FASTFIND LINKS Document Organization Product Version Getting Help Table of Contents
MK-99ARC025-04
Copyright 20092011 Hitachi Data Systems Corporation, ALL RIGHTS RESERVED No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in a database or retrieval system for any purpose without the express written permission of Hitachi Data Systems Corporation (hereinafter referred to as Hitachi Data Systems). Hitachi Data Systems reserves the right to make changes to this document at any time without notice and assumes no responsibility for its use. This document contains the most current information available at the time of publication. When new and/or revised information becomes available, this entire document will be updated and distributed to all registered users. Some of the features described in this document may not be currently available. Refer to the most recent product announcement or contact your local Hitachi Data Systems sales office for information about feature and product availability. Notice: Hitachi Data Systems products and services can be ordered only under the terms and conditions of the applicable Hitachi Data Systems agreement(s). The use of Hitachi Data Systems products is governed by the terms of your agreement(s) with Hitachi Data Systems. By using this software, you agree that you are responsible for: a) Acquiring the relevant consents as may be required under local privacy laws or otherwise from employees and other individuals to access relevant data; and b) Ensuring that data continues to be held, retrieved, deleted, or otherwise processed in accordance with relevant laws. Hitachi is a registered trademark of Hitachi, Ltd. in the United States and other countries. Hitachi Data Systems is a registered trademark and service mark of Hitachi, Ltd. in the United States and other countries. All other trademarks, service marks, and company names are properties of their respective owners.
Contents
Preface........................................................................................................ ix
Intended audience . . . . Product version . . . . . . Document organization . Syntax notation . . . . . . Related documents. . . . Getting help. . . . . . . . . Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... ..... ..... ..... ..... ..... ..... . . . . . . . .. .. .. .. .. .. .. . . . . . . . . . . . . . . . . . . . . . .... .... .... .... .... .... .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .ix . .ix ..x . .xi . .xi . xiii . xiv
iii
Default shred setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . Default index setting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Custom metadata operations for objects under retention . . . XML checking for custom metadata . . . . . . . . . . . . . . . . . . Versioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Disposition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data access permission masks . . . . . . . . . . . . . . . . . . . . . . Replication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System-level administrative access. . . . . . . . . . . . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
iv
Configuring the tenant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Changing the tenant contact information . . . . . . . . . . . . . . . . Changing the tenant permission mask . . . . . . . . . . . . . . . . . . Changing the tenant description . . . . . . . . . . . . . . . . . . . . . . Controlling system-level administrative access. . . . . . . . . . . . . Controlling access to the Tenant Management Console . . . . . . Adding and removing entries in Allow and Deny lists . . . . . . Valid Allow and Deny list entries . . . . . . . . . . . . . . . . . . . . Allow and Deny list handling . . . . . . . . . . . . . . . . . . . . . . . Controlling access to HCP through the management API . . . . . Controlling access to the Search Console . . . . . . . . . . . . . . . . Monitoring the tenant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Viewing the complete tenant event log . . . . . . . . . . . . . . . . . . Viewing the tenant security log . . . . . . . . . . . . . . . . . . . . . . . Viewing the tenant compliance log . . . . . . . . . . . . . . . . . . . . . Understanding log messages . . . . . . . . . . . . . . . . . . . . . . . . . Managing the message list . . . . . . . . . . . . . . . . . . . . . . . . . . Enabling syslog logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enabling SNMP logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring and managing replication . . . . . . . . . . . . . . . . . . . . . . Tenant-level view of replication . . . . . . . . . . . . . . . . . . . . . . . Namespace-level view of replication . . . . . . . . . . . . . . . . . . . . Backlog time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data transmission rate . . . . . . . . . . . . . . . . . . . . . . . . . . . Operation rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Selecting or deselecting namespaces for replication . . . . . . . . . Generating chargeback reports . . . . . . . . . . . . . . . . . . . . . . . . . . About chargeback reports . . . . . . . . . . . . . . . . . . . . . . . . . . . Generating a chargeback report . . . . . . . . . . . . . . . . . . . . . . . Chargeback statistics collection . . . . . . . . . . . . . . . . . . . . . . . Chargeback report content . . . . . . . . . . . . . . . . . . . . . . . . . . Sample chargeback report . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . 5-7 . . . . . . . . 5-7 . . . . . . . . 5-9 . . . . . . . . 5-9 . . . . . . . .5-10 . . . . . . . .5-11 . . . . . . . .5-12 . . . . . . . .5-12 . . . . . . . .5-13 . . . . . . . .5-13 . . . . . . . .5-14 . . . . . . . .5-15 . . . . . . . .5-17 . . . . . . . .5-17 . . . . . . . .5-18 . . . . . . . .5-18 . . . . . . . .5-20 . . . . . . . .5-20 . . . . . . . .5-21 . . . . . . . .5-22 . . . . . . . .5-22 . . . . . . . .5-24 . . . . . . . .5-24 . . . . . . . .5-25 . . . . . . . .5-25 . . . . . . . .5-25 . . . . . . . .5-26 . . . . . . . .5-26 . . . . . . . .5-27 . . . . . . . .5-28 . . . . . . . .5-28 . . . . . . . .5-30
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
6-2 6-2 6-3 6-3 6-4 6-5 6-5 6-6 6-7 6-7 v
Creating a namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 Configuring a namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-11 Changing the namespace name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-12 Changing the namespace permission mask . . . . . . . . . . . . . . . . . . . . . . .6-12 Changing the namespace description . . . . . . . . . . . . . . . . . . . . . . . . . . .6-13 Changing namespace quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-14 Changing the default retention setting . . . . . . . . . . . . . . . . . . . . . . . . . .6-14 Changing the default shred setting. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-17 Changing the default index setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-17 Changing custom metadata operations allowed for objects under retention 6-18 Enabling or disabling XML checking for custom metadata . . . . . . . . . . . . .6-19 Configuring object versioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-20 Changing the disposition setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-21 Enabling or disabling read from replica . . . . . . . . . . . . . . . . . . . . . . . . . .6-22 Changing the DPL setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-23 Changing the retention mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-24 Configuring the HTTP protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-25 Managing search and indexing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-27 Enabling or disabling search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-28 Stopping or restarting HCP indexing . . . . . . . . . . . . . . . . . . . . . . . . . .6-28 Restarting HCP indexing from a specified point . . . . . . . . . . . . . . . . . .6-28 Monitoring a namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-29 Viewing the complete namespace event log . . . . . . . . . . . . . . . . . . . . . .6-30 Viewing the namespace compliance log . . . . . . . . . . . . . . . . . . . . . . . . .6-30 Working with irreparable objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-31 Deleting a namespace. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-32
vi
Glossary Index
vii
viii
Preface
This book explains how to use Hitachi Content Platform (HCP) to monitor and manage tenants and namespaces in an HCP system. It presents the concepts and instructions you need to set up both administrative user accounts and data access accounts, configure the HTTP protocol, manage the search feature, and download installation files for HCP Data Migrator and the HCP client tools. It also covers activities you can perform to keep namespaces in compliance with local regulations. This book does not address the default tenant and namespace. For information on managing them, see Managing the Default Tenant and Namespace. Note: Throughout this book, the word Unix is used to represent all UNIXlike operating systems (such as UNIX itself or Linux), except where Linux is specifically required.
Intended audience
This book is intended for tenant administrators who configure, monitor, and manage HCP namespaces. It assumes you are familiar with your client operating system and the web browser you use to run the HCP Tenant Management Console.
Product version
This book applies to release 4.1 of HCP.
ix
Document organization
Document organization
This book contains ten chapters and two appendixes.
Chapter/Appendix
Chapter 1, Introduction to Hitachi Content Platform Chapter 2, Tenant and namespace properties Chapter 3, General administrative information Chapter 4, Managing administrative users Chapter 5, Managing the current tenant Chapter 6, Managing namespaces
Description
Introduces basic HCP concepts and highlights some of the product features Describes tenant and namespace properties Introduces the Tenant Management Console and describes tenant administrator responsibilities Explains how to create and manage accounts for tenant administrators and how to configure remote authentication Explains how to configure and monitor the current tenant Explains how to create, configure, and monitor the namespaces owned by the current tenant Explains how to create, modify, and delete data access accounts Describes retention classes and explains how to create, modify, and delete them Describes the privileged delete capability and explains how to perform privileged delete operations from the Tenant Management Console Contains instructions for downloading HCP Data Migrator for installation on client computers Contains instructions for downloading the HCP client tools for installation on client computers Describes the alerts that can appear on various pages of the Tenant Management Console Explains the messages that can appear in the tenant log
Chapter 7, Managing data access accounts Chapter 8, Working with retention classes Chapter 9, Using privileged delete
Chapter 10, Downloading HCP Data Migrator Chapter 11, Installing the HCP client tools Appendix A, Tenant Management Console alerts Appendix B, Tenant log messages
Syntax notation
Syntax notation
The table below describes the conventions used for the syntax of commands, expressions, URLs, and object names in this book.
Notation boldface Meaning
Type exactly as it appears in the syntax (if the context is case insensitive, you can vary the case of the letters you type) Replace with a value of the indicated type This book shows:
Example https://tenant-url-name.hcp-name.domainname:8000
You enter: https://finance.hcp-ma.example.com:8000
italics
Related documents
The following documents contain additional information about Hitachi Content Platform:
xi
Related documents
Using the Default Namespace This book describes the file system
HCP uses to present the contents of the default namespace. It provides instructions for accessing the namespace by using the HCP-supported protocols for the purpose of storing, retrieving, and deleting objects, as well as changing object metadata such as retention and permissions.
Using HCP Data Migrator This book contains the information you
need to install and use the HCP Data Migrator (HCP-DM) utility distributed with HCP. This utility enables you to copy data between local file systems, HCP namespaces, and earlier HCAP archives. It also supports bulk delete operations. The book describes both the interactive window-based interface and the set of command-line tools included in HCP-DM.
Using the HCP Client Tools This book contains the information you
need to install and use the legacy set of client command-line tools distributed with HCP. These tools enable you to find files and to copy and move files to and from namespaces. The book contains many examples that show command-line details and the overall workflow. Note: For most purposes, the HCP client tools have been superseded by HCP Data Migrator. However, they have some features, such as finding files, that are not available in HCP-DM.
xii
Getting help
Getting help
The Hitachi Data Systems customer support staff is available 24 hours a day, seven days a week. If you need technical support, please call:
United States: (800) 446-0744 Outside the United States: (858) 547-4526
Note: If you purchased HCP from a third party, please contact your authorized service provider.
xiii
Comments
Comments
Please send us your comments on this document: hcp.documentation.feedback@hds.com Include the document title, number, and revision, and refer to specific sections and paragraphs whenever possible. Thank you! (All comments become the property of Hitachi Data Systems.)
xiv
1
Introduction to Hitachi Content Platform
Hitachi Content Platform (HCP) is a distributed storage system designed to support large, growing repositories of fixed-content data. HCP stores objects that include both data and metadata that describes the data. It presents these objects as URLs. An HCP repository is partitioned into namespaces. Each namespace consists of a distinct logical grouping of objects with its own directory structure. Namespaces are owned and managed by tenants. HCP provides access to objects through the HTTP protocol, as well as through various HCP-specific interfaces. This chapter contains an overview of Hitachi Content Platform.
11
Object-based storage
HCP stores objects in a repository. Each object permanently associates data HCP receives (for example, a file, an image, or a database) with information about that data, called metadata. An object encapsulates:
12
13
Namespace access
Namespace access
HCP supports access to namespace content through:
The HTTP protocol The Namespace Browser HCP Data Migrator A set of client command-line tools A metadata query API The Search Console
To use any of these interfaces, you need a data access account (see Data access accounts on page 1-8).
HTTP protocol
HCP allows access to namespace content through the HTTP protocol. HTTP is an industry-standard protocol for transferring data between a client and a server. Using HTTP, you can perform various operations, including: storing data, creating directories, viewing object data and metadata, viewing directories, modifying certain metadata, and deleting objects (when permitted). With HTTP, HCP presents each object as a URL. The root of the object path in the URL is always rest. HCP supports both plain HTTP and HTTP with SSL security (HTTPS). You can choose whether to enable one or both of them on a per-namespace basis. If you dont enable either one, users and applications have no access to the namespace. For more information on object representation and access, see Using a Namespace.
Namespace Browser
The HCP Namespace Browser lets you manage content in and view information about namespaces. With the Namespace Browser, you can:
14
Namespace access
Create empty directories Store and delete objects Display namespace information, including:
The namespaces that you can access Retention classes available for a given namespace Permissions for namespace access Namespace statistics such as the number of objects in a given namespace or the total capacity of the namespace
Copy objects, files, and directories between local file systems, HCP
namespaces, and earlier HCAP archives
Purge all versions of an object View the content of objects and files, including the content of old
versions of objects
Rename files and directories on the local file system View object, file, and directory properties Create empty directories Add, replace, or delete custom metadata for objects
HCP-DM has both a graphical user interface (GUI) and a command-line interface.
15
Namespace access
For information on downloading HCP-DM, see Chapter 10, Downloading HCP Data Migrator. For information on installing and using HCP-DM, see Using HCP Data Migrator.
Namespace Change time Object status (created, deleted, or purged) Index setting Directory
16
Namespace access
The query API returns object metadata only, not object data. The metadata is returned as XML, with each object represented by a separate element, or JSON, with each object represented by a separate name/value pair. For queries that return large numbers of objects, you can use paged requests. For information on using the metadata query API, see Using a Namespace.
Only one of the search facilities can be enabled at any given time. If neither one is enabled, the HCP system does not support using the Search Console to search namespaces. The system associated with the enabled search facility is called the active search system. The active search system (that is, HDDS or HCP) maintains an index of objects in each search-enabled namespace. This index is based on object content and metadata. The active search system uses the index for fast retrieval of search results. When objects are added to or removed from the namespace or when object metadata changes, the active search system automatically updates the index to keep it current.
17
To learn which search facility is enabled for the HCP system, contact your HCP system administrator. For more information on the search index, see Search and indexing on page 2-4. For information on using the Search Console, see Searching Namespaces.
18
2
Tenant and namespace properties
Tenants and namespaces have certain properties that affect how they operate. Some of these properties are set when the tenant or namespace is created. Others are set after creation. Some can be modified after they are initially set; others cannot. This chapter addresses these properties of tenants and namespaces:
Quotas Data protection level Cryptographic hash algorithm Retention mode Search and indexing Default retention, shred, and index settings Which custom metadata operations are allowed for objects under
retention
XML checking for custom metadata Versioning Disposition Data access permission masks Replication System-level administrative access
Tenant and namespace properties Managing a Tenant and Its Namespaces
21
Storage quotas
Storage quotas
Both tenants and namespaces have hard and soft storage quotas:
A soft quota is the percentage point at which HCP notifies the tenant
that allocated storage space is being used up. For a tenant, the soft quota measures the space used in all the namespaces the tenant owns relative to the hard quota for that tenant. For a namespace, the soft quota measures the space used in just that namespace relative to the hard quota for that namespace. The quotas for a tenant are set when the tenant is created. HCP systemlevel administrators can change these quotas at any time. However, the hard quota for a tenant cannot be set lower than the amount of space the tenant has currently allocated to its namespaces. The quotas for a namespace are set when the namespace is created. You can change these quotas at any time. However, the hard quota for a namespace cannot be set lower than the amount of space currently used in the namespace. And, the total of the hard quotas for all the namespaces owned by a tenant cannot exceed the hard quota for that tenant.
