Skip to main content

We've Moved!

Product Documentation has moved to docs.hitachivantara.com
Hitachi Vantara Knowledge

Use the Ops Center Portal

The Ops Center portal is a single point of access for Ops Center products. You can add data centers, configure portal password security, limit access to groups of users, and manage licenses for Ops Center products.

Launching Ops Center products

All Ops Center users have access to the portal.

Before you begin

You must apply Hitachi Ops Center product licenses before use.

Procedure

  1. Log in to the Ops Center portal.

  2. Click on the Inventory tab.

  3. In the Inventory window, find the product instance you want to launch.

  4. Click the link for the application.

    The product main window opens.

Product status

Products in the Inventory tab have a status field that normally indicates Ready. The other indicators are:
  • Unknown: the product is inaccessible because the URL cannot be reached.
  • Configuration problem: there is a problem with the SSO configuration. For example, the trust relationship has been reset.
  • License not activated: the product license has not been applied.
  • License warning: the product license has a problem, such as an expiration or the licensed capacity has been exceeded.
  • Ready (login required): the product does not support SSO, so you must log in manually.

When you click Filter, you can choose to display all products with the selected Status.

Applying Ops Center product licenses

You must apply Hitachi Ops Center product licenses before use.
  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. In the Inventory window, find products with a status of License Not Activated or License Warning.

  3. Click the status link to access the License window for the product.

  4. Apply the license, and then verify that the status has changed to Ready.

Configuring Ops Center Active Directory settings

You can add a directory service and configure authentication for the Ops Center portal so that AD groups can access portal functions and products with a single sign-in.

Before you begin

NoteWhenever you make changes to existing Active Directory settings, be sure and do the following:
  • Click Sync groups to apply the changes to Active Directory groups configured in Ops Center.
  • Click Test connection and Test authentication.
If any errors are reported, confirm your changes are valid.

Procedure

  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click the Settings (gear) icon in the upper right corner and select User federation.

  3. Click the + (plus) icon.

    The Add user directory service window opens.
  4. Enter a name for the service.

  5. Although it is not used at this time, you must enter a value for Priority.

  6. Select the Authentication protocol.

    If you choose Kerberos, choose the Realm name from the displayed list.
  7. Enter the Connection URL (for example: ldap://ldap.example.com) and click Test connection.

    NoteSpecify the same hostname as the CN or SANs in the Active Directory server certificate.
  8. Enter the BIND user DN (for example: CN=bind-user,OU=foo,OU=bar,DC=example,DC=com) and the password and click Test authentication.

    NoteThe BIND User DN only requires read permissions (not admin or modify).
  9. Enter the Base DN (for example: OU=foo,OU=bar,DC=example,DC=com).

  10. By default, the Add all users under Base DN to opscenter-users group option is disabled. This means that only members of groups (next step) are allowed to log in to the portal. If you enable this option, all users under the Base DN are assigned to the opscenter-users group and can also log in.

  11. Provide entries for the Group entry list. For example, if you created AD groups named sanadmin and sanoperator, you can eventually assign roles and permissions appropriate to each group:

    "CN=sanadmin,CN=Users,DC=home,DC=us"
    "CN=sanoperator,CN=Users,DC=home,DC=us"
    Click +Add Group DN to add entries.
    NoteThe group DN must be included in the subtree of the DN specified in the Base DN.
  12. Click Submit when your settings are complete.

Results

Note
  • The Active Directory entries are added to Manage users Groups and are displayed with the DN designation.
  • AD users are not visible under Manage users Users and cannot be added to local (non-AD) groups.

Next steps

  • By default, AD group users are assigned the opscenter-user role, which allows them to log in to the Ops Center portal and access the Inventory tab, but not launch Ops Center products. If you want to assign a role to an AD group that will allow users access to administrative functions outside the Inventory tab and log in to all Ops Center products with full admin privileges, you can assign the opscenter-administrator role. See Assigning portal-level roles to Ops Center groups for more information.
  • To assign product-level roles to an AD group that will permit members to access individual Ops Center products, refer to Assigning product-level roles from the Ops Center portal for more information.
  • Confirm the Active Directory entries appear in Manage users Groups.
  • Ensure Active Directory users can log in. AD users must log in using the sAMAccoutName (no domain).

