
EMC-Celerra Connector Overview

Capabilities

This connector enables you to use File Access Manager to access and analyze data stored in EMC-Celerra and do the following:

  • Analyze the structure of your stored data.

  • Monitor user activity in the resources.

  • Classify the data being stored.

  • Verify user permissions on the resources, and compare them against requirements.

  • Manage access fulfillment - automated granting and revoking of access - according to rules set in File Access Manager.

  • Identity collector – collect IAM users, groups and roles and the connections between them.

Refer to the File Access Manager documentation for a full description.

Connector Overview

For more information and a deep technical understanding of the EMC architecture and CEE, refer to EMC CEE version 7.0 using the Common Event Enabler for Windows.

  • Physical & Virtual Data Mover - A physical data mover can host multiple virtual data movers (VDMs). Celerra/VNX architecture is based on physical components named data movers.

Warning

Each physical data mover has a single audit facility (CEPA), which must be configured separately for each physical data mover.

  • CIFS Server - A CIFS server is an EMC component that corresponds to a file server (\\cifs_server_name). You can configure a CIFS server on a physical Data Mover or on a VDM. Typically, the CIFS servers are configured on a VDM. Every CIFS server requires an Application definition in File Access Manager.

  • CIFS Server Aliases - An alias is an alternative name for the CIFS server. It is defined in the CIFS server itself and is visible in EMC Unisphere. Every CIFS server can have one or more aliases. File Access Manager always saves activities under the real name of the filer, so the filer name configured in the application must be the real name only.

    • A DNS alias is not an EMC alias.

Warning

You must configure the aliases in the application configuration as well. Failure to do so results in losing the events of users accessing the aliases.

  • NFS Exports - An NFS export is an EMC component that can be associated with any existing network interface to expose a UNIX-style NFS file server. Every NFS network interface that exposes NFS exports requires an Application definition in File Access Manager.

  • CEE - A CEE service is the EMC gateway for communicating and receiving events notifications from the data movers.

    • All data movers send notifications on CIFS/NFS events to the CEE service. The service in the data mover responsible for sending the events to the CEE is called CEPA (Celerra Event Publishing Connector).

    • There is an n:n relation between the CEPA service running on the data mover and the CEE service:

      • Every CEE can communicate with multiple data movers.

      • Every CEPA service on a data mover can communicate with multiple CEE servers (for high availability and load sharing).

  • CEPA and Virtual Data Movers - For CEE to work, you need to have a CIFS server configured on the physical Data Mover. This is the global CIFS server or the default CIFS server on the physical Data Mover.

  • CEE & Activity Monitor - Every Activity Monitor can communicate with one or more CEE servers. Every CEE service can be configured to work with multiple Activity Monitor services.

  • Activity Monitor - Each Activity Monitor in File Access Manager corresponds to a single CIFS server.

    • The first Activity Monitor installed on a physical server creates the Activity Monitor service. Subsequent Activity Monitors installed will not create additional Activity Monitor services.

    • Every Activity Monitor that is installed adds a bamconfig.xml file under the Activity Monitor to add itself to the same service.

Warning

The first installed Activity Monitor must be the last Activity Monitor uninstalled. If you uninstall the first Activity Monitor before uninstalling the other installed Activity Monitors, those Activity Monitors will not work, and it will not be possible to uninstall them.

Permissions Collection Operation Principle

  • CIFS Shares - File Access Manager connects using EMC administrative shares and analyzes folder permissions. Local groups and users are collected from the CIFS server during the permissions collection process.

  • NFS Exports - File Access Manager connects using standard NFSv3 access to analyze UNIX-style folder permissions. A NIS Identity Collector is used to resolve UIDs/GIDs permissions discovered during the permissions collection process.

Monitored Activities

The following activities are monitored by the EMC-Celerra connector:

  • Create File - A new file was created.

  • Create Folder - A new folder was created.

  • Create from Move - A “Create Folder” event generates this event on the newly created folder.

  • Create from Rename - A “Rename Folder” event generates this event on the newly created folder.

  • Delete File - A file was deleted.

  • Delete Folder - A folder was deleted.

  • Move File - A file was moved.

  • Move Folder - A folder was moved.

  • Permission Change File - A file’s permissions were changed.

  • Permission Change Folder - A folder’s permissions were changed.

  • Read File - A file was read.

  • Rename File - A file was renamed.

  • Rename Folder - A folder was renamed.

  • Write File - A file was modified.

Sample Architecture

In the schema below, the first physical Data Mover is configured to send events to CEE 1 & 2. CEE 1 & 2 are configured to send event notifications to the Activity Monitor.

The second physical Data Mover is configured to send events to CEE 2 & 3. CEE 2 & 3 are configured to send event notifications to the Activity Monitor.

  • CIFS Server 1

  • CIFS Server 2

  • NFS Export 1

The Activity Monitor monitors using CEE 2 & 3:

  • CIFS Server 4

  • CIFS Server 5

  • NFS Export 2
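
The requirements in the Connector Overview (CEPA configured on every physical data mover, a CIFS server on the physical Data Mover for CEE, an Application definition per CIFS server, and every alias listed in the application) can be checked against a deployment inventory to find places where audit events would be lost. The following is an added example, not part of File Access Manager or EMC tooling; the inventory layout and every name in it are constructed for illustration, and it covers CIFS servers only.

```python
# Constructed inventory loosely based on the sample architecture. The
# dictionary layout is hypothetical, not a File Access Manager or EMC format.
INVENTORY = {
    "data_movers": {
        "dm1": {"cepa_targets": ["cee1", "cee2"], "global_cifs_server": True,
                # real CIFS server name -> aliases defined on the CIFS server
                "cifs_servers": {"cifs1": ["files"], "cifs2": []}},
        "dm2": {"cepa_targets": [], "global_cifs_server": False,
                "cifs_servers": {"cifs4": ["archive"]}},
    },
    # CEE server -> Activity Monitors it sends event notifications to
    "cee_forwarding": {"cee1": ["am1"], "cee2": ["am1"], "cee3": []},
    # Application definitions: real filer name -> aliases listed in the app
    "applications": {"cifs1": [], "cifs2": []},
}


def find_monitoring_gaps(inv):
    """Return sorted (object, problem) pairs where activity events would be lost."""
    gaps = set()
    for dm, cfg in inv["data_movers"].items():
        # CEPA is configured once per physical data mover.
        if not cfg["cepa_targets"]:
            gaps.add((dm, "CEPA not configured on this physical data mover"))
        # CEE needs a CIFS server on the physical Data Mover itself.
        if not cfg["global_cifs_server"]:
            gaps.add((dm, "no CIFS server on the physical data mover for CEE"))
        # Each CEE that receives events must pass them to an Activity Monitor.
        for cee in cfg["cepa_targets"]:
            if not inv["cee_forwarding"].get(cee):
                gaps.add((cee, "CEE has no Activity Monitor configured"))
        for server, aliases in cfg["cifs_servers"].items():
            app_aliases = inv["applications"].get(server)
            if app_aliases is None:
                gaps.add((server, "no Application definition"))
                continue
            # Aliases missing from the application lose their users' events.
            for alias in set(aliases) - set(app_aliases):
                gaps.add((server, f"alias '{alias}' missing from application"))
    return sorted(gaps)


if __name__ == "__main__":
    for obj, problem in find_monitoring_gaps(INVENTORY):
        print(f"{obj}: {problem}")
```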

EMC-Celerra Installation Flow Overview

To install the EMC-Celerra connector:

  1. Configure all the prerequisites.

  2. Add a new EMC-Celerra application in the Business Website.

  3. Install the relevant services:

    • Activity Monitor - This is the activity collection engine, used by all connectors that support activity monitoring.

    • Permissions Collector

      If you are using EC2 login, the collector should be installed on the EC2 instance.

    • Data Classification Collector

Important

Installing the permissions collector and data classification services is optional and should only be done by someone with a full understanding of File Access Manager deployment architecture. The File Access Manager Administrator Guide has additional information on the architecture.