Wednesday, 28 May 2014

Generating SAN SSL certs for CDOT using 2008 AD CS

SAN = Subject Alternative Name

The following post runs through getting SAN certificates for use with Clustered ONTAP. The lab environment has Clustered Data ONTAP 8.2.1 and a Windows 2008R2 AD CS Root CA.

What SAN Names do we want in our SSL Certificate

To make life nice and easy, we’ll just request one SAN certificate for the entire cluster, with everything we could possibly require in.

We have a simple single node cluster, with the following LIFs:

NACLU1::> net int show -field address
vserver  lif          address
-------  ------------ ------------
NACLU1   cluster_mgmt 10.10.10.110
NACLU1N1 mgmt1        10.10.10.111
NACLU1N1 rep1         10.10.10.121
NASVM1   data1        10.10.10.131
NASVM1   data2        10.10.10.132

In DNS we have the following Forward Lookup Host (A) entries. In this example, NASVM1.lab.priv has 2 entries in DNS for round-robin load-balancing.

Name                   Data         ReverseDNS?
---------------------- ------------ -----------
NACLU1.lab.priv        10.10.10.110 Yes
NACLU1N1.lab.priv      10.10.10.111 Yes
NACLU1N1-rep1.lab.priv 10.10.10.121 Yes
NASVM1.lab.priv        10.10.10.131 No
NASVM1.lab.priv        10.10.10.132 No
NASVM1-data1.lab.priv  10.10.10.131 Yes
NASVM1-data2.lab.priv  10.10.10.132 Yes

How to Create the Certificate Signing Request for CDOT

Run the command:

NACLU1::> security certificate generate-csr -common-name NACLU1.lab.priv -size 2048 -country US -state "" -locality "" -organization "" -unit "" -email-addr "it@lab.priv" -hash-function SHA256

Here the common-name is NACLU1.lab.priv (the cluster FQDN, with the NETBIOS name in capitals; it doesn’t really matter what the common-name is, since we’re going to append SAN names to it). The other switches are specific to your organization.

An abridged output of the command is below:

Certificate Signing Request :
-----BEGIN CERTIFICATE REQUEST-----
MIICtDCCAZwCAQAwbzEYMBYGA1UEAxMPTkFDTFUxLmxhYi5wcml2MQswCQYDVQQG
...
z+AV+ZyhKSywDNof7Cm6Fa/O8OpLPgHr
-----END CERTIFICATE REQUEST-----

Private Key :
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAsXJsTx08SEI1+PjGTQvud7F0fxN49GXCw3HNQeLTCEj4VCcM
...
7WEw8Q1Gib8nP/2Axag5u+/w8rAuAqg7nC7ZwUAXdyJkFfmNDE4F
-----END RSA PRIVATE KEY-----

Note: Please keep a copy of your certificate request and private key for future reference.

It is important to record this output. The ‘CERTIFICATE REQUEST’ section will be provided to the Certification Authority for generation of the SSL cert. The ‘RSA PRIVATE KEY’ section will be used later when installing the certificate. Note: You will only see the complete output one time - if you later run ‘security certificate generate-csr show’ it actually creates a new CSR under the common-name ‘show’.

Copy the contents between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- into a text file and save it as, say, CLUSTER.CSR.

Generating the SAN Certificate with 2008 R2 AD CS

Configure the CA to issue SAN certificates using the following command in the DOS prompt on the CA (if not already done) and restart the CA service:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Then the following command will read the CLUSTER.CSR file as prepared earlier and add all SAN extensions to it, then output the SAN certificate as CLUSTER.CER:

certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=naclu1&DNS=naclu1.lab.priv&DNS=10.10.10.110&IPAddress=10.10.10.110&DNS=naclu1n1&DNS=naclu1n1.lab.priv&DNS=naclu1n1-rep1&DNS=naclu1n1-rep1.lab.priv&DNS=nasvm1&DNS=nasvm1.lab.priv&DNS=nasvm1-data1&DNS=nasvm1-data1.lab.priv&DNS=nasvm1-data2&DNS=nasvm1-data2.lab.priv" CLUSTER.CSR CLUSTER.CER

The above goes overboard in specifying every single DNS and NETBIOS entry used by the cluster for the SAN cert (plus the cluster management IP address, since accessing logs via https://CLUSTERNAME/SPI redirects to https://CLUSTERIP/...). For the purposes of OCUM connections to the cluster management address, SPI, and logs via the node address, the following is totally sufficient:

certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=naclu1&DNS=naclu1.lab.priv&DNS=10.10.10.110&IPAddress=10.10.10.110&DNS=naclu1n1&DNS=naclu1n1.lab.priv" CLUSTER.CSR CLUSTER.CER

Note 1: IE requires IP Addresses after DNS=, other browsers after IPAddress=, which explains the cluster management IP address being in there twice.
Note 2: If you’re having problems inputting the above, and have copied from this post, check the formatting of the dash and quotation marks especially (delete and retype in DOS.)
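
One way to build the -attrib string from the host inventory rather than typing it by hand, and to catch the curly quotes and dashes that Note 2 warns about. This is an added example, not part of the original post; the inventory layout and the function names New-SanAttribute, Find-NonAsciiChar and Test-CaRequestSanFlag are assumptions made for illustration.

```powershell
# Added example, not from the original post. Host rows are taken from the
# DNS table above; IncludeIp marks addresses that browsers reach directly.
$Inventory = @(
    @{ Fqdn = 'NACLU1.lab.priv';   Ip = '10.10.10.110'; IncludeIp = $true  },
    @{ Fqdn = 'NACLU1N1.lab.priv'; Ip = '10.10.10.111'; IncludeIp = $false }
)

function New-SanAttribute {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Nodes,
        [string] $Template = 'WebServer'
    )
    $entries = New-Object System.Collections.ArrayList
    foreach ($n in $Nodes) {
        $fqdn  = $n.Fqdn.ToLowerInvariant()
        $short = $fqdn.Split('.')[0]
        $candidates = @("DNS=$short", "DNS=$fqdn")
        if ($n.IncludeIp) {
            # Note 1: IE matches an IP under DNS=, other browsers under IPAddress=.
            $candidates += "DNS=$($n.Ip)", "IPAddress=$($n.Ip)"
        }
        foreach ($c in $candidates) {
            if (-not $entries.Contains($c)) { [void] $entries.Add($c) }
        }
    }
    # certreq wants a literal backslash-n between attributes; PowerShell does
    # not treat \n as an escape, so it reaches certreq unchanged.
    return ('CertificateTemplate:{0}\nSAN:{1}' -f $Template, ($entries.ToArray() -join '&'))
}

function Find-NonAsciiChar {
    # Lists characters outside printable ASCII (typographic quotes, en dashes)
    # that a copy and paste from a web page can introduce.
    param([Parameter(Mandatory = $true)] [string] $Text)
    $hits = @()
    for ($i = 0; $i -lt $Text.Length; $i++) {
        $code = [int] ($Text[$i])
        if ($code -gt 126 -or $code -lt 32) {
            $hits += ('position {0}: U+{1:X4}' -f $i, $code)
        }
    }
    return $hits
}

function Test-CaRequestSanFlag {
    # Assumption: run on the CA itself. certutil lists only the EditFlags that
    # are set. While this one is set, the CA copies SAN values from request
    # attributes into the certificates it issues, so record its state.
    $out = & certutil.exe -getreg 'policy\EditFlags' 2>&1 | Out-String
    return ($out -match 'EDITF_ATTRIBUTESUBJECTALTNAME2')
}

$attrib = New-SanAttribute -Nodes $Inventory
$attrib

# Constructed sample: a pasted command whose closing quote became U+201D.
$pasted = 'certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=naclu1' +
          [char]0x201D + ' CLUSTER.CSR CLUSTER.CER'
Find-NonAsciiChar -Text $pasted

# Submit only when the CSR from the earlier step is in the current folder.
if ((Test-Path .\CLUSTER.CSR) -and (Get-Command certreq.exe -ErrorAction SilentlyContinue)) {
    if (Test-CaRequestSanFlag) {
        & certreq.exe -attrib $attrib CLUSTER.CSR CLUSTER.CER
    } else {
        Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set on this CA.'
    }
}
```

With the two inventory rows shown, the generated string matches the shorter certreq attribute given above.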

Installing the Certificate in CDOT

Run the command:

NACLU1::> security certificate install -vserver NACLU1 -type server

As prompted, copy and paste in the certificate as contained in the CLUSTER.CER file, and the private key obtained from generating the CSR earlier.

Then run the following commands to apply the SSL certificate to the Cluster (Admin) Vserver:

NACLU1::> security certificate show -vserver NACLU1
NACLU1::> ssl show -vserver NACLU1
NACLU1::> ssl modify -vserver NACLU1 -ca lab-MSCSA1-CA -serial 6167DD8400000000000B -common-name NACLU1.lab.priv

Repeat for the node and data SVMs as required.

Testing the SSL Certificate in CDOT

Test over https://CLUSTER_NETBIOS/spi.

Image: No certificate error to https://naclu1/spi

Test over the SPI to logs.

Image: No certificate error to https://10.10.10.110/...

Check the SSL Certificate to see the Subject Alternative Name entries.

Image: SAN Entries including IP Address
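
The same check done in PowerShell instead of the certificate dialog, comparing the SAN entries in the issued certificate with the names that were requested. This is an added example, not part of the original post; the function names are illustrative, and the "DNS Name=" / "IP Address=" labels assume an English-language Windows build.

```powershell
# Added example, not from the original post.

function Get-CertificateSanText {
    # Returns the Subject Alternative Name extension (OID 2.5.29.17) as text.
    param([Parameter(Mandatory = $true)] [string] $Path)
    $full = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') { return $ext.Format($true) }
    }
    return ''
}

function Get-SanEntry {
    # Converts the formatted extension text into the DNS= / IPAddress= tokens
    # used in the certreq attribute string.
    param([Parameter(Mandatory = $true)] [string] $FormattedSan)
    $result = @()
    foreach ($line in ($FormattedSan -split "[\r\n,]+")) {
        $t = $line.Trim()
        if ($t -match '^DNS Name=(.+)$') {
            $result += 'DNS=' + $Matches[1].ToLowerInvariant()
        } elseif ($t -match '^IP Address=(.+)$') {
            $result += 'IPAddress=' + $Matches[1]
        }
    }
    return $result
}

function Compare-San {
    # Missing: requested but absent from the certificate.
    # Extra:   present in the certificate but never requested.
    param([string[]] $Expected, [string[]] $Actual)
    $missing = @($Expected | Where-Object { $Actual -notcontains $_ })
    $extra   = @($Actual   | Where-Object { $Expected -notcontains $_ })
    New-Object PSObject -Property @{ Missing = $missing; Extra = $extra }
}

# Constructed sample of the extension text for a certificate issued from the
# shorter request above; used when CLUSTER.CER is not in the current folder.
$sample = @"
DNS Name=naclu1
DNS Name=naclu1.lab.priv
DNS Name=10.10.10.110
IP Address=10.10.10.110
DNS Name=naclu1n1
DNS Name=naclu1n1.lab.priv
"@

if (Test-Path .\CLUSTER.CER) {
    $text = Get-CertificateSanText -Path .\CLUSTER.CER
} else {
    $text = $sample
}

# Names the clients will actually use. nasvm1.lab.priv is included on purpose
# to show how a name left out of the request is reported.
$expected = @(
    'DNS=naclu1', 'DNS=naclu1.lab.priv', 'DNS=10.10.10.110',
    'IPAddress=10.10.10.110', 'DNS=naclu1n1', 'DNS=naclu1n1.lab.priv',
    'DNS=nasvm1.lab.priv'
)

Compare-San -Expected $expected -Actual (Get-SanEntry -FormattedSan $text)
```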

THE END

Sunday, 25 May 2014

2008R2 ADCSCAWE: Fixing ‘Error “DEFAULT WEB SITE/CERTSRV” ... default document is not configured...’

Scenario

We have a Windows Server 2008R2 SP1 Enterprise Member server, with just the role: role service -

Active Directory Certificate Services: Certification Authority

Image: AD CS with Certification Authority Role Service Only

We install -

Active Directory Certificate Services: Certification Authority Web Enrollment

- using the ‘Add Role Services’ wizard and default selections, to install the ‘Web Server (IIS)’ role and required services.

Image: Add Role Services

In ‘Internet Information Services (IIS) Manager’ we see the web application ‘CertSrv’ and virtual directories - ‘CertEnroll’ and ‘en-US’.

Image: IIS Manager showing CertSrv and Folders

But when we go to http://localhost/certsrv we encounter the error:

Server Error Application “DEFAULT WEB SITE/CERTSRV”
HTTP Error 403.14 - Forbidden
Most likely causes: A default document is not configured...

Resolution

The fix came from a comment by Rexif in this Microsoft Technet Forum Question - thanks Rexif (or should I say Fixer...) Essentially - for some reason - the install has put the code in the wrong directory!

1) Stop the Default Web Site
2) Copy all the contents from C:\Windows\system32\CertSrv\en-US and paste in C:\Windows\system32\CertSrv
3) Open the file ‘default.asp’ from C:\Windows\system32\CertSrv in Notepad and edit the line that includes -

#include FILE="..\certdat.inc"

- to be:

#include FILE="certdat.inc"

Image: Edited CertSrv default.asp file

4) Start the Default Web Site

Internet Explorer Settings for AD CS CA Web Enrollment

We can now connect to http://localhost/certsrv

Image: IE10 Web Browser not Supporting Generation of Certificate Requests

If you’re using Internet Explorer 10, you might get the error:

This Web browser does not support the generation of certificate requests.

If so then, from the Tools menu, click on ‘F12 developer tools’.
From the ‘Developer Tools’ panel at the bottom of IE10, click on Browser Mode and Internet Explorer 10 Compatibility View:

Image: IE10 Developer Tools with IE10 Compatibility View Selected

Now the AD CS CA Web Enrollment site works!

THE END ... not quite!

The above gets http://localhost/certsrv working (it uses the default.asp which we’ve edited), unfortunately, to get the whole site to work, every ASP file has got to be edited similarly. Sort the contents of C:\Windows\System32\CertSrv by type, and make the change to the FILE path for certdat.inc in each file.

Image: ASP Files in CertSrv Folder
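
The per-file edit described above can be scripted. This is an added example, not part of the original post; the function name Update-CertSrvInclude and the demo file contents are constructed for illustration, and it touches only the certdat.inc include shown earlier.

```powershell
# Added example, not from the original post.

function Update-CertSrvInclude {
    param(
        [Parameter(Mandatory = $true)] [string] $Folder,
        [switch] $ReportOnly   # list affected files without changing them
    )
    # Latin-1 maps bytes to characters one-to-one, so a read/write round trip
    # leaves every byte outside the edited include untouched.
    $latin1  = [System.Text.Encoding]::GetEncoding(28591)
    $pattern = '(#include\s+FILE\s*=\s*")\.\.\\(certdat\.inc")'
    $files   = Get-ChildItem -Path $Folder -Filter *.asp |
               Where-Object { $_.Extension -eq '.asp' }
    foreach ($file in $files) {
        $text = [System.IO.File]::ReadAllText($file.FullName, $latin1)
        $hits = [regex]::Matches($text, $pattern, 'IgnoreCase').Count
        if ($hits -gt 0 -and -not $ReportOnly) {
            # Keep the original next to the edited file before rewriting it.
            Copy-Item -Path $file.FullName -Destination ($file.FullName + '.bak')
            $fixed = [regex]::Replace($text, $pattern, '$1$2', 'IgnoreCase')
            [System.IO.File]::WriteAllText($file.FullName, $fixed, $latin1)
        }
        New-Object PSObject -Property @{ File = $file.Name; IncludesFound = $hits }
    }
}

# Demonstration on constructed files in a temporary folder.
$demo = Join-Path $env:TEMP 'certsrv-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'default.asp') -Value '<!-- #include FILE="..\certdat.inc" -->'
Set-Content -Path (Join-Path $demo 'already-fixed.asp') -Value '<!-- #include FILE="certdat.inc" -->'

Update-CertSrvInclude -Folder $demo
Get-Content (Join-Path $demo 'default.asp')
```

For the real folder, stop the Default Web Site first and run Update-CertSrvInclude -Folder C:\Windows\System32\CertSrv from an elevated prompt; adding -ReportOnly shows which files would change.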

OnCommand Workflow Automation 2.2 - Quick Upgrade Guide

The following notes were taken whilst upgrading my lab WFA 2.2RC1 box to WFA 2.2GA. The notes apply pretty much to any upgrade from WFA 2.0/2.X to 2.X (pre 2.0 WFA must be upgraded to 2.0 first.)

Part 1) Backup the WFA Database

A WFA user with the role admin or backup can do this.

Image: WFA User Roles

Method 1: Using the Web Portal

Log in to the WFA web portal (i.e. https://WFASERVER)

Click Administration
Click Backup & Restore

Image: WFA Backup & Restore

Click Backup
And save the file to an accessible location (example filename - WFA_V2.2.0.2.4RC1_B2298704_05_25_14__11_08_22.sql.gz).

Image: WFA Backup

Method 2: Using PowerShell script

From a PowerShell prompt (i.e. PS C:\>):

& 'C:\Program Files\NetApp\WFA\bin\Backup.ps1' -user backup -password ********* -path C:\Backups\WFA_Backup_20140525

Note 1: Execution policy must be set to unrestricted - see with the PS command:
Get-ExecutionPolicy
- if this is not already so, first check if UAC is on, if UAC is on turn it off and reboot. Then run the PS command:
Set-ExecutionPolicy unrestricted

Image: WFA PowerShell Backup

Part 2) Uninstall the Existing Version of WFA

Start > Control Panel > Programs and Features >
Right-click the existing version of WFA
Select Uninstall

Image: Uninstalling WFA

Yes to ‘Please make sure to take a backup before...’
Yes to ‘Are you sure...’
OK to ‘WFA was successfully removed...’

Image: Uninstall Successful

Part 3) Install the New Version of WFA

This is a re-hash of the Installation part of this post: OnCommand Workflow Automation 2.2RC1 - Quick Install Guide

Download the software package from:

Installing the software:
Double-click the downloaded WFA-x64-V2.2.0.2.6-B2416155.exe

Setup - WFA: Welcome to the WFA Setup Wizard
Click Next >

Setup - WFA: License Agreement
Accept the agreement
Click Next >

Setup - WFA: Server Configuration
Override the default server configuration or leave as default (HTTP Port 80 and HTTPS Port 443)
Click Next >

Setup - WFA: Checking Prerequisites
Click Next >

Setup - WFA: Customer Information
Enter ‘Site Name’
Enter ‘Company Name’
Click Next >

Setup - WFA: Administrator User
Create a user by providing -
Username: admin (default)
Password: *********
Click Next >

Setup - WFA: Select Destination Location
Leave as or change the default (C:\Program Files\NetApp\WFA)
Click Next >

Setup - WFA: Ready to Install
Click Install

Setup - WFA: Please read …
Click Next >

Setup - WFA: Completing the WFA Setup Wizard
Click Finish

Part 4) Restore the WFA Database

Log in to the WFA web portal (i.e. https://WFASERVER)

Click Administration
Click Backup & Restore

Under ‘Restore’
Click Browse... and browse to the backup file
Click Restore

Image: Restore WFA’s Database

The portal will go grey, you’ll notice mysqld.exe and NA_WFA_SRV.exe in ‘Windows Task Manager’ running at a high CPU% utilization, and then, finally, you will receive the message in the web portal:

Successfully restored WFA's database from file: wfa_backup.sql.gz

PS OnCommand Workflow Automation is an awesome and completely free automation tool.

Setting up the Data ONTAP PowerShell Toolkit for Ease of Use with COT.PS1 and CDOT

Sort of carrying on from the previous post...

If you’re an avid reader of this blog, you might remember the following posts from December 2013:


Note: At the time of writing, the posted version is 6.0. Unfortunately, I don’t have time to update the post every time I amend something. Currently I’m using v6.2 which has a bug fix and an addition. If by some miracle you’re actually interested in cot.ps1, drop me an email and I’ll send you the latest.
r6.1: A bug fix - noticed if cot add fails, leaves Current-NcConnections in limbo, so now we clear all connections if connect fails!
r6.2: Added cot {IP/DNS} {USER} PROMPT or P to get prompt for password + cot creds added (alongside cot cred since I kept typing creds).

COT.PS1 handles the Import-Module DataONTAP as well as lots of other stuff. To invoke the function automatically every time PowerShell loads, read below.

When you open PowerShell, by default it puts you in:

C:\Users\USERNAME>

Place cot.ps1 in the folder C:\Users\USERNAME - this will be our working directory.

By default there’s no PowerShell profile, its default location is here:

C:\Users\USERNAME\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Ensure the folder in Documents (displayed as “My Documents”) called ‘WindowsPowerShell’ exists, then run the following commands from the PowerShell PS C:\Users\USERNAME> prompt:

$profile
test-path $profile
New-Item -path $profile -itemtype file -force
notepad $profile

In Notepad, enter the following line (there is a space in between the two dots), then save and close it:

. .\cot.ps1

Close and reopen PowerShell, and cot.ps1 should automatically have been loaded!
From the PS C:\Users\USERNAME> prompt run:

cot help

- which should display something like the below:

cot = Returns currently connected to controllers.
cot ? = List of commands and description.
cot help = List of commands and description.
cot clear = Clears current connections.
cot cred(s) = List credentials - IP/DNS and user.
Note: Current users credential file path = C:\Users\naadmin\PS_creds_naadmin.txt
cot rcred {IP/DNS} = Removes credentials for specified IP/DNS.
cot rcred {IP/DNS} {USER} = Removes credentials for specified pair.
cot {IP/DNS} = Connects with specified arg (or fails to).
cot {IP/DNS} {USER} = Connects with specified args (or fails to).
cot {IP/DNS} {USER} {PASSWORD} = Connects with specified args (or fails to).
cot {IP/DNS} {USER} PROMPT = As above but prompts for password (also P works.)
cot add {IP/DNS} = Creates an additional connection as specified.
cot add {IP/DNS} {USER} = Creates an additional connection as specified.
cot add {IP/DNS} {USER} {PASSWORD} = Creates an additional connection as specified.
cot add {IP/DNS} {USER} PROMPT = As above but prompts for password (also P works.)
cot remove {IP/DNS} = Removes the specified connection.
cot remove {IP/DNS} {USER} = Removes the specified connection.

Creating a Read Only Domain User Account for Use with PowerShell

Note: You can’t use AD authentication over RPC as with 7-Mode and PowerShell; the credentials need to be specified!

The following creates a read-only domain login account on the cluster, assuming that either a vserver cifs or a vserver active-directory setup has been done to the domain containing your AD user account.

Create a domain tunnel and a login for the AD user account as below:

NACLU1::> domain-tunnel create -vserver NASVM1
NACLU1::> security login create LAB\naadmin -application ontapi -authmethod domain -role readonly

Now test connecting to a cluster in PowerShell.

PS C:\Users\naadmin> cot NACLU1 LAB\naadmin ********

Creating a Read Only Domain User Account for Use with SSH

Ontapi is all that’s required for normal PowerShell commands, but to use invoke-ncssh and standard clustershell commands, a login needs to be created with ssh application access.

NACLU1::> security login create LAB\naadmin -application ssh -authmethod domain -role readonly

Testing

In the following example I connect to 5 clusters at once (the credentials were previously cached using cot DNS USER PASSWORD):

PS C:\Users\naadmin> cot NACLU1
PS C:\Users\naadmin> cot add NACLU2
PS C:\Users\naadmin> cot add NACLU3
PS C:\Users\naadmin> cot add NACLU4
PS C:\Users\naadmin> cot add NACLU5

Run one simple command and it will bring back information from every cluster. For example, try:

PS C:\Users\naadmin> get-ncvol
PS C:\Users\naadmin> invoke-ncssh vserver show -fields language

Shutting Down Multiple Clusters with One Command

In a lab environment, you might want one command that shuts down every cluster and every node in every cluster. If we connect using an admin user, this one command shuts down the entire lab:

PS C:\Users\naadmin> invoke-ncssh halt -node *

Installing the Data ONTAP PowerShell Toolkit on Windows 7 under Domain Restrictions

It’s fairly typical in Enterprise IT environments that the provided Windows 7 desktops are locked down. This blog post walks through installing the Data ONTAP PowerShell Toolkit in such an environment, where there are certain restrictions, but fortunately not enough to stop us from installing and using the Data ONTAP PowerShell Toolkit.

Data ONTAP PowerShell Toolkit Requirements

System Requirements:
1) .NET 3.5
2) PowerShell 2 or higher

Windows 7 has .NET 3.5 by default.
Using PowerShell 2 must be permitted on the corporate desktop.

Windows 7 Desktop Setup

In order to run the DataONTAP module in PowerShell, the Execution Policy must be set to unrestricted.

Check by running:

PS C:\> Get-ExecutionPolicy

If it says Restricted, you’ll need to turn off UAC (User Account Control), reboot and then run:

PS C:\> Set-ExecutionPolicy unrestricted

This may be where you’ll encounter a problem with your corporate desktop - you may not be able to turn off UAC! If you’re in luck and the Execution Policy is already/now unrestricted, we can continue.

Downloading the Data ONTAP PowerShell Toolkit

Note: The latest version at the time of writing is 3.3.1 from 18-Apr-2014

Go to:

The Data ONTAP PowerShell Toolkit comes in two forms - an MSI file and a ZIP file. The MSI is super simple to install, but if your corporate security policy blocks downloading MSIs -

Image: Download MSI Security Alert

- then hopefully it will let you download the DataONTAP.zip file. And we carry on from having downloaded the ZIP file.

Installing the Data ONTAP PowerShell Toolkit from DataONTAP.zip

Important! Before unzipping, click the ‘Unblock’ button from the file properties.

Image: File Properties -> Unblock

Unzipping DataONTAP.zip reveals a folder inside called DataONTAP with a few other folders and files in (mostly DLLs.) Copy this folder.

The Data ONTAP PSTK can be installed in two locations:

1) C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
2) C:\Users\USERNAME\Documents\WindowsPowerShell\Modules

{Where USERNAME = your username}

Note: In Windows 7 the document folder that displays as ‘My Documents’ is Documents

Assuming the corporate security policy blocks adding stuff into system32 (also, perhaps you only want this for your login); here we’ll use option 2.

Firstly, create the folder structure \WindowsPowerShell\Modules in Documents if it does not exist.

Then copy the DataONTAP folder into:

C:\Users\USERNAME\Documents\WindowsPowerShell\Modules

Data ONTAP in PowerShell

In PowerShell, run the command:

PS C:\> Get-Module -ListAvailable

DataONTAP should be listed.

Image: PowerShell Modules

Finally, to import the DataONTAP PowerShell module:

PS C:\> Import-Module DataONTAP

Sunday, 18 May 2014

7MTT 1.2 CLI Commands Reference

I’d not come across a 7MTT 1.2 CLI Commands Reference (perhaps I’ve not been looking in the right place, if this is the case please let me know) so, since one would be useful and interesting, thought to grab the ? outputs and make notes.

Recommended reading:

7-Mode Transition Tool 1.2
Data and Configuration Transition Guide
For Transitioning to Clustered Data ONTAP

- and the section entitled ‘Transitioning volumes using the 7-Mode Transition Tool (CLI)’.

7MTT 1.2 CLI Commands Reference

7-Mode Transition Tool>?

NAME
transition -- Transition 7-Mode volumes and configuration to Cluster-Mode by using the 7-Mode Transition tool.

COMMANDS
transition abort - Aborts the transition session.
transition add-cluster-info - Add the cluster information to the given session.
transition add-primary-seven-mode-system - Add information about a 7-Mode primary system to a transition session.
transition add-secondary-cluster-mode-system - Add information about a Cluster-Mode secondary system to the session.
transition complete - Completes the transition to Cluster-Mode.
transition create - Create a transition session.
transition delete - Deletes a transition session.
transition job-results - View the results of a job.
transition job-status - See the status of a job.
transition jobs - This command displays the list of jobs ran or running on the given session and operation.
transition menu - Wizard that helps in completing the end-to-end transition workflow.
transition modify - Modify a transition session.
transition pause - Pause data transfers from 7-Mode to Cluster-Mode volumes.
transition precheck - Verify compatibility of the 7-Mode and Cluster-Mode systems for transition.
transition property-get - Gets the value of a specific session property.
transition property-reset - Clears the value of a specific session property.
transition property-set - Sets value for a specific session property.
transition remove-primary-seven-mode-system - Remove a 7-Mode primary system from the session.
transition remove-secondary-cluster-mode-system - Remove a Cluster-Mode secondary system that has been added the session.
transition resume - Resume data transfers from the 7-Mode to Cluster-Mode volumes.
transition setup - A wizard that helps in preparing a session.
transition show - Display the list of transition sessions or display information about a given session.
transition show-primary-seven-mode-systems - Display the list of 7-Mode primary systems added to the session.
transition show-secondary-cluster-mode-systems - Display the list of Cluster-Mode secondary systems added to the session.
transition start - Start data copy from 7-Mode volumes to Cluster-Mode volumes.
transition version - Display the version of 7-Mode Transition Tool.

CATEGORIES
transition credentials - Transition credentials management commands.
transition lif - LIF management commands.
transition volumepair - Transition volume pair commands.

DESCRIPTION
The 7-Mode Transition Tool enables transitioning 7-Mode volumes and configurations to a new Cluster-Mode system. The tool provides a CLI-based wizard and commands to perform the transition.

Valid options for all commands are:
[-r] no - Disable interactive nature of this command.

COMMANDS

7-Mode Transition Tool>transition abort ?

NAME
abort -- Aborts the transition session.

SYNOPSIS
transition abort -s {session-name} [ -r {interactive} ]

DESCRIPTION
This command stops all data transfers from the 7-Mode to the Cluster-Mode volumes, and deletes the SnapMirror relationships. Session must be in 'copy-baseline', 'copy-pause' or 'copy-update' to run this command.

Valid options are:
-s {session-name}  - Session name

7-Mode Transition Tool>transition add-cluster-info ?

NAME
add-cluster-info -- Add the cluster information to the given session.

SYNOPSIS
transition add-cluster-info -s {session-name} -h {host-name} -v {vserver-name} [ -g {aggregate} ]

DESCRIPTION
Add the cluster information to the given session.

Valid options are:-
-s {session-name} - Name of a session
-h {host-name}    - FQDN or IP address of the cluster-management LIF of the cluster
-v {vserver-name} - Vserver on the Cluster-Mode system
-g {aggregate}    - Aggregate name on which Vserver's root volume is created

7-Mode Transition Tool>transition add-primary-seven-mode-system ?

NAME
add-primary-seven-mode-system -- Add information about a 7-Mode primary system to a transition session.

SYNOPSIS
transition add-primary-seven-mode-system -s {session-name} -h {source-host} -f {management-ipaddress} -d {data-copy-ipaddress} [ -m {multipathing-ipaddress} ]

DESCRIPTION
Add information about a 7-Mode primary system to the session. This information is used by the tool to establish data-protection relationship with the 7-Mode primary volumes. This command is applicable only for 'secondary' type sessions. When transitioning a fan-in relationship, you can add information of more than one 7-Mode primary system.

Valid options are:-
-s {session-name}           - Name of a session
-h {source-host}            - FQDN or IP address of the source of data-protection relationship
-f {management-ipaddress}   - Management IP address of the source host
-d {data-copy-ipaddress}    - IP address over which data is copied
-m {multipathing-ipaddress} - Additional IP address that is used for data copy

7-Mode Transition Tool>transition add-secondary-cluster-mode-system ?

NAME
add-secondary-cluster-mode-system -- Add information about a Cluster-Mode secondary system to the session.

SYNOPSIS
transition add-secondary-cluster-mode-system -s {session-name} -h {c-mode-host-name} -v {vserver-name}

DESCRIPTION
Add information about a Cluster-Mode secondary system to the session. This information is used by the tool to establish data-protection relationship with the Cluster-Mode secondary volumes. This command is applicable only for 'primary' type sessions. When transitioning a fan-out relationship, you can add information about more than one Cluster-Mode system.

Valid options are:-
-s {session-name}     - Name of the session
-h {c-mode-host-name} - FQDN or IP address of the Cluster-Mode system.
-v {vserver-name}     - Name of the Vserver hosting the secondary volumes.

7-Mode Transition Tool>transition complete ?

NAME
complete -- Completes the transition to Cluster-Mode.

SYNOPSIS
transition complete -s {session-name} [ -m {safe-mode} ]
[ -h {ad-server-host-name} ]
[ -i {ad-server-ip-address} ]
[ -u {ad-server-admin-user-name} ]
[ -p {ad-server-password} ]
[ -x {kdc-server-host-name} ]
[ -y {kdc-server-admin-user-name} ]
[ -z {kdc-server-password} ] [ -r {interactive} ]

DESCRIPTION
The transition complete command completes the transition process.
This process involves:-
* Precheck to maximize success of this operation.
* Final data copy from 7-Mode to Cluster-Mode volumes.
* Transitioning Cluster-Mode volumes.
* Transitioning configuration from 7-Mode to Cluster-Mode system.
* Taking 7-Mode volumes offline and removing 7-Mode IP addresses.
* Creating Vserver data LIFs.
* Establish appropriate data Protection relationships for sessions of type primary and secondary

Valid options are:-
-s {session-name}               - Name of the session
-m {safe-mode}                  - Run transition in safe mode, where the 7-Mode volumes are not made offline, the 7-Mode IP addresses are not removed, and the Vserver LIFs are not brought to the 'up' state.
-h {ad-server-host-name}        - Active Directory server FQDN
-i {ad-server-ip-address}       - Active Directory server IP address
-u {ad-server-admin-user-name}  - Administrative user name of Active Directory server
-p {ad-server-password}         - Password of the administrative user of the Active Directory server
-x {kdc-server-host-name}       - KDC server FQDN
-y {kdc-server-admin-user-name} - Administrative user name of KDC
-z {kdc-server-password}        - Password of the KDC's administrative user.

You ensure that all the necessary manual steps are performed prior to invoking this command. After successfully completing this operation, carefully review the messages for any manual steps that might be required to be performed before enabling client access to the transitioned volumes.

7-Mode Transition Tool>transition create ?

NAME
create -- Create a transition session.

SYNOPSIS
transition create -s {session-name} -t {session-type} -n {7-mode-host-name} -c {data-copy-ipaddress} [ -f {vfiler} ]
[ -m {multipathing-ipaddress} ] [ -h {c-mode-host-name} ]
[ -v {c-mode-vserver-name} ] [ -g {vserver-rootvol-aggr} ]
[ -d {schedule-name} ] [ -a {apply-config} ]

DESCRIPTION
Create a session that is a unit of transition. It describes the 7-Mode objects and how they map to Cluster-Mode after transition.

Valid options are:-
-s {session-name}           - Name of the session
-t {session-type}           - Specifies whether the transitioning volume is the primary or secondary in a data protection relationship this session will transition. Valid values are: primary, secondary and standalone
-n {7-mode-host-name}       - FQDN or IP address of management interface of 7-Mode system
-c {data-copy-ipaddress}    - IP address over which data is copied
-f {vfiler}                 - Specifies the vFiler unit from which the volumes must be transitioned, if MultiStore is licensed on the 7-Mode system. The default value of this parameter is vfiler0.
-m {multipathing-ipaddress} - Additional IP address that will be used for data copy
-h {c-mode-host-name}       - FQDN or IP address of the cluster-management LIF of the cluster
-v {c-mode-vserver-name}    - Vserver on the Cluster-Mode system
-g {vserver-rootvol-aggr}   - Aggregate name on which Vserver's root volume is created
-d {schedule-name}          - Schedule to periodically update Cluster-Mode volumes
-a {apply-config}           - When set to true, all configurations of the volumes, protocol and services are transitioned to the Vserver. when set to false, only configurations of the volume are transitioned. Default value is true.

To ensure that the transition session is created successfully, you must add credentials of the 7-Mode and Cluster-Mode systems by using the 'credentials add' command.

7-Mode Transition Tool>transition delete ?

NAME
delete -- Deletes a transition session.

SYNOPSIS
transition delete -s {session-name}

DESCRIPTION
This command deletes the specified transition session.

Valid options are:-

-s session-name  - Name of a session

7-Mode Transition Tool>transition job-results ?

NAME
job-results -- View the results of a job.

SYNOPSIS
transition job-results -j {job-id} [ -r {interactive} ]

DESCRIPTION
This command is used to retrieve results of a given job.

Valid options are:-
-j {job-id}  - Specifies the job ID

7-Mode Transition Tool>transition job-status ?

NAME
job-status -- See the status of a job.

SYNOPSIS
transition job-status -j {job-id}

DESCRIPTION
This command is used to monitor the progress of a given job.

Valid options are:-
-j {job-id} - Specifies the job ID

Job status can be one of the possible values: running, completed, rejected or aborted.

7-Mode Transition Tool>transition jobs ?

NAME
jobs -- This command displays the list of jobs ran or running on the given session and operation.

Valid options are:-
-s {session-name}    - Name of the session
-o {operation-name}  - Name of the operation.

SYNOPSIS
transition jobs -s {session-name} [ -o {operation-name} ]

DESCRIPTION
Displays the jobs information

7-Mode Transition Tool>transition menu ?

NAME
menu -- Wizard that helps in completing the end-to-end transition workflow.

SYNOPSIS
transition menu [ -s {session-name} ] [ -v  ]

DESCRIPTION
This wizard helps to transition a set of volumes and configuration from a 7-Mode system to a cluster.

Valid options are:-
-s {session-name} - Session name
[-v]              - Turn on verbose mode for this command

7-Mode Transition Tool>transition modify ?

NAME
modify -- Modify a transition session.

SYNOPSIS
transition modify -s {session-name} [ -c {data-copy-ipaddress} ]
[ -m {multipathing-ipaddress} ] [ -v {vserver-name} ]
[ -a {apply-config} ] [ -d {schedule-name} ]
[ -h {c-mode-host-name} ] [ -g {vserver-rootvol-aggr} ]

DESCRIPTION
This command can be used to modify composition of a transition session.

Valid options are:-
-s {session-name}           - Name of the session
-c {data-copy-ipaddress}    - IP address over which data is copied
-m {multipathing-ipaddress} - Additional IP address that will be used for data copy
-v {vserver-name}           - Vserver name
-h {c-mode-host-name}       - FQDN or IP address of cluster-management LIF of the cluster
-g {vserver-rootvol-aggr}   - Aggregate name on which Vserver's root volume is created
-d {schedule-name}          - Schedule to periodically update Cluster-Mode volumes
-a {apply-config}           - When set to true, all configurations of the volumes, protocol and services are transitioned to the Vserver. When set to false, only configurations of the volume are transitioned. Default value is true.

7-Mode Transition Tool>transition pause ?

NAME
pause -- Pause data transfers from 7-Mode to Cluster-Mode volumes.

SYNOPSIS
transition pause -s {session-name} [ -r {interactive} ]

DESCRIPTION
This command pauses data transfers from the 7-Mode volumes to the Cluster-Mode volumes. Session must be in 'copy-baseline' or 'copy-update' to run this command.

Valid options are:-
-s {session-name}  - Session name

7-Mode Transition Tool>transition precheck ?

NAME
precheck -- Verify compatibility of the 7-Mode and Cluster-Mode systems for transition.

SYNOPSIS
transition precheck -s {session-name} [ -p  ] [ -r {interactive} ]

DESCRIPTION
This command performs all the necessary validations to verify whether transition is possible with the objects provided in the session.

Valid options are:-
-s {session-name} - Name of the session
[-p]              - Verify 7-Mode configuration only. If this parameter is not specified, the compatibility between the 7-Mode and Cluster-Mode system for transition is also verified.

The command returns a detailed report of all the validations performed on the 7-Mode and Cluster-Mode systems. Each entry in the report is classified in one of the following categories:-

Error        : Feature or functionality that is not supported in Cluster-Mode. For example traditional volumes.

Warning      : Feature or functionality that is not supported in
               Cluster-Mode or some incompatible configuration between
               7-Mode and Cluster-Mode or feature or functionality
               that can be configured manually post transition.

Notification : Incompatibilities or restrictions that might cause
               some inconveniences post transition.

Informational: Successful validation performed as part of this operation.

7-Mode Transition Tool>transition property-get ?

NAME
property-get -- Gets the value of a specific session property.

SYNOPSIS
transition property-get -s {session-name} -p {property-name}

DESCRIPTION
Gets the value of a specific session property. Currently, only one property(cluster-audit-saveas-path) is valid, which represents the path for the Vserver audit logs.

Valid options for all commands are:
[-s] - Session name
[-p] - Property name

7-Mode Transition Tool>transition property-reset ?

NAME
property-reset -- Clears the value of a specific session property.

SYNOPSIS
transition property-reset -s {session-name} -p {property-name}

DESCRIPTION
Clears the value of a specific session property. Currently, only one property(cluster-audit-saveas-path) is valid, which represents the path for the Vserver audit logs.

Valid options for all commands are:
[-s] - Session name
[-p] - Property name

7-Mode Transition Tool>transition property-set ?

NAME
property-set -- Sets value for a specific session property.

SYNOPSIS
transition property-set -s {session-name} -p {property-name} -v {property-value}

DESCRIPTION
Sets value for the session properties. Currently, only one property(cluster-audit-saveas-path) is valid, which represents the path for the Vserver audit logs.

Valid options for all commands are:
[-s] - Session name
[-p] - Property name
[-V] - Property value

7-Mode Transition Tool>transition remove-primary-seven-mode-system ?

NAME
remove-primary-seven-mode-system -- Remove a 7-Mode primary system from the session.

SYNOPSIS
transition remove-primary-seven-mode-system -s {session-name} -h {source-host}

DESCRIPTION
This command removes a 7-Mode primary system from the transition session. This command is applicable only for 'secondary' type sessions.

7-Mode Transition Tool>transition remove-secondary-cluster-mode-system ?

NAME
remove-secondary-cluster-mode-system -- Remove a Cluster-Mode secondary system that has been added the session.

SYNOPSIS
transition remove-secondary-cluster-mode-system -s {session-name} -v {secondary-vserver}

DESCRIPTION
This command removes a Cluster-Mode secondary system from the transition session. This command is applicable only for 'primary' type sessions.

7-Mode Transition Tool>transition resume ?

NAME
resume -- Resume data transfers from the 7-Mode to Cluster-Mode volumes.

SYNOPSIS
transition resume -s {session-name} [ -r {interactive} ]

DESCRIPTION
This command resumes data transfers from the 7-Mode volumes to Cluster-Mode volumes. Session state must be in 'copy-pause' to run this command.

Valid options are:-
-s {session-name} - Session name

7-Mode Transition Tool>transition setup ?

NAME
setup -- A wizard that helps in preparing a session.

SYNOPSIS
transition setup [ -s {session-name} ] [ -v  ]

DESCRIPTION
This transition setup wizard helps in creating a transition session by walking through a series of prompts to collect information of 7-Mode and Cluster-Mode systems, volumes and IP addresses.

Valid options are:
[-v] - Turn on verbose mode for this command

7-Mode Transition Tool>transition show ?

NAME
show -- Display the list of transition sessions or display information about a given session.

SYNOPSIS
transition show [ -s {session-name} ] [ -c  ] [ -r {interactive} ]

DESCRIPTION
Display information about a given session such as session name, 7-Mode storage system, Vserver and session status.

Valid options are:-
-s {session-name} - Display detailed information about a session
[-c]              - Display copy status of all the volume-pairs in the session

7-Mode Transition Tool>transition show-primary-seven-mode-systems ?

NAME
show-primary-seven-mode-systems -- Display the list of 7-Mode primary systems added to the session.

SYNOPSIS
transition show-primary-seven-mode-systems -s {session-name}

DESCRIPTION
This command displays the list of 7-Mode primary systems added to the session. This command is applicable only for 'secondary' type sessions.

7-Mode Transition Tool>transition show-secondary-cluster-mode-systems ?

NAME
show-secondary-cluster-mode-systems -- Display the list of Cluster-Mode secondary systems added to the session.

SYNOPSIS
transition show-secondary-cluster-mode-systems -s {session-name}

DESCRIPTION
This commands displays the list of Cluster-Mode secondary system added to the session. This command is applicable only for 'primary' type sessions.

7-Mode Transition Tool>transition start ?

NAME
start -- Start data copy from 7-Mode volumes to Cluster-Mode volumes.

SYNOPSIS
transition start -s {session-name} [ -n  ] [ -r {interactive} ]

DESCRIPTION
This command starts the transition process. This process involves the following steps:
* Validating compatibility of 7-Mode system against Cluster-Mode system
* Creating Vserver and volumes on Cluster-Mode system, if required
* Start data copy from 7-Mode to Cluster-Mode volumes

The Cluster-Mode volumes are periodically updated according to the schedule specified in the session.

Valid options are:-
-s {session-name} - Name of the session
[-n]              - Skip precheck operation if no errors were reported in the last precheck operation.

Note that:-
* If the precheck operation reports any error, start operation fails. In this case, fix the errors reported before invoking this command again.
* Data copy operation can still fail after a successful start. Refer to relevant documentation for diagnostic and troubleshooting details.
* Monitor the progress of data copy process by using the "transition show" command.
* Data copy can be paused by using the "transition pause" command and resumed by using the "transition resume" command.

CATEGORIES: transition credentials

7-Mode Transition Tool>transition credentials ?

NAME
credentials -- Transition credentials management commands.

COMMANDS
transition credentials add    - Caches the credentials of a host in the transition server.
transition credentials get    - Retrieve the cached user name of a host.
transition credentials modify - Modifies the cached username and password of host.
transition credentials remove - Delete the cached entry of username and password of a host.

DESCRIPTION
Transition credentials management commands.

7-Mode Transition Tool>transition credentials add ?

NAME
add -- Caches the credentials of a host in the transition server.

SYNOPSIS
transition credentials add -h {host-name} -u {username}

DESCRIPTION
This command enables the tool to cache user name and password of any host, which is used in the work flow of transition.

Valid options are:-
-h {host-name} - FQDN or IP address of a host
-u {username}  - Administrative user name

7-Mode Transition Tool>transition credentials get ?

NAME
get -- Retrieve the cached user name of a host.

SYNOPSIS
transition credentials get -h {host-name}

DESCRIPTION
This command retrieves the cached user name of the specified host.

Valid options are:-
-h {host-name} - FQDN or IP address of a host

7-Mode Transition Tool>transition credentials modify ?

NAME
modify -- Modifies the cached username and password of host.

SYNOPSIS
transition credentials modify -h {host-name} -u {username}

DESCRIPTION
This command modifies the cached username and password of the specified host.

Valid options are:-
-h {host-name} - FQDN or IP address of a host
-u {username}  - Administrative user name

7-Mode Transition Tool>transition credentials remove ?

NAME
remove -- Delete the cached entry of username and password of a host.

SYNOPSIS
transition credentials remove -h {host-name}

DESCRIPTION
This command deletes the cached entry of username and password of the specified host.

Valid options are:-
-h {host-name}  - FQDN or IP address of a host

CATEGORIES: transition lif

7-Mode Transition Tool>transition lif ?

NAME
lif -- LIF management commands.

COMMANDS
transition lif add    - Adds a Vserver data LIF to given session.
transition lif modify - Modifies a Vserver data LIF of a session.
transition lif remove - Removes an IP addresses from a session.
transition lif show   - Lists all the IP addresses in a session.

DESCRIPTION
LIF management commands

7-Mode Transition Tool>transition lif add ?

NAME
add -- Adds a Vserver data LIF to given session.

SYNOPSIS
transition lif add -s {session-name} -i {ip-address} [ -m {netmask} ] [ -g {default-gateway} ] [ -p {home-port} ] [ -n {home-node} ]

DESCRIPTION
This command adds a Vserver data LIF to a specified session.

Valid options are:-
-s {session-name}    - Name of the session
-i {ip-address}      - IP address of the LIF
-m {netmask}         - Netmask
-g {default-gateway} - Default gateway
-p {home-port}       - LIF's home port
-n {home-node}       - LIF's home node

7-Mode Transition Tool>transition lif modify ?

NAME
modify -- Modifies a Vserver data LIF of a session.

SYNOPSIS
transition lif modify -s {session-name} -i {ip-address} [ -m {netmask} ] [ -g {default-gateway} ] [ -p {home-port} ] [ -n {home-node} ]

DESCRIPTION
This command modifies a Vserver data LIF of a given session.

Valid options are:-
-s {session-name}    - Name of the session
-i {ip-address}      - IP address of the LIF
-m {netmask}         - Netmask
-g {default-gateway} - Default gateway
-p {home-port}       - LIF's home port or interface group
-n {home-node}       - LIF's home node

7-Mode Transition Tool>transition lif remove ?

NAME
remove -- Removes an IP addresses from a session.

SYNOPSIS
transition lif remove -s {session-name} -i {ip-address}

DESCRIPTION
This command removes an IP addresses from a specified session.

Valid options are:-
-s {session-name} - Name of the session
-i {ip-address}   - IP address of the LIF

7-Mode Transition Tool>transition lif show ?

NAME
show -- Lists all the IP addresses in a session.

SYNOPSIS
transition lif show -s {session-name} [ -i {ip-address} ]

DESCRIPTION
This command lists all the IP addresses of a specified session.

Valid options are:-
-s {session-name} - Name of the session
-i {ip-address}   - IP address of the LIF

CATEGORIES: transition volumepair

7-Mode Transition Tool>transition volumepair ?

NAME
volumepair -- Transition volume pair commands.

COMMANDS
transition volumepair add    - Adds 7-Mode and Cluster-Mode volume pair to a session.
transition volumepair modify - Modifies the Cluster-Mode volume in the volume pair of the session.
transition volumepair remove - Removes the volume pairs from the session.
transition volumepair show   - Lists all the volume pairs in a session.

DESCRIPTION
Transition volume pair management commands.

7-Mode Transition Tool>transition volumepair add ?

NAME
add -- Adds 7-Mode and Cluster-Mode volume pair to a session.

SYNOPSIS
transition volumepair add -s {session-name} -v {volume-name-7-mode} [ -c {volume-name-c-mode} ] [ -g {aggregate-name} ]

DESCRIPTION
This command adds 7-Mode and Cluster-Mode volume pair to the specified session.

Valid options are:-
-s {session-name}       - Name of the session
-v {volume-name-7-mode} - 7-Mode volume name
-c {volume-name-c-mode} - Cluster-Mode volume name
-g {aggregate-name}     - Aggregate name that hosts the Cluster-Mode volume

7-Mode Transition Tool>transition volumepair modify ?

NAME
modify -- Modifies the Cluster-Mode volume in the volume pair of the session.

SYNOPSIS
transition volumepair modify -s {session-name} -v {volume-name-7-mode} [ -c {volume-name-c-mode} ] [ -g {aggregate-name} ]

DESCRIPTION
This command modifies the Cluster-Mode volume in the volume pair of the session.

Valid options are:-
-s {session-name}       - Name of the session
-v {volume-name-7-mode} - 7-Mode volume name
-c {volume-name-c-mode} - Cluster-Mode volume name
-g {aggregate-name}     - Aggregate name which hosts the Cluster-Mode volume

7-Mode Transition Tool>transition volumepair remove ?

NAME
remove -- Removes the volume pairs from the session.

SYNOPSIS
transition volumepair remove -s {session-name} -v {volume-name-7-mode}

DESCRIPTION
This command removes the volume pairs the transition session.

Valid options are:-
-s {session-name}       - Name of the session
-v {volume-name-7-mode} - 7-Mode volume name

7-Mode Transition Tool>transition volumepair show ?

NAME
show -- Lists all the volume pairs in a session.

SYNOPSIS
transition volumepair show -s {session-name} [ -v {volume-name-7-mode} ]

DESCRIPTION
This command displays all the volume pairs in a session.

Valid options are:-
-s {session-name}       - Name of the session
-v {volume-name-7-mode} - 7-Mode volume name