santinel_ug rootsan technologies pvt ltd

8/6/2019 SANtinel_UG Rootsan technologies Pvt Ltd

1/46

Hitachi SANtinel for z/OS user guide

Part number: HITA744-96002Second edition: March 2006


2/46

Legal and notice information

Copyright 2005, 2006 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212,Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Governmentunder vendors standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the expresswarranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shallnot be liable for technical or editorial errors or omissions contained herein.

Adobe and Acrobat are trademarks of Adobe Systems Incorporated.

Hitachi Data Systems is a registered trademark and service mark of Hitachi, Ltd., and the Hitachi Data Systems design mark is a trademark andservice mark of Hitachi, Ltd.

Hitachi Freedom Storage and Lightning 9900 are trademarks of Hitachi Data Systems Corporation.

DFSMS, DFSMS/MVS, IBM, OS/390 and S/390 are registered trademarks of International Business Machines Corporation.

Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.

Solaris is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries.

HP-UX is a product name of Hewlett-Packard Company.

Netscape Navigator is a registered trademark of Netscape Communications Corporation in the United States and other countries.

All other brand or product names are or may be trademarks or service marks of and are used to identify products or services of their respectiveowners.

SANtinel for z/OS user guide


3/46

SANtinel for z/OS user guide 3

About this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Intended audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Firmware versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Related documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Document conventions and symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8HP technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Subscription service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Helpful web sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1 SANtinel for the XP12000/XP10000/XP1024/XP128. . . . . . . . . . . . . . . . . . . . . . . . . 11Overview of SANtinel Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Protecting Logical Volumes from I/O Operations at Mainframe Hosts. . . . . . . . . . . . . . . . . . . . . . . . . 11

Enabling Only the Specified Hosts to Access Logical Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Prohibiting All Hosts from Accessing Logical Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Protecting Logical Volumes from Erroneous Remote Copy Operations. . . . . . . . . . . . . . . . . . . . . . . . . 14Restrictions and Cautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Volume emulation types (or device emulation types) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14PCB types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Maximum possible number of security groups, host groups, and LDEV groups . . . . . . . . . . . . . . 15TrueCopy (TC390) or ShadowImage (SI390) users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15CVS volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15HPAV users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Removing secured logical volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Removing PCBs with secured ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Starting SANtinel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16To access SANtinel: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

SANtinel Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Security Group tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Hosts table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17LDEVs table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Applying and Disabling Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Enabling Only the Specified Hosts to Access Logical Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Creating a Host Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18To create a host group:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Registering Hosts in a Host Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19To register hosts in a host group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Registering Ports in a Host Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20To register ports in a host group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Creating an LDEV Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21To create an LDEV group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Registering Logical Volumes in an LDEV Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

To register logical volumes in an LDEV group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Creating a Security Group for Use As an Access Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

To create a security group and classify the group as an access group: . . . . . . . . . . . . . . . . . . . 23Registering a Host Group and an LDEV Group in a Security Group. . . . . . . . . . . . . . . . . . . . . . . . 24

To register a host group and an LDEV group into a security group: . . . . . . . . . . . . . . . . . . . . . 24Prohibiting All Hosts from Accessing Logical Volumes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Creating a Security Group for Use As a Pool Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25To create a security group and classify the group as a pool group: . . . . . . . . . . . . . . . . . . . . . 25

Registering an LDEV Group in a Security Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

To register an LDEV group into a security group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Contents


4/46

4

Protecting Logical Volumes from Remote Copy Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27To make logical volumes in a security group unusable as secondary volumes: . . . . . . . . . . . . . . 27

Disabling Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28To disable security on logical volumes: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Editing Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Editing Security Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Unregistering a Host Group from a Security Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29To unregister a host group from a security group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Unregistering an LDEV Group from a Security Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

To unregister the LDEV group from a security group:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Renaming Security Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29To rename a security group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Deleting Security Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30To delete a security group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Editing Host Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Registering Hosts to be Attached to the Disk Array . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

To register a mainframe host to be attached into a host group: . . . . . . . . . . . . . . . . . . . . . . . . 31Deleting Hosts from Host Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

To delete hosts from a host group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Deleting Ports from Host Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

To delete ports from a host group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Renaming Host Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33To rename a host group:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Deleting Host Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

To delete a host group:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Editing LDEV Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Deleting Logical Volumes from LDEV Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34To delete logical volumes from an LDEV group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Renaming LDEV Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35To rename an LDEV group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Deleting LDEV Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35To delete an LDEV group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Viewing Security Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Finding Logical Volumes in a Specified Security Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

To find logical volumes in a specified security group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Finding Security Groups that Contains a Specified Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

If the host is displayed in the Hosts table: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37If the host is not displayed in the Hosts table:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Finding Ports Through which Hosts Can Access Logical Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37To find the ports through which a host can access logical volumes: . . . . . . . . . . . . . . . . . . . . . 38

Finding Logical Volumes in the Security Group that Contains a Specified Host . . . . . . . . . . . . . . . . . . 38If the host is displayed in the Hosts table: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38If the host is not displayed in the Hosts table:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Finding Security Groups that Contain a Specified Logical Volume . . . . . . . . . . . . . . . . . . . . . . . . . . . 39If the logical volume is displayed in the LDEVs table: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39If the logical volume is not displayed in the LDEVs table: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Finding Hosts in the Security Group that Contains a Specified Logical Volume . . . . . . . . . . . . . . . . . . 40If the logical volume is displayed in the LDEVs table: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40If the logical volume is not displayed in the LDEVs table: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Finding Security Groups that Contain a Specified Host Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41To find security groups in which the specified host group is registered: . . . . . . . . . . . . . . . . . . . 41

Finding Security Groups that Contain a Specified LDEV Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41To find security groups in which the specified LDEV group is registered: . . . . . . . . . . . . . . . . . . 41

General SANtinel Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42To find the cause of the error: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45


5/46


6/46


7/46


About this guideThis guide provides information about the following:

Overview of SANtinel Operations on page 11 Starting SANtinel on page 16 Applying and Disabling Security on page 18

Editing Security Settings on page 29 Viewing Security Settings on page 36 General SANtinel Troubleshooting on page 42

Intended audienceThis guide is intended for customers and HP-authorized service providers with knowledge of the following:

Disk array hardware and software Data processing and RAID storage subsystems and their basic functions

NOTE: The functions described in this manual may be limited, depending on your assigned level of user

access. Some users will have read-only access while others will have limited or full array access. Foradditional information on users and user groups, please see theHP StorageWorks XP Remote Web Console user guide .