22
The DPL affects the amount of storage used when data is added to the namespace. With a DPL of one, HCP stores only one copy of the object. With a DPL of two, HCP stores two copies, thereby using twice as much storage. The DPL for a namespace is set when the namespace is created. You can change this setting at any time. For information on changing the DPL setting for a namespace, see Changing the DPL setting on page 6-23.
Retention mode
Each object has a retention setting that specifies how long the object must remain in the namespace before it can be deleted; this duration is called the retention period. While an object cannot be deleted due to its retention setting, it is said to be under retention. Retention mode is a property of a namespace that affects which operations are allowed on objects under retention. A namespace can be in either of two retention modes:
23
Search is enabled for the namespace. HTTP or HTTPS is enabled for the namespace.
24
The effective permission mask for the namespace includes the read and
search permissions.
The HCP management API is enabled at both the system level and
tenant levels.
25
26
Allow custom metadata to be added for objects under retention but not
replaced or deleted
27
Versioning
You can enable or disable custom metadata XML checking for a namespace at any time. For instructions on doing this, see Enabling or disabling XML checking for custom metadata on page 6-19. Note: If the custom metadata XML for an object has a very large number of different elements and attributes, HCP may determine that the XML is not well-formed, even if it is, and reject the file. If this happens, the user can try restructuring the XML so that it includes fewer different elements and attributes. Alternatively, you can temporarily disable custom metadata XML checking to allow that XML to be stored in the namespace.
Versioning
Versioning is the creation of multiple versions of objects. Any given namespace can be configured to support versioning or not to support it. You can change this configuration at any time. When versioning is enabled for a namespace, you can set a time for version pruning. Version pruning is the automatic deletion of previous versions of objects that are older than a specified amount of time. You can also set a time for version pruning in the namespace on a replica to be used if and when the namespace is replicated. This time can be the same as or different from the time for version pruning on the primary system. For example, you can choose to keep versions for ten days in the namespace on the primary system and two years in the namespace on the replica. HCP always ensures that old versions needed for the replica are replicated before pruning them on the primary system. Old versions of objects can be kept for a longer amount of time on the primary system than on the replica. In this case, should recovery from the replica become necessary, you can recover only the number of versions kept on the replica. This will be fewer than the number of versions that would have been kept on the primary system. You can create namespaces with versioning enabled only if allowed to do so by the tenant configuration. HCP system-level administrators can change this configuration from not allowing the creation of namespaces with versioning enabled to allowing it. However, they cannot do the reverse. For definitions of primary system and replica, see Replication on page 2-11. For information on changing versioning settings for a namespace, see Configuring object versioning on page 6-20.
28
Disposition
Disposition
Disposition is the automatic deletion of objects with expired retention periods. To be eligible for disposition, an object must have a retention setting thats either of these:
A date in the past A retention class with automatic deletion enabled that results in a
calculated expiration date in the past Disposition has the benefit of automatically freeing HCP storage space for the creation of more objects. Without disposition, users and applications need to explicitly delete expired objects in order to free the occupied space. Disposition deletes only the current version of a versioned object. It does not delete old versions. Disposition is enabled on a per-namespace basis. When you create a namespace, this feature is disabled. You can change this setting at any time. For information on enabling and disabling disposition, see Changing the disposition setting on page 6-21. For information on retention classes, see Chapter 8, Working with retention classes. Note: HCP system-level administrators can enable or disable disposition for the repository as a whole. While disposition is disabled for the repository, enabling it for a namespace has no effect.
Read Lets users and applications read and retrieve objects, including
object metadata, and list directory contents.
29
Search Lets users use the HCP metadata query API and the HCP
Search Console to query or search the namespace. For users to query or search a namespace, read operations must also be allowed. Data access permission masks are set at the system, tenant, and namespace levels:
The tenant-level mask is set individually for each tenant. This mask
applies only to the namespaces owned by that tenant.
210
Replication
The table below shows an example of the effective permissions for a namespace given a set of data access permission masks.
Permissions Priv. delete
Permission mask
Systemwide permission mask Tenant permission mask Namespace permission mask Effective permission mask
HCP system-level administrators can change the systemwide permission mask at any time. You can change the tenant and namespace permission masks at any time. You can make a namespace effectively read-only be removing all operations except read from its data access permission mask. For information on setting the tenant and namespace permission masks, see Changing the tenant permission mask on page 5-9 and Changing the namespace permission mask on page 6-12.
Replication
Replication is the process of keeping selected tenants and namespaces in two HCP systems in sync with each other. Basically, this entails copying object creations, deletions, and metadata changes from one system to the other. HCP also replicates tenant and namespace configuration, data access accounts, retention classes, all compliance log messages, and most other tenant log messages. The HCP system in which the objects are initially created is called the primary system. The second system is called the replica. Typically, the two systems involved are in separate geographic locations and connected by a high-speed wide area network. HCP supports replication chains, in which one system replicates to a second system, which, in turn, replicates to a third system.
211
Search
Delete
Purge
Write
Read
Replication
If the primary system suffers irreparable damage, the replica can serve
as a source for disaster recovery.
If the two systems are widely separated, the replica may be able to
provide faster data access for some locations than the primary system can.
The namespace that contains the object is currently included in the replication of the tenant and has the read-from-replica feature enabled. The object has already been replicated. Users and applications can check object metadata to determine whether an object has been replicated.
For more information on this feature, see Enabling or disabling read from replica on page 6-22. Replication is implemented at the tenant and namespace level. When creating a tenant, the HCP system administrator indicates whether it is eligible to be replicated. HCP system administrators can change this setting from not allowing replication to allowing it. However, they cannot do the reverse. For each namespace, you can choose whether or not to include the namespace in the replication of the tenant. You can change this setting at any time.
212
The HCP system administrator selects tenants to be replicated from among those that are eligible. If a tenant has granted system-level administrative users access to itself, the system administrator can change the namespace selections for that tenant. HCP replicates the configuration of each selected tenant and the configuration and contents of all the namespaces selected for replication with the tenant. During replication, you cannot make any configuration changes to the tenant or any of its namespaces on the replica, nor can users and applications make any changes to the namespace content on the replica. Similarly, during data recovery, such changes are not allowed on the primary system. Replication is asynchronous with other HCP activity. If allowed by the system configuration, you can monitor replication progress in the Tenant Management Console. For information on this and on selecting namespaces for inclusion in replication of a tenant, see Monitoring and managing replication on page 5-22.
Note: Replication is an add-on feature to HCP. Not all systems include it.
213
214
3
General administrative information
As an HCP tenant administrator, you are responsible for managing a tenant and the namespaces it owns. Your primary job is to ensure that users and applications have the access they need to those namespaces. The tool you use for this purpose is a web application called the Tenant Management Console. Depending on the permissions you have, you can use the Console to configure and monitor the tenant and its namespaces, as well as perform compliance activities. This chapter:
31
32
HCP management API HCP includes an HTTP REST interface to a subset of its administrative functions. Using this interface, called the management API, you can modify your tenant and create, modify, and delete namespaces and data access accounts for the tenant. Additionally, you can create, modify, and delete retention classes for namespaces owned by the tenant. You use the Tenant Management Console to enable the management API. To use the management API, you need a user account that includes the applicable roles for the actions you want to take. For information on enabling the management API, see Controlling access to HCP through the management API on page 5-13. For information on using the HCP management API, see HCP Management API Reference.
For example, to access the Tenant Management Console for the tenant named Finance in the HCP system named hcp-ma.example.com, you would use this URL:
https://finance.hcp-ma.example.com:8000
Note: If you inadvertently use http instead of https in the URL, the browser prompts you to open or save a file. Cancel out of the prompt and try again, this time using https. Using a hosts file Typically, the HCP system is included as a subdomain in the corporate DNS setup. If this is not the case, you need to provide a mapping of the tenant hostname to an IP address for the HCP system. You specify hostname mappings in the hosts file on the client. The location of this file depends on the client operating system:
33
Each line in a hosts file is a mapping of a fully qualified hostname to an IP address. So, for example, if one of the IP addresses for the HCP system is 192.168.210.16, you would add this line to the hosts file on the client to enable access to the Tenant Management Console for the Finance tenant:
192.168.210.16 finance.hcp-ma.example.com
You can include comments in a hosts file either on separate lines or following a mapping on the same line. Each comment must start with a number sign (#). Blank lines are ignored. For the IP addresses for the HCP system, contact your HCP system administrator. Hostname mapping considerations An HCP system has multiple IP addresses. You can map the tenant hostname to more than one of these IP addresses in the hosts file. The way multiple mappings are used depends on the client platform. For information on how your client handles multiple mappings in a hosts file, see your client documentation. Note: If any of the IP addresses listed in the hosts file are unavailable, timeouts may occur when you use a hosts file to access the Tenant Management Console.
Logging in
To log into the Tenant Management Console: 1. Open a web browser window. 2. In the address field, enter the URL for your Tenant Management Console. The Tenant Management Console login page appears. This page shows the serial number, if any, for the HCP system. At the bottom right, the page also shows the specific version of the HCP release. Once you enter the Tenant Management Console, both the serial number and the version appear at the bottom of each page. 3. In the Username field, type your username. For the username to use when first logging into a new HCP system, see Starter account on page 4-7.
34
4. In the Password field, type your case-sensitive password. Important: You should change your password as soon as possible the first time you log into the Tenant Management Console. Note: If you try to log in with an invalid password multiple times in a row, you will be locked out of the Console. The exact number of times is configurable. For information on setting this value, see Changing user account and login settings on page 4-11. 5. Click on the Log In button. The Console displays the tenant Overview page or, if youre required to change your password, the Change Password page. For information on the tenant Overview page, see Understanding the tenant overview on page 5-2. For information on changing your password, see Changing your password on page 3-7.
35
Refreshing pages
Tenant Management Console pages do not automatically refresh themselves while they remain open. To see the most recent values on a page, click again on the menu option that opens that page. Note: Using the browser reload button to refresh a page that lets you create or modify an entity causes the Console to resubmit values you previously entered on the page.
Submitting changes
Tenant Management Console pages and panels on which you can modify information have action buttons (such as Create Retention Class and Update Settings) that submit your changes. Action buttons make the changes on a page permanent. These changes take effect immediately. You need to submit the changes you make before switching to a different page or panel. If you switch without submitting those changes, the Console does not retain them. For some checkbox options, selecting or deselecting the checkbox causes that change to take effect immediately. After you submit changes, the Console displays a message indicating whether HCP successfully made the changes. To hide the message, click on Dismiss in the message area.
36
In the Existing Password field, type your current password. In the New Password field, type your new password. Passwords can be up to 64 characters long, are case sensitive, and can contain any valid UTF-8 characters, including white space. To be valid, a password must include at least one character from two of these three groups: alphabetic, numeric, and other. The minimum length for passwords is specific to the tenant. Typically, its six or eight characters. For information on changing the minimum length for passwords, see Changing user account and login settings on page 4-11.
In the Confirm New Password field, type your new password again.
37
Administrative responsibilities
Logging out
To log out of the Tenant Management Console: 1. In the top right corner of the Console window, click on the Log Out link. 2. Close the browser window to ensure that other users cannot go back into the Tenant Management Console using your login. Tip: For extra security, clear the browser cache before closing the window.
Administrative responsibilities
Tenant-level administrative responsibilities consist of:
Managing user accounts Maintaining the tenant Creating and maintaining namespaces Monitoring the tenant and namespaces Managing namespace access Performing compliance activities
You perform these activities in the HCP Tenant Management Console. For information on using this Console, see Tenant Management Console on page 3-2. Managing user accounts To use the HCP Tenant Management Console, you need a user account. The account allows you to log into the Console and determines the actions you can perform after logging in. You use the Tenant Management Console to create, modify, delete, enable, and disable user accounts. You also use the Console to configure login settings that apply to all users. For information on managing user accounts and configuring login settings, see Chapter 4, Managing administrative users.
38
Administrative responsibilities
Maintaining the tenant HCP system-level administrators create tenants and maintain certain aspects of their configuration. Other aspects of tenant configuration, however, are maintained at the tenant level. As a tenant administrator, you are responsible for configuring:
Tenant contact information The tenant description The tenant permission mask System-level administrative access to the tenant Access to the Tenant Management Console Access to HCP through the management API Access to the Search Console for the tenant
For information on these activities, see Configuring the tenant on page 5-7. Creating and maintaining namespaces As a tenant administrator, you are responsible for creating and maintaining namespaces. After creating a namespace, you can change several of its properties:
Namespace name Namespace permission mask Namespace description Namespace quotas Default retention, shred, and index settings Which custom metadata operations are allowed for objects under
retention
39
Administrative responsibilities
Whether read from replica is enabled Data protection level Retention mode Whether its included in replication of the tenant
For information on creating namespaces, see Creating a namespace on page 6-7. For information on changing namespace properties, see Configuring a namespace on page 6-11 and Selecting or deselecting namespaces for replication on page 5-25. You are also responsible for managing search and indexing for the namespaces owned by the tenant. For information on these activities, see Managing search and indexing on page 6-27. Monitoring the tenant and namespaces HCP is a self-monitoring, self-healing system that automatically alerts you to any issues you may need to address (such as a namespace running low on space). The Tenant Management Console enables you to review tenant and namespace activity and take action to address certain issues. Using the Console, you can view:
Tenant statistics on page 5-2 Objects section on page 6-3 Usage section on page 6-4
Major tenant events on page 5-3 Viewing the complete tenant event log on page 5-17 Major namespace events on page 6-5 Viewing the complete namespace event log on page 6-30
310
Administrative responsibilities
Messages about security events (that is, attempts to log into the Tenant
Management Console with an invalid username). For information on this, see Viewing the tenant security log on page 5-17.
Messages about compliance events (that is, retention class activity and
privileged delete operations). For information on this, see:
Viewing the tenant compliance log on page 5-18 Viewing the namespace compliance log on page 6-30
Alerts warning you of conditions that may need your attention. For
information on this, see:
Setting the tenant and namespace data access permission masks. For
information on setting the tenant permission mask, see Changing the tenant permission mask on page 5-9. For information on setting the namespace permission mask, see Changing the namespace permission mask on page 6-12.
311
Administrative responsibilities
312
4
Managing administrative users
As a tenant security administrator, you are responsible for creating and managing user accounts. A user account gives a person permission to access the Tenant Management Console and to use the HCP management API. It also determines which actions the user is allowed to perform through the applicable interface. When creating a user account, you associate roles with the account and specify whether the account is authenticated locally or remotely when used to access an HCP interface. This chapter explains how to:
Create and manage user accounts Change Tenant Management Console login settings
For an introduction to the Tenant Management Console, see Tenant Management Console on page 3-2.
