BROADCOM SANnav Global View Management Portal User Guide

SANnav™ Global View v2.3.1a
SANnav Global View v2.3.1a Release Notes (Digest Edition)
Version 1 (Digest Edition)

SANnav Global View Management Portal

Copyright © 2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
For more information, go to www.broadcom.com. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products or to view the licensing terms applicable to the open source software, please download the open source attribution disclosure document in the Broadcom Support Portal. If you do not have a support account or are unable to log in, please contact your support provider for this information.

Chapter 1: Preface

1.1 Contact Technical Support for your Brocade® Product
If you purchased Brocade product support directly from Broadcom, use one of the following methods to contact the Technical Assistance Center 24×7. For product support information and the latest information on contacting the Technical Assistance Center, go to www.broadcom.com/support/fibre-channel- networking/contact-brocade-support.

For nonurgent issues, the preferred method is to log on to the Support portal at support.broadcom.com. You must initially register to gain access to the Support portal. Once registered, log on and then select Brocade Products. You can now navigate to the following sites:
Case Management
Software Downloads
Licensing
SAN Reports
Brocade Support Link
Training & Education| For Severity 1 (critical) issues, call Brocade Fibre Channel Networking Global Support at one of the phone numbers listed at www.broadcom.com/support/fibre-channelnetworking/contact-brocade- support

If you purchased Brocade product support from a Broadcom OEM/solution provider, contact your OEM/solution provider for all your product support needs.

• OEM/solution providers are trained and certified by Broadcom to support Brocade products.
• Broadcom provides backline support for issues that cannot be resolved by the OEM/solution provider.
• Brocade Supplemental Support augments your existing OEM support contract, providing direct access to Brocade expertise. For more information on this option, contact Broadcom or your OEM.

For questions regarding service levels and response times, contact your OEM/solution provider.
To expedite your call, have the following information immediately available:
General Information
– Technical support contract number, if applicable
– Switch model
– Switch operating system version and SANnav™ version
– Error numbers and messages received
– SANnav Support Data Capture (SSDC) and Switch supportSave command output and associated files
For dual-CP platforms, the supportSave command gathers information from both CPs and any AP blades installed in the chassis:
– Detailed description of the problem, including the SANnav and switch or fabric behavior immediately following the problem and any specific questions
– Description of any troubleshooting steps already performed and the results
– Serial console and telnet session logs
– Syslog message logs

Switch Serial Number
The switch serial number is provided on the serial number label, examples of which follow:
The serial number label is located as follows:
– Brocade G630, G620, G610, G720, and G730 – On the switch ID pull-out tab located on the bottom of the port side of the switch
– Brocade 7810 – On the pull-out tab on the front left side of the chassis underneath the serial console and Ethernet connection and on the bottom of the switch in a well on the left side underneath (looking from the front)
– Brocade X6-8, X6-4, X7-8, and X7-4 – Lower portion of the chassis on the non-port side beneath the fan assemblies
World Wide Name (WWN)
– When the Virtual Fabric feature is enabled on a switch, each logical switch has a unique switch WWN. Use the wwn command to display the switch WWN.
– If you cannot use the wwn command because the switch is inoperable, you can get the primary WWN from the same place as the serial number.
License Identifier (License ID)
– There is only one license ID associated with a physical switch or director/backbone chassis. This license ID is required as part of the ordering process for new FOS licenses.
– Use the license –show -lid command to display the license ID.
1.2 Related Documentation
White papers, data sheets are available at www.broadcom.com. Product documentation for all supported releases is available on the support portal to registered users. Registered users can also find release notes on the support portal.

Chapter 2: Locate Product Manuals and Release Notes

2.1 Locate Product Manuals onBroadcom.com
Complete the following steps to locate product manuals on the Broadcom website:

1. Go to www.broadcom.com, click Login, and enter your username and password.
2. Enter the product name or the software version number in the Search box. For example, the following search is for software and documentation files for SANnav.
3. The list of documents will be listed under Documentation tab in the search result screen as shown below:

2.2 Locate Product Manuals and Release Notes on the Support Portal
Complete the following steps to locate product manuals on the support portal:

1. Go to support.broadcom.com, click Login, and enter your username and password.
2. If you do not have an account, click Register to set up your account.
3. Select Brocade Storage Networking in the support portal.