PrerequisitesPrerequisites for using this product include:

Installation of the HP StorageWorks disk array(s) Installation of the license key for this product

Firmware versionsThe recommended firmware versions shown inTable 1 provide the optimal level of support for the featuresprovided with this product. Older firmware versions can be used; however, product features enabled withnewer firmware will not appear.

requisites for using this product include:Related documentation

In addition to this guide, please refer to other documents for this product:

HP StorageWorks XP Remote Web Console user guide for XP12000/XP10000 HP StorageWorks XP Remote Web Console user guide for XP1024/XP128 Hitachi TrueCopy for z/OS user guide Hitachi ShadowImage for z/OS user guide

You can find these documents athttp://www.hp.com/support/rwc/manuals

Table 1 Recommended and minimum firmware versions

XP disk array Minimum Recommended

XP12000 50-05-46-00/00 or later 50-06-xx-00/00 or later

XP10000 50-05-46-00/00 or later 50-06-xx-00/00 or later

XP1024/XP128 21-14-14-00/00 or later 21-14-18-00/00 or later
http://www.hp.com/support/rwc/manuals/http://www.hp.com/support/rwc/manuals/


8/46

8

Document conventions and symbols

CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.

IMPORTANT:Provides clarifying information or specific instructions.

NOTE: Provides additional information.

TIP: Provides helpful hints and shortcuts.

HP technical supportTelephone numbers for worldwide technical support are listed on the HP support web site:http://www.hp.com/support/ .

Collect the following information before calling:

Technical support registration number (if applicable) Product serial numbers Product model names and numbers Applicable error messages Operating system type and revision level Detailed, specific questions

For continuous quality improvement, calls may be recorded or monitored.

Subscription serviceHP strongly recommends that customers register online using the Subscribers choice web site athttp://www.hp.com/go/e-updates .

Table 2 Document conventions

Convention Element

Blue text:Table 1 Cross-reference links and e-mail addresses

Blue, underlined text: (http://www.hp.com ) Web site addresses

Bold text Keys that are pressed Text typed into a GUI element, such as a box GUI elements that are clicked or selected, such as

menu and list items, buttons, and check boxes

Italic text Text emphasis

Monospace text File and directory names System output Code Commands, their arguments, and argument values

Monospace, italic text Code variables Command variables

Monospace, bold text Emphasized monospace text
http://www.hp.com/support/http://www.hp.com/go/e-updates/http://www.hp.com/go/e-updates/http://www.hp.com/support/


9/46


Subscribing to this service provides you with e-mail updates on the latest product enhancements, newestdriver versions, and firmware documentation updates as well as instant access to numerous other productresources.

After subscribing, locate your products by selectingBusiness supportand then Storage under ProductCategory.

Helpful web sitesFor additional information, see the following HP web sites:

http://www.hp.com http://www.hp.com/go/storage http://www.docs.hp.com http://www.hp.com/support/rwc/manuals
http://www.hp.com/http://www.hp.com/go/storage/http://www.docs.hp.com/http://www.hp.com/support/rwc/manuals/http://www.hp.com/go/storage/http://www.hp.com/http://www.hp.com/support/rwc/manuals/http://www.docs.hp.com/


10/46


11/46


1 SANtinel for theXP12000/XP10000/XP1024/XP128SANtinel protects data in your disk array from I/O operations performed at mainframe hosts. You can useSANtinel to apply security to logical volumes so that the specified mainframe hosts will be unable to readfrom and write to the specified logical volumes. You can also use SANtinel to prevent data on logicalvolumes from being overwritten by erroneous remote copy operations.

SANtinel can be used in conjunction with an add-in program called SANtinel Port Security Option, whichprovides port-level security by preventing hosts from accessing logical volumes through specified ports.

Port-level security is a security policy for enabling hosts to access logical volumes only through portsregistered in host groups and thus prohibiting hosts to access the volumes through other ports.

NOTE: Logical volumes are sometimes referred to as logical devices or LDEVs. Also, this guide sometimesuses the term LDEV security to refer to the security policy that you can apply to logical volumes.

Overview of SANtinel OperationsSystem Requirements

To use SANtinel, you need the following:

XP12000/XP10000/XP1024/XP128 firmware version (see Firmware versions on page 7 ) Web client to access the Command View XP management station or XP Remote Web Console SANtinel license key installed

To apply port-level security, also install SANtinel Port Security Option. Before installing this program,SANtinel must already be installed.

Protecting Logical Volumes from I/O Operations at Mainframe Hosts

Use SANtinel to protect logical volumes from unauthorized accesses by mainframe hosts. To protect logicalvolumes from unauthorized accesses, you must createsecurity groupsand then register mainframe hostsand/or logical volumes in security groups. Security groups are classified intoaccess groups or pool groups. If you want to allow some mainframe hosts to access logical volumes, you must classify the securitygroup as an access group. If you want to prohibit all mainframe hosts from access logical volumes, classifythe security group as a pool group.

Enabling Only the Specified Hosts to Access Logical VolumesIf you want to allow only some mainframe hosts in your network to access logical volumes, register themainframe hosts and the logical volumes in an access group. For example, if you register two hosts (host_A and host_B)and two logical volumes (vol_C and vol_D ) in an access group, only the host_Aand host_Bwill be able to access vol_C and vol_D . No other hosts will able to accessvol_C and vol_D .

If mainframe hosts are registered in an access group, the hosts will be able to access logical volumes in thesame access group, but will be unable to access other logical volumes. For example, if you register twohosts (host_Aand host_B) and two logical volumes (vol_C and vol_D ) in an access group, the host_Aandhost_Bcan access vol_C and vol_D , but cannot access other logical volumes.

To register hosts in an access group, create a host group, register the hosts in the host group, and thenregister the host group in the access group. To register logical volumes in an access group, create an LDEVgroup, register the logical volumes in the LDEV group, and then register the LDEV group in the accessgroup. An access group can only contain one host group and one LDEV group.

The following figure shows six mainframe hosts attached to a disk array, and two available access groups.The following security settings have been applied:


12/46

12 SANtinel for the XP12000/XP10000/XP1024/XP128

The logical volumesldev1 and ldev2 are accessible only fromhost1, host2 , and host3 because the twovolumes and the three hosts are registered in the same access group.

The logical volumeldev4 is accessible only fromhost4 because ldev4 and host4 are registered in thesame access group.

The logical volumeldev5 does not belong to any access groups. For this reason, hosts in access groupscannot access ldev5 . ldev5 is only accessible fromhost5 and host6, which are not registered in accessgroups.

Figure 1 Security example 1

Usually, hosts are connected to two or more ports by cables and have access to logical volumes through

these ports. In the previous security example, hosts in access groups can access logical volumes throughevery port to which the hosts are connected.