41
42
Available roles The roles you can associate with a user are:
Permission
Create, view, modify, delete, and otherwise manage user accounts Specify message text for the Tenant Management and Search Console login pages View the tenant overview Modify the tenant contact information, permission mask, and description Allow or disallow access to the Tenant Management Console by HCP system-level users
Security
Monitor
43
Permission
View and modify Tenant Management Console security settings View and modify HCP management API security settings View and modify Search Console security settings View tenant log messages about all events except compliance and security events View tenant log messages about compliance events View tenant log messages about security events View syslog and SNMP logging options Enable or disable syslog and SNMP logging Monitor replication Select namespaces for replication Generate chargeback reports View the namespace list View a namespace overview Create and delete namespaces Modify namespace names and quotas View namespace permission masks and descriptions Modify namespace permission masks and descriptions View namespace retention-related settings Modify namespace retention-related settings View namespace default shred settings Modify namespace default shred settings View namespace default index settings Modify namespace default index settings View namespace object versioning configurations Configure object versioning in namespaces
44
Security
Monitor
Permission
View namespace disposition settings Modify namespace disposition settings View namespace read-from-replica settings Modify namespace read-from-replica settings View namespace DPL settings Modify namespace DPL settings View namespace retention modes Modify namespace retention modes View namespace search and indexing settings Manage namespace search and indexing View the HTTP protocol configuration for namespaces Configure the HTTP protocol for namespaces View all namespace log messages except messages about compliance events View namespace log messages about compliance events View the list of irreparable objects Acknowledge irreparable objects View the syslog and SNMP logging configuration Modify the syslog and SNMP logging configuration View the list of data access accounts View an individual data access account Create, modify, and delete data access accounts View the list of retention classes View an individual retention class Create, modify, and delete retention classes Perform privileged delete operations
Security
Monitor
45
Permission
Download HCP Data Migrator Download the HCP client tools Change your own locally authenticated password in the Tenant Management Console View HCP documentation from the Tenant Management Console
User authentication
To use the Tenant Management Console, the user needs to log in and be authenticated by the HCP system. Note: The following discussion also applies to providing credentials in HCP management API requests. User login To log into the Tenant Management Console, the user specifies a username and password. HCP then checks that the combination of the specified username and password is valid and that the user account is enabled:
If the username and password are valid and the user account is
enabled, HCP lets the user into the Console.
46
Security
Monitor
Starter account
When creating a tenant, the HCP system administrator defines one user account for it. This account has only the security role and is authenticated locally. Before you can log into the Tenant Management Console for the first time, you need to get the username and password for this account from the system administrator. The first time you log in with the starter account, you are immediately required to change your password. Then you can create new accounts as needed, including new accounts with the security role. You can delete the starter account as long as at least one other locally authenticated account has the security role and is enabled.
47
The username. The system-supplied user ID for the account. HCP generates this ID
automatically when you create an account. User IDs are permanently associated with accounts. If you delete an account, HCP does not reuse its user ID for a new account, even if the new account has the same username as the deleted account.
Whether the account is enabled or disabled. The full name of the account user. Whether the user login is authenticated locally or remotely. Icons for the roles associated with the account:
Monitor: Administrator: Security: Compliance:
In the Username field, type a unique login name for the user account. Usernames must be from one through 64 characters long and can contain any valid UTF-8 characters but cannot start with an opening square bracket ([). White space is allowed. Usernames are not case sensitive.
48
The username for an administrative user account must be unique for the current tenant. Different tenants can have administrative accounts with the same username. You can reuse usernames that are not currently in use. So, for example, if you delete the account for a user and then recreate it, you can give the account the same username as before.
In the Full Name field, type the name of the person for whom youre creating the user account. This name must be from one through 64 characters long and can contain any valid UTF-8 characters, including white space. For the Authentication option, select either Local or, for remote authentication, RADIUS. If you select Local, the panel displays the Password and Confirm Password fields and Force password change on next login option. If you select RADIUS, these fields are hidden. For local authentication:
In the Password field, type a password for the user account. Passwords can be up to 64 characters long, are case sensitive, and can contain any valid UTF-8 characters, including white space. The minimum password length is configurable. To be valid, a password must include at least one character from two of these three groups: alphabetic, numeric, and other. For information on changing the minimum length for passwords, see Changing user account and login settings on page 4-11. Note: HCP does not save passwords in a recoverable format. If a user forgets his or her password, you need to assign a new one.
In the Confirm Password field, type the password again. Optionally, select the Force password change on next login option. When this option is selected, the next time a user uses the account to log into the Tenant Management Console, the Console automatically displays the Change Password page. The user cannot do anything else in the Console until the password is changed.
49
Once the user changes the password, the Force password change on next login option is automatically deselected.
In the Roles section, select at least one role for the user account. For descriptions of the available roles, see Roles and permissions on page 4-2. Optionally, in the Description field, type a description of the user account. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space. Optionally, deselect the Enable account option to have the user account initially disabled.
410
411
User account and login settings apply to all users. These settings control:
The number of days a user account can remain inactive before its
automatically disabled. Valid values are integers in the range zero through 999. The default is 30 days. A value of zero means accounts are never automatically disabled due to inactivity. The last locally authenticated account with the security role is never automatically disabled due to inactivity.
412
413
414
5
Managing the current tenant
When you log into the Tenant Management Console, you do so for a particular tenant. You can then view all the available information about that tenant, change certain of its properties, and monitor its activity. This chapter:
Describes the tenant Overview page Contains instructions for configuring the current tenant Explains how to monitor tenant activity Explains how to monitor and manage tenant and namespace replication Describes chargeback reports and explains how to generate them
For an introduction to tenants, see Namespaces and tenants on page 1-3.
51
Tenant statistics
The tenant Overview page shows three categories of statistics:
Quota The total number of bytes available to the tenant for allocation to its namespaces. This is the hard quota for the tenant. Used The total number of bytes currently occupied by stored data in all the namespaces owned by the tenant. This includes object data, metadata, and any redundant data required to satisfy the namespace DPLs. Available The number of bytes still available for storing data in the namespaces owned by the tenant.
Quota The number of namespaces reserved for the tenant out of the total number of namespaces the system can have. This is also maximum number of namespaces the tenant can own at any given time. If the tenant doesnt have a quota, this field displays No Quota. Used The number of namespaces currently owned by the tenant. Available The number of additional namespaces the tenant can own if the tenant has a quota. If the tenant has no quota, this is the number of unallocated namespaces out of the total number of namespaces the system can have, minus the number of existing namespaces owned by tenants with no quota.
52
Ingested The total number of objects currently stored in all the namespaces owned by the tenant. Multiple versions of an object are each counted as a separate object. Indexed The total number of indexed objects currently stored in all the namespaces owned by the tenant. This item appears only if the tenant has the search feature and either of these is true:
The HDDS search facility is enabled at the HCP system level and is configured to show statistics. The HCP search facility is enabled at the HCP system level.
Accounts This category shows: Data Access The number of data access accounts defined for the tenant. Administrative The number of administrative user accounts defined for the tenant.
53
If the Overview page shows alerts instead of log messages, click on the Major Events tab to display the log messages. For information on the alerts display, see Tenant alerts below.
Tenant alerts
The Alerts section on the tenant Overview page shows alerts that indicate tenant-related conditions that may require human intervention (for example, the tenant is running low on unused space). This section is visible only if alerts currently exist for the tenant. Each alert is represented by an icon accompanied by descriptive text. For information on the alerts that can appear in the Alerts section, see Appendix A, Tenant Management Console alerts. If the Overview page shows log messages instead of alerts, click on the Alerts tab to display the alerts. For information on the log message display, see Major tenant events above. Note: If the tenant is read-only due to being a replication target or due to metadata unavailability, a notice of the situation appears at the top of every Tenant Management Console page. In this case, you cannot make any configuration changes to the tenant or to the namespaces it owns, nor can users and applications make any changes to namespace content. Additionally, in the case of metadata unavailability, statistics that describe namespace content may be inaccurate.
Tenant features
The Features section on the tenant Overview page shows which of these features the tenant has:
54
The tenant doesnt have the search feature, and you cannot enable search for namespaces. The tenant has the search feature but no search facility is enabled at the HCP system level. In this case, you can still enable and disable search for new and existing namespaces.
55
The contact information for a tenant is visible not only in the Tenant Management Console but also in the system-level administrative interface to the HCP system. HCP system administrators can use this information to notify you about systemwide events (such as a system shutdown for maintenance). Therefore, you should keep this information up to date. For information on updating the tenant contact information, see Changing the tenant contact information on page 5-7.
Tenant description
The Description section on the tenant Overview page shows the description of the tenant, if a description exists. This description is visible only in the Tenant Management Console. It is not visible to HCP system-level administrators who dont have administrative access to the tenant. The tenant description appears below the tenant name on the login page for the Tenant Management Console. For information on providing a description of the tenant, see Changing the tenant description on page 5-9.
56
The tenant contact information The tenant permission mask The tenant description Whether HCP system-level users have administrative access to the
tenant
Which IP addresses have access to the Tenant Management Console Whether the HCP management API is enabled and, if so, which IP
addresses it can be used from
Which IP addresses have access to the Search Console for the tenant
You can also configure the tenant to send log messages to syslog servers and/or SNMP managers if this is enabled at the HCP system level.
57
3. In the Contact Information window, fill in the contact information. The table below describes the values you can specify. Except as indicated, all fields are optional.
Field First Name Description
First name of the tenant contact. First names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. The last name of the tenant contact. Last names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. An email address for the tenant contact. Email addresses cannot be more than 254 characters long. A repeat of the email address for the tenant contact. This field is required if you specify an email address in the Email field. A telephone number for the tenant contact. Do not include a telephone number extension. Telephone numbers can contain only numbers, parentheses, hyphens (-), periods (.), plus signs (+), and spaces and can be up to 24 characters long (for example, (800) 123-4567).
Last Name
Extension
A telephone number extension for the tenant contact. Telephone number extensions can contain only numbers and can be up to five characters long. lines can be up to 100 characters long and can contain any valid UTF-8 characters, including white space.
Address Line 1 The first line of an address for the tenant contact. Address
Address Line 2 The second line of an address for the tenant contact. City
The city for the tenant contact. City names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. The state or province for the tenant contact. State and province names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. The postal code for the tenant contact. Postal codes can be up to 64 characters long and can contain only alphanumeric characters and hyphens (-). The country for the tenant contact. Country names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space.
Country
58
For more information on tenant contact information, see Tenant contact information on page 5-5.
59
To change the tenant description: 1. In the top-level menu in the Tenant Management Console, click on Overview. 2. On the tenant Overview page, click on the edit link for the Description section. 3. In the edit area for the description, type the new description of the tenant. The description can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space. 4. Click on the Submit button. For more information on the tenant description, see Tenant description on page 5-6.
To grant access, select the Allow HCP system-level users to manage me and across my space option. To deny access, deselect the Allow HCP system-level users to manage me and search across my space option.
For more information on system-level administrative access, see Systemlevel administrative access on page 2-13.
510
511
) for that
512
Selected
All IP addresses can access the Console. All IP addresses can access the Console.
Not selected
No IP addresses can access the Console. Only IP addresses in the Allow list can access the Console.
All IP addresses not in the Deny No IP addresses can access the list can access the Console. IP Console. addresses in the Deny list cannot. IP addresses appearing in both or neither of the lists can access the Console. IP addresses appearing in both or neither of the lists cannot access the Console.
513
To enable and configure the HCP management API, on the MAPI page:
514
Tenant Management Console logins Namespace creations Tenant and namespace configuration changes Creations, modifications, and deletions of retention classes Privileged delete operations performed through the Tenant
Management Console
Searches performed in the Search Console Warnings about used storage approaching the hard quota
Each recorded entry about an event is called a message. The tenant log contains all the messages written to it since the tenant was created.
515
The Tenant Management Console provides several views of the log, as outlined in the table below.
View
Tenant-level all events Tenant-level major events Tenant-level security events
Shows
All log messages recorded for the tenant and its namespaces A subset of the log messages in the tenant-level all-events view Only log messages about attempts to log into the Tenant Management Console with an invalid username All log messages about events that require the compliance role across all the namespaces owned by the tenant All log messages for a given namespace A subset of the log messages in the namespace-level all-events view All log messages about events that require the compliance role for a given namespace
More information
Viewing the complete tenant event log below Major tenant events on page 5-3 Viewing the tenant security log on page 5-17
Viewing the tenant compliance log on page 5-18 Viewing the complete namespace event log on page 6-30 Major namespace events on page 6-5 Viewing the namespace compliance log on page 6-30
In addition to these views of the log, HCP gives you the option of sending log messages to syslog servers and/or SNMP managers. For more information on this, see Enabling syslog logging on page 5-20 and Enabling SNMP logging on page 5-21. For information on the messages that can appear in the tenant log and how to respond to them, see Appendix B, Tenant log messages.
516
517
3. In the left side of the Tenant Events page, click on Security Events. For a description of the information provided by each log message, see Understanding log messages below. For information on managing the message display, see Managing the message list on page 5-20.
518
For events initiated by HCP service or support personnel by means other than the Tenant Management Console, the username is [service].
Additionally, when the tenant is being replicated, in the log messages on the replica, events initiated by an HCP system-level user on the primary system have a username of [remote admin].
Notice The event is normal and requires no special action. Events of this severity are informational only. Examples are:
Warning The event is out of the ordinary and may require manual intervention. Examples are:
Error The event is serious and most likely requires manual intervention. Examples are:
The date and time at which the event occurred, shown in the time zone
of the HCP system.
519
For user-initiated events, the port through which HCP received the
event request
For user initiated events, the IP address from which the event request
was sent
To display details for all the listed events, click on the expand all link.
To hide all details, click on the collapse all link.
) or back (
520
To enable or disable the logging of tenant log messages to syslog servers: 1. On the Syslog page, select (to enable) or deselect (to disable) the Enable syslog logging option. If the HCP system is not configured for syslog logging, selecting this option has no effect. 2. Click on the Update Setting button.
521
The tenant is currently selected for replication The HCP system is configured to show this information
Additionally, you use the Replication page to select and deselect namespaces to be replicated along with the tenant. To display the Replication page: 1. In the top-level menu in the Tenant Management Console, mouse over Services to display a secondary menu. 2. In the secondary menu, click on Replication. Roles: For you to view the Replication page, your user account must include the monitor or administrator role. For you to select and deselect namespaces for replication, your user account must include the administrator role. For an introduction to replication, see Replication on page 2-11.
Replicating On the primary system, data is being copied from the primary system to the replica. On the replica, data is being recovered from the replica to the primary system. Receiving On the replica, data is being copied from the primary system to the replica. On the primary system, data is being recovered from the replica to the primary system.
