Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.2.1 - User Guide

One Identity Manager Data Governance Edition User Guide Data Governance node and views Administering Data Governance Edition Managing unstructured data access
Managing resource access Managing account access Working with security permissions Working with SharePoint security permissions Account access modeling Bringing data under governance
Classifying governed resources Managing governed resources using the web portal Data Governance Edition reports Troubleshooting EMC, NetApp Filer, and SharePoint configuration details PowerShell commands Governed data attestation policies Governed data company policies Governed data risk index functions

Creating the cepp.conf file (Celerra or VNX devices)

You must create a configuration file (cepp.conf file) before using the CEPA auditing feature to monitor file system activity on EMC Celerra or VNX storage devices. The cepp.conf file contains the information needed to connect Data Movers to the Windows computers where the CEE software is installed. It also defines the type of file system events that Data Governance Edition can collect from the EMC device.

To create and configure cepp conf file

  1. Using an SSH client (such as Putty.exe), connect to Control Station using its IP and port (the default is 22).
  2. Login using administrative credentials. The default user name and password on a Celerra system are nasadmin/nasadmin.
  3. Copy or create the cepp.conf file.

    • To copy the current configuration file from the Data Mover, run the following command: server_file movername -get.cepp.conf cepp.conf

      Where: movername is the name of your Data Mover. The default name is server_2.

    • To create the configuration file, open the VI text editor (or other preferred text editor) by running the following command: vi cepp.conf
  4. Using the text editor, edit the cepp.conf file and ensure the following configuration parameters are in the file:

    pool name=poolname servers=server1|server2 postevents=event1|event2|...

    Where: poolname is the name assigned to the set of Windows servers where the Event Enabler software from EMC is installed.

    Where: server1|server2 is the fully-qualified domain name of the Windows computers hosting the Event Enabler (CEE) software from EMC. If you have more than one server, separate them with a vertical bar (|).

    Where: event1|event2|... are the EMC events to be collected during security scans and activity collection. When specifying multiple events, separate them with a vertical bar (|).

    Note: Do not register for pre-events or post-err-events in the cepp.conf. These events are ignored by the Data Governance agent and add undue load on the EMC device.

    The following table shows events (postevents=) that can be registered in the cepp.conf and their mapping to Data Governance events that can be collected during security scanning and activity tracking.

    EMC cepp.conf event

    Data Governance Edition event
    CreateFile|CreateDir Create
    DeleteFile|DeleteDir Delete
    RenameDir Rename
    SetAclFile|SetAclDir SecurityChange
    CloseModified Write
    CloseUnmodified Read

    NOTE: If you configure your EMC managed host to collect real-time security changes and apply them to scanned data, you must include the following events:

    ...postevents=CreateFile|CreateDir|DeleteFile|DeleteDir|RenameDir|SetAclFile|SetAclDir

    For performance reasons, you may want to filter out the events that are not required, such as CloseUnmodified which are the "Read" events.

  5. Save the file. (Press Escape then type :wq)

  6. Run the following commands in the SSH client to publish the file to the Data Mover and restart the CEPA facility:

    server_cepp movername -service -stop

    server_file movername -put cepp.conf cepp.conf

    server_cepp movername -service -start

    Where: movername is the name of your Data Mover. The default name is server_2.

  7. Verify the CEPA status by running the following command:

    server_cepp movername -service -status

  8. Verify the pool configuration by running the following command:

    server_cepp movername -pool -info

Enabling system configuration auditing (Isilon devices)

EMC Isilon devices do not use the cepp.conf file; however, you must enable configuration change auditing and protocol access auditing in order for Data Governance Edition to perform security scans and collect resource activity on the EMC storage device.

Note: On the Data Governance server and all agent servers, you must have a Trusted Root Certificate Authority certificate to validate the Isilon server's HTTP certificate.

To enable auditing (OneFS web interface)

  1. Connect to the OneFS web interface.

  2. Select Cluster Management.
  3. Select Auditing.
  4. In the Settings pane, select the following check boxes:

    • Enable Configuration Change Auditing
    • Enable Protocol Access Auditing
  5. In the Audited Zones pane, add the zones to be audited:

    • Click the Add Zones button to add a zone.
  6. In the Event Forwarding pane, enter the following information:

    • CEE Server URIs: Enter the uniform resource identifier (URI) for the Windows server hosting the Common Event Enabler (CEE) software.

      Use the following format: http://<FullyQualifiedDomainName>:<Port>/cee.

      For example: http://server.test.abc.com:12228/cee

      The default CEE HTTP port is 12228.

      Click the Add another input field to add additional CEE server URIs.

    • Storage Cluster Name: Enter the resolved name of the EMC Isilon cluster.

      Use the following format: <ClusterName>.<DomainName>.com

      For example: Cluster1.test.abc.com

  7. Click Save Changes.

Additional configuration for NetApp filers

Data Governance Edition uses the NetApp Data ONTAP file screening policy (FPolicy) to track activities on the filer. This policy allows third-party file screening software to interact with the NetApp filer.

Understanding the following aspects of the deployment process are key to ensuring a successful deployment of NetApp managed hosts:

Permissions required to access NetApp filer

The service account for the remote agent responsible for scanning the NetApp filer must meet the following minimum permissions:

  • Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)
  • Must be a member of the local Administrators group on the NetApp filer.
  • Must have permissions to access the folders being scanned.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating