Reference
This section contains information about troubleshooting, information on using the command-line interface, and information on using the REST API.
Troubleshooting
| Issue | Description/Resolution |
|
The event log contains instances of event id 6007 with this message: Service service-name health check against HTTP /health port cannot succeed because it is on a different network than service Cluster-Worker. Health check ignored to prevent service interruption. |
Your system uses both internal and external networks, but the service specified by the event is on a different network type from the Cluster-Worker service. Because of this, the system cannot perform an additional health verification on the specified service. You can ignore this event. The additional health verification is not required and does not affect the other health verifications used to display the service status on the Monitoring > Services page in the System Management application. |
| The MAPI Gateway service becomes unresponsive. |
If you're working with a storage component that is configured with multiple retries and long timeouts, and if the endpoint for the storage component is unreachable, and if as a result you send multiple verification or activation requests to the endpoint, the MAPI Gateway service can become unresponsive. If the MAPI Gateway service becomes unresponsive, use the System Management application Services function Repair on it. |
Users can't write to storage components, objects read from storage components are encrypted, and you receive the critical alert Failed to connect to KMS server. |
The Key Management System service is down. The service should restart automatically. When it restarts, log in to HCP for cloud scale on port 8200 and provide a quorum of unseal keys. |
You receive a warning that the bucket mirroring transfer queue ( |
Reconfigure the external source:
|
CLI reference
An administrative CLI is provided for system management. This interface lets you perform all tasks relating to system setup and configuration. Any administrative activity that you can perform in the Admin App or REST API can be performed through the CLI. You can avoid using an internet connection or a browser.
Your system can also include additional, product-specific CLI tools.
Accessing the CLI tools on a system instance
You can access the CLI tools from any instance
Procedure
-
Log in directly to or use SSH to log in to a system instance.
-
Navigate to the CLI tool:
cd <installation-folder>/cli/ -
Navigate to the folder for the CLI tool you want. For example:
cd admin
Installing CLI tools on your computer
You can install your system's CLI tools on a Linux computer.
To install the CLI tools, you must have version 1.8 of the Java Runtime Environment (JRE) installed.
Your system's CLI tools are distributed in .tgz files along with the software installation package.
Procedure
-
Store the .tgz file in a folder on your computer.
-
Unpack the file:
tar zxvf filename
Syntax
The CLI tools have this syntax:
<tool-name> [options] [command] [command-specific-options]
-c, --command <command|category>
Specifies the command you want to run. When used with the --help option, displays information about the specified command.
You can also use this option to specify a category of commands when using the --help option. Doing this displays information about all commands within the specified category.
-d, --model-definition <name>
Returns information about the specified request model.
--debug
Includes verbose debug output for troubleshooting purposes.
-h, --help <all>
Displays help information. If you specify the all argument, displays information an all commands. If you specify the --help option, displays information about commands in the specified category.
-k, --check-ssl-cert <true|false>
Whether to enable SSL security verification. When false, insecure connections are allowed.
-m, --model-schema <ModelName>
Returns the JSON-formatted schema for the specified request model.
-p, --password <password>
Password for the specified user account.
--port
The port for the system application that supports the CLI tool.
-r, --realm <realm>
Security realm where your user account is defined.
-s, --server <server>
The hostname or IP address of a system instance.
-u, --username <username>
Username for an account that has permission to access system.
-V, --version
Displays the CLI version.
Viewing available commands
- To view all available commands, run:
<cli-tool-name> --help all - To view all command categories, run:
<cli-tool-name> --help - To view all commands within a category, run:
<cli-tool-name> --help -c <category>For example:
admincli --help -c instances - To view all information about a single command, run:
<cli-tool-name> --help -c <command>For example:
admincli --help -c listInstances
Viewing request models
Some commands need a JSON-formatted request body along with the command. The command's request model determines how you need to format the request body.
The help command for an individual command indicates what request model it needs.
For example, this help command output indicates that a command to update a service needs a ServiceUpdateModel request:
# ./admincli -c updateServiceConfig -h usage: updateServiceConfig Name: updateServiceConfig Description: Configure service instances Added: 1.0 Usage: admincli -c updateServiceConfig <options> Options: --service-update-model <ServiceUpdateModel> File containing JSON text representing a ServiceUpdateModel for the command updateServiceConfig. Use the -m and -d options to retrieve information on request and response models.