522
While it is receiving data, the tenant is read-only. You cannot make configuration changes to the tenant or its namespaces, and users and applications can read but not add to or modify namespace contents.
Not Replicating The tenant is eligible for replication but was not selected to be replicated.
Up to Date as Of The oldest change time for objects and configuration changes not yet replicated or recovered, as applicable. Backlog Time A progress bar that shows the backlog of replication or recovery activity for that namespace, along with this time as a numeric value in days or in hours if its less than a day. The length of the progress bar represents 30 days, with the right end representing the current time. For more information on replication backlog time, see Backlog time on page 5-24.
523
The approximate number of objects currently waiting to be replicated The approximate amount of data currently waiting to be replicated, in
KB
Backlog time
The backlog time for replication or recovery is the difference between these:
The oldest change time for objects and configuration changes not yet
replicated or recovered, as applicable
524
Operation rate
The Operations per Second section in the namespace replication panel contains a graph that shows the history of the rate of replication or recovery operations per second, as applicable. The section heading shows the current operation rate. If the graph is not currently visible, click on Operations per Second to display it. The x-axis in this graph marks the passage of time. It shows 30 days (or less if replication or recovery has been occurring for less than 30 days). The y-axis measures the operation rate. As the operation rate varies, the intervals on the y-axis grow or shrink as needed (for example, from tens to hundreds).
525
3. Click on the Update Settings button. Tip: You can also select or deselect a namespace for replication on the namespace Replication panel. For more in formation on this, see Enabling or disabling read from replica on page 6-22.
526
An hourly report includes statistics for the most recent full hour, plus
the statistics accumulated so far for the current hour. For example, if you request the report at 2:30:15 p.m., it will contain one set of statistics for the period of time between 1:00:00 p.m. and 1:59.59 p.m. and another set of statistics for the period of time between 2:00:00 p.m. and 2:30:15 p.m.
A daily report includes statistics for the most recent full day, plus the
statistics accumulated so far for the current day. For example, if you request the report at 2:30:15 p.m. on October 7th, it will contain 24 sets of statistics for the period of time between 00:00:00 and 23:59:59 on October 6th and 15 sets of statistics for the period of time between 00:00:00 and 2:30:15 p.m. on October 7th. Tip: You can use the HCP management API to generate chargeback reports that cover longer time periods and are in XML, JSON, or CSV format. This allows you to create applications that generate chargeback reports at regular intervals and feed those reports to a billing system. For information on using the management API to generate chargeback reports, see HCP Management API Reference. To generate a chargeback report: 1. In the top-level menu in the Tenant Management Console, mouse over Monitoring to display a secondary menu. 2. In the secondary menu, click on Chargeback. 3. On the Chargeback page, click on the Hourly Chargeback Report or Daily Chargeback Report link, as applicable, and select the browser-specific option for downloading the report. By default, the name of the downloaded report file is either HourlyChargeback-Report.csv or Daily-Chargeback-Report.csv, as applicable.
527
Type
N/A One of:
Value
The DNS name of the HCP system containing the tenant that owns the namespace to which the set of statistics in the line applies The DNS name of the HCP system containing the tenant to which the set of aggregated statistics in the line applies
tenantName
N/A
Either: The name of the tenant that owns the namespace to which the set of statistics in the line applies The name of the tenant to which the set of statistics in the line applies
namespaceName N/A
The name of the namespace to which the set of statistics in the line applies. In lines that contain tenant statistics, this field has no value.
528
Identifier
startTime
Type
N/A
Value
The start time of the reporting interval for the set of statistics in the line, in this format:
objectCount
ingestedVolume
storageCapacityUsed
bytesIn
529
Identifier
writes
Type
D
Value
The total number of write operations successfully performed in the identified namespace or in any of the namespaces owned by the identified tenant during the reporting interval. The total number of delete and purge operations successfully performed in the identified namespace or in any of the namespaces owned by the identified tenant during the reporting interval. One of: true For a namespace only, the namespace was deleted after the statistics in the set were collected. false The namespace or tenant currently exists. included For a tenant only, the statistics in the set include values for one or more namespaces that were subsequently deleted.
deletes
deleted
N/A
valid
N/A
The status of the set of statistics in the line. Possible values are: true HCP successfully collected all statistics in the set. false The statistics in the set do not reflect all the activity that occurred during the reporting interval. This may be due, for example, to a network failure or to other hardware issues.
530
systemName 2010-10-07 13:00:00 2010-10-07 13:59:59 2010-10-07 14:00:00 2010-10-07 14:30:15 2010-10-07 13:00:00 2010-10-07 13:59:59 2010-10-07 14:00:00 2010-10-07 14:30:15 1240 1247 705357 720896 692224 716720 2905 3927 376 162432 167936 0 376 162432 167936 494 529 247 561 0 1623 860499 888832 3927 247 1 2 1 1 0 1616 858071 884656 3399 1090 3 7 7 2 0 5 7
tenantName namespaceName
startTime
endTime
objectCount ingestedVolume storageCapacityUsed bytesIn bytesOut reads writes deletes deleted valid 0 FALSE 0 FALSE 0 FALSE 0 FALSE 0 FALSE 0 FALSE TRUE TRUE TRUE TRUE TRUE TRUE
hcp.example.com Finance
hcp.example.com Finance
hcp.example.com Finance
Accounts-Payable
hcp.example.com Finance
Accounts-Payable
hcp.example.com Finance
hcp.example.com Finance
531
532
6
Managing namespaces
When a tenant is first created, it has no namespaces. You use the Tenant Management Console to create them as needed. After creating a namespace, you can view all the available information about it, change its properties, and monitor its activity. You can also delete namespaces that have no objects. This chapter contains information on:
Understanding the information displayed for namespaces Creating and deleting namespaces Configuring namespaces Configuring the HTTP protocol for namespace access Monitoring namespace activity
61
The namespace name. The number of objects currently in the namespace. Multiple versions of
an object are each counted as a separate object.
Icons for any current alerts that apply to the namespace. Alerts
indicate conditions that may need your attention. To see the text that accompanies an alert icon, mouse over the icon. For information about the alerts that can appear on the Namespaces page, see Appendix A, Tenant Management Console alerts.
The number of bytes used out of the hard quota for the namespace,
along with a graphical representation of the amount of storage used. To the right of the Create Namespace heading, the Namespaces page shows the number of bytes used in all the namespaces owned by the tenant out of the hard quota for the tenant, along with a graphical representation of the amount of storage used.
62
2. In the list of namespaces, click on the name of the namespace you want. Roles: For you to view the namespace Overview panel, your user account must include the monitor, administrator, or compliance role. To return to the namespace Overview panel from other namespace panels, click on Overview in the row of tabs below the namespace name.
Namespace URL
The top of the namespace Overview panel shows the URL for access to the the namespace content. If the HTTP or HTTPS protocol is enabled for the namespace, this URL is a link that opens the Namespace Browser for the namespace. For information on the Namespace Browser, see Using a Namespace. A namespace URL has this format:
https://namespace-url-name.tenant-url-name.hcp-name.domain-name
For example, the URL for access to the content of the Accounts-Receivable namespace owned by the Finance tenant in the HCP system named hcp-ma.example.com is:
https://accounts-receivable.finance.hcp-ma.example.com
Note: If HTTPS is not enabled, the URL contains http instead of https. For information on enabling or disabling HTTP and HTTPS, see Configuring the HTTP protocol on page 6-25.
Objects section
The Objects section in the namespace Overview panel contains a graph showing the number of objects in the namespace during the past 30 days (or since the namespace was created if thats less than 30 days). Multiple versions of an object are each counted as a separate object.
63
The graph also shows the total number of indexed objects in the namespace during the past 30 days if the namespace is search enabled and either of these is true:
The HDDS search facility is enabled at the HCP system level and is
configured to show statistics. Note: For any period during which HCP cannot retrieve statistics from HDDS (for example, because the network connection is broken), the Objects graph shows the number of indexed objects as zero.
Usage section
The Usage section in the namespace Overview panel contains a graph showing information about the namespace storage during the past 30 days (or since the namespace was created if thats less than 30 days). The xaxis in the graph marks the passage of time. The y-axis marks the amount of storage in gigabytes or terabytes, depending on the namespace size. The graph heading indicates the current measurement unit (gigabytes (GB) or terabytes (TB)). The Usage graph shows:
Total storage capacity The hard quota for the namespace. For
information on the hard quota, see Storage quotas on page 2-2.
64
Ingested volume The total size of the stored data and custom
metadata before it was added to the namespace. This value tells you how much data you have stored. The graph legend shows the current value for each item. Below the Usage section, the Overview panel shows the date and time the Objects and Usage sections were last updated. To show the most current information in these sections, click on the Refresh Now link.
Namespace alerts
The Alerts section in the namespace Overview panel shows alerts that indicate namespace-related conditions that may require human intervention (for example, the namespace is running low on unused space). This section is visible only if alerts currently exist for the namespace.
65
Each alert is represented by an icon accompanied by descriptive text. For information on the alerts that can appear in the Alerts section, see Appendix A, Tenant Management Console alerts. If the Overview panel shows log messages instead of alerts, click on the Alerts tab to display the alerts. For information on the log message display, see Major namespace events above.
66
Creating a namespace
The DPL for the namespace. For more information on this, see Data
protection level on page 2-2.
Namespace description
The Description section in the namespace Overview panel shows the description of the namespace, if a description exists. For information on providing or modifying the description of the namespace, see Changing the namespace description on page 6-13.
Creating a namespace
You create namespaces in the Tenant Management Console. When you create a namespace, you set some of its properties. Other properties have default values, which you can then modify. For information on modifying namespace properties, see Configuring a namespace on page 6-11. Roles: For you to create a namespace, your user account must include the administrator role. Note: During failover to a replica thats an HCP release 4.1 system, you cannot create namespaces on the replica. However, if the replica is an earlier release of HCP, you can create namespaces on it.
67
Creating a namespace
To create a namespace: 1. In the top-level menu in the Tenant Management Console, click on Namespaces. 2. On the Namespaces page, click on Create Namespace. The Create Namespace panel opens. Below the Namespace Name field, this panel shows the number of namespaces the tenant currently owns and the number of additional namespaces currently available for the tenant to create. 3. In the Create Namespace panel:
In the Namespace Name field, type a name for the namespace. Namespace names must be from one through 63 characters long and can contain only alphanumeric characters and hyphens (-) but cannot start or end with a hyphen. The namespace name is used in the URL for access to the namespace. Namespace names are not case sensitive. The namespace name must be unique for the current tenant. Different tenants can have namespaces with the same name. You can change the namespace name any time after you create the namespace. However, when you change the name, the URL for the namespace may change as well. You can reuse namespace names that are not currently in use. So, for example, if you delete a namespace, you can give a new namespace the same name as the deleted namespace had.
Optionally, in the Description field, type a description of the namespace. The description can be up through 1,024 characters long and can contain any valid UTF-8 characters, including white space. In the DPL field, select the DPL for the namespace. The Dynamic option shows the current system-level DPL setting in parentheses. For information on DPL, see Data protection level on page 2-2. Important: Depending on the system configuration, setting the DPL to one (if allowed) without replicating the namespace can leave objects in the namespace unprotected. To find out whether objects are at risk with DPL one, contact your HCP system administrator.
68
Creating a namespace
In the Hash Algorithm field, select the cryptographic hash algorithm for the namespace. For information on namespace hash algorithms, see Cryptographic hash algorithm on page 2-3.
In the Hard Quota field, type the number of gigabytes or terabytes of storage to allocate to the namespace and select either GB or TB to indicate the measurement unit. Valid values are decimal numbers with up to two places after the period. The minimum is 1 (one) for GB and .01 for TB. Tip: To the right of the Hard Quota field, the panel shows the amount of space the tenant has already allocated to its namespaces and the amount of space it still has available to allocate. For more information on hard quotas, see Storage quotas on page 2-2.
In the Soft Quota field, type the percentage point at which you want HCP to notify the tenant that free storage space for the namespace is running low. Valid values are integers in the range ten through 95. For more information on soft quotas, see Storage quotas on page 2-2.
Under Retention, select either Enterprise or Compliance to set the retention mode for the namespace. The Compliance option is available only if the tenant is allowed to create namespaces in compliance mode. For information on retention mode, see Retention mode on page 2-3.
Under Replication, select On to replicate the namespace along with the tenant or Off to exclude it from replication. The Replication option is present only if the tenant is allowed to create namespaces with replication enabled. Note: Depending on current replication requirements, if the tenant is being replicated, this option may be selected automatically. In this case, you cannot deselect it. For information on replication, see Replication on page 2-11.
69
Creating a namespace
Under Versioning, select On to enable object versioning in the namespace or Off to disable it. The Versioning option is present only if the tenant is allowed to create namespaces with versioning enabled. When you select On, you can also enable version pruning:
To enable version pruning on the current system, select the Prune versions older than ... days option under Primary System and, in the field for that option, type the number of days old versions of objects must remain in the namespace before they are pruned. Valid values are integers in the range zero through 36,500 (that is, 100 years). A value of zero means prune immediately. To enable version pruning on a replica, select the Prune versions older than ... days option under Replica System, and, in the field for that option, type the number of days old versions of objects must remain in the namespace on the replica before they are pruned. Valid values are integers in the range zero through 36,500 (that is, 100 years).
Under Search, select On to enable search for the namespace or Off to disable search. The Search option is present only if the tenant is allowed to create namespaces with search enabled. For information on enabling and disabling search, see Managing search and indexing on page 6-27.
4. Click on the Create Namespace button. If the value in the DPL field is either 1 or Dynamic (1) and the Replication option is set to Off, a confirming message appears. In the window with the confirming message, select I understand to confirm that you understand the consequences of your action. Then click on the Create Namespace button.
610
Configuring a namespace
Configuring a namespace
You can change these properties of a namespace:
Name Permission mask Description Hard and soft quotas Default retention setting Default shred setting Default index setting Which custom metadata operations are allowed for objects under
retention
Whether custom metadata XML checking is enabled Whether object versioning is enabled and, if so, the amount of time to
keep old versions
Whether disposition is enabled Whether read from replica is enabled DPL setting Retention mode (only from enterprise to compliance) HTTP protocol configuration Whether search and indexing are enabled
You can also select or deselect a namespace to be included in replication of the tenant. For information on this, see Selecting or deselecting namespaces for replication on page 5-25.
611
Configuring a namespace
Roles: For you to change the name of a namespace, your user account must include the administrator role. To change the name of a namespace: 1. In the top-level menu in the Tenant Management Console, click on Namespaces. 2. In the list of namespaces, click on the name of the namespace you want. 3. In the namespace Overview panel, click on the Modify name link. 4. In the Modify Namespace Name window, type a new name for the namespace. 5. Click on the Update Name button.