However, SANtinel Port Security Option prohibits hosts from accessing logical volumes through specifiedports. For example, if a host namedhost1 is connected to two ports (port1 and port2 ), you can permit thehost to access logical volumes throughport1 and prohibit the host from accessing logical volumes throughport2 . To implement port-level security, first determine which ports hosts can use to access logical volumes,and then you must register the ports in host groups. For example, if you registerhost1 and port1 in thesame host group named hg1 and then register hg1 in an access group, host1 can access logical volumethroughport1 but cannot access logical volumes throughport2 .

In security example 2, the following security settings have been applied:

The hostshost1, host2 , and host3 can access the logical volumesldev1 and ldev2 throughport1,

port2 , and port3. However, the hosts cannot access the logical volumes through other ports.


13/46


The hosthost4 can access the logical volumeldev4 throughport4. However, the host cannot access thelogical volume through other ports.


If no ports are registered in a host group, hosts in the host group can access logical volumes through theports to which the hosts are connected.

Before you apply security, confirm which hosts are performing I/O operations on logical volumes in accessgroups. If any hosts perform I/O operations on logical volumes in access groups that the hosts do notbelong to, stop the I/O operations before applying security. For example, if you attempt to apply securitysettings illustrated in the previous figure, an error occurs and the attempt fails ifhost4 and host5 areperforming I/O operations on ldev1. To apply the security settings, first ensure thathost4 and host5 arenot performing I/O operations on ldev1.

Prohibiting All Hosts from Accessing Logical VolumesTo prevent all the mainframe hosts from accessing logical volumes, register the logical volumes in apool group . You do not need to register hosts in pool groups. For example, if you register two logical volumes(vol_Aand vol_B) in a pool group, all the mainframe hosts connected to your disk array will be unable toaccess vol_Aand vol_B. To register logical volumes in a pool group, create an LDEV group, register thelogical volumes in the LDEV group, and then register the LDEV group in the pool group. A pool group canonly contain one LDEV group.


14/46


The following figure shows an example of a pool group. The logical volumes in this pool group are notaccessible from all the hosts.


Protecting Logical Volumes from Erroneous Remote Copy OperationsIf you use TrueCopy (TC390) or ShadowImage (SI390) to perform remote copy operations, data will beoverwritten onto the secondary volumes. If a volume containing important data is specified as a secondaryvolume by mistake, TC390 or SI390 remote copy operations can overwrite important data on the volumeand you could suffer loss of important data. SANtinel prevents this type of data loss. If a volume containsdata that should not be overwritten, you can prevent the volume from being used as a secondary volume.

NOTE: Secondary volumes are often referred to as remote volumes or R-VOLs inHitachi TrueCopy for z/OS user guide . Also, secondary volumes are referred to as target volumes or T-VOLs inHitachi ShadowImage for z/OS user guide .

Restrictions and CautionsDo not apply security to logical volumes on which any job is running. If you apply security to such avolume, the job will possibly end abnormally.

When applying security, please make sure that your security settings are correct. If incorrect securitysettings are made, the system will be difficult or impossible to control.

If the CPU of a mainframe host is upgraded after you apply security settings, execute the system commandD M=CPU at the mainframe host to obtain the latest information about the host. Next, use the latestinformation to update host information in the Add/Change Host window. If you do not update hostinformation, the system will be impossible to control.

Volume emulation types (or device emulation types)SANtinel supports the following volume emulation types: 3990-3, 3390-3A, 3390-3B, 3390-3C,3390-3R, 3390-9, 3390-9A, 3390-9B, 3390-9C, 3390-L, 3390-LA, 3390-LB, and 3390-LC.

PCB typesSANtinel supports the following PCB types:


15/46


ESCON or ACONARC FICON or FIBARC

Maximum possible number of security groups, host groups, and LDEV groupsSANtinel can manipulate up to 32 hosts and 8,192 logical volumes for one disk array. SANtinel cancreate up to 32 security groups, 32 host groups, and 32 LDEV groups for one disk array.

Security groups are classified into access groups and pool groups:

An access group can contain only one host group and one LDEV group. A host group can contain upto 16 hosts. An LDEV group can contain up to 8,192 logical volumes.

A pool group can contain only one LDEV group. An LDEV group can contain up to 8,192 logicalvolumes.

TrueCopy (TC390) or ShadowImage (SI390) users When you use SANtinel to make security settings, be sure to register the primary volume and thesecondary volume (such as, the copy source volume and the copy destination volume) in the same LDEVgroup. For information on how to register volumes in LDEV groups, refer toRegistering Logical Volumes inan LDEV Group on page 22 .

If you apply security to a primary volume of a TC390 pair or an SI390 pair, some or all mainframe hostsmight be unable to read from and write to the primary volume. However, the remote copy operation will

perform normally; data will copy from the primary volume to the secondary volume.If you register a primary volume or secondary volume in a security group and then make a setting toprevent the volume from being used as a secondary volume, this setting will take effect after the pair issplit.

Mainframe hosts cannot access logical volumes in pool groups. If a logical volume in a pool group isspecified as a primary volume, the pair creation command might fail.

In Hitachi TrueCopy for z/OS user guide , primary volumes are often referred to as M-VOLs or mainvolumes. Also, secondary volumes are often referred to as R-VOLs or remote volumes. InHitachi ShadowImage for z/OS user guide , primary volumes are often referred to as S-VOLs or source volumes.

Also, secondary volumes are often referred to as T-VOLs or target volumes.

CVS volumesIf you apply security to a CVS volume, you will be unable to change the CVS settings on the volume. Tochange the CVS settings, use SANtinel to disable security on the CVS volume. For details on how todisable security, refer toDisabling Security on page 28 .

HPAV usersIf you apply security to an HPAV base volume, the security settings will also apply to the correspondingalias volume.

Removing secured logical volumesIf you apply security to a logical volume, you will be unable to remove the volume. To remove the volume,disable security on the volume. For details on how to disable security, refer toDisabling Security onpage 28 .

Removing PCBs with secured portsIf port-level security is applied to your disk array, you cannot remove the PCBs (printed circuit boards) thatinclude secured ports. To remove PCBs that include secured ports, use SANtinel Port Security Option todisable security on the ports. For details on how to disable security, refer toDeleting Ports from HostGroups on page 32 .


16/46


Starting SANtinelTo access SANtinel:1. Click theMainframetab, click theMainframe Connectionbutton ( ), and then click theSANtineltab.

The SANtinel window is displayed.

Figure 4 SANtinel window

SANtinel WindowThe SANtinel window is the starting point for all the SANtinel operations.