ATTENTION Be sure to periodically check for newer versions updates of SANnav Release Notes and User Guide documents.
2.3 Document Feedback
Quality is our first concern and we have made every effort to ensure the accuracy and completeness of this document. If you find an error, omission or think that a topic needs further development, we want to hear from you. You can provide feedback by sending an email to documentation.PDL@broadcom.com. Provide the publication title, publication number, and as much detail as possible, including the topic heading and page number, as well as your suggestions for improvement.

Chapter 3: Release Contents

3.1 Brocade SANnav Global View v2.3.1a Release Overview
NOTE This Release Notes document covers SANnav Global View v2.3.1a. W ithin this document, SANnav
Global View might also be referred to as SANnav or SANnav GV.

• All features supported in SANnav Global View v2.3.1 are also supported in SANnav Global View v2.3.1a.
• There are no new features or RFEs addressed in this SANnav v2.3.1a patch.
• There are no new hardware platforms or blades supported in this SANnav v2.3.1a patch.
• SANnav Global View v2.3.1a is a stand-alone release (full installer patch). This means that SANnav GV can be installed without requiring any other previous version of SANnav GV to be installed. It is also possible to upgrade and migrate to SANnav GV v2.3.1a directly from previous releases of SANnav GV.
• The supported upgrade and migration paths are documented in subsequent sections of this document.

3.2 What’s New in SANnav Global View v2.3.1a

• Resolution of important defect fixes are listed in Chapter 9 of this document.

3.3 What’s New in SANnav Global View v2.3.1
SANnav v2.3.1 is introduced to provide all required functions and features to manage USF and IPS capabilities in a SAN Fabric as well as to introduce incremental enhancements in specific SANnav functional areas.
The USF and IPS related highlights are as follows:

• Hardware support and USF IPS Fabric Inventory
• IPS Inventory (Fabrics, Switches and Switch Ports only)

The non-USF-related highlights are as follows:

• Deployment
• OS Support
• Security enhancements
• User Management enhancements
• Miscellaneous enhancements

3.4 What’s New in SANnav Global View v2.3.0
SANnav v2.3.0 provides new features and feature enhancements that aim at simplifying and automating common and frequent operations.
The following new features or feature enhancements are provided in various functional areas of SANnav:

• Server Platform deployment, Installation, Upgrade, and Migration
• Security and Infrastructure
• SANnav Licensing
• UI/UX and Usability changes: enhanced overall UI/UX usability features in Inventory, Dashboards, and Reporting

Defect fixes included in this release are listed in the defect tables section of this document.
3.5 SANnav Global View Server Platform Support and OS Support
3.5.1 SANnav Global View v2.3.1x OS Support (VM and Bare Metal)
SANnav Global View v2.3.1a was fully qualified and tested with the following versions of RHEL:

• RHEL releases 8.8 and 9.2.

Note that SANnav v2.3.1 is the first release to officially support RHEL 9.x based OS releases, NOTE When installing SANnav on an untested or unqualified OS version, (i.e., 8.2, 8.3, 8.5, 8.6, 8.7, 8.9, 9.3), the installation script displays a warning message indicating that the SANnav Global View installation will proceed on an untested and unqualified OS version. Explicit end user acceptance is required for SANnav Global View installation to proceed. While it may be possible to successfully install SANnav on these OS versions, if an issue(s) occur while using SANnav it may be necessary to upgrade/downgrade to a fully qualified and tested OS version and reproduce the issue(s) to receive support.
The following table shows the various OS types and versions and the associated support in SANnav v2.3. Cells marked with (Blocked) indicate that the SANnav v2.3.1 installation/upgrade will not proceed and exit, while cells marked (Not Blocked) indicate the SANnav v2.3.1 installation/upgrade will proceed with explicit user acceptance that SANnav will run on an untested and unqualified OS Release.

*RHEL 8.10 and 9.4 will be GA sometime in May 2024, after the SANnav v2.3.1a patch is released.
For RHEL OS, the following must be set in the OS on which SANnav Global View server is installed:

• Language = English and Locale = US

Other Languages and Locales are not supported.
3.5.2 Other Installation and Deployment Features
3.5.2.1 SSL Certificate Expiry Notice
Starting with SANnav v2.3.1x, a SANnav Application Event is raised 30 days before the SANnav SSL certificate expires.
After that, and within the 30 days window, an event is sent daily asking the user to replace the current SSL certificates with new ones.
The following SANnav Application Events are raised for SANnav certificates expiration:

• SSMP-SMON-1005 – Warning – 30 to 6 days before expiration.
• SSMP-SMON-1006 – Major – 5 days to 3 days before expiration.
• SSMP-SMON-1007 – Critical – 2 days before expiration.

