Docu86400 - ViPR SRM 4.1.1 Compliance Guide


EMC® ViPR® SRM

Version 4.1.1

Compliance Guide
302-004-178
01
Copyright © 2016-2017 EMC Corporation All rights reserved.

Published September 2017

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.
Published in the USA.

EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.EMC.com

2 EMC ViPR SRM 4.1.1 Compliance Guide


CONTENTS

Figures

Tables

Chapter 1 Compliance Features
    Compliance introduction
    Feature summary
    What is a policy?
    Accessing compliance reports and configuration
    List of predefined compliance policies
    Summary of predefined rules, scopes, and criteria

Chapter 2 Configure Compliance Policies and Rules
    About policy configuration
    Configure a policy
    Operators for rule criteria
    Set appropriate policy schedules
    Edit breach recommendations
    Enable and disable policies, rules, and rule criteria
    Run a policy

Chapter 3 Configuration Guidelines for Predefined Policies
    Array Configuration policy
    EMC Support Matrix policy
    High Availability Physical Connectivity policy
    High Availability Software Configuration policy
    Host Configuration policy
    Path Management policy
    VPLEX Configuration policy
    ViPR Controller Configuration policy
    Zoning Best Practices policy

Chapter 4 Use Compliance Reports
    Process for identifying and resolving breaches
    Breach status
    Run a policy
    View breach summary reports and drill into details
    Columns on breach reports
    Use group filters on compliance reports
    View Policies reports

Chapter 5 Configure and Use Configuration Change Tracking
    Configuration change tracking features
    List of configuration change tracking events
    Example configuration changes messages
    Configure change tracking
    View Configuration Changes reports

Chapter 6 Configure and Use the EMC Support Matrix Policy
    EMC Support Matrix compliance features
    ESM matching
    How to perform manual matching
    Update Support Matrix version
    Scenario: Set up and use the ESM compliance policy
        Enable and schedule the EMC support matrix policy
        Run the policy manually
        View the EMC Support Matrix Active Breaches report
        Fix not matched and multi-matched devices
        Fix base connectivity interoperability breach
        Research path management breaches in E-LAB Navigator
        View inactive (fixed) breaches

Chapter 7 Create New Policies and Scopes
    Create new policy
    Create a new compliance scope
        Syntax for scope criteria
        Use property selection helper to research property names
    Scenario: Create a custom compliance policy
        Create a policy
        Create a scope
        Add a rule
        Schedule the policy for automatic runs
        Save, enable, and run the new policy
        View breach reports
        Edit the rule to include the found value
        Review the breach report for all found values
        Edit the rule to add all found values and rerun the policy
        Summary

Chapter 8 Create New Rules
    About compliance rule definitions
    Using the graphical interface
        Copy and view an existing rule definition
        Create a new rule
        Copy a rule definition
        Edit a rule definition
    Component reference for compliance rule definitions
        Entry point component
        Operation components
        Condition components
        Action components

Chapter 9 Compliance Administration
    Configure notifications of compliance breaches
        Configure the Compliance Breach-Notification alert definition
        Add new compliance policies to the alert definition filter
        Enable or disable compliance breach notifications
        Manage breach notifications for individual policies
    Configure retention duration for breaches and configuration changes
    Restrict access to the compliance module based on RBAC
    Redirect Compliance Frontend in deployments with multiple Frontends

Appendix A Breach Names and Messages
    Breach names and messages


FIGURES

1 Parts of a compliance policy
2 All Active Breaches report
3 Example match issue in a breach report
4 Example base connectivity issue in a breach report
5 Example path management issue in a breach report


TABLES

1 Accessing compliance features
2 Predefined compliance policies
3 Summary of predefined rules
4 Compliance rule criteria operators
5 Array Configuration policy—user configurable criteria
6 High Availability Physical Connectivity policy—user configurable criteria
7 High Availability Software Configuration policy—user configurable criteria
8 Host Configuration policy—user configurable criteria
9 VPLEX Configuration policy—user configurable criteria
10 Zoning Best Practices policy—user configurable criteria
11 Captured changes and associated rules
12 Examples of configuration changes messages
13 Match types
14 Wildcards in scope statements
15 Attributes for Default Entry component
16 Rules and associated breach messages


CHAPTER 1
Compliance Features

This chapter provides an overview of the ViPR SRM compliance features. It also
describes all of the out-of-the-box compliance policies and rules.

• Compliance introduction
• Feature summary
• What is a policy?
• Accessing compliance reports and configuration
• List of predefined compliance policies
• Summary of predefined rules, scopes, and criteria


Compliance introduction
The ViPR SRM compliance module contains policies that test conditions in your
infrastructure. The module generates reports that show the current violations of
those policies.

The compliance module can determine compliance with the following types of business
goals:

• Does your storage infrastructure comply with industry best practices and the
  specific business practices of your enterprise? If not, which components are not in
  compliance?
• Are the current combinations of hardware, software, and firmware releases in your
  infrastructure in compliance with the EMC support matrix interoperability
  requirements? If not, which components need updating?
• What recent configuration changes were made throughout the infrastructure?

Breach reports
A breach is a violation of a rule in a compliance policy. You can find breach reports on
the ViPR SRM Console, under Operations > Compliance. The breach reports indicate
the policy and rule that was breached and the components involved in the breach.

Feature summary
Storage administrators and compliance officers use the ViPR SRM compliance module
to check for configuration errors and interoperability issues in the storage
infrastructure.

Main features
Basic compliance functions are:
• Out-of-the-box policies validate important configurations such as EMC Support Matrix
  interoperability, EMC VPLEX configurations, EMC ViPR Controller configurations,
  I/O path redundancy, and fabric zoning.
• Customized policies and rules can validate against your installation's business rules
  and practices.
• Breach reports on the ViPR SRM Console show violations of the compliance
  policies.
• Email and/or SNMP notifications of breaches are easily configured, and enabled or
  disabled.

Additional features
The compliance module provides the following ancillary functionality:
• Tracks significant configuration changes in the data center and validates policies
  when a change occurs.
• Provides drill-down features for analysis and troubleshooting. Start with summary
  level reports by policy or severity, click to see a list of specific breaches, and click
  again to see all details about a breach, including a link to the devices involved.
• Provides recommendations that help storage administrators troubleshoot the data
  center objects and revalidate the data center to ensure compliance.
  Recommendations are easily edited to make them site-specific.


Flexibility features
The following configuration options provide flexibility:
• The scheduling features can set up the policies to run automatically at scheduled
  times. Alternatively, you can run a policy manually on-demand.
• Enable/disable capabilities exist at three levels:
  ◦ By entire policy, including all of the rules in the policy.
  ◦ By each rule.
  ◦ By individual criteria in a rule.
• A scope filter in each policy defines the set of data center objects to validate. If
  needed, you can create sets of similar policies with different criteria values for
  different scope filters.
• A copy feature makes it easy to copy and alter an existing policy to create a new
  policy for a different scope.

What is a policy?
The compliance module is organized around policies.
A compliance policy is a collection of rules with a common purpose. A policy defines
the objects to test, the conditions to test, and, optionally, a schedule for automatic
executions of the policy.
You can enable and disable an entire policy, individual rules within each policy, or
individual configurations within some rules.
The following figure shows the components in a policy.
Figure 1 Parts of a compliance policy

A scope uses a filter to define the components that the policy applies to.
The rules define specific conditions to test. Rules may contain configurable
parameters, which let you use the same rules in multiple policies with different
configurations. For example, two policies might contain the same rules, with different
parameter settings and different scopes.
The schedule is optional and defines the frequency for automatic runs of the policy.
Administrators can also run a policy manually.
The compliance module is installed with predefined policies, scopes, and rules. You can
also create custom policies, scopes, and rules.


Before running a policy, you must assign a scope to it, configure and enable the rules,
and enable the policy.

Accessing compliance reports and configuration


The compliance module consists of operational reports on the reporting interface and
configuration features on the Administration interface.

Table 1 Accessing compliance features

| Items | Location |
|---|---|
| Breach reports | Operations > Compliance > Breach Reports |
| Configuration. Includes policy configuration, ESM Matching, and new rule creation | Administration > Modules > Storage Compliance |

List of predefined compliance policies


A set of predefined compliance policies is provided with installation.

Table 2 Predefined compliance policies

| Policy Name | Description |
|---|---|
| Array Configuration | Enforces storage array best practices for hardware, software, and pathing configuration. |
| EMC Best Practice Configuration | Enforces that there are no orphaned zones, masking, mapping entries or stranded hosts, i.e. hosts without fully established paths to any volume. |
| EMC Support Matrix | Enforces best practices for interoperability based on EMC Support Matrix. |
| High Availability Physical Connectivity | Enforces best practices for the physical connectivity to ensure high availability, optimal path traversal and avoiding I/O congestion. |
| High Availability Software Configuration | Enforces software configuration to support high availability pathing configuration. |
| Host Configuration | Enforces best practices for hardware, software and pathing configuration on a host. |
| Path Management | Validates configuration to ensure connectivity and redundancy. |
| VPLEX Configuration | Enforces VPLEX best practices for software and pathing configuration. |
| ViPR Controller Configuration | Enforces best practices for configurations in ViPR Controller. |
| Zoning Best Practices | Enforces best practices for zoning. |


Note

Policies and the individual rules within each policy must be enabled to make them
operational.

Summary of predefined rules, scopes, and criteria


A rule might be used in more than one policy, with different scopes defined for each
policy.
The following table describes each of the predefined rules, their intended scope, their
configurable parameters, and the out-of-the-box policies that use them.
Each rule must be enabled within a policy before it is operational for that policy.

Table 3 Summary of predefined rules

| # | Rule | Description and intended scope | Rule criteria | Policies used in |
|---|---|---|---|---|
| 1 | Masking entry on unmapped volume | Checks if masking was done for a LUN without mapping to an array port. Scope: Physical hosts and ESX servers | No configurable criteria. | Array Configuration, EMC Best Practice Configuration, Path Management |
| 2 | Supported array microcode version | Checks the array microcode against the administrator-entered value. Scope: EMC Symmetrix, VNX & XtremIO arrays, and HDS, IBM XIV & NetApp arrays | Criteria operators: EQ, IN, STARTS_WITH, or ENDS_WITH. Criteria value: exact value if EQ is selected; regular expression or comma separated list of values if IN is selected; value for STARTS_WITH or ENDS_WITH. | Array Configuration, High Availability Software Configuration |
| 3 | Symmetrix port flag settings validator | Checks that Symmetrix port flag settings have appropriate values. Scope: EMC Symmetrix arrays | Criteria values: YES if the port bit is enabled, NO if it is not enabled. | Array Configuration |
| 4 | Unused volume masking entries | Checks for masking entries that are not used by any single fully established path. Scope: EMC Symmetrix, VNX and XtremIO arrays, and HDS, IBM XIV, and NetApp arrays | No configurable criteria. | Array Configuration, EMC Best Practice Configuration, Path Management |
| 5 | Host must be provisioned with storage | Identifies hosts that are connected to a fabric but do not have a fully established path to a storage volume, either because the host was never provisioned, or because the host has been de-provisioned but is still physically connected to a fabric. Scope: Physical hosts and ESX servers | No configurable criteria. | EMC Best Practice Configuration, Path Management |
| 6 | Storage group contains LUNs and host | Identifies storage groups that are empty or with volumes but without a host. Scope: EMC CLARiiON arrays | No configurable criteria. | EMC Best Practice Configuration |
| 7 | Unnecessary zone | Identifies when there is a zone for an initiator/target pair that is not used by any single fully established path. Scope: Fabrics and VSANs | No configurable criteria. | EMC Best Practice Configuration |
| 8 | Zone must be unique | Identifies situations where two or more zones in the fabric have identical sets of members (but different names). Scope: Fabrics and VSANs | No configurable criteria. | EMC Best Practice Configuration, Zoning Best Practices |
| 9 | Base connectivity interoperability for hosts | Checks for combinations of array model, host model, operating system, and HBA model that are not interoperable. Scope: Physical hosts and ESX servers | No configurable criteria. | EMC Support Matrix |
| 10 | End of support for array components | Identifies array components that are listed on the EMC end of support list. Scope: EMC Symmetrix, EMC VNX arrays | No configurable criteria. | EMC Support Matrix |
| 11 | End of support for host components | Identifies host components that are listed on the EMC end of support list. Scope: Physical hosts, ESX servers, and virtual machines. | No configurable criteria. | EMC Support Matrix |
| 12 | End of support for switch components | Identifies switch components that are listed on EMC's end of support list. Scope: All switches | No configurable criteria. | EMC Support Matrix |
| 13 | Host OS interoperability with EMC VPLEX | Identifies combinations of host OS and VPLEX that are not interoperable. Scope: Physical hosts and ESX servers | No configurable criteria. | EMC Support Matrix, VPLEX Configuration |
| 14 | Path management software interoperability with EMC VPLEX | Identifies combinations of path management software on the host and VPLEX SOE that are not interoperable. Scope: Physical hosts and ESX servers | No configurable criteria. | EMC Support Matrix, VPLEX Configuration |
| 15 | Path management software interoperability for EMC arrays | Identifies combinations of EMC array model, operating system, storage operating environment, and path management software that are not interoperable. Scope: Physical hosts and ESX servers | No configurable criteria. | EMC Support Matrix |
| 16 | Switched fabric topology interoperability | Identifies combinations of Switch models and Switch Firmware that are not interoperable. Scope: Fabrics and VSANs | No configurable criteria. | EMC Support Matrix |
| 17 | I/O path redundancy | Failure of N-1 components of the same type (clustered hosts, HBAs, host ports, switch ports, switches, fabrics, target ports, array port adapters) should not break access from the cluster or from the host (if not in a cluster) to the volume. N is configurable by a user per type of component. Scope: Physical hosts, ESX servers, and virtual machines | Criteria operator: GE. Criteria values: The number of redundant objects in a path. The criteria can be disabled by un-checking them. | High Availability Physical Connectivity |
| 18 | Authorized host OS for array | Identifies the following situations: the operating system of a host accessing a target port does not comply with user-defined limitations; hosts with mixed operating systems access the same array port. Scope: EMC Symmetrix, VNX and XtremIO arrays, and HDS, IBM XIV and NetApp arrays | Criteria operators: EQ, IN, STARTS_WITH, or ENDS_WITH. Criteria value: exact value if EQ is selected; regular expression or comma separated list of values if IN is selected; value for STARTS_WITH or ENDS_WITH. | High Availability Software Configuration, Host Configuration |
| 19 | Supported multipath software version | Identifies when the multipathing software vendor and version are different from the user-specified values. Scope: Physical hosts and ESX servers | Criteria operators: EQ, IN, STARTS_WITH, or ENDS_WITH. Criteria value: exact value if EQ is selected; regular expression or comma separated list of values if IN is selected; value for STARTS_WITH or ENDS_WITH. | High Availability Software Configuration, Host Configuration |
| 20 | Supported Solutions Enabler version | Identifies when the Solutions Enabler version does not conform to the user-specified version. Scope: Physical hosts and ESX servers | Criteria operators: EQ, IN, STARTS_WITH, or ENDS_WITH. Criteria value: exact value if EQ is selected; regular expression or comma separated list of values if IN is selected; value for STARTS_WITH or ENDS_WITH. | High Availability Software Configuration, Host Configuration |
| 21 | Supported switch firmware | Identifies when the switch firmware version does not conform to the user specified version. Scope: All switches | Criteria operators: EQ, IN, STARTS_WITH, or ENDS_WITH. Criteria value: exact value if EQ is selected; regular expression or comma separated list of values if IN is selected; value for STARTS_WITH or ENDS_WITH. | High Availability Software Configuration |
| 22 | Maximum number of volumes masked to host port | Identifies when the number of masked volumes exceeds limit. Scope: Physical hosts and ESX servers | Criteria operator: LE. Criteria value: The number representing the maximum volumes that can be masked to a host port. | Host Configuration |
| 23 | Supported HBA vendor model driver and firmware | Identifies when the HBA attributes of a Host do not conform to the user-specified values for any one or all of the following: HBA model, driver, firmware, and vendor. Scope: Physical hosts and ESX servers | Criteria operators: EQ, IN, STARTS_WITH, or ENDS_WITH. Criteria value: exact value if EQ is selected; regular expression or comma separated list of values if IN is selected; value for STARTS_WITH or ENDS_WITH. | Host Configuration |
| 24 | Uniform HBA hardware on host | Checks that all HBAs on a host are the same and identifies situations where the vendors, models, firmware, or drivers are different. Scope: Physical hosts and ESX servers | No configurable criteria. | Host Configuration |
| 25 | Missing path | No path exists between a host and a particular volume, but the path is currently defined as an expected path. Scope: Physical hosts, ESX servers and virtual machines | No configurable criteria. | Path Management |
| 26 | Missing path for VPLEX frontend connectivity | No path exists between a Host and a particular volume of VPLEX frontend, but the path is currently defined as an expected path. Scope: All physical hosts except Windows hosts | No configurable criteria. | Path Management |
| 27 | I/O path redundancy for VPLEX frontend connectivity | Failure of N-1 components of the same type should not break access from the cluster or the host (if not in a cluster) to the volume. Types are: Clustered hosts, HBAs, Initiator ports, Switch ports, Switches, Fabrics, Target ports, and VPLEX port adapters. N is user configurable for each type of component. Scope: All physical hosts except Windows hosts | Criteria operator: GE. Criteria values: The number of redundant objects in a path. Disable criteria by unchecking them. | High Availability Physical Connectivity |
| 28 | I/O path redundancy for VPLEX backend | Failure of N-1 components of the same type should not break access from the cluster or from the VPLEX (if not in a cluster) to the volume. Types are: clustered VPLEX, VPLEX-directors, VPLEX director ports, switch ports, switches, fabrics, target ports, and array port adapters. N is user configurable for each type of component. Scope: All EMC VPLEX clusters | Criteria operator: GE. Criteria values: The number of redundant objects in a path. Disable criteria by unchecking them. | VPLEX Configuration |
| 29 | Logging volume at each VPLEX cluster | There must be a logging volume associated with each cluster. Scope: All EMC VPLEX clusters | No configurable criteria. | VPLEX Configuration |
| 30 | Multiple tenants accessing same virtual pool | Identifies when there are multiple tenants accessing the same virtual pool. Scope: All EMC ViPR Virtual data centers | No configurable criteria. | ViPR Configuration |
| 31 | Authorized zone membership types | Zone should include only member types specified in the policy. The rule will allow user to specify allowed member types (port WWN, switch port, fWWN and devicealias). Scope: Fabrics and VSANs | Criteria should be checked if the authorization for respective type needs to be given. | Zoning Best Practices |
| 32 | Default zoning must be disabled | If default zone is supported, it should be disabled. Scope: Fabrics and VSANs | No configurable criteria. | Zoning Best Practices |
| 33 | Host port fan-in | Number of target ports zoned in to an initiator port should not exceed N. Scope: Physical hosts and ESX servers | Criteria operator: LE. Criteria value: Number mentioning the maximum target ports that can be zoned to an initiator port. | Zoning Best Practices |
| 34 | Minimum number of members in zone | Zone must have at least 2 members to be meaningful. Scope: Fabrics and VSANs | No configurable criteria. | Zoning Best Practices |
| 35 | Single initiator zoning | There should be at most 1 initiator port in a zone. Scope: Fabrics and VSANs | No configurable criteria. | Zoning Best Practices |
| 36 | Storage port fan-out | Number of initiator ports zoned to a target port should not exceed N. Scope: EMC Symmetrix, VNX & XtremIO arrays, and HDS, IBM XIV & NetApp arrays | Criteria operator: LE. Criteria value: Number of maximum initiator ports that can be zoned to a target port. | Zoning Best Practices |
| 37 | Zone must contain a host port | There is no member representing an initiator port in the zone. Scope: Fabrics and VSANs | No configurable criteria. | Zoning Best Practices |
| 38 | Zone must contain a storage port | There is no member representing target port in the zone. Scope: Fabrics and VSANs | No configurable criteria. | Zoning Best Practices |
| 39 | Maximum number of hops in fabric | Number of hops in a shortest path in terms of minimal number of hops (not necessarily the real route) between host and array port should not exceed N. Scope: Fabrics and VSANs | Criteria operator: LE. Criteria value: Maximum number of hops in fabric. | High Availability Physical Connectivity |



CHAPTER 2
Configure Compliance Policies and Rules

The following topics provide general guidelines for configuring compliance policies and
rules.
For configuration guidelines for each of the predefined policies, see Configuration
Guidelines for Predefined Policies on page 35. For information about creating
custom policies, scopes, and rules, see Create New Policies and Scopes on page 83.

• About policy configuration
• Configure a policy
• Operators for rule criteria
• Set appropriate policy schedules
• Edit breach recommendations
• Enable and disable policies, rules, and rule criteria
• Run a policy


About policy configuration


A compliance policy consists of a description, a scope, one or more rules, and a
schedule.
Policy
A policy contains a collection of rules for a specific type of configuration validation.
For example, all the host configuration rules are grouped into the predefined Host
Configuration policy.
Administrators can edit existing policies to manage the following:
• Select the scope of the policy, which defines the data center objects on which the
policy will be run
• Add or delete rules in the policy
• Configure rules criteria, wherever applicable
• Set the schedule, which indicates how often the policy should run
• Enable or disable the entire policy, individual rules within a policy, or individual
criteria in a rule
Administrators can also create new policies. For example, you might create two similar
policies, but with different scopes, to accommodate varying best practices for
different locations.
Description
The description identifies and describes the policy. The policy name appears in
reports.
Scope
The scope defines the groups of objects that the policy should monitor. The scope is
configured as a filter against objects in your storage environment.
Predefined scopes are installed out-of-the-box. You can also create customized
scopes tailored to compliance requirements for your installation. For example, a scope
could specify any of the following: all arrays; all arrays whose vendor is EMC; or all
arrays whose name begins with a common string, eu_.
For any scope, use the Show Members button to see a list of discovered objects that
are members of that scope.
Rules
A rule is basically a configuration validator. A rule validates the configuration in your
environment and creates a breach if there is a violation or resolves a breach when a
violation is fixed.
A breach occurs when a component fails to satisfy the conditions of the rule.
For example, the Array Configuration policy includes four rules. One rule checks the
port flag settings on Symmetrix arrays. Another checks whether the WWN bit is
enabled on these ports, and so on.
The same rule can be reused in different policies, with different configurations for
each policy.
An administrator can create new rules to implement validations that are not included
out-of-the-box.
Rule criteria
Every rule has one or more criteria. Criteria are the conditions that the configuration
must satisfy to pass the compliance validation.

Criteria are configurable or non-configurable. Examples of configurable criteria include
entering the values for redundancy expected for objects in an IO path, supported array
microcode value for arrays, and so on. Examples of non-configurable criteria include
criteria to identify a missing path, the minimum number of members in a zone, or that
a zone must contain a host port, and so on.
In configurable criteria, the administrator provides the criterion value and the
operator. In non-configurable (or system-defined) criteria, the administrator does
not need to enter a criterion value.
If a rule includes multiple criteria, each one can be separately enabled or disabled.
Schedule
The schedule sets the timing of automatic policy runs. A schedule is optional. You can
run a policy manually on-demand.

Configure a policy
To prepare a compliance policy to run and validate your environment, the policy must
be configured and enabled.
Configuring a policy includes the following:
• Set the policy's scope
• Configure rules and rule criteria
• Enable/disable rules and rule criteria
• Optionally configure a run schedule

Note

It is mandatory that you configure a scope for each policy and that all enabled rules
have criteria values. After those required values are configured, you can enable the
policy and run it.

Procedure
1. Go to Administration > Modules > Storage Compliance, and then click Policy
& Rules Management.
The list of compliance policies appears.

Note

Policies in a disabled state appear in faded type.

2. To configure a policy, click the checkbox in the first column, and then click Edit.
Alternatively, click the row and select Edit from the context menu.


The tabbed Edit Policy window opens.

3. On the Description tab:


a. Optionally edit the Policy Name and Policy Description.
b. Optionally set the Policy State to Enabled or Disabled.

Note

You can keep the policy disabled for now, and easily enable it later from the
main Compliance page.

4. On the Scope tab, do one of the following:
• Select one or more of the defined scopes listed on the page.
• Click Create Scope to create a new scope, and then return to this page to
select the newly defined scope.

5. (Optional) Click Show Members to verify the defined scope against your
environment.
The system generates a list of discovered objects that match the scope criteria.
6. Click the Rules tab.
The tab lists the rules in the policy. Disabled rules appear in faded type.
Use buttons at the bottom of the page to add or delete rules in the policy,
enable or disable rules, and edit (configure) rules.


7. Configure a rule:
a. Select a rule by clicking the checkbox in the first column, and click Edit.
The Edit Rule page, specific to the selected rule, shows the criteria in the
rule that need configuration.


b. Optionally edit the Description field.


c. For State, choose Enabled or Disabled to enable or disable this rule.
d. For Severity, choose the value to associate with breaches when compliance
discovers violations to this rule. The severity appears on the breach reports
and is included in the default notifications.

Note

Breach severity is not related to the ViPR SRM alerting module.

e. For Criteria for Selected Rule, configure the displayed criteria.


Note

Some rules might not have user-configurable criteria.

In the previous figure, the software version to be validated against must be
supplied.
• Use the checkbox to enable or disable this criterion.

Note

For a rule to be meaningful, at least one criterion must be enabled. In the
figure above, the rule contains only one criterion, and it is enabled.
• Select an operator.

f. In the text box, type the value to validate against.


The operator and value form the validation criteria. For example:

EQ 5773.155.107
STARTS_WITH 5773

g. For Recommendations, review the description and optionally modify for
your environment.
h. Click Save.
The list of rules reappears.
i. Continue to configure each rule.
8. Optionally, click the Schedule tab and use the drop-down lists to set a schedule
for the policy.
The schedule sets the timing of automatic policy runs. If you do not want this
policy to run automatically, leave the schedule tab blank. Manual runs are
always available for any configured policy.

9. Click Save.
All changes on any of the tabs for the policy are saved.

The list of compliance policies reappears.


10. To run the policy that you just configured, click the policy name and choose
Run Now from the context-sensitive action menu.

Operators for rule criteria


If a rule has configurable criteria, the administrator provides an operator and a
criterion value.
The following table describes the supported criteria operators.

Table 4 Compliance rule criteria operators

Criteria Operator    Meaning

EQ                   Equal to the specified value
LE                   Less than or equal to the specified value
LT                   Less than the specified value
GE                   Greater than or equal to the specified value
GT                   Greater than the specified value
IN                   Included in the comma separated list of specified values.
                     Can also be used to provide regular expressions. The supported
                     regular expression meta characters are:
                     • asterisk (*)
                     • question mark (?)
STARTS_WITH          Starts with the specified value
ENDS_WITH            Ends with the specified value
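
The operators in Table 4, worked through as an added Python example; it is not code from this guide or from ViPR SRM. The matching semantics are assumptions: string comparisons are case-sensitive, LE/LT/GE/GT compare numbers, and an IN entry must match the whole discovered value, with only * and ? treated as wildcards. The array names and versions are constructed sample data.

```python
"""Evaluate operator/value rule criteria against discovered attribute values.

Illustration only: the matching semantics are assumptions drawn from Table 4,
not ViPR SRM's implementation.
"""
import re
from decimal import Decimal, InvalidOperation

NUMERIC_OPS = {
    "LE": lambda found, limit: found <= limit,
    "LT": lambda found, limit: found < limit,
    "GE": lambda found, limit: found >= limit,
    "GT": lambda found, limit: found > limit,
}


def wildcard_to_regex(entry):
    """Translate an IN entry: only * and ? are special, everything else is literal."""
    escaped = re.escape(entry)
    return re.compile(escaped.replace(r"\*", ".*").replace(r"\?", "."))


def satisfies(operator, criterion, discovered):
    """Return True when the discovered value passes the criterion."""
    op = operator.strip().upper()
    criterion = criterion.strip()
    discovered = str(discovered).strip()
    if op == "EQ":
        return discovered == criterion
    if op == "STARTS_WITH":
        return discovered.startswith(criterion)
    if op == "ENDS_WITH":
        return discovered.endswith(criterion)
    if op == "IN":
        entries = [e.strip() for e in criterion.split(",") if e.strip()]
        return any(wildcard_to_regex(e).fullmatch(discovered) for e in entries)
    if op in NUMERIC_OPS:
        try:
            return NUMERIC_OPS[op](Decimal(discovered), Decimal(criterion))
        except InvalidOperation:
            raise ValueError(f"{op} needs numbers: {discovered!r}, {criterion!r}") from None
    raise ValueError(f"unsupported operator: {operator!r}")


def find_breaches(criteria, inventory):
    """Return (object, attribute, value) for every enabled criterion an object fails."""
    active = [c for c in criteria if c["enabled"]]
    if not active:
        # Matches the guide's note: a rule needs at least one enabled criterion.
        raise ValueError("no enabled criterion: the rule would validate nothing")
    breaches = []
    for obj in inventory:
        for c in active:
            value = obj[c["attribute"]]
            if not satisfies(c["operator"], c["value"], value):
                breaches.append((obj["name"], c["attribute"], value))
    return breaches


# Constructed sample data (array names and versions are made up for the example).
ARRAYS = [
    {"name": "array-01", "microcode": "5876.288.400"},
    {"name": "array-02", "microcode": "5773.155.107"},
    {"name": "array-03", "microcode": "8.1.0.5"},
    {"name": "array-04", "microcode": "8.1.01.2"},
]
MICROCODE_RULE = [
    {"attribute": "microcode", "operator": "IN", "value": "5876*,8.1.0*", "enabled": True},
]

if __name__ == "__main__":
    for breach in find_breaches(MICROCODE_RULE, ARRAYS):
        print("BREACH", breach)
```

Under these assumptions array-04 passes because `8.1.0*` also matches `8.1.01.2`; writing the entry as `8.1.0.*` restricts it to the 8.1.0 release line.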

Set appropriate policy schedules


To determine an appropriate automatic run schedule for a compliance policy, consider
the data collection interval.
Consider data collection intervals
There is no benefit to running a compliance policy more often than the underlying data
is collected. Therefore, when you set an automatic schedule for a policy, first research
the configuration of the collectors that provide the data that the policy is monitoring.
Data collector configuration is a ViPR SRM administrative task.
For example, if collectors update the database every 5 minutes, you could schedule a
corresponding compliance policy to run every 5 minutes. However, if the database is
updated only every 15 minutes, it would be a waste of resources to run policies more
often.
Consider other system activities
It is best to schedule compliance policies during periods of low user activity and not
during nightly database maintenance script execution. Do not schedule all compliance
policies to start simultaneously, because some policy validations can consume
considerable CPU and memory resources, which could cause delay in user response
times. Schedule the policies to run at least 30 minutes apart.
For example, if nightly database maintenance is complete by midnight, then schedule:

• Array Configuration policy to run at 12:00 AM
• EMC Support Matrix policy to run at 12:30 AM
• Path Management policy to run at 1:00 AM
• And so on
Resource optimization for path-based rules
The following path-based rules are considered resource-intensive:
• I/O Path Redundancy
• I/O Path Redundancy for VPLEX Frontend
• Missing Path
You can spread out the resource consumption of these rules by reducing the scope of
any one policy run. The following tips for configuring these path-based rules can help
to optimize resources:
• Create scopes that are specific to a critical host or group of hosts, and configure
separate policies, with scattered schedules, for each scope.
For example, a scope that identifies all hosts with names that start with LINGB
would have a scope as follows:

Devtype='Host' & device='LINGB%'

• Create scopes that are specific to various groups, such as all Hypervisors, all AIX,
and so on. Use each scope in a separate policy, with scattered schedules.

Edit breach recommendations


The recommendations for fixing a breach can be customized for your installation.
When a user clicks a row in a breach report, a Breach Details report appears below
the main report. The breach recommendations appear in the Breach Details report.

The recommendations are configurable for each usage of a rule within a policy.


Procedure
1. Go to Administration > Modules > Storage Compliance, and then click Policy
& Rules Management.
2. In the right pane, click the policy that contains the rule whose recommendation
you want to edit, and select Edit.
3. Click the Rules tab.

4. Click in the first column to select the rule, and then click Edit.
5. Edit the Recommendation field.
6. Click Save.
7. Click the Scope tab, and select a scope if one is not already assigned.
You cannot save any edits on the policy unless a scope is assigned.
8. Click Save.

Enable and disable policies, rules, and rule criteria


You can enable and disable policies, rules, and individual criteria in rules.
The decision about which policies, rules, and criteria to enable depends on your
environment and the business practices that you want compliance to validate against.
Enabling a policy makes it available to run at its next scheduled time.
Disabling a policy prevents it from running, but preserves the configuration settings.
Procedure
1. To enable or disable policies:
a. Go to Administration > Modules > Storage Compliance > Policy and Rules
Management.
b. Click a policy name in the table and choose Enable or Disable from the
action menu.
c. To enable multiple policies, click the boxes in the first column to select one
or more policies, and then click the Enable or Disable button at the bottom
of the page.
2. To enable or disable a rule:
a. From the list of policies, click a policy row and choose Edit from the action
menu.
b. Click the Rules tab.
c. Click the boxes in the first column to select one or more rules, and then click
the Enable or Disable button at the bottom of the page.
d. Click Save.
3. To enable or disable a criterion in a rule:

Note

Not all rules have criteria.

a. From a Rules tab, click a box in the first column to select a rule, and then
click Edit at the bottom of the page.


b. In the Criteria for Selected Rule box, check to enable or uncheck to disable a
criterion.
For example:

4. Click Save on the Edit Rule page.


5. Continue to configure additional rules in the policy.
6. When all rules are configured, click Save on the Edit Policy page.

Run a policy
When a policy runs, it validates enabled criteria in enabled rules against the objects
defined by the policy scope.
There are three ways to run a policy:
• A policy runs automatically using the configured schedule in the policy.
• A policy can run on demand by administrators with the Run Now action.
• A policy runs automatically when a configuration change occurs that is relevant to
the policy.
Configuration changes are detected by the compliance system and relevant
policies are automatically revalidated, capturing violations as early as possible.
The last validation time for a policy is the last scheduled or manual run. The last
validation time is not updated when validation occurs due to a change event.
To run a policy manually, use the following procedure.
Procedure
1. Go to Administration > Modules > Storage Compliance > Policy & Rules
Management.
2. In the right pane, click the policy and select Run Now.
The Last Run column value changes to Running... and then to the time
completed.
3. Go to User Interface > Operations > Compliance > Breach Summary to see
the results of the run.
Results
A policy run generates active breaches for violations to the rules in the policy. A policy
run also produces resolved (inactive) breaches for previous violations that are now
resolved.



CHAPTER 3
Configuration Guidelines for Predefined Policies

The following topics provide guidelines for configuring the scopes and rule criteria for
each of the predefined policies.

• Array Configuration policy
• EMC Support Matrix policy
• High Availability Physical Connectivity policy
• High Availability Software Configuration policy
• Host Configuration policy
• Path Management policy
• VPLEX Configuration policy
• ViPR Controller Configuration policy
• Zoning Best Practices policy


Array Configuration policy


The Array Configuration compliance policy enforces best practices for hardware,
software, and path configuration on a storage array. You must enable and edit the
policy to implement it.
Scope tab
Start by selecting native scopes, and create customized scopes later if needed. The
following native scopes are appropriate for this policy:
• All Arrays
• All Hosts
Rules tab
Enable each rule that you want to implement. The following table describes the user
configurable criteria for the rules that have them.

Table 5 Array Configuration policy—user configurable criteria

Rule name: Supported Array Microcode Version
User configurable settings: In the Criteria For Selected Rule field:
• Click the drop-down list and select the IN operator.
• Configure the array microcode or firmware that you
want the policy to enforce. Type the first few
characters of the string followed by a wildcard
character. You can also specify multiple values delimited
by commas. For example:

5876*,8.1.0*

Rule name: Symmetrix Port Flag Settings validator
User configurable settings: In the Criteria For Selected Rule field:
• Select Yes or No in the drop-down lists for whether a
bit setting should be enabled or not.
• Uncheck any options that do not need to be validated.
• Make sure to scroll down to see the full list of options.

Schedule tab
Set an appropriate schedule for automatic runs of this policy.

EMC Support Matrix policy


The EMC Support Matrix compliance policy enforces best practices for
interoperability based on the EMC Support Matrix. You must enable and edit the policy
to implement it.
Scope tab
Select scopes depending on the rules that you enable. Typical scopes for this policy
are:
• All Arrays
• All Hosts
• All ESX Servers
• All Fabrics
Rules tab
Enable each rule that you want to implement. The rules in this policy do not have any
user configurable criteria.
Schedule tab
Set an appropriate schedule for automatic runs of this policy.

High Availability Physical Connectivity policy


The High Availability Physical Connectivity policy enforces best practices to ensure
high availability, optimal path traversal, and avoidance of I/O congestion. You must
enable and edit the policy to implement it.
Scope tab
Start by selecting native scopes, and create customized scopes later if needed. The
following native scopes are appropriate for this policy:
• All Arrays
• All Hosts
• All ESX Servers
• All Fabrics
• All Switches
Rules tab
Enable each rule that you want to implement. The following table describes the user
configurable criteria for the rules that have them.

Table 6 High Availability Physical Connectivity policy—user configurable criteria

Rule name: I/O Path Redundancy
User configurable settings: In the Criteria For Selected Rule field:
• For each option, enter the number of paths that your
environment requires for redundancy.
• Scroll to make sure you configure all of the options.
• To simulate a pathing breach, set the number higher
than the known number of physical paths so that an
object will not be compliant. For example, to simulate
an HBA Redundancy breach for a host that has two
HBAs, set the HBA Redundancy value to three.

Schedule tab
Set an appropriate schedule for automatic runs of this policy.


High Availability Software Configuration policy


The High Availability Software Configuration compliance policy enforces software
settings that support high availability pathing configuration. You must enable and edit
the policy to implement it.
Scope tab
Select the following scope groups:
• All Arrays
• All Hosts
• All Switches
Rules tab
Enable each rule that you want to implement. The following table describes the user
configurable criteria for the rules that have them.

Table 7 High Availability Software Configuration policy—user configurable criteria

Rule name: Authorized Host OS for Array
User configurable settings and other suggestions: In the Criteria For Selected Rule field:
• In the drop-down list, select the IN operator.
• Enter wildcard values for the OS versions that can share
the same array port. Separate the values using a
comma.
• For example, you might enter:

Li*,Mi*,Sol*,AIX*

Rule name: Supported Array Microcode Version
User configurable settings and other suggestions: If you enabled this rule in the Array
Configuration policy, disable it here.
Otherwise, on the Criteria For Selected Rule tab:
• In the drop-down list, select the IN operator.
• Enter the first few characters of the array microcode or
firmware followed by a wildcard character. You can
specify multiple values delimited by commas. For
example:

5876*,8.1.0*

Rule name: Supported Multipath Software Version
User configurable settings and other suggestions: In the Criteria For Selected Rule field:
• In the drop-down list, select the IN operator.
• Enter wildcard values for the versions of multipath
software that are supported in your environment.
• To obtain examples of values in your environment,
switch to the ViPR SRM User Interface Console and
navigate to Explore > Hosts > hostname > Device
Details > Host Details > PowerPath Reports and
then choose either Multipath Software or Health
Summary. In those reports, look for Version.

Rule name: Supported Solutions Enabler Version
User configurable settings and other suggestions: You might want to leave this rule
Disabled. In many cases, this rule should be applied to specific hosts and not to all
hosts.

Rule name: Supported Switch Firmware
User configurable settings and other suggestions: In the Criteria For Selected Rule field:
• Click the drop-down list and select the IN operator.
• Enter comma delimited wildcard values for the versions
of switch firmware that are supported in your
environment.
• To obtain examples of values in your environment,
switch to the ViPR SRM User Interface Console and
navigate to All > Report Library. Then select a
switch family. In the family, find a summary report and
look at the firmware version numbers.
• For example, for Brocade switches, navigate to All >
Report Library > Brocade FC Switch > FC
Switches Summary.

Schedule tab
Set an appropriate schedule for automatic runs of this policy.

Host Configuration policy


The Host Configuration compliance policy enforces best practices for hardware,
software, and pathing configuration on a host. You must enable and edit the policy to
implement it.
Scope tab
Start by selecting native scopes, and create customized scopes later if needed. The
following native scopes are appropriate for this policy:
• All Hosts
• All ESX Servers
Rules tab
Enable each rule that you want to implement. The following table describes the user
configurable criteria for the rules that have them.

Table 8 Host Configuration policy—user configurable criteria

Rule name: Authorized Host OS for Array
User configurable settings and other suggestions: Consider leaving this rule disabled,
because it is implemented in another policy.

Rule name: Maximum Number of Volumes Masked to Host Port
User configurable settings and other suggestions: In the Criteria For Selected Rule field,
enter the maximum number of volumes that should be masked to a host.
You can simulate a breach by setting the number lower than
the known number of volumes masked to a host.

Rule names: Supported HBA Vendor Model Driver and Firmware; Supported Multipath Software
Version; Supported Solutions Enabler Version
User configurable settings and other suggestions: Consider leaving these rules disabled
because they are implemented in other policies. If you enable these rules,
configure values to match in their Criteria For Selected Rule fields, as follows:
• To specify an exact string, select the EQ operator and
type the value.
• To specify a pattern using a wildcard, select the IN
operator and type a value that includes an asterisk (*) in
place of one or more characters.
• To specify multiple values, select the IN operator and
type a set of values separated by commas.
• To specify the starting string of the value, select the
STARTS_WITH operator and type the string.
• To specify the ending string of the value, select the
ENDS_WITH operator and type the string.

Schedule tab
Set an appropriate schedule for automatic runs of this policy.

Path Management policy


The Path Management compliance policy validates configurations to ensure
connectivity and redundancy. You must enable and edit the policy to implement it.
Scope tab
Start by selecting native scopes, and create customized scopes later if needed. The
following native scopes are appropriate for this policy:
• All Hosts
• All ESX Servers
• All Fabrics
Rules tab
Enable each rule that you want to implement. None of the rules in this policy contain
user-configurable criteria.
Schedule tab
Set an appropriate schedule for automatic runs of this policy.


VPLEX Configuration policy


The VPLEX Configuration compliance policy enforces best practices for VPLEX
configuration. You must enable and edit the policy to implement it.
Scope tab
Select the following scope:
• All VPLEX Clusters
• If that scope does not exist, click Create Scope and create it using the following
criteria:

devtype='VirtualStorage'

Rules tab
Enable each rule that you want to implement. The following table describes the user
configurable criteria for the rules that have them.

Table 9 VPLEX Configuration policy—user configurable criteria

Rule name: I/O Path Redundancy for VPLEX Backend
User configurable settings and other suggestions: In the Criteria For Selected Rule field,
configure the minimum number of redundant ports that you want to
enforce in each option. For example, you might configure 4
(4 redundant ports) in each option.

Schedule tab
Set an appropriate schedule for automatic runs of this policy.

ViPR Controller Configuration policy


The ViPR Controller Configuration compliance policy enforces best practices for
configurations in ViPR Controller. You must enable and edit the policy to implement it.
Scope tab
Select the following scope:
• All ViPR Controller Virtual Data Centers
• If that scope does not exist, click Create Scope and create it using the following
criteria:

devtype='Host' & parttype ='Tenant'

Rules tab
Enable the rule. This policy does not have any user configurable criteria.
Schedule tab
Set an appropriate schedule for automatic runs of this policy.


Zoning Best Practices policy


The Zoning Best Practices policy enforces configurable best practices for zoning. You
must enable and edit the policy to implement it.
Scope tab
Start by selecting native scopes, and create customized scopes later if needed. The
following native scopes are appropriate for this policy:
• All Hosts
• All Arrays
• All ESX Servers
• All Switches
• All Fabrics
Rules tab
Enable each rule that you want to implement. The following table describes the user
configurable criteria for the rules that have them.

Table 10 Zoning Best Practices policy—user configurable criteria

Rule name: Authorized Zone Membership Types
User configurable settings and other suggestions: In the Criteria For Selected Rule field,
uncheck wwn and fwwn as these create a very large number of breaches if the
SAN objects are not all fully discovered.

Rule name: Host Port Fan-In
User configurable settings and other suggestions: In the Criteria For Selected Rule field,
enter the desired number of ports.
You can simulate a breach by setting the number lower than
the known Fan-In ports.

Rule name: Minimum Number of Members in Zone
User configurable settings and other suggestions: This rule generates a large number of
breaches when only a small number of SAN objects are discovered.

Rule name: Single Initiator Zoning
User configurable settings and other suggestions: This rule generates a large number of
breaches when only a small number of SAN objects are discovered.

Rule name: Storage Port Fan-Out
User configurable settings and other suggestions: In the Criteria For Selected Rule field,
enter the number of ports.
You can simulate a breach by setting the number lower than
the known ports.

Rule name: Zone must Contain a Host Port
User configurable settings and other suggestions: This rule generates a large number of
breaches when only a small number of Host objects are discovered.

Rule name: Zone must Contain a Storage Port
User configurable settings and other suggestions: This rule generates a large number of
breaches when only a small number of Array objects are discovered.

Schedule tab
Set an appropriate schedule for automatic runs of this policy.
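
The zoning rules in this policy, worked through as an added Python example over constructed zone data; it is not code from this guide or from ViPR SRM. Assumptions: fan-in and fan-out count distinct ports across all zones, and the "unverified" status is a convention of this example that marks breaches raised for zones with undiscovered members, which is the situation the table above warns about. All WWNs and zone names are made up.

```python
"""Check constructed zoning data against rules from the Zoning Best Practices policy."""
from collections import defaultdict

# Constructed sample data: WWNs and zone names are made up for the example.
HOST_A = "10:00:00:00:c9:00:00:01"
HOST_B = "10:00:00:00:c9:00:00:02"
ARR_1 = "50:00:09:72:00:00:00:10"
ARR_2 = "50:00:09:72:00:00:00:11"
UNDISCOVERED = "10:00:00:00:c9:00:00:99"  # zoned, but its host was never discovered

PORT_ROLES = {HOST_A: "initiator", HOST_B: "initiator", ARR_1: "target", ARR_2: "target"}
ZONES = {
    "z_hostA_arr": [HOST_A, ARR_1, ARR_2],
    "z_shared": [HOST_A, HOST_B, ARR_1],
    "z_orphan": [ARR_2],
    "z_partial": [UNDISCOVERED, ARR_1],
}


def check_zones(zones, roles, max_fan_in, max_fan_out):
    """Return (object, rule, status) tuples for every violated rule.

    status is "unverified" when the zone has members with no discovered role,
    so the breach may only reflect incomplete discovery (assumed convention).
    """
    breaches = []
    targets_of = defaultdict(set)     # initiator port -> target ports zoned to it
    initiators_of = defaultdict(set)  # target port -> initiator ports zoned to it
    for name in sorted(zones):
        members = zones[name]
        inits = {m for m in members if roles.get(m) == "initiator"}
        tgts = {m for m in members if roles.get(m) == "target"}
        status = "unverified" if any(m not in roles for m in members) else "confirmed"
        if len(members) < 2:
            breaches.append((name, "Minimum Number of Members in Zone", "confirmed"))
        if len(inits) > 1:
            breaches.append((name, "Single Initiator Zoning", "confirmed"))
        if not inits:
            breaches.append((name, "Zone must Contain a Host Port", status))
        if not tgts:
            breaches.append((name, "Zone must Contain a Storage Port", status))
        for port in inits:
            targets_of[port] |= tgts
        for port in tgts:
            initiators_of[port] |= inits
    # Fan-in and fan-out use the LE operator: the count must not exceed N.
    for port in sorted(targets_of):
        if len(targets_of[port]) > max_fan_in:
            breaches.append((port, "Host Port Fan-In", "confirmed"))
    for port in sorted(initiators_of):
        if len(initiators_of[port]) > max_fan_out:
            breaches.append((port, "Storage Port Fan-Out", "confirmed"))
    return breaches


if __name__ == "__main__":
    for obj, rule, status in check_zones(ZONES, PORT_ROLES, max_fan_in=1, max_fan_out=1):
        print(f"{status:10} {rule:36} {obj}")
```

The z_partial zone is reported as missing a host port only because its first member was never discovered, so that breach is one to confirm against discovery coverage before changing the zone.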



CHAPTER 4
Use Compliance Reports

The following topics describe how the ViPR SRM reports identify breaches to your
compliance policies and how you can resolve those breaches.

• Process for identifying and resolving breaches
• Breach status
• Run a policy
• View breach summary reports and drill into details
• Columns on breach reports
• Use group filters on compliance reports
• View Policies reports


Process for identifying and resolving breaches


The compliance reports identify situations in your storage infrastructure that need
attention. After making adjustments in your environment, you can rerun the policy that
was breached to determine if the problem is resolved.
Identifying breaches
To identify violations (breaches) to your enabled and configured compliance policies:
• Monitor the Compliance summary reports available in Operations > Compliance >
Breach Summary.
• Mark relevant compliance reports as favorites, or schedule them to run every day
and send the results in email.
Resolving breaches
To resolve a breach so that it no longer appears on the compliance reports, do any of
the following:
l Fix the issue that caused the breach, and then rerun the policy. For example, if a
breach shows an invalid number of ports in a switch zone, you need to add more
ports to the zone to make the zone satisfy your compliance policy.
l If the breach is reporting situations that are considered normal in your
environment, you should consider reconfiguring the policy rules to reflect your
current best practices. Then rerun the policy.
l You can disable individual criteria in a rule, disable a rule, or disable a policy. The
previously found breaches will age out of the reports.
Resolving breaches to the EMC Support Matrix policy
The EMC Support Matrix policy identifies out-of-date or end-of-life hardware, firmware, and software in your infrastructure. It compares components in your environment to the EMC Support Matrix list of supported components, and identifies components that are not supported.
The policy depends on matching discovered or assigned attributes in your environment to values in the Support Matrix. The matching process is mostly automated. However, a one-time manual matching is sometimes required when discovered values do not match the Support Matrix values.
Breaches to this policy are caused by:
- Matching problems. These breaches are resolved by performing a manual match to supply the correct values.
- Noncompliant components. These breaches are usually resolved by upgrading software, firmware, or hardware.
See Configure and Use the EMC Support Matrix Policy on page 63 for a step-by-
step description of the matching process and how to resolve breaches to this policy.
Understanding breaches to the Configuration Change Tracking policy
The Configuration Change Tracking policy identifies unexpected configuration
changes in your environment. It compares configuration changes made in your
infrastructure to a list of allowed or disallowed changes.
See Configure and Use Configuration Change Tracking on page 55 for a step-by-
step description for configuring, running, and exploring breaches for this policy.


Breach status
A breach status is either ACTIVE or INACTIVE.
The breach reports show a status for each breach.
- An ACTIVE status means that the breach condition still existed at the last run of the policy.
- An INACTIVE status means that the breach existed during the timeframe covered in the report (the default for most reports is one week), but the breach was not found at the last run of the policy. The breach was resolved.
INACTIVE breaches age out of reports.

Run a policy
When a policy runs, it validates enabled criteria in enabled rules against the objects
defined by the policy scope.
There are three ways to run a policy:
- A policy runs automatically using the configured schedule in the policy.
- A policy can run on demand by administrators with the Run Now action.
- A policy runs automatically when a configuration change occurs that is relevant to the policy.
  Configuration changes are detected by the compliance system and relevant policies are automatically revalidated, capturing violations as early as possible.
The last validation time for a policy is the last scheduled or manual run. The last
validation time is not updated when validation occurs due to a change event.
To run a policy manually, use the following procedure.
Procedure
1. Go to Administration > Modules > Storage Compliance > Policy & Rules
Management.
2. In the right pane, click the policy and select Run Now.
The Last Run column value changes to Running... and then to the time
completed.
3. Go to User Interface > Operations > Compliance > Breach Summary to see
the results of the run.
Results
A policy run generates active breaches for violations to the rules in the policy. A policy
run also produces resolved (inactive) breaches for previous violations that are now
resolved.
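
The breach lifecycle described in this chapter (ACTIVE and INACTIVE status, scheduled versus change-triggered validation, and aging out of reports) can be modeled as follows. This Python model is an added illustration, not ViPR SRM code; the class and function names, the constructed zone data, the two-member threshold, treating a recurrence as a new breach, and aging by last detection time are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

REPORT_WINDOW = timedelta(weeks=1)  # guide: default timeframe for most reports


@dataclass
class Breach:
    rule: str
    device: str
    creation_time: datetime   # when the breach was originally detected
    last_modified: datetime   # last time the breach was detected
    state: str = "ACTIVE"


@dataclass
class Policy:
    name: str
    rules: Dict[str, Callable[[str], bool]]  # enabled rules; True means violated
    scope: List[str]                         # objects the policy applies to
    breaches: Dict[Tuple[str, str], Breach] = field(default_factory=dict)
    last_validation: Optional[datetime] = None

    def _validate(self, now, rule_names, objects):
        for rule in rule_names:
            for obj in objects:
                key, found = (rule, obj), self.rules[rule](obj)
                breach = self.breaches.get(key)
                if found and (breach is None or breach.state == "INACTIVE"):
                    # Assumption: a recurrence after resolution is a new breach.
                    self.breaches[key] = Breach(rule, obj, now, now)
                elif found:
                    breach.last_modified = now
                elif breach is not None and breach.state == "ACTIVE":
                    breach.state = "INACTIVE"  # resolved; last detection time kept

    def run(self, now):
        """Scheduled run or Run Now: every rule, whole scope, updates Last Run."""
        self._validate(now, list(self.rules), self.scope)
        self.last_validation = now

    def on_change(self, now, obj, affected_rules):
        """Change event: only the affected rules, only the changed object."""
        if obj in self.scope:
            self._validate(now, [r for r in affected_rules if r in self.rules], [obj])
        # last_validation is deliberately left untouched for change events

    def report(self, now, state):
        """Breaches in one state; INACTIVE ones age out after REPORT_WINDOW."""
        return [b for b in self.breaches.values() if b.state == state and
                (state == "ACTIVE" or now - b.last_modified <= REPORT_WINDOW)]


def demo():
    zone_members = {"test72": 1, "test55": 2}  # constructed zoning data
    policy = Policy(
        name="Example zoning policy (constructed)",
        # Assumed threshold: a zone needs at least two members.
        rules={"Minimum Number of Members in Zone": lambda z: zone_members[z] < 2},
        scope=list(zone_members),
    )
    t0 = datetime(2017, 9, 1, 6, 0)
    policy.run(t0)                             # scheduled run finds the breach
    active_after_run = len(policy.report(t0, "ACTIVE"))

    zone_members["test72"] = 2                 # a member is added to the zone
    t1 = t0 + timedelta(hours=1)
    policy.on_change(t1, "test72", ["Minimum Number of Members in Zone",
                                    "Single Initiator Zoning"])
    return {
        "active_after_run": active_after_run,
        "active_after_change": len(policy.report(t1, "ACTIVE")),
        "inactive_after_change": len(policy.report(t1, "INACTIVE")),
        "last_validation_unchanged": policy.last_validation == t0,
        "inactive_after_8_days": len(policy.report(t0 + timedelta(days=8), "INACTIVE")),
    }


if __name__ == "__main__":
    print(demo())
```

The model makes one operational point visible: a breach can flip to INACTIVE between scheduled runs, so the Last Run time alone does not tell you when a breach state last changed.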


View breach summary reports and drill into details


The summary-level breach report provides a holistic summary of the breaches
generated by enabled policies. You can drill into detailed reports by clicking on the
bars in the summary reports.
Procedure
1. Go to Operations > Compliance > Breach Summary.

The following reports summarize the breaches in your environment.

Active Breaches by Severity
Shows the number of current breaches by their severity. Click a bar to generate an Active Breaches report filtered for a specific severity level.

Active Breaches by Policy
Shows the number of current breaches by policy, providing insight into which policy is breaching the most. Click a bar to generate an Active Breaches report filtered for a specific policy.

Breach Occurrence by Severity
Shows the occurrence of breaches on a date by date basis.

2. To drill into details, click a bar in one of the bar charts.
For example, in the Active Breaches by Policy report, click the Zoning Best Practices bar.


An All Active Breaches report appears, filtered by the parameters of the bar
that you clicked.

3. To see the detailed message for a specific breach, click the breach row and
scroll down.
The detail appears below the All Active Breaches report. The blue band in the
top report indicates the row that you clicked.

4. To see details about the device involved in a breach, click the link in the Device
column.


The link takes you to the device's home page, where you can explore all aspects
of the device. In the following report, you can see that ports have not yet been
assigned to any zones.

Columns on breach reports


The All Active Breaches report and any filtered versions of it describe active
breaches and also contain drill-down opportunities for more information. The All
Inactive Breaches report contains the same information for resolved breaches.
The following figure shows the Operations > Compliance > All Breaches > All Active
Breaches report.


Figure 2 All Active Breaches report

| Column | Description |
|---|---|
| Severity | Severity of the breach, using a symbol in the first column and text in the second column. |
| Breach Name | Breach name as assigned in the rule definition. |
| Device | Device that the breach is associated with. The device names in this column are links to the device home page. |
| Device Type | The type of device associated with the breach. |
| Affected Objects | The names of specific objects involved in the breach. |
| Policy | The policy that was violated. |
| Rule | The rule name that was violated. |
| Creation Time | Time the breach was originally detected. |
| Last Modified Time | The last time the breach was detected (the last run time of the policy or the last time the rule was executed as a result of a configuration change). |
| State | ACTIVE or Resolved. Resolved breaches age out of the Inactive Breaches report. |

Two methods are available to drill down:
- Click a device name in the Device column to jump to the device home report, where you can further research the issue.
- Click a row in the table to show the Breach Details report for a breach. This report appears below the main table, on the same page, and shows the following:
  - Breach Message: A detailed description of what has gone wrong.
  - Recommendations: Suggestions for resolving the breach.

Use group filters on compliance reports


The breach and change management reports contain the ViPR SRM group filters.
These filters limit a report output to one or more selected platforms, business units,
customers, or locations.
The group filters operate on values associated with the device in the Device column.
For example, the customer for a breach is inferred from the associated device.
The Platform filter is always available, out of the box. The Business Unit, Customer,
and Location filters require that your installation create rules to populate those fields.
For information about populating group fields, see the EMC ViPR SRM Data Enrichment
and Chargeback Guide available at ViPR SRM 4.0.x Documentation Index.
The following procedure describes how to use group filters on a compliance report.
Procedure
1. Go to Operations > Compliance > All Breaches.
The report initially shows all breaches in your infrastructure.
2. Click a group filter.
For example, click the Platform filter.

3. In the Platform filter dialog, select one or more platforms to report on.


4. Click Apply.
The report now displays only breaches that affect devices associated with the
selected platforms.
Also note that the Platform group filter changed color to indicate that this filter
is currently applied to the report results.
5. Click another group filter, such as the Business Unit filter.
6. Select one or more values, and click Apply.

Note

If a filter dialog is empty, it means that your installation is not populating that
field.

The breach report now displays only breaches that affect the selected
platforms for the selected business units.
Also note that both the Platform and Business Unit group filters have changed
color.
7. To cancel a filter, click the group filter icon, and then click Cancel.

View Policies reports


The View Policies report provides a read-only reference of each enabled policy, its
rules, and information about the breaches that are associated with each rule.
The View Policies report provides details about the policies (both out-of-the-box and
administrator created) and their associated rules. This report provides a read-only
view of the policies and rules and also allows drill-down to see the list of breaches
associated with each rule.
To change a policy or rule criteria, you must have permissions for those administrative
actions, and perform them from the Administration portal.
Procedure
1. Log onto the Console and go to Operations > Compliance > Policies.


The report lists all defined policies, including predefined policies and custom-
defined policies. The columns show:
- State of the policy
  - Green checkmark: Enabled
  - Red X: Disabled
- Name of the policy
- Description of the policy
- Number of rules associated with the policy
- Number of active breaches for the policy
- Last Run: Time when the policy was last run (validated). Last run might be a scheduled run or a manual run. It does not include validations triggered by configuration changes.

2. Click a policy row and scroll down to see the View Rules report for that policy.
A blue band in the first report indicates the policy you clicked.


The View Rules report lists the rules associated with the selected policy. The
columns show:
- State of the rule (Enabled or Disabled)
- Rule name
- Description of the rule
- The type of object that the rule was applied to
- Severity assigned to breaches of the rule. Severity levels are for reporting and classification purposes only.
- Number of active breaches on the rule
3. Click a rule row to view the breaches associated with the selected rule.



CHAPTER 5
Configure and Use Configuration Change Tracking

The following topics show how to set up and use the configuration change tracking
feature to identify configuration changes in your environment.

- Configuration change tracking features
- List of configuration change tracking events
- Example configuration changes messages
- Configure change tracking
- View Configuration Changes reports


Configuration change tracking features


The configuration change tracking feature provides a way to monitor and view
configuration changes in your storage network.
The SolutionPack for Storage Compliance tracks and reports on configuration
changes related to storage components in your infrastructure. It also reruns enabled
compliance rules related to the detected change.
A background process that runs on a configurable schedule collects and logs
configuration changes. The installed default schedule is hourly, meaning that
administrators know within an hour about a configuration change. The compliance
change tracking feature is always enabled.
The compliance change tracking feature provides the following benefits:
- When a configuration change is related to an enabled compliance policy rule, that rule is run against the objects involved in the change. Administrators receive quick feedback when a change causes a breach or resolves an existing breach.
- When configuration changes cause breaches, the breaches are noted on the change tracking report. In addition, administrators can easily navigate directly from the row in the change tracking report to more detailed breach reports to obtain more details about the breaches.
- Similarly, if the change was made to try to resolve a known breach, administrators receive almost immediate validation about whether the breach was resolved.

List of configuration change tracking events


The Configuration Change Tracking feature captures and reports on certain change
events in your environment.
The following table lists the changes that are captured by this feature.

Table 11 Captured changes and associated rules

| Object type | Component | Event | Change description | Affected rules |
|---|---|---|---|---|
| Switch | Firmware | Modified | Switch Firmware changed | Supported Switch Firmware |
| Switch | Model | Modified | Switch model changed | Switch Fabric Topology |
| Switch | Switch Port Status | Modified | Status change of a Switch Port | Missing Path |
| Switch | Switch port connectivity | Added | Connectivity added to a switch port | IO Path redundancy |
| Switch | Switch port connectivity | Modified | Connectivity change in switch port to its neighbor port | IO Path redundancy, Missing Path |
| Fabric | Zone Set | Added | Zone Set added in a fabric | Authorized Zone Membership Types; Host Port Fan-In; Minimum Number of Members in Zone; Single Initiator Zoning; Storage Port Fan-Out; Zone Must Be Unique; Zone must Contain a Host Port; Zone must Contain a Storage Port |
| Fabric | Zone | Added | Zone added | Authorized Zone Membership Types; Host Port Fan-In; Minimum Number of Members in Zone; Single Initiator Zoning; Storage Port Fan-Out; Zone Must Be Unique; Zone must Contain a Host Port; Zone must Contain a Storage Port |
| Fabric | Zone Member | Added | Zone Member added | Authorized Zone Membership Types; Host Port Fan-In; Minimum Number of Members in Zone; Single Initiator Zoning; Storage Port Fan-Out; Zone Must Be Unique; Zone must Contain a Host Port; Zone must Contain a Storage Port |
| Array | Microcode | Modified | Array Microcode changed | Supported array microcode; Path Management Software interoperability, end of support for array |
| Array | FE Port status | Modified | FE Port status changed | IO Path redundancy, Missing Path |
| Host / Hypervisor | Solution enabler | Added | Solution enabler added | Supported solution enabler |
| Host / Hypervisor | Solution enabler | Modified | Solution enabler version change | Supported solution enabler |
| Host / Hypervisor | Multi-pathing software | Added | Multipath software added | Supported Multipath rule; Path management interoperability for EMC arrays; End of support for host |
| Host / Hypervisor | Multi-pathing software | Modified | Multipath software version change | Supported Multipath rule; Path management interoperability for EMC arrays; End of support for host |
| Host / Hypervisor | Operating system | Modified | Host OS change | Base connectivity interoperability; Path management interoperability for EMC arrays; End of support for host; Authorize host OS for Array Port |
| Host / Hypervisor | Host Model | Modified | Host model change | Base connectivity, end of support for host |
| Host / Hypervisor | Host adapter | Modified | HBA Model/Driver/Firmware/Vendor change | Base connectivity interoperability; Supported HBA, Uniform HBA |
| Host / Hypervisor | Host Adapter Port Status | Modified | HBA Port status changed | IO Path Redundancy |


Example configuration changes messages


The messages produced by the configuration changes feature contain detailed
information about changes made to storage components.
The following table contains extracts from a Configuration Changes report. The
examples show the types of configuration changes that are tracked and the level of
detail included in the Configuration Changes report.

Table 12 Examples of configuration changes messages

| Description | Device | Component |
|---|---|---|
| The disk device with disk wwn 60A98000424550697624436C566B6C57 on host sl200078 has been removed. | sl200078 | /dev/dsk/emcpower9c |
| The status of switch port 2015000533AA8F40 on switch ibm-xiv changed from offline to online | ibm-xiv | |
| The Virtual Machine FrontEnd got vMotioned from ESX server lglbw014.lss.emc.com to lglbw013.lss.emc.com. | FrontEnd | |
| The status of switch port 20130005337A0BE0 on switch xiv1 changed from offline to online | xiv1 | |
| The switch port connectivity for port 2015000533AA8F40 on switch ibm-xiv changed from 10000000C93911DB to 10000000C94A913E. | ibm-xiv | |
| The disk device /dev/dsk/emcpower18c with disk wwn 600601606D203700D9600C28F5EBE311 has been added on host sl200078. | sl200078 | /dev/dsk/emcpower18c |
| The disk device fc.20000090fa343b86:10000090fa343b86-fc.50000973000ed400:50000973000ed55d-naa.60000970000195700949533036324532 with disk wwn 60000970000195700949533036324532 has been added on host lglbw014.lss.emc.com. | lglbw014.lss.emc.com | fc.20000090fa343b86:10000090fa343b86-fc.50000973000ed400:50000973000ed55d-naa.60000970000195700949533036324532 |
| The member 1000000012121234 has been added to the zone test72 in the fabric 2001000DEC3E9981 | 2001000DEC3E9981 | |
| A new zone test55 has been added to the fabric 2001000DEC3E9981 | 2001000DEC3E9981 | |


Configure change tracking


The compliance change tracking feature is configured with default settings out of the
box, and no action is required on your part. However, you might want to change the
default settings.
Procedure
1. To enable and disable individual events that are tracked for changes:
a. Open the following XML file.

   /APG/Backends/Compliance-Backend/generic-compliance/conf/compliance-change-events-config.xml

   Most change tracking events in this file are installed as enabled. Several are disabled (commented out), including:
   - Zone addition/removal
   - Zone member addition/removal
   - LUN masking
   - LUN mapping

b. Use the XML commenting structure to comment out the lines that you want to disable, or remove the commenting structure to enable events that are currently commented out.
c. Save the file.
d. Restart the Compliance-Backend.
2. To increase the interval for running the change tracking process:
a. Open the following file.

   /APG/Backends/Compliance-Backend/generic-compliance/conf/config-scheduler.properties

b. Locate the following section:

   ##ChangeGenerator Scheduler:

c. Change the scheduler value to your desired interval for running the change tracking process. The default scheduling cycle is every one hour from the time the Compliance-Backend is started. You can increase that interval.
d. Save the file.
   The new schedule is implemented.


View Configuration Changes reports


These reports provide a view of various changes happening in the data center
environment. When changes create breaches to compliance rules, you can drill into
the breach details.
Examples of changes include disk provisioning or de-provisioning, or failure of an HBA
or switch port. Whenever such a change occurs, compliance reruns its enabled policies
to check if there are any violations. For example, failure of an HBA port makes
compliance revalidate the I/O Path redundancy rule to check if the path redundancy
was reduced. If so, a breach is generated.
Using these reports, you can view the breaches associated with a configuration
change, and thus understand both the event and the impact of the event on the
environment. Drill down into details of each breach, to understand the breach and its
source and troubleshoot it effectively.
Procedure
1. Go to Operations > Compliance > Configuration Changes.

The columns on the Configuration Changes report show:


- Time when a configuration change violation was detected by the compliance module
- Description of the change
- Device on which the change occurred
- Component on which the change occurred
- Number of breaches generated because of the change

2. Click a change event row to view details about the breaches that were
generated due to the change.


The columns show details of each breach, including the device on which the
breach occurred and the affected objects.

3. Click a breach row to display the detailed breach message and recommended
fix.
These details appear below the View Breaches report, on the same page.



CHAPTER 6
Configure and Use the EMC Support Matrix Policy

The following topics describe how to configure and use the EMC Support Matrix
(ESM) policy to monitor your environment for compliance with the EMC Support
Matrix. ESM matching procedures are included.

- EMC Support Matrix compliance features
- ESM matching
- How to perform manual matching
- Update Support Matrix version
- Scenario: Set up and use the ESM compliance policy


EMC Support Matrix compliance features


The EMC Support Matrix compliance policy in ViPR SRM matches your environment
to the EMC Support Matrix. Breaches to this policy point out noncompliant
components and unsupported combinations of components. Using the ViPR SRM
breach report and support matrix match list, you can research and fix these issues.
What is the EMC Support Matrix?
The EMC Support Matrix is a database of interoperability rules for EMC arrays, supported switches and switch firmware, and hosts running UNIX, Windows, and VMware operating systems.
The EMC Support Matrix compliance policy ensures that all components in your EMC storage network comply with EMC support standards and best practices.
Which conditions are validated?
The EMC Support Matrix compliance policy validates interoperability and versioning among combinations of components, such as:
- host, host OS, array, and HBA
- host OS, storage OS, and path management software
- switch models and switch firmware
- VPLEX and other components
What is the match list?
For this compliance policy to work, the attributes of all components in your storage
infrastructure must be matched to attribute values in the EMC Support Matrix
database. The Match List is accessible from the ViPR SRM Administration portal.
The Match List uses the terms in the following table to describe how each match was
derived.

Table 13 Match types

| Match type | Description |
|---|---|
| AutoMatched | ViPR SRM successfully matched a discovered attribute value to a value in the EMC Support Matrix database. ViPR SRM performs automatic matches whenever possible. |
| MultiMatched | The discovered attribute value is not definitive and matches to more than one value in the EMC Support Matrix database. You need to resolve a multimatch with a manual match. MultiMatched components are reported as breaches. |
| Not Matched | There was no discovered value or the discovered value does not match any values in the EMC Support Matrix database. You need to resolve a not match item with a manual match. Not Matched components are reported as breaches. |
| Manual | A ViPR SRM system administrator performed a manual match. If there are multiple objects with the same unmatched value, a manual match on one of them is automatically applied to all instances. |

How should I use the EMC Support Matrix Active Breaches report?
This compliance policy generates the EMC Support Matrix Active Breaches report.
The report lists issues and provides detailed information for researching and fixing the
issues.


Unmatched and multimatched components are breaches. You can resolve match
issues by performing manual matches.
When components in the storage infrastructure do not comply with the EMC Support
Matrix database, the report identifies other breach types, such as interoperability and
path management breaches. You can research these breaches using the information
provided in the report. The E-LAB Interoperability Navigator is a useful resource for
researching supported configurations and upgrade requirements.
What about RPQs?
Your site might obtain a verified EMC Request Per Qualification (RPQ) that permits
alternate components in conflict with the EMC Support Matrix. In this case, you can
create a customized scope and apply it to this policy so that the nonconforming but
approved component does not continuously appear as a breach.

ESM matching
EMC Support Matrix (ESM) matching helps to reduce the gap between your
resources discovered by ViPR SRM and the ESM data in EMC E-LAB.
ESM matching is required for the interoperability rules in the ESM compliance policy
to produce meaningful results. After ESM matching is performed for all the objects in
your storage environment, interoperability rules can validate if your data center
resources are interoperable according to the EMC Support Matrix.
ESM matching is configured in the following ways:
Auto-matching
When the discovered values for a resource match the E-LAB values, the resource is labeled as auto-matched. No further matching action is required for these resources. Most resources are auto-matched.

Multi-matching
When the discovered values for a resource match several potential values in E-LAB, the resource is labeled as multi-matched. These resources produce breach errors and require manual matching to select a single value from the list of multi-matched values.

Manual-matching
When the discovered values for a resource do not match any value in E-LAB, the resource is labeled Not matched. These resources produce breach errors and require manual matching. Manual matching presents you with a list of E-LAB values, and you manually select the correct value for the resource.
In the case where the same unmatched phrase occurs multiple times, a manual match on one of the instances is automatically applied to all of the instances.

Auto-matching and Multi-matching are configured as back-end processes. These processes match data from discovered resources to one or more items in the E-Lab data. They run when the EMC Support Matrix policy rules are run.


How to perform manual matching


If a resource item has discovered values and is not automatically matched or if a
resource is multi-matched, then you can manually match the configuration item to
values in the Support Matrix.
Procedure
1. Go to Administration > Modules > Storage Compliance > Match to EMC
Support Matrix.

2. For a resource with the status Not Matched or Multi-matched, click the
pencil icon in the Matched To column.
The Match Value dialog appears.
3. Type an appropriate value, or start typing the value and then select from the
presented list.
You might need to research appropriate values.
4. Click OK.
Results
The status of the configuration item appears as Manual matched in the Matched
Methods column. If there are additional instances of the same unmatched discovered
value, the system matches all of them, and they are all now marked Manual matched.

Update Support Matrix version


The Match to EMC Support Matrix page indicates which version of the Support
Matrix is currently being used for compliance comparisons. If the version is outdated,
you can install a newer version.
An initial version of the EMC Support Matrix is installed with the SolutionPack for
Storage Compliance. To ensure that your infrastructure remains in compliance with
the latest E-Lab data, you can optionally update the Support Matrix whenever a newer
version is available.
When EMC generates a new version of the Support Matrix, it is available to you from
EMC Support Zone or from your EMC account team. Use the procedure below to
obtain and load a new Support Matrix version.

Note

Updating the support matrix version could result in new breaches if elements in your
infrastructure are not in compliance with the newer version.

Procedure
1. Go to Administration > Modules > Storage Compliance > Match to EMC
Support Matrix.


2. Determine the Support Matrix version number currently in use from the
information message next to the Update Support Matrix button.
3. Obtain a newer version, if available.

Option: From Support Zone
- Log onto https://support.emc.com
- Click Downloads.
- For product name, type vipr srm.
- Select a release number.
- Search for the following file:

  emc-support-matrix-compliance-version.pkg

- If version is newer, download the file.

Option: From account team
Your account team might reach out to you when a new version is available.

4. Update the compliance package to use the newer version. Use one of the
following options:

Option: Use Package Management
a. Go to Administration > Centralized Management > Packages Manage
b. Click Upload, and browse to the new emc-support-matrix-compli
c. Go to SolutionPacks > Other Components.
d. For the emc-support-matrix-compliance row, click the Upgrade
   block to use the newly uploaded package file.

Option: Manual copy; update on the Compliance UI
a. On the Compliance Backend, copy the new emc-support-matrix-co
   Module-Repository.
b. Go to Administration > Modules > Storage Compliance > Match to EM
c. Click Update Support Matrix. The information message next to the but
   support matrix version is available.
d. Review the details on the popup dialog and click Update.
e. Click OK when the Success message appears.

The next execution of compliance rules will use the new Support Matrix version.
5. To revert to a previous version, delete and reinstall isolated blocks as follows:

Note

Reverting is generally not recommended. The latest data is always better, and
the newer versions are qualified before releasing to customers.

a. In Centralized Management > SolutionPacks > Storage > Storage Compliance, delete the Compliance Backend component.
b. In Centralized Management > SolutionPacks > Other Components, delete the emc-support-matrix-compliance, where version is the latest version.
c. In /opt/Tools/Module-Repository, check that the pkg file for the older version is present, and then remove the emc-support-matrix-compliance-version.pkg file, where version is the newer version.
d. On the Administration page, click SOLUTIONPACK CENTER > Storage Compliance, and reinstall only the Compliance Backend block. Messages displayed during the installation show the Support Matrix version number used.

Scenario: Set up and use the ESM compliance policy


The following topics provide details about the features of the ESM compliance policy
and a beginning-to-end scenario showing how to set up and use the policy.

• Set up the policy
• Run the policy
• Identify breaches on the Active Breach report
• Use matching to resolve some breaches
• Use the EMC E-LAB Navigator to research breaches not related to matching
• Verify resolved breaches on the Inactive Breach report

Enable and schedule the EMC support matrix policy


To implement the ViPR SRM EMC Support Matrix compliance policy, you must first
enable the policy and edit it to set a scope, enable rules, and set a schedule.
Assume that you are an administrator for data centers in a large enterprise. You want
to monitor the storage network and identify noncompliant configurations within a day.
You decide to enable the EMC Support Matrix compliance policy. You want to run a
new EMC Support Matrix Active Breaches report first thing each morning and again
mid-day.
Procedure
1. Log in to the ViPR SRM Console, and click Administration in the banner.
2. In the Administration navigation tree, click Modules > Storage Compliance >
Policy & Rules Management.
A table of storage compliance policies appears.
3. In the Name column, locate the policy named EMC Support Matrix.

4. Click the checkbox in the first column for that row, and then click Enable.

5. Click the checkbox again, and then click Edit.

The Edit Policy window opens.


6. Configure the scope for this policy:
a. Click the Scope tab.
b. Select the scopes that you want this policy to monitor.
Scope selections depend on the rules that you intend to enable in the next
step. Typical native scopes to associate to this policy are:
• All Arrays
• All Hosts
• All ESX Servers
• All Fabrics
• All Virtual Machines

c. If needed, you can create a customized scope. For example, rather than
monitoring All Hosts, you might want to monitor only Linux hosts.
7. Enable the rules that you want to implement:


a. Click the Rules tab.


b. In the first column, click to select each rule that you want to implement.
c. Click Enable at the bottom of the window.

8. To schedule automatic runs for this policy:


a. Click the Schedule tab.
b. Complete the form to schedule when this compliance policy should run.
For example, the following settings run the policy at 5 AM and 2 PM each
day.

9. To save the changes on all tabs, click Save on any tab.


The Policy & Rules Management page redisplays.
Results
On the next scheduled date and time, the policy will run and generate new breach
reports.


Run the policy manually


You can run a compliance policy on demand, outside of its scheduled time, from the
Administration portal in ViPR SRM.
Procedure
1. Log in to the Console, and click Administration in the banner.
2. In the Administration navigation tree, click Modules > Storage Compliance >
Policy & Rules Management.
3. Click the row for the policy named EMC Support Matrix, and then select Run
Now.

4. Verify that the Last Run column changes to Running.....


If it does not:
a. Click the policy again and choose Edit.
b. On the Scope tab, make sure at least one scope is selected. See the
previous task for scope suggestions.
c. On the Rules tab, make sure at least one rule is enabled.
d. Click Save.
e. Rerun the policy.

5. To view the results of the policy run:


a. Return to the browser tab that contains the ViPR SRM interface.
b. Click User Interface in the banner.
c. Navigate to Operations > Compliance > Storage Compliance > Breach
Report > Active Breaches by Policy > EMC Support Matrix.

View the EMC Support Matrix Active Breaches report


The EMC Support Matrix Active Breaches report in ViPR SRM lists noncompliance to
the EMC Support Matrix and provides information for researching and fixing the
issues.
Assume that you are a storage administrator with several data centers that recently
configured new storage arrays. You want to check the latest EMC Support Matrix
Active Breaches report to ensure that the new configurations are compliant.


Procedure
1. Log into the Console.
2. Navigate to Operations > Compliance > Breach Summary > Active Breaches
by Policy > EMC Support Matrix.
The Support Matrix Active Breaches report appears.
3. To determine when the Support Matrix policy was last run, look in the Last
Modified Time column.

Note

To update the data in a compliance policy report, you must run the policy. The
policy runs on its scheduled time or on-demand from the Administration portal.
You cannot run the policy and generate a new report from the User Interface
portal.

4. To determine which components are not in compliance, look in the Device
column. To identify the role of the noncompliant device in the configuration,
look in the Device Type column.
In the following example, two hypervisors have issues.

5. To understand and fix compliance issues, analyze the information in the
Message column.
See subsequent sections for examples.

Fix not matched and multi-matched devices


Discovered devices in your environment that are not matched to a support matrix
value or match to multiple values cause breaches of the EMC Support Matrix
compliance policy. You need to perform manual matches for all Not Matched and
Multi-matched devices.
For example, the Message column in the following figure describes a host that needs
to be matched. A similar message could occur in several breaches in the report. If you
fix the match issue, all associated breaches will be fixed.
Figure 3 Example match issue in a breach report

Procedure
1. Navigate to the EMC Support Matrix match list.
a. Log in to the Console, and click Administration in the banner.
b. Click Modules > Storage Compliance > Match to EMC Support Matrix.
The match list is initially sorted to show the Not matched entries first.
2. Use these methods to find items in the list:
• Type a portion of the discovered value in the Search box, and press Enter.
• To sort the report by the values in a column, click in the header of a column.
3. (Optional) To see information about the devices associated with this
unmatched value, click the number in the Devices Affected column.


A dialog appears with known information. At the end, a table shows the affected
device names. Close the dialog to continue with the matching process.
4. To match an item, click Edit (the pencil icon) in the row.
5. In the dialog, type a portion of the discovered value to search the EMC Support
Matrix for a match.
For example, type SUN.

Note

Although the discovered value did not result in an automatch to any value in the
EMC Support Matrix, the discovered value in most cases is close to the Support
Matrix entry or at least contains useful hints.

To narrow the list, type a more specific value, such as 375.


6. If a reasonable match appears, select it, and click OK.
If you do not see an appropriate match value:
• The component might not be supported, and therefore does not exist on the
EMC Support Matrix list. It might be end-of-life or never supported. To
resolve breaches, upgrade to a supported component.
• The discovered value might be misleading. Perform offline research about
the affected device to find a better match value.

7. After matching some components, rerun the EMC Support Matrix policy, as
follows:
a. In the left pane (still on the EMC M&R platform interface), click Policy &
Rules Management.
b. In the list of policies in the right pane, click the EMC Support Matrix row,
and select Run Now.


The Last Run column changes to indicate that the policy is currently running.

c. When the Last Run column displays the current date and time, click the web
browser Refresh button to refresh the window.
The refresh action updates the # of Breaches column.

Fix base connectivity interoperability breach


The EMC Support Matrix Active Breaches report contains all of the information you
need to research a base connectivity interoperability breach in ViPR SRM.
Assume that you are a storage administrator and want to correct the interoperability
breach described in the following figure.


Figure 4 Example base connectivity issue in a breach report

Use the following general process for researching and fixing interoperability breaches:
1. Verify and correct the match values for each component listed in the breach
message.
The automatch feature makes the best assumption possible based on discovered
values but sometimes an automatched value is incorrect. Also, manual matches
can be erroneous.
2. After fixing match values, rerun the policy to determine if the breach is fixed.
3. If the breach still exists, use the tools in E-LAB Navigator to research the
incompatible component and obtain a list of possible compatible replacements.
4. If your site has a negotiated EMC RPQ that covers support for the incompatible
component, you can edit the policy, changing the scope to cover the component in
question and prevent the breach from appearing on subsequent report runs. The
process for creating a customized scope is described in another article.
To fix the base connectivity breach shown in the report above, use this procedure.
Procedure
1. Go to the Match List:
a. Log in to the Console, and click Administration in the banner.
b. Click Modules > Storage Compliance > Match to EMC Support Matrix.

2. Verify the Operating System component in the incompatibility message:
Windows 2008 R2 SP1.
a. In the search box on the upper right corner of the report, enter Windows
2008 R2, and press Enter.

You notice that the component is not matched.


b. Click the Edit (pencil) icon on the row.


c. Type Windows 2008 R2 on the dialog to find all matches.
Notice that there are no matches for SP1 or Service Pack 1, which is the
version listed in the breach message. SP1 is no longer supported.
d. You know you must upgrade this host to Service Pack 2 to resolve the breach.
However, there might be additional interoperability problems with this
configuration, so continue to verify all other components listed in the breach
message.
3. Verify the Host System component in the incompatibility message: PowerEdge
2950.
a. In the search box on the upper right corner of the report, enter 2950, and
press Enter.
You notice that the component is matched, but you want to verify the
match.
b. Click the Edit icon on the row and type 2950 in the dialog.
You find two possible matches.

c. Perform offline research to determine whether the configuration for device
MHMPC111 is a PowerEdge 2950 or 2950 III.
You discover that it is a 2950 III.
d. Select that value and then click OK.
4. Verify the Host Bus Adapter component in the incompatibility message:
LP982-E.
a. In the search box, type LP982-E.
b. Click the Edit icon on the found row and type LP982 in the dialog.
The entry is found and listed as End of Life.
You now know that the Host Bus Adapter on the MHMPC111 device is out of
date and must be updated to resolve this breach.
5. Continue to verify the other components in the breach message to discover all
outdated components.
6. Perform the physical updates to bring the MHMPC111 device up to date and in
compliance with the EMC Support Matrix.

Research path management breaches in E-LAB Navigator


You can research a PowerPath or path management interoperability issue by using
information from a ViPR SRM Support Matrix Breach report. The breach report
provides information to plug into the EMC E-LAB Navigator.
Assume that you want to fix the breach in the following figure.


Figure 5 Example path management issue in a breach report

Procedure
1. In a web browser, go to the EMC E-LAB Navigator at the following URL:
https://elabnavigator.emc.com/eln/elnhome

2. Scroll to the bottom of the E-LAB Navigator page and click Advanced Queries.
3. To create a query:
a. In the tool on the right side of the page, create a query name, and then click
Save.

b. Use the component tree on the right to fill in the query categories on the
left.
Use the values listed in the breach message, and make selections that match
the message as closely as possible.

For our example, we do not include the multipathing software that is listed in
the breach message, because we assume that it is the noncompliant
component causing the breach. We want this tool to provide us with valid
multipathing software for the combination of storage array and operating
systems.

The following figure shows the completed query that matches the first three
components that are listed in the breach message. Note that two storage
array entries are supplied, one that mentions Symmetrix and one that
mentions the S/N. These choices most closely match the breach message.

c. Click Save again.


4. To generate results that will list valid multipathing software for this combination
of array and OS:
a. Scroll down to expose step 2.
b. Select Path Management Software in the Configuration Name column.
c. Click Get Results for Selected Configurations.

5. Click the breach_example Results tab.

Note

The tab name includes the query name. Our query name is breach_example.

The result is a table that lists valid multipathing software for the provided
combination of components.


Note

If no results are reported, try eliminating other components from the list, or try
using less specific component choices.

Results
In this scenario, you researched the reason behind a path management interoperability
breach. The EMC E-LAB Navigator shows that the supported EMC PowerPath
versions for the combination of components are:
• PowerPath 5.7
• PowerPath 5.7 SP3
• PowerPath 5.7 SP4
Referring back to the breach report, you find that EMC PowerPath version 5.7 SP2 is
currently installed. You need to update the software to resolve this breach.

View inactive (fixed) breaches


Fixed breaches are called inactive breaches in ViPR SRM. The Inactive Breaches
report lists the support matrix policy breaches that were fixed during the current
reporting cycle.
Procedure
1. Navigate to Operations > Compliance > All Breaches > All Inactive Breaches.

The report shows the four breaches that were fixed previously.


2. Click in a row to view more details about a specific inactive breach.


The following figure shows more details about the last inactive breach.

Results
The inactive breaches reports provide details about the breaches that were fixed
during the reporting period.



CHAPTER 7
Create New Policies and Scopes

The following topics describe how to create customized policies and scopes.

• Create new policy
• Create a new compliance scope
• Scenario: Create a custom compliance policy


Create new policy


You can create a new compliance policy to enforce best practices in your
environment.
There are different ways to create new policies.
Copy an existing policy
When you copy an existing policy, you obtain the current configuration of the
copied policy, including the list of selected rules, all of the rule criteria values, the
scope, and the schedule for the policy. This feature is useful when you have
defined all of the parameters for a policy and need another policy with almost the
same parameters.
After the copy is created, you can quickly edit only the attributes that need
changing, such as the scope. This method saves the time and effort of creating
and configuring numerous similar policies from the beginning each time.

Create a new policy from a template of an existing policy


By using a template of an existing policy, you start with all of the rules of the
existing policy, but nothing is configured. You then configure the scope, the rules,
and the schedule.

Create a new policy from an empty template


By using an empty template, you create the framework for a new policy. It does
not have any rules in it. You need to add rules to the policy.

Regardless of how you create the new policy, each policy must have a scope and all of
the enabled rules must have criteria values before you can enable and run the policy.
Procedure
1. Navigate to Administration > Modules > Storage Compliance > Policy and
Rules Management.
2. To create a new policy by copying an existing policy:
a. Click the policy that you want to copy.
b. Click Copy.
c. Click OK to confirm the copy.
The new policy appears in the list of policies, with the name
Original_Policy_Name - copy.
d. To change the policy name:
a. Click the policy.
b. Select Edit.
c. On the Description tab, change the Policy Name field.

e. Make other changes if needed.


f. Click Save.
3. To create a new policy from a template:
a. On the Policy and Rules Management page, click Create.
b. In the Select Policy Template field, select a template:

• Select Empty Template to create a framework for a new policy, with no
rules.
• Select other templates to create a new policy that includes all of the
rules of the templated policy.

c. On the Description tab, change the Policy Name field.


d. On the Scope tab, configure a scope.
e. On the Rules tab, add or remove rules, configure rules, and enable rules.
f. Optionally configure a schedule.
g. Click Save.

Create a new compliance scope


A compliance scope is available for association with any compliance policy.
Procedure
1. Go to Administration > Modules > Storage Compliance > Policy & Rules
Management.
2. Click any policy, and choose Edit from the action menu.
3. Click the Scope tab.
4. Click Create Scope at the bottom of the page.

Note

The new scope is not associated with the policy unless you manually choose it
later.

5. Complete the Create Scope dialog:


a. For Scope Name, type a name for the scope. This name is used in the list of
scopes on the Scope tab.
b. For Scope Criteria, type the criteria that defines members of this scope.
Use the following format:
PropertyName Operator Value
For Operator, the following are supported:

Operator   Description
&          AND
|          OR
=          Equal To

Wildcards are also supported.


For more information, see Syntax for scope criteria on page 86.

6. (Optional) To verify the defined scope against your environment, click Show
Members.
The system generates a list of discovered objects that match the scope criteria.


7. Click Save.
The new scope is included in the list of predefined scopes on the Scope tab.
Any compliance policy can use the new scope.

Syntax for scope criteria


Customized compliance scopes can define precise groups of objects to include or
exclude when a policy runs. Scope criteria can be simple value statements or complex
combinations using wildcards.
To create a custom scope, edit an existing compliance policy or create a new one. The
Scope tab contains a Create Scope button.
The same set of scopes is available to all policies. After you create a new scope, you
can assign that scope to any compliance policy.
Basic Construct
The basic construct for specifying scope criteria is:

property_name = 'value'

or

property_name = 'pattern'

where:
property_name
Is a property field in the database.

value
Is the value to match.

pattern
Is a string that uses wildcards to describe a set of values to match.

Complex construct
You can form complex scope criteria by combining basic constructs using the AND
(&), OR (|), and NOT (!) operators. For example:

devtype='Array'&vendor='EMC%'&sstype='Block'

device='mqqb080'|device='mqqb081'

!device=='mhmbd014_LDAP'

A complex scope can include parentheses if needed to indicate operational
precedence. For example:

devtype='Array'&(vendor='EMC%'|vendor='Dell%')


Wildcards and patterns


Wildcards are placeholders for characters in a value. The wildcards that are supported
are SQL wildcards and work the same as they do in a SQL SELECT statement. The
following table shows the wildcards that are supported and examples.

Table 14 Wildcards in scope statements

Wildcard   Description and Example

%          Placeholder for one or more characters.
           xxx...%    Value starts with xxx...
           %xxx...    Value ends with xxx...
           %xxx...%   Value contains xxx...
           Examples:
           devdesc='Lin%' finds Linux and Linux 6.
           device='%013' finds serverA013 and serverB013.
           device='%013%' finds dept013Server, serverA013, and 013serverB.

_          Placeholder for any one character.
           Example:
           devdesc='_inux' finds Linux and linux.
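
The scope syntax above can be dry-run offline before a policy depends on it. The following is an added example, not ViPR SRM code: a small evaluator for the criteria grammar that lists which devices a scope selects and which devices no scope selects, and so would never be checked. Function names and the inventory are hypothetical; it assumes SQL LIKE semantics (consistent with the guide's `%013%` example finding serverA013), case-sensitive comparison, `&` binding tighter than `|`, and that `=` and `==` are equivalent.

```python
import re

# Constructed inventory. Property names are the ones the guide uses in its
# scope examples; device names and values are sample data, not product output.
INVENTORY = [
    {"device": "serverA013", "devtype": "Host", "devdesc": "Linux 6", "pvendor": "Emulex"},
    {"device": "serverB013", "devtype": "Host", "devdesc": "linux", "pvendor": "Emulex"},
    {"device": "dept013Server", "devtype": "Host", "devdesc": "Linux", "pvendor": "QLogic"},
    {"device": "array01", "devtype": "Array", "vendor": "EMC Corporation", "sstype": "Block"},
    {"device": "array02", "devtype": "Array", "vendor": "Dell", "sstype": "Block"},
    {"device": "array03", "devtype": "Array", "vendor": "Other Vendor", "sstype": "File"},
]

# One token: a property name, a single-quoted literal, or an operator.
TOKEN = re.compile(r"\s*(?:(?P<name>[A-Za-z_]\w*)|'(?P<str>[^']*)'|(?P<op>==|=|&|\||!|\(|\)))")

def tokenize(criteria):
    criteria = criteria.strip()
    pos, tokens = 0, []
    while pos < len(criteria):
        m = TOKEN.match(criteria, pos)
        if m is None:
            raise ValueError(f"cannot parse scope criteria at offset {pos}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def like_match(pattern, value):
    """SQL LIKE: % is any run of characters (including none), _ is exactly one."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def compile_scope(criteria):
    """Turn a scope criteria string into a predicate: record dict -> bool."""
    tokens, pos = tokenize(criteria), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)

    def advance():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def parse_or():  # lowest precedence (assumption)
        node = parse_and()
        while peek() == ("op", "|"):
            advance()
            node = (lambda a, b: lambda rec: a(rec) or b(rec))(node, parse_and())
        return node

    def parse_and():
        node = parse_factor()
        while peek() == ("op", "&"):
            advance()
            node = (lambda a, b: lambda rec: a(rec) and b(rec))(node, parse_factor())
        return node

    def parse_factor():
        kind, text = advance()
        if (kind, text) == ("op", "!"):
            inner = parse_factor()
            return lambda rec: not inner(rec)
        if (kind, text) == ("op", "("):
            inner = parse_or()
            if advance() != ("op", ")"):
                raise ValueError("missing ')' in scope criteria")
            return inner
        if kind == "name":
            op, literal = advance(), advance()
            if op not in (("op", "="), ("op", "==")) or literal[0] != "str":
                raise ValueError(f"expected {text} = 'value'")
            pattern = literal[1]
            # Assumption: a record without the property never matches.
            return lambda rec: text in rec and like_match(pattern, str(rec[text]))
        raise ValueError("expected a comparison, '!' or '('")

    predicate = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens in scope criteria")
    return predicate

def scope_members(criteria, inventory=INVENTORY):
    predicate = compile_scope(criteria)
    return [rec["device"] for rec in inventory if predicate(rec)]

def uncovered(scopes, inventory=INVENTORY):
    """Devices that no scope in the list selects, i.e. that no policy would check."""
    predicates = [compile_scope(s) for s in scopes]
    return [rec["device"] for rec in inventory if not any(p(rec) for p in predicates)]

if __name__ == "__main__":
    scopes = ["devdesc='Lin%' & pvendor='Emu%'", "devtype='Array'&(vendor='EMC%'|vendor='Dell%')"]
    for s in scopes:
        print(s, "->", scope_members(s))
    print("in no scope:", uncovered(scopes))
```

In the sample data, serverB013 reports `linux` in lowercase and falls outside `devdesc='Lin%'` under the case-sensitive assumption, while `devdesc='_inux%'` selects it; Show Members in the product remains the authoritative check.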

Research database property_name


To create a scope, you need to know the property_name used in the APG database for
the property you want to match against. A quick way to find property names is to use
the property selection helper, a tool that is available from various locations on the
Console.

Use property selection helper to research property names


The property selection helper tool lists all property names in the databases, along with
aliases and descriptions, if available.
The database property names are required for activities such as:
l Creating filters and compliance scopes
l Creating reports or adding new properties to existing reports
l Searching the database
The property selection helper is available in various locations throughout the Console.
The following procedure describes how to use it from the Advanced Search interface.
Procedure
1. From any report on the reporting Console, click the arrow for advanced search.
The advanced search arrow is located at the top of any report, as shown here:


2. On the right side of the Expansion field, click the property selection helper icon.

3. On the dialog that appears, click the APG tab.


The tabs identify available databases. For compliance scopes, you want
properties from the APG database.
4. In the search field at the bottom of the dialog, type a search word to research.
The search is performed on the property names, aliases, and the property
descriptions.

For example, searching for port returns property names with port anywhere in
the name, alias, or description.
5. To scan descriptions, hover the cursor over the property names.


6. Take note of the database property names you need for your scope definition,
and click Cancel to exit.

Scenario: Create a custom compliance policy


This compliance use case shows how to create a customized compliance policy that
validates the HBA driver and firmware for a group of Linux hosts.
In this example, we create a new policy for a group of Linux hosts that are configured
with Emulex HBAs. We then create a rule that validates the driver and firmware
versions for all members of the group. We show all steps to configure the rule to
reflect the current environment.
To ensure continued compliance to the current environment, we run the new policy on
a recurring schedule. For the future, we can easily change the policy to validate
against new driver and firmware versions.

Create a policy
Create a new compliance policy, name the policy, and provide a description.
Procedure
1. Log on to the ViPR SRM Console, and click Administration > Modules >
Storage Compliance > Policy & Rules Management.
2. Click Create Policy.
3. On the Create Policy page, for Select Policy Template, select Empty Policy.
An empty policy will not contain any rules; we will create the rules from scratch.
4. Complete the Description tab:
a. For Policy Name, type a name for the policy. For example, type Linux HBA
Validation.

b. For Policy Description, type a descriptive explanation of what the
policy will validate.


Create a scope
Create a scope to define the group of objects that this compliance policy should
monitor.
ViPR SRM provides built-in scopes that are useful for applying a policy to a general
object type, such as All Virtual Machines.
You can select one of these built-in scopes if they are adequate for your purpose. If
not, you can create a customized scope by defining a new filter.

Note

You can edit user-created scopes but not the built-in scopes. You can copy a built-in
scope, and then edit the copy.

The following steps show how to create a new, customized scope that is specific to
our example.
Procedure
1. Click the Scope tab.

2. Scroll down, reviewing the list of built-in scopes.


In this case, you determine that none of the existing scopes apply to the current
use case.
3. Click Create Scope at the bottom of the page.


4. Complete the fields on the Create Scope page.


a. For Name, enter a descriptive phrase. For example, enter Linux hosts with
Emulex HBA.
b. For Criteria, enter a string that defines the members of the group. The
following string defines a group of Linux hosts that use Emulex HBAs:

devdesc='Lin%' & pvendor='Emu%'

• The devdesc property defines the host operating system to match. In
this example, Lin% matches all versions of the Linux operating system.
For AIX, enter AI%. For Solaris, enter Sol%. For Windows, enter Mi%.
• The pvendor property is the HBA vendor name. The example above is
for Emulex HBAs. For QLogic, enter QL%.

For more information about supported wildcards, see Syntax for scope
criteria on page 86.
5. Click Show Members to show a list of results from the scope you defined.
6. Review the members and change the filter if the results are not what you
expected.
7. Click Close.
The new scope is added to the list of scopes.
8. Locate the new scope you just created, and click the check box to select it.


9. Proceed to the Rules tab.

Note

If you click Save at this point, the system attempts to save the policy, which
generates an error because there are no rules in the policy.

Add a rule
A policy can have one or more rules. The rules criteria define the specific values to
monitor.
This procedure describes how to add an existing rule to a policy. To create a new rule,
see Create a new rule on page 108.
Procedure
1. Click the Rules tab.
2. Click Add Rule.
3. Using the drop-down list in the Name column, select Supported HBA Vendor
Model Driver and Firmware.


4. Complete the Criteria For Selected Rule field as follows:


a. Type fictitious values for Supported Model, Supported Firmware, and
Supported Driver.

Note

For the purpose of this use case, we want to generate breaches for
noncompliant host HBAs. The breach message will describe discovered
values in the environment, and we will use that information to revise this rule
to validate against the current environment.

b. Uncheck Supported Vendor because we defined Emulex in the scope.

5. For State, select Enabled.


6. For Recommendation, type text that provides instructions to the person
responsible for resolving the compliance violation.
7. Click Save to save the new rule.


Schedule the policy for automatic runs


You can schedule the policy to run automatically. Various drop-down menus let you
specify exactly the month, day, hour, and minutes of automatic runs.
Procedure
1. Click the Schedule tab.
2. Use the drop-down menus to set the frequency of automatic runs for the policy.
The example here sets the policy to run every hour on the hour.


Save, enable, and run the new policy


Save and enable the new policy. Then you have the option of waiting for an automatic
run at the scheduled time, or running the policy on demand.
Procedure
1. Click Save on any of the tabs to save the new policy.
2. On the list of policies, scroll to find the policy you just created.
3. Click the new policy, and then select Enable.
4. Click the new policy again and select Run Now.

View breach reports


See the results of the policy run on the ViPR SRM breach reports.
You can view breach reports from the summary level and drill into the details, or view
breaches for a specific policy.
Procedure
1. From the Administration page, click User Interface in the banner.
2. Go to Operations > Compliance > Breach Summary.
This dashboard provides summary information and access to the following
reports: Breaches by Severity, Breaches by Policy, Occurrence by Severity,
and the All Breaches report.
3. Place your cursor over bars in the bar charts to see the count of breaches for a
severity or a policy.
The first value shows the number of breaches related to the policy and the
second number shows the total number of breaches across all policies.
4. Click the Breaches by Policy title.
5. In the full Breaches by Policy report, click on a bar in the chart to drill into the
breaches for a specific policy.
Observe also that the Breaches by Policy node in the navigation tree expanded
to show all of the policies that have breaches.
6. In the navigation tree, select the report for the HBA Validation Policy.
7. Find a breach and analyze the message.


In the example below, the breach message is:

An unsupported Firmware version present as part of HBA : com.hp.fcd-3
installed on Host: lgloe149. Found 5.4.0 instead of 12345.

You can resolve this breach by updating the Supported Firmware criteria in the
HBA Validation rule to include or equal the value 5.4.0.

Note

Use the found value only if you consider it to be valid in your environment. If it is
not valid, then you need to upgrade the HBA to use different firmware, and
update the rule criteria accordingly.

Edit the rule to include the found value


Change the criteria in the rule to include the found value, rather than the fictitious
value that you initially configured.
Procedure
1. Go to Administration > Modules > Storage Compliance > Policy & Rules
Management.
2. In the list of policies, click the checkbox in the first column for our customized
policy (Linux HBA Validation) and then click Edit.
3. On the Edit Policy page, click the Rules tab.
4. Click the checkbox in the first column for the rule Supported HBA Vendor
Model Driver and Firmware, and then click Edit.
5. In the Criteria For Selected Rule field, replace the fictitious value originally
entered with the found value that appeared in the breach.
• Make sure the operator is EQ.
• Type the found value from the previous task (5.4.0).
Here is the changed rule criteria for Supported Firmware.

6. Click Save.
7. Click the policy row and select Run Now.

8. Watch the Last Run column to notice when the policy is finished running.

Review the breach report for all found values


Use the Inactive Breaches report to verify that the found value that we added to the
rule actually resolved some breaches. Then, use the Active Breaches report to
identify all additional values to add to the rule; that is, all found values for firmware,
drivers, and HBA models.
When the policy is finished running, return to the User Interface Console to review the
breach reports.
Procedure
1. Click User Interface in the banner.
2. Go to Operations > Compliance > All Breaches > All Inactive Breaches.
Inactive breaches are previous breaches that were resolved in the reporting
period.
3. Review the Inactive Breaches report to confirm that there are now resolved
breaches for the Linux HBA Validation policy for the supported firmware value
that you just corrected in the rule.
4. Go to Operations > Compliance > Breach Summary > Active Breaches by
Policy > policy_name (our example customized policy name is Linux HBA
Validation).
5. In the Message column for active breaches, look for other found values for
models, drivers, and firmware. Record them so you can update the rule to use
your existing infrastructure as the reference for validations.
Found Firmware versions:___________________
Found Driver versions:____________________
Found HBA Models:___________________

Edit the rule to add all found values and rerun the policy
Edit the rule to include all of the found values for Linux HBAs in your current
environment (assuming that you want to enforce the current environment going
forward).
Procedure
1. Go to Administration > Modules > Storage Compliance > Policy & Rules
Management.
2. Right-click the Linux HBA Validation policy and select Edit.
3. Click the Rules tab.
4. Click to select the row for the Supported HBA Vendor Model Driver and
Firmware rule.

5. In the Criteria For Selected Rule field, complete the criteria fields for
Supported Model, Supported Firmware, and Supported Driver.

Use the found values you noted earlier from the Active Breaches report.
• To enter multiple values in a field, select the IN operator in the drop-down
list and use a comma to separate values. For example, the following criteria,
when used with the IN operator, enforce two values:

5.4.0,3.92A2

• Use wildcards to indicate multiple values or simply to reduce complexity for a
long value. For example, the following criteria, when used with the IN
operator, enforce any value that starts with 8.2.0.3 (such as
8.2.0.33p;HBAAP(1)v2.1g) or is 8.2.4:

8.2.0.3*,8.2.4

• The IN operator supports regular expressions with the following wildcard
symbols:
◦ asterisk (*)
◦ question mark (?)
• Here are completed criteria for Supported Firmware and Supported
Driver.

6. Click Save.
7. Right-click the HBA policy and select Run Now.
8. Watch the Last Run column to track when the policy is finished running.
9. Go to User Interface > Operations > Compliance > Breach Summary >
Breaches by Policy > HBA Validation Policy.
10. Review the policy's All Active Breaches report to make sure that no
breaches remain.
If there are additional breaches, you can edit the rule again to add additional
values to the rule.

Results
When no additional breaches remain, you have successfully created a rule that
enforces the current running environment.
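
A way to check proposed IN criteria against the found values before saving the rule, as an added example that is not part of this guide or of ViPR SRM. It assumes breach messages follow the layout of the single example message shown earlier, that * matches any run of characters and ? exactly one character, and that matching is case-sensitive over the whole value; every sample message except the first is constructed.

```python
import re

# Layout assumed from the one example breach message in this guide.
BREACH_RE = re.compile(
    r"HBA\s*:\s*(?P<hba>\S+)\s+installed on Host:\s*(?P<host>\S+?)\.\s+"
    r"Found\s+(?P<found>.+?)\s+instead of\s+(?P<expected>.+?)\.?$"
)


def parse_breach(message):
    """Return hba, host, found and expected from one message, or None."""
    flat = " ".join(message.split())  # exported reports may wrap the message
    match = BREACH_RE.search(flat)
    return match.groupdict() if match else None


def split_criteria(criteria):
    """Split a comma-separated criteria string; surrounding blanks are dropped
    (an assumption, the guide does not say how the product treats them)."""
    return [p.strip() for p in criteria.split(",") if p.strip()]


def compile_in_criteria(criteria):
    """Build one regex from the criteria: * -> any run, ? -> one character,
    everything else literal (so '.', '(' and ';' in versions stay literal)."""
    alternatives = []
    for pattern in split_criteria(criteria):
        alternatives.append("".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
            for ch in pattern))
    if not alternatives:
        raise ValueError("criteria string is empty")
    return re.compile("|".join("(?:%s)" % alt for alt in alternatives))


def wildcard_only_patterns(criteria):
    """Patterns with no literal characters accept every value, which turns
    the validation into a no-op. Report them for review."""
    return [p for p in split_criteria(criteria)
            if "*" in p and set(p) <= {"*", "?"}]


def review_criteria(messages, criteria):
    """Sort found values into covered / uncovered by the proposed criteria.
    Each result maps a found value to the hosts that reported it."""
    matcher = compile_in_criteria(criteria)
    covered, uncovered, unparsed = {}, {}, []
    for raw in messages:
        breach = parse_breach(raw)
        if breach is None:
            unparsed.append(raw)
            continue
        bucket = covered if matcher.fullmatch(breach["found"]) else uncovered
        bucket.setdefault(breach["found"], []).append(breach["host"])
    return covered, uncovered, unparsed


PREFIX = "An unsupported Firmware version present as part of HBA : "
SAMPLE_MESSAGES = [
    # The guide's own example message, with a line wrap left in.
    PREFIX + "com.hp.fcd-3\ninstalled on Host: lgloe149. Found 5.4.0 instead of 12345.",
    # Constructed messages (HBA and host names are placeholders).
    PREFIX + "hba-x1 installed on Host: host-a. Found 8.2.0.33p;HBAAP(1)v2.1g instead of 12345.",
    PREFIX + "hba-x2 installed on Host: host-b. Found 8.2.4 instead of 12345.",
    PREFIX + "hba-x3 installed on Host: host-c. Found 8.2.40 instead of 12345.",
    PREFIX + "hba-x4 installed on Host: host-d. Found 3.92A2 instead of 12345.",
    "Constructed line that is not a breach message",
]

if __name__ == "__main__":
    proposed = "5.4.0,8.2.0.3*,8.2.4"
    covered, uncovered, unparsed = review_criteria(SAMPLE_MESSAGES, proposed)
    print("covered:  ", covered)
    print("uncovered:", uncovered)   # values still to vet or remediate
    print("unparsed: ", len(unparsed))
    print("match-all patterns:", wildcard_only_patterns(proposed))
```

Values left in the uncovered set are the ones to vet before adding them to the rule; a pattern reported as wildcard-only would accept any firmware and should not be saved.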

Summary
In this use case, you created a new compliance policy that monitors a group of hosts
for compliance with a customized set of drivers and firmware.
In the future, new versions of drivers and firmware are likely to become the preferred
versions. To handle that scenario, you know how to edit the policy's rule to change the
monitored values and keep the compliance policy current with business rules.

CHAPTER 8
Create New Rules

The following topics describe the components and construction of a compliance rule.

• About compliance rule definitions
• Using the graphical interface
• Component reference for compliance rule definitions

About compliance rule definitions


A rule definition defines the data to process, the conditions to validate, and the
outcomes. It consists of configurable components that are connected to define a
process flow.
A graphical interface defines the components, how they are connected, and their
configurable parameters.
Predefined rules
The Compliance Module is installed with a set of predefined rules. These rules are
already assigned to the predefined policies, and are also available for you to add into
any custom policies that you create.
The predefined rule definitions are locked. You cannot view or edit them. You can,
however, copy them, and view or edit the copy.

Note

Editing a rule definition means changing the underlying construction of the rule. This is
not the same thing as configuring the rule criteria, which is the feature that permits
reusing the same rule in different policies and for different scopes.

New rules
Administrators can use the graphical interface to create new rules. Some reasons for
creating a new rule are:
• To implement a new type of compliance checking that is not covered by any of the
predefined rules.
• To alter the basic construction of a predefined rule to accommodate your business
practices. Because the predefined rules are locked, you would copy the rule and
change the copy.
You can add a custom rule to any compliance policy. A rule can be used in multiple
policies.

Using the graphical interface


You use the Rule Definition graphical interface for viewing, modifying, configuring, and
creating compliance rules.
Build a rule definition
To access the graphical interface, go to Administration > Modules > Storage
Compliance > Rule Definitions, and click Create Rule.
A blank whiteboard appears. Available components appear in the column on the right.
To build a rule definition, you drag graphical symbols from the column on the right
onto the whiteboard.

When you release the drag, an Edit Component dialog appears. Configure the
component by completing the fields on the dialog.
• Use the ? icons on the dialog to learn about the parameters.
• Red asterisks indicate required parameters. You must supply a value for them;
otherwise you cannot save the configuration.
• Click OK to save the configuration and exit the dialog.
• To change parameters later, you can edit the component.
Connect components
To specify the processing flow and relationships between components, you connect
the symbols.
To connect components, click and drag from an output connection point on one
component to an entry connection point on another component. Connection points
are small yellow squares on the perimeter of a component. Release the drag when the
input connection point turns green.

Note

Remember to start the drag at an output connection point and drag to an entry
connection point.

• Output connection points are on the right side of a component. You can connect
multiple objects to the same output.
• Entry connection points are on the left side of a component.

Components might have multiple exit connection points. For example, components
with filters or conditional possibilities have multiple possible outcomes. To identify the
outcome that a connection point represents, hover the cursor over the yellow square
until a tooltip appears. The following example shows two possible outcomes from a
filter in the APG Data Retrieval component:

The processing flow is typically different for different outcomes. Depending on the
purpose of the rule, an empty result might end the flow altogether, or might lead to an
Active Breach or a Breach Resolution.
Disconnect components
To remove a connector, drag the end point of the line (at an entry connection point)
away from the component. When you release the drag, the line disappears.

Rearrange components
Rearrange components on the whiteboard by dragging them. If symbols are
connected, the end points of the connectors travel with the component.
Manage or edit a component
To manage or edit a component, hover the cursor over the component until a
mini-menu appears.
Click an icon in the mini-menu.

Delete   Removes the component from the whiteboard.
Copy     Adds another component of the same type with the same configuration
         values onto the whiteboard.
Edit     Opens the component's configuration dialog so you can edit the
         parameters.

Copy and view an existing rule definition


One way to learn about rule definitions is to view an existing rule.
This procedure illustrates the composition of a rule definition by copying and viewing
the predefined rule named Supported Switch Firmware.
Procedure
1. Navigate to Administration > Modules > Storage Administration > Rule
Definitions.
2. In the table of rule definitions, click the row for Supported Switch Firmware,
and select Copy.
3. Click OK to confirm the copy request.
A new entry appears in the table, with the name Supported Switch Firmware -
Copy. The new rule is not locked.
4. Click the new rule and select Edit.
5. Click OK to confirm the edit request.
The graphical view of the rule appears on the whiteboard.

6. To view the data being captured for this rule, hover your cursor over the APG
Data Retrieval component until the mini-menu appears, and click the Edit
(pencil) icon.

7. In the Edit Component dialog, note the following:

Field        Description
Name         Contains an identifying phrase for this component. You will see
             the phrase referenced in other components.
Filter       Specifies an index into the APG database. In this case, the data
             being retrieved relates to ports on fabric switches.
Properties   Specifies the properties to retrieve from the filtered data. In this
             case, the device and firmware properties are retrieved.

Note

Multiple properties are separated by commas, with no spaces permitted.

8. To view how the comparison to a user-provided firmware value is constructed,
hover your cursor over the Comparator component until the mini-menu
appears, and click the Edit (pencil) icon.

9. In the Edit Component dialog, note the Parameters section.


The retrieved Firmware property value is compared to a user-defined input
value. The Type field defines the source of the value to compare against, as
follows:

Selected Type   Description
userDefined     The value to compare against is configured by the user in the
                Policy & Rule Management UI. The field becomes a required
                criterion that a user must configure before enabling the rule.
systemDefined   The value to compare against is configured in the rule
                definition, on this dialog, in the Compare-To field.

10. Use the ? icons to learn about parameter usage and valid options.
11. Click OK on the Edit Component dialog to exit.
12. To view how the results of the comparison are configured, hover over the
comparator's outcome nodes.

The comparator has two outcomes:


• A false outcome (firmware is not equal to the user-defined value) results in
an Active Breach.
• A true outcome results in a Resolved Breach to indicate compliance.

Note

The Inactive Breach reports only display resolved breaches if they match a
previous Active Breach.

13. To view how the breach is configured, hover the cursor at the top of the Active
Breach component, and click Edit in the mini-menu.
The Edit Component dialog for the Active Breach component opens. Here is
the breach message:

An unsupported firmware version is installed on the switch. Found OPER.'Operation for fetching Supported Switch Firmware Version:Firmware' instead of INPUT.

14. Notice the parameter usage in the message above:


• OPER.'operationName:propertyName' references the operation in the
APG Data Retrieval component and the retrieved value for the Firmware
property. The operationName is case-sensitive and must be exactly the
same as what is specified for the referenced component name.
• INPUT references the user-defined value.

15. Click OK on the Edit Component dialog to exit the dialog.


16. Click Save or Cancel to exit the whiteboard.

Create a new rule


You can create a new compliance rule.
Procedure
1. Navigate to Administration > Modules > Storage Compliance > Rule
Definition.
2. Click Create Rule.
3. Drag the Default Entry component from the right column onto the whiteboard.
This is the required starting component for a rule definition.

When you release the drag, the Edit Configuration dialog for the new
component appears.
4. Type a name for the component, and click OK.
Each component has a name, which allows you to reference the output from
one component in another component.

Note

Attributes for the entire rule, such as a Rule Name, Severity, Type, and
Description, are provided at the end of this process, after you finish adding and
configuring components, and after you click Save.

5. In the right column, click a category to expand it.


For example, click Operation.
6. Drag an Operation component onto the whiteboard.
For example, drag APG Data Retrieval.

When you release the drag, the Edit Configuration dialog for the new
component appears.
7. Configure the component.
You must supply values for all required parameters; otherwise, the system will
not save the configuration.
8. Click OK to save the configuration and exit the dialog.
9. Connect the components by dragging from the Default Entry output
connection point to the APG Data Retrieval input connection point.
10. Drag an Executor Service operation after APG Data Retrieval, and add the
proper connectors.
The Executor Service operation helps improve the performance of rule
validation. It is a required operation after APG Data Retrieval. It is highly
recommended to have only one Executor Service operation per rule.

11. Continue to add components and connectors.


A rule should terminate with Active Breach and Resolve Breach actions.
12. Click Save.
The Save Rule Definition dialog appears.
13. Complete the dialog. The values in this dialog are used to describe the rule in
the Rule Definition table.

Name             Rule name.
Description      Rule description.
Severity         Severity assigned to breaches of this rule.
Recommendation   Instructions to users for how to fix breaches of this rule.
                 This information appears in the breach reports.
Rule Type        The category for this rule. Rules are listed by category in
                 the Add Rule list. You can use an existing type, or create a
                 new one.
Device Type      The device type that this rule applies to, for descriptive
                 purposes. This value is used on the Operations >
                 Compliance > Policies > View Rules report, in the
                 Applies On column.

14. Click Save.


The new rule appears in the Rule Definition table. It also appears in the list of
available rules when a user clicks Add Rule on the Rules tab in a Policy
configuration.

Copy a rule definition


Copy an existing rule definition to have a starting point for creating a new rule.
Procedure
1. Navigate to Administration > Modules > Storage Compliance > Rule
Definition.
2. Click the rule you want to copy, and select Copy.
The copied rule appears in the Rule Definition table, with a name of
originalRuleName - Copy.
3. To change the name of the copy:
a. Click the row and select Edit.
b. Click Save below the whiteboard.
The Save Rule Definition dialog appears.
c. Change the Name field.
d. Click Save.

Edit a rule definition


You can change or add additional components to an existing rule definition.
Procedure
1. Click Administration > Modules > Storage Compliance > Rule Definitions.
2. Click the rule you want to edit and select Edit.

Note

You cannot edit locked rules. Instead, copy the rule and edit the copy.

A graphical representation of the rule definition appears on a whiteboard, with
an expanding list of available components on the right.
3. To reconfigure an existing component:
a. Hover the cursor over the component until a menu of small icons appears
above the component, and click Edit (pencil icon).

b. Make changes to the component's configuration in the dialog that appears.


c. Click OK to preserve the changes and exit the dialog.
4. To add a new component:
a. In the list of components on the right, click the type of component you want
to add.
b. Drag the symbol for the desired component from the list onto the
whiteboard.
c. Complete the configuration dialog that appears when you release the drag,
and click OK.
To reconfigure the component later, hover the cursor over the symbol and
click the Edit icon that appears.

d. Add the new component into the process flow by dragging a line between
connection points on the symbols.
• Start the drag from an outcome connection point, on the right side of a
symbol.
• Drag to an entry connection point on the left side of a symbol.

5. Move components around on the whiteboard by dragging them.


6. Click Save at the bottom of the whiteboard.
The Save Rule Definition dialog appears.
7. Make changes to the descriptive information about the rule, if needed.
8. Click Save.

Component reference for compliance rule definitions


You create a rule definition by dragging components onto a whiteboard and
configuring each component.
Each component has an associated configuration dialog. Use the ? icons in the dialogs
to view usage guidelines for each field.

Note

Attributes for the entire rule definition, such as the rule name and rule description, are
assigned after you finish dragging and configuring the individual components and after
you click Save.

Entry point component


An Entry Point component is the starting point for the processing flow.
Default Entry
The Default Entry component is the required starting point for a compliance rule
definition. The next component in the processing flow is an Operation or a Comparator
component.

Note

You cannot connect a Default Entry directly to an Action component.

Table 15 Attributes for Default Entry component

Field         Description
Name          Required name for this component. The name may include spaces.
Description   Optional description for this component.

Operation components
The Operation components retrieve and manipulate data.
APG Data Retrieval
Use the APG Data Retrieval operation to retrieve properties from the APG database.
The property values are forwarded to the next component in the rule flow. The dialog
contains the following configuration fields:

Field name                      Description
Name                            The name of the operation. May contain spaces. The name can be
                                used later in the processing flow to reference a property value
                                retrieved by this component. The reference is in the form:
                                OPER."name":property
Type:                           The type of retrieval operation.
  APG Data Retrieval            Retrieves the specified properties and forwards each set individually
                                to the next operation in the flow.
  APG List Retrieval            Retrieves the specified properties and forwards the results as a list
                                (array) to the next operation in the flow.
  APG Group By Data Processing  Receives grouped data from a previous operation and processes each
                                group.
  APG Group By Retrieval        Retrieves the specified properties, groups them, and forwards the
                                grouped data to the next operation in the flow.
  APG List Group By Retrieval   Retrieves the specified properties, groups them, and forwards the
                                grouped results as a list (array) to the next operation in the flow.
  APG Result Set Count          Counts the result set from a previous operation and sends the counter
                                value to the next operation.
                                Reference the count value in the next operation using the count
                                field.
  APG Result Set Processing     Receives data from a previous operation, applies a filter, and forwards
                                specified properties to the next operation.
  APG Sub Query Processor       Receives data from a previous operation, applies a filter, applies a
                                second filter to the result set from the first filter, and forwards
                                specified properties to the next operation.
Description                     Optional description of this operation.
Filter                          Describes the records to examine in the database. The default filter
                                chooses all records.
                                Right-click in the filter box to show menu options for creating a valid
                                filter. Choosing Refine > using a wizard is recommended.
Properties                      Lists the property names to retrieve from the filtered records. Use
                                commas to separate multiple properties. Do not include spaces.
                                To research property names:
                                1. Click the icon next to the property text box.
                                2. Click the APG tab.
                                3. Start typing the property name.
                                4. Select a property from the list.
Group-by                        Only available when the chosen Type uses groups. This is the property
                                name used to form the groups of result data.

Topology Data Retrieval

Topology Data Retrieval


Use the Topology Data Retrieval operation to retrieve and process properties from the
Topology database. The property values are forwarded to the next component in the
rule flow. The dialog contains the following configuration fields:

Field name                           Description
Name                                 The name of the operation. May contain spaces. The name can be
                                     used later in the processing flow to reference a property value
                                     retrieved by this component. The reference is in the form:
                                     OPER."name":property
Type:
  Topology Data Retrieval            Retrieves the specified properties and forwards each set individually
                                     to the next operation in the flow.
  Topology Group By Retrieval        Retrieves the specified properties, groups them, and forwards the
                                     grouped data to the next operation in the flow.
  Topology Group By Data Processing  Receives grouped data from a previous operation and processes each
                                     group.
Description                          Optional description of this operation.
Filter                               A SPARQL query that describes the records to examine in the
                                     Topology database.
Properties                           The property names to retrieve from the filtered records. Use
                                     commas to separate multiple properties. Do not include spaces.
                                     To research property names:
                                     1. Click the icon next to the property text box.
                                     2. Click the Topology tab.
                                     3. Start typing the property name.
                                     4. Select a property from the list.
Group-by                             Only available when the chosen Type uses groups. This is the property
                                     name used to form the groups of result data.

Executor Service
This component adds multithreaded capability to the rule and helps improve the
performance of rule validation.
An Executor Service is required in every rule. It should be added after an APG Data
Retrieval or Topology Data Retrieval operation. It is highly recommended to have only
one Executor Service operation per rule.
Data Concatenation
This operation concatenates retrieved properties.
In the concatenated string, you can use constants except for comma and space; those
two are used as separators in DataConcatenateOperation.
For an example using concatenated strings, see the out-of-the-box rule called
Supported multipathing software. That rule concatenates the value of part and
version to create, for example, the value Powerpath 6.0.
Case
This operation sends data to each of multiple conditions until a condition is met.

About groups in rules definitions


A group in an Operation component classifies the retrieved data into groups based on
the specified Group-By field.
Group retrieval works as follows:
1. The operation first retrieves all of the requested property values using the
specified filter. This list of properties forms the result set.
2. The result set is traversed and grouped together using the property specified in
the Group-By field.
3. Each group is pushed to the next element one by one for further processing.
For example, consider the following HBA setup:

Hosts (device)   HBAs    HBA model (model)
H1               HBA-1   M1
                 HBA-2   M1
                 HBA-3   M2
                 HBA-4   M2
H2               HBA-a   M1
                 HBA-b   M1
                 HBA-c   M1
                 HBA-d   M1

If an operation retrieves the device and model properties, and the Group-By field is
device, the data is grouped as follows:

(H1={M1, M1, M2, M2}, H2={M1, M1, M1, M1})

First H1={M1, M1, M2, M2} is pushed to the next operation. Then H2={M1, M1, M1,
M1} is pushed.
Example rules
The following predefined rules use groupings in data retrieval operations:
• Multiple tenants accessing same virtual pool
• Uniform HBA hardware on host
• Several zoning-related rules
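
The three group retrieval steps applied to the HBA setup above, followed by a uniformity check of the kind a rule such as Uniform HBA hardware on host needs, as an added example rather than product code. Reading "uniform" as "every model in the group is identical", and the hba field name, are assumptions.

```python
# Filtered records for the HBA setup in the table above. The "hba" key is an
# assumed name used only to label rows; "device" and "model" are the
# properties named in the guide's example.
ROWS = [
    {"device": "H1", "hba": "HBA-1", "model": "M1"},
    {"device": "H1", "hba": "HBA-2", "model": "M1"},
    {"device": "H1", "hba": "HBA-3", "model": "M2"},
    {"device": "H1", "hba": "HBA-4", "model": "M2"},
    {"device": "H2", "hba": "HBA-a", "model": "M1"},
    {"device": "H2", "hba": "HBA-b", "model": "M1"},
    {"device": "H2", "hba": "HBA-c", "model": "M1"},
    {"device": "H2", "hba": "HBA-d", "model": "M1"},
]


def retrieve(rows, properties):
    """Step 1: build the result set from the Properties field.
    Properties are comma-separated and must not contain spaces."""
    names = properties.split(",")
    if any(not name or name != name.strip() for name in names):
        raise ValueError("Properties must be comma-separated with no spaces")
    return [{name: row[name] for name in names} for row in rows]


def group_by(result_set, group_by_property):
    """Step 2: traverse the result set and group on the Group-By property.
    Insertion order is kept, so groups come out in first-seen order."""
    groups = {}
    for record in result_set:
        groups.setdefault(record[group_by_property], []).append(record)
    return groups


def push_groups(groups):
    """Step 3: hand each group to the next component one at a time."""
    for key, members in groups.items():
        yield key, members


def uniform_property(members, prop):
    """Assumed comparator: true when every member has the same value."""
    values = [member[prop] for member in members]
    return len(set(values)) == 1, values


def run(rows):
    """Full flow: retrieval -> grouping -> comparator -> action per group."""
    outcomes = {}
    groups = group_by(retrieve(rows, "device,model"), "device")
    for device, members in push_groups(groups):
        is_uniform, values = uniform_property(members, "model")
        action = "Resolve Breach" if is_uniform else "Active Breach"
        outcomes[device] = (action, values)
    return outcomes


if __name__ == "__main__":
    for device, (action, values) in run(ROWS).items():
        # Same notation as the guide: H1={M1, M1, M2, M2}
        print("%s={%s} -> %s" % (device, ", ".join(values), action))
```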

Condition components
Conditions provide a way to test values.
Comparator
A Comparator compares a retrieved property value to a user-defined or system-
defined value. The comparator result is a true or false value. A comparator has two
exit points: one is for the processing flow associated with the true result, and the
other is for the processing flow associated with the false result.
The component dialog contains the following configuration fields:

Field name                      Description
Name                            Name of this operation.
Type:
  String Comparator             Compares a string property value to a configured string value.
  Number Comparator             Compares a number property value to a configured number value.
  Uniform Property Comparator   Ensures that all instances of the named property contain the same
                                configured value. The property name that needs to be uniform is
                                named in the Uniform Property parameter field.
  MultiValue String Comparator  Compares a string property value to a configured set of strings. The
                                result is true if the retrieved value matches any of the configured
                                string values.
Description                     Optional description of this operation.
Property                        The property name to evaluate.
Comparator                      The comparative operation. The choices available are appropriate to
                                the operation.
Status                          The default state of the criterion to display in the rule's configuration.
                                The user can change the state.
                                • enabled: The criterion is active and considered when the rule is
                                  run.
                                • disabled: The criterion is not considered when the rule is run.
Type                            Defines the source of the value to compare against.
                                • userDefined: The value to compare against is configured by
                                  the user in the Policy & Rule Management UI. The field becomes
                                  a required criterion that a user must configure before enabling
                                  the rule. The Compare-To field provides the default value that
                                  can be changed by the user.
                                • systemDefined: The value to compare against is configured
                                  in the rule definition, on this dialog, in the Compare-To field.
Compare-To                      The value to compare to.
                                When the comparator type is MultiValue String Comparator, this field
                                can be a comma-separated set of string values.
Input-Type                      When Type is userDefined, this field defines the look of the
                                criterion field in the rule's configuration.
                                • DEFAULT: Shows a text box.
                                • BOOL: Shows a dropdown menu with Yes and No choices.
                                • CHECKBOX: Shows a set of checkboxes for the user to click
                                  to select.

Uniqueness Comparator
A Uniqueness Comparator determines if a property value or set of property values is
unique within a given key. The key defines the set of retrieved entries to examine, and
the values define the properties to compare for uniqueness within the set.
An example predefined rule that uses a Uniqueness Comparator is the “A zone must
be unique” rule. The uniqueness comparator checks that the members of each zone
are unique. The key is the zone name. The values to check for uniqueness are the zone
member IDs.

Action components
Actions are the end result of the processing flow.
A rule definition terminates with Active Breach and Resolve Breach actions.
Active Breach
Use this action to generate a breach that will appear in the breach reports. A
breach indicates that current conditions violate the rule. The parameters of this
component configure the breach message and breach attributes.
Resolve Breach
A resolve breach indicates that current conditions are in compliance with the rule.
• If a breach was previously reported for the same parameters, then the reports
show that the breach is resolved.
• No reporting activity occurs if there is no outstanding breach for the
parameter values used in the resolve breach.

Parameters in message contents


The message can contain parameters, as follows:

OPER.'operationName:propertyName'   References a previous operational component in the processing
                                    flow by name and a retrieved property value.
                                    • OPER is a literal, used to refer to any previous component
                                      in the processing flow.
                                    • operationName is case-sensitive and must be exactly the same
                                      as what is specified for the referenced component name,
                                      including all relevant spaces.
                                    • propertyName is the property previously retrieved that you
                                      want to reuse.
INPUT                               A literal that references the user-defined value for a
                                    comparator of type userDefined.
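
The comparator outcomes, the Active Breach and Resolve Breach actions, and the message parameters described above, modeled over two policy runs as an added example (not ViPR SRM code). The breach key (rule name plus device), the switch names and the firmware values are constructed assumptions; the message template is the one shown for the copied Supported Switch Firmware rule.

```python
import re

RULE = "Supported Switch Firmware - Copy"
OPERATION = "Operation for fetching Supported Switch Firmware Version"
TEMPLATE = ("An unsupported firmware version is installed on the switch. "
            "Found OPER.'" + OPERATION + ":Firmware' instead of INPUT.")

# One pass over the template, so a retrieved value that happens to contain
# the word INPUT is never substituted a second time.
PARAM = re.compile(r"OPER\.'(?P<ref>[^']+)'|\bINPUT\b")


def render_message(template, retrieved, user_value):
    """Expand OPER.'operationName:propertyName' and INPUT in a message.
    `retrieved` maps each operation name to the properties it returned."""
    def substitute(match):
        ref = match.group("ref")
        if ref is None:                       # the INPUT literal matched
            return str(user_value)
        operation, _, prop = ref.rpartition(":")
        if operation not in retrieved:        # exact, case-sensitive lookup
            raise KeyError("no operation named %r" % operation)
        return str(retrieved[operation][prop])
    return PARAM.sub(substitute, template)


class BreachLedger:
    """Tracks outstanding breaches the way the reports are described:
    a resolve only shows up if a matching active breach exists."""

    def __init__(self):
        self.active = {}     # key -> message (Active Breaches report)
        self.inactive = []   # (key, message) (Inactive Breaches report)

    def active_breach(self, key, message):
        self.active[key] = message

    def resolve_breach(self, key):
        message = self.active.pop(key, None)
        if message is None:
            return False     # nothing outstanding: no reporting activity
        self.inactive.append((key, message))
        return True


def run_rule(rows, user_value, ledger):
    """String comparator with EQ: false -> Active Breach, true -> Resolve."""
    for row in rows:
        key = (RULE, row["device"])           # assumed breach identity
        if row["Firmware"] == user_value:
            ledger.resolve_breach(key)
        else:
            message = render_message(TEMPLATE, {OPERATION: row}, user_value)
            ledger.active_breach(key, message)


# Constructed retrieval results for two consecutive policy runs.
RUN_1 = [{"device": "sw-a", "Firmware": "v7.4.1"},
         {"device": "sw-b", "Firmware": "v8.0.2"}]
RUN_2 = [{"device": "sw-a", "Firmware": "v8.0.2"},   # sw-a was upgraded
         {"device": "sw-b", "Firmware": "v8.0.2"}]


def demo(user_value="v8.0.2"):
    """Return (active keys, inactive entries) after run 1 and after run 2."""
    ledger = BreachLedger()
    run_rule(RUN_1, user_value, ledger)
    first = (sorted(ledger.active), list(ledger.inactive))
    run_rule(RUN_2, user_value, ledger)
    second = (sorted(ledger.active), list(ledger.inactive))
    return first, second


if __name__ == "__main__":
    for number, (active, inactive) in enumerate(demo(), start=1):
        print("run %d active=%s inactive=%s" % (number, active, inactive))
```

In the first run sw-b is compliant but produces no report entry, because it never had an outstanding breach; sw-a appears as inactive only after its earlier active breach is resolved in the second run.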

CHAPTER 9
Compliance Administration

The following topics describe compliance configuration and administration.

• Configure notifications of compliance breaches
• Configure retention duration for breaches and configuration changes
• Restrict access to the compliance module based on RBAC
• Redirect Compliance Frontend in deployments with multiple Frontends

Configure notifications of compliance breaches


Notifications of compliance breaches are in the form of emails to configured contacts
and/or SNMP traps to configured IP addresses.
Notifications are delivered with the help of the ViPR SRM Alerting module. In the
alerting module, alert definitions filter for the alert conditions (breaches, in this case)
and define the desired reaction (emails and SNMP traps).
The Compliance-Breach-Notification alert definition is installed out-of-the-box. This
alert definition filters for all of the out-of-the-box compliance policies. If your
installation creates new compliance policies, those customized policies must be added
to the filter.
The Compliance-Breach-Notification alert definition must be configured and enabled
to make it operational.

Configure the Compliance-Breach-Notification alert definition


You must configure details for both the email and SNMP trap notifications in the
compliance alert definition. Also, the alert definition must be enabled.
Notifications are optional. Skip this topic if notifications about breaches are not
needed in your environment.
The generated email and SNMP trap contain information from the breach message, in
addition to the following fields:
• State
  • 1 = Active
  • 0 = Resolved
• Severity
  • 1 = Critical
  • 2 = Major
  • 3 = Minor
  • 5 = Normal
Procedure
1. Click Administration > Modules > Alerting.
2. Click Alert definitions > Compliance.
3. In the right pane, right-click the Compliance-Breach-Notification row and
choose Configure.
The Configure dialog contains two sections, one for each of the actions defined
in the alert definition:
• Mail Action
• SNMP v1 Trap

4. To complete the Mail Action configuration:


a. (Required) For the To field, type one or more email addresses to receive the
notification. Multiple addresses are separated with a comma.


b. Optionally edit the Subject field. The installed default uses property values
from the breach data to identify the device type and device name in the
subject line.
c. Optionally edit the Message field. The installed default uses property values
from the breach data to display information about a breach.
d. Click Test Action.
e. Wait for a message reporting either success or failure to send the email. It
might take a few minutes for the message to appear while the system
locates the mail server.
f. If the test is successful, click Ok. Otherwise, check the To field, and also
check the global mail server configuration, as follows:
• In the banner area of the Administration interface, click Global Settings.
• On the SMTP Settings tab, verify all fields and edit as needed.
• Click Save.

5. To complete the SNMP V1 Trap configuration:


a. (Required) For Host, type the IP address of the host to receive SNMP
traps.
b. Usually, no further configuration is needed. The installed default sends a
properly formatted trap using data from the breach message.
c. Click Test Action.
d. If the test is successful, click Ok. Otherwise, check all fields and try again.
e. If you need to change the trap data, edit the alert definition as follows:
• Click Save to exit the dialog.
• Right-click the Compliance-Breach-Notification row on the Alert definitions page, and select Edit.
• Double-click the SNMP Trap symbol.
• Scroll down to locate the Trap Content field and edit as needed.
• Click OK, and then click Save.
• Click Save again, and then choose either Save and enable or Save and disable.

6. To implement only one of the notification types (email or SNMP traps), edit the
alert definition and delete the unwanted action.

Note

Before you can enable the out-of-the-box alert definition, both the email and
the SNMP trap notification actions must be configured.

Delete an unwanted action as follows:


• Navigate to Alert definitions > Compliance.
• Right-click the Compliance-Breach-Notification row on the Alert definitions page, and select Edit.
• Hover the pointer over the symbol for the unwanted action until a small menu appears above the symbol, and select the Delete action (red minus icon).
• Confirm the deletion, click Save, and then choose either Save and enable or Save and disable.

7. Enable the compliance alert definition:


a. Navigate to Alert definitions > Compliance.
b. Right-click the Compliance-Breach-Notification row on the Alert
definitions page, and select Enable.

Add new compliance policies to the alert definition filter


If you create a new Storage Compliance policy, you need to add the policy to the filter
in the Compliance-Breach-Notifications alert definition to generate notifications for
breaches of the new policy.
Procedure
1. Click Administration > Modules > Alerting.
2. Click Alert definitions > Compliance.
3. In the right pane, right-click the Compliance-Breach-Notification row and
choose Edit.
4. Double-click the Filtered entry symbol.
5. Right-click in the filter conditions box, and select OR > using a wizard.
6. Type or select policyname.
7. Type or select the new policy's name.
8. Click OK.
9. Verify that your new condition exists correctly in the filter expression below the
box.
It should be:

| PolicyName=='new_policy_name'

To make a correction, right-click on the phrase that needs correcting in the box,
and select Edit expression.

10. Click Ok.


11. Click Save, and then choose Save and enable or Save and disable.

Enable or disable compliance breach notifications


To enable or disable all breach notifications, enable or disable the Compliance-Breach-
Notifications alert definition.
The filter in the Compliance-Breach-Notifications alert definition includes all policies.
With this alert definition, you can enable or disable breach notifications for all policies
with one management action.
Procedure
1. Go to Administration > Modules > Alerting > Alert Definitions >
Compliance.


2. In the right pane, click in the first column to select the Compliance-Breach-
Notifications alert definition.
3. Click Enable or Disable.
Results
All notifications for all breaches are enabled or disabled.

Manage breach notifications for individual policies


To enable or disable breach notifications for specific policies, you can copy the out-of-
the-box alert definition and edit the filter in the copies.
Procedure
1. Go to Administration > Modules > Alerting > Alert Definitions.
2. In the navigation tree, expand Alert Definitions, and then expand Compliance.
3. In the navigation tree, click to select Compliance-Breach-Notifications, and
then click the Copy icon at the top of the navigation pane.
4. In the navigation tree, click to select the Compliance folder, and then click the
Paste icon at the top of the navigation pane.
5. In the dialog that appears, name the copy, and click OK.
The new alert definition appears under the Compliance folder.
6. In the right pane, right-click on the new alert definition, and select Edit.
7. Double-click the FilterEntry symbol.
8. Right-click on whitespace inside the box of filter expressions, and select Edit
expression.
9. Edit the list of policy names to include only the subset you want, and click OK.
10. Click Save, and then choose Save and enable or Save and disable.

Configure retention duration for breaches and configuration changes

The compliance retention duration defines how long breaches and configuration
changes persist in the database.
Breaches and configuration changes older than the configured purgeduration value
are purged from the system. The default setting after installation is 30 days.
Use the following procedure to change the retention period.
Procedure
1. Go to Administration > Centralized Management > Backends >
Compliance-Backend.
2. In the right pane, click Configuration Files.
3. Click Edit (pencil icon) for the conf\config-scheduler.properties.
4. Set the value in days for the purgeduration property.
By default, the value is 30 days.

purgeduration=30


5. Click Save.

Restrict access to the compliance module based on RBAC


You can use role-based access control to limit who can perform management
functions for the compliance module.
RBAC access to the Storage Compliance module gives a user the ability to:

• Enable/disable policies and rules
• Configure rules, such as changing the scope of a rule or changing configurable parameters of a rule
• Create custom scopes and policies
• Create new compliance rules
• Schedule and run policies
• Perform matching for the Compliance to the EMC Support Matrix policy
Any user can view the compliance breach reports.
On the ViPR SRM Console, use the Roles node in the Administration view to limit
access to a set of users with specific roles. For example, the following procedure
allows access to users with the role of Storage Administrator Users.
Procedure
1. Log onto the Console and navigate to Administration > Roles > Storage
Administrator Users.
The Role Modification dialog appears.
2. Click the Modules and Restrictions Access tab.
3. On the Storage Compliance line, select Yes.

4. Click Save.


Results
Users assigned to the Storage Administrator Users role can perform management
tasks for compliance.

Redirect Compliance Frontend in deployments with multiple Frontends

In deployments using multiple Frontend servers, you might want to redirect the
compliance Frontend URL to another system Frontend server.
Typically, administrators want to centralize administrative actions. This procedure
allows you to install Compliance on one Frontend server and access the administrative
actions from another Frontend server.
This procedure is optional.
Procedure
1. Log onto the CLI of the Frontend server that was referenced during the
Compliance module installation.
You can research the compliance installation settings in Administration >
Centralized Management > Logical Overview.
2. Execute the following command:

./bin/administration-tool.sh updateModule -module [ -name 'storage_compliance' -url 'http://<frontend_server_to_be_redirected_to>:58080/compliance-frontend' ]

For example:

./bin/administration-tool.sh updateModule -module [ -name 'storage_compliance' -url 'http://abcde123:58080/compliance-frontend' ]



APPENDIX A
Breach Names and Messages

The following table provides detailed information about the out-of-the-box compliance
policies.

• Breach names and messages


Breach names and messages


Breach messages contain detailed explanations of the breach, including variables that
identify the noncompliant objects.

Table 16 Rules and associated breach messages

Rule Name: Authorized Host OS for Array port
Breach Name: Authorized Host OS for Array port
Message: Host {hostname} with OS {hostos} is not authorized to access array port {port} on array {arrayname}.

Rule Name: Authorized Zone members
Breach Name: Noncompliance zone membership type
Message: Zone {zonename} in fabric {fabricname} contains unauthorized zone membership types. Authorized Members: {list of authorized zone member types} Unauthorized Members Found: {list of unauthorized zone member type}.

Rule Name: Default Zoning is Disabled
Breach Name: Fabric should not have default zoning enabled
Message: Fabric {fabricname} has default zoning enabled.

Rule Name: Host port fan-in
Breach Name: Host port fan-in exceeded
Message: Host port {hostport} on host {hostname} has a fan-in of {faninvalue}, is greater than the desired state {expected faninvalue}.
• A storage port was added to a zone in the fabric, exceeding the maximum number of storage ports allowed per hostport.
• An additional zone was activated, containing the same host port and additional storage ports.

Rule Name: Host must be provisioned with Storage
Breach Name: No storage provisioned to host
Message: Host {hostname} has no volumes provisioned.

Rule Name: Logging volume should be present at VPLEX Cluster.
Breach Name: Logging volume should be present at VPLEX Cluster.
Message: VPLEX-Cluster {cluster name} has no logging volume associated with it.

Rule Name: Masking Entry on Unmapped Volume
Breach Name: Unmapped volume
Message: A masking record contains host access to an unmapped storage volume.

Rule Name: Maximum Number of Storage Volumes masked to a Host
Breach Name: Number of masked volumes exceeds limit
Message: The number of masked volumes accessed by the host exceeds the desired maximum. Expected {expected count} but {actual count} were masked to Host Port {hostport}.

Rule Name: Minimum number of members in Zone
Breach Name: Insufficient number of members in zone
Message: Zone {zone name} in fabric {fabric name} has too few zone members.

Rule Name: Missing Path
Breach Name: No access to required volumes
Message: Host {hostname} unable to access the required volume {volume} on array {arrayname} because:
• Physical path failed (port unplugged, hardware down, etc.)
• Fabric has merged or split.
• Zoning changed.
• Required volume was unmapped.

Rule Name: I/O Path Redundancy
Breach Name: I/O Path Redundancy
Message: One of the following:
• Initiator port redundancy from host {hostname} to array {arrayname} was found to be {actual value} initiator ports, but was defined to be greater than or equal to {expected value} initiator ports.
• HBA redundancy from host {hostname} to array {arrayname} was found to be {actual value} HBAs, but was defined to be greater than or equal to {expected value} HBAs.
• Fabric redundancy from host {hostname} to array {arrayname} was found to be {actual value} fabrics, but was defined to be greater than or equal to {expected value} fabrics.
• Host-connected switch redundancy from host {hostname} to array {arrayname} was found to be {actual value} switches, but was defined to be greater than or equal to {expected value} switches.
• Array-connected switch redundancy from host {hostname} to array {arrayname} was found to be {actual value} switches, but was defined to be greater than or equal to {expected value} switches.
• Host-connected switch port redundancy from host {hostname} to array {arrayname} was found to be {actual value} switch ports, but was defined to be greater than or equal to {expected value} switch ports.
• Array-connected switch port redundancy from host {hostname} to array {arrayname} was found to be {actual value} switch ports, but was defined to be greater than or equal to {expected value} switch ports.
• Target port redundancy from host {hostname} to array {arrayname} was found to be {actual value} target ports, but was defined to be greater than or equal to {expected value} target ports.
• Array adapter redundancy from host {hostname} to array {arrayname} was found to be {actual value} array adapters, but was defined to be greater than or equal to {expected value} array adapters.

Rule Name: I/O Path Redundancy for VPLEX
Breach Name: I/O Path Redundancy
Message:
• VPLEX-Director redundancy from VPLEX {vplex cluster name} to array {array name} was found to be {actual value} VPLEX-Directors, but was defined to be greater than or equal to {expected value} VPLEX-Directors.
• VPLEX-Backend Port redundancy from VPLEX {vplex cluster name} to array {array name} was found to be {actual value} VPLEX-Backend ports, but was defined to be greater than or equal to {expected value} VPLEX-Backend ports.

Rule Name: Single Initiator Zoning
Breach Name: Too many initiators in a zone
Message: Zone {zonename} in fabric {fabricname} contains too many initiators.

Rule Name: Storage Port Fan-Out
Breach Name: Storage Port Fan-Out
Message: Storage port {storageport} on array {arrayname} in fabric {fabricname} has a fan-out of {fanout value}, is greater than the desired state {fanout expected value}. A host port was added to a zone in the fabric, exceeding the maximum number of host ports allowed per storage port.

Rule Name: Supported Array Microcode Version
Breach Name: Unsupported array software
Message: An unsupported version of array software was installed on storage array. Found {actual value} instead of {expected value}.

Rule Name: Supported HBA Vendor, Model, Driver and Firmware
Breach Name: Unsupported HBA attributes
Message: An unsupported {hba model/driver/firmware/version} present as part of HBA : {hbaname} installed on Host : {hostname}. Found {actual value} instead of {expected value}.

Rule Name: Supported Multipath Software Version
Breach Name: Unsupported multipathing software
Message: An unsupported multipath software version was installed on the host. Found {actual value} instead of {expected value}.

Rule Name: Supported Solutions Enabler Version
Breach Name: Unsupported Solutions Enabler version
Message: Found {actual value} instead of {expected value}. An unsupported version of EMC Solutions Enabler is installed.

Rule Name: Supported Switch Firmware
Breach Name: Unsupported switch firmware
Message: An unsupported firmware version is installed on the switch. Found {actual value} instead of {expected value}.

Rule Name: Symmetrix Port Flag Settings
Breach Name:
• WWN Bit is Enabled
• FCSW Bit is Enabled
• VCM Bit is Enabled
• C bit is Enabled
• SC3 Bit is Enabled
• SPC2 Bit is Enabled
Message: Symmetrix port does not have appropriate flag settings.

Rule Name: Uniform HBA Hardware on Host
Breach Name: Dissimilar HBAs on the same host
Message: HBAs of different {hba model/driver/version/firmware} were installed on the same host. {hostname} of HBAs seems to be different.

Rule Name: Unnecessary zone
Breach Name: Unnecessary zone
Message: Zone {zone name} in fabric {fabric name} does not have members of any fully established path and is unnecessary.

Rule Name: Unused Volume Masking Entries
Breach Name: Unused Volume Masking Entries
Message: Either:
• The storage port is not actively zoned with the host port.
• A physical connection in the path is unplugged/down.

Rule Name: Multiple tenants accessing same virtual pool
Breach Name: Multiple tenants accessing same virtual pool
Message: The virtual pool {pool identifier} in ViPR Controller host {hostname} is being accessed by tenants : {tenant names}

Rule Name: Zone contains at least one host port
Breach Name: Zone contains at least one host port
Message: Zone {zonename} is missing a host port (initiator).
• One or more host ports were deleted from a zone, leaving no host ports in the zone.
• A valid zone is used for array replication or migration and does not contain host ports.

Rule Name: Zone contains at least one Storage Port
Breach Name: Zone contains at least one Storage Port
Message: Zone {zonename} is missing a storage port (target).
• One or more storage ports were deleted from a zone, leaving no storage ports in the zone.
• The zone is waiting for a storage port to be added.

Rule Name: Zone Must Be Unique
Breach Name: Zone Must Be Unique
Message: Fabric {fabric name} contains duplicate zones. A zone was added or modified, resulting in multiple zones with identical membership in active zone set. Duplicate Zones: {zone names}
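
Added example (not part of the EMC guide or the product): one way a monitoring pipeline could match the text of a breach notification against the Table 16 message templates, extract the variables, and decode the State and Severity codes listed for the email and SNMP trap. The template subset, the function names and the sample message are constructed for illustration, and the code assumes delivered messages follow the templates verbatim with the variables substituted.

```python
import re

# Subset of the Table 16 message templates, keyed by breach name.
TEMPLATES = {
    "Authorized Host OS for Array port":
        "Host {hostname} with OS {hostos} is not authorized to access "
        "array port {port} on array {arrayname}.",
    "Fabric should not have default zoning enabled":
        "Fabric {fabricname} has default zoning enabled.",
    "Too many initiators in a zone":
        "Zone {zonename} in fabric {fabricname} contains too many initiators.",
    "Unsupported switch firmware":
        "An unsupported firmware version is installed on the switch. "
        "Found {actual value} instead of {expected value}.",
}

# State and Severity codes listed in the guide for the email and trap.
STATE = {1: "Active", 0: "Resolved"}
SEVERITY = {1: "Critical", 2: "Major", 3: "Minor", 5: "Normal"}


def compile_template(template):
    """Convert a '{variable}' template into an anchored regex with named groups."""
    parts = re.split(r"\{([^{}]+)\}", template)
    pattern = ""
    for i, part in enumerate(parts):
        if i % 2:
            # Variable: sanitize the name, since group names cannot hold spaces.
            pattern += "(?P<%s>.+?)" % re.sub(r"\W+", "_", part)
        else:
            # Literal text: escape each word, accept any whitespace between
            # words so a message re-wrapped by a mail client still matches.
            pattern += r"\s+".join(re.escape(w) for w in part.split(" "))
    return re.compile(r"^\s*" + pattern + r"\s*$", re.DOTALL)


COMPILED = {name: compile_template(t) for name, t in TEMPLATES.items()}


def parse_breach(message, state, severity):
    """Return the breach name, decoded codes and variables, or None if unknown."""
    for name, rx in COMPILED.items():
        m = rx.match(message)
        if m:
            return {
                "breach": name,
                "state": STATE.get(state, "unknown(%r)" % state),
                "severity": SEVERITY.get(severity, "unknown(%r)" % severity),
                "fields": m.groupdict(),
            }
    return None  # unrecognized text: queue for manual review rather than drop


if __name__ == "__main__":
    # Constructed sample notification (host, port and array values are made up).
    sample = ("Host esx-lab-01 with OS Windows Server 2012 is not authorized "
              "to access\narray port FA-1D:0 on array 000195700001.")
    print(parse_breach(sample, state=1, severity=1))
```

Messages that match no template return None, so custom policies added later show up as unparsed items instead of being silently misclassified.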