Security Group treeThe Security Group tree is located on the left side of the window and displays a view a list of securitygroups, host groups, and LDEV groups. The tree contains the following folders:

Security Group: Contains all of the security groups. Double-clicking a security group displays the hostgroup and/or LDEV group registered in the security group.The security group icons show the security settings applied to the logical volumes.

Table 3 Security group icons for SANtinel operations

Icon Status

Logical volumes in this access group can be used as secondary volumes for remote copy operations.

Logical volumes in this access group cannot be used as secondary volumes for remote copyoperations.

Logical volumes in this pool group can be used as secondary volumes for remote copy operations.

Logical volumes in this pool group cannot be used as secondary volumes for remote copy operations.

The security settings in this security group are currently disabled.If you enable the security settings, this security group will be classified as an access group. Also,logical volumes in this security group can be used as secondary volumes for remote copy operations.


17/46


Host Group: Contains all of the host groups. LDEV Group: Contains all of the LDEV groups.

Changes made to the groups in the Security Group tree are displayed in italics and in blue. The text will berestored to the original typeface and color when changes are applied or canceled.Hosts tableThe Hosts table is located in the upper-right area of the window and displays information about the hosts.The table contents depends the item selected in the Security Group tree.

Click one of the group folders (Security Group, Host Group, or LDEV Group) to display all the hosts. Click a security group to display all the hosts that belong to the selected security group. Click a host group to display all the hosts that belong to the selected host group. Clicking an LDEV group displays nothing.

The table columns provide the following information:

Type/Model: The type and the model number of a host or a channel extender. SEQNUMBER: The node ID of a host or a channel extender. LPAR#: A logical partition number of a host. Vendor : The vendor of the host. For instance, this column can displayFJT(Fujitsu),IBM, HTC(Hitachi),

and CNT(Ex). IfCNT(Ex)is displayed, the table row indicates the type, the model number, and the nodeID of a channel extender.

Changes made to a host are displayed in italics and in blue. The text will be restored to the originaltypeface and color when changes are applied or canceled.

LDEVs tableThe LDEVs table is located in the lower-right area of the window and displays information about the logicalvolumes. CU#: Use this list to select a logical CU, which displays the logical volumes in the selected CU.

The table contents depends on the item selected in the Security Group tree.

Click one of the group folders (Security Group, Host Group, or LDEV Group) to display all the logicalvolumes that are accessible from the mainframe hosts.

Click a security group to display all the logical volumes that belong to the selected security group. Click an LDEV group to display all the logical volumes that belong to the selected LDEV group. Clicking a host group displays nothing.

The table columns provide the following information:

The security settings in this security group are currently disabled.If you enable the security settings, this security group will be classified as an access group. Also,logical volumes in this security group will be unavailable for use as secondary volumes for remote copyoperations.

The security settings in this security group are currently disabled.

If you enable the security settings, this security group will be classified as a pool group. Also, logicalvolumes in this security group will be available for use as secondary volumes for remote copyoperations.

The security settings in this security group are currently disabled.If you enable the security settings, this security group will be classified as a pool group. Also, logicalvolumes in this security group will be unavailable for use as secondary volumes for remote copyoperations.

Table 3 Security group icons for SANtinel operations (continued)

Icon Status


18/46


LDEV#: The logical volume ID. This ID is a hexadecimal number (00 to FF). Emulation: The emulation type of the logical volume. Attribute: The status of the logical volume. If an asterisk (*) is displayed, the logical volume is specified

as a secondary volume (copy destination) for TC390 or SI390. If a plus symbol (+) is displayed, one ormore LU paths are assigned to the logical volume.

Changes made to a logical volume are displayed in italics and in blue. The text will be restored to theoriginal typeface and color when changes are applied or canceled.

Buttons Apply button: Applies the settings made on this window to the disk array. Cancel button: Discards changes and restores the initial settings.

Applying and Disabling SecurityThis section contains the following topics about applying security settings:

Enabling specific hosts to access certain logical volumes (seepage 18 ) Prohibiting all hosts from accessing logical volumes (seepage 25 ) Preventing data in logical volumes from being overwritten by remote copy operations (seepage 27 ) Disabling security (seepage 28 )

You must operate Command View XP or XP Remote Web Console in Modify mode to perform SANtineloperations. Users in view mode can only view SANtinel information.

Enabling Only the Specified Hosts to Access Logical VolumesTake the following steps to allow specific hosts to access certain logical volumes so that the other hostscannot access the volumes:

Create a host group (see page 18 ) Register hosts in the host group (seepage 19 ) Register ports in the host group (seepage 20 ) Create an LDEV group (seepage 21 ) Register logical volumes in an LDEV group (seepage 22 ) Create a security group and classify it as an access group (see page 23 ) Register a host group and an LDEV group in the security group (seepage 24 )

Creating a Host GroupTo specify which hosts can access certain volumes, first create a host group.

To create a host group:1. From the SANtinel window, right-clickHost Group. A pop-up menu is displayed.


19/46


20/46


2. ClickSpecifyand then Hostfrom the pop-up menu. The Add/Change Host window displays a list ofhosts.

Figure 6 Add/Change Host window

3. Select and then right-click one or more hosts that you want to register.The or icon indicates that the host is already registered in the specified host group. You cannotregister hosts that belong to any other host group. If no ports are registered in the displayed host group,you can register the following hosts: Hosts that do not belong to any host group. Hosts belonging to host groups in which no ports are registered. You cannot register hosts

belonging to host groups in which ports are registered.4. ClickRegistrationand then Register Host in Host Groupfrom the pop-up menu. The specified hosts are

shown in blue and are represented with the or icon.5. ClickOK .6. From the SANtinel window, click Apply. A confirmation dialog box is displayed.7. Click Yes. The settings are applied to the disk array.

Registering Ports in a Host Group After registering hosts in a host group, you can register ports in the host group to implement port-levelsecurity. This is an optional step, but to do this, you must have SANtinel Port Security Option installed.

If you do not want to implement port-level security, you do not need to register ports in host groups. If noports are registered in a host group, hosts in the host group can access logical volumes through every portto which the hosts are connected.

To register ports in a host group:1. From the SANtinel window, right-click a host group. A pop-up menu is displayed.


21/46


2. ClickSpecifyand then Port from the pop-up menu. The Select Port window displays a list of ports.

Figure 7 Select Port window

3. From the Unregistered port list, click the ports you want to register and then click the< button to movethem to the Registered port list. The specified ports should be shown in blue in the Registered port list.To select all the ports in the Unregistered port list, clickSelect All.