To view detailed information about the contents of a request model, run:
<cli-tool-name> -d <ModelName>
For example:
admincli -d ServiceUpdateModelTo view the JSON format for the request model, run:
<cli-tool-name> -m <ModelName>Editing configuration preferences
You can use the CLI tool's .conf file to specify settings to use every time you run a CLI command.
The CLI configuration file has this format:
{
"defaultSettings": {
"checkSSLCert": "[false|true]",(optional)
"server": "<hostname>",(optional)
"realm": "[local|<security-realm-name>]",(optional)
"username": "<your-username>",(optional)
"password": "<your-password>" (optional)
}
}
For example, with the following configuration, all commands:
- Are run against the
system.example.comsystem - Verify the SSL certificate for the system before connecting
- Uses the
exampleUsersEastsecurity realm to authenticate the specified username and password
{
"defaultSettings": {
"checkSSLCert": "true",
"server": "system.example.com",
"realm": "exampleUsersEast"
}
}
You can configure CLI preference by editing the existing .conf files in the CLI installation folder.
The options you specify explicitly in a CLI command override the options specified in the .conf file.
System error responses
If a CLI request reaches the system and the system returns an error, the CLI response contains:
- An HTTP status code
- Conditionally, a product-specific error code
- A JSON-formatted error response body
This table describes the typical reasons why these HTTP status codes are returned.
| Status code | Meaning | Description |
| 400 | Bad Request |
The request body contains one or more of these:
If the request includes a UUID, the UUID might be incorrectly formatted. |
| 401 | Unauthorized | The provided credentials are incorrect. |
| 403 | Forbidden | You do not have permission to perform the request. |
| 404 | No Found | The resource you are trying to retrieve or edit cannot be found. |
| 409 | Conflict | The resource you are trying to create already exists. |
| 500 | Internal Server Error | The system experienced an error. |
| 599 | Network Connection Timeout Error | The CLI request timed out while trying to connect to the system or one of its instances. |
Some CLI requests return product-specific error codes in addition to an HTTP status code. These error codes are listed in the errorCodes field in the JSON response body. This table describes these error codes.
| Status code | Description |
| 4000 | SSL certificate not trusted. |
Error response bodies have this format:
{
"statusCode": <HTTP-status-code>,
"errorCode": <product-specific-error-code>,
"errorMessage": <message>,
"errorProperties": [
{
"name": <error-property>,
"message": <error-property-message>
}
]
}
REST API reference
HCP for cloud scale includes a RESTful API that you can use for writing scripts that manage the system. Anything you can do in either the Object Storage Management application or the System Management application you can also do using their REST APIs.
For information specific to the Object Storage Management management API, see the Management API Reference or the Swagger information available from within that application. For information specific to the System Management API, see the Swagger information available from within that application.
Getting started with the management APIs
HCP for cloud scale includes RESTful HTTP management application programming interfaces (MAPIs) for the Object Storage Management application and the System Management application. These MAPIs are separate and use separate ports.
You can execute all functions supported in the System Management application using MAPI methods. The System Management methods are served by the Admin service from any HCP for cloud scale node.
All URLs for the System Management MAPI methods have the following base, or root, uniform resource identifier (URI):
https://hcpcs_cluster:8000/api/admin/
The System Management MAPI is described in Swagger, available from the System Management user interface. Those methods are not described in this document.
You can execute all functions supported in the Object Storage Management application and the S3 Console application using MAPI methods. The Object Storage Management management API (MAPI) supports management of the following:
- Storage components and Amazon Simple Storage Service (Amazon S3) settings
- Storage component encryption
- KMIP (Key Management Interoperability Protocol) servers
- Administrative resources such as serial numbers and system events
- User resources such as S3 user credentials and OAuth tokens
- Public information such as available public ports
The Object Storage Management MAPI methods are served by the MAPI Gateway service from any HCP for cloud scale node.