Setting up Kerberos authentication for Ops Center

You can configure Kerberos authentication for the Ops Center directory service.
NoteWhenever you make changes to Kerberos authentication, be sure to retest the authentication for the Directory service (in the User federation tab).

Procedure

  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click the Settings (gear) icon in the upper right corner and select User federation.

  3. Click Kerberos connection settings.

  4. To use DNS instead of KDC to look up the Kerberos server, enable DNS lookup KDC.

  5. Use Clock skew to control the maximum time difference between the system clocks on the Ops Center server and the Kerberos server (default: 300 seconds). When this value is exceeded, an authentication error occurs.

  6. Enter the Realm name that identifies the Kerberos domain. The Realm name is case-sensitive and must match the name on the Kerberos server. Although the realm can be any ASCII string, the convention is to make it the same as your domain name in upper-case letters (EXAMPLE.COM).

  7. If you are not using DNS, click +Add KDC to provide a list of Kerberos KDC server entries.

  8. Click Submit when your settings are complete.

Adding data centers

You can add information for data centers associated with Ops Center products.

  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click the Data Centers tab at the top of the screen.

  3. In the Data centers window, click the plus (+) icon.

  4. Provide the following information:

    • Name: Name of the data center
    • Description: Optional site description
    • Management products: Select the Ops Center product associated with the data center.
    • City: Select the city where the data center is located. This will create a clickable site on the world map.
    • Location: If the location is not listed, you can enter a Latitude and Longitude. You can also place the cursor and double-click a spot on the world map to set an approximate location.
    TipWhen you select the city from the drop-down list, the Latitude and Longitude are set automatically.
  5. Click Submit or Submit and add another data center to save the settings.

Ops Center roles (privileges)

Rather than use a single sysadmin account to administer Ops Center, you can assign local users to a group that has administrative privileges. For Active Directory users, you can assign appropriate roles to the group. For local users only, the built-in opscenter-administrators group grants full administrative privileges.

There are two types of roles (also known as privileges):

  • Portal-level: global roles that control access to functions within the Ops Center portal. The opscenter-user role allows users to log in to the Ops Center portal and access the Inventory tab. The opscenter-administrator role allows users to access all the portal tabs and create local users, add groups, and assign roles (even at the product-level). This role should not be assigned lightly.
  • Product-level: roles specific to each product. For example, Administrator has roles called StorageAdministrator, SystemAdministrator, and SecurityAdministrator that control access to different functions in the Administrator UI. Members of the local opscenter-administrators group have default roles assigned that allow access to all Ops Center products.

Assigning portal-level roles to Ops Center groups

As an alternative to using the built-in local opscenter-administrators group, you can assign portal-level roles to local and Active Directory groups.

Before you begin

NoteLocal users are automatically members of the opscenter-users group. By default, Active Directory users who are under the Base DN but not members a group are not allowed to log in to the portal. (This is controlled by the Add all users under Base DN to opscenter-users group option described in Configuring Ops Center Active Directory settings.) Instead, only AD group users are allowed to log in (because they are assigned the opscenter-user role).

Procedure

  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click on the Manage users tab and select Groups from the Asset type list.

  3. In the Groups window, find the entry for the group and click the role (profile with star) icon.

    You can can assign the following roles:
    • opscenter-system-administrator

      Manage portal users, groups, product registration, user federation (Active Directory/LDAP), and access all admin functions within the component products.

    • opscenter-security-administrator

      Similar to the system-administrator role, except that it does not grant full access to admin functions within the component products. Instead, this role grants access to the Access product-level roles link in the Inventory tab. This controls the mapping of component-level roles to the roles defined in the Ops Center portal. For example, a member of a group with the opscenter-security-administrator role connecting to Automator will only see the Administration tab with Resources and Permissions; none of the other Administration categories (or other dashboard tabs) are visible.