NOTE: If hosts registered in the host group are also registered in another host group, you cannotregister the ports in Registered port list, and thus you cannot implement port-level security.

4. ClickOK .5. From the SANtinel window, click Apply. A confirmation dialog box is displayed.6. Click Yes. The settings are applied to the disk array.

Creating an LDEV GroupTo specify logical volumes that should be secured, create an LDEV group and then register the logicalvolumes in the LDEV group.

To create an LDEV group:1. From the SANtinel window, right-clickLDEV Group. A pop-up menu is displayed.


22/46


23/46


2. ClickSpecifyand then LDEV from the pop-up menu. The Select LDEV window is displayed.

Figure 9 Select LDEV window

3. In theCU#list, click a CU image. The tables located below the list display the logical volumes in theCU image you selected. The Registered in LDEV group table displays the logical volumes registered inthe LDEV group. The Not registered in LDEV group table displays logical volumes that are notregistered in the LDEV group.

4. In the Not registered in LDEV group table, click the logical volumes that you want to register. Then, clickthe < button to move the selected logical volumes move to the Registered in LDEV group table.

5. To register logical volumes in other CU images, repeat the previous steps.6. ClickOK .7. From the SANtinel window, click Apply. A confirmation dialog box is displayed.8. Click Yes. The settings are applied to the disk array.

Creating a Security Group for Use As an Access GroupTo make security settings, you must create security groups. You can classify security groups as accessgroups or pool groups. To allow logical volumes to be accessed only by specified hosts, classify a securitygroup as an access group.

To create a security group and classify the group as an access group:1. From the SANtinel window, right-clickSecurity Group. A pop-up menu is displayed.


24/46


2. Click Add/Change from the pop-up menu. The Add/Change Security Group window is displayed.

Figure 10 Add/Change Security Group window

3. In theEnter Security Groupbox, enter the name of the security group that you want to create.Security group names can be up to eight characters and are case-sensitive. The first character and thelast character must not be a space. Also, the following characters are unusable in security groupnames:\ , / : ; * ? " < > |

4. Under Security, clickEnable.5. Under Group Status, click Access.6. Under T-VOL/R-VOL, clickEnableor Disable. ClickEnableto allow logical volumes in the security group

to be used as secondary volumes for remote copy operations. ClickDisableto prohibit this.7. Click Add. Information about the new security group is added to the Security Group List and is shown

in blue.8. ClickOK .9. From the SANtinel window, click Apply. A confirmation dialog box is displayed.10.Click Yes. The settings are applied to the disk array.

Registering a Host Group and an LDEV Group in a Security Group After classifying your security group as an access group, register your host group and LDEV group into thesecurity group. When you complete this, the logical volumes in the LDEV group are secured and can onlybe accessed by hosts in the host group. Other hosts cannot access the logical volumes.To register a host group and an LDEV group into a security group:1. From the SANtinel window, right-click a host group. A pop-up menu is displayed.


25/46


2. ClickSpecifyand then Security Group from the pop-up menu. The Specify Security Group window isdisplayed.

Figure 11 Specify Security Group window

3. In theSelect Security Grouplist, click a security group and then clickOK .4. From the SANtinel window, right-click an LDEV group. A pop-up menu is displayed.5. ClickSpecifyand then Security Group from the pop-up menu. The Specify Security Group window is

displayed.6. In theSelect Security Grouplist, click the security group and then clickOK .7. From the SANtinel window, click Apply. A confirmation dialog box is displayed.

8. Click Yes. The settings are applied to the disk array.Prohibiting All Hosts from Accessing Logical Volumes

To prohibit all the hosts from accessing the specified logical volumes, complete the following steps:

Create an LDEV group (seepage 21 ) Register logical volumes in the LDEV group (seepage 22 ) Create a security group and classify it as a pool group (seepage 25 ) Register the LDEV group in the security group (seepage 26 )

Creating a Security Group for Use As a Pool GroupTo make security settings, you must create security groups. You can classify security groups as access

groups or pool groups. To prohibit all hosts from accessing logical volumes, classify a security group as apool group . Complete this step after creating an LDEV group and registering logical volumes in the LDEVgroup.

To create a security group and classify the group as a pool group:1. From the SANtinel window, right-clickSecurity Group. A pop-up menu is displayed.


26/46


27/46


2. ClickSpecifyand then Security Group from the pop-up menu. The Specify Security Group window isdisplayed.

Figure 13 Specify Security Group window

3. In theSelect Security Grouplist, click a security group and then clickOK .4. From the SANtinel window, click Apply. A confirmation dialog box is displayed.5. Click Yes. The settings are applied to the disk array.

Protecting Logical Volumes from Remote Copy OperationsThe following procedure makes logical volumes in a security group unusable as secondary volumes forremote copy operations and protects data the logical volumes from being overwritten by remote copyoperations.To make logical volumes in a security group unusable as secondary volumes:1. From the SANtinel window, right-clickSecurity Groupor any specific security group. A pop-up menu is

displayed.2. Click Add/Change from the pop-up menu. The Add/Change Security Group window is displayed.


3. In the Security Group List, click the security group you want to change.4. Under T-VOL/R-VOL, clickDisable.5. ClickChange. The change is reflected in the window.6. ClickOK .7. From the SANtinel window, click Apply. A confirmation dialog box is displayed.


28/46


8. Click Yes. The settings are applied to the disk array.

NOTE: If you want to make logical volumes in your security group usable as secondary volumesfor remote copy operations, click the security group in the Add/Change Security Group windowand then clickEnableunder T-VOL/R-VOL. Next, clickChange and then OK . Finally, click Apply inthe SANtinel window.

Disabling SecurityComplete the following procedure to disable security on logical volumes in the security group. If security isdisabled, logical volumes in the security group are accessible from all hosts and are usable as secondaryvolumes for remote copy operations, regardless of whether the security group is an access or pool group.

If you are certain that you will not need to restore security, you can delete your security group to disablesecurity. For details on how to delete security groups, refer toDeleting Security Groups on page 30 .

To disable security on logical volumes:1. From the SANtinel window, right-click the security group in which the logical volumes are registered. A

pop-up menu is displayed.2. Click Add/Change from the pop-up menu. The Add/Change Security Group window is displayed.


3. In the Security Group List, click the security group you want to disable.4. Under Security, clickDisable.5. ClickChange. The change is reflected in the window.6. ClickOK .7. From the SANtinel window, click Apply. A confirmation dialog box is displayed.8. Click Yes. The settings are applied to the disk array.

NOTE: If you want to restore security, click the security group in the Add/Change Security Groupwindow and then clickEnableunder Security. Next, clickChange and then OK . Finally, click Apply in the SANtinel window.


