How to: Integrate with NetApp Clustered Data ONTAP

Summary

This article covers the essential steps needed to integrate NetApp Clustered Data ONTAP (cDOT) with Quota Server. A working integration between the two is mandatory for quota enforcement. This type of integration requires that your Northern Storage Suite installation is upgraded to version 9.6 or later. Version 9.61 SR1 is required if the ONTAP version is 8.3 or later.

NSS uses a proprietary interface when delivering quota functionality on NetApp systems. This interface is used to streamline quota monitoring, to allow for fail-open locking of hard quotas and for file blocking functionality. The API used is a NetApp technology called FPolicy.

In order to establish this interface, and begin receiving FPolicy notifications, NSS must register to FPolicy on the vserver. Note that this registration is only necessary for quota operations. It is not used for reporting purposes.

A basic knowledge of NetApp Clustered Data ONTAP administrative command-line is required. Further details are available in the official Clustered Data ONTAP administrator guide.

Using FPolicy

In order to understand when the FPolicy API is used, and why, it is useful to gather some background on the interfaces used by NSS when managing NetApp devices. (Additional information is available in KB - 1729.) NSS uses three APIs to communicate with a NetApp filer:

[Figure: cDOT communication]

  • CIFS
    The NSS services need to access the CIFS shares where quotas or reports are applied. Using CIFS, NSS has the amount of access to the vserver allowed by the user account used for the NSS Core Server Service and NSS Quota Server Service. When run under Administrator groups, both services will claim Backup rights for scanning operations.

  • TCP
    The TCP protocol is used by the Quota Server component of NSS to retrieve and answer FPolicy requests. The FPolicy requests and responses are sent on one TCP port per SVM.

  • HTTP/HTTPS
    The channel is used for the management of the FPolicy connection. NSS will use the HTTP/HTTPS configuration to connect to NetApp and create the FPolicy object required. It will also remove it on exit.

Pre-Requisites and Configurations

The fpolicy object is created or updated as soon as a Quota or File Block rule is added or removed. This can only be done if the following four pre-requisites are met:

  1. The NSS Quota Server service account needs to be an administrator on each managed SVM.

  2. Quota Server must connect to the CIFS server on the target SVM with the vsadmin-account or equivalent (ontapi rights required).

  3. A TCP port needs to be opened for each managed SVM on the Windows Server where NSS is running. The default starting port defined in Quota Server is TCP port 9000. Each SVM connection claims a TCP port (e.g. if you have three SVMs to manage with NSS, TCP ports 9000, 9001 and 9002 need to be opened on the server running NSS).

  4. The IP-address of the Management LIF needs to be specified for each CIFS-server. The procedure varies depending on the installed version of NSS.

    For version 9.61 SR5 or earlier
    The IP-address of the Management LIF needs to be statically resolved for each managed CIFS-server. This is done in the HOSTS & LMHOSTS-files on the NSS-server. The files are located at C:\Windows\System32\drivers\etc by default. Add the IP, followed by the fully qualified domain name for the CIFS-server. Save the file.

    Example (hosts-file):

         10.20.30.40    cifs-server1.domain.com
         10.20.30.50    cifs-server2.domain.com
         10.20.30.60    cifs-server3.domain.com

    For version 9.7 SR1 or later:
    When adding the CIFS-server to the Quota Server NetApp settings (the NetApp filer field), specify the IP-address of the Management LIF after the CIFS-server name. Separate the name and the IP with an '@'-sign. Multiple CIFS-servers are separated with a semi-colon.

    Example:
    cifs-server1@10.20.30.40;cifs-server2@10.20.30.50;cifs-server3@10.20.30.60

    See the section 'Establishing the Fpolicy connection' a few steps below for more information on how to add the managed NetApp filers to Quota Server.
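The four pre-requisites above can be derived from one place. The following PowerShell script is an added example, not part of the KB article or Northern's own tooling: it parses the 9.7 SR1 "NetApp filer" value (name@ip;name@ip), assigns one TCP port per SVM starting at 9000, prints the hosts-file lines needed by 9.61 SR5 or earlier, and opens the port range in Windows Firewall. The filer string, the DNS suffix and the rule name are constructed values.

```powershell
# Added example (not part of the KB article, not Northern's own tooling).
# Parses the Quota Server "NetApp filer" value used by NSS 9.7 SR1 or later
# (name@ManagementLIF;name@ManagementLIF;...), assigns one TCP port per SVM
# starting at the Quota Server default (9000), and derives the two things the
# pre-requisites call for: the hosts-file lines needed by NSS 9.61 SR5 or
# earlier and an inbound firewall rule for the per-SVM ports.
# $FilerField, $DnsSuffix and the rule name are constructed/assumed values.
$FilerField = 'cifs-server1@10.20.30.40;cifs-server2@10.20.30.50;cifs-server3@10.20.30.60'
$StartPort  = 9000          # "TCP PortNo Start" in Quota Server
$DnsSuffix  = 'domain.com'  # assumed DNS suffix for the hosts-file FQDNs

$entries = @()
$i = 0
foreach ($item in ($FilerField -split ';' | Where-Object { $_.Trim() })) {
    $name, $ip = $item.Trim() -split '@', 2
    if (-not $ip) { throw "No Management LIF given for '$name' (expected name@ip)" }
    # Reject anything that is not an IP literal before it lands in hosts or firewall config
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
        throw "Invalid Management LIF address '$ip' for '$name'"
    }
    $entries += [pscustomobject]@{
        CifsServer = $name
        MgmtLif    = $parsed.IPAddressToString
        TcpPort    = $StartPort + $i   # each SVM claims the next port: 9000, 9001, 9002, ...
    }
    $i++
}

# 1) Hosts-file lines for NSS 9.61 SR5 or earlier. Review them, then append to
#    C:\Windows\System32\drivers\etc\hosts from an elevated prompt.
$hostsLines = $entries | ForEach-Object { '{0,-16}{1}.{2}' -f $_.MgmtLif, $_.CifsServer, $DnsSuffix }
$hostsLines

# 2) One inbound rule on the NSS server covering the per-SVM FPolicy ports.
#    Add -RemoteAddress with the cluster's addresses to limit who may reach
#    these ports; the article does not list them, so the rule is left open here.
New-NetFirewallRule -DisplayName 'NSS Quota Server FPolicy' -Direction Inbound `
    -Protocol TCP -LocalPort ($entries | ForEach-Object { "$($_.TcpPort)" }) `
    -Action Allow -Profile Domain | Out-Null

$entries | Format-Table -AutoSize
```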

How to add the NSS Service account to the SVM Administrator group
Add the account used by the NSS Quota Server service to BUILTIN\Administrators on each managed vserver. This is needed because Quota Server needs permission to perform operations on the vserver.

There are two ways to add the NSS Quota Server service account to the BUILTIN\Administrators group on the managed vserver:

  1. Through the NetApp command station
  2. Through the OnCommand GUI


1. Adding the account through the NetApp command station

Enter the NetApp command prompt and enter vserver cifs users-and-groups local-group. In the example below, the NetApp cluster is named NorthernCDOT:

[Screenshot: cDOT group command]

When inside this section of the NetApp Client, type the following command to add the NSS Quota Server service account to the BUILTIN\Administrators group on the vserver:

add-members -group-name BUILTIN\Administrators -member-names DOMAIN\service_account -vserver XXXXX

The DOMAIN\service_account is your NSS Quota Server service account and XXXXX is the name of your vserver. Please make sure that the credentials are correctly set in terms of domain and account name!

The screenshot below illustrates how this looks in the NetApp command prompt. In this example, the name of the vserver is SNV-FieldCDOT:

[Screenshot: cDOT add-members command]

The account is now a member of the BUILTIN\Administrators group. Repeat this process for all managed vservers.

2. Adding the account through the OnCommand interface
A more user friendly approach is through the NetApp OnCommand software. This software allows the administrator to manage the NetApp cluster from a graphical interface.

Open the OnCommand interface (preferably version 3.1 or later). Navigate to Storage Virtual Machines\Cluster Name\Vserver Name\Configuration\Local Users and Groups\Windows.

In the example below, the pathway is Storage Virtual Machines\NorthernCDOT\SNV-FieldCDOT\Configuration\Local Users and Groups\Windows.

Select BUILTIN\Administrators in the list and Click on 'Edit' to modify the group:

[Screenshot: OnCommand account]

Click on 'Add' under the Members-section: 

[Screenshot: Add group member]

Add the NSS Quota Server service account:

[Screenshot: Adding the QS service account]

Click on 'Modify' to apply the change:

[Screenshot: Apply the group change]

The account is now a member of the BUILTIN\Administrators group. Repeat this process for all managed vservers.

How to create a local security account equivalent to vsadmin

Quota Server uses a local security account on the target SVM(s) for the fpolicy authorization. The already existing vsadmin-account is the recommended account to use here.

If the vsadmin-account cannot be used (e.g. locked due to a security policy), a new local security account must be created locally on each managed SVM. The new account must have the same rights as the vsadmin account.

Access OnCommand and navigate to Storage Virtual Machines\Cluster Name\Vserver Name\Configuration\Security\Users.

Click on Add:

[Screenshot: Local security user]

Specify the user name, password and grant the account ontapi & ssh-rights with the 'vsadmin'-role:

[Screenshot: Add local user]

Click on Add and then verify that the account has the required roles:

[Screenshot: Verify user roles]

Repeat this process for all managed vservers.

Establishing the FPolicy Connection

The fpolicy connection can be established in Quota Server when the steps above have been completed. Once confirmed, launch Quota Server, navigate to System\Quota Servers and select your Quota Server. Right-click the selected Quota Server and select 'Modify':

[Screenshot: Modify Quota Server]

This enables the settings menu at the bottom of the screen. Click on 'NetApp Settings':

[Screenshot: NetApp cDOT account configuration]

How to establish the fpolicy connection in Quota Server

  • NetApp filer: Specify the name(s) of the CIFS Server(s) that you will be managing. Separate multiple CIFS Server names with a semicolon ';'. Note that the CIFS Server name might or might not be the same as Storage Virtual Machine (SVM) name, depending on the configuration of your NetApp environment.

    If you are running version 9.7 SR1 or later, please specify the IP-address of the Management LIF for each managed CIFS-server. Separate the CIFS-server name and the IP-address with an '@'-sign (e.g. SNV-FieldCDOT@10.1.0.248).

  • Connection type: Specify the connection type you wish to use. Either HTTP or HTTPS.

  • User name: Specify the vsadmin account or equivalent here. Our recommendation is to use the vsadmin account since this account has all the required rights to establish the fpolicy connection. It is possible to use another account, but this requires that the used account has the same rights on the vserver as the vsadmin account. Ontapi login rights are required. See the previous section for more information.

  • Password: Specify the password of the account used for the authentication.

  • TCP PortNo Start: Specify the starting TCP port that Quota Server will use to communicate with the vserver. The default port is set to 9000. Each vserver claims a port, so an additional port needs to be opened for each managed vserver. For example, if you want to manage 3 vservers, you need to open ports 9000, 9001 and 9002.

Optional settings
These settings are only relevant if the ambition is to encrypt the communication with an SSL-layer.

  • CM SSL Auth: This setting dictates whether the connection should be through SSL or not. The default value is set to 'No SSL'. The other two settings are 'Server' and 'Mutual'. These settings will enable SSL.
  • QS Cert Name: Specify the name of your QS Certificate.
  • Cluster Cert Name: Specify the name of your Cluster Certificate.
  • Cluster Cert Serial: Specify your Cluster Certificate Serial.
  • Cluster Cert CA: Specify the Cluster Certificate CA.

Apply the changes by either pressing 'Enter' or by right-clicking the screen and selecting 'Apply' in the menu.

Authorization failed

[Screenshot: Authorization failed dialog]

If you see this it means that Quota Server is not able to connect to the NetApp Cluster due to a failed authorization. The most common problem is that the account username and/or password is incorrectly configured. Make sure that the credentials are correct and try again.

Confirm Results

Before testing the locking and file blocking you need to verify that the following actions have been performed:

  • Is the NSS Quota Server service account a member of the BUILTIN\Administrators group on all managed vservers?

  • Are the login credentials correct in the Quota Server NetApp settings-tab? Is the local vsadmin account (or equivalent) properly configured? Does it have ontapi login rights?

  • Have you opened a TCP port for each managed vserver (for example 9000, 9001, 9002 and so on)?

  • For 9.61 SR5 or earlier: On the NSS-server: Have you made sure that the IP-address of the Management LIF is specified and correctly resolved for each managed CIFS-server in the HOSTS and LMHOSTS-files at C:\Windows\System32\drivers\etc?

  • For 9.7 SR1 or later: Have you specified the IP-address of the Management LIF for each CIFS-server? Does every CIFS server have a Management LIF defined in NetApp OnCommand (Cluster\Configuration\Network\Network Interfaces)?

Once this checklist has been completed and verified you can proceed to test the locking functionality. Please ensure that these tests are carried out with a regular user account on a different machine. File operations performed directly on the NSS server will bypass the file policy rules (this is a behaviour dictated by FPolicy).
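The checklist items that concern the NSS server itself (name resolution, the management channel, and the per-SVM TCP ports) can be checked with the following PowerShell script. It is an added example, not the KB article's or Northern's own tooling; the filer list, the starting port and the 443/80 management port are constructed or assumed, and the SVM group membership must still be checked on the cluster.

```powershell
# Added verification example, not part of the KB article or Northern's tooling.
# Run on the NSS server. $Filers, $StartPort and $MgmtPort are constructed or
# assumed values; the BUILTIN\Administrators membership itself is checked on the
# cluster with 'vserver cifs users-and-groups local-group show-members'.
$Filers = @(
    [pscustomobject]@{ CifsServer = 'cifs-server1.domain.com'; MgmtLif = '10.20.30.40' },
    [pscustomobject]@{ CifsServer = 'cifs-server2.domain.com'; MgmtLif = '10.20.30.50' }
)
$StartPort = 9000   # "TCP PortNo Start" in Quota Server
$MgmtPort  = 443    # 443 for the HTTPS connection type, 80 for HTTP

# True if an enabled inbound allow rule covers TCP $Port (single port, range, or Any).
function Test-FirewallPortAllowed([int]$Port) {
    $filters = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
               Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' }
    foreach ($flt in $filters) {
        foreach ($lp in @($flt.LocalPort)) {
            if ($lp -eq 'Any' -or $lp -eq "$Port") { return $true }
            if ($lp -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
    }
    return $false
}

$report = for ($i = 0; $i -lt $Filers.Count; $i++) {
    $f    = $Filers[$i]
    $port = $StartPort + $i          # each managed SVM claims the next port

    # Name resolution (hosts file on 9.61 SR5 or earlier) must point at the Management LIF.
    $addrs = try { [System.Net.Dns]::GetHostAddresses($f.CifsServer).IPAddressToString } catch { @() }

    # The HTTP/HTTPS management channel is what creates and removes the fpolicy object.
    $mgmt = Test-NetConnection -ComputerName $f.MgmtLif -Port $MgmtPort -WarningAction SilentlyContinue

    [pscustomobject]@{
        CifsServer    = $f.CifsServer
        ResolvesToLif = ($addrs -contains $f.MgmtLif)
        MgmtReachable = $mgmt.TcpTestSucceeded
        FPolicyPort   = $port
        PortAllowed   = Test-FirewallPortAllowed $port
        # True only once Quota Server is running and has bound the port.
        Listening     = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
    }
}
$report | Format-Table -AutoSize
```

Any row with ResolvesToLif, MgmtReachable or PortAllowed set to False points at the checklist item to revisit before testing the locking functionality.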

Example of a testing procedure

  1. Create an Object quota, selecting NetApp as the platform, and assign a locking action to a threshold. Suggested value: 'Lock dir'

  2. Copy files to the quota path, to push the folder over the locking threshold. Use a network client for the copy action.

  3. The first file passing through the quota activates the associated action, but it will be allowed to be saved. The next attempt to copy should be blocked if the settings are correct. In 9.7 SR1 and later it's possible to set the default error message to be displayed for blocked file types and quotas. See KB-3107 for more information.

  4. Log in to the NetApp Cluster Command Prompt and check whether the FPolicy server object has been created and registered by typing vserver fpolicy show

For advanced troubleshooting, please contact the Technical Support team at Northern (support@northern.net).

ADDITIONAL RESOURCES

  • KB1745 What is/are: NSS Deployment Pre-requisites
  • KB1791 What is/are: System Requirements
  • KB3107 How to: Change error messages sent to users when save is denied (NetApp)
  • KB Article: 3033

    Updated: 4/14/2016

    • Category
      • Usage
    • Affected versions
      • NSS 9.6
      • 9.61.18853.1503 [9.61 SR1]
      • 9.61.18990.1505 [9.61 SR2]
      • 9.61.19180.1506 [9.61 SR3]
      • 9.61.19378.1509 [9.61 SR4]
      • 9.61.19529.1511 [9.61 SR5]
