindowsProbe.logs file. If the error persists, try the following values one after another (one at a time) for the wmi.authenticationLevel property
by following the steps 1 to 6 until the error is resolved:
Default
Call
Connect
Packet
PacketIntegrity
Connection to RAID Agent fails when the on-demand real time monitoring function is used
When the On-demand real time monitoring function is used in the GUI of the Analyzer detail view server, the connection to RAID Agent might fail and the following message might be
displayed:
Perform the following procedure to verify that communication is possible between Analyzer detail view server and the On-demand real time monitoring module:
1. On the host where RAID Agent is installed, verify that the On-demand real time monitoring module is running.
For details, see Starting the On-demand real time monitoring module services.
2. Change the firewall and network settings to enable access from the Analyzer detail view server to the On-demand real time monitoring module on the host where RAID Agent
is installed.
The default port number of the On-demand real time monitoring module is 24262.
If no messages are output when a problem occurs, or you are unable to correct the problem even after following the instructions in the message, collect maintenance information,
and then contact customer support.
Run the hcmds64getlogs command to collect the log file for the Analyzer server.
1. Log on to the host where the Analyzer server is installed as a user with root permission.
2. Run the hcmds64getlogs command to collect the log file for the Analyzer server.
For details about the hcmds64getlogs command, see the command reference in the Appendix.
Collecting the log file for the Analyzer detail view server and the Analyzer probe server
You can download the log files for the Analyzer detail view server and the Analyzer probe server by using a web browser.
1. In the web browser, type the Analyzer detail view server or the Analyzer probe server URL:
https://server-IP-address:Port-Number
2. Log on to the desired server as the admin user and make the appropriate selection:
Analyzer detail view server In the application bar, click the Manage icon ( ).
Analyzer probe server Click the Manage link.
3. In the Manage window, click the Download Diagnostic Data link.
4. In the Download Diagnostic Data window, click the Download button.
Run the jpcras command to collect the log file for the RAID Agent.
For RAID Agent (Windows), run commands from the administrator console. For details, see Command usage guidelines.
1. Log on to the host where RAID Agent is installed, as a user with root permission (Linux) or Administrator permission (Windows).
2. Run the jpcras command to collect the log file for the RAID Agent.
In Linux
/opt/jp1pc/tools/jpcras output-directory-path all all
An archive file named jpcrasYYMMDD.tar.gz or jpcrasYYMMDD.tar.Z is output to the specified output destination.
In Windows
The agtd.agtras and localhost folder stored in the log files are output to the specified output destination.
Note: When sending log files, send them in compressed format.
For RAID Agent (Windows), you must also collect the following information.
Dump information
To collect dump information, perform the following procedure:
%SystemDrive%\Users\user-name\AppData\Local\Temp
If an environment variable has been changed to output dump files to a folder other than that shown in step 3, collect dump files from that folder.
Other information
Collect the following additional information:
Collect the following logs and data for the RAID Agent installer.
1. Log on as root on the host where Virtual Storage Software Agent is installed.
2. To collect the log files, use the following command:
rpm -qa > rpm_list.txt && tar -cvzf agent_diag.tar.gz directory-from-which-to-collect-log-file ./rpm_list.txt
For example:
rpm -qa > rpm_list.txt && tar -cvzf agent_diag.tar.gz -C / opt/hitachi/VirtualStorageSoftwareAgent var/opt/hitachi/VirtualStorageSoftwareAgent var/log/hitachi/VirtualStorageSoftwareAgent ${PWD#/}/rpm_list.txt
Note: When specifying multiple directories from which to collect log files, separate each directory with a space.
Log files are collected from these locations:
Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent
/var/Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent
/var/log/hitachi/VirtualStorageSoftwareAgent
An archive file named agent_diag.tar.gz is output to the directory from which you ran the command.
Collecting the log file for the On-demand real time monitoring module
Run the diag command to collect the log file for the On-demand real time monitoring module.
1. Log on to the host where RAID Agent is installed, as a user with root permission (Linux) or Administrator permission (Windows).
2. Run the diag command to collect the log file for the On-demand real time monitoring module.
In Linux
/opt/hitachi/Analytics/granular-data-collection-api/bin/diag
An archive file named diag.yyyymmdd-hhmmss.tgz is output to the directory in which you ran the command.
In Windows
RAID-Agent-installation-folder\raid_agent\granular-data-collection-api\bin\diag.bat
An archive file named diag.yyyymmdd-hhmmss.jar is output to the folder in which you ran the command.
By default, System Diagnostics is enabled on the Analyzer detail view server and Analyzer probe server for collection of operating statistics. You can disable the statistics collection
using this procedure.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) using the following credentials:
User: megha
Password: megha!234
2. Run the following commands:
/usr/local/megha/dbgUtils/bin/hdebug.sh setSystemDiagnosticsConfig --key sds.enabled --value false
/usr/local/megha/dbgUtils/bin/manage-sds.sh stop
The statistics collection is stopped. But you can still access System Diagnostics by launching it from the Analyzer detail view server UI to view historical data in reports.
By default, System Diagnostics is enabled on the Analyzer detail view server and Analyzer probe server for collection of operating statistics. If you have disabled collection, you can
enable it using this procedure.
Note: The System Diagnostics data is not collected for the Analyzer probe server if the HTTPS protocol is used to upload data from the Analyzer probe server to the Analyzer detail
view server.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) using the following credentials:
User: megha
Password: megha!234
2. Run the following commands:
/usr/local/megha/dbgUtils/bin/hdebug.sh setSystemDiagnosticsConfig --key sds.enabled --value true
/usr/local/megha/dbgUtils/bin/manage-sds.sh start
The operating statistics collection is started.
If you are attempting to Start, Edit, or Delete a probe and it becomes stuck in the "Stopping" state on the Analyzer probe server, follow this procedure to restart the probe.
Note: If you do not want to stop the crond service, you can stop specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command as
described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/megha-jetty.sh stop
/usr/local/megha/bin/megha-jetty.sh status
cd /usr/local/megha/conf/probe
6. Make a backup copy of the probe properties file using the following command syntax:
cp probe_type_default.properties probe_type_default.properties_bkp
For example:
cp vmware_default.properties vmware_default.properties_bkp
For a list of the other probe properties files, see the list at the end of this procedure.
7. Open the properties file with an editor such as vi as in this example:
vi vmware_default.properties
/usr/local/megha/bin/megha-jetty.sh start
/usr/local/megha/bin/megha-jetty.sh status
11. Start the crond service using the following command:
Probe types
Linux - linux_default.properties
VMware - vmware_default.properties
Enabling debug logs in Analyzer detail view server and Analyzer probe server
By default, the Analyzer detail view server and the Analyzer probe server create info logs to track various activities. When you report a problem to customer support, they may
request more details about specific log messages for investigating the problem. In this case, change the log level from info to debug.
1. Log on to the Analyzer detail view server or Analyzer probe server through an SSH client (like putty) using the following credentials:
User: megha
Password: megha!234
2. Navigate to the conf directory.
cd /usr/local/megha/conf
cp log.xml bkp_log.xml_org
vi log.xml
5. Search for the log name and change the log level from info to debug.
For example, if the transaction log needs to be updated, then check the name="transaction" tag. The entry will be similar to this,
When the problem is resolved, make sure that you change the log level from debug back to info.
When you are unable to add Hitachi NAS probe, it is important to verify whether the Analyzer probe server can connect to the SMU. Use the solutions in this section to resolve the
connection issue.
Verify whether you have entered the correct username and password when adding the Hitachi NAS probe:
Verify whether the SMU user has SMU CLI access. The following procedure applies to an external SMU. Follow a similar procedure for an internal SMU.
Verify whether the Analyzer probe server can connect to the SMU.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Run the following command to verify the connection:
ssh HNAS-SMU-user-name@HNAS-SMU-IP
If the Analyzer probe server is unable to connect to the SMU, contact the network administrator.
Verify the network latency between the Analyzer probe server and SMU.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Run the following command:
If there is no response from the Analyzer probe server within 30 seconds, then do the following to change the connection timeout value:
a. Navigate to the hnas directory:
cd /usr/local/megha/lib/hnas
If you do not get a response even after changing the timeout value to 60, contact the network administrator to investigate the high latency between the SMU and the Analyzer
probe server.
Cannot collect performance information from Hitachi NAS platform even after adding the Hitachi NAS probe
If you want to monitor Hitachi NAS platform release 13.9.6628.07 or later but cannot collect performance information from Hitachi NAS platform even after adding the Hitachi NAS
probe, revise the SSH session timeout value for the SMU.
In the Analyzer probe server Status window, sometimes Hitachi Enterprise Storage probe shows the Processing delay status. One reason could be that it is collecting data for a
large number of resources from the target. To resolve this problem, you can increase the default data polling interval, export interval, wait time, and data collection buffer time
threshold.
Note: By default, the performance data collection interval for the Hitachi Enterprise Storage probe is 300 seconds (5 minutes). Use the following procedure to update the interval that
the Analyzer probe server collects data from the target and uploads it to the Analyzer detail view server. For example, if you increase the data collection and export intervals from 5
minutes to 15, the data is reflected in reports after 15 minutes.
1. Log on to the Analyzer probe server through an SSH client (like putty) as a root user.
2. Stop the crond service using the command:
/usr/local/megha/bin/stop-all-services.sh
4. Confirm the crond and megha services have been stopped using the commands:
/usr/local/megha/bin/megha-jetty.sh status
5. Create a backup of the Hitachi Enterprise Storage probe instance property file for which you have observed the Processing delay problem.
For example:
cp /usr/local/megha/conf/probe/HitachiEnterpriseStorage_80001_VSP5200_80001.properties /usr/local/megha/conf/probe/backup_HitachiEnterpriseStorage_80001_VSP5200_80001_backup.properties
For example:
vi /usr/local/megha/conf/probe/HitachiEnterpriseStorage_80001_VSP5200_80001.properties
probe.perf.collection.interval.secs=performance_data_collection_interval_in_seconds
probe.perf.export.interval.secs=performance_data_export_interval_in_seconds
probe.collection.buffer.time.sec=buffer_time_in_seconds
For example:
probe.perf.collection.interval.secs=900
probe.perf.export.interval.secs=900
probe.collection.buffer.time.sec=180
Note: Make sure that the values for probe.perf.collection.interval.secs and probe.perf.export.interval.secs are greater than the default value (300 seconds) and that the value for probe.collection.buffer.time.sec is 180 seconds.
8. Save the Hitachi Enterprise Storage probe instance property file and exit.
Note: If you have observed the problem for multiple Hitachi Enterprise Storage probes, repeat steps 5 to 8.
9. Create a backup of the Hitachi Enterprise Storage probe default property file:
For example:
cp /usr/local/megha/conf/probe/hitachienterprisestorage_default.properties /usr/local/megha/conf/probe/backup_hitachienterprisestorage_default.properties_backup.properties
10. Open the Hitachi Enterprise Storage probe default property file:
For example:
vi /usr/local/megha/conf/probe/hitachienterprisestorage_default.properties
perf.threshold.time.limit.minutes=performance_data_threshold_in_minutes
For example:
perf.threshold.time.limit.minutes=30
Note: The changes in the hitachienterprisestorage_default.properties file are not preserved after upgrading the Analyzer probe server. Therefore, you must add the
perf.threshold.time.limit.minutes property again.
12. Save the Hitachi Enterprise Storage probe default property file and exit.
13. Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
15. Confirm the crond and megha services have been started using the commands:
/usr/local/megha/bin/megha-jetty.sh status
For the Analyzer server, if the performance metric for a monitoring target exceeds a threshold more than a prescribed number of times during the threshold monitoring period, an
event is issued.
A spike is a sudden rise or drop in performance value. You can adjust the number of events issued in a spike by changing the values for the number of times a threshold is exceeded
or by changing the monitoring period (that is, by adjusting the threshold sensitivity). The following table and figure show the relationship between example settings for each threshold
sensitivity and the number of times an event is issued.
Threshold sensitivity Number of times the threshold is exceeded Monitoring period Number of times an event is issued
If you lower the threshold sensitivity, you can reduce the number of times an event is issued, but it will take longer to notice abnormal values.
For static thresholds, Analyzer maintains separate counts for the number of times critical and warning thresholds are exceeded. When a value exceeds both the critical and warning
thresholds, only the critical threshold is counted. For example, assume a performance metric data threshold is triggered twice in 10 minutes. If the value exceeds both the critical and
warning thresholds the first time, but only exceeds the warning threshold the second time, the event is not issued. If you do not need to distinguish between the severity of spikes, for
best results you should set the same value for critical and warning thresholds. Otherwise, it is best practice to not suppress these events.
For details on the Analyzer metrics for which you can adjust threshold sensitivity, see User-specified properties file (config_user.properties). For other metrics, an event is issued one
time (the number of times the threshold is exceeded) every five minutes (the threshold monitoring period).
Analyzer-server-installation-directory/Analytics/conf
2. Add the key corresponding to the Analyzer metric for which you want to suppress the issuance of events by performance spikes.
For details about the Analyzer metrics that apply, see "Event issuance conditions" in User-specified properties file (config_user.properties).
For example, to configure settings so that an event is issued when the Hitachi Storage Total IOPS (LDEV) metric exceeds the threshold twice in 10 minutes (the threshold
monitoring period), add a key as follows:
threshold.alertCondition.RAID_VOLUME_RAIDLDEV_TOTALIOPS.numberInPeriod.number = 2
threshold.alertCondition.RAID_VOLUME_RAIDLDEV_TOTALIOPS.numberInPeriod.period = 10
Note:
Set the threshold monitoring period as an integer multiple of the data collection interval.
Starting with version 10.9.3, part of the key names to be specified in the config_user.properties file changed from dynamicThreshold to threshold. You can still
use the old key names in version 10.9.3 and later. If both the old and new key names are specified in the config_user.properties file, the value set by the new key
name will be applied.
3. Restart the Analyzer server services.
If you log in to the GUI for the OS and then start the RAID Agent services, the RAID Agent instance services will stop when you log out of the OS.
If you want the services to continue to run even after you log out of the OS, start the RAID Agent services by using one of the following methods:
Use an SSH client to remotely connect to the Linux host, and then run the command for starting services.
Restart the OS to automatically start the services. Note that this method can be used only when the RAID Agent service autostart settings are configured. If you set RAID
Agent to automatically start, see the following procedure as reference:
Setting automatic starting and stopping of the RAID Agent services (Linux)
When you upgrade a Data Center Analytics server or an Analytics probe server that was configured by using a virtual appliance with a version from 3.0.0-01 to 3.3.0-02, you may
receive a JDK-related error message. If you receive an error message while running the precheck tool or during the upgrade, complete the following procedure to change the JDK
that is used by the Analyzer detail view server or the Analyzer probe server.
Change the JDK used by the Analyzer detail view server to OpenJDK or Oracle JDK by performing the following procedure.
/usr/local/megha/bin/stop-all-services.sh
5. Upload the RPM package for OpenJDK or Oracle JDK to the /tmp directory.
6. Install the uploaded package:
7. Switch to the OpenJDK or Oracle JDK that you installed. Perform one or more of the required actions based on the description of invalid settings in the message.
If the error message displayed java:
a. Display the list of java versions:
b. When prompted, enter the version number of the OpenJDK or Oracle JDK that you installed:
Selection Command
-----------------------------------------------
+ 1 /opt/hitachi/Base64/uCPSB/jdk/bin/java
* 2 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-devel-1.8.0.262.b08-1.el7_6.x86_64/bin/java)
c. Run the command again, and confirm that a plus mark (+) appears next to the java version that you want to use:
b. When prompted, enter the version number of the OpenJDK or Oracle JDK that you installed:
If the OpenJDK or Oracle JDK that you added does not appear, run the following command to delete the existing jre_1.8.0 settings.
c. Run the command again, and confirm that a plus mark (+) appears next to the jre_1.8.0 version that you want to use:
b. When prompted, enter the version number of the OpenJDK or Oracle JDK that you installed:
c. Run the command again, and confirm that a plus mark (+) appears next to the jstack version that you want to use:
8. Run the following command to apply the settings to the OS:
9. Run the precheck tool (analytics_precheck.sh) and confirm that no error occurs for the Java environment:
sh ./analytics_precheck.sh
Change the JDK used by the Analyzer probe server to OpenJDK or Oracle JDK by performing the following procedure.
1. Log on as the root user to the Analyzer probe server through an SSH client (like putty).
2. Use the following command to stop the crond service:
/usr/local/megha/bin/stop-all-services.sh
4. Upload the RPM package for OpenJDK or Oracle JDK to the /tmp directory.
5. Install the uploaded package:
6. Switch to the OpenJDK or Oracle JDK that you installed. Perform one or more of the required actions based on the description of invalid settings in the message.
If the error message displayed java:
a. Display the list of java versions:
b. When prompted, enter the version number of the OpenJDK or Oracle JDK that you installed:
Selection Command
-----------------------------------------------
+ 1 /opt/jp1pc/htnm/HBasePSB/jdk/bin/java
* 2 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-devel-1.8.0.262.b08-1.el7_6.x86_64/bin/java)
c. Run the command again, and confirm that a plus mark (+) appears next to the java version that you want to use:
b. When prompted, enter the version number of the OpenJDK or Oracle JDK that you installed:
If the OpenJDK or Oracle JDK that you added does not appear, run the following command to delete the existing jre_1.8.0 settings.
c. Run the command again, and confirm that a plus mark (+) appears next to the jre_1.8.0 version that you want to use:
b. When prompted, enter the version number of the OpenJDK or Oracle JDK that you installed:
c. Run the command again, and confirm that a plus mark (+) appears next to the jstack version that you want to use:
alternatives --auto java
8. Run the precheck tool (dcaprobe_precheck.sh) and confirm that no error occurs for the Java environment:
sh ./dcaprobe_precheck.sh
By using Analyzer viewpoint, you can easily display and check the comprehensive operational status of data centers around the world in a single window.
By accessing Analyzer viewpoint from a web browser, you can collectively display and view information about supported resources in the data centers.
Even for a large-scale system consisting of multiple data centers, you can check the comprehensive status of all data centers.
You can display information about resources in a specific data center in a drill-down view and easily identify where a problem occurred.
In addition, you can launch the Ops Center Analyzer UI from Analyzer viewpoint, and quickly perform the tasks needed to resolve the problem.
The following shows an example of an Analyzer viewpoint system configuration. You can also configure Common Services and Analyzer viewpoint on different hosts. Analyzer
viewpoint periodically collects information about each resource from Ops Center Analyzer servers running at multiple data centers. The RAID Agent of the Ops Center Analyzer
system collects the data from storage systems. The Analyzer detail view collects the data from hypervisors, hosts, and switches.
Prerequisites
If you want to monitor hypervisors, hosts, and switches, use Ops Center Analyzer version 10.8.0-01 or later.
System requirements
Guest operating system settings
Virtualization software
ESXi
Use the same version as the vCenter Server.
The following OS setting changes are applied to the OVF to strengthen security. You can revert to the original settings if necessary. These OS settings can also be applied for the
Ops Center products installed by using the installer.
Note that Hitachi Vantara does not take responsibility for, or support any interactions between, third-party programs and these OS settings.
/etc/modprobe.d/CIS.conf
Additional settings:
/etc/sysctl.conf
Additional settings:
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
kernel.randomize_va_space = 2
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
fs.suid_dumpable = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_forward = 0
Additional settings:
Note: The default lines that identify the system name and kernel version for the login prompt in /etc/issue and /etc/issue.net have been removed.
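The following read-only check is an added example, not part of the Hitachi guide. It compares the running kernel parameters with the /etc/sysctl.conf values listed above, so you can confirm the hardening is still in effect after settings were reverted or on a host deployed with the installer. The function names and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code: read-only audit of live kernel parameters
# against the /etc/sysctl.conf values listed in this guide.

# Expected settings, copied from the guide's list.
expected_sysctl() {
    cat <<'EOF'
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
kernel.randomize_va_space = 2
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
fs.suid_dumpable = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_forward = 0
EOF
}

# audit_sysctl [ROOT]
# ROOT defaults to /proc/sys; pass another directory to audit a captured or
# constructed tree (hypothetical convenience for offline checks).
# Prints OK / DRIFT / MISSING per key and returns 0 only if every key matches.
audit_sysctl() {
    root=${1:-/proc/sys}
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        want=$(printf '%s' "${line#*=}" | tr -d ' ')
        # net.ipv4.ip_forward -> $root/net/ipv4/ip_forward
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            # For example, net.ipv6.* is absent when IPv6 is disabled.
            printf 'MISSING %s (expected %s)\n' "$key" "$want"
            rc=1
            continue
        fi
        have=$(tr -d ' \t\n' < "$path")
        if [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT   %s = %s (expected %s)\n' "$key" "$have" "$want"
            rc=1
        fi
    done <<EOF
$(expected_sysctl)
EOF
    return $rc
}

# Audit the running host only when asked to: sh audit_sysctl.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_sysctl
fi
```

A DRIFT line means the running value differs from the guide's value even if /etc/sysctl.conf is correct, for example when a file under /etc/sysctl.d overrides it.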
The requirements for operating systems, network configuration, and RPM packages are as follows:
Network
Analyzer viewpoint only supports IPv4 communication. If an IPv6 environment is included as a communication destination for Analyzer viewpoint, configure the system so that
Analyzer viewpoint establishes all communication in IPv4.
Install the following RPM packages before you install Analyzer viewpoint. You can run the precheck tool provided by Analyzer viewpoint (viewpoint_precheck.sh) to identify
missing RPM packages.
at 3.1.20 or later
bash
bash-completion 2.7 or later
chkconfig
coreutils
curl
expect 5.45 or later
fontconfig 2.13.1 or later
freetype 2.9.1 or later
gdb 8.2 or later
glibc
iproute
jq
lsof 4.93 or later
ltrace 0.7.91 or later
pcre
policycoreutils
policycoreutils-python-utils
shadow-utils
sos 4.2 or later
sqlite
strace 5.13 or later
sysstat 11.7.3 or later
systemd
systemtap-runtime 4.6 or later
tar
tcpdump 4.9.3 or later
trace-cmd 2.7 or later
unzip 6 or later
wget 1.19 or later
zip 3 or later
zlib
For Red Hat Enterprise Linux and Oracle Linux 8, the following packages are also required:
initscripts
libxcrypt
For Red Hat Enterprise Linux and Oracle Linux 9, the following packages are also required:
alternatives
initscripts-service
libxcrypt-compat
Note: For best results, after you install the prerequisite packages, upgrade the following packages to the following versions:
Hardware requirements
For details on the number of manageable resources for each system scale, see Hardware sizing based on system scale.
Processor (cores)
  Monitoring storage systems only:
    Small: 3
    Medium: 5
    Large: 6
  Additional processors required for monitoring hypervisors (notes 1, 2):
    Level 1: 2
    Level 2: 6
    Level 3: 6
Memory
  Monitoring storage systems only:
    Small: 5 GB
    Medium: 9 GB
    Large: 30 GB
  Additional memory required for monitoring hypervisors (notes 1, 2):
    Level 1: 18 GB
    Level 2: 34 GB
    Level 3: 66 GB
Disk space
  Monitoring storage systems, hypervisors, and switches:
    Small + Level 1: 1 TB
    Medium + Level 2: 1 TB
    Large + Level 3: 4 TB
Disk type
  Monitoring storage systems, hypervisors, and switches:
    Small + Level 1: SSD (1,000 IOPS)
    Medium + Level 2: SSD (1,000 IOPS)
    Large + Level 3: SSD (10,000 IOPS, 1GB/sec)
  Note:
1. To monitor hypervisors or switches in addition to storage systems, you will need to increase the number of resources based on the system scale.
2. If you want to monitor both hypervisors and switches, just use the larger of the two resource requirements.
The following tables contain guidelines for determining the size of your environment based on the number of monitoring targets. Based on the sizing and scalability guidelines, you
can identify the hardware requirements and scale your environment to meet workload demands.
Storage
Note:
To manage a system larger than that described in "Large scale", please contact us separately.
The system scale requirements for just monitoring storage systems are the same for all Ops Center products. For details, see the Hitachi Ops Center System Requirements.
Port requirements
*
installer: 25442
Analyzer viewpoint
Common Services 443 HTTPS
localhost localhost 25080, 25081, 25082, 25083, 25085, 8086, 8088 HTTPS
(internal; for best results do not open these ports for external communication.)
* If you are using the installer, you can choose this port during installation.
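The following check is an added example, not part of the Hitachi guide. It reads `ss -H -ltn` output and reports any of the internal ports listed above that listens on a non-loopback address. The function names and the sample socket list are constructed for this example.

```shell
#!/bin/sh
# Added example, not vendor code: flag Analyzer viewpoint internal ports that
# are listening on an address other than loopback.

# Internal ports, copied from the port requirements above.
INTERNAL_PORTS="25080 25081 25082 25083 25085 8086 8088"

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:25080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:25081 0.0.0.0:*
LISTEN 0 100 [::ffff:127.0.0.1]:25082 *:*
LISTEN 0 100 *:8086 *:*
LISTEN 0 128 [::1]:8088 [::]:*
LISTEN 0 128 0.0.0.0:25442 0.0.0.0:*
LISTEN 0 128 [::]:25085 [::]:*
EOF
}

# exposed_internal_ports: reads `ss -H -ltn` lines on stdin and prints
# "port address" for each internal port bound to a non-loopback address.
exposed_internal_ports() {
    awk -v ports="$INTERNAL_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) internal[p[i]] = 1
        }
        $1 == "LISTEN" {
            la = $4                                  # Local Address:Port column
            if (!match(la, /:[0-9]+$/)) next         # last colon starts the port
            addr = substr(la, 1, RSTART - 1)
            port = substr(la, RSTART + 1)
            if (!(port in internal)) next            # external ports are expected
            # Loopback forms: 127.x.x.x, [::1], and IPv4-mapped [::ffff:127.x.x.x]
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print port, addr
        }'
}

# Demo on the constructed sample. On a live host, run:
#   ss -H -ltn | exposed_internal_ports
sample_ss_output | exposed_internal_ports
```

Any port reported here is reachable from other hosts unless a firewall rule blocks it, so check the firewalld default zone for the same ports.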
Supported browsers
Web browser Version
Analyzer viewpoint supports the following storage systems, which are monitored by Ops Center Analyzer, from which data is collected by using the RAID Agent.
For details on these data collection methods, see Selecting the data collection method.
For VSP One B20, VSP E590, E790, E1090, E590H, E790H, and E1090H storage systems, use Access Type 2.
To analyze Universal Replicator performance, use Access Type 1 for both the primary and secondary storage systems.
Analyzer viewpoint supports the analysis of Universal Replicator performance for individual consistency groups. However, configurations where one consistency group includes
multiple journal groups are not supported.
To view the performance information of NVM Host in Analyzer viewpoint, use Ops Center Analyzer 10.8.1 or later.
Analyzer viewpoint supports the same hypervisors, hosts, and switches that are monitored by the Ops Center Analyzer system.
The following figure shows the workflow for setting up Analyzer viewpoint when using the OVF file (Analyzer viewpoint OVF).
By deploying the OVF, you create a virtual machine where the viewpoint server is installed.
Also, before you install Analyzer viewpoint, be aware of the following:
The virtual machine you create in the following procedure is to be used as the host for Analyzer viewpoint excluding Common Services. Do not use this virtual machine for
any other purpose.
After installation, do not change the system time to an earlier time, because this may cause Analyzer viewpoint to malfunction.
The time on the Analyzer viewpoint host must be synchronized with the time on other hosts running Ops Center products. For best results, configure chrony to synchronize
the time between each host and an NTP server. For details, see the step that describes how to set up the NTP server in Manually configuring the network of the virtual
machine.
By default, password-based SSH root login is disabled. If you want to enable password-based SSH root login, see the procedure in Enabling password-based SSH root
login.
Note: When Analyzer viewpoint is installed, the following RPM packages are installed:
Amazon Corretto 11
If another product that uses these RPM packages is installed on the same host as Analyzer viewpoint, check the versions of the RPM packages supported by that product and make
sure that the upgrade will not cause any problems. If the upgrade might cause a problem, install Analyzer viewpoint on a different host than that product.
/opt/hitachi/analyzer_viewpoint
As a best practice, configure the network with VM customization specification of the virtual machine. However, if you prefer not to use this specification, you can skip this procedure
and configure the network manually as described in Manually configuring the network of the virtual machine.
If you do not want to use VM customization specification, manually configure the network.
nmcli device
b. Set an IP address, gateway, DNS server, and host name. For example:
c. Confirm that your host name can be resolved. If your host name cannot be resolved, run the following command to edit the hosts file:
/opt/hitachi/analyzer_viewpoint/bin/edit-hosts
timedatectl list-timezones
b. Change the time zone to your local time zone. For example:
c. Confirm the time zone and the current date and time.
timedatectl
5. (Optional) If you want to specify the NTP server to synchronize, set up the NTP service.
a. Modify the configuration file.
vi /var/opt/hitachi/analyzer_viewpoint/system/chrony.conf
b. Specify the NTP server or the NTP Pool that you want to use. For example:
chronyc sources
reboot
If you want to enable password-based SSH root login, which is disabled by default, complete the following procedure.
1. From a VMware vSphere Client, log on to the Analyzer viewpoint virtual machine.
2. Run the following command to create the configuration file for password-based SSH login:
The following figure shows the workflow for setting up Analyzer viewpoint when using the installer. As part of the initial setup, you must register Analyzer viewpoint with Common
Services.
* If you are already using an instance of Common Services, you do not need to perform this procedure.
You can obtain the prerequisite RPM packages from the Linux OS media or the distribution website, such as for Red Hat Enterprise Linux.
You can check which RPM packages are missing by running the precheck tool (viewpoint_precheck.sh).
The following describes how to install or update the RPM packages by using the Linux OS media.
mkdir /media/OSImage
mount /dev/cdrom /media/OSImage
2. Configure the yum repository.
touch /etc/yum.repos.d/OSImage.repo
echo "[dvd-baseos]">>/etc/yum.repos.d/OSImage.repo
echo name=dvd-baseos>>/etc/yum.repos.d/OSImage.repo
echo baseurl=file:///media/OSImage/BaseOS/>>/etc/yum.repos.d/OSImage.repo
echo gpgcheck=0>>/etc/yum.repos.d/OSImage.repo
echo enabled=1>>/etc/yum.repos.d/OSImage.repo
echo >>/etc/yum.repos.d/OSImage.repo
echo "[dvd-appstream]">>/etc/yum.repos.d/OSImage.repo
echo name=dvd-appstream>>/etc/yum.repos.d/OSImage.repo
echo baseurl=file:///media/OSImage/AppStream/>>/etc/yum.repos.d/OSImage.repo
echo gpgcheck=0>>/etc/yum.repos.d/OSImage.repo
echo enabled=1>>/etc/yum.repos.d/OSImage.repo
3. Run the yum command to install or update the packages and package group:
For packages
umount /media/OSImage/
rm /etc/yum.repos.d/OSImage.repo
The following describes how to install or update the RPM packages by using the distribution website.
proxy=http://host-name:port-number
proxy_username=user-name
proxy_password=password
3. Run the yum command to install or update the packages and package group.
For packages
When you run the Analyzer viewpoint installer, the internal processing of the installer changes the environment of the host where Analyzer viewpoint is installed as follows.
Change Details
analyzer
influxdb
rattlesnake
analyzer
influxdb
rattlesnake
Addition of SELinux policy records Policy records for files in the following directory are added:
/var/opt/hitachi/analyzer_viewpoint
Changes to the cron settings The periodic data collection processing settings of Analyzer viewpoint are added.
Verify that you can resolve the IP address from the host name where you plan to install Analyzer viewpoint.
Check the hosts file or the domain name system (DNS) server configuration of the host where you plan to install Analyzer viewpoint.
Make sure that the ports you specify are available for communication. (The default port is 25442.)
Verify that you have root permission to run the installer and the precheck tool.
After installation, do not change the system time to an earlier time, because this may cause Analyzer viewpoint to malfunction. If time is synchronized by using an NTP
server, use slew mode.
The time on the Analyzer viewpoint host must be synchronized with the hosts running Ops Center products. For best results, configure an NTP server.
If installing Analyzer viewpoint on the same host as Common Services, use Common Services version 10.5.1 or later.
If firewalld is enabled, during installation, settings will be changed for the default zone. If necessary, revise the settings after installation finishes.
Note: When Analyzer viewpoint is installed, the following RPM packages are installed:
Amazon Corretto 11
If another product that uses these RPM packages is installed on the same host as Analyzer viewpoint, check the versions of the RPM packages that are supported by that product
and make sure that the upgrade will not cause any problems. If the upgrade might cause a problem, install Analyzer viewpoint on a different host than that product.
1. Stop any security monitoring software, antivirus software, and process monitoring software.
2. Mount the Analyzer viewpoint installation media.
3. Move to the root directory of the installer.
cd mounted-directory/VIEWPOINT
4. Run the precheck tool as the root user to check whether Analyzer viewpoint can be installed.
bash viewpoint_precheck.sh
Note: When you run the precheck tool, it checks the static information of the system environment.
If OK is displayed in [ Check results ], you can start the installation. If NG is displayed, make sure the system requirements have been met.
If the -v option is specified, information such as the host name and the OS name is also displayed.
5. Run the following command as the root user to start the installation:
Do not forcibly stop the host during or immediately after the installation of Analyzer viewpoint. To stop or restart the host, wait until the installation is complete, and then
perform the correct procedure (for example, by running an OS command).
6. Enter the required values according to the prompts, and complete the installation.
Note: When you specify the port, if the default port number (25442) is in use, specify a different port number. For details, see Port requirements.
Tip: Analyzer viewpoint is installed in the following directory.
/opt/hitachi/analyzer_viewpoint
Analyzer viewpoint uses a self-signed certificate by default. Change the setting to use a certificate issued by a certificate authority before using Analyzer viewpoint.
Note: You can use the cssslsetup command to create a common certificate and key file for all Ops Center products. For details, see the Hitachi Ops Center Installation and
Configuration Guide.
1. Copy the certificate and key files that you want to use into the following directory:
/var/opt/hitachi/analyzer_viewpoint/apigw/ssl
/var/opt/hitachi/analyzer_viewpoint/apigw/user.conf
4. Uncomment the APIGW_SSL_CERT and APIGW_SSL_CERT_KEY lines and add the path to the certificate and key files.
Set permissions so that the certificate and key files can be read by the OS user root. A good practice is to grant only the necessary permissions for the key files.
Example:
APIGW_SSL_CERT=/var/opt/hitachi/analyzer_viewpoint/apigw/ssl/user.crt
APIGW_SSL_CERT_KEY=/var/opt/hitachi/analyzer_viewpoint/apigw/ssl/user.key
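The following check is an added example, not part of the Hitachi guide. It reads the APIGW_SSL_CERT and APIGW_SSL_CERT_KEY lines from user.conf, confirms that the key file is owned by root with no group or other access, and confirms that the certificate belongs to that key. It assumes user.conf holds plain KEY=value lines as in the example above; the function names are hypothetical, and the match check needs the openssl command.

```shell
#!/bin/sh
# Added example, not vendor code: check the certificate and key that
# user.conf configures for the Analyzer viewpoint API gateway.
# Assumption: user.conf holds plain KEY=value lines, as in the guide's example.

# conf_value FILE KEY -> value of the last uncommented "KEY=" line
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# key_is_private FILE [UID] -> 0 if FILE has no group/other permission bits
# and is owned by UID (default 0, root)
key_is_private() {
    ls_line=$(ls -ldn "$1") || return 1
    mode=$(printf '%s\n' "$ls_line" | awk '{print $1}')
    uid=$(printf '%s\n' "$ls_line" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ] && [ "$uid" = "${2:-0}" ]
}

# cert_matches_key CERT KEY -> 0 if both files carry the same public key
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_apigw_tls CONF [UID] -> prints findings, returns 0 only if all pass
check_apigw_tls() {
    cert=$(conf_value "$1" APIGW_SSL_CERT)
    key=$(conf_value "$1" APIGW_SSL_CERT_KEY)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "FAIL APIGW_SSL_CERT or APIGW_SSL_CERT_KEY is not set (still commented out?)"
        return 1
    fi
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "FAIL certificate or key file does not exist"
        return 1
    fi
    rc=0
    if ! key_is_private "$key" "${2:-0}"; then
        echo "FAIL $key must be owned by uid ${2:-0} with no group/other access"
        rc=1
    fi
    if ! command -v openssl >/dev/null 2>&1; then
        echo "SKIP openssl not installed; key/certificate match not checked"
    elif ! cert_matches_key "$cert" "$key"; then
        echo "FAIL $cert does not belong to $key"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $cert / $key"
    return "$rc"
}

# Check the live configuration only when asked to: sh check_apigw_tls.sh --live
if [ "${1:-}" = "--live" ]; then
    check_apigw_tls /var/opt/hitachi/analyzer_viewpoint/apigw/user.conf
fi
```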
You can enable certificate verification during secure communication for Analyzer viewpoint.
2. Run the following command to enable certificate verification:
/opt/hitachi/analyzer_viewpoint/bin/config-cert --enable
If you installed by using the Analyzer viewpoint OVF and want to use an instance of Common Services other than the one provided with Analyzer viewpoint, or if you performed
installation by using the installer, perform the procedures described in Registering Analyzer viewpoint with Common Services and Registering the Analyzer viewpoint license.
If you performed installation by using the Analyzer viewpoint OVF and want to use the instance of Common Services provided with Analyzer viewpoint, just perform the procedure
described in Registering the Analyzer viewpoint license.
You can delete a certificate that is used for verification from the Analyzer viewpoint truststore.
2. Run the following command to delete a certificate from the truststore. To delete multiple certificates, run the command separately for each certificate.
If you installed Analyzer viewpoint by using the virtual appliance, it is automatically registered with the instance of Common Services. Therefore, you only need to complete this
procedure if you want to register Analyzer viewpoint with a different instance of Common Services (for example, if you want to register with an existing instance of Common Services
running on another server). If you installed Analyzer viewpoint by using the installer, you must follow this procedure.
Note: Analyzer viewpoint and Ops Center Analyzer must be registered with the same instance of Common Services.
You must have root privilege.
Example:
3. Enter the username and password of the Common Services user when prompted.
Note: The Common Services user specified for this command must belong to the opscenter-administrators user group.
4. Restart the services.
You register an Analyzer viewpoint license by using the Ops Center Portal. You must complete this procedure for a new installation or when you upgrade from version 10.0.0.
b. Click the Inventory tab to open the Products window, find the Analyzer viewpoint instance that you want to use, and then click the product status link. Usually, Ready
appears as the product status link.
The License window opens.
c. Register the license by using one of the following methods:
d. Click submit.
The license is added to the list.
If Analyzer viewpoint was installed by using the OVF, you can log in to the Operating System by using the following root user credentials:
You must change the password of the root user account after you log in for the first time.
You access Analyzer viewpoint by using the following address:
https://IP-address-of-the-Analyzer-viewpoint-server:port-number/
Note:
The default port number for an instance of Analyzer viewpoint that was installed by using the installer is 25442.
The default port number for an instance of Analyzer viewpoint that was installed by using the OVF is 443.
If a user's email address is changed in Common Services, the following message might be displayed during access:
In this case, see update-email-address and change the email address to match the email address registered in Common Services.
Ensure that Analyzer viewpoint and Ops Center Analyzer are registered with the same Common Services instance. For details, see Registering Ops Center Analyzer in Common
Services.
/opt/hitachi/analyzer_viewpoint/etl/list_inventory.sh
After registering the data center and the Ops Center Analyzer system, you can start data collection manually with the run.sh command. For details, see Manually
collecting data for a specific period.
In the following cases, ensure that you specify the required settings so that the host names of individual Ops Center products are resolvable from client machines and from the
Analyzer viewpoint host.
Ops Center products are registered in Common Services with their host names.
The Ops Center OVA was used to install one or more products.
Note: Products installed by using the Ops Center OVA are registered in Common Services with their host names.
Advanced Configuration
Changing the maximum amount of memory used by the data collection process
If you are monitoring a large number of resources or the data collection interval is long, you should consider changing the maximum amount of memory that can be used by the data
collection process.
As a best practice, allocate about half of the memory of the host where Analyzer viewpoint is installed. For more information, see Hardware requirements.
You must have root permission.
/var/opt/hitachi/analyzer_viewpoint/etl/config/runtime.conf
3. Specify the maximum amount of memory (in GB) that can be used by the data collection process by setting the following parameters.
The amount of memory used for data collection from storage systems:
VIEWPOINT_ETL_SCHEDULE_MAX_HEAP_IN_GB
VIEWPOINT_ETL_ONDEMAND_MAX_HEAP_IN_GB
The maximum amount of memory to be used for manual data collection.
The amount of memory used for data collection from hypervisors, hosts, and switches:
VIEWPOINT_ETL_DETAILVIEW_SCHEDULE_MAX_HEAP_IN_GB
VIEWPOINT_ETL_DETAILVIEW_ONDEMAND_MAX_HEAP_IN_GB
VIEWPOINT_ETL_SCHEDULE_MAX_HEAP_IN_GB=12
VIEWPOINT_ETL_ONDEMAND_MAX_HEAP_IN_GB=24
VIEWPOINT_ETL_DETAILVIEW_SCHEDULE_MAX_HEAP_IN_GB=12
VIEWPOINT_ETL_DETAILVIEW_ONDEMAND_MAX_HEAP_IN_GB=24
In the following cases, use the setservicehostname command to set the URL for accessing Analyzer viewpoint.
The Analyzer viewpoint host must be able to access itself by using the host name. If the host name cannot be resolved, edit the hosts file so that the host can be accessed
by using its host name. If Analyzer viewpoint was installed by using the OVF, edit the hosts file by running the edit-hosts command, which is stored in the
/opt/hitachi/analyzer_viewpoint/bin directory.
/opt/hitachi/analyzer_viewpoint/bin/setservicehostname host-name
If you use an IP address to access Analyzer viewpoint, this procedure is unnecessary. If you use a host name to access Analyzer viewpoint and want to change the host name,
complete this procedure.
1. Run the following command to change the Common Services host name:
/opt/hitachi/CommonService/utility/bin/cschgconnect.sh -h host-name
Note: For details about the cschgconnect.sh command, see the section about changing host names in the Hitachi Ops Center Installation and Configuration Guide. If
Analyzer viewpoint was installed by using the OVF, you cannot use the -p option of the cschgconnect.sh command for an instance of Common Services that is running on
the same host as Analyzer viewpoint. In addition, you do not need to perform the procedure for issuing a Common Services server certificate.
2. Restart the Common Services.
Example:
6. Enter the username and password of the Common Services user according to the message output by the command.
Example:
The Common Services user specified for this command must belong to the opscenter-administrators user group.
8. Confirm that you can access Analyzer viewpoint from the Ops Center Portal by using the following URL:
https://host-name-of-the-Analyzer-viewpoint-server[:port-number]/portal/
/opt/hitachi/analyzer_viewpoint/bin/setservicehostname host-name
Note: If you are using the instance of Common Services bundled with Analyzer viewpoint that was installed by using the OVF, this procedure also changes the host name of
Common Services. Run the setupcommonservice command for the products registered in Common Services to set new host names. For details, see the documentation for
each product.
/opt/hitachi/analyzer_viewpoint/bin/changeportnumber port-number
If firewalld is enabled, when you run the changeportnumber command, settings will be changed for the default zone. (Revise the settings if necessary.)
2. After running this command, you must use the following URL to access Analyzer viewpoint:
https://IP-address-or-host-name-of-the-Analyzer-viewpoint-server:port-number/
Note: If you are using the instance of Common Services bundled with Analyzer viewpoint that was installed by using the OVF, this command also changes the port number of
Common Services. Run the setupcommonservice command for the products registered in Common Services to set new port numbers. For details, see the documentation for
each product.
Amazon Corretto 11 is installed on the host where Analyzer viewpoint is installed. If you want to use a newer version of Amazon Corretto, complete the following procedure to
upgrade.
Check the release notes for the Amazon Corretto 11 versions supported by Analyzer viewpoint.
Before upgrading the JDK, obtain a backup of the instance of Analyzer viewpoint that you are using.
1. Check the Amazon Corretto 11 version installed on the Analyzer viewpoint host. If another product on the same host also uses Amazon Corretto 11, verify which versions are
supported and whether an upgrade will cause any issues. If a problem might occur, do not upgrade Amazon Corretto. Alternatively, install Analyzer viewpoint on a different
host than the product.
Note: If the latest version is already installed, you do not need to perform the following steps.
2. From the Amazon Corretto site, download the latest JDK version, and then install it on the host where Analyzer viewpoint is installed.
3. If Common Services v10.6.1 or later is installed on the same host as Analyzer viewpoint, stop the services of Common Services. If another product that uses Amazon
Corretto 11 is installed on the same host, stop it as needed.
/opt/hitachi/analyzer_viewpoint/etl/change-etl-config --disable
/opt/hitachi/analyzer_viewpoint/etl/change-etl-config --enable
7. If Common Services v10.6.1 or later is installed on the same host as Analyzer viewpoint, start the services of Common Services. If another product that uses Amazon
Corretto 11 is installed on the same host, start it as needed.
If a virus detection program accesses database-related files used by Analyzer viewpoint, operations such as I/O delays or file locks can cause errors. To prevent these problems,
exclude the following directories and files from the targets scanned by the virus detection program.
/opt/hitachi/analyzer_viewpoint/
/var/log/hitachi/analyzer_viewpoint/
/var/opt/hitachi/analyzer_viewpoint/
/etc/systemd/system/multi-user.target.wants/analyzer-viewpoint-bootstrapper.service
/etc/systemd/system/multi-user.target.wants/analyzer-viewpoint-apigw.service
/etc/systemd/system/multi-user.target.wants/[email protected]
/etc/systemd/system/multi-user.target.wants/analyzer-viewpoint-webconsole.service
/etc/systemd/system/multi-user.target.wants/analyzer-viewpoint.target
/etc/systemd/system/analyzer-viewpoint-apigw-bootstrapper.service
/etc/systemd/system/analyzer-viewpoint-apigw.service
/etc/systemd/system/analyzer-viewpoint-apigw.service.d
/etc/systemd/system/analyzer-viewpoint-apigw.service.d/override.conf
/etc/systemd/system/[email protected]
/etc/systemd/system/[email protected]/override.conf
/etc/systemd/system/analyzer-viewpoint-webconsole.service.d
/etc/systemd/system/analyzer-viewpoint-webconsole.service.d/override.conf
/etc/systemd/system/analyzer-viewpoint.target
/etc/systemd/system/analyzer-viewpoint-bootstrapper.service.d
/etc/systemd/system/analyzer-viewpoint-bootstrapper.service.d/override.conf
/etc/systemd/system/analyzer-viewpoint.target.d
/etc/systemd/system/analyzer-viewpoint.target.d/override.conf
/etc/systemd/system/analyzer-viewpoint-bootstrapper.service
/etc/systemd/system/analyzer-viewpoint-license-manager.service
/etc/systemd/system/analyzer-viewpoint-iaa-launcher.service
/etc/systemd/system/analyzer-viewpoint-inventory.service
/etc/systemd/system/analyzer-viewpoint-api-proxy.service
/etc/systemd/system/multi-user.target.wants/vm-initializer.service
/etc/systemd/system/vm-initializer.service
/etc/systemd/system/graphical.target.wants/vm-initializer.service
/etc/systemd/system/vm-initializer.service.d
/etc/systemd/system/vm-initializer.service.d/override.conf
/etc/systemd/system/multi-user.target.wants/re-eruption.service
/etc/systemd/system/graphical.target.wants/re-eruption.service
Note: Depending on the environment, some of the files might not exist.
You can create user accounts for Analyzer viewpoint by using the Ops Center Portal.
You must have Admin privilege for Common Services.
Note: By default, the built-in Admin user account of Common Services is also registered in Analyzer viewpoint as a user with Admin privileges. If you disable the built-in Admin user
account of Common Services, assign Admin privileges for Analyzer viewpoint to another Admin user account in Common Services.
1. Log in to the Ops Center Portal by using a Common Services user account that has permission to create users.
For details, see the Ops Center Portal Help.
2. In the Ops Center Portal user management window, create a user account for using Analyzer viewpoint. Be sure to specify an email address.
Note: To register an existing Common Services user in Analyzer viewpoint, you do not need to create a new user account. However, be sure to specify an email address.
3. Contact the user whose account you created in Common Services and ask them to log in to Analyzer viewpoint.
Note:
When a Common Services user accesses Analyzer viewpoint for the first time, the user is registered with the Viewer role.
If a user's email address is changed in Common Services, the following message might be displayed during access:
In this case, see update-email-address and change the email address to match the email address registered in Common Services.
Contact the Analyzer viewpoint administrator and ask them to assign the required role.
For Common Services users except the built-in Admin user, the Viewer role is set when the individual user logs in to Analyzer viewpoint for the first time. The same applies to
Common Services users who are externally authenticated by an Active Directory server. After the individual user logs in for the first time, change the user's roles as needed.
To perform this procedure, you must have administrator permission for Analyzer viewpoint.
By default, Analyzer viewpoint collects data every five minutes from the RAID Agent, and every 20 minutes from the Analyzer detail view. To change this interval, use the
change-etl-config command.
If you want to manually collect data for a specific period of time after the initial setup or when the regular data collection process does not run because of system maintenance or
other reasons, use the run.sh command.
By specifying the dataSource option, you can select the source from which data is to be collected. The specifiable values are all, agent, and detail_view. If you
omit this option, all is assumed.
Specify start-time and end-time in yyyyMMddHHmm format.
Specify start-time and end-time so that the period defined by these times is in the range from one minute to 24 hours. If you specify detail_view for the dataSource
option, you can specify a collection interval longer than 24 hours.
Note:
You can collect data from the past 48 hours. For best results, specify a collection interval that is shorter than 24 hours, because the command requires a large
amount of memory. To collect data for a period of more than 24 hours, run the command multiple times.
Depending on the scope of data to collect, it might take 10 minutes or longer for the processing to finish.
The longer the data collection period, the more memory the data collection process requires. If you want to change the maximum value for the amount of memory that
the data collection process can use, see Changing the maximum amount of memory used by the data collection process.
You can run the command in parallel by specifying agent and detail_view separately for the dataSource option. For best results, do not do this because this
requires more memory.
To manually collect data in a time zone that uses daylight saving time, specify the scope of data to collect, taking into account the following effects that changing the
time period might have:
During the switch to daylight saving time, if the time changes, for example, from 1:59 in standard time to 3:00 in daylight saving time and you specify a time
that was skipped (between 2:00 and 2:59), the command assumes 3:00 was specified.
When daylight saving time ends, if the time changes, for example, from 1:59 in daylight saving time to 1:00 in standard time and you specify a time in the time
period that is duplicated (between 1:00 and 1:59), the command always assumes the time during the period from 1:00 to 1:59 in daylight saving time was
specified.
Setting the C/T delta value to monitor when Universal Replicator performance is analyzed
When you analyze Universal Replicator performance, the write delay time for the consistency group (C/T delta) is monitored. You can set a maximum value and threshold values for
C/T delta. For details, see Changing the maximum C/T delta value monitored when analyzing Universal Replicator performance. To set the C/T delta threshold values (for the
critical threshold and the warning threshold), edit the ctdelta.threshold.properties file as described here.
/var/opt/hitachi/analyzer_viewpoint/etl/threshold/ctdelta.threshold.properties
3. Specify the C/T delta threshold value (warning or critical threshold) in units of seconds. You can specify the same value for all consistency groups, or specify values for each
consistency group.
To specify the same value for all consistency groups, use the following settings:
global.critical
global.warning
To specify values for each consistency group, use the following settings:
specific.critical.primary-storage-system-serial-number.consistency-group-ID-(hexadecimal)
specific.warning.primary-storage-system-serial-number.consistency-group-ID-(hexadecimal)
Example settings:
global.warning=1500
global.critical=1800
specific.warning.123456.0=300
specific.critical.123456.0=600
specific.warning.123456.1F=1800
specific.critical.123456.1F=2700
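The following added example (not part of the Hitachi documentation or product) checks a ctdelta.threshold.properties file before it is put in place and resolves the thresholds that apply to one consistency group. It assumes that a specific.* value takes precedence over global.*, that consistency group IDs compare as hexadecimal numbers regardless of case, and that a warning threshold above the critical threshold is a mistake; the function names are hypothetical.

```python
import re

# Constructed sample: the same example settings shown above.
SAMPLE = """\
global.warning=1500
global.critical=1800
specific.warning.123456.0=300
specific.critical.123456.0=600
specific.warning.123456.1F=1800
specific.critical.123456.1F=2700
"""

INTEGER = re.compile(r"[0-9]+")
KEY = re.compile(
    r"global\.(?P<glevel>warning|critical)"
    r"|specific\.(?P<slevel>warning|critical)\.(?P<serial>[^.\s]+)\.(?P<cg>[0-9A-Fa-f]+)"
)


def scope_name(scope):
    """Readable name for a scope: "global" or serial/CG-ID (hexadecimal)."""
    return scope if scope == "global" else f"{scope[0]}/{scope[1]:X}"


def parse_thresholds(text):
    """Return (thresholds, problems).

    thresholds maps a scope to {level: seconds}. A scope is "global" or
    (serial, consistency-group ID as int); comparing the ID as a number is an assumption.
    """
    thresholds, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":          # blank lines and properties comments
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = KEY.fullmatch(key)
        if not sep or not m:
            problems.append(f"line {lineno}: unrecognized key {key!r}")
            continue
        if not INTEGER.fullmatch(value):
            problems.append(f"line {lineno}: {key} must be a whole number of seconds")
            continue
        if m["glevel"]:
            scope, level = "global", m["glevel"]
        else:
            scope, level = (m["serial"], int(m["cg"], 16)), m["slevel"]
        levels = thresholds.setdefault(scope, {})
        if level in levels:
            problems.append(f"line {lineno}: duplicate {level} for {scope_name(scope)}")
        levels[level] = int(value)
    # Sanity check (assumption, not stated on the page): warning should not exceed critical.
    for scope, levels in thresholds.items():
        if "warning" in levels and "critical" in levels:
            if levels["warning"] > levels["critical"]:
                problems.append(f"{scope_name(scope)}: warning is greater than critical")
    return thresholds, problems


def effective(thresholds, serial, cg_hex):
    """Thresholds for one consistency group (assumption: specific.* overrides global.*)."""
    specific = thresholds.get((serial, int(cg_hex, 16)), {})
    fallback = thresholds.get("global", {})
    return {lvl: specific.get(lvl, fallback.get(lvl)) for lvl in ("warning", "critical")}


if __name__ == "__main__":
    parsed, issues = parse_thresholds(SAMPLE)
    print(issues or "no problems found")
    print(effective(parsed, "123456", "1F"))
```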
/opt/hitachi/analyzer_viewpoint/bin/diag
Note: You can upgrade Analyzer viewpoint either before or after upgrading Analyzer server and Analyzer detail view server.
To upgrade Analyzer viewpoint by using the virtual appliance, deploy the OVF file from the installation media and import the data from the old virtual machine. You must reimport any
Analyzer viewpoint plug-ins.
You cannot use the virtual appliance to upgrade an instance of Analyzer viewpoint that was installed or upgraded by using the installer.
Note: When Analyzer viewpoint is upgraded, the following RPM packages are upgraded:
Amazon Corretto 11
If another product that uses these RPM packages is installed on the same host as Analyzer viewpoint, check the versions of the RPM packages that are supported by that product
and make sure that the upgrade will not cause any problems. If the upgrade might cause a problem, install Analyzer viewpoint on a different host than that product.
1. Back up Analyzer viewpoint in case the upgrade fails. For details, see Backing up and restoring Analyzer viewpoint by using the VMware functionality.
2. If you are upgrading from 10.9.2 or earlier, use the Common Services installer to upgrade to Common Services 10.9.3 or later. For details on how to upgrade Common
Services, see the Hitachi Ops Center Installation and Configuration Guide. If the linked Common Services version is 10.9.3 or later, this step is unnecessary.
3. From a VMware vSphere client, log in to the VMware ESXi server.
4. Deploy the Analyzer viewpoint OVF by selecting File > Deploy OVF Template and selecting the Analyzer viewpoint files to create a new virtual machine.
Tip: By default, the format of virtual disks is set to thick provisioning. However, you can also select thin provisioning.
5. Right-click the old virtual machine and select Power > Shutdown Guest OS.
6. If you did not create a snapshot on the old virtual machine, skip this step. If you created and retained a snapshot on the old virtual machine, create a clone of the old virtual
machine so that the new virtual machine can take over the snapshot. For the following steps, assume that the clone is the old virtual machine.
7. Copy the old virtual disk to the newly deployed virtual machine.
a. Open the Storage tree view.
b. From datastore, select the directory where you stored the data from the old virtual machine.
c. Select the old virtual machine vmdk and click Copy to.
Note: If there is more than one file named Analyzer_viewpoint_xx.yy.zz_N.vmdk, select and copy the file for which the value of N is greatest.
d. Select the directory where you store the new virtual machine, and click OK.
8. Specify the settings required to add the existing hard disk to the new virtual machine.
a. Open the Hosts and Clusters tree view.
b. Right-click the new virtual machine and select Edit settings.
c. On the Virtual Hardware tab, click ADD NEW DEVICE, and then select Existing Hard Disk.
d. From datastore, select the directory where you store the new virtual machine.
e. Select the old virtual machine vmdk, and click OK.
f. Select Hard disk 2, click ×, and then click OK to delete the disk.
9. To configure the network of the new virtual machine, refer to Using VM customization specification to configure the network.
10. Right-click the new virtual machine and select Power > Power ON.
11. To enable password-based SSH root login, refer to Enabling password-based SSH root login.
12. Reimport the Analyzer viewpoint plug-ins.
a. Use an administrator account to log in to Analyzer viewpoint, and from the Configuration icon in the upper right part of the window, select Plugins and then Analyzer
viewpoint.
b. Select the Dashboards tab and click Re-import for each dashboard.
13. Refresh the browser cache.
If you changed the port number for Analyzer viewpoint on the old virtual machine, the firewall settings are not inherited. Specify the firewall settings again as needed to use the same
port on the new virtual machine.
To upgrade Analyzer viewpoint by using the installer, complete the following procedure.
If you installed Analyzer viewpoint by using the installer, you upgrade Analyzer viewpoint by using the installer. If you installed Analyzer viewpoint by using an OVF file equivalent to
or later than version 10.5.1, you can upgrade Analyzer viewpoint by using the installer.
Review the Analyzer viewpoint requirements (hardware and software). Make sure that the prerequisite packages are installed.
Verify that you have root permission to run the installer and the precheck tool.
Note: When Analyzer viewpoint is upgraded, the following RPM packages are upgraded:
Amazon Corretto 11
If another product that uses these RPM packages is installed on the same host as Analyzer viewpoint, check the versions of the RPM packages that are supported by that product
and make sure that the upgrade will not cause any problems. If the upgrade might cause a problem, install Analyzer viewpoint on a different host than that product.
1. Back up Analyzer viewpoint in case the upgrade fails. For details, see Backing up and restoring Analyzer viewpoint.
2. Log in to the host where you want to complete the upgrade.
3. Stop the Analyzer viewpoint services:
cd mounted-directory/VIEWPOINT
6. Run the precheck tool as the root user to check whether you are ready to install Analyzer viewpoint.
bash viewpoint_precheck.sh
Note: When you run the precheck tool, it checks the static information of the system environment.
If OK is displayed in [ Check results ], you can start the installation. If NG is displayed, make sure the system requirements have been met.
If the -v option is specified, information such as the host name and the OS name is also displayed.
7. Run the following command as the root user to start the upgrade:
Do not forcibly stop the host during or immediately after an upgrade installation of Analyzer viewpoint. To stop or restart the host, wait until the upgrade installation is
complete, and then perform the correct procedure (for example, by running an OS command).
8. Enter the required values according to the prompts, and complete the upgrade.
9. Reimport the Analyzer viewpoint plug-ins.
a. Use an administrator account to log in to Analyzer viewpoint, and from the Configuration icon in the upper right part of the window, select Plugins and then Analyzer
viewpoint.
b. Select the Dashboards tab and click Re-import for each dashboard.
10. Refresh the browser cache.
To back up or restore Analyzer viewpoint, you can use one of two methods: VMware functions or commands. If you cannot use the VMware functions, perform backup and restore by
using the commands. Decide which method to use based on your environment.
To back up and restore the Analyzer viewpoint virtual machine, complete the following procedure.
You can back up the settings information and data of Analyzer viewpoint.
2. Run the backup command to back up the settings information and data of Analyzer viewpoint.
You can restore the settings information and data of Analyzer viewpoint.
If the host name is used to access Analyzer viewpoint on the backup source host, you must use the same host name for the restore destination host.
IP address
System locale
2. Run the restore command to restore the settings information and data of Analyzer viewpoint.
Use the viewpoint_uninstall.sh command to remove the instance of Analyzer viewpoint that was installed by using the installer.
You cannot use this command to remove an instance of Analyzer viewpoint that was installed by deploying an OVF file.
cd /opt/hitachi/analyzer_viewpoint/uninstaller
bash viewpoint_uninstall.sh SYS
Do not forcibly stop the host during or immediately after the removal of Analyzer viewpoint. To stop or restart the host, wait until the removal is complete, and then perform
the correct procedure (for example, by running an OS command).
4. Enter the required values according to the prompts, and then complete the removal process.
When you use the viewpoint_uninstall.sh command to remove Analyzer viewpoint, SELinux policy records are not deleted. Delete them as needed. Do not forcibly stop the host
immediately after the deletion of the SELinux policy records. Similarly, the following rpm packages will not be removed. Remove them as needed by using the rpm command. If the
command fails, run the rpm command with the --nopreun option specified.
Amazon Corretto 11
PostgreSQL 11*2
Kong*1, *2
InfluxDB
*1: Before you remove Kong, delete the Lua modules in the following order.
*2: This file exists if you upgraded Analyzer viewpoint from a version earlier than 11.0.0.
backup
Use this command to back up the settings information and data of Analyzer viewpoint to the specified directory.
Format
Options
dir output-directory
Specify, as an absolute path, the directory in which to store the backup file.
Example
viewpoint-backup-105000-20201021-053210.tgz
Location
/opt/hitachi/analyzer_viewpoint/bin/
Notes
Make sure that the backup file storage directory has as much free space as the directory /var/opt/hitachi/analyzer_viewpoint/.
If the following files are not stored in /var/opt/hitachi/analyzer_viewpoint/, they are not backed up. If necessary, back them up manually.
Server certificate
Private key
change-etl-config
This command changes the settings for the Analyzer viewpoint process that collects data. You can use this command to change the data collection interval and enable or disable
data collection.
Format
change-etl-config --display
Options
minutes
The data collection interval (in minutes). You can specify the following values: 1, 5, 10, 15, 20, 30, 60, 120, 180, 240, 360, 480, 720, and 1440.
For best results, specify 20 minutes or longer for the data collection interval of Analyzer detail view.
enable
Enables data collection.
disable
Disables data collection.
display
Display data collection settings:
Item Description
ETL_COLLECTION_INTERVAL_IN_MINUTES Currently configured data collection interval for the RAID Agent (in minutes)
ETL_COLLECTION_ENABLED Status of data collection from the RAID Agent (true: enable, false: disable)
ETL_DETAILVIEW_COLLECTION_INTERVAL_IN_MINUTES Currently configured data collection interval for the Analyzer detail view (in minutes)
ETL_DETAILVIEW_COLLECTION_ENABLED Status of data collection from the Analyzer detail view (true: enable, false: disable)
Location
/opt/hitachi/analyzer_viewpoint/etl
Example
To change the interval for data collection from the RAID Agent to 10 minutes:
change-etl-config --display
Output example:
ETL_COLLECTION_INTERVAL_IN_MINUTES=5
ETL_COLLECTION_ENABLED=false
ETL_DETAILVIEW_COLLECTION_INTERVAL_IN_MINUTES=5
ETL_DETAILVIEW_COLLECTION_ENABLED=true
Notes
The longer the data collection interval, the more memory the data collection process requires. If you want to change the maximum value for the amount of memory that the data
collection process can use, see Changing the maximum amount of memory used by the data collection process.
config-cert
Use this command to enable or disable certificate verification in Analyzer viewpoint and import certificates to the truststore.
Format
To check whether certificate verification is enabled and to check the certificates that were imported to the truststore:
/opt/hitachi/analyzer_viewpoint/bin/config-cert --status
Options
--enable
Enables certificate verification.
--disable
Disables certificate verification.
Specify the registration name of the certificate by using no more than 64 bytes. You can use the following types of characters:
You cannot use spaces. The value is not case-sensitive. If the argument contains a left "(" or right ")" parenthesis character, enclose the argument in double quotation marks.
--delete registration-name-of-the-certificate
Deletes an imported certificate. To delete multiple certificates, run the command separately for each certificate.
--status
Checks whether certificate verification is enabled and checks the certificates that were imported to the truststore.
--show-cert registration-name-of-the-certificate
Displays details of the certificate imported to the truststore.
Location
/opt/hitachi/analyzer_viewpoint/bin/
Return value
3 The registered name specified for the certificate includes invalid characters.
4 The registered name specified for the certificate is already being used.
7 Invalid environment.
Example
restore
Use this command to restore the backup file for the settings information and data of Analyzer viewpoint that was obtained by using the backup command.
Format
Options
file backup-file-name
Location
/opt/hitachi/analyzer_viewpoint/bin/
Notes
The restore destination directory (/var/opt/hitachi/analyzer_viewpoint/) must have as much free space as the backup source directory (/var/opt/hitachi/analyzer_viewpoint/).
If you run this command, the Analyzer viewpoint user data on the restore destination host is deleted. Manually back up the necessary user data and then recreate the data.
The following settings and file are not restored. If necessary, manually reconfigure the settings or relocate the file.
Firewall settings
Configure the settings so that the firewall allows the ports used to access Analyzer viewpoint.
To connect to an instance of Common Services other than the one where the backup destination was connected, re-register Analyzer viewpoint in Common Services.
hosts file
If name resolution on the Analyzer viewpoint backup source host uses the hosts file, the hosts file settings are not inherited.
If the Analyzer viewpoint environment on the restore destination host was configured by using the OVF, use the edit-hosts command to reconfigure the
settings.
If the Analyzer viewpoint environment on the restore destination host was configured by using the installer, use the hosts file to reconfigure the settings.
Settings configured by using the edit-hosts command
If the Analyzer viewpoint restore destination host was configured by using the installer, the configured settings are not inherited by the edit-hosts command. If all of
the following conditions are met, edit the hosts file so that the host name can be resolved.
The host name is resolved by using the edit-hosts command on the backup source host.
The Analyzer viewpoint environment on the backup source host was configured by using the OVF.
Server certificate
If the backup source host has specified its own server certificate and the server certificate is stored in a location other than /var/opt/hitachi/analyzer_viewpoint/,
manually migrate the server certificate.
setupcommonservice
Use this command to register Analyzer viewpoint with Common Services. This command also updates the Analyzer viewpoint information that is registered in Common Services.
Format
setupcommonservice
[--applicationName product-name]
{--csUri Common-Services-URL}
[--csUsername Common-Services-username]
Options
--applicationName product-name
Specify the Analyzer viewpoint product name to display in Common Services. If you omit this option, the host name or IP address of Analyzer viewpoint is set.
--csUri Common-Services-URL
Specify the Common Services URL.
--csUsername Common-Services-username
Specify a username for Common Services. The Common Services user specified for this command must belong to the opscenter-administrators user group. If you omit this
option, you can enter a Common Services username in response to the prompt.
Location
/opt/hitachi/analyzer_viewpoint/bin
Return value
Example
update-email-address
Use this command to apply an email address change for a specified user.
Format
Options
--user user-ID
Specify the user associated with the email address with the following characters:
--email email-address
Location
/opt/hitachi/analyzer_viewpoint/bin/
Return value
Example
Notes
When you run this command, you must stop the Analyzer viewpoint services. You can stop the services by entering a response to the command.
Virtual Storage Software Agent is required if you want to monitor VSP One SDS Block by using VMware vRealize Operations Manager.
The following shows an example of a Virtual Storage Software Agent system configuration.
The requirements for operating systems, network configuration, RPM packages, hardware, software, and ports are as follows:
Network configuration
Install the following RPM packages before you install Virtual Storage Software Agent:
coreutils
firewalld
gawk
grep
rpm
sed
systemd
which
policycoreutils
policycoreutils-python-utils
Note: For best results, after you install the prerequisite packages, upgrade the following packages to the following versions:
Hardware requirements
Item Requirements
Processor 4 cores
Memory 8 GB
Disk space 10 GB
Software requirements
To use Virtual Storage Software Agent, your environment must meet the following requirements:
Port requirements
Virtual Storage Software Agent The representative for storage clusters or the control network for storage nodes of VSP One SDS Block 443 HTTPS
The Virtual Storage Software Agent installation installs Amazon Corretto 8. If an earlier version of Amazon Corretto is already installed, you are prompted whether to upgrade.
1. Stop all security monitoring software, antivirus software, and process monitoring software.
2. Mount the Hitachi Ops Center installation media, go to the TOOLS directory, and copy the VirtualStorageSoftwareAgent.zip file to a directory on the Linux host.
Note:
You must use only the following characters in the directory path to which the installer is copied: A-Z a-z 0-9 - . _
Do not use spaces.
3. Unzip the file and move to the VirtualStorageSoftwareAgent directory:
cd directory-where-you-unzipped-file/VirtualStorageSoftwareAgent
4. To start the installation, run the following command as the root user:
sh ./install.sh NEW
Do not forcibly stop the host during or immediately after the installation of Virtual Storage Software Agent. To stop or restart the host, wait until the installation is complete,
and then perform the correct procedure (for example, by running an OS command).
Note:
The default installation directory of Virtual Storage Software Agent is /opt/hitachi.
For a repair installation, run the following command:
sh ./install.sh VUP
To check the version of Virtual Storage Software Agent, run the following command:
cat Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent/system/product_version
If you run the Virtual Storage Software Agent installer, the internal processing of the installer changes the environment of the host where Virtual Storage Software Agent is installed
as follows.
Change Details
Addition of SELinux policy records The policy records for files in the following directory are added:
/var/Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent
Set up the Analyzer server to use the Virtual Storage Software Agent as follows:
Analyzer-server-installation-directory/Analytics/conf/virtualstoragesoftware-access-points.yaml
agentHostOrIpAddress: Host name or IP address of Virtual Storage Software Agent. If you want to specify a host name, make sure it can be resolved on the host
where the Analyzer server is installed. If you specify the IP address, you must use IPv4.
protocol: Protocol for connecting to Virtual Storage Software Agent. Specify http or https. Set the same value as the protocol specified in the userconfig-setting.yaml file on Virtual Storage Software Agent.
agentHostName: Virtual Storage Software Agent host name. Make sure that the host name can be resolved from the Analyzer server.
port: Port number for connecting to Virtual Storage Software Agent. Set the same value as the port specified in the userconfig-setting.yaml file on Virtual
Storage Software Agent.
agentHostOrIpAddress: host1
protocol: https
agentHostName: host1
port: 24081
Note: If you want to connect with multiple instances of Virtual Storage Software Agent, create a separate agentHostOrIpAddress entry for each host.
4. Restart the Analyzer server. For details, see Starting and stopping the Ops Center Analyzer services.
Follow this procedure to configure the Virtual Storage Software Agent settings.
Creating a private key and a certificate signing request for Virtual Storage Software Agent server
Submitting a certificate signing request (CSR) for Virtual Storage Software Agent
Importing Virtual Storage Software Agent certificates to the Analyzer server truststore
Importing VSP One SDS Block certificates to the Virtual Storage Software Agent truststore
Importing Virtual Storage Software Agent certificates to the Analyzer server truststore
To enable the Analyzer server to verify Virtual Storage Software Agent certificates, import Virtual Storage Software Agent certificates to the Analyzer server truststore, and edit the
config_user.properties file.
1. Save the server certificates for Virtual Storage Software Agent on the Analyzer server.
2. Stop the Analyzer server services.
3. Run the keytool command to import the certificates for Virtual Storage Software Agent to the truststore file:
Note:
Note the following when specifying a unique name in the truststore, the truststore file name, and the password:
Specify the file name as a character string of no more than 255 bytes.
Do not include double quotation marks (") in the unique name in the truststore or the password.
For the alias-name, specify a name that identifies whether the certificate is the certificate for Virtual Storage Software Agent.
For the certificate-file-name, specify the absolute path.
The truststore file is stored in the following location:
Common-component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts
Analyzer-server-installation-directory/Analytics/conf
Key: cert.verify.enabled
Value: true
5. (Optional) To add cipher suites for communication with Virtual Storage Software Agent, do the following:
a. Open the config_user.properties file from the following location.
/opt/hitachi/Analytics/conf/config_user.properties
Note: The cipher suite settings apply to communication from the Analyzer server to all of the following components and servers. The settings cannot be configured for
individual components or servers.
Analyzer detail view server
RAID Agent
Virtual Storage Software Agent
Common Services
Ops Center Automator
b. Add or edit the ssl.ClientProtocol and ssl.ClientCipherSuites line (default value) as follows.
c. At the end of the ssl.ClientCipherSuites line, add any additional TLS 1.2 or TLS 1.3 cipher suites, using commas to separate the values.
6. Start the Analyzer server services.
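The following added example (not Hitachi's code) audits the two settings described above, the Virtual Storage Software Agent entries in virtualstoragesoftware-access-points.yaml and cert.verify.enabled in config_user.properties, and reports plaintext http connections, IP addresses that are not IPv4, invalid ports, and disabled certificate verification. The flat entry layout, the sample values, and the function names are assumptions made for the example.

```python
import ipaddress
import re

KNOWN_KEYS = ("agentHostOrIpAddress", "protocol", "agentHostName", "port")

# Constructed sample inputs (not from a real system). Assumed layout: flat "key: value"
# lines, one group per agent, each group starting at agentHostOrIpAddress.
ACCESS_POINTS = """\
agentHostOrIpAddress: host1
protocol: https
agentHostName: host1
port: 24081
agentHostOrIpAddress: 2001:db8::10
protocol: http
agentHostName: host2
port: 240810
"""
CONFIG_USER = """\
cert.verify.enabled = false
"""


def parse_entries(text):
    """Return one dict per agent entry, keeping only the four keys the page describes."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):            # tolerate YAML list markers
            line = line[2:].strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")  # split at the first colon only
        key = key.strip()
        if key not in KNOWN_KEYS:
            continue
        if key == "agentHostOrIpAddress" or not entries:
            entries.append({})
        entries[-1][key] = value.strip().strip("\"'")
    return entries


def parse_properties(text):
    """Minimal key=value parser for config_user.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(access_points_text, config_user_text):
    """Return a list of findings; an empty list means the settings match the page."""
    findings = []
    for i, entry in enumerate(parse_entries(access_points_text), 1):
        host = entry.get("agentHostOrIpAddress", "")
        label = f"entry {i} ({host or 'no host'})"
        for key in KNOWN_KEYS:
            if not entry.get(key):
                findings.append(f"{label}: {key} is missing")
        try:
            # The page requires IPv4 when an IP address is specified.
            if ipaddress.ip_address(host).version != 4:
                findings.append(f"{label}: IP address must be IPv4")
        except ValueError:
            if re.fullmatch(r"[0-9.]+", host):   # digits and dots only, yet not a valid IPv4
                findings.append(f"{label}: malformed IPv4 address")
        protocol = entry.get("protocol", "")
        if protocol == "http":
            findings.append(f"{label}: protocol is http, traffic to the agent is not encrypted")
        elif protocol and protocol != "https":
            findings.append(f"{label}: protocol must be http or https")
        port = entry.get("port", "")
        if port and not (re.fullmatch(r"[0-9]+", port) and 1 <= int(port) <= 65535):
            findings.append(f"{label}: port {port} is not a valid port number")
    if parse_properties(config_user_text).get("cert.verify.enabled") != "true":
        findings.append("config_user.properties: cert.verify.enabled is not set to true")
    return findings


if __name__ == "__main__":
    for finding in audit(ACCESS_POINTS, CONFIG_USER):
        print(finding)
```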
1. Log on as root on the host where Virtual Storage Software Agent is installed.
2. Stop any security monitoring software, antivirus software, and process monitoring software.
3. Run the following command:
cd /Virtual-Storage-Software-Agent-installation-directory/VirtualStorageSoftwareAgent/uninstaller
sh ./uninstall.sh SYS
When you use the uninstall.sh command to remove Virtual Storage Software Agent, SELinux policy records that were added for Red Hat Enterprise Linux/Oracle Linux are not
deleted. Delete them as needed. Do not forcibly stop the host immediately after the deletion of the SELinux policy records.
List of Commands
Analyzer server
Command Description
backupsystem Backs up Analyzer server setting information in the folder you specify.
changememory Changes the maximum amount of memory that can be used by the Analyzer server.
hcmds64checkauth Checks the settings in the exauth.properties file and the connection to the external authentication server when connecting to
an external authentication server.
hcmds64getlogs Collects log files that are output during operation of Analyzer server, and then outputs the log files to an archive file.
hcmds64intg Deletes authentication data registered in the repository of the server that manages user accounts. The command also
displays the address of the server in which the authentication data is registered.
If you fail to delete authentication data when uninstalling Analyzer server, use this command to delete the authentication
data.
hcmds64ldapuser Registers, in the Analyzer server, a user account used to search user information in external authentication servers when
connecting to an external authentication server. This command also deletes user accounts used to search user information
that are registered in the Analyzer server.
hcmds64prmset Registers, changes, and cancels the registration of the host that manages the user accounts used for connection with Ops
Center Automator.
hcmds64radiussecret When connecting to an external authentication server, registers a shared secret for the RADIUS server in the Analyzer
server or deletes a shared secret registered in the Analyzer server.
hcmds64srv Starts or stops Analyzer server services and databases. The command also displays the status of Analyzer server services.
hcmds64ssltool Creates private keys, CSRs, and self-signed certificates (including its content files), which are required for SSL connection.
hcmds64unlockaccount Unlocks a user account. Use this command when you cannot log on to Analyzer server because all the user accounts are
locked.
reloadtemplate Reloads the Analyzer server template files during the startup of Analyzer server.
restoresystem Restores the backup for Analyzer server settings information that you collected by running the backupsystem command.
RAID Agent
Command Description
htmsrv Starts or stops services, checks the operating status, and changes the type of startup method for the RAID Agent.
htmssltool Creates private keys, CSRs, and self-signed certificates (including its content files), which are required to establish an SSL
connection by using the RAID Agent services.
jpcinslist Displays the instance names that have been set up by the RAID Agent.
In Linux
In Windows
Note the following when using commands with RAID Agent on a Windows host:
The specification method for command arguments must comply with the specifications of the OS command line. If an argument value contains a space or special symbols,
you must escape such characters by enclosing each with double quotation marks (").
You can use the following types of characters when specifying a path with an argument of a command:
Alphanumeric characters, underscores (_), periods (.), hyphens (-), spaces, left parentheses ( ( ), right parentheses ( ) ), hash marks (#), at marks (@), colons (:), and
backslash (\)
When specifying a path in an argument, you cannot use a path that has a folder name that begins or ends with a space. Also, you cannot specify a folder name that consists
of only spaces.
When specifying a path in an argument, you cannot use a path that has a folder name that begins or ends with a period (.). Also, you cannot specify a folder name that
consists of only periods.
Unless otherwise stated, the path length is from 1 to 230 characters in the absolute path.
Unless otherwise stated, each command argument is case-sensitive.
backupsystem
Use this command to back up Analyzer server setting information in the directory you specified.
Format
backupsystem
-dir output-directory
-type {all | Analytics}
Options
dir output-directory
Specify the directory in which the backup file is stored with the absolute or relative path.
all
Backs up Analyzer server and Common component. Common component manages the user information.
Analytics
Location
Analyzer-server-installation-directory/Analytics/bin
Notes
Make sure that the directory in which the backup file is to be stored has sufficient free space. Use the following formula to calculate the required amount of free space:
10 GB + Size of Analyzer-server-installation-directory/Analytics/data
If products that use Common component are installed on the Analyzer server, add the capacity required to back up information for those products.
The following files for HTTPS connections are not backed up. If necessary, back up these files manually.
SSL server certificate file
Private key
In addition, the files for HTTPS connections are defined in the httpsd.conf file and the user_httpsd.conf file.
Stop the service by running the hcmds64srv command with the stop option. The service to stop depends on the type option.
You must stop not only the service of Analyzer server, but also the services of the products that use Common component.
You must stop the service only for the Analyzer server.
If products that use Common component are installed on the Analyzer server, run the restoresystem command by specifying type Analytics to restore only Analyzer
server. You can back up the data required for restoring only Analyzer server by specifying type Analytics for the backupsystem command.
If you specify Analytics for the type option, the following files are not backed up. If you must back up these files, back them up manually.
Security definition file (security.conf)
File for setting port numbers and host names (user_httpsd.conf)
If the changememory command was used to change the maximum amount of memory that can be used by the Analyzer server, when you restore the system, run the
changememory command again.
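The notes above state that the SSL server certificate file and private key are not backed up and that their locations are defined in the httpsd.conf and user_httpsd.conf files. The following script is an added example, not part of the Hitachi guide or product: it reads those locations from a configuration file and copies the files, together with the configuration file itself, into a directory that only the owner can read. It assumes Apache-style SSLCertificateFile and SSLCertificateKeyFile directives; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Hitachi code): copy the HTTPS files that backupsystem
# leaves out into a private directory next to the backup.

# tls_paths_from_conf FILE: print the paths named by the certificate and
# private-key directives. ASSUMPTION: the file uses Apache-style directives
# named SSLCertificateFile and SSLCertificateKeyFile. Commented-out lines
# (leading #) are ignored.
tls_paths_from_conf() {
    awk '
        NF >= 2 && ($1 == "SSLCertificateFile" || $1 == "SSLCertificateKeyFile") {
            path = $0
            sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", path)   # drop the directive name
            sub(/[ \t\r]+$/, "", path)                # drop trailing blanks
            gsub(/^"|"$/, "", path)                   # drop surrounding quotes
            print path
        }' "$1"
}

# backup_https_files DEST CONF...: copy each CONF and every file it names to
# DEST, keeping the absolute path below DEST. Prints each copy. Returns
# non-zero if any file is missing, relative, or fails verification.
backup_https_files() (
    dest=$1; shift
    umask 077          # new directories 0700, new files 0600 at most
    set -f             # paths read from the config are never glob-expanded
    # Split the path list on newlines only, so paths may contain spaces.
    IFS='
'
    rc=0
    for conf in "$@"; do
        for src in "$conf" $(tls_paths_from_conf "$conf" 2>/dev/null); do
            case "$src" in
                /*) ;;
                *)  echo "not an absolute path: $src" >&2; rc=1; continue ;;
            esac
            if [ ! -f "$src" ]; then
                echo "missing: $src" >&2; rc=1; continue
            fi
            mkdir -p "$dest$(dirname "$src")" &&
                cp "$src" "$dest$src" &&
                chmod 600 "$dest$src" &&
                cmp -s "$src" "$dest$src" &&
                echo "$dest$src" || rc=1
        done
    done
    exit "$rc"
)

# make_constructed_fixture DIR: write a constructed sample configuration and
# placeholder certificate/key files into DIR (DIR must be an absolute path).
make_constructed_fixture() {
    mkdir -p "$1/ssl" &&
    echo "constructed certificate placeholder" > "$1/ssl/server.crt" &&
    echo "constructed private key placeholder" > "$1/ssl/server.key" &&
    cat > "$1/user_httpsd.conf" <<EOF
# SSLCertificateFile "/commented/out.pem"
Listen 22016
SSLCertificateFile "$1/ssl/server.crt"
  SSLCertificateKeyFile $1/ssl/server.key
EOF
}

# Usage: script DEST CONF...   With no arguments, run on constructed files.
if [ "$#" -ge 2 ]; then
    backup_https_files "$@"
else
    demo=$(mktemp -d) && make_constructed_fixture "$demo" &&
        backup_https_files "$demo/backup" "$demo/user_httpsd.conf"
    [ -n "$demo" ] && rm -rf "$demo"
fi
```

When type Analytics is used, security.conf can be passed as an additional CONF argument; it is copied as-is because it names no certificate files.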
Return values
Example
The following example shows the use of this command to back up information of Analyzer server:
changememory
Change the maximum amount of memory that can be used by the Analyzer server.
Format
changememory
{-set memory-size [-auto] | -status}
Options
set memory-size
Specify the maximum amount of memory (in GB) that can be used by the Analyzer server. You can specify a value in the range from 1 to 256. Note that the specified value
must be less than the total memory of the OS.
auto
status
Displays the setting status for the maximum amount of memory that can be used by the Analyzer server.
Location
Analyzer-server-installation-directory/Analytics/bin
Notes
If you run this command without specifying the auto option, you must restart the product by running the hcmds64srv command on the host where you ran the changememory
command.
Return values
Example
To change the maximum amount of memory that can be used by the Analyzer server to 32 GB:
To check the setting status for the maximum amount of memory that can be used by the Analyzer server:
changememory -status
collection_config
Use this command to change the data collection interval for all RAID Agent instances that share the same Access Type. To change the intervals for collecting data, specify the same
value as the data collection intervals for both the RAID Agent and the Hitachi Enterprise Storage probe.
Note:
RAID Agent uses various methods to collect performance data. The time required to collect data varies depending on the method used. For some methods, the collection interval
cannot be changed. The data collection method is determined by the value of Access Type specified when an instance is created.
You can use the following command to specify a collection interval for each Access Type and to check records collected based on Access Type.
Format
In Linux
collection_config
{showinterval -at AccessType |
changeinterval -at AccessType -r record-ID {-i data-collection-interval | -reset} [-stop | -restart] |
showaccesstype {-at AccessType} |
service {-start | -stop | -status}}
In Windows
collection_config.bat
{showinterval -at AccessType |
changeinterval -at AccessType -r record-ID {-i data-collection-interval | -reset} [-stop | -restart] |
showaccesstype {-at AccessType} |
service {-start | -stop | -status}}
Options
Displays the data collection interval and other information for a specific Access Type.
-at AccessType
Specifies the Access Type for which you want to check the data collection interval.
In the results, the records with RW displayed in the Mode column can be changed.
Item Description
RW Can be changed.
R Cannot be changed.
N/A Cannot be changed because data cannot be collected.
Collection Interval The value of the data collection intervals of the record is displayed in the Current column.
Sync Collection With The value of the data collection intervals of the record is synchronized with the record values
displayed in the Current column.
Not Collectable This value is displayed when Mode is N/A. This indicates that the record cannot be collected.
Current The value specified as data collection intervals. The following information is displayed according to the value in the Type
column:
Default The default value. The following information is displayed according to the value in the Type column:
For Not Collectable - (hyphen)
Note that, for some records, the default data collection intervals vary depending on the Access Type.
Modified Information indicating whether the value specified for the data collection interval is customized.
Specify, for a specific Access Type, the record whose data collection interval you want to change and the new data collection interval.
Running the command allows you to change the data collection intervals for only one record. When you want to run this subcommand, stop the RAID Agent service.
-at AccessType
Specifies the Access Type whose data collection interval you want to change.
-r record-ID
Specifies the ID of the record for which you want to change data collection intervals.
If the specified record does not exist, or if the data collection intervals for the specified record cannot be changed, an error occurs.
-i data-collection-interval
Specifies a value (unit: seconds) for the data collection interval to use for the specified record after the change.
The following table shows the requirements for the values to be specified as data collection intervals for each record. Note that this table includes records for which,
depending on the Access Type, you might not be able to change the collection interval. To check whether the collection interval can be changed for a particular Access Type,
use the subcommand showinterval.
PD_PLC, PD_PLTC, PD_VVC, PD_VVTC A value that is a multiple of 3,600 and a divisor of 86,400 in the range from 3,600 to 86,400
PD_PEFF, PD_PLF, PD_PLR, PD_PLTR, PD_PLTS, PD_SEFF, PD_VVF A value that is a multiple of 60 and a divisor of 3,600, or a value that is a multiple of 3,600 and a divisor of 86,400
PD_UMS, PI, PI_CHS (note 2), PI_CLMS, PI_CLPS, PI_CTGS, PI_JNLS, PI_LDA (note 1), PI_LDS (note 1), PI_LDSX, PI_PLS (note 1), PI_PRCS, PI_PTS (note 2), PI_PTSX (note 2), PI_RGS (note 1) A value that is a multiple of 60 and a divisor of 3,600 in the range from 60 to 3,600
PI_PLTI, PI_VVTI A value that is a multiple of 300 and a divisor of 3,600 in the range from 300 to 3,600
Notes:
1. If the value of a data collection interval is set to a value smaller than the default, the KAVE00227-W message might be output continuously. In this case, you
must increase the value of the data collection interval.
2. When you want to monitor VSP One B20, setting the value of data collection intervals to 300 or greater might cause port performance to be displayed
incorrectly.
For details about the default setting of data collection intervals for each record, see the Hitachi Ops Center Analyzer REST API Reference Guide.
-reset
Returns the data collection interval for the specified record to the default value.
-stop
Stops the instance whose data collection interval is to be updated, as well as the RAID Agent service.
-restart
Stops the instance whose data collection interval is to be updated, as well as the RAID Agent service, and then restarts them after the data collection interval is
updated.
-at AccessType
Specifies the Access Type for which you want to show information. If this option is omitted, information about all instances is shown.
Item Description
-start
Starts RAID Agent services
-stop
Stops RAID Agent services
-status
Displays the status of RAID Agent services
Execution Permission
Location
In Linux
This command is stored in the following directory on the Analyzer probe server:
/opt/hitachi/Analytics/bin/
In Windows
RAID-Agent-installation-folder\raid_agent\bin\
Notes
The data collection intervals of the records that have been changed by using this command are applied to all instance environments that have the same Access Type.
Return values
14 The data collection interval cannot be changed for the specified record and Access Type.
16 Running the command was suspended because the RAID Agent service is not stopped.
Example (Linux)
To display a list of information about all records when the Access Type is 1:
To change the value of the data collection interval to 7,200 seconds (2 hours) for the record PD_PLC in all instance environments for which the Access Type is 1:
collection_config showaccesstype
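The interval rules listed for the -i option can be checked before the RAID Agent service is stopped for changeinterval. The following script is an added example, not part of the Hitachi guide or product; its function names are illustrative, and it uses the record IDs without the note markers 1 and 2 that the table attaches to some of them (an assumption about the table layout).

```sh
#!/bin/sh
# Added example (not Hitachi code): pre-check a value for
#   collection_config changeinterval -at AccessType -r record-ID -i interval
# against the per-record interval rules in the table for the -i option.

# rule_class RECORD: print the rule class for a record ID, or return 1 if the
# record is not in the table. ASSUMPTION: the 1/2 attached to some IDs in the
# table are note markers, so the records are PI_CHS, PI_LDA, PI_LDS, and so on.
rule_class() {
    case "$1" in
        PD_PLC|PD_PLTC|PD_VVC|PD_VVTC)                           echo hourly ;;
        PD_PEFF|PD_PLF|PD_PLR|PD_PLTR|PD_PLTS|PD_SEFF|PD_VVF)    echo minute_or_hourly ;;
        PD_UMS|PI|PI_CHS|PI_CLMS|PI_CLPS|PI_CTGS|PI_JNLS|PI_LDA) echo minute ;;
        PI_LDS|PI_LDSX|PI_PLS|PI_PRCS|PI_PTS|PI_PTSX|PI_RGS)     echo minute ;;
        PI_PLTI|PI_VVTI)                                         echo five_minute ;;
        *)                                                       return 1 ;;
    esac
}

# fits STEP CEILING VALUE: VALUE is a multiple of STEP and a divisor of
# CEILING, which also bounds it to the range STEP..CEILING.
fits() {
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ] &&
        [ $(( $3 % $1 )) -eq 0 ] && [ $(( $2 % $3 )) -eq 0 ]
}

# class_fits CLASS VALUE: apply the table row that belongs to CLASS.
class_fits() {
    case "$1" in
        hourly)           fits 3600 86400 "$2" ;;
        minute_or_hourly) fits 60 3600 "$2" || fits 3600 86400 "$2" ;;
        minute)           fits 60 3600 "$2" ;;
        five_minute)      fits 300 3600 "$2" ;;
        *)                return 1 ;;
    esac
}

# interval_ok RECORD SECONDS: 0 = allowed, 1 = violates the rule,
# 2 = not a plain decimal number, 3 = record not in the table.
interval_ok() (
    case "$2" in
        # digits only, no leading zero, at most 5 digits (86400 is the maximum)
        ''|*[!0-9]*|0*|??????*) exit 2 ;;
    esac
    class=$(rule_class "$1") || exit 3
    class_fits "$class" "$2"
)

# allowed_intervals RECORD: print every value the table permits, in seconds.
allowed_intervals() (
    class=$(rule_class "$1") || exit 3
    v=60
    out=
    while [ "$v" -le 86400 ]; do
        if class_fits "$class" "$v"; then out="${out:+$out }$v"; fi
        v=$(( v + 60 ))
    done
    echo "$out"
)

# changeinterval_cmd ACCESS_TYPE RECORD SECONDS: print the command line only
# when the interval passes the check (nothing is executed here).
changeinterval_cmd() {
    interval_ok "$2" "$3" || return
    echo "collection_config changeinterval -at $1 -r $2 -i $3"
}

# The guide's own example values: Access Type 1, record PD_PLC, 7,200 seconds.
changeinterval_cmd 1 PD_PLC 7200
echo "PI_PLTI accepts: $(allowed_intervals PI_PLTI)"
```

The check covers only the table's arithmetic rules; whether a record can be changed for a given Access Type still has to be confirmed with showinterval.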
encryptpassword
Use this command to generate a password file to be specified as the argument of a command in Analyzer server. To generate a password file, the user must be registered in
Analyzer server.
Format
encryptpassword
[-user user-ID]
-passwordfile password-file-path
Options
user user-ID
Specify the user ID of the Analyzer server user for whom you want to create a password file. The user must have the Admin or Modify permission for IAA, or the User
Management permission. Enter the password in response to the prompt.
If you omit the user option, you can enter a user ID in response to the prompt.
passwordfile password-file-path
Use an absolute or relative path to specify a path of the password file to be created.
Location
Analyzer-server-installation-directory/Analytics/bin
Return values
5 Communication failed.
hcmds64checkauth
When connecting to an external authentication server, use this command to check the settings of the exauth.properties file and the connections to the external authentication server.
If you run this command, the command will perform checks in the following four phases, and then the results will be displayed:
Phase 1: The command checks whether the property used when connecting to the external authentication server is correctly set in the exauth.properties file.
Phase 2: The command checks whether the properties for the external authentication server and the external authorization server are correctly set in the exauth.properties
file.
Phase 3: The command checks whether a connection to the external authentication server can be established.
Phase 4: If the settings are specified so that an external authorization server is also connected, the command checks whether a connection to the external authorization
server can be established, and whether the authorization group can be searched.
The following message is displayed if the checking in each phase finishes normally.
KAPM15004-I The result of the configuration check of Phase phase-number was normal.
Format
hcmds64checkauth
[-user user-ID]
[-summary]
Options
user user-ID
Specify the user ID of the user account registered in the external authentication server or the external authorization server for which the connection is to be checked. Enter
the password in response to the prompt.
If you omit the user option, you can enter a user ID in response to the prompt.
Specify the value saved in the attribute specified by auth.ldap.value-specified-in-auth.server.name.attr in the exauth.properties file.
Specify the user ID of the user account registered in the RADIUS server.
When connecting to the external authentication server only, specify the user ID of the user account that is registered in the Analyzer server and for which the
authentication method to be performed is Kerberos.
When connecting also to the external authorization server, specify the user ID of the user account that is not registered in the Analyzer server.
summary
This option simplifies the confirmation message that appears when you run the command.
If this option is specified, the messages to be displayed are limited to messages indicating whether each processing phase is successful or failed, error messages, and
messages indicating the results. However, if an error message similar to the message indicating the results is to appear, the former error message is omitted and only the
latter resulting message is displayed.
Location
Common-component-installation-directory/bin
Notes
You cannot specify a user account with a user-ID or password that begins with a hyphen (-).
If you are using Kerberos authentication and the realm name is specified multiple times in the exauth.properties file, check the user account for each realm. In addition,
specify the user ID using the following format:
When specifying a user who does not belong to the realm specified for auth.kerberos.default_realm in the exauth.properties file, specify a value in the form of
user-ID@realm-name.
When specifying a user who belongs to the realm specified as the auth.kerberos.default_realm in the exauth.properties file, you can specify a value for user-ID
without specifying the realm name.
When you are using LDAP authentication in a multi-domain configuration and you run the hcmds64checkauth command, the authentication is checked for all connected
external authentication servers specified in the exauth.properties file and the results are displayed for each.
If an external authentication server does not have registered user accounts that match the user accounts specified in the hcmds64checkauth command, an error message
with this information is generated and displayed as a check result in phase 3. In this case, processing might end because of failure during the phase 3 confirmation. In this
case, use a user account registered on the external authentication server to check the connection of the external authentication server.
If Ops Center Automator is connected, run the hcmds64checkauth command on the server that is set as the primary server.
Return values
100 This is the return code when the number of syntax errors exceeds 100 lines.
The maximum number of each place is nine. If more than nine errors occur, each place displays nine.
The settings for connecting to the external authentication server are not configured.
253
Example
The following example shows how to use the command to verify the connection with the external authentication server:
hcmds64checkauth -summary
The following explains how to escape when running the hcmds64ldapuser command, hcmds64radiussecret command, or hcmds64checkauth command.
If the following characters are included in an argument, enclose the argument in double quotation marks or use a backslash to escape each character:
Spaces, hash marks (#), ampersands (&), single quotation marks ('), left parentheses ( ( ), right parentheses ( ) ), tildes (~), backslashes (\), grave accent marks (`), left angle
brackets (<), right angle brackets (>), semicolons (;), and vertical bars (|)
A backslash in an argument is treated as an escape character even if the argument is enclosed in double quotation marks. If a backslash is included in an argument, escape it by
using another backslash.
hcmds64getlogs
Use this command to collect log files that are output during operation of Analyzer server, and then output the log files to an archive file.
Format
hcmds64getlogs
-dir output-directory-path
[-types Analytics]
[-arc archive-file-name]
[-logtypes {log | db | csv}]
Options
dir output-directory-path
Specify the directory path for outputting the archive file. You can specify only a directory of a local disk.
As the output directory path, specify an empty directory in absolute or relative path format. If the directory path does not exist, the directory is created automatically. The
maximum allowable path length is 100 characters. The Write permission is set for the directory you specify in this option.
types Analytics
Specify Analytics as the product name of the target of log file collection. This is not case-sensitive. If you omit this option, Analyzer server and all Hitachi Command Suite
products that have been installed are subject to the command processing. In this case, log collection might take a while.
arc archive-file-name
Specify the name of the archive file to be created as the result of Common component's material collection tool. If you omit this option, the archive file name is
HiCommand_log_64. Archive files are output under the directory in the dir option.
Characters that can be specified as the archive file name include printable ASCII characters (0x20 to 0x7E), excluding the following special characters: Backslashes (\),
slashes (/), colons (:), commas (,), semicolons (;), asterisks (*), question marks (?), double quotation marks ("), left angle brackets (<), right angle brackets (>), vertical bars
(|), dollar signs ($), percent signs (%), ampersands (&), single quotation marks ('), and grave accent marks (`). You do not need to specify an extension.
Specify the type of the log file for Common component for which you want to collect logs. The following table shows the correspondence between the log file type and the log
files that can be collected:
log Archive-file-name-in-the-arc-option_64.jar
Archive-file-name-in-the-arc-option_64.hdb.jar
db Archive-file-name-in-the-arc-option_64.db.jar
csv Archive-file-name-in-the-arc-option_64.csv.jar
For best results, omit this option so that all log files of Common component are collected.
To specify more than one type, use a space as a delimiter (for example, -logtypes log db csv). If you use the types option and the logtypes option at the same time,
specify log as the value of the logtypes option.
Output format
The following table lists the log files collected using the hcmds64getlogs command.
output-directory-in-dir-option/archive-file-name-in-arc-option_64.jar
All files in Analyzer-server-installation-directory/Analytics/logs
All files in Analyzer-server-installation-directory/Analytics/conf
All files in Analyzer-server-installation-directory/Analytics/work
All files in Analyzer-server-installation-directory/Analytics/data
All files in Analyzer-server-installation-directory/Analytics/system
/var/opt/hitachi/HPA/*.log files
List of the files in Analyzer-server-installation-directory/Analytics
Result of running the netstat command of the OS with the -nao option specified
Result of running the uname command of the OS with the -a option specified
Result of running the free command of the OS
Result of running the ps command of the OS with the -elfa option specified
/var/log/messages* files
/etc/hosts file
/etc/services file
Result of running the env command of the OS
Result of running the sysctl command of the OS with the -a option specified
Result of running the ulimit command of the OS with the -a option specified
Result of running the ipcs command of the OS with the -a option specified
Result of running the cat /proc/meminfo command of the OS
Result of running the df command of the OS with the -k option specified
Result of running the dmesg command of the OS
Result of running the rpm command of the OS with the -qa option specified
/etc/inittab file
/etc/redhat-release file
/etc/nsswitch.conf file
/etc/resolv.conf file
Result of running the ip command of the OS with the -a option specified
/etc/.hitachi/Analytics/installInfo file
/etc/sysconfig/iptables-config file
Result of running the service iptables status command of the OS
Result of running Common component's material collection tool (hcmdsgetlogs, hcmdsras)
Result of running the systemctl status firewalld.service command of the OS
Result of running the firewall-cmd command of the OS with the --list-all-zones option specified
Result of running the ss command of the OS with the -nao option specified
/etc/NetworkManager/system-connections/*.nmconnection files
/etc/sysconfig/network-scripts/ifcfg-* files
output-directory-in-dir-option/archive-file-name-in-arc-option_64.db.jar
output-directory-in-dir-option/archive-file-name-in-arc-option_64.csv.jar
Location
Common-component-installation-directory/bin
Notes
Size of directories and files in Analyzer-server-installation-directory/Analytics/data + size of directories and files in Analyzer-server-installation-directory/Analytics/logs + 10
GB
If products that use Common component are installed on the Analyzer server, add the capacity required for collecting logs for these products in the calculation.
If you use the same option more than once, only the first option is used.
You can run this command even if the Analyzer server is not running.
Return values
Example
The following example shows the use of this command to collect log files in the folder:
hcmds64intg
Use this command to delete authentication data registered in the repository of the server that manages user accounts. The command also displays the address of the server in
which the authentication data is registered.
If you fail to delete authentication data when uninstalling Analyzer server, use this command to delete the authentication data.
Format
hcmds64intg
{-delete -type Analytics | -print | -primary}
[-user user-ID]
Options
delete
type Analytics
Specify Analytics as the product name of the server in which the authentication data is registered.
Displays the name of the program in which the authentication data is registered.
primary
Displays the host name or the IP address of the server in which the authentication data is registered.
user user-ID
Specify the user ID for connecting with the server in which the authentication data is registered. The user ID you specify must have the User Management permission. Enter
the password in response to the prompt. If you omit the user option, you can enter a user ID in response to the prompt.
Location
Common-component-installation-directory/bin
Return values
2 Authentication data is registered in the server where you ran the command.
3 Authentication data is not registered on the server where you ran the command.
4 Authentication data is not registered in the server where you ran the command. In addition, an authentication error occurred on the server
where authentication data is registered.
253 An authentication error occurred on the server where authentication data is registered.
254 Communication with the server where authentication data is registered failed.
Example
The following example shows the use of this command to delete authentication data from the server that manages the user account:
hcmds64ldapuser
To connect to an external authentication server, use this command to register, in the Analyzer server, a user account used to search user information in external authentication
servers. You can also use this command to delete user accounts used to search user information that are registered in the Analyzer server.
If you register a user account by using this command, use the hcmds64checkauth command to verify whether the user account can be correctly authenticated.
Format
hcmds64ldapuser -set
-dn DN-of-user-account-used-to-search-for-LDAP-user-info
-name name
hcmds64ldapuser -delete
-name name
To display external authentication servers for which LDAP search user accounts have already been registered in the Analyzer server:
hcmds64ldapuser -list
Options
set
dn DN-of-user-account-used-to-search-for-LDAP-user-info
Specify the DN in accordance with the rules defined in RFC 4514. For example, if any of the following characters are included in the DN, you must use a backslash (\) to
escape each character.
Spaces, hash marks (#), plus signs (+), commas (,), semicolons (;), left angle brackets (<), equal signs (=), right angle brackets (>), and backslashes (\)
delete
Specify this option to delete user information, including the server identification name or the domain name specified for the name option.
name name
For LDAP authentication: Server identification name or the domain name for external authentication servers of the LDAP directory server
Specify the server identification name that was specified for the auth.server.name property in the exauth.properties file, or specify the domain name specified for
auth.ldap.value-specified-for-auth.server.name.domain.name property in the exauth.properties file.
Specify the domain name specified for auth.radius.auth.server.name-property-value.domain.name in the exauth.properties file.
If you directly specify information about a Kerberos server in the exauth.properties file, specify the value specified for auth.kerberos.default_realm or
auth.kerberos.auth.kerberos.realm_name-property-value.realm.
If you specify the settings in the exauth.properties file to use the DNS server to look up information about a Kerberos server, specify the realm name registered in the
DNS server.
list
Displays the external authentication servers for which the user accounts used to search information have already been registered in the Analyzer server.
Location
Common-component-installation-directory/bin
Notes
In the LDAP directory server, you can use double quotation marks (") for the DN and password. In the Analyzer server, however, you must register a user account whose DN
and password do not include double quotation marks.
If you are using Active Directory, you can use the dsquery command provided by Active Directory to check the DN of a user. The following example shows how to use the
dsquery command to check the DN of the user administrator, and also shows the results:
Return values
Example
hcmds64prmset
Use this command to register, change, and cancel the registration of the host that manages the user accounts used to connect with Ops Center Automator.
If you run this command, the information about the user accounts in the Common component will be managed by the Common component of the primary server. The host whose
user accounts are managed by the primary server is called the secondary server.
If the Analyzer server is linked to Ops Center Automator on another host and Automator is the primary server, run this command on the Analyzer server.
If the Analyzer server is linked to Ops Center Automator on another host and the Analyzer server is the primary server, run this command on Ops Center Automator.
Format
When registering the primary server or changing information about the registered primary server
hcmds64prmset
[-host host-name-or-IP-address]
[-port port-number-for-non-SSL-communication
| -sslport port-number-for-SSL-communication]
[-check]
hcmds64prmset -setprimary
hcmds64prmset -print
Options
host host-name-or-IP-address
Specify the host name or IP address of the primary server. If SSL communication is enabled on the primary server, specify the same value as that of Common Name (CN) in
the server certificate.
If you change the host name of only the registered primary server, you can omit the port or sslport option.
port port-number-for-non-SSL-communication
Specify the port number of HBase 64 Storage Mgmt Web Service of the primary server. Specify this option if SSL communication is disabled on the primary server. The
default port number is 22015.
If you change the port number of only the registered primary server, you can omit the host option.
sslport port-number-for-SSL-communication
Specify the port number of HBase 64 Storage Mgmt Web Service of the primary server. Specify this option if SSL communication is enabled on the primary server. The
default port number is 22016.
If you change the port number of only the registered primary server, you can omit the host option.
check
setprimary
Cancels the registered primary server. The host where the command was run will be changed from the secondary server to the primary server.
Role of the host where the command was run (primary server or secondary server)
Host name (IP address) and port number of the primary server
This information is displayed only if the role of the host is the secondary server.
Location
Common-component-installation-directory/bin
Notes
After running this command, restart the product by using the hcmds64srv command.
Return values
Example
The following example shows how to use this command to register the primary server:
hcmds64radiussecret
To connect to an external authentication server, use this command to register a shared secret for the RADIUS server in the Analyzer server. You can also use this command to
delete shared secrets registered in the Analyzer server.
When you run the command, enter a shared secret in response to the prompt. For a shared secret, you can specify printable ASCII characters (0x21 to 0x7E) of 128 bytes or less.
If you register a shared secret by using this command, run the hcmds64checkauth command to verify whether the shared secret can be correctly authenticated.
Format
hcmds64radiussecret
-name RADIUS-server-identification-name
hcmds64radiussecret
-delete
-name RADIUS-server-identification-name
To display a list of server identification names of the RADIUS servers for which shared secrets are registered:
hcmds64radiussecret -list
Options
delete
name RADIUS-server-identification-name
The specified name must match a server identification name specified for the auth.server.name property in the exauth.properties file.
list
Displays a list of server identification names of the RADIUS servers for which shared secrets are registered.
Location
Common-component-installation-directory/bin
Return values
Examples
hcmds64srv
Use this command to start or stop Analyzer server services. The command also displays the Analyzer server service status or changes the service start method.
Format
hcmds64srv
{-start | -stop | -check | -status}
[-server service-name]
To display the status of services of Analyzer server and products that use Common component:
hcmds64srv
-statusall
hcmds64srv
-starttype {auto | manual}
{-server service-name | -all}
Options
start
Starts the service and database you specified in the server option.
stop
Stops the service and database you specified in the server option.
status
Displays the status of the server and database you specified in the server option.
server service-name
To start, stop, or display the status of Analyzer server product services only, specify AnalyticsWebService as the service name. When you run this command with
AnalyticsWebService specified in the server option, you can start, stop, or display the status of the following services:
Database process* Y N N
Legend:
Y: Processed
N: Not processed
If you omit the server option, the following services are started or stopped, or their status is displayed.
Database process* Y Y Y
Legend:
Y: Processed
statusall
Displays the service and data statuses, and the status of the products registered in Common component. If you omit the server option, this argument is used.
starttype {auto | manual}
Specify the start type of the service with the server option. Specify auto for an automatic start. Specify manual for a manual start.
all
If you specify this option, the command runs for all services of Analyzer server and other products that use Common component.
Location
Common-component-installation-directory/bin
Notes
If you start or stop Analyzer server services as a daily operation, omit the server option to start or stop all the services. To start only Analyzer server services by specifying the
server option, specify AnalyticsWebService for the server option to start Common component service.
If you run the command with the stop option and the termination processing does not end within three minutes, an error occurs and a message is displayed to indicate a time-
out. In this case, wait a while, and then rerun the command with the stop option.
If you start or stop a service with the start or stop option, the command might end while the service does not start or stop completely. To confirm that the service has
completely started or stopped, use either of the following operations:
Confirm that either of the following messages has been output to a disclosed log or the syslog:
At startup
KNAQ10086-I Application is running.
When stopped
KNAQ10089-I Application is stopped.
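The log check described in the note above, as an added shell example that is not part of this guide. The log file path, the function names, and the layout of the sample log lines are assumptions (constructed); only the two message IDs and texts come from this page.

```shell
#!/bin/sh
# service_state LOGFILE [SKIP_LINES]
# Prints running | stopped | unknown, based on the most recent KNAQ10086-I or
# KNAQ10089-I message found after the first SKIP_LINES lines of LOGFILE.
# Skipping the lines that existed before hcmds64srv was invoked keeps a stale
# "Application is running." entry from an earlier start from being trusted.
service_state() {
    awk -v skip="${2:-0}" '
        NR <= skip    { next }
        /KNAQ10086-I/ { state = "running" }
        /KNAQ10089-I/ { state = "stopped" }
        END           { print (state == "" ? "unknown" : state) }
    ' "$1"
}

# wait_for_state LOGFILE running|stopped TIMEOUT_SECONDS [SKIP_LINES]
# Polls once per second; returns 0 when the wanted state is logged, 1 on timeout.
wait_for_state() {
    _waited=0
    while :; do
        [ "$(service_state "$1" "${4:-0}")" = "$2" ] && return 0
        [ "$_waited" -ge "$3" ] && return 1
        sleep 1
        _waited=$((_waited + 1))
    done
}

# Typical use (LOG is a placeholder for the log or syslog file you monitor):
#   before=$(wc -l < "$LOG")
#   hcmds64srv -stop
#   wait_for_state "$LOG" stopped 180 "$before" || echo "stop not confirmed" >&2

# Constructed sample log lines (timestamps and layout are made up).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
2025-01-04 08:00:12 KNAQ10086-I Application is running.
2025-01-04 09:15:40 KNAQ10089-I Application is stopped.
EOF
echo "whole log:    $(service_state "$demo_log")"
echo "after line 2: $(service_state "$demo_log" 2)"
rm -f "$demo_log"
```

The 180-second timeout in the usage comment mirrors the three-minute limit that this page gives for the stop option.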
Return values
The following table shows the return values of the command with start option or stop option:
The following table shows the return values of the command with the check, status, or statusall option:
The following table shows the return values of the command with the starttype option:
Examples
hcmds64srv -start
hcmds64srv -stop
hcmds64srv -status
hcmds64ssltool
Use this command to create private keys, certificate signing requests (CSRs), self-signed certificates, and content files for self-signed certificates that are required for SSL
connections. The created files are used for the following purposes:
Submitting the CSR to a CA to obtain an SSL server certificate. You can build an SSL-connected environment by combining the obtained SSL server certificate and the
private key.
Building an SSL-connected environment by combining the self-signed certificate with the private key. Use this environment for test purposes only, because
security is low.
Checking the details of the registration of the self-signed certificate from the content file of the self-signed certificate.
Format
hcmds64ssltool
[-key private-key-file-name]
[-csr CSR-file-name]
[-cert self-signed-certificate-file-name]
[-certtext name-of-the-content-file-of-the-self-signed-certificate]
[-validity expiration-date-of-the-self-signed-certificate]
[-dname distinguished-name (DN)]
[-sigalg signature-algorithm-of-the-server-certificate-for-RSA-cryptography]
[-keysize private-RSA_key-size]
[-eccsigalg signature-algorithm-of-the-server-certificate-for-elliptic-curve-cryptography]
[-ecckeysize size-of-the-private-key-for-elliptic-curve-cryptography]
[-ext extension-information-for-the-X.509-certificate]
Options
key private-key-file-name
Specifies the absolute path for storing the private key. The private key for RSA cryptography will be output to a file of the specified file name. The private key for elliptic curve
cryptography will be output to another file of the specified file name with the prefix ecc-.
If you omit this option, the httpsdkey.pem file and the ecc-httpsdkey.pem file will be output under the Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/server/.
csr CSR-file-name
Specifies the filename, and absolute path, for storing the CSR. The CSR for RSA cryptography is output to a file of the specified file name. The CSR for elliptic curve
cryptography will be output to another file of the specified file name with the prefix ecc-.
If you omit this option, the httpsd.csr file and the ecc-httpsd.csr file are output under the Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/server/.
cert self-signed-certificate-file-name
Specifies the filename, and absolute path, for storing the self-signed certificate. The self-signed certificate for RSA cryptography will be output to a file of the specified file
name. The self-signed certificate for elliptic curve cryptography is output to another file of the specified file name with the prefix ecc-.
If you omit this option, the httpsd.pem file and the ecc-httpsd.pem file are output under the Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/server/.
certtext name-of-the-content-file-of-the-self-signed-certificate
Outputs the content of the self-signed certificate in text to a specified path and filename. The content of the self-signed certificate for RSA cryptography is output to a file of
the specified file name. The content of the self-signed certificate for elliptic curve cryptography is output to another file of the specified file name with the prefix ecc-.
If you omit this option, the httpsd.txt file and the ecc-httpsd.txt file are output under the Common-component-installation-directory/uCPSB11/httpsd/conf/ssl/server/.
validity expiration-date-of-the-self-signed-certificate
Specifies the number of days until the self-signed certificate expires. If you specify this option, the same value is specified for RSA cryptography and elliptic curve
cryptography. If you omit this option, the certificate expires in 3,650 days.
dname distinguished-name (DN)
Specifies the distinguished-name (DN) described in the SSL server certificate, in the format "attribute-type=attribute-value". You can specify multiple attribute type values by using
a comma (,) as a delimiter.
Characters specified for attribute types are not case sensitive. You cannot use a double quotation mark (") or a backslash (\) in the attribute type. For details about how to use
escape characters, follow the instructions in RFC 2253. To use the following symbols, add a backslash (\) before each symbol as an escape character.
Plus signs (+), commas (,), semicolons (;), left angle brackets (<), equal signs (=), right angle brackets (>)
Spaces at the beginning of character strings
Spaces at the end of character strings
Hash marks (#) at the beginning of character strings
If you omit this option, you must enter attribute values according to the instructions in the window displayed when you run the command.
The following table lists the attribute types that you can specify for this option:
CN | Common Name | Server Name | Distinguished-name* of the Analyzer server, such as host name, IP address, or domain name
OU | Organizational Unit Name | Organizational Unit | Lower-level organization name, such as department or section name
sigalg signature-algorithm-of-the-server-certificate-for-RSA-cryptography
Specifies the signature algorithm of the server certificate for RSA cryptography. You can specify SHA512withRSA, SHA256withRSA, or SHA1withRSA. If you omit this option,
the signature algorithm is SHA256withRSA.
keysize private-RSA_key-size
Specifies the size (in bits) of the private key for RSA cryptography. You can specify 2048, 3072, or 4096. If you omit this option, the size of the private key for RSA
cryptography is 2,048 bits.
eccsigalg signature-algorithm-of-the-server-certificate-for-elliptic-curve-cryptography
Specifies the signature algorithm of the server certificate for elliptic curve cryptography. You can specify SHA512withECDSA, SHA384withECDSA, SHA256withECDSA, or
SHA1withECDSA. If you omit this option, the signature algorithm is SHA384withECDSA.
ecckeysize size-of-the-private-key-for-elliptic-curve-cryptography
Specifies the size (in bits) of the private key for elliptic curve cryptography. You can specify 256 or 384. If you omit this option, the size of the private key for elliptic curve
cryptography is 384 bits.
ext extension-information-for-the-X.509-certificate
Specifies the extension information for the X.509 certificate. The specification method is based on the ext option of the keytool command in Java. Note, however, that the
only extension that can be specified in Ops Center Analyzer is SAN (SubjectAlternativeName).
If you specify the ext option multiple times, the first specification takes effect.
Location
Common-component-installation-directory/bin
Notes
If the value of the CN attribute of the SSL server certificate does not match the host name, IP address, or domain name that the web browser uses to connect to the Analyzer server,
a message indicating a server mismatch is displayed.
Return values
hcmds64unlockaccount
Use this command to unlock user accounts for all users with User Management permission.
You can use this command to unlock user accounts managed by the Common component.
Format
hcmds64unlockaccount
[-user user-ID]
Options
user user-ID
Specify the user ID of the user account to be unlocked. The user ID you specify must have the User Management permission. Enter the password in response to the prompt.
If you omit the user option, you will be prompted to enter a user ID.
Location
Common-component-installation-directory/bin
Notes
To run this command, the Common component services (HBase 64 Storage Mgmt Web Service and HBase 64 Storage Mgmt SSO Service) and the database must already
be running.
You can use the hcmds64unlockaccount command to unlock only user accounts that have the User Management permission.
If the user ID or password contains symbols, add a backslash (\) as an escape character before each symbol.
If Ops Center Automator is connected, run the hcmds64unlockaccount command on the server that is set as the primary server.
Return values
Example
The following example shows how to use this command to unlock a user account:
hcmds64unlockaccount
htmsrv
Use the htmsrv command to start or stop services, check the operating status, and change the type of startup method for the RAID Agent.
htmsrv
{ start | stop } {-all | -webservice | -key agtd [-inst instance-name]}
htmsrv
status {-all | -webservice | -key agtd | -id service-ID}
htmsrv
starttype { auto | manual } -webservice
Options
-all
-webservice
-key agtd
-inst instance-name
Specify this option to run the following services for a specific instance.
-id service-ID
<Product-ID> and <Function-ID> are one-byte identifiers defined by the RAID Agent service.
<Instance-number> is an identifier consisting of a one-byte control number used for internal processing.
<Device-ID> is an identifier containing characters (1-255 bytes) that indicate, for example, the host on which the RAID Agent service is started. <Device-ID> differs
depending on the service settings.
The following table provides an overview of each RAID Agent service and the contents of each Product-ID, Function-ID and Device-ID.
Agent Store Manages performance data and event data D S Instance-name[host-name] is set.
auto
Specify this option to automatically start the RAID Agent REST Web Service and the RAID Agent REST Application Service.
manual
Specify this option to manually start the RAID Agent REST Web Service and the RAID Agent REST Application Service.
Execution Permission
Location
In Linux
This command is stored in the following directory on the Analyzer probe server:
/opt/jp1pc/htnm/bin/
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\bin\
Return values
0
When an option other than the status option is specified:
The command ran normally. (All the services to be checked are running.)
1
When the start option is specified:
The command ran normally. (The specified services are already running.)
The command ran normally. (The specified services have already stopped.)
The command ran normally. (All the services to be checked have already stopped.)
2
When the status option is specified:
The command ran normally. (Some of the services to be checked are running, and some have stopped.)
10
The specified option is invalid.
255
An unexpected error occurred.
Example
htmssltool
Use this command to create the private keys, certificate signing requests (CSRs), self-signed certificates, and content files for self-signed certificates that are required for SSL
connections that use the RAID Agent services. The created files are used for the following purposes:
Submitting the CSR to a CA to obtain a server certificate. You can build an SSL-connected environment by combining the obtained server certificate and the private key.
Building an SSL-connected environment by combining the self-signed certificate with the private key. Use this environment for test purposes only, because
security is low.
Checking the details of the registration of the self-signed certificate from the content file of the self-signed certificate.
Format
htmssltool
-key private-key-file-name
-csr CSR-file-name
-cert self-signed-certificate-file-name
-certtext name-of-the-content-file-of-the-self-signed-certificate
[-validity expiration-date-of-the-self-signed-certificate]
[-dname distinguished-name (DN)]
[-sigalg signature-algorithm-of-the-server-certificate-for-RSA-cryptography]
[-keysize private-RSA_key-size]
[-eccsigalg signature-algorithm-of-the-server-certificate-for-elliptic-curve-cryptography]
[-ecckeysize size-of-the-private-key-for-elliptic-curve-cryptography]
Options
-key private-key-file-name
Specifies the absolute path for storing the private key. The private key for RSA cryptography will be output to a file of the specified file name. The private key for elliptic curve
cryptography will be output to another file of the specified file name with the prefix ecc-.
-csr CSR-file-name
Specifies the filename, and absolute path, for storing the CSR. The CSR for RSA cryptography is output to a file of the specified file name. The CSR for elliptic curve
cryptography will be output to another file of the specified file name with the prefix ecc-.
-cert self-signed-certificate-file-name
Specifies the filename, and absolute path, for storing the self-signed certificate. The self-signed certificate for RSA cryptography will be output to a file of the specified file
name. The self-signed certificate for elliptic curve cryptography is output to another file of the specified file name with the prefix ecc-.
-certtext name-of-the-content-file-of-the-self-signed-certificate
Specifies the filename, and absolute path, for the content of the self-signed certificate in text. The content of the self-signed certificate for RSA cryptography is output to a file
of the specified file name. The content of the self-signed certificate for elliptic curve cryptography is output to another file of the specified file name with the prefix ecc-.
-validity expiration-date-of-the-self-signed-certificate
Specifies the number of days until the self-signed certificate expires. If you specify this option, the same value is specified for RSA cryptography and elliptic curve
cryptography. If you omit this option, the certificate expires in 3,650 days.
-dname distinguished-name (DN)
Specifies the distinguished-name (DN) described in the SSL server certificate, in the format "attribute-type=attribute-value". You can specify multiple attribute type values by using
a comma (,) as a delimiter.
Characters specified for attribute types are not case sensitive. You cannot use a double quotation mark (") or a backslash (\) in the attribute type. For details about how to use
escape characters, follow the instructions in RFC 2253. To use the following symbols, add a backslash (\) before each symbol as an escape character.
Plus signs (+), commas (,), semicolons (;), left angle brackets (<), equal signs (=), right angle brackets (>)
Spaces at the beginning of character strings
Spaces at the end of character strings
Hash marks (#) at the beginning of character strings
If you omit this option, you must enter attribute values according to the instructions in the window displayed when you run the command.
The following table lists the attribute types that you can specify for this option:
CN | Common Name | Server Name | Distinguished-name* of the host where RAID Agent is installed, such as the host name, IP address, or domain name
OU | Organizational Unit Name | Organizational Unit | Lower-level organization name, such as department or section name
-sigalg signature-algorithm-of-the-server-certificate-for-RSA-cryptography
Specifies the signature algorithm of the server certificate for RSA cryptography. You can specify SHA256withRSA or SHA1withRSA. If you omit this option, the signature
algorithm is SHA256withRSA.
-keysize private-RSA_key-size
Specifies the size (in bits) of the private key for RSA cryptography. You can specify 2048 or 4096. If you omit this option, the size of the private key for RSA cryptography is
2,048 bits.
-eccsigalg signature-algorithm-of-the-server-certificate-for-elliptic-curve-cryptography
Specifies the signature algorithm of the server certificate for elliptic curve cryptography. You can specify SHA512withECDSA, SHA384withECDSA, or SHA256withECDSA. If
you omit this option, the signature algorithm is SHA384withECDSA.
-ecckeysize size-of-the-private-key-for-elliptic-curve-cryptography
Specifies the size (in bits) of the private key for elliptic curve cryptography. You can specify 256 or 384. If you omit this option, the size of the private key for elliptic curve
cryptography is 384 bits.
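An added example (not part of this guide) that builds the dname argument for hcmds64ssltool or htmssltool using the escaping rules listed under the dname option of both commands, and refuses the SHA-1 signature algorithms that the tools still accept. The function names, the output directory, the sample host and OU values, and the 365-day validity are assumptions; rejecting a double quotation mark or backslash in attribute values is also a conservative assumption.

```shell
#!/bin/sh
# escape_dn_value VALUE
# Puts a backslash before + , ; < = >, before a leading space or '#', and
# before a trailing space. Returns 1 if VALUE contains '"' or '\'.
escape_dn_value() {
    case $1 in *'"'*|*'\'*) return 1 ;; esac
    printf '%s\n' "$1" | sed -e 's/[+,;<=>]/\\&/g' \
                             -e 's/^[ #]/\\&/' \
                             -e 's/\([^\\]\) $/\1\\ /'
}

# build_dname TYPE VALUE [TYPE VALUE ...]  ->  TYPE=escaped,TYPE=escaped,...
build_dname() {
    _dn=''
    while [ $# -ge 2 ]; do
        _val=$(escape_dn_value "$2") || return 1
        _dn="${_dn:+$_dn,}$1=$_val"
        shift 2
    done
    printf '%s\n' "$_dn"
}

# sigalg_status TOOL ALGORITHM  ->  ok | weak | invalid
# "weak" means the tool accepts the value but it is SHA-1 based.
sigalg_status() {
    case "$1:$2" in
        *:SHA1withRSA|hcmds64ssltool:SHA1withECDSA)            echo weak ;;
        *:SHA256withRSA|hcmds64ssltool:SHA512withRSA)          echo ok ;;
        *:SHA512withECDSA|*:SHA384withECDSA|*:SHA256withECDSA) echo ok ;;
        *)                                                     echo invalid ;;
    esac
}

# run_ssltool TOOL OUTDIR TYPE VALUE [TYPE VALUE ...]
# Runs TOOL if it is on PATH; otherwise prints the argument list for review.
# SIGALG and ECCSIGALG may override the algorithms; only "ok" ones are used.
run_ssltool() {
    _tool=$1 _out=$2; shift 2
    _rsa=${SIGALG:-SHA256withRSA} _ecc=${ECCSIGALG:-SHA384withECDSA}
    for _alg in "$_rsa" "$_ecc"; do
        [ "$(sigalg_status "$_tool" "$_alg")" = ok ] || {
            printf 'refusing %s for %s\n' "$_alg" "$_tool" >&2; return 1; }
    done
    _dname=$(build_dname "$@") || {
        printf '%s\n' 'DN value contains " or \' >&2; return 1; }
    set -- -key "$_out/httpsdkey.pem" -csr "$_out/httpsd.csr" \
           -cert "$_out/httpsd.pem" -certtext "$_out/httpsd.txt" \
           -validity 365 -dname "$_dname" \
           -sigalg "$_rsa" -keysize 4096 -eccsigalg "$_ecc" -ecckeysize 384
    if command -v "$_tool" >/dev/null 2>&1; then
        "$_tool" "$@"
    else
        printf 'would run: %s' "$_tool"; printf ' [%s]' "$@"; printf '\n'
    fi
}

# Constructed sample values; /path/to/ssl stands for an absolute output directory.
run_ssltool hcmds64ssltool /path/to/ssl CN analyzer01.example.com OU 'Storage, Ops'
```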
Execution Permission
Location
In Linux
This command is stored in the following directory on the Analyzer probe server:
/opt/jp1pc/htnm/bin/
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\htnm\bin\
Notes
For the common name (CN) included in the distinguished name (DN), specify the host name of the host where RAID Agent is installed. When specifying the CN, make sure that the host
name can be resolved in the hosts file or DNS of the server connected to RAID Agent.
Return values
Example
jpcinslist
Use the jpcinslist command to display the instance names that have been set up by the RAID Agent.
Format
jpcinslist agtd
Execution Permission
Location
In Linux
This command is stored in the following directory on the Analyzer probe server:
/opt/jp1pc/tools/
In Windows
RAID-Agent-installation-folder\raid_agent\jp1pc\tools\
Notes
If you have not created an instance, nothing is output when you run the command.
If you interrupt the command by using the Ctrl+C key or a signal, certain return values are not returned. Therefore, if you interrupt the command by using the Ctrl+C key or
a signal, ignore the return value.
Return values
Return value Description
0 The command ran normally.
1 The specified option is invalid.
5 The specified option is invalid.
10 The command is running in another session.
100 The RAID Agent environment is invalid.
102 The specified option is invalid.
200 Memory is insufficient.
210 There is not enough disk space.
211 The file or directory cannot be accessed.
230 The internal command could not be run.
255 An unexpected error occurred.
Example
jpcinslist agtd
reloadtemplate
Use this command during the startup of the Analyzer server to reload the template files.
The following table describes the types of template files that the command references, and the reference destination directories:
Format
reloadtemplate
-user user-ID
-passwordfile password-file
Arguments
user user-ID
Specify the Analyzer server user ID to use when running the command. The user must have the Admin or Modify permission for IAA.
passwordfile path-of-the-password-file
Specify the path to the password file of the user who is specified for the user option. Use the encryptpassword command to create the password file.
Location
Analyzer-server-installation-directory/Analytics/bin
Notes
To run this command, the Analyzer server service must already be running. If the Analyzer server service is not running, you do not have to run this command because the template
files are automatically read when the Analyzer server service starts.
Return values
5 Communication failed.
233 You do not have the necessary permissions to update the template file.
restoresystem
Use this command to restore the backup for Analyzer server settings information that you collected by running the backupsystem command.
Format
restoresystem
-dir backup-directory
-type {all | Analytics}
Options
dir backup-directory
Specify the directory in which the backup file is stored with the absolute or relative path.
all
Restores information for both the Analyzer server and the Common component.
Analytics
Location
Analyzer-server-installation-directory/Analytics/bin
Notes
When restoring the backup, the directory in which the backup file is stored requires at least 2 GB of free space.
When you run the restoresystem command, the extension .original is appended, for backup purposes, to the file name of the file in
Analyzer-server-installation-directory/Analytics/conf. This file is overwritten every time the restoresystem command is run. If a file with the .original extension exists before you run
the command and you want to save the file, change the file extension before using the command.
The settings for connecting to the Analyzer detail view server and those for connecting to Common Services are always restored. For this reason, if you are performing a
migration to a different host, manually reconfigure these settings after they are restored.
The following files are not restored by this command. If necessary, manually reset or relocate the files again.
backup-directory/HBase/base/conf/sec
backup-directory/HBase/base/httpsd.conf
The definition files are stored in the following locations in the environments where the files are restored:
security.conf
Common-component-installation-directory/conf/sec
user_httpsd.conf
Common-component-installation-directory/uCPSB11/httpsd/conf
In addition, the settings for HTTPS connections are defined in the httpsd.conf file and the user_httpsd.conf file. Save each file to the storage destination directory.
Stop the service by running the hcmds64srv command with the stop option. The service to stop depends on the type option.
You must stop not only the service of Analyzer server, but also the services of the products that use Common component.
You must stop the service only for the Analyzer server.
Make sure that the following information is the same between the environment where the backup was collected and the environment where the information was restored:
Version of Analyzer server
Installation directory of Analyzer server
If you are performing the restore as part of the procedure for migrating the system to a different host name, the installation directories on the backup source host and
restore destination host do not need to match.
When products that use Common component are installed on the Analyzer server, if you do a system restore with all specified in the type option, the definition information for
Common component is also restored. In this case, an inconsistency might occur in the definition information between the products that use Common component and
Common component itself. Therefore, if products that use Common component are installed on the Analyzer server of the restore destination, do a system restore by using
one of the following procedures:
To restore data for products that use Common component, in addition to Analyzer server data
1. Run the system restore command for the product that uses Common component.
2. Specify type Analytics for the restoresystem command of Analyzer server, and then run the command.
To restore only user information, in addition to Analyzer server data
1. Specify type Analytics for the restoresystem command of Analyzer server, and then run the command.
2. Update the user management information.
To restore data only for the Analyzer server
1. Specify type Analytics for the restoresystem command of Analyzer server, and then run the command.
Return values
Example
The following example shows the use of this command to restore information only for the Analyzer server:
setupcommonservice
Use this command to register Analyzer with Common Services. This command also updates the Analyzer information that is registered in Common Services. This command requires
a secure connection between Common Services and Analyzer. See the Hitachi Ops Center Installation and Configuration Guide for more information.
Format
setupcommonservice
-csUri Common-Services-URL
[-csUsername Common-Services-username]
[-appHostname Analyzer-server-host-name-or-IP-address]
[-appPort Analyzer-server-port]
[-appName product-name-to-display-in-the-portal]
[-appDescription description-to-display-in-the-portal]
[-auto]
setupcommonservice
[-csUri Common-Services-URL
-csUsername Common-Services-username]
[-appHostname Analyzer-server-host-name-or-IP-address]
[-appPort Analyzer-server-port]
[-appName product-name-to-display-in-the-portal]
[-appDescription description-to-display-in-the-portal]
[-auto]
setupcommonservice -help
Options
csUri Common-Services-URL
Specify the Common Services URL (URL for Ops Center Portal).
csUsername Common-Services-username
Specify a username with Security Admin or System Admin role for Common Services. Enter the password in response to the prompt.
If you omit this option, you can enter a Common Services username in response to the prompt.
appHostname Analyzer-server-host-name-or-IP-address
appPort Analyzer-server-port
appName product-name-to-display-in-the-portal
If this option is omitted during the registration of a new instance, the host name or IP address of the Analyzer server is set.
appDescription description-to-display-in-the-portal
auto
help
Location
Analyzer-server-installation-directory/Analytics/bin
Notes
If you run this command without specifying the auto option, you must restart the product by running the hcmds64srv command on the host where you ran the setupcommonservice
command.
Return values
5 Communication failed.
6 Authentication failed.
Example
setupcommonservice -csUri https://myopscenter.com:443/portal -appHostname myanalyzer.com -appName Analyzer_B -appDescription "For managing site B" -auto
setupcommonservice -csUri https://myopscenter2.com:443/portal -csUsername sysadmin -appHostname myanalyzer.com -appName Analyzer_B -appDescription "For managing site B" -auto
Note: After running the command, delete the Analyzer information from the original Ops Center Portal.
If the host name of the Common Services instance in which Analyzer is registered was changed to US_opscenter.com:
To change the Analyzer server host name that is registered in Common Services to myanalyzer2.com:
Format
key-name=value
Location
Analyzer-server-installation-directory/Analytics/conf
The definitions are applied when the HAnalytics Engine Web Service starts.
Content to be specified
Specify each key name and its value on one line. When defining the user-specified properties file, note the following points:
If you specify an invalid value, the KNAQ02022-W message is output to the integrated trace logs and public logs, and the default value is used.
If you specify the same key more than once in the same file, the last specification takes effect.
Note:
Set the threshold monitoring period as an integer multiple of the data collection interval.
Starting with version 10.9.3, part of the key names to be specified in the config_user.properties file changed from dynamicThreshold to threshold. You can still use
the old key names in version 10.9.3 and later. If both the old and new key names are specified in the config_user.properties file, the value set by the new key name will
be applied.
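An added example (not part of this guide) that lints a config_user.properties file before the service is restarted, applying two rules stated above: the last duplicate key wins, and an invalid value falls back to the default. The function names and the sample file are constructed, the ranges and defaults are the integer keys from the Settings table, and lines are read literally as key-name=value because this page does not describe comment or whitespace handling.

```shell
#!/bin/sh
# Integer keys from the Settings table: key, minimum, maximum, default.
SPEC='logger.message.server.MaxBackupIndex 1 16 7
logger.message.server.MaxFileSize 4 2097151 10240
logger.message.command.MaxBackupIndex 1 16 7
logger.message.command.MaxFileSize 4 2097151 1024
dynamicThreshold.minimumDataN 1 2147483647 150
dynamicThreshold.margin.Severe.plus 0 2147483647 1
dynamicThreshold.margin.Severe.rate 0 100 1
dynamicThreshold.margin.Normal.plus 0 2147483647 5
dynamicThreshold.margin.Normal.rate 0 100 5'

# lint_properties FILE
# Prints one line per known key: KEY=EFFECTIVE_VALUE followed by a note when
# the key is unset, duplicated, or invalid (the case in which the guide says
# KNAQ02022-W is logged and the default is used).
lint_properties() {
    printf '%s\n' "$SPEC" | awk '
        NR == FNR { min[$1] = $2; max[$1] = $3; def[$1] = $4; order[++n] = $1; next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            if (k in val) dup[k] = 1
            val[k] = substr($0, eq + 1)      # a later line replaces an earlier one
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                note = (k in dup) ? " (duplicate key, last value kept)" : ""
                if (!(k in val))
                    print k "=" def[k] " (not set, default)"
                else if (val[k] ~ /^[0-9]+$/ && val[k] + 0 >= min[k] + 0 && val[k] + 0 <= max[k] + 0)
                    print k "=" val[k] note
                else
                    print k "=" def[k] " (invalid value \"" val[k] "\", default used)" note
            }
        }
    ' - "$1"
}

# effective_value FILE KEY  ->  the value that ends up in effect for KEY
effective_value() {
    lint_properties "$1" | awk -F'[= ]' -v k="$2" '$1 == k { print $2 }'
}

# Constructed sample file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
logger.message.server.MaxBackupIndex=20
logger.message.command.MaxFileSize=2048
logger.message.command.MaxFileSize=4096
dynamicThreshold.margin.Severe.rate=50
EOF
lint_properties "$sample"
rm -f "$sample"
```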
Settings
Category | Key name | Setting | Specifiable values | Default value | Corresponding Analyzer metric
Public logs | logger.sysloglevel | Specify a threshold value for outputting syslog. | 0, 10 | 0 | --
Public logs | logger.message.server.MaxBackupIndex | Maximum number of log backup files for the server. | 1 to 16 | 7 | --
Public logs | logger.message.server.MaxFileSize | Maximum size of log files for the server. (unit: KB) | 4 to 2,097,151 | 10240 | --
Public logs | logger.message.command.MaxBackupIndex | Maximum number of log backup files for commands. | 1 to 16 | 7 | --
Public logs | logger.message.command.MaxFileSize | Maximum size of log files for commands. (unit: KB) | 4 to 2,097,151 | 1024 | --
Dynamic threshold values (parameters) | dynamicThreshold.calculateTime | Time when the calculation of dynamic threshold values starts. | 00:00:00 to 23:59:59 | 00:00:00 | --
Dynamic threshold values (parameters) | dynamicThreshold.startLatencyDay | Period (unit: days) for which to check the number of performance values that are required to start the calculation of dynamic threshold values. | Single-byte numerals and commas (,) | 1, 3, 7, 14 | --
Dynamic threshold values (parameters) | dynamicThreshold.minimumDataN | Specify the minimum number of performance values that is required to start the calculation of dynamic threshold values. | 1 to 2,147,483,647 | 150 | --
Dynamic threshold values (margin) | dynamicThreshold.margin.Severe.plus | Specify the margin for addition when the value of Margin is Severe. | 0 to 2,147,483,647 | 1 | --
Dynamic threshold values (margin) | dynamicThreshold.margin.Severe.rate | Specify the margin for multiplication (unit: %) when the value of Margin is Severe. | 0 to 100 | 1 | --
Dynamic threshold values (margin) | dynamicThreshold.margin.Normal.plus | Specify the margin for addition when the value of Margin is Normal. | 0 to 2,147,483,647 | 5 | --
Dynamic threshold values (margin) | dynamicThreshold.margin.Normal.rate | Specify the margin for multiplication (unit: %) when the value of Margin is Normal. | 0 to 100 | 5 | --
--
dynamicThreshold.margi Specify the margin for 0 to 2,147,483,647 10
n.Rough.plus addition when the value of
Margin is Rough.
--
dynamicThreshold.margi Specify the margin for 0 to 100 10
n.Rough.rate multiplication (unit: %) when
the value of Margin is Rough.
SW_ACCESSPATHUSAGE
.numb Access Path Usage (CHA
erInPeriod.period ESW) metric.
metric.
| Category | Key name | Setting | Specifiable values | Default value | Corresponding Analyzer metric |
| | threshold.alertCondition.VSSB_VOLUME_VSSBVOLUME_READIOPS.numberInPeriod.number | Specify the number of times that a spike exceeds a threshold to issue an event of the VSP One SDS Block Read IOPS (VSP One SDS Block Volume) metric during the threshold monitoring period. | 1 to the number of samples during the period | 2 | VSP One SDS Block Read IOPS (VSP One SDS Block Volume) |
| | threshold.alertCondition.VSSB_VOLUME_VSSBVOLUME_READRESPONSETIME.numberInPeriod.number | Specify the number of times that a spike exceeds a threshold to issue an event of the VSP One SDS Block Read Response Time (VSP One SDS Block Volume) metric during the threshold monitoring period. | 1 to the number of samples during the period | 2 | VSP One SDS Block Read Response Time(VSP One SDS Block Volume) |
| | threshold.alertCondition.VSSB_VOLUME_VSSBVOLUME_READTRANSFERRATEINMIB.numberInPeriod.number | Specify the number of times that a spike exceeds a threshold to issue an event of the VSP One SDS Block Read Transfer Rate (VSP One SDS Block Volume) metric during the threshold monitoring period. | 1 to the number of samples during the period | 2 | VSP One SDS Block Read Transfer Rate(VSP One SDS Block Volume) |
| | threshold.alertCondition.VSSB_VOLUME_VSSBVOLUME_WRITEIOPS.numberInPeriod.number | Specify the number of times that a spike exceeds a threshold to issue an event of the VSP One SDS Block Write IOPS (VSP One SDS Block Volume) metric during the threshold monitoring period. | 1 to the number of samples during the period | 2 | VSP One SDS Block Write IOPS (VSP One SDS Block Volume) |
| | threshold.alertCondition.VSSB_VOLUME_VSSBVOLUME_WRITERESPONSETIME.numberInPeriod.number | Specify the number of times that a spike exceeds a threshold to issue an event of the VSP One SDS Block Write Response Time (VSP One SDS Block Volume) metric during the threshold monitoring period. | 1 to the number of samples during the period | 2 | VSP One SDS Block Write Response Time (VSP One SDS Block Volume) |
| | threshold.alertCondition.VSSB_VOLUME_VSSBVOLUME_WRITETRANSFERRATEINMIB.numberInPeriod.number | Specify the number of times that a spike exceeds a threshold to issue an event of the VSP One SDS Block Write Transfer Rate (VSP One SDS Block Volume) metric during the threshold monitoring period. | 1 to the number of samples during the period | 2 | VSP One SDS Block Write Transfer Rate (VSP One SDS Block Volume) |
| Category | Key name | Setting | Specifiable values | Default value | Corresponding Analyzer metric |
| Security | cert.verify.enabled | Specify whether to enable the verification of a server certificate. | true or false | false | -- |
| | ssl.ClientCipherSuites | Specify the TLS cipher suites used for SSL communication from the Analyzer server to the communication destination. | Names of cipher suites that can be used for TLS 1.2 or TLS 1.3. Add cipher suites to the end of the list, using commas to separate the values. | TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 | -- |
| | ssl.ClientProtocol | Specify the TLS version used for SSL communication from the Analyzer server to the communication destination. | TLSv1.3 or TLSv1.2 or TLSv1.3, TLSv1.2 | TLSv1.3, TLSv1.2 | -- |
| Controlling resources by using Storage I/O controls feature | automation.parameter.productName | Specify the name that was set for Category in the Web Service Connections window of Ops Center Automator. | A value from 1 to 32 characters, using only single-byte alphanumeric characters, underscores (_), periods (.), and hyphens (-) | Analytics | -- |
| | automation.parameter.serviceName.ioControl.modify | Specify the service name that was set when the service was created by using the service template "Modify IO Control Settings for Volume" in Ops Center Automator. | A value from 1 to 128 characters | Modify IO Control Settings for Volume | -- |
| | automation.parameter.serviceName.ioControl.delete | Specify the service name that was set when the service was created by using the service template "Delete IO Control Settings for Volume" in Ops Center Automator. | A value from 1 to 128 characters | Delete IO Control Settings for Volume | -- |
| | iocontrol.history.maxcount | Specify the maximum number of log entries to be retained for I/O control tasks. | 30 to 10,000 | 5000 | -- |
| | iocontrol.cmd.parameterFile.maxCount | Specify the maximum number of files that are used as the parameter file for I/O controls by using script files. | 1 to 5,000 | 100 | -- |
| | iocontrol.cmd.parameterFile.minRetention.minute | Specify the minimum retention of files that are used as the parameter file for I/O controls by using script files. | 1 to 14,400 | 5 | -- |
| Event | event.maxcount* | Specify the maximum number of events. | 1 to 1,000,000 | 100000 | -- |
| | event.retentionperiod.hour* | Specify the retention period for events. | 1 to 2,880 | 336 | -- |
* If you set a value greater than the default value, the amount of memory used by Analyzer server increases.
Examples
logger.sysloglevel = 0
logger.message.server.MaxBackupIndex = 7
logger.message.server.MaxFileSize = 10240
logger.message.command.MaxBackupIndex = 7
logger.message.command.MaxFileSize = 1024
dynamicThreshold.calculateTime = 00:00:00
dynamicThreshold.startLatencyDay = 1, 3, 7, 14
dynamicThreshold.minimumDataN = 150
dynamicThreshold.margin.Severe.plus = 1
dynamicThreshold.margin.Severe.rate = 1
dynamicThreshold.margin.Normal.plus = 5
dynamicThreshold.margin.Normal.rate = 5
dynamicThreshold.margin.Rough.plus = 10
dynamicThreshold.margin.Rough.rate = 10
threshold.alertCondition.RAID_VOLUME_RAIDLDEV_TRANSFERRATE.numberInPeriod.number = 2
threshold.alertCondition.RAID_VOLUME_RAIDLDEV_TRANSFERRATE.numberInPeriod.period = 10
cert.verify.enabled = false
automation.parameter.productName = Analytics
automation.parameter.serviceGroupName = Analytics Service Group
automation.parameter.serviceName.ioControl.modify = Modify IO Control Settings for Volume
automation.parameter.serviceName.ioControl.delete = Delete IO Control Settings for Volume
iocontrol.history.maxcount = 5000
iocontrol.cmd.parameterFile.maxCount = 100
iocontrol.cmd.parameterFile.minRetention.minute = 5
event.maxcount = 100000
event.retentionperiod.hour = 336
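Because an invalid value is silently replaced by its default and a repeated key is resolved by position, a config_user.properties file can be reviewed before the HAnalytics Engine Web Service is restarted. The following linter is an added example, not part of the product or of this guide; it covers only a subset of the keys in the Settings table, and the '#' comment handling, the strict match on true, and the flagging of TLS_RSA_WITH_* suites are assumptions of this example.

```python
import re

# Subset of the Settings table above: key -> (minimum, maximum, default).
INT_RANGES = {
    "logger.message.server.MaxBackupIndex": (1, 16, 7),
    "iocontrol.history.maxcount": (30, 10_000, 5000),
    "event.maxcount": (1, 1_000_000, 100000),
    "event.retentionperiod.hour": (1, 2_880, 336),
}
# Default value of ssl.ClientCipherSuites as listed in the table.
DEFAULT_SUITES = (
    "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
)

def parse_properties(text):
    """Return (settings, duplicates); the last specification of a key wins."""
    settings, duplicates = {}, []
    for line in text.splitlines():
        line = line.strip()
        # Assumption of this example: blank and '#' comment lines are skipped.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            duplicates.append(key)
        settings[key] = value
    return settings, duplicates

def audit(text):
    """Return (key, finding) tuples that a reviewer should look at."""
    settings, duplicates = parse_properties(text)
    findings = [(key, "specified more than once; the last value takes effect")
                for key in duplicates]
    for key, (low, high, default) in INT_RANGES.items():
        value = settings.get(key)
        if value is not None and not (
                re.fullmatch(r"[0-9]+", value) and low <= int(value) <= high):
            findings.append((key, f"invalid value {value!r}; default {default} is used"))
    # Strict check (assumption): only the literal "true" counts as enabled.
    if settings.get("cert.verify.enabled", "false") != "true":
        findings.append(("cert.verify.enabled", "server certificate verification is off"))
    for suite in settings.get("ssl.ClientCipherSuites", DEFAULT_SUITES).split(","):
        if suite.strip().startswith("TLS_RSA_WITH_"):
            findings.append(("ssl.ClientCipherSuites",
                             f"{suite.strip()}: static RSA key exchange, no forward secrecy"))
    return findings

# Constructed sample file, not taken from a real installation.
SAMPLE = """\
logger.message.server.MaxBackupIndex = 32
event.maxcount = 2000000
event.maxcount = 50000
cert.verify.enabled = false
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A file that leaves cert.verify.enabled and ssl.ClientCipherSuites unset is reported as well, because the documented defaults (false, and a list that ends with two TLS_RSA_WITH_* suites) then apply.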
Analyzer server audit events that are output to the audit log
In Analyzer server, the following categories of audit events are output to the audit log:
StartStop
ExternalService
Authentication
ConfigurationAccess
Each audit event is assigned a severity level. You can filter the audit log data to be output according to the severity levels of events.
The following four tables describe, for each type, the audit events that are output to the audit log by the Analyzer server.
For details on the audit log data generated by other products that use the Common component, see the manuals for the relevant products.
The following table describes the audit events when the type is StartStop.
The following table describes the audit events when the type is ExternalService.
| Communication with the external authentication server | Successful communication with the LDAP directory server | 6 | KAPM10116-I |
| Authentication with an external authentication server | Successful TLS negotiation with the LDAP directory server | 6 | KAPM10124-I |
| | Failed authentication of the user for an information search on the LDAP directory server | 3 | KAPM10127-W |
| User authentication on an external authentication server | Successful user authentication on the LDAP directory server | 6 | KAPM10128-I |
| Acquisition of information from an external authentication server | Successful acquisition of user information from the LDAP directory server | 6 | KAPM10135-I |
| | Failed acquisition of user information from the LDAP directory server | 3 | KAPM10136-E |
| | Successful acquisition of the SRV record from the DNS server | 6 | KAPM10137-I |
| | Failed acquisition of the SRV record from the DNS server | 3 | KAPM10138-E |
| An action defined in the command definition file | Success of an action defined in the command definition file | 6 | KNAQ38058-I |
| Connection to the Analyzer detail view server | Successful connection to the Analyzer detail view server | 6 | KNAQ38064-I |
| Configuration of I/O control settings for a storage system | Successful configuration of I/O control settings for a storage system | 6 | KNAQ38068-I |
The following table describes the audit events when the type is Authentication.
| Automatic account lock | Automatic account lock (repeated authentication failure or expiration of account) | 4 | KAPM02292-W |
The following table describes the audit events when the type is ConfigurationAccess.
(GUI)
Failed user registration 3 KAPM07237-E
KAPM07238-E
KAPM07240-E
(GUI)
Failed single user deletion 3 KAPM07240-E
Password change Failed authentication processing for verifying old password 3 KAPM07239-E
Failed change of login user's own password (from the user's own window) 3 KAPM07240-E
(GUI)
Failed addition of an authorization group 3 KAPM07248-E
(GUI)
Failed deletion of one authorization group 3 KAPM07248-E
| Database backup or restore | Successful backup using the hcmds64backups command or the hcmds64db command | 6 | KAPM05561-I |
| Authentication data input/output | Successful data output using the hcmds64authmove command | 6 | KAPM05832-I |
| Update of the mail server settings | Successful update of the mail server settings | 6 | KNAQ38000-I |
| Settings for resources to be allocated to a threshold profile | Successful configuration of settings for resources to be allocated to a threshold profile | 6 | KNAQ38016-I |
| Settings for dynamic threshold values | Successful configuration of settings for dynamic threshold values | 6 | KNAQ38018-I |
| Settings for resources to be allocated to a consumer | Successful configuration of settings for resources to be allocated to a consumer | 6 | KNAQ38026-I |
| Change to the status of email address information | Successful change to the status of email address information | 6 | KNAQ38034-I |
| Settings for a condition profile to be allocated to email address information | Successful configuration of settings for a condition profile to be allocated to email address information | 6 | KNAQ38036-I |
| Settings for notification email addresses to be allocated to a condition profile | Successful configuration of settings for notification email addresses to be allocated to a condition profile | 6 | KNAQ38044-I |
| Update of resource allocation rules | Successful update of resource allocation rules | 6 | KNAQ38048-I |
| Priority of resource allocation rules | Successful change to the priority of resource allocation rules | 6 | KNAQ38052-I |
| Allocation of resources to a threshold profile based on the resource allocation rules | Successful allocation of resources to a threshold profile based on the resource allocation rules | 6 | KNAQ38054-I |
| Update of information about conditions of the resource allocation rules | Successful update of information about conditions of the resource allocation rules | 6 | KNAQ38056-I |
| Update of connection settings for the Analyzer detail view server | Successful update of connection settings for the Analyzer detail view server | 6 | KNAQ38066-I |
| | Failed update of connection settings for the Analyzer detail view server | 3 | KNAQ38067-E |
| Update of the status of I/O control configuration tasks for a storage system | Successful update of the status of I/O control configuration tasks for a storage system | 6 | KNAQ38070-I |
| | Failed update of the status of I/O control configuration tasks for a storage system | 3 | KNAQ38071-E |
| Update of the connection settings for Ops Center Automator | Successful update of the connection settings for Ops Center Automator | 6 | KNAQ38074-I |
| | Failed update of the connection settings for Ops Center Automator | 3 | KNAQ38075-E |
| Deletion of the connection settings for Ops Center Automator | Successful deletion of the connection settings for Ops Center Automator | 6 | KNAQ38076-I |
| | Failed deletion of the connection settings for Ops Center Automator | 3 | KNAQ38077-E |
| Deletion of the predictive history | Successful deletion of the predictive history | 6 | KNAQ38090-I |
| Update of the status of the predictive history | Successful update of the status of the predictive history | 6 | KNAQ38092-I |
Notes:
1. If an account is locked because the authentication method was changed for a user whose password is not set, this information is not recorded in the audit log.
2. If an account is unlocked because a password was set for a user, this information is not recorded in the audit log.