29/46


Editing Security SettingsEditing Security Groups

This section contains the following topics about editing security groups:

Unregistering a host group from a security group (seepage 29 ) Unregistering an LDEV group from a security group (seepage 29 ) Renaming a security group (seepage 29 )

Deleting a security group (seepage 30 )You must operate Command View XP or XP Remote Web Console in Modify mode to perform SANtineloperations. Users in view mode can only view SANtinel information.

Unregistering a Host Group from a Security GroupTo unregister a host group from a security group:1. From the SANtinel window, double-click a security group containing the host group. The tree view

displays the host group in the specified security group.2. Right-click the host group and clickDeletefrom the pop-up menu. A confirmation dialog box is

displayed.3. Click Yes.4. Click Apply. A confirmation dialog box is displayed.5. Click Yes. The settings are applied to the disk array.

Unregistering an LDEV Group from a Security GroupTo unregister the LDEV group from a security group:1. From the SANtinel window, double-click a security group containing the LDEV group. The tree view

displays the LDEV group in the specified security group.2. Right-click the LDEV group and clickDeletefrom the pop-up menu. A confirmation dialog box is

displayed.3. Click Yes.

4. Click Apply. A confirmation dialog box is displayed.5. Click Yes. The settings are applied to the disk array.

Renaming Security GroupsTo rename a security group:1. From the SANtinel window, right-clickSecurity Groupor a security group. A pop-up menu is displayed.


30/46


2. Click Add/Change from the pop-up menu. The Add/Change Security Group window is displayed.


3. In the Security Group List, click the security group you want to rename.4. In theEnter Security Groupbox, enter the new name for the security group.

Security group names can be up to eight characters and are case-sensitive. The first character and thelast character must not be a space. Also, the following characters are unusable in security groupnames:\ , / : ; * ? " < > |

5. ClickChange. The change is reflected in the window.6. ClickOK .7. From the SANtinel window, click Apply. A confirmation dialog box is displayed.8. Click Yes. The settings are applied to the disk array.

Deleting Security GroupsTo delete a security group:1. From the SANtinel window, right-click the security group you want to delete. A pop-up menu is

displayed.2. ClickDeletefrom the pop-up menu. A confirmation dialog box is displayed.3. Click Yes.

4. Click Apply. A confirmation dialog box is displayed.5. Click Yes. The settings are applied to the disk array.

Editing Host GroupsThis section contains the following topics about editing host groups:

Registering hosts (not attached to the disk array) into a host group (seepage 31 ) Deleting hosts from a host group (seepage 32 ) Deleting ports from a host group (seepage 32 ) Renaming a host group (seepage 33 ) Deleting a host group (seepage 34 )


31/46



Registering Hosts to be Attached to the Disk ArrayIf your organization is planning to attach new mainframe hosts to the disk array, you will possibly need torevise the security settings on logical volumes. For example, if you do not want to allow the new hosts toaccess some logical volumes, you might need to register the new hosts in the host group in an existingaccess group. You can use SANtinel to register new hosts in host groups before the new hosts are attachedto the disk array.

To register a mainframe host to be attached into a host group:1. Execute the following system command at the mainframe host:

D M=CPU

Typing this command displays the type, the model number, the node ID, and the logical partitionnumber of the host. Write down the information to refer to it later.

2. From the SANtinel window, right-click a host group inHost Group. A pop-up menu is displayed.3. ClickSpecifyand then Host from the pop-up menu. The Add/Change Host window displays a list of

hosts.


4. Use the text boxes and the list to specify the information provided instep 1.5. Click Add. The specified host is added to the table and is represented by the icon.6. ClickOK .7. From the SANtinel window, click Apply. A confirmation dialog box is displayed.8. Click Yes. The settings are applied to the disk array.

TIP: If you registered a host in an incorrect host group, first follow the previous procedure to register

the host in the correct host group. Then, follow the procedure inDeleting Hosts from HostGroups on page 32 to remove the host from the incorrect host group.


32/46


To modify information about hosts with the icon, use the Add/Change Host window. Clickthe host in the table and then use the text boxes and/or list to change the information. Next,clickChange and then OK . Finally, click Apply in the SANtinel window.

To delete a host with the icon from the Add/Change Host window, select and right-click thehost, clickDeletefrom the pop-up menu, and then clickOK . Finally, click Apply in the SANtinelwindow.

Deleting Hosts from Host GroupsTo delete hosts from a host group:1. From the SANtinel window, right-click a host group. A pop-up menu is displayed.2. ClickSpecifyand then Hostfrom the pop-up menu. The Add/Change Host window displays a list of

hosts.


3. Select and then right-click one or more hosts (with the or icon) that you want to delete.4. ClickRegistrationand then Unregister Host in Host Groupfrom the pop-up menu. The specified hosts

are shown in blue. Also, the icons are no longer displayed or will change to the or icon. Theand icons indicate that the host is registered in another host group.


Deleting Ports from Host GroupsTo delete ports from host groups, you must have SANtinel Port Security Option installed.

To delete ports from a host group:1. From the SANtinel window, right-click a host group. A pop-up menu is displayed.


33/46


2. ClickSpecifyand then Port from the pop-up menu. The Select Port window is displayed.

Figure 19 Select Port window

3. From the Registered port list, click the ports you want to delete and then click the> button to move themto the Unregistered port list. The specified ports should be shown in blue in the Unregistered port list. Toselect all the ports in the Registered port list, clickSelect All.


Renaming Host GroupsTo rename a host group:1. From the SANtinel window, right-clickHost Groupor a host group. A pop-up menu is displayed.2. Click Add/Change from the pop-up menu. The Add/Change Host Group window is displayed.

Figure 20 Add/Change Host Group window

3. In the Host Group List, click the host group you want to rename.4. In theEnter Host Groupbox, enter the new name for the host group.


34/46


Host group names can be up to eight characters and are case-sensitive. The first character and the lastcharacter must not be a space. Also, the following characters are unusable in security group names:\ , / : ; * ? " < > |

5. ClickChange. The change is reflected in the window.6. ClickOK .7. From the SANtinel window, click Apply. A confirmation dialog box is displayed.8. Click Yes. The settings are applied to the disk array.

Deleting Host GroupsTo delete a host group:1. From the SANtinel window, right-click the host group you want to delete. A pop-up menu is displayed.2. ClickDeletefrom the pop-up menu. A confirmation dialog box is displayed.3. Click Yes.4. Click Apply. A confirmation dialog box is displayed.5. Click Yes. The settings are applied to the disk array.