All URLs for the Object Storage Management MAPI methods have the following base, or root, uniform resource identifier (URI):
https://hcpcs_cluster:9099/mapi/v1/
The Object Storage Management MAPI is described in the Management API Reference. It is also described in Swagger, available from the Object Storage Management user interface.
Input and output formats
The API accepts and returns JSON.
The REST API accepts and returns JavaScript Object Notation (JSON). It does not support HTTPS 1.0 requests; all HTTPS 1.0 requests are denied. When the body of the request has contents, the MAPI accepts and returns JSON; when the body is empty, JSON format is unnecessary.
Access and authentication
To use the Object Storage Management or System Management MAPIs, you need a user account that has permission to perform the actions you want.
After you have a user account, you must request an authentication token from the system. To do this, you send an HTTP POST request to the method /auth/oauth.
When you generate a new access token, a refresh token also gets generated automatically.
Here's an example using the cURL command-line tool:
curl -ik -X POST https://mysystem.example.com:8000/auth/oauth/ \
-d grant_type=password \
-d username=user1 \
-d password=password1 \
-d scope=* \
-d client_secret=my-secret \
-d client_id=my-client \
-d realm=marketingUsers
In response to this request, you receive a JSON response body containing an access_token field. The value for this field is the token. For example:
{
"access_token": "eyJr287bjle..."
"expires_in": 7200
}
- To get a list of security realms for the system, send an HTTP GET request to the method
/setup. For example, to do this with cURL:curl -k -X GET --header 'Accept: application/json' \ 'https://mysystem.example.com:8000/api/admin/setup' - To get an access token for the local admin user account, you can omit the realm option for the request, or specify a realm value of Local.
You must specify the access token as part of all REST API requests that you make. You do this by submitting an Authorization header along with the request. Here's an example that uses cURL:
curl -X GET --header "Accept:application/json" \
https://mysystem.example.com:8000/api/admin/instances \
--header "Authorization: Bearer eyJr287bjle..."
You can use the MAPI to change the system's password using the following cURL commands, where $1=server_name, $2=current_password, and $3=new_password:
TOKEN=$(curl -ik -X POST https://$1.mysystem.com:8000/auth/oauth/ \
-d grant_type=password -d username=admin -d password=$2 \
-d scope=* -d client_secret=client-secret -d client_id=client-id \
-d realm=local 2>&1 | grep access_token | awk -F: '{print $2}' \
| awk -F\" '{print $2}')
curl -v -X POST --header 'Content-Type: application/json' \
--header "Authorization: Bearer $TOKEN" \
https://$1.mysystem.com:8000/api/admin/setup/password \
-d '{"password": "'"$3"'"}'
Viewing and using MAPI methods
Your system includes web-based documentation pages where you can view the MAPI methods for both the Object Storage Management and System Management applications, including the request bodies, request URLs, response bodies, and return codes for each. You can also use these pages to run each MAPI method.
You can use the MAPI documentation pages to experiment with the MAPI. Any requests you submit on the page take effect on the system.
To use the MAPI page to run a method:
Procedure
-
In either the Object Storage Management App or the System Management App, select the user profile icon, in the upper right portion of the page.
-
Select:
- In the Object Storage Management App, select REST API.
- In the System Management App, select REST API - Admin.
-
Expand the category containing the method you want.
-
Select the row for the method you want.
-
To use an Object Storage Management method, enter the XSRF token in the field X-XSRF-TOKEN Header.
-
If the method you want needs a UUID:
-
Select the row for the
GETmethod for the resource type that you want. -
Click Try it out.
-
In the JSON response body, copy the value in the field
uuidfor the resource that you want.
-
-
If the method you want needs a request body:
-
In the section Parameters, under Model Schema, click inside the JSON text box.
The JSON text is added to the field Value.
-
Edit the JSON in the field Value as needed.
NoteSome methods might need other information in addition to or instead of UUIDs or JSON-formatted text. Some methods need particular string values or need you to browse for and select a file to upload.
-
-
Click Execute.
The method is executed and the results appear in the section Responses.
HTTP status response codes
When an HTTP request is sent to a server, the server sends back an HTTP response message. The HTTP response message consists of an HTTP header and, optionally, a message body. The response header contains an HTTP status code that gives the status of the request.