612
Configuring a namespace
3. In the namespace Overview panel, click on the edit link for the Permissions section. The Console displays a set of checkboxes for the permissions. The permissions that are currently in the namespace permission mask are selected. 4. Select or deselect permissions as needed to modify the permission mask. Selecting Purge causes Delete to be selected automatically. Selecting Search causes Read to be selected automatically. 5. Click on the Submit button. For an introduction to permission masks, see Data access permission masks on page 2-9. For more information on the namespace permission mask, see Namespace permission mask on page 6-7.
613
Configuring a namespace
In the Hard Quota field, type the number of gigabytes or terabytes of storage to allocate to the namespace and select either GB or TB to indicate the measurement unit. Valid values are integers greater than or equal to one. In the Soft Quota field, type a new soft quota for the namespace. Valid values are integers in the range ten through 95.
4. Click on the Update Quota button. For more information on hard and soft quotas, see Storage quotas on page 2-2.
An offset from the time the object is created. You specify an offset as
numbers of years, months, and/or days. For example, you could specify an offset of two years. Then, an object added to the namespace on November 10, 2009, at 9:45 a.m. would expire on November 10, 2011, at 9:45 a.m.
614
Configuring a namespace
Initial Unspecified The object cannot be deleted, but can have its retention setting changed to any other retention setting.
A fixed date in the future. In this case, the retention period for the
object ends at the end of the specified day. Tip: If you specify a fixed date, remember to change the default retention setting again before that date occurs. Otherwise, the default retention setting reverts to Deletion Allowed when the specified date arrives. Roles: For you to view the default retention setting for a namespace, your user account must include the monitor, administrator, or compliance role. For you to change the default retention setting for a namespace, your user account must include the compliance role. To change the default retention setting for a namespace: 1. In the top-level menu in the Tenant Management Console, click on Namespaces. 2. In the list of namespaces, click on the name of the namespace you want. 3. In the row of tabs below the namespace name, click on Policies. 4. In the left side of the Policies panel, click on Retention.
615
Configuring a namespace
3. In the calendar window that opens, click on the date you want.
The date you select must be later than the current date. To display the next or previous month, click on the forward or back pointer, respectively, in the area showing the month and year. 6. Click on the Update Setting button. For more information on the default retention setting, see Default retention setting on page 2-5. For more information on retention settings in general, see Using a Namespace.
616
Configuring a namespace
617
Configuring a namespace
To change the default index setting for a namespace: 1. In the top-level menu in the Tenant Management Console, click on Namespaces. 2. In the list of namespaces, click on the name of the namespace you want. 3. In the row of tabs below the namespace name, click on Policies. 4. In the left side of the Policies panel, click on Indexing. 5. In the Indexing panel, select (to index) or deselect (not to index) the Index objects option. 6. Click on the Update Setting button. For more information on the default index setting, see Default index setting on page 2-6.
618
Configuring a namespace
To allow the addition, deletion, and replacement of custom metadata for objects under retention, select the Add, delete, and replace option. To allow only the addition of custom metadata for objects under retention, select the Add only option. To disallow all custom metadata operations for objects under retention, select the None option.
6. Click on the Update Setting button. For more information on the custom metadata handling, see Custom metadata operations for objects under retention on page 2-7. For more information on custom metadata in general, see Using a Namespace.
To enable custom metadata XML checking, select the Check on ingestion that XML in custom metadata files is well-formed option.
619
Configuring a namespace
To disable custom metadata XML checking, deselect the Check on ingestion that XML in custom metadata files is well-formed option.
6. Click on the Update Setting button. For more information on custom metadata XML checking, see XML checking for custom metadata on page 2-7.
620
Configuring a namespace
4. In the left side of the Policies panel, click on Versioning. 5. In the Versioning panel, do either of these:
To enable object versioning, select the Enable versioning option. Then, optionally:
To enable version pruning on the current system, select the Prune versions older than ... days option under Primary System and, in the field for that option, type the number of days old versions of objects must remain in the namespace before they are pruned. Valid values are integers in the range zero through 36,500 (that is, 100 years). A value of zero means prune immediately. To enable version pruning on a replica, select the Prune versions older than ... days option under Replica System and, in the field for that option, type the number of days old versions of objects must remain in the namespace on the replica before they are pruned. Valid values are integers in the range zero through 36,500 (that is, 100 years).
6. Click on the Update Settings button. For more information on object versioning, see Versioning on page 2-8.
621
Configuring a namespace
3. In the row of tabs below the namespace name, click on Services. 4. In the left side of the Services panel, click on Disposition. 5. In the Disposition panel, select or deselect the Enable disposition option to enable or disable disposition, respectively. 6. Click on the Update Setting button. For more information on disposition, see Disposition on page 2-9.
622
Configuring a namespace
To enable read from replica, select the Enable read from replica option. To disable read from replica, deselect the Enable read from replica option.
6. Click on the Update Settings button. For more information on read from replica, see Replication on page 2-11.
623
Configuring a namespace
5. In the DPL field, select the DPL you want. The Dynamic option shows the current system-level DPL setting in parentheses. Important: Setting the DPL to one without replication in effect for the namespace leaves objects in the namespace unprotected. 6. Click on the Update Setting button. If the value in the DPL field is either 1 or Dynamic (1), a confirming message appears. In the window with the confirming message, select I understand to confirm that you understand the consequences of your action. Then click on the Update Setting button. For more information on DPL, see Data protection level on page 2-2.
624
Configuring a namespace
2. In the list of namespaces, click on the name of the namespace you want. 3. In the row of tabs below the namespace name, click on Settings. 4. In the Settings panel, select the Compliance option. 5. Click on the Update Setting button. A confirming message appears. 6. In the window with the confirming message, select I understand to confirm that you understand the consequences of your action. Then click on the Update Setting button.
625
Configuring a namespace
To configure the HTTP protocol for a namespace: 1. In the top-level menu in the Tenant Management Console, click on Namespaces. 2. In the list of namespaces, click on the name of the namespace you want. 3. In the row of tabs below the namespace name, click on Protocols. 4. In the Protocols panel:
To enable the HTTP protocol without SSL security, select the Enable HTTP option. To enable and secure the HTTP protocol, select the Enable HTTPS option.
Then click on the Update Settings button. Note: The Enable HTTP and Enable HTTPS options are independent of each other. If you select both, users and applications can send both secure and unsecure data through the HTTP protocol.
Optionally, specify IP addresses to be allowed or denied HTTP access to the namespace. For instructions on doing this, see Adding and removing entries in Allow and Deny lists on page 5-12. To specify how HCP should handle IP addresses that appear in both or neither of the Allow and Deny lists, select or deselect the Allow request when same IP is used in both lists option. For the effects of this option, see Allow and Deny list handling on page 5-13.
626
Configuring a namespace
If the HDDS search facility is enabled when you enable search for a
namespace and the conditions described in Search and indexing on page 2-4 are true, HDDS automatically indexes the namespace. If you disable search for the namespace, the existing index for the namespace remains but is not maintained. If you subsequently reenable search, HDDS brings the index up to date and continues to maintain it.
If the HCP search facility is enabled when you enable search for a
namespace, HCP automatically indexes the namespace. If you disable search for the namespace, HCP deletes the search index. If you subsequently reenable search, HCP has to rebuild the index from the beginning. The amount of time required to rebuild the search index depends on the amount of data in the namespace. With a very large amount of data, this process can take several days. While the HCP search facility is enabled, you can pause and resume the indexing process for a search-enabled namespace. You can also restart indexing from a specified point or from the beginning. However, you should do this only if explicitly told to do so by your HCP system administrator.
627
Configuring a namespace
option. If you select the Objects modified after option, either type a date in the associated field or click on the calendar icon ( ) to select a date. If you type a date, use this format: mm/dd/yyyy
628
Monitoring a namespace
If you enter an invalid date using the correct date format, HCP tries to convert it to a real date. For example, if you enter 13/32/2010, HCP converts it to 02/01/2011.
b. Click on the Reindex Objects button.
If you selected the All objects option, a confirming message appears. In the window with the confirming message, select I understand to confirm that you understand the consequences of the action you chose. Then click on the Reindex Objects button. 2. If indexing was previously disabled, restart it, as described in Stopping or restarting HCP indexing above.
Monitoring a namespace
While the namespace Overview panel in the Tenant Management Console gives you a view of a namespace as a whole, these namespace views of the tenant log let you monitor namespace activity on a more detailed level:
629
Monitoring a namespace
630
Monitoring a namespace
3. In the row of tabs below the namespace name, click on Monitoring. 4. In the left side of the Monitoring panel, click on Compliance Events. For a description of the information provided by each log message, see Understanding log messages on page 5-18. For information on managing the message display, see Managing the message list on page 5-20. For information on retention classes, see Chapter 8, Working with retention classes. For information on privileged delete, see Chapter 9, Using privileged delete.
631
Deleting a namespace
You can delete irreparable objects from a namespace through normal delete operations as long as the objects are not under retention (or by using privileged delete if the objects are under retention). When you delete an object, HCP removes it from the list of irreparable objects. Note: Acknowledging that an object is irreparable does not delete the object from the namespace. By default, the objects in the Irreparable Objects panel are listed ten at a time in reverse chronological order by discovery time:
) or back (
To acknowledge one or more objects in the list of irreparable objects: 1. In the Irreparable Objects panel, individually select the objects you want to acknowledge, or click on the select all link to select all the unacknowledged objects on the current page. To undo all your selections, click on the deselect all link. 2. Click on the Acknowledge Selected button. Tip: To acknowledge all objects, whether selected or not, on all pages in a single operation, click on the Acknowledge All button. For information on deleting objects from namespaces, see Using a Namespace.
Deleting a namespace
You can delete an empty namespace (that is, a namespace that doesnt contain any objects). You cannot delete namespaces that are not empty. Note: If a tenant is currently selected for replication, you cannot delete any of its namespaces on the replica, regardless of whether or not the tenant on that system is currently read-only.
632
Deleting a namespace
Tips:
To empty a namespace, use HCP Data Migrator. With HCP-DM, you can
delete multiple directories and objects in a single job. For information on doing this, see Using HCP Data Migrator.
633
Deleting a namespace
634
7
Managing data access accounts
Data access accounts give users and applications access to namespaces. These accounts exist at the tenant level. They define credentials for namespace access and specify which operations the user or application can perform in each namespace owned by the tenant. This chapter describes data access accounts and provides instructions for creating, modifying, and deleting them.
71
View and retrieve objects, including object metadata View and retrieve previous versions of objects List directory contents View the retention classes defined for a namespace View namespace access permissions View statistics about namespace usage List namespaces that are accessible with the data access account
Store objects Modify object metadata (except retention hold) Add or replace custom metadata
Delete Lets users and applications delete objects and custom metadata. Purge Lets users and applications delete all versions of an object with a single operation. Purge operations also require delete permission.
72
Delete or purge objects that are under retention, provided that the data access account also includes the delete or purge permission for the applicable namespace Hold or release objects, provided that the data access account also includes the write permission for the applicable namespace
Search Lets users use the HCP metadata query API and the HCP Search Console, if search is supported, to query or search the applicable namespace. These operations also require read permission.
For each namespace, the account can grant none, one, or more of these permissions. Users and applications can perform the operations allowed by these permissions only if the effective permission mask for the target namespace also allows them. You can enable and disable data access accounts as needed. You might decide to disable an account, for example, while the user for whom you created it is on vacation. A tenant can have at most 100 data access accounts. Note: HCP logs failed namespace access attempts with a given username once an hour. This prevents repeated log messages in the case where an application specifies invalid credentials. The message thats logged indicates the number of failed attempts that occurred in the past hour.
73
The Data Access Accounts page lists the existing data access accounts defined for the current tenant. For each account, the list shows:
The username for the account The status of each account either Enabled or Disabled
To view more information about a listed data access account, click on the account username. This opens a panel in which you can both view and modify the account information.
In the Username field, type a username for the data access account. Usernames must be from one through 64 characters long and can contain any valid UTF-8 characters, including white space, but cannot start with an opening square bracket ([). Usernames are not case sensitive. The username for a data access account must be unique for the current tenant. Different tenants can have data access accounts with the same username. You can reuse usernames that are not currently in use. So, for example, if you delete a data access account, you can give a new account the same username as the deleted account had.
In the Password field, type a password for the data access account. Passwords can be up to 64 characters long, are case sensitive, and can contain any valid UTF-8 characters, including white space. The minimum password length is configurable. To be valid, a password must include at least one character from two of these three groups: alphabetic, numeric, and other.
74
For information on changing the minimum length for passwords, see Changing user account and login settings on page 4-11. Note: HCP does not save passwords in a recoverable format. If a user forgets his or her password, you need to assign a new one.
In the Confirm password field, type the password again. Optionally, in the Description field, type a description of the data access account. The description can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space. Optionally, deselect the Enable account option to have the data access account initially disabled. In the list of namespaces, for each namespace to which you want to allow access, select each permission you want to grant for the namespace. To select all the permissions for a namespace, click on the select all link for it. Selecting Purge causes Delete to be selected automatically. Selecting Search causes Read to be selected automatically. Note: Namespaces do not necessarily have all the features for which you can grant permissions. For example, you can grant the search permission for a namespace that does not have search enabled. Granting permission for a feature that is not present has no effect. However, if the feature is subsequently enabled, the permission becomes meaningful.
75
To modify an existing data access account: 1. In the top-level menu in the Tenant Management Console, click on Data Access Accounts. 2. In the list of data access accounts on the Data Access Accounts page, click on the username for the account you want. 3. In the panel that opens, make the changes you want. For information on the fields and options in this panel, see Creating a data access account above. 4. Click on the Update Access Account button.
76
8
Working with retention classes
Retention classes provide a means to consistently manage data that must remain in a namespace for a specific amount of time. For example, if local law requires that medical records be kept for a specified number of years, you can use a retention class to enforce that requirement. Retention classes are defined on a per-namespace basis. The classes you create for one namespace are not visible in any other namespace. You create retention classes in the Tenant Management Console. Users and applications can then use those classes as retention settings for objects. This chapter describes retention classes and explains how to create, modify, and delete them. For information on how users and applications use retention classes, see Using a Namespace.
81
An offset from the time the object is created. You specify an offset as
numbers of years, months, and/or days. For example, you could create a retention class named HlthReg-107 with an offset of 21 years. Then, all objects assigned HlthReg-107 as their retention setting could not be deleted for 21 years after theyre created.
The retention period for an object assigned to a retention class is calculated from the value of that class. So, for example, if an object stored on October 8, 2010, is assigned to a retention class with an offset value of one year, the retention period for that object expires on October 8, 2011. You can choose to have HCP automatically delete the objects assigned to a retention class when they expire. This applies only to retention classes with a value thats an offset. It does not apply to retention classes with special values.
82
Autodeletion of expired objects in retention classes occurs only if disposition is enabled. For information on disposition, see Disposition on page 2-9. Roles: For you to view retention classes, your user account must include the monitor, administrator, or compliance role. For you to create, modify, and delete retention classes, your user account must include the compliance role.
The retention class name. Whether the retention class value is an offset or a special value. The retention class value.