  4. From the Available roles list, select the role you want to assign and click the left arrow. To remove a role from a group, select the role from the Assigned roles list and click the right arrow.

  5. When you are finished, click in the upper left corner of the window to return to the list of groups.

Assigning product-level roles from the Ops Center portal

Because each Ops Center product includes a unique set of roles or permissions that determine what users can do within each product UI, the portal provides a direct link to access these roles and associate them with groups.

To simplify the process of assigning roles associated with each product, the Ops Center portal includes links for each entry in the Inventory tab. The Access product-level roles link takes you directly to the product screen where roles are assigned or access to resources is configured. Where applicable, defaults are pre-assigned to members of the opscenter-administrators group (local only). You can also use this link to assign product-level roles to local and AD groups.

NoteOps Center includes a special role, opscenter-security-administrator, that gives a user or group access to the Access product-level roles link (without access to any other admin functions). Refer to Assigning portal-level roles to Ops Center groups for details.
Ops Center Product Destination of "Access product-level role" link Default roles assigned to opscenter-administrators group
Administrator Dashboard Security Settings StorageAdministrator, SystemAdministrator, SecurityAdministrator
Analyzer Administration User Group Management User Groups and Permissions Admin, Modify, StorageOps
Analyzer viewpoint Configuration Users Admin
Automator The link opens the Administration tab. Select User Groups under Resources and Permissions. Admin, plus access to all service groups
Protector Dashboard Access Control Protector Admin (assigned under ACP Association "opscenter Administrators")

Procedure

  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Open the Inventory tab.

  3. Click the Access product-level roles link for the product.

  4. Refer to the procedures that follow for the product you have selected.

For Administrator

  1. In the Ops Center Security Management screen, enter the group name and select it.

  2. Select the permissions to be assigned and click Submit.

For Analyzer

  1. In the Administration screen, click on User Groups and Permissions under User Group Management.

  2. Select the group name and click Edit Permission Mapping.

  3. In the "Edit User Groups" section, select all permissions and click OK.

For Automator

  1. In the Administration screen, click on User Groups under Resources and Permissions.

  2. Select the group and click Assign under "Service Groups."

  3. Select "All Service Groups" and then click Add to move it to "Assigned Service Groups."

  4. Change the Role from Submit to Admin and click OK.

For Protector

Instead of assigning a role to a group, you must create an association that connects a group with a profile (that has a defined role and access to resources).

  1. In the Access Control screen, click Manage ACP Associations.

  2. Click the plus (+) icon.

  3. Enter a name for the association and click Next.

  4. Select Group, and then select "opscenter" from the Space list.

  5. Click Browse and select the Group Name.

  6. Click Next.

  7. Click a profile under "Available Profiles" to add it to "Selected Profiles."

  8. Click Finish.

Changing your Ops Center login info and password

Users can change their own account information and password.

Non-admin users do not have access to the Manage users tab. Instead, they can change their login information and password using the Profile menu.

Procedure

  1. Click the user icon at the upper-right corner and select Profile.

  2. Choose Account or Password and click Submit after making your changes.

Controlling local (non-AD) portal access

In Hitachi Ops Center, you can configure the security settings that are applied when a local user logs in.

You can control access to the portal with the following settings:

  • Password requirements
  • Account lock settings
  • User groups
  • Login banner

Changing the password policy

You can set restrictions (such as password length and valid characters) on the passwords for login accounts.
  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click on the Settings (gear) icon in the upper right corner and select Password Policy.

    The following table describes the password controls. We recommend changing the default values to be more restrictive.

    Item

    Description Default value

    Minimum length

    Minimum length of a password (1-256).

    4

    Uppercase characters

    Minimum number of uppercase alphabetic characters (0-256).