When an API request fails, the API returns:
- An HTTP status code
- Conditionally, a system-specific error code
- A JSON-formatted error response body
The following table contains a list of HTTP status codes, their descriptions, and the types of HTTP requests that can generate each status code.
| Status code | Meaning | Description | Methods |
| 200 | OK | The request was executed successfully. |
PATCH POST |
| 400 | Bad Request | The request body contains one or more of these:
|
PATCH POST |
| 401 | Unauthorized | Your access is not authorized. Possible reasons:
|
PATCH POST |
| 403 | Forbidden | You do not have permission to perform the request. |
PATCH POST |
| 404 | Not Found | The resource you are trying to retrieve, edit, or delete cannot be found. |
PATCH POST |
| 405 | Method Not Allowed | A request was made using a request method not supported by that resource; for example, using GET with a form that needs data to be presented using POST. |
PATCH POST |
| 409 | Conflict | The resource you are trying to create already exists. |
POST |
| 500 | Internal Server Error | The system experienced an error. | |
| 501 | Unimplemented | An API was invoked that HCP for cloud scale doesn't support. |
PATCH POST |
| 503 | Service Unavailable | The service is not available. Possible reasons:
|
POST |
Some API requests return system-specific error codes in addition to an HTTP status code. These error codes are listed in the errorCodes field in the JSON response body. This table describes these error codes.
| Status code | Description |
| 4000 | SSL certificate not trusted. |
REST API error responses have this format:
{
"statusCode": <HTTP-status-code>,
"errorCode": <system-specific-error-code>,
"errorMessage": <message>,
"errorProperties": [
{
"name": <error-property>,
"message": <error-property-message>
}
]
}
Configuring and deploying the Pulse vADC load balancer
This information is intended to help users configure and deploy the Pulse Secure vADC load balancer software to communicate with HCP for cloud scale services.
For more information about Pulse Secure vADC, visit Getting Started with Pulse vADC or the Pulse Secure Virtual Traffic Manager: User’s Guide.
Log in and install the license key
-
Log in to Pulse Secure vADC.
-
Download the license key, using the password provided to you by your Hitachi Vantara representative to access it.
-
On the Install a License Key page, click Choose File and select the downloaded license key.
-
Click Install Key.
Configure the network settings
-
Services > Traffic IP Groups > Traffic IP Networks > Network Settings > Traffic IP Network Settings > Add Network: Your system's subnet IP address
-
Click Update.
-
System > Networking > Networking Summary: Find your subnet IP listed in the table and note its associated interface value.
-
Services > Traffic IP Groups > Traffic IP Networks > Network Settings > Traffic IP Network Settings > Default interface: Your system's interface value noted from above
-
Click Update.
Create a traffic IP group
-
Services > Traffic IP Groups > Create a New Traffic IP Group:
-
Name: Client Network
-
Traffic Managers: Add
-
IP Addresses: ip_address
-
IP Mode: Raise each address on a single machine (Single-Hosted mode)
-
-
Click Create Traffic IP Group.
Add the Management Services
-
Create a new pool.
Services > Pools:
-
Pool Name: HCPCS Management Services
-
Pool Type: Static
-
Nodes: ip_address:8000, …, ip_address:8000
-
Monitor: Ping
-
Click Create Pool. Your new pool appears under the Pools tab.
-
-
Configure the new pool.
-
Services > Pools > HCPCS Management Services > Load Balancing > Algorithm: Least Connections
-
Click Update.
-
Services > Pools > HCPCS Management Services > SSL Settings > ssl_encrypt: Yes
-
Click Update.
-
-
Create a virtual server.
-
Services > Virtual Servers > Create a new Virtual Server:
- Virtual Server Name: HCPCS Management Services
- Protocol: HTTP
- Port: 8000
- Default Traffic Pool: HCPCS Management Services
NoteThis value will only appear if a new pool has been created.
-
Click Create Virtual Server. Your new virtual server appears under the Virtual Servers tab.
-
-
Create a self-signed certificate.