A value thats an offset has this format:
A+ny+nM+nd
In this format, y is the number of years, M is the number of months, and d is the number of days. Only the measurement units with nonzero values are shown. For example, an offset of two years and 5 days looks like this:
A+2y+5d
83
To view the description of a listed retention class, click on the class name.
In the Retention Class Name field, type a name for the retention class. Retention class names must be from one through 64 characters long and can contain only alphanumeric characters, hyphens (-), and underscores (_). These names are not case sensitive. Do one of these:
To make the retention class value an offset, in the Retention Method field, select Offset. Then do one or more of: In the Years field, type a number of years. Valid values are integers in the range zero through 9,999. In the Months field, type a number of months. Possible values are integers in the range zero through 9,999. In the Days field, type a number of days. Possible values are integers in the range zero through 9,999.
84
Optionally, in the Description field, type a description of the retention class. The description can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space. Optionally, select the Allow Disposition service to delete objects when expired option to have HCP automatically delete expired objects in the retention class. This option is present only when the retention method is offset.
From an offset to a larger offset From Deletion Allowed to an offset or Deletion Prohibited
If the namespace is in enterprise mode, you can decrease the value of a retention class at any time. These changes decrease the value:
From an offset to a smaller offset From an offset to Deletion Allowed From Deletion Prohibited to an offset or Deletion Allowed
If the value of a retention class is Initial Unspecified, you can change it to any other value at any time. You can change the value to Initial Unspecified only from Deletion Allowed. You can enable or disable the autodeletion feature at any time. You can also change the class description at any time. To modify an existing retention class: 1. In the top-level menu in the Tenant Management Console, click on Namespaces. 2. In the list of namespaces, click on the name of the namespace in which the retention class is defined. 3. In the row of tabs below the namespace name, click on Compliance.
85
4. In the left side of the Compliance panel, click on Retention Classes. 5. In the list of retention classes, click on the edit control ( retention class you want to modify. ) for the
6. In the Edit Retention Class window, make the changes you want. For information on the fields and options in this panel, see Creating a retention class above. 7. Click on the Update Settings button.
6. In response to the confirming message, click on the Delete Retention Class button.
86
9
Using privileged delete
Namespaces in enterprise mode support privileged delete operations. Users and applications with the applicable data access account permissions can perform these operations through the HTTP namespace access protocol and the Search Console. If your administrative user account includes the compliance role, you can perform these operations through the Tenant Management Console. This chapter describes the privileged delete feature and explains how to use the Tenant Management Console to perform privileged delete operations. For information on performing privileged delete operations through the HTTP protocol, see Using a Namespace. For information on performing these operations through the Search Console, see Searching Namespaces.
91
Object specification
With privileged delete, you can delete only one object at a time. To specify the object, you need to include the full path to it in its namespace (starting after rest). The path must begin with a forward slash (/). For example, to delete the Lee_Green_1254 object from the Corporate/Employees directory, you would specify:
/Corporate/Employees/Lee_Green_1254
Directory and object names are case sensitive. The separator is the forward slash (/).
92
Non-UTF-8 characters in directory and object names must be percent encoded. To avoid ambiguity, you should also percent-encode the characters listed in the table below.
Character
Space Tab New line Carriage return + % # ? & %20 %09 %0A %0D %2B %25 %23 %3F %26
Percent-encoded value
In the Object to Delete field, type the path to and name of the object you want to delete. For information on identifying objects for deletion, see Object specification above.
93
Optionally, select the Purge all versions of this object option to change the delete operation to a purge operation. In the Reason for Deletion field, type the reason for which youre deleting the object. This text must be from one through 1,024 characters long and can contain any valid UTF-8 characters, including white space.
94
10
Downloading HCP Data Migrator
HCP Data Migrator runs on both Windows and Unix clients. You download the applicable HCP-DM installation file from the Tenant Management Console. That file is then used to install HCP-DM on the client computers. This chapter describes the system requirements for running HCP-DM and contains instructions for downloading the applicable installation file. For an introduction to HCP-DM, see HCP Data Migrator on page 1-5. For information on installing and using HCP-DM, see Using HCP Data Migrator.
101
hcpdm.exe or hcpdm.zip
Roles: You can download an HCP-DM installation file while logged into the Tenant Management Console with any user account. To download the HCP-DM installation file you want to use, in the Tenant Management Console: 1. In the top right corner of the Console window, mouse over the tools icon ( ) to open a dropdown menu. 2. In the dropdown menu, click on the option for the HCP-DM installation file you want:
HCP-DM (Windows Installer) for hcpdm.exe HCP-DM (zip) for hcpdm.zip HCP-DM (tgz) for hcpdm.tgz
102
11
Installing the HCP client tools
The HCP client tools run on a variety of client platforms. The tools come as compiled executables for some platforms. They also come as source code that you can compile to run on other platforms. In either case, you need to download a client tools installation file from the Tenant Management Console. This chapter lists the platforms for which compiled executables are available and contains instructions for downloading the applicable installation file for either one of those platforms or the source code. For an introduction to the client tools, see HCP client tools on page 1-6. For information on installing and using the client tools, see Using the HCP Client Tools.
Installing the HCP client tools Managing a Tenant and Its Namespaces
111
Compiled-executable platforms
Compiled-executable platforms
The HCP client tools come as compiled executables for these client platforms:
Sun Solaris 10 SPARC Red Hat Enterprise Linux ES 5 IBM AIX 5.3 HP-UX 11i v3 (11.31) on PA-RISC
112
Installing the HCP client tools Managing a Tenant and Its Namespaces
A
Tenant Management Console alerts
The Tenant Management Console uses icons to report tenant and namespace status on the tenant Overview and Namespaces pages and on the namespace Overview panel. These icons, called alerts, are accompanied by text on the tenant Overview page and namespace Overview panel. On all pages on which they appear, alerts have text thats displayed when you mouse over them. This appendix describes the alerts that can appear on the Console pages and shows the mouse-over text for each alert. Where applicable, the appendix also tells you how to respond to the alerts.
A1
Alert text
Soft quota exceeded
Description
The amount of storage used by all namespaces owned by the tenant exceeds the soft quota configured for the tenant. Consider deleting some objects from the namespaces or requesting an increase in the hard quota for the tenant. The tenant owns one or more namespaces that have a DPL of one and are not being replicated. All HCP namespaces with a DPL of one should be replicated to ensure that the stored data is protected. If replication is not available, increase the DPL of the affected namespaces. The indicated namespace contains irreparable objects. Please contact your HCP system administrator. To see which objects are irreparable, open the Irreparable Objects panel for the namespace. For information on this panel, see Working with irreparable objects on page 6-31.
Irreparable objects
Alert text
Hard quota exceeded
Description
The amount of storage used by the namespace exceeds the hard quota configured for the namespace. Clients will not be able to add data to the namespace until either some existing objects are deleted or you increase the hard quota. The amount of storage used by the namespace exceeds the soft quota configured for the namespace. Consider deleting some objects from the namespace or increasing its hard quota. The namespace has a DPL of one and is not being replicated. All HCP namespaces with a DPL of one should be replicated to ensure that the stored data is protected. If replication is not available, increase the namespace DPL.
A2
Alert icon
Alert text
Irreparable objects found
Description
The namespace contains irreparable objects. Please contact your HCP system administrator. To see which objects are irreparable, open the Irreparable Objects panel for the namespace. For information on this panel, see Working with irreparable objects on page 6-31.
Alert text
Hard quota exceeded
Description
The amount of storage used by the namespace exceeds the hard quota configured for the namespace. Clients will not be able to add data to the namespace until either some existing objects are deleted or you increase the hard quota. The amount of storage used by the namespace exceeds the soft quota configured for the namespace. Consider deleting some objects from the namespace or increasing its hard quota. The namespace has a DPL of one and is not being replicated. All HCP namespaces with a DPL of one should be replicated to ensure that the stored data is protected. If replication is not available, increase the namespace DPL. The namespace contains irreparable objects. Please contact your HCP system administrator. To see which objects are irreparable, open the Irreparable Objects panel for the namespace. For information on this panel, see Working with irreparable objects on page 6-31.
Irreparable objects
A3
A4
B
Tenant log messages
The tenant log contains messages about events that happen at the tenant and namespace levels. The table in this appendix lists the messages HCP can write to the tenant log. The messages are listed in order by event ID. For each message, the table shows:
The event ID The short form of the message, which identifies the event to which the
message applies
An explanation of the message The action, if any, you should take in response to the message The message severity
For more information on the system log, see Monitoring the tenant on page 5-15.
B1
ID
2006 2028
Event
HCP found an irreparable object HCP found an irreparable object HCP found an irreparable object Object has been shredded Disposition service finished: run complete Disposition service stopped without finishing
Explanation
HCP found a broken object it could not repair. HCP was unable to repair the object. The repair may be retried at a later time. HCP found a broken object it could not repair. An object was shredded. The disposition service finished successfully. The disposition service stopped without completing its run. The service will resume at some point in the future. The disposition service finished successfully. The disposition service stopped without completing its run. The service will resume at some point in the future. The indicated namespaces were selected to be included in replication of the tenant. The indicated namespaces were removed from replication of the tenant.
Action
Contact your HCP system administrator. Contact your HCP system administrator. Contact your HCP system administrator. No action is required. No action is required. No action is required.
Severity
Error Error
2089 2090
Disposition service finished: run complete Disposition service stopped without finishing
Notice Warning
2154
Additional namespaces included in tenant replication One or more namespaces removed from tenant replication
No action is required.
Notice
2155
No action is required.
Notice
B2
(Continued)
ID
2156
Event
Replication automatically paused for this tenant
Explanation
Replication of the tenant was automatically paused for the indicated reason.
Action
If the cause is one or more namespace name collisions, rename each indicated namespace. If the cause is that the replica does not support the DPL of one or more namespaces, lower the DPL of each indicated namespace. Alternatively, in either case, you can deselect the namespace from being replicated. After you make the necessary changes, notify your HCP system administrator that the problem has been resolved. If the cause is one or more namespace name collisions, rename each indicated namespace. If the cause is that the replica does not support the DPL of one or more namespaces, lower the DPL of each indicated namespace. Alternatively, in either case, you can deselect the namespace from being replicated. After you make the necessary changes, notify your HCP system administrator that the problem has been resolved. Reenable indexing for the namespace to start rebuilding the search index. No action is required.
Severity
Error
2157
A namespace replication collision was detected, possibly requiring intervention from the tenant administrator.
Notice
2613
A user reset search indexing for a namespace, which has automatically disabled indexing. A user requested a privileged delete operation. A privileged delete operation succeeded.
Warning
2900
Notice
2901
No action is required.
Notice
B3
(Continued)
ID
2902 2903 2904 2905 2906 2907
Event
Privileged delete failed Retention class created Retention class modified Retention class deleted Retention mode set Privileged purge requested Privileged purge succeeded Privileged purge failed Namespace created Namespace updated Namespace deleted Data access account created Data access account updated Data access account deleted Data access account is disabled Data access account disabled Data access account enabled Data access account password changed
Explanation
A privileged delete operation failed. A user created a retention class. A user modified a retention class. A user deleted a retention class. The namespace retention mode has been changed. A user requested a privileged purge operation. A privileged purge operation succeeded. A privileged purge operation failed. A user created a namespace. A user updated a namespace. A user deleted a namespace. A user created a data access account. A user updated a data access account. A user deleted a data access account. A user tried to log in with a disabled data access account. A data access account has been disabled. A data access account has been enabled. A user changed the password for a data access account.
Action
No action is required. No action is required. No action is required. No action is required. No action is required. No action is required.
Severity
Notice Notice Notice Notice Notice Notice
No action is required. No action is required. No action is required. No action is required. No action is required. No action is required. No action is required. No action is required. Reenable the user account to allow the user to log in. No action is required. No action is required. No action is required.
B4
(Continued)
ID
3018
Event
Data access account failed login
Explanation
A user tried to log in with a username and password that are not valid for any data access account. A user tried to log into the Search Console with a username and password that are not valid for any data access account. The amount of storage used by the namespace exceeds the configured hard quota. The amount of storage used by the namespace is under the configured hard quota The amount of storage used by the namespace exceeds the configured soft quota. The amount of storage used by the namespace is under the configured soft quota. The amount of storage used by all namespaces owned by the tenant exceeds the soft quota configured for the tenant. The amount of storage used by all namespaces owned by the tenant is under the soft quota configured for the tenant. An attempt to log into a tenant failed because the data access account could not be authenticated. The number of namespaces is equal to the maximum allowed for this tenant.
Action
Have the user log in with a username and password that are valid for a data access account. Have the user log into the Search Console with a username and password for that are valid for a data access account. Delete some objects from the namespace or increase the hard quota. No action is required.
Severity
Warning
3019
Warning
3020
Warning
3021
Warning
3022
Consider deleting some objects from the namespace or increasing the hard quota for the namespace. No action is required.
Warning
3023
Warning
3024
Consider deleting some objects from the namespaces or requesting an increase in the hard quota for the tenant. No action is required.
Warning
3025
Warning
3028
No action is required.
Warning
3032
No action is required.
Warning
B5
(Continued)
ID
3033
Event
Tenant over namespace quota
Explanation
The number of namespaces is greater than the maximum allowed for this tenant. HCP found a broken object it could not repair. A user enabled or disabled search. A user enabled or disabled search indexing. HCP encountered an object it could not index. A user created a user account. A user modified a user account. A user deleted a user account. A user login to the Tenant Management Console was successfully authenticated. A user tried to log in with an unknown username. A disabled security user account has been automatically reenabled. A user tried to log in with a disabled account. A user tried to log in with an account that was disabled due to inactivity. A user tried to log in with an account that does not include a required role. A user tried to log in with an invalid password.
Action
Either delete one or more namespaces or have your HCP system administrator increase the namespace quota. Contact your HCP system administrator. No action is required. No action is required. Contact your HCP system administrator. No action is required. No action is required. No action is required. No action is required.
Severity
Warning
HCP found an irreparable object Search enabled or disabled Search indexing enabled or disabled Indexer failure User account created User account updated User account deleted User authenticated
4006
Authentication attempt by unknown user Account reenabled by timer Account is disabled Account has been inactive for too long Account does not include the required roles Password is invalid
Have the user log in with a valid username and password. No action is required.
Warning
4007
Notice
4008 4009
Reenable the user account to allow the user to log in. Reenable the user account to allow the user to log in. Modify the account to include the required role to allow the user to log in. Have the user log in with a valid username and password.
Warning Warning
4010
Warning
4011
Warning
B6
(Continued)
ID
4012
Event
Remote authentication server error
Explanation
The login for a remotely authenticated user failed due to of an error communicating with a RADIUS server. A user changed the password for a user account. A user account has been enabled. A user account has been disabled. A user account has been automatically disabled due to too many failed login attempts. A security user account will be reenabled automatically after a waiting period. A user login to the Search Console was successfully authenticated. A user changed a configuration value of an HCP component. A user changed a configuration value of an HCP component. A user acknowledged an irreparable object. A user acknowledged all irreparable objects. A user has requested an operation that is not authorized for the user account. A user created a data access account. A user updated a data access account.