With SANnav v2.3.1x, the SAN administrator user can generate and replace the current (valid or expired) SSL certificates with a set of new self-signed certificates by running the script $INST_HOME/bin/generate-and-replace- selfsigned-certificates.sh
NOTE It is recommended to use Certificate Authority (CA) signed certificates (instead of self-signed certificates) and install them on the SANnav server for the highest security protection.
3.5.2.2 SANnav File System Permissions Change
With SANnav v2.3.0, all files under SANnav installation directory had Linux permissions 775 (rwx-rwx-r-x).
With SANnav v2.3.1, all files and folders under the SANnav installation directory now belong to UID/GID sannavmgr (UID/GID 56900) with file permissions set to 770 (rwx-rwx—-) as shown in one folder example below: drwxrwx— 2 sannavmgr sannavmgr 4096 Oct 16 19:18 templates
3.5.2.3 Stop and Start SANnav with Operating System
With SANnav v2.3.1x, when an administrator performs a graceful reboot of the OS on the machine where SANnav server is running, the SANnav application will be gracefully stopped and restarted properly after the OS reboots successfully.
3.5.2.4 Host Time Zone Check
SANnav needs a valid Time Zone set in operating system to operate properly. Starting SANnav v2.3.1x if the time zone settings are deleted accidentally, the SANnav server will not start.
An error message will be shown asking the administrator to set the time zone using the command timedatectl settimzone
3.5.3 FIPS-140 Enabled OS
SANnav GV v2.3.1x is supported on FIPS-140 enabled RHEL (VM or bare metal). Please refer to RHEL specific OS version for the exact command(s) to enable FIPS mode.
Note that SANnav itself is not FIPS-140 certified. SANnav v2.3.1x may be installed and run on an officially supported RHEL version with FIPS-140 enabled.

• On bare metal and VM deployments, FIPS-140 mode may be enabled prior to installing SANnav
• It is possible to enable FIPS after running SANnav in non FIPS-140 enabled OS by stopping the SANnav server, enabling FIPS-140 mode at the OS level, then starting the SANnav server again.

3.5.4 SE Linux Support
SANnav Global View v2.3.1x is not supported on Security Enhanced versions of Linux (SE Linux) in Enforcing or Permissive mode on either Rocky or RHEL. The only SE Linux mode supported is Disabled.
If SE Linux is found to be enabled (either Enforcing or Permissive) during SANnav installation, the installation script will stop and exit. Enabling SE Linux post SANnav installation is not supported as mentioned above.
Contact Brocade Technical Support for more information and details on SE Linux support.
3.6 Summary of New and/or Enhanced Software Features
3.6.1 Security and Infrastructure
3.6.1.1 Installation and Upgrade/Migration as sudo

• Prior to SANnav v2.3.x, only the root user could install and manage the SANnav server. sudo privileged users could not install/upgrade/run/manage SANnav server.
• With SANnav v2.3.x, users with sudo privileges can now install and manage SANnav server (in addition to the root user).
• sudo privileged users can install and manage SANnav server by prefixing the script execution with sudo (sudo ./install-sannav.sh).
• After installing SANnav v2.3.x, additional sudo users may be added to manage SANnav by executing the script adduser-to-sannavmgr-group.sh (script can be executed by sudo user).

NOTE The user to be added must have sudo privilege already. This script simply adds that user to the list of users that can manage/run SANnav.
3.6.1.2 Running SANnav Containers with no root or sudo Privileges

• With SANnav v2.3.x docker containers will run as a new user sannavmgr with UID/GID 56900. This new user does not require sudo privileges.
  – User sannavmgr cannot be used for remote SSH login to the SANnav server (for security reasons)

• During SANnav v2.3.x installation or upgrade/migration, this user sannavmgr with UID/GID 56900 will be created.
  Make sure it is available prior to starting SANnav v2.3.1 first time installation.

ATTENTION UIDs 56900 is not configurable in SANnav v2.3.x. If UID and GID 56900 is occupied by another
user on the SANnav host, the installation or upgrade will fail.
3.6.1.3 Important OS Level Customization for User sannavmgr (UID 56900)

• SANnav server needs ports lower than 1024 for running some of its services.
• Due to this, Linux ip_unprivileged_port_start parameter is set to 0 to allow sannavmgr to run services on ports lower than 1024.