-
Catalogs > SSL > SSL Server Certificates catalog > Create new SSL certificate > Create Self-Signed Certificate / Certificate Signing Request:
- Name: hcpcs
- Subject Alternative Name(s): Your cluster name
- Common Name (CN): Your cluster name
- Organization (O): Your department name
- Organizational Unit (OU): Your company name
- Location (L): Your town or city of residence
- State (S): Your state of residence
- Country (C): Your country of residence
- Expires in: 1 year
- Key types: 2048 bit RSA
-
Click Create certificate.
-
-
Configure the virtual server.
-
Services > Virtual Servers > HCPCS Management Services > Basic Settings:
- Enabled: Yes
- Listening on: Traffic IP Groups
- Traffic IP Group: Client Network
NoteThis value will only appear if a traffic IP group has been created.
-
Click Update.
-
Services > Virtual Servers > HCPCS Management Services > Protocol Settings > HTTP-Specific Settings:
- add_cluster_ip: No
- dd_x_forwarded_for: Yes
-
Click Update.
-
Services > Virtual Servers > HCPCS Management Services > SSL Decryption:
- ssl_decrypt: Yes
- certificate > Default Certificate: hcpcs
NoteThis value will only appear if a self-signed certificate has been created. See step 4.
-
Click Update.
-
Click the Home tab and verify that the HCPCS Management Services pool you've created is running and has a green status. If it's not running, click the play icon to start the service.
-
-
Create a new monitor.
-
Catalogs > Monitors > Create new monitors:
- Name: Monitor for HCPCS Management Services
- type: HTTP Monitor
- scope: Node
-
Click Create Monitor.
-
-
Configure the new monitor.
-
Catalogs > Monitors > Monitor for HCPCS Management Services:
- Basic Settings > back_off: No
- Additional Settings > use_ssl: Yes
- Additional Settings > status_regex: 200
-
Click Update.
-
-
Add the new monitor.
-
Services > Pools > HCPCS Management Services > Health Monitoring > Monitors:
- Add monitor: Monitor for HCPCS Management Services
- Ping: Remove
-
Click Update.
-
Navigate to Services > Pools > HCPCS Management Services and verify that all listed nodes match the added service. To add missing nodes, enter them into the Add Node(s) field and then click Update. To delete incorrect nodes, click the Delete box next to their names and then click Update.
-
Add the Object Storage Service
-
Create a new pool.
Services > Pools:
-
Pool Name: HCPCS Object Storage Services
-
Pool Type: Static
-
Nodes: ip_address:9099, …, ip_address:9099
-
Monitor: Ping
-
Click Create Pool. Your new pool appears under the Pools tab.
-
-
Configure the new pool.
-
Services > Pools > HCPCS Object Storage Services > Load Balancing > Algorithm: Least Connections
-
Click Update.
-
Services > Pools > HCPCS Object Storage Services > SSL Settings > ssl_encrypt: Yes
-
Click Update.
-
-
Create a virtual server.
-
Services > Virtual Servers > Create a new Virtual Server:
- Virtual Server Name: HCPCS Object Storage Services
- Protocol: HTTP
- Port: 8000
- Default Traffic Pool: HCPCS Object Storage Services
NoteThis value will only appear if a new pool has been created.
-
Click Create Virtual Server. Your new virtual server appears under the Virtual Servers tab.
-
-
Configure the virtual server.
-
Services > Virtual Servers > HCPCS Object Storage Services > Basic Settings:
- Enabled: Yes
- Listening on: Traffic IP Groups
- Traffic IP Group: Client Network
NoteThis value will only appear if a traffic IP group has been created.
-
Click Update.
-
Services > Virtual Servers > HCPCS Object Storage Services > Protocol Settings > HTTP-Specific Settings:
- add_cluster_ip: No
- dd_x_forwarded_for: Yes
-
Click Update.
-
Services > Virtual Servers > HCPCS Object Storage Services > SSL Decryption:
- ssl_decrypt: Yes
- certificate > Default Certificate: hcpcs
NoteThis value will only appear if a self-signed certificate has been created. See Add the HCP-CS Management Services.
-
Click Update.
-
Click the Home tab and verify that the HCPCS Object Storage Services pool you've created is running and has a green status. If it's not running, click the play icon to start the service.
-
-
Create a new monitor.