Editing LDEV GroupsThis section contains the following topics about editing LDEV groups:

Deleting logical volumes from an LDEV group (seepage 34 ) Renaming an LDEV group (seepage 35 ) Deleting an LDEV group (seepage 35 )


Deleting Logical Volumes from LDEV GroupsTo delete logical volumes from an LDEV group:1. From the SANtinel window, right-click an LDEV group. A pop-up menu is displayed.2. ClickSpecifyand then LDEV from the pop-up menu. The Select LDEV window is displayed.

Figure 21 Select LDEV window

3. In theCU#list, click a CU image. The tables located below the list display the logical volumes in theCU image you selected. The Registered in LDEV group table displays the logical volumes registered inthe LDEV group. The Not registered in LDEV group table displays logical volumes that are notregistered in the LDEV group.


35/46


4. In the Registered in LDEV group table, click the logical volumes that you want to delete. Then, click the> button to move the selected logical volumes to the Not registered in LDEV group table.

5. To delete logical volumes in other CU images, repeat the previous steps.6. ClickOK .7. From the SANtinel window, click Apply. A confirmation dialog box is displayed.8. Click Yes. The settings are applied to the disk array.

Renaming LDEV Groups

To rename an LDEV group:1. From the SANtinel window, right-clickLDEV Groupor an LDEV group. A pop-up menu is displayed.2. Click Add/Change from the pop-up menu. The Add/Change LDEV Group window is displayed.

Figure 22 Add/Change LDEV Group window

3. In the LDEV Group List, click the LDEV group you want to rename.4. In theEnter LDEV Groupbox, enter the new name for the LDEV group.

LDEV group names can be up to eight characters and are case-sensitive. The first character and the lastcharacter must not be a space. Also, the following characters are unusable in security group names:\ , / : ; * ? " < > |

5. ClickChange. The change is reflected in the window.6. ClickOK .

7. From the SANtinel window, click Apply. A confirmation dialog box is displayed.8. Click Yes. The settings are applied to the disk array.

Deleting LDEV GroupsTo delete an LDEV group:1. From the SANtinel window, right-click the LDEV group you want to delete. A pop-up menu is displayed2. ClickDeletefrom the pop-up menu. A confirmation dialog box is displayed.3. Click Yes.4. Click Apply. A confirmation dialog box is displayed.5. Click Yes. The settings are applied to the disk array.


36/46


Viewing Security SettingsThis section explains how to view security settings for the following:

Logical Volumes in a Specified Security Group (seepage 36 ) Security Groups that Contains a Specified Host (seepage 37 ) Ports through which Hosts Can Access Logical Volumes (seepage 37 ) Logical Volumes in the Security Group that Contains a Specified Host (seepage 38 ) Security Groups that Contain a Specified Logical Volume (seepage 39 ) Hosts in the Security Group that Contains a Specified Logical Volume (seepage 40 ) Security Groups that Contain a Specified Host Group (seepage 41 ) Security Groups that Contain a Specified LDEV Group (seepage 41 )

Finding Logical Volumes in a Specified Security GroupTo search a security group for logical volumes, click the security group in the tree view of the SANtinelwindow and then display the list of logical volumes in the lower-right table. Another method is described inthe following procedure.

To find logical volumes in a specified security group:1. In the tree view of the SANtinel window, right-click an item except for a host group or LDEV group that

is displayed immediately below a security group.2. From the pop-up menu, clickList -> Security Group to LDEV . The Security Group to LDEV window is

displayed.

Figure 23 Security Group to LDEV window

3. In theSecurity Grouplist, click a security group.4. Display the CU image numbers by clicking the down arrow to open theCU#list.

If one CU image number is listed, the table in the window displays all the logical volumes in thespecified security group.

If two or more CU image numbers are listed, the table in the window currently displays some of thelogical volumes in the specified security group. Click each CU image number to find logicalvolumes in the specified CU image.


37/46


Finding Security Groups that Contains a Specified HostTo specify a host and find the security groups in which the host is registered, complete one of the followingprocedures. Follow the first procedure if the host is displayed in the Hosts table (the upper-right table on theSANtinel window). Follow the second procedure if the host is not displayed in the Hosts table.

If the host is displayed in the Hosts table:1. Right-click the host in the table.2. From the pop-up menu, clickList -> Host to Security Group. The Host to Security Group window is

displayed.

Figure 24 Host to Security Group window

If the host is not displayed in the Hosts table:1. In the tree view of the SANtinel window, right-click an item except for a host group or LDEV group that

is displayed immediately below a security group.2. From the pop-up menu, clickList -> Host to Security Group. The Host to Security Group window is

displayed.3. In theHost list, click the host. The table lists the security groups that you want.

Finding Ports Through which Hosts Can Access Logical VolumesTo find the ports through which a host can access logical volumes, you must have SANtinel Port SecurityOption installed.


38/46


To find the ports through which a host can access logical volumes:1. In the tree view of the SANtinel window, right-click an item and then clickList -> Host Group to Port

from the pop-up menu. The Host Group to Port window is displayed.

Figure 25 Host Group to Port window

2. In theHost Grouplist, click a host group.3. In theHost list, click a host.4. The Port list displays the ports through which the specified host can access logical volumes. ClickOK to

close the Host Group to Port window.

Finding Logical Volumes in the Security Group that Contains a Specified HostIf a security group is classified as an access group, the security group contains both host and logicalvolumes. The following procedures explain how to specify a host and to find logical volumes in the securitygroup in which the specified host is registered. Follow the first procedure if the host is displayed in theHosts table (the upper-right table on the SANtinel window). Follow the second procedure if the host is notdisplayed in the Hosts table.

If the host is displayed in the Hosts table:1. Right-click the host in the table.


39/46


2. From the pop-up menu, clickList -> Host to LDEV . The Host to LDEV window displays a list of logicalvolumes.

Figure 26 Host to LDEV window

3. Display the CU image numbers by clicking the down arrow to open theCU#list. If one CU image number is listed, the table in the window displays all the logical volumes that you

want. If two or more CU image numbers are listed, the table in the window currently displays some of the

logical volumes that you want. Click each CU image number to find logical volumes in the specifiedCU image.

If the host is not displayed in the Hosts table:1. In the tree view of the SANtinel window, right-click an item except for a host group or LDEV group that

is displayed immediately below a security group.2. From the pop-up menu, clickList -> Host to LDEV . The Host to LDEV window is displayed.3. In theHost list, click the host. The table lists the security groups that you want.4. Display the CU image numbers by clicking the down arrow to open theCU#list.

If one CU image number is listed, the table in the window displays all the logical volumes that youwant.

If two or more CU image numbers are listed, the table in the window currently displays some of thelogical volumes that you want. Click each CU image number to find logical volumes in the specifiedCU image.

Finding Security Groups that Contain a Specified Logical VolumeTo specify a logical volume and find the security groups in which the logical volume is registered, completeone of the following procedures. Follow the first procedure if the logical volume is displayed in the LDEVstable (the lower-right table on the SANtinel window). Follow the second procedure if the logical volume isnot displayed in the LDEVs table.

If the logical volume is displayed in the LDEVs table:1. Right-click the logical volume in the table.


40/46


2. From the pop-up menu, clickList -> LDEV to Security Group. The LDEV to Security Group window isdisplayed. The table on the right displays a list of hosts.

Figure 27 LDEV to Security Group window

If the logical volume is not displayed in the LDEVs table:1. In the tree view of the SANtinel window, right-click an item except for a host group or LDEV group that

is displayed immediately below a security group.2. From the pop-up menu, clickList -> LDEV to Security Group. The LDEV to Security Group window isdisplayed.

3. In theCU#list, click a CU image number. Then, click an LDEV number from the lower-left table. Thetable on the right lists the security groups that you want.

Finding Hosts in the Security Group that Contains a Specified Logical VolumeIf a security group is classified as an access group, the security group contains both host and logicalvolumes. The following procedures explain how to specify a logical volume and to find hosts in the securitygroup in which the specified logical volume is registered. Follow the first procedure if the logical volume isdisplayed in the LDEVs table (the lower-right table on the SANtinel window). Follow the second procedureif the logical volume is not displayed in the LDEVs table.

If the logical volume is displayed in the LDEVs table:1. Right-click the logical volume in the table.2. From the pop-up menu, clickList -> LDEV to Host. The LDEV to Host window is displayed. The table on

the right displays a list of hosts.

Figure 28 LDEV to Host window

If the logical volume is not displayed in the LDEVs table:1. In the tree view of the SANtinel window, right-click an item except for a host group or LDEV group that

is displayed immediately below a security group.


41/46


2. From the pop-up menu, clickList -> LDEV to Host. The LDEV to Host window is displayed.3. In theCU#list, click a CU image number. Then, click an LDEV number in the lower-left table. The table

on the right lists the security groups that you want.

Finding Security Groups that Contain a Specified Host GroupTo find security groups in which the specified host group is registered:1. In the tree view of the SANtinel window, right-click an item except for a host group or LDEV group that


2. From the pop-up menu, clickList -> Host Group to Security Group. The Host Group to Security Groupwindow is displayed.

Figure 29 Host Group to Security Group window

3. In theHost Grouplist, click the host group. The table lists the security groups that you want.

Finding Security Groups that Contain a Specified LDEV GroupTo find security groups in which the specified LDEV group is registered:1. In the tree view of the SANtinel window, right-click an item except for a host group or LDEV group that



42/46


2. From the pop-up menu, clickList -> LDEV Group to Security Group. The LDEV Group to Security Groupwindow is displayed.

Figure 30 LDEV Group to Security Group window

3. In theLDEV Grouplist, click the LDEV Group. The table lists the security groups that you want.

General SANtinel TroubleshootingSANtinel may display the Error Detail window when you attempt to apply security settings and an erroroccurs.

Figure 31 Error Detail window

The probable causes of the error are:

Some hosts in one security group are accessing logical volumes in another security group. Some hosts do not belong to any security group, but the hosts are accessing logical volumes in a

security group.

To correct this error, find the hosts and the logical volumes that cause the error.


43/46


To find the cause of the error:1. In the Error Detail window, click the down arrow to open theHost list.

If the list displays one entry, only one host is causing the error. If the list displays two or more entries, two or more hosts are causing the error.

2. In theHost list, click a host.3. Display the CU image numbers by clicking the down arrow to open theCU#list.

If the list displays one entry, the table displays all the logical volumes that are causing the error.

If the list displays two or more entries, the table displays some of the error-causing logical volumes.To view other error-causing volumes, use theCU#list to specify another CU image.4. If two or more hosts are causing the error, repeatstep 2 and step 3.

If error-causing hosts and logical volumes are detected, do one of the following to remove the error:

Vary the error-causing logical volume offline from the error-causing host. For detailed information aboutvarying the volume offline, refer to the documentation for host commands.

Find the security group that contains the error-causing hosts and the error-causing logical volumes.Then, disable the security settings of the security group (seeDisabling Security on page 28 ).


44/46


45/46


Index

Aaccess groups 11applying security 18audience, documentation 7

Cclassifying security groups 23 , 25conventions

document 8text symbols 8

creatinghost groups 18LDEV groups 21security groups for use as access groups 23security groups for use as pool groups 25

customer support 8

Ddeleting

host groups 34hosts from host groups 32LDEV groups 35logical volumes from LDEV groups 34ports from host groups 32security groups 30

disabling security 18 , 28document

conventions 8prerequisites 7related documentation 7

Eediting

host groups 30LDEV groups 34security groups 29security settings 29

emulation types 14enabling

hosts to access logical volumes 18

specified hosts to access logical volumes 11Ffinding

hosts in security groups containing specified logicalvolumes 40

logical volumes in security groups 36logical volumes in security groups containing

specified hosts 38ports through which hosts can access logical volumes

37security groups containing specified host groups 41

security groups containing specified hosts 37

security groups containing specified LDEV groups 41security groups containing specified logical volumes

39firmware versions 7

Hhelp, obtaining 8 , 9HP

storage web site 9Subscribers choice web site 8technical support 8

LLDEV security 11LDEVs 11logical devices 11logical partitions 17LPARs 17

Mmaximum number of groups 15

PPCB types 14pool groups 13port-level security 11 , 12prerequisites 7prohibiting hosts from accessing logical volumes 13 , 25protecting

logical volumes from erroneous remote copyoperations 14

logical volumes from I/O operations 11logical volumes from remote copy operations 27

Rregistering

host and LDEV groups in security groups 24hosts in host groups 19hosts to be attached to disk arrays 31LDEV groups in security groups 26

logical volumes in LDEV groups 22ports in host groups 20related documentation 7renaming

host groups 33LDEV groups 35security groups 29

restrictions 14

Ssecondary volumes 14starting 16

Subscribers choice, HP 8


46/46

symbols in text 8system requirements 11

Ttechnical support, HP 8text symbols 8troubleshooting 42

Uunregistering

host groups from security groups 29LDEV groups from security groups 29

Vviewing security settings 36

W web sites

HP documentation 7HP storage 9HP Subscribers choice 8

santinel_ug rootsan technologies pvt ltd

Documents