Action
Contact your HCP system administrator.
Severity
Warning
4013
Password changed
No action is required.
Notice
Account enabled Account disabled Account disabled due to too many failed logins
No action is required. No action is required. Reenable the user account and have the user log in with a valid username and password. No action is required.
4017
Notice
4018
User authenticated
No action is required.
Notice
4019
Configuration changed
No action is required.
Notice
4020
Configuration changed
No action is required.
Notice
No action is required. No action is required. If the user should be allowed to perform this operation, add the required role to the user account. No action is required. No action is required.
4024 4025
Notice Notice
B7
(Continued)
ID
4026 4027
Event
Data access account deleted Data access account is disabled Data access account disabled due to too many failed logins Data access account disabled Data access account password changed Object replicated with collisions
Explanation
A user deleted a data access account. A user tried to log in with a disabled data access account. A data access account has been automatically disabled due to too many failed login attempts. A data access account has been disabled. A user changed the password for a data access account. An object being replicated conflicts with an existing object on the target system. The object has been stored in the .lost+found directory on the target system. An object was not replicated. An object was not replicated. Replication of the object will be retried later.
Action
No action is required. Reenable the data access account to allow the user to log in. Reenable the data access account to allow the account user to log in. No action is required. No action is required.
Severity
Notice Warning
4028
Warning
4029 4031
Notice Notice
4100
No action is required.
Warning
4101 4102
Object did not replicate Object did not replicate; will retry later
Contact your HCP system administrator. Monitor the replica to see whether this object is eventually replicated. If the object does not replicate within one week, contact your HCP system administrator.
Error Warning
B8
Glossary
A
access protocol
See namespace access protocol.
alert
A graphic that indicates the status of some particular element of an HCP system in the Tenant Management Console.
allow list
A list of IP addresses that are allowed access to the HCP system when using a particular external interface (such as the HTTP protocol).
arcfind
The HCP client tool used to generate a list of files that meet a set of specified criteria.
arcmkdir
The HCP client tool used to create empty directories in a local or remote file system or in the default namespace in an HCP system.
arcmv
The HCP client tool used to copy or move files from a location on a client computer or a namespace in an HCP system to another location on a client computer or another namespace.
Glossary1
Managing a Tenant and Its Namespaces
authentication
authentication
See namespace access authentication and user authentication.
C
chargeback report
A report that contains historical statistics about tenant or namespace capacity and bandwidth usage, broken out either by hour or by day.
client tools
See HCP client tools.
compliance mode
The retention mode in which objects under retention cannot be deleted through any mechanism. This is the more restrictive retention mode.
CSV file
See comma-separated-values (CSV) file.
custom metadata
One or more user-defined properties that provide descriptive information about an object. Custom metadata, which is normally specified as XML, enables future users and applications to understand and repurpose object content.
D
data access account
A set of credentials that give a user or application access to one or more HCP namespaces. For each namespace, the account specifies which operations the user or application can perform.
Glossary2
Managing a Tenant and Its Namespaces
enterprise mode
deny list
A list of IP addresses that are denied access to the HCP system when using a particular external interface (such as the HTTP protocol).
DNS
See domain name system (DNS).
domain
A group of computers and devices on a network that are administered as a unit.
DPL
See data protection level (DPL).
dynamic DPL
A namespace data protection level that, at any given time, matches the system-level DPL setting.
E
enterprise mode
The retention mode in which these operations are allowed:
Privileged delete
Glossary3
Managing a Tenant and Its Namespaces
expired object
Changing the retention class of an object to one with a shorter duration Reducing retention class duration Deleting retention classes
expired object
An object that is no longer under retention.
F
fixed-content data
A digital asset ingested into HCP and preserved in its original form as the core part of an object. Once stored, fixed-content data cannot be modified.
H
hard quota
For a tenant, the total amount of storage available to the tenant for allocation to its namespaces. For a namespace, the total amount of storage available for storing objects in the namespace.
hash value
See cryptographic hash value.
HCP
See Hitachi Content Platform (HCP).
Glossary4
Managing a Tenant and Its Namespaces
hold
HCP namespace
A namespace that requires user authentication for data access. An HCP system can have multiple HCP namespaces.
HCP service
See service.
HDDS
See Hitachi Data Discovery Suite (HDDS).
hold
A condition that prevents an object from being deleted by any means and from having its metadata modified, regardless of its retention setting, until it is explicitly released.
Glossary5
Managing a Tenant and Its Namespaces
HTTP
HTTP
Hypertext Transfer Protocol. The protocol HCP uses to provide access to the contents of a namespace. Additionally, the HCP Tenant Management and Search Consoles use HTTP to communicate with Console clients.
HTTPS
HTTP with SSL security. See HTTP and SSL.
I
index
See search index.
index setting
The property that specifies whether an object should be indexed.
L
local authentication
Authentication wherein HCP internally checks the validity of the specified username and password.
M
management API
See HCP management API.
metadata
System-generated and user-supplied information about an object. Metadata is stored as an integral part of the object it describes, thereby making the object self-describing.
Glossary6
Managing a Tenant and Its Namespaces
permission
N
namespace
A logical partition of the objects stored in an HCP system. A namespace consists of a grouping of objects such that the objects in one namespace are not visible in any other namespace. Namespaces are configured independently of each other and, therefore, can have different properties.
namespace quota
The number of namespaces HCP reserves for an HCP tenant out of the total number of namespaces the system can have.
O
object
An exact digital representation of data as it existed before it was ingested into HCP, together with the system and custom metadata that describes that data. An object is handled as a single unit by all transactions and services, including shredding, indexing, versioning, and replication.
object disposition
The automatic deletion of expired objects.
P
permission
One of these:
In a data access permission mask, the condition of allowing a specific type of operation to be performed in a namespace.
Glossary7
Managing a Tenant and Its Namespaces
permission mask
In a data access account, the granted ability to perform a specific type of operation in a given namespace. The granted ability to access the HCP Tenant Management Console and to perform a specific activity or set of activities in that Console.
permission mask
See data access permission mask.
policy
One or more settings that influence how transactions and services work on objects. Such a setting can be a property of an object, such as retention, or a property of a namespace, such as versioning.
privileged delete
A delete operation that works on objects regardless of their retention settings, except for objects on hold. This operation is available only to users and applications with explicit permission to perform it. Privileged delete operations work only in namespaces in enterprise mode.
privileged purge
The operation that deletes all versions of an object regardless of whether the object is under retention, except if the object is on hold. This operation is available only to users and applications with explicit permission to perform it. Privileged purge operations work only in namespaces in enterprise mode.
protocol
See namespace access protocol.
purge
The operation that deletes all versions of an object.
Q
query
A request submitted to HCP to return objects that satisfy a specified set of criteria. Also, to submit such a request.
Glossary8
Managing a Tenant and Its Namespaces
REST
query API
See metadata query API.
R
RADIUS
Remote Authentication Dial-In User Service. A protocol for authenticating credentials that authorize access to an IP network.
remote authentication
Authentication wherein HCP uses a remote service to check the validity of the specified username and password.
replica
The target system to which the replication service copies objects and other information from the primary system during replication.
replication
The process of keeping selected tenants and namespaces in two HCP systems in sync with each other. Basically, this entails copying object creations, deletions, and metadata changes from one system to the other. HCP also replicates tenant and namespace configuration, data access accounts, retention classes, all compliance log messages, and all HCP tenant log messages.
repository
The aggregate of the namespaces defined for an HCP system.
REST
Representational State Transfer. A software architectural style that defines a set of rules (called constraints) for client/server communication. In a REST architecture:
Resources (where a resource can be any coherent and meaningful concept) must be uniquely addressable. Representations of resources (for example, as XML) are transferred between clients and servers. Each representation communicates the current or intended state of a resource. Clients communicate with servers through a uniform interface (that is, a set of methods that resources respond to) such as HTTP.
Glossary9
Managing a Tenant and Its Namespaces
retention class
retention class
A named retention setting. The value of a retention class can be a duration, Deletion Allowed, Deletion Prohibited, or Initial Unspecified.
retention hold
See hold.
retention mode
A namespace property that affects which operations are allowed on objects under retention. A namespace can be in either of two retention modes: compliance or enterprise.
retention period
The period of time during which an object cannot be deleted (except by means of a privileged delete).
retention setting
The property that determines the retention period for an object.
role
A named collection of permissions that can be associated with an HCP user account, where each permission allows the user to perform some specific interaction or set of interactions with the HCP Tenant Management Console. Roles generally correspond to job functions.
S
Search Console
The web application that provides interactive access to the search functionality of the active search system.
search facility
An interface between the search functionality provided by a system such as HDDS or HCP and the HCP Search Console. Only one search facility can be enabled at any given time.
search index
An index of the metadata and key terms in namespace objects. The active search system builds, maintains, and stores this index.
Glossary10
Managing a Tenant and Its Namespaces
service
A background process that performs a specific function that contributes to the continuous tuning of the HCP system. In particular, services are responsible for optimizing the use of system resources and maintaining the integrity and availability of the data stored in the HCP repository.
shred setting
The property that determines whether a data object will be shredded or simply removed when its deleted from HCP.
shredding
The process of deleting a data object and overwriting the locations where its bytes were stored in such a way that none of its data or metadata can be reconstructed. Also called secure deletion.
SNMP
Simple Network Management Protocol. A protocol HCP uses to facilitate monitoring and management of the system through an external interface.
soft quota
The percentage point at which HCP notifies a tenant that allocated storage space is being used up. For a tenant, the soft quota measures the space used in all the namespaces the tenant owns relative to the hard quota for that tenant. For a namespace, the soft quota measures the space used in only that namespace relative to the hard quota for that namespace.
SSL
Secure Sockets Layer. A key-based Internet protocol for transmitting documents through an encrypted link.
syslog
A protocol used for forwarding log messages in an IP network. HCP uses syslog to facilitate system monitoring through an external interface.
Glossary11
Managing a Tenant and Its Namespaces
system metadata
system metadata
System-managed properties that describe the content of an object. System metadata includes policies, such as retention and data protection level, that influence how transactions and services affect the object.
T
tenant
An administrative entity created for the purpose of owning and managing namespaces and data access accounts. Tenants typically correspond to customers, business units, or individuals.
U
Unix
Any UNIX-like operating system (such as UNIX itself or Linux).
user account
A set of credentials that gives a user access to the Tenant Management Console and HCP management API.
user authentication
The process of checking that the combination of a specified username and password is valid when a user tries to log into the Tenant Management Console.
user role
See role.
Glossary12
Managing a Tenant and Its Namespaces
WORM
V
versioning
A feature that allows the creation and management of multiple versions of an object.
version pruning
The automatic deletion of previous versions of objects that are more than a specified amount of time old.
W
WORM
Write once, read many. A data storage property that protects the stored data from being modified or overwritten.