    0

    Lowercase characters

    Minimum number of lowercase alphabetic characters (0-256).

    0

    Digits

    Minimum number of numeric characters (0-256).

    0

    Special characters

    Minimum number of symbols (0-256).

    The following symbols can be used: !, #, $, %, &, ', (, ), *, +, -, ., =, @, \, ^, _, |

    0

    Brute force prevention

    Limits the number of unsuccessful login attempts (to prevent so-called brute force attacks). Click Enable and enter a Max Login Failures value to specify the number of login attempts permitted before an account is automatically locked (1-256).

    Disabled

  3. Click Submit when your changes are complete.

Assigning privileges to local (non-AD) Ops Center users

You can assign administrative privileges by adding local users to the opscenter-administrators group.

NoteThis procedure is for accounts created locally in the Ops Center portal and does not apply to Active Directory users.

The following default groups are available:

  • opscenter-users

    The default group assigned to users that grants access to the Ops Center portal. These users can launch products, but they cannot view other users or groups, add products, or change portal settings.

  • opscenter-administrators

    Members of the this group can access all portal management functions in the Ops Center, including managing users, groups, or products, and changing portal settings.

You can also assign special privileges (roles) to a group that you have created. Refer to Assigning portal-level roles to Ops Center groups for details.

Procedure

  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click on the Manage users tab and select Users from the Asset type list.

  3. Click the GUID-07455789-0AFC-4330-9C33-DC75A42B6051-low.png icon for the user account. (Use the search box if the user account is not visible.)

    The group selection window appears.
  4. From the Available Groups list, select the group you want to assign and click the left arrow. To remove a user from a group, select the group from the Group Membership list and click the right arrow.

  5. When you are finished, click in the upper left corner of the window to return to the list of users.

Enabling or disabling login accounts

You can disable accounts to prevent them from being used and enable accounts that have been locked.
  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click on the Manage users tab and select Users from the Asset type list.

  3. Locate the user account that you want to enable or disable in the Users window and click the Edit User icon.

  4. Click Disable or Enable, and then click Submit.

Adding a login warning banner for the Ops Center Portal

You can add a warning banner to display information about system access on the portal login page.
  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click on the Settings icon and select Warning banner.

  3. You can customize the default message or compose your own. Click Submit when your changes are complete.

Managing local (non-AD) users and groups

You can create and manage local (non-AD) Ops Center accounts and groups.

Creating and editing Ops Center user accounts

You can create user accounts in Hitachi Ops Center.
  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click on the Manage users tab and select Users from the Asset type list.

    To change a user account, locate the entry and click the edit (pencil) icon. You can view the details of an account by clicking on the name.
  3. In the Users window, click +.

  4. Provide the account information and click Submit.

    The Change password screen opens.
  5. Enter a password, confirm it, and click Submit

Changing a user password

You can change the passwords for Ops Center portal users.
NoteUsers can change their own passwords by clicking the User icon in the upper-right corner and selecting Profile Password.

Procedure

  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click on the Manage users tab and select Users from the Asset type list.

  3. In the Users window, locate the entry and click the Change password icon (lock) associated with the user account.

  4. Enter the new password, confirm it, and then click Submit.

Adding Ops Center groups

You can create groups of Hitachi Ops Center users.
NoteThere are two built-in groups that control access to portal functions: opscenter-users and opscenter-administrators. See Assigning privileges to local (non-AD) Ops Center users for details.

Procedure

  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.

  2. Click on the Manage users tab and select Groups from the Asset type list.

    To change the group name or description, click the edit (pencil) icon. You can view the details of a group by clicking on the name.
  3. In the Groups window, click +.

  4. Provide a name and description, and then click Submit or Submit and add another group.

  5. You can assign roles to a group by clicking the role (star) icon.

    All groups are automatically assigned the opscenter-user role. You can also can also assign opscenter-system-administrator or opscenter-security-administrator roles. Refer to Assigning portal-level roles to Ops Center groups for details.

 

  • Was this article helpful?