-
Catalogs > Monitors > Create new monitors:
- Name: Monitor for HCPCS Object Storage Services
- type: HTTP Monitor
- scope: Node
-
Click Create Monitor.
-
-
Configure the new monitor.
-
Catalogs > Monitors > Monitor for HCPCS Object Storage Services:
- Basic Settings > back_off: No
- Additional Settings > use_ssl: Yes
- Additional Settings > status_regex: 200
-
Click Update.
-
-
Add the new monitor.
-
Services > Pools > HCPCS Object Storage Services > Health Monitoring > Monitors:
- Add monitor: Monitor for HCPCS Object Storage Services
- Ping: Remove
-
Click Update.
-
Navigate to Services > Pools > HCPCS Object Storage Services and verify that all listed nodes match the added service. To add missing nodes, enter them into the Add Node(s) field and then click Update. To delete incorrect nodes, click the Delete box next to their names and then click Update.
-
Add the Metrics Service
-
Create a new pool.
Services > Pools:
-
Pool Name: HCPCS Metrics Services
-
Pool Type: Static
-
Nodes: ip_address:9191, …, ip_address:9191
-
Monitor: Ping
-
Click Create Pool. Your new pool appears under the Pools tab.
-
-
Configure the new pool.
-
Services > Pools > HCPCS Metrics Services > Load Balancing > Algorithm: Least Connections
-
Click Update.
-
Services > Pools > HCPCS Metrics Services > SSL Settings > ssl_encrypt: Yes
-
Click Update.
-
-
Create a virtual server.
-
Services > Virtual Servers > Create a new Virtual Server:
- Virtual Server Name: HCPCS Metrics Services
- Protocol: HTTP
- Port: 8000
- Default Traffic Pool: HCPCS Metrics Services
NoteThis value will only appear if a new pool has been created.
-
Click Create Virtual Server. Your new virtual server appears under the Virtual Servers tab.
-
-
Configure the virtual server.
-
Services > Virtual Servers > HCPCS Metrics Services > Basic Settings:
- Enabled: Yes
- Listening on: Traffic IP Groups
- Traffic IP Group: Client Network
NoteThis value will only appear if a traffic IP group has been created.
-
Click Update.
-
Services > Virtual Servers > HCPCS Metrics Services > Protocol Settings > HTTP-Specific Settings:
- add_cluster_ip: No
- dd_x_forwarded_for: Yes
-
Click Update.
-
Services > Virtual Servers > HCPCS Metrics Services > SSL Decryption:
- ssl_decrypt: Yes
- certificate > Default Certificate: hcpcs
NoteThis value will only appear if a self-signed certificate has been created. See Add the HCP-CS Management Services.
-
Click Update.
-
Click the Home tab and verify that the HCPCS Metrics Services pool you've created is running and has a green status. If it's not running, click the play icon to start the service.
-
-
Create a new monitor.
-
Catalogs > Monitors > Create new monitors:
- Name: Monitor for HCPCS Metrics Services
- type: HTTP Monitor
- scope: Node
-
Click Create Monitor.
-
-
Configure the new monitor.
-
Catalogs > Monitors > Monitor for HCPCS Metrics Services:
- Basic Settings > back_off: No
- Additional Settings > use_ssl: Yes
- Additional Settings > status_regex: 200
-
Click Update.
-
-
Add the new monitor.
-
Services > Pools > HCPCS Metrics Services > Health Monitoring > Monitors:
- Add monitor: Monitor for HCPCS Metrics Services
- Ping: Remove
-
Click Update.
-
Navigate to Services > Pools > HCPCS Metrics Services and verify that all listed nodes match the added service. To add missing nodes, enter them into the Add Node(s) field and then click Update. To delete incorrect nodes, click the Delete box next to their names and then click Update.
-
How to backup and import configurations
To backup and export your Pulse Secure vADC load balancer configuration, navigate to Services > Config Summary > Export configuration document > Export Configuration archive and click Export Configuration.
The downloaded file can be used to restore functionality to your load balancer in the event of system failure. To import it, navigate to System > Backups > Import a backup and upload the exported archive.
Additionaly, you can backup your configuration settings within the Pulse Secure vADC load balancer software: System > Backups > Create a Backup.