Glossary13
Managing a Tenant and Its Namespaces
WORM
Glossary14
Managing a Tenant and Its Namespaces
Index
Symbols
[internal] event initiator 5-18 [remote adminl] event initiator 5-19 [service] event initiator 5-19 default index setting 6-176-18 default retention setting 6-156-16 default shred setting 6-17 DPL setting 6-236-24 hard quota for namespaces 6-14 login settings 4-13 namespace descriptions 6-13 namespace names 6-12 namespace permission masks 6-126-13 passwords 3-7 retention class values 8-5 retention mode 6-246-25 soft quota for namespaces 6-14 tenant contact information 5-75-9 tenant description 5-95-10 tenant permission mask 5-9 Chargeback page 5-27 chargeback reports about 5-26 content 5-285-30 generating 5-27 HCP management API 5-27 sample 5-305-31 statistics collection 5-28 status of statistics 5-30 types 5-27 client tools about 1-6 downloading 11-2 platforms 11-2 compliance activities, performing 3-12 Compliance Events panel namespaces 6-306-31 tenant 5-18 compliance mode 2-3 See also retention mode compliance role 4-3
A
acknowledging irreparable objects 6-316-32 active search system 1-7 adding IP addresses to Allow/Deny lists 5-12 administrative user accounts See user accounts administrator role 4-3 alerts namespace 6-2, 6-56-6, A-2A-3 tenant 5-4, A-2 All Events panel namespaces 6-30 tenant 5-17 Allow lists adding IP addresses 5-12 deleting IP addresses 5-12 entries 5-12 HTTP protocol handling of 5-13 Search Console handling of 5-13 Tenant Management Console handling of 5-13 automatic deletion See disposition
B
backlog time, replication 5-24
C
Change Password page 3-7 changing See also configuring; modifying custom metadata operations allowed for objects under retention 6-186-19
Index1
Managing a Tenant and Its Namespaces
configuring
configuring See also changing; modifying; setting HTTP protocol 6-256-26 namespaces 6-11 tenant 5-7 Console login page 3-43-5 Console pages See also Tenant Management Console Change Password 3-7 Chargeback 5-27 Console Security 4-11, 5-11 Data Access Accounts 7-37-4 login 3-43-5 MAPI 5-135-14 Namespaces 6-2 Overview, tenant 5-25-6 refreshing 3-6 Replication 5-225-26 Search Security 5-145-15 SNMP 5-21 Syslog 5-205-21 Tenant Events 5-175-18 Users 4-7 Console Security page changing user account and login settings 4-11 controlling access to Tenant Management Console 5-11 contact information changing 5-75-9 viewing 5-55-6 Contact Information window 5-8 controlling access to Search Console 5-145-15 access to Tenant Management Console 5-11 HCP management API access 5-135-14 system-level administrative access to tenant 5-10 Create Data Access Account panel 7-47-5 Create Namespace panel 6-86-10 Create Retention Class panel 8-48-5 Create User Account panel 4-84-10 creating data access accounts 7-47-5 namespaces 3-9, 6-76-10 retention classes 8-48-5 user accounts 4-84-10 cryptographic hash algorithms about 2-3 setting 6-9 viewing 6-6 cryptographic hash values 2-3 current tenant 3-5 custom metadata about 1-2 operations allowed for objects under retention 2-7 operations allowed for objects under retention, changing 6-186-19 XML checking 2-72-8 XML checking, enabling/disabling 6-196-20
D
daily chargeback reports 5-27 data access accounts about 1-8, 7-27-3 creating 7-47-5 deleting 7-6 list 7-4 modifying 7-57-6 number of 5-3 Data Access Accounts page Create Data Access Account panel 7-47-5 data access account list 7-37-4 data access permission masks 2-92-11 See also namespace permission masks; tenant permission mask Data Migrator See HCP Data Migrator data protection level See DPL data transmission rate, replication 5-25 default index setting about 2-6 changing 6-176-18 default retention setting about 2-5 changing 6-156-16 valid values 6-146-15 default shred setting about 2-6 changing 6-17 delete permission in data access accounts 7-2 in data access permission masks 2-9 deleting data access accounts 7-6 IP addresses from Allow/Deny lists 5-12 irreparable objects 6-32 namespaces 6-326-33 objects under retention 9-29-4 retention classes 8-6 user accounts 4-11 Deletion Allowed 2-5, 6-15, 8-2 Deletion Prohibited 6-15, 8-2
Index2
Managing a Tenant and Its Namespaces
HCP
Deny lists adding IP addresses 5-12 deleting IP addresses 5-12 entries 5-12 HTTP protocol handling of 5-13 Search Console handling of 5-13 Tenant Management Console handling of 5-13 descriptions data access accounts 7-5 namespaces, changing 6-13 namespaces, specifying initially 6-8 namespaces, viewing 6-7 retention classes 8-5 tenant, changing 5-95-10 user accounts 4-10 deselecting namespaces for replication 5-25 5-26, 6-226-23 disabling custom metadata XML checking 6-196-20 disposition 6-216-22 HTTP access to namespaces 6-256-26 read from replica 6-226-23 replication for namespaces 6-9 search 6-10, 6-276-28 user accounts 4-2, 4-10 user accounts automatically 4-12 versioning for namespaces 6-10, 6-206-21 disposition about 2-9 with autodeletion of objects in retention classes 8-3 enabling/disabling 6-216-22 Disposition panel 6-22 documentation, viewing 3-6 downloading client tools 11-2 HCP Data Migrator 10-2 HCP documentation 3-6 DPL about 2-22-3 changing 6-236-24 dynamic 2-2 and replication 6-8, 6-24 setting 6-8 viewing 6-7 dynamic DPL 2-2 dynamic statistics 5-28 effective permission mask namespaces 6-7 tenant 5-6 enabling custom metadata XML checking 6-196-20 disposition 6-216-22 HTTP access to namespaces 6-256-26 read from replica 6-226-23 replication for namespaces 6-9 search 6-10, 6-276-28 user accounts 4-2, 4-10 versioning for namespaces 6-10, 6-206-21 enterprise mode 2-4 See also retention mode Error (event severity) 5-19 events See also log messages initiator 5-185-19 severity 5-19
F
failed logins to namespaces 7-3 failover 2-12 features namespaces 6-6 tenant 5-45-5 files hosts 3-33-4 objects stored for 1-2 fixed date as default retention setting 6-15 fixed-content storage system 1-2 forcing password changes 4-94-10, 4-12
G
generating chargeback reports 5-27
H
hard quota about 2-2 namespaces, changing 6-14 namespaces, setting initially 6-9 namespaces, viewing 6-2, 6-4 tenant, viewing 5-2, 6-2 hash algorithms See cryptographic hash algorithms hash values 2-3 HCP about 1-11-2 documentation 3-6 serial number 3-4 version 3-4
E
Edit Retention Class window 8-6 Edit User Account window 4-10
Index3
Managing a Tenant and Its Namespaces
L
local authentication 4-64-7 log messages about 5-185-20 descriptions B-1B-8 details 5-195-20 event severity 5-19 managing list of 5-20 sending to SNMP managers 5-21 sending to syslog servers 5-205-21 viewing 5-155-16 logging into Tenant Management Console 3-4 logging out of Tenant Management Console 3-8 login settings about 4-124-13 changing 4-13
M
Mac OS X hosts file 3-3 maintaining namespaces 3-93-10 tenant 3-9 major events See also log messages namespaces 6-5 tenant 5-35-4 managing namespace access 3-113-12 tenant log message list 5-20 user accounts 3-8 MAPI page 5-135-14 mappings, hostname 3-4 message text for Console login pages 4-13 metadata 1-2 Metadata panel 6-196-20 metadata query API 1-61-7 minimum length for passwords 4-12 Modify Namespace Name window 6-12 Modify Namespace Quota window 6-14
I
inactive user accounts 4-12 index settings about 2-6 default 2-6 indexing See also search; search index about 2-42-5 HCP search facility 6-27 HDDS search facility 6-27 restarting 6-286-29 setting checkpoint 6-286-29 stopping 6-28
Index4
Managing a Tenant and Its Namespaces
Namespaces page
modifying See also changing; configuring; setting data access accounts 7-57-6 retention classes 8-58-6 user accounts 4-10 monitor role 4-3 monitoring namespaces 3-103-11, 6-29 replication 5-22 tenant 3-103-11, 5-155-16 effective permissions 2-102-11 enabling/disabling custom metadata XML checking 6-196-20 enabling/disabling HTTP access to 6-256-26 enabling/disabling search 6-276-28 failed logins 7-3 features 6-6 hard quota 6-2, 6-4, 6-9 hard quota, changing 6-14 indexed object count 6-4 list 6-2 maintaining 3-93-10 major events 6-5 managing access to 3-113-12 monitoring 3-103-11, 6-29 name 6-8 names, changing 6-12 number of 5-2 object count 6-2, 6-36-4 permission mask 6-7 permission masks, changing 6-126-13 read from replica 2-12, 6-226-23 read-only 2-11 replication 2-122-13, 6-6, 6-9 retention mode 2-32-4, 6-6, 6-9, 6-24 6-25 search feature 6-6, 6-10 search index 2-42-5 selecting/deselecting for replication 5-25 5-26, 6-226-23 soft quota 6-9 soft quota, changing 6-14 statistics in chargeback reports 5-285-30 storage quotas 2-2 storage usage 6-2, 6-46-5 URLs 6-3 versioning 2-8, 6-6, 6-10, 6-206-21 Namespaces page alerts A-2A-3 changing namespace quotas 6-14 Create Namespace panel 6-86-10 Create Retention Class panel 8-48-5 deleting namespaces 6-33 namespace All Events panel 6-30 namespace Compliance Events panel 6-30 6-31 namespace Disposition panel 6-22 namespace Indexing panel 6-18 namespace Irreparable Objects panel 6-31 6-32 namespace list 6-2 namespace Metadata panel 6-196-20
N
names namespaces, about 6-8 namespaces, changing 6-12 retention classes 8-4 Namespace Browser 1-41-5 namespace permission masks See also data access permission masks about 2-10 changing 6-126-13 viewing 6-7 namespace quota 5-2 namespace-level view of replication 5-245-25 namespaces about 1-3 access to 1-4 alerts 6-2, 6-56-6, A-2A-3 all events 6-30 chargeback reports 5-26 compliance events 6-306-31 configuring 6-11 creating 3-9, 6-76-10 cryptographic hash algorithm 2-3, 6-6, 6-9 custom metadata allowed for objects under retention 2-7 custom metadata operations allowed for objects under retention, changing 6-18 6-19 custom metadata XML checking 2-72-8 default index setting 2-6 default index setting, changing 6-176-18 default retention setting 2-5 default retention setting, changing 6-15 6-16 default shred setting 2-6 default shred setting, changing 6-17 deleting 6-326-33 description 6-7, 6-8 description, changing 6-13 disposition 2-9, 6-216-22 DPL 2-22-3, 6-7, 6-8 DPL, changing 6-236-24
Index5
Managing a Tenant and Its Namespaces
O
object versioning See versioning objects about 1-2 hash value 2-3 index setting 2-6 indexed per tenant 5-3 list of irreparable 6-31 number of indexed over time 6-4 number of over time 6-36-4 number of per namespace 6-2 number of per tenant 5-3 retention setting 2-3, 2-5 shred setting 2-6 specifying for privileged delete 9-29-3 versions 1-2 operation rate, replication 5-25 Overview page, tenant alerts A-2 changing tenant contact information 5-75-8 changing tenant descriptions 5-10 changing tenant permission masks 5-9 granting/denying system-level administrative access 5-10 understanding 5-25-6 Overview panel, namespace alerts A-3 changing namespace descriptions 6-13 changing namespace names 6-12 changing namespace permission masks 6-13 understanding 6-26-7
Q
query API 1-61-7 quotas See hard quota; namespace quota; soft quota
R
read from replica about 2-12 enabling/disabling 6-226-23 read permission in data access accounts 7-2 in data access permission masks 2-9 read-only tenants 5-4 refreshing Console pages 3-6 remote authentication 4-64-7 replica about 2-11 version pruning 2-8 replication about 2-112-13 backlog time 5-24 data transmission rate 5-25 and DPL 6-8, 6-24
P
passwords changing your own 3-5, 3-7 data access accounts 7-47-5 forcing changes 4-94-10, 4-12
Index6
Managing a Tenant and Its Namespaces
stopping indexing
failover 2-12 monitoring 5-22 namespace-level view 5-245-25 namespaces 6-6 namespaces, enabling/disabling for 6-9 operation rate 5-25 selecting/deselecting namespaces for 5-25 5-26, 6-226-23 tenant eligibility 5-5 tenant-level view 5-225-23 Replication page 5-225-26 Replication panel 6-226-23 reports, chargeback 5-265-31 responsibilities, tenant administrator 3-83-12 restarting indexing 6-286-29 retention classes about 8-18-3 automatically deleting expired objects in 8-28-3 creating 8-48-5 deleting 8-6 description 8-5 list 8-38-4 modifying 8-58-6 name 8-4 Retention Classes panel 8-38-4 retention mode about 2-32-4 changing 6-246-25 selection 5-4 setting initially 6-9 viewing 6-6 Retention panel custom metadata operations allowed for objects under retention 6-19 default retention setting 6-16 retention periods 2-3 retention settings about 2-3 default 2-5 roles 4-24-3 search facilities 1-71-8 See also HCP search facility; HDDS search facility search index See also indexing; search about 2-42-5 objects included in 2-6 Search panel 6-276-29 search permission in data access accounts 7-3 in data access permission masks 2-10 Search Security page 5-145-15 secure deletion 2-6 Security Events panel 5-175-18 security role 4-3 selecting namespaces for replication 5-255-26, 6-226-23 serial number 3-4 session timeout 4-12 setting See also changing; configuring; modifying cryptographic hash algorithm 6-9 DPL 6-8 hard quota for namespaces 6-9 indexing checkpoint 6-286-29 retention mode 6-9 soft quota for namespaces 6-9 Settings panel 6-25 severity, events 5-19 shortcut keys 3-5 shred setting, default 2-6 shredding 2-6 See also default shred setting Shredding panel 6-17 SNMP logging 5-21 SNMP page 5-21 soft quota about 2-2 namespaces, changing 6-14 namespaces, setting for 6-9 specifying days for version pruning 6-10, 6-21 namespace descriptions 6-8 objects for privileged delete 9-29-3 starter account 4-7 statistics in chargeback reports 5-285-30 collection for chargeback reports 5-28 dynamic 5-28 point in time 5-28 status in chargeback reports 5-30 statistics, tenant 5-25-3 stopping indexing 6-28
S
search See also indexing; search index enabling/disabling 6-10, 6-276-28 namespace feature 6-6 tenant feature 5-5 Search Console about 1-7 Allow/Deny list handling 5-13 controlling access to 5-145-15 login page message text 4-13
Index7
Managing a Tenant and Its Namespaces
storage
storage amount used per object 2-3 namespace usage 6-2, 6-46-5 tenant usage 5-2 submitting changes in Tenant Management Console 3-6 syslog logging 5-205-21 Syslog page 5-205-21 system metadata 1-2 system-level administrative access to tenant about 2-13 controlling 5-10 systemwide permission mask 2-10 configuring 5-7 contact information 5-55-6, 5-75-9 current 3-5 description 5-6, 5-95-10 effective permissions 2-10 features 5-45-5 hard quota 5-2, 6-2 maintaining 3-9 major events 5-35-4 monitoring 3-103-11, 5-155-16 namespace quota 5-2 permission mask 5-6, 5-9 read-only 5-4 replication 2-122-13, 5-5 search support 5-5 security events 5-175-18 statistics 5-25-3 statistics in chargeback reports 5-285-30 storage quotas 2-2 system-level administrative access to 2-13, 5-10 versioning 5-5 text for Console login pages 4-13 transfer rate, replication 5-25
T
tenant administrators responsibilities 3-83-12 roles 4-3 Tenant Events page All Events panel 5-17 Compliance Events panel 5-18 Security Events panel 5-175-18 tenant log 5-155-16 See also log messages; Tenant Events page Tenant Management Console See also Console pages about 3-2 Allow/Deny list handling 5-13 controlling access to 5-11 logging in 3-4, 4-6 logging out 3-8 login page message text 4-13 session timeout 4-12 sessions 3-2 starter account 4-7 submitting changes 3-6 system-level administrative access to 3-2 tenant description on 5-6 URL 3-3 user accounts 4-24-7 using 3-5 tenant permission mask See also data access permission masks about 2-10 changing 5-9 viewing 5-6 tenant-level view of replication 5-225-23 tenants about 1-3 administrator responsibilities 3-83-12 alerts 5-4, A-2 all events 5-17 compliance events 5-18
U
Unix hosts file 3-3 URLs namespaces 6-3 Tenant Management Console 3-3 user accounts about 3-2, 4-2 creating 4-84-10 deleting 4-11 disabling automatically 4-12 enabling/disabling 4-2, 4-10 inactive 4-12 list 4-8 managing 3-8 modifying 4-10 number of 5-3 starter 4-7 user IDs 4-8 user authentication 4-64-7 user IDs 4-8 user roles about 4-24-3 permissions granted by 4-34-6 usernames data access accounts 7-4 user accounts 4-84-9 Users page 4-7 using Tenant Management Console 3-5
Index8
Managing a Tenant and Its Namespaces
V
version pruning See versioning version, HCP 3-4 versioning about 1-2, 2-8, 6-20 enabling/disabling for namespaces 6-20 6-21 namespace feature 6-6 namespaces, enabling/disabling for 6-10 privileged purge 9-2 specifying days for pruning 6-21 tenant feature 5-5 version pruning 2-8, 6-10 Versioning panel 6-21 viewing all namespace events 6-30 all tenant events 5-17 HCP documentation 3-6 irreparable objects 6-31 namespace compliance events 6-306-31 namespace descriptions 6-7 namespace permission mask 6-7 namespace retention mode 6-6 tenant compliance events 5-18 tenant contact information 5-55-6 tenant description 5-6 tenant permission mask 5-6 tenant security events 5-175-18 volume, ingested 6-5
W
Warning (event severity) 5-19 Windows hosts file 3-3 WORM 1-2 write permission in data access accounts 7-2 in data access permission masks 2-9
X
XML checking for custom metadata about 2-72-8 enabling/disabling 6-196-20
Index9
Managing a Tenant and Its Namespaces
Index10
Managing a Tenant and Its Namespaces
Hitachi Data Systems Corporate Headquarters 750 Central Expressway Santa Clara, California 95050-2627 U.S.A. Phone: 1 408 970 1000 www.hds.com info@hds.com Asia Pacific and Americas 750 Central Expressway Santa Clara, California 95050-2627 U.S.A. Phone: 1 408 970 1000 info@hds.com Europe Headquarters Sefton Park Stoke Poges Buckinghamshire SL2 4HD United Kingdom Phone: + 44 (0)1753 618000 info.eu@hds.com
MK-99ARC025-04