Version: 2.12.0 🚧

Installation

Introduction​

The Superna Disaster Recovery (DR) Edition installation guide provides instructions for successfully deploying the Superna DR solution. This page gives a high-level overview of the full installation process and the phases it includes, such as reviewing system requirements, deploying a Superna virtual appliance, configuring hardware clusters, and the initial setup of the Superna DR Solution environment. At the end of this guide are some recommended next steps for after you have successfully installed and initially configured Superna DR Edition.

Requirements and Prerequisites​

Release Compatibility​

Powerscale OneFS Version​

| Version | First Supported Superna Release |
|---|---|
| 8.2.x.y | 2.5.9.x or older |
| 9.0.x.y | 2.5.9.x or older |
| 9.1.x.y | 2.5.9.x or older |
| 9.2.x.y | 2.5.9.x or older |
| 9.3.x.y | 2.5.9.x or older |
| 9.4.0.12 | 2.5.10 |
| 9.5.0.1 | 2.5.11 |
| 9.7.x.y | 2.8.3 |
| 9.8.0.0 | 2.9.0 |

DR Edition Feature Release Compatibility​

Configuration Replication Non-DFS Mode

| Source Cluster Release | Target SyncIQ Cluster Release |
|---|---|
| 8.2.x.x | 8.2.x.x** |
| 9.0 | 9.0 |
| 9.1 | 9.1 |
| 9.2 | 9.2 |
| 9.3 | 9.3 |
| 9.4 | 9.4 |
| 9.5 | 9.5 |

Configuration Replication DFS Mode

| Source Cluster Release | Target SyncIQ Cluster Release |
|---|---|
| 8.2.x.x | 8.2.x.x |
| 9.0 | 9.0 |
| 9.1 | 9.1 |
| 9.2 | 9.2 |
| 9.3 | 9.3 |
| 9.4 | 9.4 |
| 9.5 | 9.5 |

SyncIQ Policy Failover Non-DFS Mode

| Source Cluster Release | Target SyncIQ Cluster Release |
|---|---|
| 8.2.x.x | 8.2.x.x |
| 9.0 | 9.0 |
| 9.1 | 9.1 |
| 9.2 | 9.2 |
| 9.3 | 9.3 |
| 9.4 | 9.4 |
| 9.5 | 9.5 |

SyncIQ Policy Failover DFS Mode

| Source Cluster Release | Target SyncIQ Cluster Release |
|---|---|
| 8.2.x.x | 8.2.x.x |
| 9.0 | 9.0 |
| 9.1 | 9.1 |
| 9.2 | 9.2 |
| 9.3 | 9.3 |
| 9.4 | 9.4 |
| 9.5 | 9.5 |

Access Zone Failover

| Source Cluster Release | Target SyncIQ Cluster Release |
|---|---|
| 8.2.x.x | 8.2.x.x |
| 9.0 | 9.0 |
| 9.1 | 9.1 |
| 9.2 | 9.2 |
| 9.3 | 9.3 |
| 9.4 | 9.4 |
| 9.5 | 9.5 |

Data Config Migration

| Source Cluster Release | Target SyncIQ Cluster Release |
|---|---|
| 9.0 | 9.0 |
| 9.1 | 9.1 |
| 9.2 | 9.2 |
| 9.3 | 9.3 |
| 9.4 | 9.4 |
| 9.5 | 9.5 |

Live Ops DR Test Mode

| Source Cluster Release | Target SyncIQ Cluster Release |
|---|---|
| 9.0 | 9.0 |
| 9.1 | 9.1 |

Feature Support Matrix

| Description | Supported |
|---|---|
| Overlapping Access Zone with System (/ifs) | Yes - Create / Update, No - Delete |
| Configuration Replication (non DFS mode) | Yes - Create / Update, No - Delete |
| Configuration Replication (DFS mode) | Yes - Create / Update, No - Delete |
| SyncIQ Failover | Yes |
| SyncIQ Failover - DFS Mode | Yes |
| Access Zone Failover | No |
| Overlapping Access Zone - non System Zones | Yes - shares/export/alias, No - Access Zone |
| Runbook Robot Access Zone Multi cluster | No (only cluster pairs with no common cluster) |
| Failover with SyncIQ Encryption | Yes (8.2 or later only) |

System Requirements​

Virtualization Platforms​

  • VMware vSphere: Version 6.0 ESX host or higher is required.
  • Microsoft Hyper-V: Appliance deployment requires support for the VHDX format.

VMware vCenter Deployment​

vCenter 7 and vCenter 8 are supported.

System Resources​

  • CPU: 4 vCPUs
  • Memory: 16 GB RAM (Memory may need to be upgraded based on scalability requirements. Refer to the scalability table for more information.)
  • Disk Space:
    • Operating System Partition: 30 GB
    • Additional Disk Space: 80 GB
    • Total Disk Size in VMware: 110 GB

Network Requirements​

  • Latency: The latency between the administration PC and the Eyeglass VM GUI must be less than 15 ms (measured by ping).

Authentication and User Management​

  • Active Directory (AD) Authentication: An AD authentication provider must be available in the system zone for Role-Based Access Control (RBAC) and SID-to-user resolution API requirements.

Browser Requirements​

  • Supported Browser: Google Chrome is required. The browser must support WebSockets.
  • Unsupported Browsers: Internet Explorer is not supported.
  • Cookie Settings: Third-party cookies must not be disabled, as they are required for authentication sessions and file downloads.

Ports Requirements​

| Port | Protocol | Source --> Destination | Description |
|---|---|---|---|
| DNS 53 UDP | DNS | Appliance --> DNS server OR Appliance --> GroupNet (DNS configured on all clusters) | Functional DNS is a requirement for multiple validations needed for failover and Failover Readiness |
| TLS 443 | TCP TLS 1.2 | Appliance --> Internet | DR Remote Monitoring or Phone Home remote log upload for support and health checks |
| NTP 123 | UDP | Appliance --> NTP server in your environment | Time sync should use same NTP as the clusters. Always disable VMware host VM time sync option. |
| SMTP 25 | TCP | Appliance --> Mail server in your environment | Email of alarms from Eyeglass to your mail server |
| HTTP 80 | TCP | Appliance --> Open Suse Mirror Repositories | URL to allow security updates: Open Suse Download. Security patches come directly from Open Suse and requires the appliance to have access to download the patches and apply on a weekly schedule. |
| HTTPS 8080 | TCP TLS 1.2 | Appliance --> Isilon/Powerscale OneFS cluster | REST API is authenticated using the service account created here. Authentication uses Isilon session authentication method. |
| SSH 22 | AES | Appliance --> Isilon/Powerscale OneFS cluster | SSH access for some CLI commands |
| HTTPS 443 | TCP TLS 1.2 AES - Unsigned certificate | Admin PC browser --> Appliance | Secures client to browser access |
| Target Port 80 --> Destination random TCP source port on the browser | Only used to redirect to 443, can be blocked if needed | Admin PC browser --> Appliance | If connection on IP address port 80 is made, an HTTP 301, 302 redirect is returned on port 80 to switch the browser to https and url https://x.x.x.x/eyeglass. No services run on port 80 and this is only used to redirect to port 443 HTTPS. |
| HTTPS 2011 Websocket | TCP TLS 1.2 AES | Admin PC browser --> Appliance | Websocket for real-time appliance to browser updates (redirected to 2012) |
| TLS 2012 Websocket | TCP TLS 1.2 AES | Admin PC browser --> Appliance | Websocket for real-time appliance to browser updates (redirected to 2012) |
| SSH 22 | TCP AES | Admin PC browser --> Appliance | Secure shell access |
| Proxy login SMB 2 (only) 445 | TCP | Appliance --> Isilon/Powerscale OneFS | Used to authenticate to AD through Isilon/Powerscale OneFS using standard Microsoft SMB authentication request for Role based login proxy interface |
| Dual DNS Delegation | UDP | Appliance Port 53 UDP DNS --> Groupnet(x) DNS servers | New in 2.5.6 or later, requires Eyeglass to be able to access the Groupnet DNS servers to validate Dual DNS delegation is configured correctly. The OS DNS is not used since the DNS that must be configured correctly is used by Isilon/Powerscale OneFS itself. |
| Internet Control Message Protocol | ICMP | Appliance --> Isilon/Powerscale OneFS | If for any reason ICMP is disabled, or PMTUD is not supported, this causes OneFS to default the MTU to 536 bytes, which typically leads to performance degradation. |

Scalability Limits​

Eyeglass Scalability Limits and Appliance Memory Minimum Requirements

| Scaling Limit Area | Tested Scaling Limits | Notes |
|---|---|---|
| Number of Managed Clusters (1 appliance) | Manages up to 22 clusters | Contact Support for RAM requirements |
| SyncIQ Policies Across All Clusters | Supports > 100 policies with 64 GB RAM; Supports > 200 policies with 84 GB RAM | |
| Access Zones | Handles > 10 zones with 32 GB RAM; Handles > 30 zones with 64 GB RAM; Handles > 50 zones with 84 GB RAM | Requires 32 GB to 84 GB of RAM |
| Failover Job Limitations | Supports 100 policies in a single failover | Requires 64 GB RAM |
| Total Object Count (shares + exports + quotas) | Handles < 5,000 objects with 16 GB RAM; Handles 5,000 - 10,000 objects with 32 GB to 48 GB RAM; Handles > 10,000 objects with 64 GB RAM; Handles > 20,000 objects with 84 GB RAM | |
| Clusters Added to the Appliance | Supports 4 clusters with 32 GB RAM; Supports 4 - 8 clusters with 64 GB RAM; Supports > 10 clusters with 84 GB RAM | |
| Performance Auditor | Requires a minimum of 32 GB RAM when the Performance Auditor is licensed | Minimum 32 GB RAM |
| Concurrent Administrators (3 or more) | Adds 8 GB RAM to the above requirements for each logged-in administrator using RBAC or not using RBAC | |

info

Each release of the software may adjust memory requirements, and the alarm code (SCA0094) will recommend memory for the supported configuration. The recommendation from Alarm Code SCA0094 takes priority over this documentation.

Download and Deploy Virtual Appliance​

Download Virtual Appliance​

Start the process by downloading the latest version of the Superna Core Agent Appliance.

Download it from our support site: https://support.superna.net.

  1. To start, sign in.

  2. Once in the Superna support site, scroll down to display the links to the latest version of Superna Eyeglass.

  3. If this is a fresh installation of Superna Disaster Recovery Edition, select Download VM Install Files. For appliances to be hosted with VMware, select Download OVF Installer.

  4. Accept the Subscription Terms and Conditions.

  5. Click the link to download the Core Agent Appliance installer.

Deploy Virtual Appliance​

Unzip the download package on a machine with vSphere installed. Select both .ovf and .vmdk files under the OVF template deployment.

Select required VM settings for VM name and folder, computer resource, datastore, and networking. Complete the networking section as requested.

Post-Deployment Verification and Configuration Steps​

  1. Power on Eyeglass VM

    • SSH to the Eyeglass VM as the admin user.
    • The default password for both admin and root users is 3y3gl4ss.
  2. Verify First Boot Process

    • Use the following command to check the status of the first boot process:

      sudo systemctl status superna-on-boot
    • The output's last line should read: "Finished Superna OnBoot Service."

  3. Confirm Eyeglass VM

    • View the Message Of The Day (MOTD) file to confirm the Eyeglass VM:

      cat /etc/motd
  4. Verify Network Configuration

    • Verify the IP address and subnet:

      ip a
    • Verify the default gateway:

      ip r
  5. Validate Date and Timezone

    • Use the following command to validate the date and timezone:

      date
  6. Verify NTP Server

    • Check the NTP server details with:

      chronyc sources
    • The output should show your NTP server with an * next to it.

    • If an update is needed, update the NTP server using:

      sudo /sbin/yast2 ntp-client
  7. Verify DNS Servers

    • To verify DNS server IPs, use:

      cat /etc/resolv.conf
  8. Verify System Resources

    • Verify the total RAM:

      free -h
    • Verify the total disk space:

      df -kh
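
The pass criteria in steps 2, 6 and 7 can be scripted. This is an added example, not part of the Superna guide or tooling: each function reads the relevant command's output on stdin, and the sample outputs and IP addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Superna code): pass/fail checks for steps 2, 6 and 7.
# Each function reads the relevant command output on stdin.

# Step 2: the last non-blank line of `systemctl status superna-on-boot`
# must report that the first boot service finished.
onboot_finished() {
    sed '/^[[:space:]]*$/d' | tail -n 1 |
        grep -q 'Finished Superna OnBoot Service\.'
}

# Step 6: print the source that `chronyc sources` marks as selected ("^*").
# Exits non-zero when no source is selected, i.e. time is not synchronised.
ntp_selected_source() {
    awk '$1 == "^*" { print $2; found = 1 } END { exit !found }'
}

# Step 6, continued: the selected source must be the NTP server the clusters
# use. $1 = expected server, exactly as chronyc prints it (name or IP).
ntp_matches() {
    selected=$(ntp_selected_source) || return 1
    [ "$selected" = "$1" ]
}

# Step 7: list the nameserver IPs configured in resolv.conf.
dns_servers() {
    awk '$1 == "nameserver" { print $2 }'
}

# --- Constructed sample outputs (illustrative values only) ---
SAMPLE_STATUS='* superna-on-boot.service - Superna OnBoot Service
     Active: inactive (dead)
Jan 01 00:00:42 eyeglass systemd[1]: Finished Superna OnBoot Service.'

SAMPLE_CHRONY='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.0.2.10                    2   6   377    23   -120us[ -150us] +/-   15ms
^+ 192.0.2.11                    2   6   377    24   +310us[ +310us] +/-   18ms'

SAMPLE_RESOLV='# constructed sample
search example.com
nameserver 192.0.2.53
nameserver 192.0.2.54'

report() {  # $1 = check name, $2 = exit status of the check
    if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

printf '%s\n' "$SAMPLE_STATUS" | onboot_finished
report "first boot finished" $?
printf '%s\n' "$SAMPLE_CHRONY" | ntp_matches 192.0.2.10
report "NTP source selected and matches cluster NTP" $?
printf '%s\n' "$SAMPLE_RESOLV" | dns_servers | grep -q .
report "DNS servers configured" $?

# On the appliance, feed the real commands instead of the samples:
#   sudo systemctl status superna-on-boot --no-pager | onboot_finished
#   chronyc sources | ntp_matches <cluster NTP server>
#   dns_servers < /etc/resolv.conf
```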

Post-Deployment Hardware Setup​

Setup Time Zone and NTP​

The virtual machines that make up the Superna solution are required to be time synchronized with the PowerScale OneFS clusters in the environment. Please make sure the Eyeglass appliance and the ECA nodes are connected to the same NTP server as the PowerScale OneFS clusters, and that the timezone is appropriately set on all.

Create local PowerScale OneFS Eyeglass user​

  1. Start by logging into the PowerScale OneFS cluster via an SSH session using the root user credentials. This provides the necessary administrative privileges to create new user accounts.

  2. Run the following command to create the eyeglass service account:

    isi auth users create eyeglass --enabled yes --password 3y3gl4ss

    This command sets up the account with an initial password and enables it for immediate use.

warning
  • Restricted Characters: Ensure your password does not include restricted characters such as brackets, tilde, back quote, forward slash, ampersand, asterisk, and dollar sign. These characters can cause issues in scripting and command execution within the PowerScale OneFS environment.
  • Password Length: Ensure the password is no longer than 20 characters.
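
An added example, not from the Superna guide: a shell check and generator for the eyeglass account's initial password that enforces the two restrictions above. Reading "brackets" as (), [], {} and <>, and refusing the documented default 3y3gl4ss, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Superna code): create an initial password for the
# eyeglass service account that satisfies the restrictions in the warning.

MAX_LEN=20                 # from the page: no longer than 20 characters
DEFAULT_PW='3y3gl4ss'      # documented default; rejecting it is an added check

# Return 0 only if the candidate is non-empty, at most MAX_LEN characters,
# free of the restricted characters, and not the documented default.
# "Brackets" is read conservatively as () [] {} <> (assumption).
valid_eyeglass_password() {
    pw=$1
    [ -n "$pw" ] || return 1
    [ "${#pw}" -le "$MAX_LEN" ] || return 1
    [ "$pw" != "$DEFAULT_PW" ] || return 1
    if printf '%s' "$pw" | LC_ALL=C grep -q '[][(){}<>~`/&*$]'; then
        return 1
    fi
    return 0
}

# Print a random 20-character password drawn from an alphabet that contains
# none of the restricted characters.
generate_eyeglass_password() {
    dd if=/dev/urandom bs=1024 count=1 2>/dev/null |
        LC_ALL=C tr -dc 'A-Za-z0-9_.,:+=@%^-' | cut -c1-20
}

pw=$(generate_eyeglass_password)
if valid_eyeglass_password "$pw"; then
    # The value is printed so it can be stored in a password vault and
    # supplied to --password in the account creation command.
    printf '%s\n' "$pw"
else
    echo "generated password failed validation" >&2
fi
```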

Update the Sudoers File​

warning

Some critical administrative commands required for managing PowerScale OneFS clusters are not accessible through the PowerScale OneFS Platform API and must be executed directly via the command-line interface with root privileges.

Updating the sudoers file to allow these commands to be run without a password is essential for enabling efficient, automated disaster recovery processes.

Use the following instructions to update the sudoers file.

  1. Use the isi_visudo command to safely open and edit the sudoers file.

    isi_visudo
  2. Add the following lines to the sudoers file. These entries allow the eyeglass user to execute specific administrative commands without requiring a password:

    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic auth ads*
    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic domain info*
  3. Add the following lines to the sudoers file. These entries allow the eyeglass service account to manage SMB file operations without requiring a password:

    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi_run -z ?* isi_classic smb file*
    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi_run -z ?* isi_classic smb file*
    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi smb openfiles list *
    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi smb openfiles close *
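
Because these entries grant passwordless root execution, it is worth confirming that the eyeglass account holds exactly the six rules listed and nothing broader. The script below is an added example, not Superna or OneFS tooling: it reads sudoers text on stdin, and the sample sudoers content in it is constructed.

```shell
#!/bin/sh
# Added example (not Superna code): compare the eyeglass sudoers rules with
# the six entries documented above and report any difference.

EXPECTED_RULES='eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic auth ads*
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic domain info*
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi_run -z ?* isi_classic smb file*
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi_run -z ?* isi_classic smb file*
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi smb openfiles list *
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi smb openfiles close *'

# Keep only rules that start with the eyeglass user, whitespace-normalised.
# Rules granted through aliases or groups are out of scope for this check.
eyeglass_rules() {
    sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' |
        grep '^eyeglass ' || true
}

# Read sudoers text on stdin; print eyeglass rules that are NOT documented.
unexpected_rules() {
    eyeglass_rules | while IFS= read -r rule; do
        printf '%s\n' "$EXPECTED_RULES" | grep -Fxq -- "$rule" ||
            printf '%s\n' "$rule"
    done
}

# Read sudoers text on stdin; print documented rules that are absent.
missing_rules() {
    actual=$(eyeglass_rules)
    printf '%s\n' "$EXPECTED_RULES" | while IFS= read -r rule; do
        printf '%s\n' "$actual" | grep -Fxq -- "$rule" ||
            printf '%s\n' "$rule"
    done
}

# Constructed sample: one documented rule is missing, one rule is over-broad,
# and one documented rule carries extra whitespace.
SAMPLE_SUDOERS='# constructed sample, not from a real cluster
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic auth ads*
eyeglass  ALL=(ALL)  NOPASSWD: /usr/bin/isi_classic domain info*
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi_run -z ?* isi_classic smb file*
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi_run -z ?* isi_classic smb file*
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi smb openfiles list *
eyeglass ALL=(ALL) NOPASSWD: ALL'

echo "Unexpected eyeglass rules:"
printf '%s\n' "$SAMPLE_SUDOERS" | unexpected_rules
echo "Missing documented rules:"
printf '%s\n' "$SAMPLE_SUDOERS" | missing_rules
```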

Modify user account properties and create roles​

  1. Disable the password expiration for the eyeglass account to ensure continuous access without the need for periodic password updates.

    isi auth users modify eyeglass --password-expires no
  2. Establish a role named EyeglassAdmin to centralize administrative privileges for managing the cluster.

    isi auth roles create --name EyeglassAdmin --description "EyeglassAdmin role"
  3. Add the eyeglass user to the EyeglassAdmin role to grant necessary administrative permissions.

    isi auth roles modify EyeglassAdmin --add-user eyeglass

Assign privileges to the admin role​

Assign necessary privileges to the EyeglassAdmin role to ensure it has the required access across various system functionalities.

General Administrative Privileges: Provide broad administrative capabilities such as authentication, role management, and configuration oversight:

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUTH
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_ROLE
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_CONFIGURATION

System and Network Management: Grant permissions related to network settings, NFS, SMB, and system quotas:

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NFS
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SMB
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NETWORK
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_QUOTA

Security and Compliance: Enable privileges related to security measures, audit capabilities, and compliance:

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUDIT
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_HARDENING
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_WORM

Data Protection and Recovery: Add privileges for managing snapshots, disaster recovery, and data replication:

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SNAPSHOT
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SYNCIQ
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_REMOTE_SUPPORT

Storage Optimization: Enhance the role with capabilities to manage storage pools, devices, and file filtering:

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_SMARTPOOLS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_CLOUDPOOLS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_DEVICES
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_FILE_FILTER

Monitoring and Statistics: Provide read-only access for monitoring and statistics to support performance analysis:

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_STATISTICS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_MONITORING
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HTTP
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NTP
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_EVENT
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_ANTIVIRUS

Specialized Access: Enable specialized access for system features such as HDFS and NDMP:

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HDFS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NDMP

Post-Deployment Environment Setup​

Register Superna License​

Retrieve the Superna Disaster Recovery Edition license keys from the Zendesk case by following these steps:

  1. Log in to the Superna Support Desk.

    note

    Ensure a valid support account is logged in to access the license key download dialog box.

    Submit the license request by entering the Appliance ID and Transaction Token as provided in the license email.

    note

    The Appliance ID and Transaction Token must be entered exactly as shown on the license email, with all dashes and without any leading or trailing spaces.

    Ex. EMC-xxx-xxx-xxx-xxx

  2. Download the provided zipped license file.

    warning

    Do not unzip the license file; the .zip file will be uploaded in the next step.

  3. Upload License File: click License Management > Manage Licenses > Browse.

    Upload the zipped file downloaded in the previous step.

    note

    After clicking Upload, the Eyeglass EULA must be accepted to continue the process.

Add Clusters​

warning

Ensure that both the source and target clusters comply with the support feature matrix. Additionally, all PowerScale OneFS cluster replication pairs should operate on a PowerScale OneFS version that is listed and supported as per the System Requirements / Feature Release Compatibility matrix.

  1. Open the Eyeglass UI to get started.

  2. In the Eyeglass Main Menu, select Add Managed Device to start adding cluster configurations.

  3. Provide the cluster details as prompted by the interface.

    • Node IP in System Zone (not SSIP): Provide an IP address allocated for the System Access Zone. Avoid using SSIP, as it is unsuitable for administrative connections.

      note

      Starting from release 2.5.5, it is mandatory to use a node IP with dynamic IP allocation within a subnet that is part of the System Access Zone. This requirement is due to a CSRF security patch that disables basic authentication and prevents session tokens from being shared between PowerScale OneFS nodes. For further details, refer to the associated technical documentation.

    • Port: Default to 8080 unless there is a requirement for a different port number.

    • Username and Password: Input the username and password of the Eyeglass service account.

    • Maximum RPO Value: (Optional) Define the recovery point objective in minutes, if desired.

    • Active Directory Username and Password for Runbook: (Optional) Enter if you're using AD credentials for Runbook automation.

  4. Submit the form to add the cluster to Eyeglass.

Verify Inventory Collection​

After adding a cluster, Superna DR Edition initiates an automatic inventory task to identify and catalog the cluster's components.

note

The inventory discovery process typically takes between 5 and 10 minutes.

Once this inventory task completes, the results are displayed in the Inventory View.

To access this, click the Inventory View icon.

This will open the Inventory View window, showing a list of all managed devices.

note

The Inventory View does not auto-refresh. To view the most up-to-date information, manually refresh the page by clicking the Refresh button located at the bottom right corner of the GUI.

Remember: The inventory discovery process typically takes between 5 and 10 minutes.

Monitor this process and verify that all components have been correctly added and displayed.

Enable/Disable Jobs​

This section will walk you through the process of enabling or disabling jobs, including bulk actions for managing multiple jobs at once.

  1. Open the Eyeglass Main Menu

    From the main dashboard, locate and click the Jobs icon, which is located in the top-middle section of the screen and represented by a checklist icon.

  2. View the Jobs List

    Once the Jobs window is open, you'll see a list of available jobs. You can view details such as the job name, policy, type, last run date, and the current state.

  3. Select Jobs to Enable or Disable

    Check the box next to the jobs you want to enable or disable.

    info

    You can select more than one job at the same time by checking multiple boxes.

  4. Use the Bulk Action to Enable or Disable Jobs

    After selecting the jobs, look at the bottom right of the window for the dropdown button labeled Select a bulk action. Click on this button and choose either Enable or Disable based on the action you want to perform.

  5. Effect of Enabling the Job

    info

    On the next Configuration Replication cycle, the enabled Job will be run.

    This process allows you to manage multiple jobs efficiently by enabling or disabling them in bulk.

Setup Notifications​

Configure SMTP​

Enter the information for an email server by clicking Notification Center > Configure SMTP in the Eyeglass Main Menu:

To continue the configuration of SMTP:

  • In the Host name: textbox enter the host name for the email server.

  • In the Port textbox, type the port which should be used for sending email.

  • In the From: textbox, enter the email address of the sender of the email. Any string before and after @ is accepted:

    Syntax: xx@y, xx@y.z
    E.g.: alerts@eyeglass, alerts@eyeglass.com, etc.

  • Tick the Use Authentication: checkbox if the email server requires an authenticated login.

  • In the User: textbox, provide the user or email address required for authentication.

  • In the Password: textbox, provide the password for authentication.

  • Tick the Enable TLS: checkbox if the email server expects TLS communication.

  • Alarm Severity Filter: Select the level of alarms to receive emails for. Note that alarms more severe than the selected filter are also emailed.

  • Use the Test Email Setting button to check that the email server information added is correct. If an error occurs, there are error codes from the SMTP connection. The "no error" response indicates a successful connection. If an error is returned, the debug response should be sent to https://support.superna.net.

Save the changes.

Configure Email Recipients​

Enter the information for email recipients by clicking Eyeglass Main Menu > Notification Center > Manage Recipients.

  • Enter the email address in the Email Recipient: textbox.

  • Select the report type for this user to receive. The following options are available:

    • All (All Reports & Alerts)

    • Reports (RPO, cluster configuration)

    • Auditor Only Reports (All reports and email notifications for Easy Auditor)

    • Quota Management (Quota Usage reports for Cluster Storage Monitor solution)

    • Data recovery+ (Cluster Storage Monitor product Data Recovery portal emails)

    • Click the Add/Edit button.