Technical white paper

TECHNICAL OVERVIEW OF HPE 3PAR FILE PERSONA SOFTWARE
Truly converged file and object access for HPE 3PAR StoreServ Storage
CONTENTS

Executive summary ...... 3
Intended audience ...... 3
Overview ...... 3
Licensing ...... 4
Architecture ...... 4
File Persona concepts and terminology ...... 4
Resiliency and high availability ...... 5
Networking ...... 6
Name services and authentication ...... 7
Active Directory ...... 7
Lightweight Directory Access Protocol ...... 7
Local authentication ...... 8
Authentication stack order ...... 8
Authorization and permissions ...... 8
Native ACLs ...... 9
Converged ACLs ...... 9
Cross-protocol locking ...... 9
Access-based enumeration ...... 10
Protocol support ...... 10
SMB protocol ...... 10
Large MTU size ...... 13
NFS protocol ...... 13
FTP and FTPS protocol ...... 14
Development and integration ...... 14
Object Access API ...... 14
Integration with a Microsoft environment ...... 16
Antivirus scanning ...... 17
Quota management ...... 18
HPE 3PAR File Access Auditing framework ...... 19
File Lock for data immutability and retention ...... 19
Data protection ...... 21
User-driven local recovery ...... 21
Administrator-driven recovery ...... 22
Replication and disaster recovery ...... 23
Traditional backup ...... 23
RMC Express Protect flat backup ...... 23
System configuration backup ...... 23
Enhanced support functionality ...... 24
Support for HPE 3PAR data services ...... 24
Conclusion ...... 24
EXECUTIVE SUMMARY

Today’s data centers are expected to deploy, manage, and report on different tiers of business applications, databases, virtual workloads, home directories, and file sharing simultaneously. They also need to colocate multiple systems while sharing power and energy. This is true for large and small environments. The trend in modern IT is to consolidate as much as possible to minimize cost and maximize the efficiency of data centers and branch offices.

HPE 3PAR StoreServ is highly efficient, flash-optimized storage engineered for the true convergence of block, file, and object access, which helps consolidate diverse workloads efficiently. HPE 3PAR OS and converged controllers incorporate multiprotocol support into the heart of the system architecture.

Intended audience

This white paper provides an overview of HPE 3PAR File Persona Software and technical details about the features and core file data services included in the software. It is intended to assist system administrators, solution architects, presales engineers, and professional services consultants who design, deploy, and administer HPE 3PAR StoreServ storage systems in a home directory or a corporate and group share environment.

Overview

File Persona is a feature of HPE 3PAR OS that enables a rich set of file protocols and core file data services on an HPE 3PAR StoreServ system. File Persona inherits the industry-leading architecture and Block Persona benefits of HPE 3PAR StoreServ.
It extends the spectrum of primary storage workloads natively addressed by HPE 3PAR StoreServ to the following workloads through File Persona—all with truly converged controllers, agile capacity, and unified management:

• Home directory consolidation (for physical desktops and VMware Horizon® virtual desktops)
• Group and department shares
• Corporate shares
• Content management and collaboration
• Data preservation and governance
  – Structured data optimization with Micro Focus Structured Data Manager
  – Unstructured data governance with Micro Focus Storage Optimizer and Micro Focus ControlPoint
• Retention of business records with Micro Focus Content Manager
• Video surveillance from several vendors (for details, refer to the HPE Single Point of Connectivity Knowledge [SPOCK] compatibility matrix)
• Real-time business analytics for scale-out SAP HANA® shared infrastructure
• Integration for designated cloud applications using the Object Access application programming interface (API)

File Persona integrates tightly into the data center by supporting industry-standard NAS protocols, a file services ecosystem, and authentication and authorization methods. File Persona also supports antivirus servers and various client operating systems through a single streamlined management interface.

Feature highlights

Highlights of File Persona include:

• Rich file protocol support covers a broad range of client operating systems. This support enables user, group, and corporate shares along with home directory consolidation for physical desktops and Horizon virtual desktops. Supported protocols include:
  – Server Message Block (SMB) 3.1.1, 3.0, 2.1, 2.0, and 1.0 (SMB 3.1.1 secures negotiation by using SMB 2.x and later)
  – NFS 4.0 and 3.0
  – File Transfer Protocol (FTP) and File Transfer Protocol over Secure Sockets Layer (FTPS)
• File Lock provides multiple modes for policy-based and ad hoc file-level retention, and immutability offers data preservation and compliance.
• Object Access API enables programmatic data access using a representational state transfer (REST) API for cloud applications from virtually any device anywhere.
• For clients using SMB 3.0 or later and clients using NFS, transparent failover enables nondisruptive HPE 3PAR OS upgrades as well as nondisruptive failovers in the event of a controller failure.
• HPE 3PAR Adaptive Flash Cache is leveraged to accelerate performance for read-intensive workloads.
• Data is compacted with a combination of thin built-in zero detect, HPE 3PAR Thin Provisioning, and HPE 3PAR deduplication technologies, in addition to data optimization from the separately licensed HPE 3PAR Adaptive Optimization and HPE 3PAR Dynamic Optimization.
• Comprehensive data protection includes point-in-time file store snapshots for user-driven file recovery, support for third-party antivirus software, network share and Network Data Management Protocol (NDMP)-based backup and restore operations, and disaster recovery replication from the separately licensed HPE 3PAR Remote Copy.
• Federal Information Processing Standard (FIPS) 140-2 validated data-at-rest encryption is available as an optional measure to prevent unauthorized data access.
• Seamless integration with a broad range of IT infrastructure services, including Active Directory, folder redirection, offline files, roaming user profiles, distributed file system (DFS) namespace, and Microsoft Management Console (MMC). It also includes Lightweight Directory Access Protocol (LDAP) and local user authentication for Linux®-based IT infrastructure.
• The HPE 3PAR StoreServ Management Console (SSMC) GUI provides a single management interface for file and block storage with a performance dashboard and custom reporting capability. Unified programmatic management access for file and block storage is available through the HPE 3PAR Web Services API or the HPE 3PAR OS CLI.

Licensing

File Persona is supported on HPE 3PAR StoreServ 7000c, 8000, 9000, and 20000 series storage systems. Beginning with HPE 3PAR OS 3.3.1, a File Persona license is part of the base HPE 3PAR OS single-system software license for all supported HPE 3PAR StoreServ platforms except the HPE 3PAR StoreServ 7000c.
Refer to the appropriate HPE 3PAR StoreServ Storage QuickSpecs for specific details regarding different platforms.

ARCHITECTURE

HPE 3PAR StoreServ Storage provides the redundant data path and raw block storage on which the high availability file services of File Persona are built. File Persona comes with its own unique set of features and functionality that require additional managed objects, both to differentiate them from similar block features and to maintain consistency where appropriate.

File Persona concepts and terminology

File Persona comprises the following managed objects:

• File provisioning groups (FPGs)
• Virtual file servers (VFSs)
• File stores
• File shares

File Persona benefits from the HPE 3PAR storage foundation, including wide-striped logical disks and autonomic common provisioning groups (CPGs). A CPG can be shared between file and block storage to create file shares or logical unit numbers (LUNs), providing true convergence. Figure 1 represents the four managed objects for File Persona within HPE 3PAR OS.
FIGURE 1. File Persona logical view

Relevant File Persona terms include:

• A file provisioning group is an instance of the HPE Adaptive File System. It controls how data from the file system is stored and retrieved. Each FPG is transparently constructed from one or more virtual volumes (VVs) and is the unit of replication and disaster recovery for File Persona. Up to 16 FPGs are supported on a node pair.
• A virtual file server acts as a virtual server that presents virtual IP addresses to clients, participates in user authentication services, and can carry properties such as user or group quota management, File Lock policies, and antivirus policies. Many management tasks and policy decisions are made at the VFS level. Up to 16 VFSs are supported on a node pair, one per FPG.
• A file store is the slice of a VFS and FPG at which snapshots are taken, capacity quota management is performed, and File Lock policies and antivirus scan service policies are customized. File stores also enforce access control lists (ACLs) and inheritance in NTFS or legacy security mode. Up to 256 file stores are supported on a node pair, and 16 file stores per VFS.
• File shares provide file-level access to clients via the SMB, NFS, FTP, and Object Access API protocols, subject to the share permissions applied to them. Multiple file shares can be created in a file store and at different directory levels within a file store.

File shares and VFSs are managed as normal operations using the SSMC. File stores and FPGs are typically managed explicitly for advanced operations only.

RESILIENCY AND HIGH AVAILABILITY

File Persona uses a mission-critical, proven, 64-bit journaling file system that has been optimized for metadata-intensive workloads such as home directory consolidation and corporate and group shares. File Persona benefits from the inherited HPE 3PAR StoreServ resiliency.
In the event of a node failover, the necessary File Persona objects fail over to the other node in the node pair. Depending on the protocol, the failover is transparent to users. Figure 2 illustrates how control fails over to another server without interruption when needed.
FIGURE 2. File Persona high availability configuration

NETWORKING

File Persona requires one of the following components to be installed in an available PCI slot on each node pair:

• Four-port 1GbE NIC
• Two-port 10GbE NIC
• Four-port combo card with:
  – 2 x 16Gb Fibre Channel + 2 x 10GbE ports
  – 2 x 10GbE iSCSI + 2 x 10GbE ports, available on HPE 3PAR StoreServ 8000 series only

These network ports should match across a node pair because File Persona is enabled and configured on a per node pair basis. Enabling File Persona and configuring basic networking are described in more detail in the HPE 3PAR File Persona User Guide.

Departmental or functional network isolation can be implemented by configuring multiple virtual LANs (VLANs). Each VLAN uses its own static route as the VLAN-specific default gateway. This configuration acts as a “virtual router” that directs incoming connections and IP packets to the appropriate VFS VLAN and sends responses back to the client over the relevant route, allowing each VFS to have its own default route gateway. A total of 500 VLAN route definitions can be configured per system, and each subnet and VLAN ID combination must be unique. There is no performance impact from having static routes configured for VLAN IPs.

FIGURE 3. Static VLAN routing
Name services and authentication

Name services refers to user account name and group name resolution and lookups from user and group databases such as Active Directory, LDAP, or a local user database. Name resolution refers to user, group, or hostname lookup in the respective name services databases.

Authentication and authorization are essential components of home directory consolidation and corporate or group shares in the data center. Users trying to access their home directories over the network need to be identified with their associated credentials. The process of identifying an individual based on a user name and password is called authentication.

File Persona supports three types of name services for authentication—Active Directory, LDAP, and a local database for local users and groups. It supports Kerberos, NTLMv2, and NTLM for Active Directory authentication. File Persona uses the local user authentication method by default, but Active Directory and LDAP services can be added to the authentication stack for user and group name lookup. Selecting the correct order optimizes the performance of account name lookups. The stacked authentication lookup order persists across a failover.

NOTE
Authentication should generally be configured before starting to write data to the system, to avoid the implications of later changes to the authentication scheme.

Active Directory

Active Directory is a directory service primarily used in Microsoft Windows environments, where Kerberos, NTLMv2, and NTLM are the primary types of authentication. File Persona authenticates user credentials using Kerberos, NTLMv2, or NTLM authentication in Active Directory based on the authentication stack order defined within File Persona. Active Directory performs name lookups and authentication for user accounts and groups.
With the release of HPE 3PAR OS 3.3.1 MU2 Patch 26, File Persona no longer stores any Active Directory credentials locally. This improves security while reducing liability. The computer name created in the Active Directory domain is the HPE 3PAR StoreServ system name plus the node number (for example, deptserver#.sales.hpe.com).[1] Use the showfs -ad command at the HPE 3PAR OS CLI to verify that the node has joined the Active Directory domain properly.

NOTE
Networking node IP addresses, gateway, and Domain Name System (DNS) should be configured on the File Persona node before attempting to associate with LDAP or Active Directory. NTP should be configured for the HPE 3PAR StoreServ system so that the array and the domain controller are synchronized before attempting an Active Directory join, or the join might fail.

Lightweight Directory Access Protocol

LDAP is most commonly used in Linux and UNIX® environments where customers have users that connect to SMB or NFS shares on an HPE 3PAR StoreServ system running File Persona. The LDAP provider uses ldapsearch requests to look up users and groups by name or security identifier (SID). File Persona can be configured to use up to five clone master LDAP servers for highly available, redundant lookups. Note that this ability requires setting up an LDAP Multi-Master replication environment.

When the POSIX schema template is configured, SIDs are formulated from a SID prefix, the user ID (UID), and the group ID (GID). NTLM or NTLMv2 authentication is also supported by matching a user-supplied password against the Windows encrypted password stored in LDAP. The LDAP schema attribute that File Persona uses depends on the schema template in use. The File Persona SMB server can be configured to use either a Samba or a POSIX schema, but only one schema at a time. Use the showfs -ldap command at the CLI to check the status of LDAP authentication.

The LDAP connection for File Persona can use one of three categories:

• Simple connection: Authentication is performed in plain text, so the credentials cross the network unencrypted.
• Secure Sockets Layer (SSL): Authentication is performed through NTLM and uses the LDAP server’s fully qualified domain name (FQDN) to connect. The communication is established on port 636 by default.
• Transport Layer Security (TLS): Authentication is performed through NTLM and uses the LDAP server’s FQDN to connect. The communication is established on port 389 by default.

[1] In Windows 2000 and later operating systems, DNS domain names support up to 24 characters in the hostname. Be sure to follow Microsoft guidelines for the hostname character length.
Local authentication

Local authentication is often used in smaller Windows or Linux and UNIX environments. Each node has a copy of the local user database, and all changes to the local accounts database are replicated to all File Persona nodes in a system. Local users are authenticated using NTLMv2 by default. The password is stored in encrypted form in the local user database. UIDs and GIDs are assigned automatically if not specified when the accounts are created; the storage administrator should make sure that IDs are unique across the name services.

Authentication stack order

The authentication stack order can be configured from the SSMC after enabling advanced options in the Configure File Persona menu. Local Users & Groups must be included in the Provider Order; LDAP and Active Directory are optional. The default stacking order is Active Directory followed by Local Users & Groups (see Figure 4). As a best practice, the stacking order should not contain a provider that is not configured. To show the configured stacking order on the CLI, use showfs -auth. Note that the stacking order is configured separately from the authentication methods: if a method is not in the stack, users cannot authenticate using that method. File Persona uses this stack order to look up each authentication service for an entry match, stopping at the first match found.

FIGURE 4. Configuring the authentication stack order

NOTE
The authentication and authorization method used for File Persona is separate from the security method used for HPE 3PAR StoreServ array management (SSMC and CLI).

AUTHORIZATION AND PERMISSIONS

Authorization is the process used to verify what effective permissions a user (or group) has on files or folders. Authorization is performed by comparing the user account or the member names of a group with the permissions on file storage resources such as files or directories.
Only authorized users (or groups) are allowed to access a file or folder; all others are denied access. For shared folder access, the user must first pass the share permissions, which determine whether the user is authorized to access that share at all. An ACL is a list of access control entries (ACEs). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. SMB users are granted access based on the advanced access rights allowed through the NTFS ACL permissions set on files and directories. NFS users are granted access based on the POSIX or NFSv4 ACLs set on files or directories; UIDs and GIDs are evaluated to determine access to files and directories.
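As an added example (not HPE's code), the following Python models the two decisions described above: the authentication stack lookup (providers consulted in the configured order, first match wins, Local Users & Groups mandatory, no unconfigured provider listed) and the share-then-ACL authorization check with the most restrictive right enforced. The provider names come from the text; the accounts, share permissions and ACEs are constructed sample data.

```python
# Added example (not HPE's code): a model of the access decision the paper
# describes. Step 1, authentication stack order: providers are consulted in
# the configured order, lookup stops at the first match, Local Users & Groups
# must be in the order, and no unconfigured provider may be listed. Step 2,
# authorization: share permissions are checked first, then the ACEs of the
# file's ACL for the user and its groups; the most restrictive right wins and
# an explicit deny beats an allow. All accounts, shares and ACLs below are
# constructed sample data.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

LOCAL = "Local Users & Groups"   # mandatory provider in the stack
READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    groups: FrozenSet[str]


class ProviderNotConfigured(ValueError):
    """A provider is listed in the stack order but is not configured."""


def resolve_user(name: str, order: List[str],
                 providers: Dict[str, Dict[str, Account]]
                 ) -> Optional[Tuple[str, Account]]:
    """Walk the stack in order and return (provider, account) of the first
    provider that knows the name, or None if none does."""
    if LOCAL not in order:
        raise ValueError(f"{LOCAL!r} must be part of the provider order")
    for provider in order:
        if provider not in providers:
            raise ProviderNotConfigured(provider)
        account = providers[provider].get(name)
        if account is not None:
            return provider, account      # first match wins; stop here
    return None


@dataclass(frozen=True)
class Ace:
    trustee: str           # user or group name
    allow: bool            # True = allow ACE, False = deny ACE
    rights: FrozenSet[str]


def effective_rights(account: Account,
                     share_perms: Dict[str, FrozenSet[str]],
                     acl: Iterable[Ace]) -> FrozenSet[str]:
    """Share permissions first; without a share-level grant the ACL is never
    consulted. Then apply every ACE naming the user or one of its groups:
    denied rights are removed, and the result is limited to the share rights."""
    principals = {account.name} | set(account.groups)
    share_rights = set()
    for trustee in principals:
        share_rights |= share_perms.get(trustee, frozenset())
    if not share_rights:
        return frozenset()
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset((allowed - denied) & share_rights)


# Constructed sample data: "alice" exists in both providers, so the order
# decides which identity (and UID) she gets.
PROVIDERS = {
    "Active Directory": {
        "alice": Account("alice", 1001, frozenset({"sales"})),
    },
    LOCAL: {
        "alice": Account("alice", 2001, frozenset({"staff"})),
        "bob": Account("bob", 2002, frozenset({"staff", "contractors"})),
    },
}
DEFAULT_ORDER = ["Active Directory", LOCAL]   # the paper's default order
SHARE_PERMS = {"sales": frozenset({READ, WRITE}), "staff": frozenset({READ})}
FILE_ACL = [
    Ace("sales", True, frozenset({READ, WRITE})),
    Ace("staff", True, frozenset({READ, WRITE})),
    Ace("contractors", False, frozenset({WRITE})),   # explicit deny
]


def rights_for(name: str, order: List[str] = DEFAULT_ORDER) -> FrozenSet[str]:
    """Resolve a name through the stack, then compute its effective rights."""
    hit = resolve_user(name, order, PROVIDERS)
    return effective_rights(hit[1], SHARE_PERMS, FILE_ACL) if hit else frozenset()


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(rights_for(user)))
```

Running the module shows alice (found in Active Directory first) with read and write, bob limited to read by both the share permission and the deny ACE, and carol with nothing because no provider knows her.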
HPE 3PAR OS 3.3.1 MU2 allows UIDs and GIDs to be created using any number above 100; the first 100 IDs are reserved by HPE 3PAR OS (earlier releases reserve ID numbers between 100 and 1000). When a user holds rights through more than one path, the most restrictive rights are enforced when granting access to files and folders.

Native ACLs
Different authentication protocols handle permissions and user identities using different methods, and in a multiprotocol environment these methods need to be mapped and combined. For example, ACLs under the Windows NTFS-based SMB protocol are based on SIDs, whereas ACLs under the Linux-based NFS protocol are based on UIDs and GIDs. Before HPE 3PAR OS 3.3.1 MU1, the Adaptive File System in File Persona converted these ACL formats into a single converged ACL format before storing them on the storage media. Starting with HPE 3PAR OS 3.3.1 MU1 Patch 08, the Adaptive File System can store ACLs on the storage media in their native format, along with the native user IDs of the respective protocol. For SMB client access, NTFS ACLs are stored with Windows SIDs. For NFSv4 client access, NFSv4 ACLs are stored with UIDs and GIDs. For NFSv3, FTP, and the REST API, POSIX ACLs with UIDs and GIDs are stored on the storage media, independent of the security mode of the file store. With native ACL formats, the dependency on external name services for frequent name resolution is minimized, which makes the file services more robust, especially for the primary protocols. This improves overall metadata performance for home directory, user share, and collaboration workloads, and it streamlines data migration operations that would otherwise require frequent lookups against name services.

FIGURE 5. Adaptive File System in File Persona

Converged ACLs
Before HPE 3PAR OS 3.3.1 MU1, the Adaptive File System in File Persona converted these differing ACL formats into a converged ACL format and stored the converged ACLs on the local storage. The converged ACL stores permissions in NFSv4.1 ACL style with user identities in User Principal Name (UPN) format for all files and directories; on access, it converts the stored ACL to the protocol-specific ACL for SMB, NFS, HTTP, or FTP clients, as described in Table 1. The Adaptive File System also resolves user names from the protocol-specific format to the UPN format that is stored on disk.

TABLE 1. Converged ACLs
Converged ACL stack | SMB | NFSv3 | NFSv4 | Object Access API over HTTP
ACL enforcer | SMB server | FPG (file system) | FPG (file system) | FPG (file system)
ACLs enforced by File Persona | NTFS ACLs | POSIX ACLs | POSIX ACLs | POSIX ACLs
On-disk ACLs stored | NFSv4.1 ACLs | NFSv4.1 ACLs | NFSv4.1 ACLs | NFSv4.1 ACLs
Name resolution | Domain\username → user@domainname | UID/GID → user@domainname | user@domainname → user@domainname | Domain\username → user@domainname

Cross-protocol locking
Many NAS customers want multiprotocol access to common data. Simultaneous read/write access with cross-protocol file locking ensures data integrity. In versions of HPE 3PAR OS earlier than 3.3.1, multiprotocol access in File Persona was limited to one protocol with read/write access and secondary protocols with read-only access. HPE 3PAR OS 3.3.1 adds support for cross-protocol locking, which allows data to be accessed from more than one protocol with simultaneous read/write access. Cross-protocol locking ensures that access by NFS clients to files opened by SMB clients respects the SMB share-mode locks on those files. (2)

(2) In this case, cross-protocol locking requires that SMB opportunistic locks and leases are disabled.

With File Persona, you choose one of two security modes for a file store at the time of share creation:
• NTFS: This near-native experience allows simultaneous read/write access for both Windows and POSIX clients, using cross-protocol file locking.
• Legacy: One protocol has read/write access whereas the other protocols have read-only access, which offers backward compatibility with File Persona running on HPE 3PAR OS releases earlier than 3.3.1.

NOTE
In versions of HPE 3PAR OS earlier than 3.3.1, File Persona supports file locking within a protocol but not across protocols, so the same file cannot be accessed simultaneously from different file protocols. This restriction does not preclude access to the directory or files by any file protocol at different times. Locks are honored within a protocol; for example, all locks held by SMB clients are honored by other SMB clients.

Access-based enumeration
In addition to protecting sensitive information in the workplace, access-based enumeration (ABE) simplifies the display of large directory structures for users who do not need access to the full range of content. Users see only the files and folders they have permission to access, rather than a busy folder structure holding hundreds of user folders. Administrators are more productive because they do not need to help less-skilled users navigate dense shared folders. ABE only filters what a directory listing shows; access to a file or folder is still decided by its ACL, so ABE is a usability feature, not a replacement for correct permissions. Enable ABE in File Persona by specifying the -abe true option when creating an SMB file share: createfshare smb -abe true. You can also use the SSMC to enable this option when creating or modifying the file share (see Figure 6; enable the advanced options).

FIGURE 6. Enable access-based enumeration on file share

NOTE
Access-based enumeration applies only to SMB shares.

PROTOCOL SUPPORT
Enterprise file sharing relies on a standard set of protocols to access and move files effectively. File Persona continually evolves its protocol stack to support file sharing in enterprise environments more effectively, securely, and reliably.
SMB protocol
The SMB protocol is the most widely used protocol for home directory access, and it brings a robust feature set for enterprise file sharing. File sharing protocols provide central data management using a client/server model, which reduces administrative overhead and provides more granular access control to files. SMB is the default protocol used by Windows clients; Mac and Linux clients, as well as the Samba software package, also use SMB to connect to an SMB file server. SMB brings a variety of security, performance, resiliency, and efficiency features that help customers offer home directories along with group, department, and corporate shares to their clients.
By default, the HPE 3PAR OS 3.3.1 MU2 Patch 26 release disables SMB 1.0 for new File Persona installations. (This is a global setting.) When an existing File Persona installation is upgraded to HPE 3PAR OS 3.3.1 MU2 Patch 26, the global SMB 1.0 setting is left unchanged. After confirming that all clients use SMB 2.0 or later, disabling SMB 1.0 is strongly recommended for security reasons. You can create an SMB file share by using createfshare smb [options].

FIGURE 7. Creating SMB file share

File Persona supports SMB 3.1.1, 3.0, 2.1, 2.0, and 1.0. This includes the SMB 3.1.1 integrity checks (pre-authentication integrity) using Secure Hash Algorithm (SHA)-512, the SMB 3.0 transparent failover feature, SMB signing, and SMB opportunistic locks and leases (file and directory) across the supported SMB versions. In addition to these SMB protocol features, File Persona supports the Offloaded Data Transfer feature of Windows Server 2012.

TABLE 2. Protocol support by operating system (columns: SMB 3.1.1, SMB 3.0, SMB 2.1, SMB 2.0, SMB 1.0; rows: Windows 10 and Windows Server 2016; Windows 8 and 8.1 and Windows Server 2012 R2; Windows 7 and Windows Server 2008 R2; Windows Server 2008; Mac OS X 10.7, 10.8, 10.9; Mac OS X 10.10, 10.11, 10.12, 10.13)
SMB Transparent Failover
SMB Transparent Failover is one of the key features introduced in SMB 3.0 with Windows Server 2012 and Windows 8. It enables administrators to configure file shares to be continuously available. With continuously available file shares, administrators can perform hardware or software maintenance on any cluster node without interrupting the client connections that store their data files on those shares. In the case of a hardware or software failure, clients transparently reconnect to another cluster node without disrupting the user connections. To benefit from SMB Transparent Failover, both the SMB client and the SMB server must support SMB 3.0 or later. Computers running earlier SMB versions (1.0, 2.0, or 2.1) can connect to and access data on a file share that has the continuously available property set, but they cannot use the SMB Transparent Failover feature.

SMB signing
SMB signing digitally signs SMB communications at the packet level. Signing lets the recipient confirm the origin and authenticity of each packet, which protects against tampering with packets in transit; it does not encrypt the traffic, so it provides integrity, not confidentiality. SMB signing can be set to either enabled or required for both client-side and server-side communications. The server-side settings are specified with the command:

setfs smb [-f] [-enableoplocks {true|false}] [-signingenabled {true|false}] [-signingrequired {true|false}]

NOTE
With SMB 1.0, if both the client-side and server-side settings are false, no signing is used at all.

If you enable Allow SMB signing in the SSMC, the File Persona SMB server uses SMB signing when the SMB client requests it. Allow SMB signing is the default setting. If you enable SMB signing required, the File Persona SMB server communicates only with SMB clients that present valid signatures; the default for this setting is disabled. You can manage this setting from the SSMC software by selecting an HPE 3PAR StoreServ array and then selecting Edit protocol settings from the Action menu. Clicking the SMB Settings drop-down menu shows all available options, as presented in Figure 8.

FIGURE 8. Setting the SMB signing option
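Before SMB 1.0 is disabled globally on the array, and before signing is switched from "allowed" to "required", it helps to see what the clients are actually negotiating. The following PowerShell script is an added example written for this page, not code from the HPE white paper or the 3PAR CLI: run on a Windows client, it lists that client's live SMB sessions to a VFS, flags any that still use an SMB 1.x dialect or that were established without signing, and then makes the client itself require signing. The VFS name SFO-vfs01 is borrowed from the DFS example later in the paper and is an assumption; Get-SmbConnection only shows sessions from the machine it runs on, so the audit has to be repeated on each client population.

```powershell
# Added example (not from the HPE white paper): audit this client's SMB sessions
# to a File Persona VFS before SMB 1.0 is disabled on the array and before
# SMB signing is made mandatory. The VFS name is an assumption.
$Vfs = 'SFO-vfs01'

# Get-SmbConnection reports each live SMB session from this client, including
# the negotiated dialect ("1.5", "2.02", "3.1.1", ...) and whether it is signed.
$sessions = Get-SmbConnection | Where-Object { $_.ServerName -ieq $Vfs }

if (-not $sessions) {
    Write-Warning "No SMB sessions to $Vfs. Open a share first, for example: dir \\$Vfs\home"
    return
}

$sessions |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted |
    Format-Table -AutoSize

# Anything still negotiating an SMB 1.x dialect will stop working once the
# global SMB 1.0 setting on the array is turned off.
$legacy = $sessions | Where-Object { [int]($_.Dialect.Split('.')[0]) -lt 2 }
if ($legacy) {
    $shares = ($legacy | Select-Object -ExpandProperty ShareName -Unique) -join ', '
    Write-Warning "SMB 1.x still in use to ${Vfs} from this host on: $shares"
}

# An unsigned session means signing is only "allowed" on the server and the
# client did not ask for it. Requiring signing on the client makes a downgrade
# to an unsigned session fail instead of silently succeeding. This cmdlet
# needs an elevated PowerShell session.
$unsigned = $sessions | Where-Object { -not $_.Signed }
if ($unsigned) {
    Write-Warning "Unsigned SMB sessions to $Vfs detected; requiring signing on this client."
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
```

Once no client reports an SMB 1.x dialect, the matching server-side change on the array is setfs smb -signingrequired true, which refuses unsigned clients outright rather than leaving the decision to each client's configuration.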
SMB oplocks and leases
Opportunistic locks (oplocks) are a client-caching mechanism that lets SMB and SMB 2.0 clients decide their client-side buffering strategy dynamically, so that network traffic is minimized and performance improves. In SMB 2.1, the client oplock lease model allows oplocks to be held by a client for enhanced file and handle caching opportunities. This enhances performance by reducing network bandwidth consumption, increasing file server scalability, and improving response time when files are accessed over a network. The one disadvantage of file-level oplocks or leases is that if files or folders on the file server change, clients holding a cached listing of that directory are not aware of the changes when the directory listing is refreshed locally. In SMB 3.0, the directory-leasing feature improves this behavior by allowing the SMB client to cache directory and file metadata together in a consistent manner for a longer duration. Clients are notified when directory information on the server changes, and the data is resynchronized and the cache updated. This feature is designed to work with a user's home folders (read/write with no sharing) and published shares (read-only with sharing). The result is improved network performance and faster response time.

SMB crediting
SMB 2.0 and later use credit-based flow control, which allows the server to control a client's behavior. The server starts with a few credits and automatically scales up as needed. With this type of control, the protocol can keep more data in flight and make better use of the available bandwidth. Credit-based flow control makes it easy for clients to send multiple requests to a server: the client builds a pipeline of requests instead of waiting for a response before sending the next request. This is especially relevant on a high-latency network.
Large MTU size
The maximum transmission unit (MTU) of a protocol layer is the size (in bytes) of the largest protocol data unit that the layer can pass on. Large MTU support was introduced in SMB 2.1 to achieve better performance on 10GbE (high-speed, low-latency) networks; it raises the maximum SMB transfer size from 64 KB to 1 MB. The large MTU option must be enabled in the registry on SMB client computers. It is enabled by default on Windows Server 2012 and 2012 R2. File Persona adapts to the MTU size that the SMB client computer uses.

NFS protocol
The NFS protocol is a versatile protocol for Linux and UNIX clients. It provides high concurrency for clients with central management of data using a client/server model, which reduces administrative overhead and provides granular access control. NFS is the default file-sharing protocol on Linux and UNIX clients; it uses remote procedure calls (RPCs) to abstract differences in machine architecture, operating system, network architecture, and transport protocol. File Persona supports NFSv4 and NFSv3, along with a variety of Linux and UNIX client operating systems. Refer to the HPE SPOCK website for the latest interoperability matrix. You can create an NFS file share by using createfshare nfs [options], which instructs the file share to use the NFS protocol.

FIGURE 9. Creating an NFS file share
FTP and FTPS protocol
File Transfer Protocol is a client/server file sharing protocol that uses clear-text authentication with user names and passwords, or anonymous credentials. It is compatible with most operating systems, including Windows, UNIX, and Linux. Because plain FTP sends both credentials and file contents unencrypted, it should be confined to trusted networks. File Transfer Protocol over SSL (FTPS) adds a layer of security by carrying the file transfer over TLS/SSL; this also enables server-side and client-side public key authentication based on certificates.

FIGURE 10. Creating FTP file share

DEVELOPMENT AND INTEGRATION
HPE provides the means to integrate with and extend the HPE 3PAR File Persona experience through the Object Access API (REST over HTTP) and through deep integration with Microsoft environments.

Object Access API
Web services are considered "RESTful" if they conform to the architectural constraints of REST. Complex file system semantics are compressed into a small number of commands. REST over HTTP is a simple way for applications to interact with storage: unlike SMB or NFS, HTTP access is available from nearly every device. The API enables developers and customers to integrate direct file access into their applications. The File Persona Object Access API offers a rich set of file system semantics that let RESTful applications access files and folders on a file share directly through the REST API. File Persona supports the operations listed in Table 3.
TABLE 3. Object Access API supported operations
Operation | Command value | HTTP method
Create or replace a file | (none) | PUT
Set extended attributes | xattr | POST
Commit data to disk | fsync | POST
Create directories | mkdir | PUT
Move or rename files or directories | mv | POST
Change file group | chgrp | POST
Change permissions | chmod | POST
Change owner | chown | POST
Get extended attributes | xattr | GET
List directory with pagination | ls | GET
Download a file | (none) | GET
Display file or directory status | stat | GET
Remove extended attributes | xattr | DELETE
Remove directories | rmdir | DELETE
Delete a file | (none) | DELETE
Copy a file | cp | PUT
Copy a directory | cp | PUT
Download partial file | (none) | GET
Update partial file | (none) | POST

HPE 3PAR OS 3.3.1 introduces enhancements to the Object Access API, such as the file copy feature and the partial file access feature.

NOTE
The file copy feature supports copying a file to another file name and location in the share. It also supports copying a directory and all of its contents recursively to a new directory name and location in the share. Partial file access supports byte-range operations, which allow an application to retrieve a portion of a file without downloading the entire file, and to modify a portion of a file without writing the entire file.

You can create an Object Access API-enabled file share by issuing the command: createfshare obj [options]

Object Access API HTTP examples:
• To create a file: PUT http://10.33.19.94/v1/myObjShare/afile.txt
• To download a file: GET http://10.33.19.94/v1/myObjShare/afile.txt
• To delete a file: DELETE http://10.33.19.94/v1/myObjShare/afile.txt
• To list directory contents: GET http://10.33.19.94/v1/myObjShare/?cmd=ls&type=true
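The four HTTP examples above map directly onto a small client. The PowerShell below is an added example written for this page, not code from the HPE white paper or an HPE SDK: it wraps the URL construction (share path plus the cmd and type query values from Table 3) in one function and then runs the create, list, download and delete round trip, verifying that the downloaded bytes match what was uploaded. The address and share name are the ones used in the paper's examples; the credential prompt is an assumption, because the paper does not describe how the API authenticates, and the local file names are placeholders.

```powershell
# Added example (not from the HPE white paper): thin wrapper around the Object
# Access API calls shown in the paper. Base URL and share name are the paper's;
# the credential and the local file names are assumptions.
$Base = 'http://10.33.19.94/v1/myObjShare'
$Cred = Get-Credential -Message 'File Persona user with rights on myObjShare'

function Invoke-ObjApi {
    param(
        [Parameter(Mandatory)] [ValidateSet('GET', 'PUT', 'POST', 'DELETE')] [string]$Method,
        [string]$Path = '',        # path inside the share; '' addresses the share root
        [hashtable]$Query = @{},   # query values from Table 3, e.g. @{ cmd = 'ls'; type = 'true' }
        [string]$InFile,           # local file sent as the request body (PUT)
        [string]$OutFile           # local file that receives the response body (GET)
    )
    $uri = "$Base/$Path"
    if ($Query.Count) {
        # Escape each key and value so a file name or parameter cannot change the URL structure.
        $pairs = foreach ($k in $Query.Keys) {
            '{0}={1}' -f [uri]::EscapeDataString($k), [uri]::EscapeDataString([string]$Query[$k])
        }
        $uri += '?' + ($pairs -join '&')
    }
    $params = @{ Method = $Method; Uri = $uri; Credential = $Cred; UseBasicParsing = $true }
    if ($InFile)  { $params.InFile  = $InFile }
    if ($OutFile) { $params.OutFile = $OutFile }
    Write-Verbose "$Method $uri"
    Invoke-WebRequest @params
}

# Create or replace afile.txt: PUT with the local file as the body, no cmd value.
Invoke-ObjApi -Method PUT -Path 'afile.txt' -InFile '.\afile.txt'

# List the share root: GET on the share with cmd=ls and type=true, as in the paper's URL.
(Invoke-ObjApi -Method GET -Query @{ cmd = 'ls'; type = 'true' }).Content

# Download the file again and check that the content survived the round trip.
Invoke-ObjApi -Method GET -Path 'afile.txt' -OutFile '.\afile.downloaded.txt'
if ((Get-FileHash '.\afile.txt').Hash -ne (Get-FileHash '.\afile.downloaded.txt').Hash) {
    throw 'Downloaded content does not match the uploaded file'
}

# Delete it: DELETE on the file path with no cmd value.
Invoke-ObjApi -Method DELETE -Path 'afile.txt'
```

Because the paper's URLs are plain http://, both the credential and the file contents cross the network unencrypted; keep the API on a trusted network segment, or put TLS in front of it where your deployment allows, before using it with anything sensitive.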
Integration with a Microsoft environment
Home directory consolidation provides central management and security for users' home directory environments. File Persona supports several Microsoft features that integrate tightly with home directory consolidation and with group and corporate shares. These features make it easier for a storage administrator to manage user data while enhancing the user experience. For example, NTFS ACLs, folder redirection, roaming user profiles, offline files, DFS namespaces, and share management through the MMC are all available. User settings and user files are typically stored in the local user profile under the Users folder on a local PC. Files in a local user profile can be accessed only from that computer, which makes it difficult for users who regularly change workstations to work with their data and to synchronize settings between multiple computers. Two technologies address this problem:

• Roaming user profiles: A roaming user profile allows a user whose computer is joined to a Windows Server domain to log on to any computer on the same network and access their documents. Such users have a consistent desktop experience, so applications keep the same toolbar positions, preferences, and desktop appearance. File Persona supports roaming user profiles to provide the same look and feel of the user desktop. This capability eases the replacement of a user's computer because the profile is kept on the network, independent of the individual computer, with its path published in Active Directory. When the user logs on to the new computer for the first time, the server copy of the profile is copied to the new computer and the home directory path continues to point to the network home directory stored on the HPE 3PAR StoreServ system.
• Folder redirection: File Persona support for folder redirection lets administrators redirect the path of a user's local profile folders and application data folder to a new location. The location can be a folder on the local computer or a directory on a network file share, typically the network home directory on the StoreServ system. The documents in the folder are available to the user from any computer on the network as if they were on the local drive.

Both technologies have their advantages, and they can be used separately or together to create a seamless user experience from one computer to another. They also provide additional options for administrators who manage user data.

Microsoft Offline Files
The Microsoft Offline Files feature enables users to work with copies of their network files when the computer is disconnected from the corporate network. By supporting this feature, File Persona lets home directory users work with their network files offline by caching them on the local computer and automatically synchronizing the files the next time they connect to the network. To control Offline Files when creating a file share, specify the -cache option as off|manual|optimized|auto, where:

• Off: The client must not cache any files from this share. The share is configured to disallow caching.
• Manual: The client allows only manual caching of files opened from this share. This is the default setting.
• Optimized: The client may cache every file it opens from this share and may satisfy file requests from its local cache. The share is configured to allow automatic caching of programs and documents.
• Auto: The client may cache every file it opens from this share. The share is configured to allow automatic caching of documents.

The command createfshare smb -cache auto creates a file share on the VFS that allows automatic caching of documents.
Offloaded Data Transfer
Offloaded Data Transfer (ODX) is a Windows feature that improves host performance by offloading copy and move operations to the storage hardware rather than performing them in the operating system. Support for ODX was introduced in SMB 3.0. It serves as a way to offload the copy of large files between SMB shares on the same controller. File Persona supports ODX natively in the HPE 3PAR StoreServ system to improve performance for large file transfers. By default, ODX is enabled in Windows Server 2012 and in Windows 8 and 8.1 when the prerequisites are met. ODX can be verified by entering the following command in a PowerShell session:

Get-ItemProperty hklm:\system\currentcontrolset\control\filesystem -Name "FilterSupportedFeaturesMode"

When ODX is enabled, FilterSupportedFeaturesMode returns "0" as the value; a value of "1" means ODX has been disabled on that host.

DFS namespace
File Persona supports DFS namespaces as a leaf node, so shares can easily be distributed across the VFSs on the File Persona nodes for redundancy and load distribution. A namespace is a virtual view of shared folders; the path to a namespace is similar to a Universal Naming Convention (UNC) path to a shared folder. However, instead of referring to a server (such as \\SFO-vfs01\policies), it refers to the DFS namespace (such as \\hserver\policies), which gives users a single place to locate data while distributing that data across different VFSs to enhance availability and performance.
FIGURE 11. DFS namespace

Microsoft Management Console
File Persona integrates with the MMC for managing shared folders on File Persona, including creating new shares and deleting existing shares, as shown in Figure 12. To manage permissions for the share in Figure 12, right-click the share name, select Properties, and then select the Permissions tab. This gives file share administrators a familiar alternative to the SSMC.

FIGURE 12. Managing shared folders from MMC

ANTIVIRUS SCANNING
File Persona supports antivirus scanning to protect data against viruses and malware. Antivirus scanning on a network share or home directory is critical because the incoming data comes from many users and many PCs. Infected files are quarantined for later offline action, so business continues without an outage caused by a virus. File Persona integrates with external third-party antivirus servers through the Internet Content Adaptation Protocol (ICAP). Currently, File Persona supports virus scan engines (VSEs) from Symantec Protection Engine, McAfee VirusScan Enterprise, McAfee VirusScan Enterprise for Storage, Trend Micro ServerProtect, Sophos Endpoint Protection antivirus software, and Kaspersky Security for Storage. Only a single VSE can be used at a time on an HPE 3PAR StoreServ system. For supported versions of the software, refer to the application support matrix at HPE SPOCK.
FIGURE 13. File Persona antivirus architecture

File Persona supports antivirus scan policies to control scanning, as well as on-access (real-time) and on-demand scanning. For redundancy and higher throughput, virus scanning can be configured with multiple antivirus scan servers. Scanned file information is persisted to avoid running redundant scans and wasting resources. For more information on antivirus scanning, refer to the Virus scanning best practices guide for HPE 3PAR File Persona.

QUOTA MANAGEMENT
Quota management provides better control and planning for data growth, reducing the business cost of data backups and archiving. Quotas also balance resource utilization and help ensure appropriate usage. They can be combined with alerts, logs, and reporting events to maintain records, and they are essential for organizations that implement a chargeback model. File Persona enables quotas by default in the file system. It supports native quota management for user and group quotas on VFSs and capacity quotas on file stores. User and group quotas can restrict the total capacity or the number of files (or both) for a user or group within a VFS. Capacity quotas on a file store enforce a quota policy on the space usage and the number of files within that file store, independent of which users and groups store files in it. A quota in File Persona can have a hard threshold, which is enforced immediately once exceeded (users cannot write any more after the hard limit is reached), or a soft threshold. When a soft threshold is reached, a grace period (seven days by default) begins during which continued writes are allowed. File Persona also supports quota reporting of current usage, with alerts and events generated when soft or hard thresholds are reached.
Quotas persist across a local failover to the other node in the node pair. You can manage quotas from the SSMC by navigating to the VFS details and selecting Manage User/Group Quotas from the Action menu. From this menu you can create, modify, export, and import quotas, as shown in Figure 14.

FIGURE 14. Manage user and group quotas