3.6.1.4 Change SANnav Server Security Password
With SANnav v2.3.x, it is now possible to change the SANnav password post installation.
SANnav Server Security password is used to encrypt SSL private key and to secure Kafka Keystore and Kafka truststore.
Prior to SANnav 2.3.x, this SANnav Server Security password cannot be changed post SANnav installation or upgrade.
With SANnav v2.3.x, this password can be changed by an authorized user after installation or upgrade completes. Invoke the SANnav console script manage- sannav-configurations.sh.

• This script has been renamed to manage-sannav-configurations.sh in SANnav v2.3.x from sannavmanagement-console.sh in previous releases.

3.6.1.5 Nested LDAP Groups

• With SANnav v2.3.x, it is now possible to fetch SANnav Group names (Authentication Groups) even if they defined them in a nested fashion. This was not possible with SANnav releases prior to SANnav v2.3.x.
• To fetch the complete hierarchy, the user can import the nested hierarchy from the topmost outer group.

3.6.1.6 MFA and SSO Support with SAML Compliant Protocol
SANnav v2.3.x now supports SAML 2.0 integration with various Identity Providers (IdP). SANnav v2.3.0 should work seamlessly with any IdP complying with SAML 2.0 REST specifications.
SANnav v2.3.0 has been specifically tested and validated with the following SAML 2.0 Identity Providers:

• Okta
• Microsoft Azure
• Microsoft ADFS
• Keycloak

3.6.2 User Management Enhancements
3.6.2.1 Email Addresses to External Authentication Users
When an external Authentication (LDAP, RADIUS, SAML2.0) is used, the user accounts are automatically created upon successful login for the first time in SANnav.
Prior to SANnav v2.3.1x, these accounts were not editable to add email addresses. This prevented these external users from receiving event notifications via email.
SANnav 2.3.1 now enables the fields Tags, Description, Email and Phone number Fields to be configured and used to forward event notifications and reports by email to those external users.
In addition, any external user may configure their own personal information (including email) under User Preferences > Personal Info UI form.
3.6.2.2 User Deletion Behavior Change
When a user is deleted from the SANnav database, the Filters that were associated with that user will be associated with the default System user.
Any other user can then save these System filters (Save As …) to retain them or delete them if no longer needed.
3.6.3 Miscellaneous Enhancements
3.6.3.1 SANnav Backup Policy and Auto Purge/Delete of SANnav Backups
A New Policy to delete/purge SANnav scheduled backups (currently on demand) is provided in SANnav v2.3.1x.Options to retain scheduled backups for 5, 10 or 15 days before purging them is provided.
This new purge schedule applies only to scheduled backups and not manually or on-demand taken backups. Those are excluded from the new purge schedule and is the reason why after migration the previous unwanted backups must be removed manually.
The time at which the backup is purged depends on the time at which it was scheduled to be taken with a possible buffer of 30 minutes. For example, if a backup was generated previously by the schedule at 3:00 PM and the purging is scheduled in five days, then the backup will get purged in five days at either 3:00 PM or 3:30 PM. This buffer is randomly added to avoid SANnav having to run all tasks at the same time.
SANnav v2.3.1x backup files will now be assigned to user (UID) sannavmgr and group (GID) sannavmgr (as opposed to root in previous releases) with Linux permissions 770 (rwxrwx—).
NOTE The backup files taken prior to SANnav v2.3.1x are upgraded and migrated however, their file permissions are left as is (that is, owned by root). It is the user’s responsibility to manually delete these backup files if they are no longer needed.
3.6.3.2 SANnav Support Save Simplification
SANnav Support Data collection provided several options when taking a Partial SANnav Support Data Capture (SSDC) (SANnav supportsave) prior to SANnav v2.3.1x.
With SANnav v2.3.1x, users will be able to select either Full or Partial SSDC for one day from the UI. All other options have been removed. Users will not have the option to select anything if taking the SSDC from the SANnav CLI console.
3.6.3.2.1 Inclusion of Summary Info in SANnav Support Data Collection (SSDC)
SANnav Support Data will include a summary file for quick and easy debugging by the support team. The name of this summary file will have information embedded in it as shown below: