There are a number of reasons for performing a recovery:
Hardware failures.
Software failures.
Power outages.
Human error.
Changing storage platforms.
Moving data around the world.
True natural disaster.
Performing a recovery procedure on the Nasuni Management Console does not affect any of your Nasuni Edge Appliances or access to your data.
Recovering the Nasuni Management Console
The NMC Recovery Guide contains the complete procedure for recovering the Nasuni Management Console in the event of a disaster or planned transition. This section is a summary of suggestions before you recover the Nasuni Management Console.
Note: Downloading and executing the installation program for the virtual appliance is contingent upon the virtual platform you are using.
Important: When using virtual machine Edge Appliances or NMCs, Nasuni recommends running under a hypervisor that is still supported by its vendor. If a customer runs an Edge Appliance or NMC on an unsupported hypervisor version, a warning is logged at boot time. The warning is of the form:
“Nasuni recommends running the Management Console on ESX 7.0 or later.”
To recover the Nasuni Management Console, follow these steps:
Safeguard at least one of the encryption keys for the Nasuni Management Console. See “Encryption Keys” on page 468.
Obtain the serial number and authorization code for the Nasuni Management Console. You use these in step 10. If you have the credentials to log in to your Nasuni.com account (https://account.nasuni.com/account/login/), you can obtain the serial number and authorization code there. If you don’t have these credentials, obtain the serial number and authorization code from the person who has the credentials.
Important: Authorization codes (also called “Auth codes”) are intended for a single use, and are not permanent. Authorization codes change if the associated serial number is used successfully, if the authorization code is refreshed via the NMC (Account Status --> Serial Numbers, then click Refresh), and if the authorization code is regenerated via the NOC (visit https://account.nasuni.com/account/serial_numbers/, then click show, then click regen).
Download the Nasuni Management Console software appropriate for your platform. For details, see “Installing the Nasuni Management Console Software” on page 41.
Note: You can perform the recovery process to the same version of the software that you were running, or to a newer version than you were running, but not to an older version.
Install the Nasuni Management Console software for your platform.
After you obtain the initial IP address, open the specific URL to continue. The Install Wizard — Network Configuration page appears.
Figure 13-1: Install Wizard — Network Configuration page.
In the Hostname box, a default hostname for the Nasuni Management Console appears. You can accept the default hostname or change it to a customized hostname. The name that you enter is the name you provide to users so they can access the Nasuni Management Console. You can use ASCII letters a through z, digits 0 through 9, and hyphens.
Note: The Nasuni Management Console attempts to register the hostname in the DNS server, so that users can access this host by name.
To change this name later, see “Networking” on page 524.
From the Network Type drop-down list, select either Static or DHCP.
If you select DHCP (Dynamic Host Configuration Protocol), the IP Address, Netmask, Default Gateway, and MTU Value fields become unavailable.
If you select Static, you must provide Network Device Settings and System Settings. See your IT administrator for assistance.
If you select Static as a source, enter the following information:
Enter the static IP address in the IP Address text box.
Enter a netmask address in the Netmask text box.
Enter a default gateway address in the Default Gateway text box. The gateway address must match a subnet of a defined static network.
Enter the MTU value in the MTU Value text box. MTU settings above 1500 are supported.
The maximum transmission unit (MTU) is the size (in bytes) of the largest protocol data unit that the layer can pass onwards. A larger MTU brings greater efficiency, because each packet carries more user data while protocol overheads, such as headers, remain fixed; the resulting higher efficiency means a slight improvement in the bulk protocol throughput. A larger MTU also means processing fewer packets for the same amount of data. However, large packets can occupy a slow link for some time, causing greater delays to following packets, and increasing lag and minimum latency.
In the System Settings area:
If you selected DHCP (Dynamic Host Configuration Protocol), the Search Domain, Primary DNS Server, and Secondary DNS Server fields become unavailable.
If you select Static as a source, enter the following information:
Enter one or more local search domains in the Search Domain text box. If you enter multiple search domains, make sure you include a space between each entry. You must enter valid hostnames.
You can use search domains to avoid typing the complete address of domains that you use frequently. The search domains that you enter are automatically appended to names that you specify for purposes such as Active Directory configuration, HTTPS proxy, and NTP server. For example, if you specify the search domain “mycompany.com”, then typing “server1” for one of these purposes would connect to “server1.mycompany.com”.
Note: There are no search domains for LDAP.
Click Continue to proceed.
The Install Wizard — Proxy Network Configuration page appears.
Figure 13-2: Install Wizard — Proxy Network Configuration page.
To enable proxy support, click Proxy Support: On (enabled) or Off (disabled).
In the Proxy Server text box, enter the hostname or IP address of a host running an HTTPS proxy.
In the Port text box, enter the port number used by the HTTPS proxy server. For details about ports and firewalls, see Firewall and Port Requirements.
Optionally, enter a valid username (case-sensitive) as configured by the proxy server in the User Name text box and the password (case-sensitive) in the Password text box.
Caution: The Password cannot include the symbols “/” (slash) and “#” (pound sign).
Optionally, in the Do Not Proxy text box, enter a list of hostnames or IP addresses not to proxy. Enter one hostname or IP address per line. Do not use a leading period (“.”).
Tip: On Azure-based NMCs only, during an installation or recovery procedure, it is necessary to connect with IP address 169.254.169.254 in order to obtain information about the Azure VM instance. If you have configured an HTTPS proxy, this attempt to connect can cause a delay of several minutes. To avoid this delay, add the IP address 169.254.169.254 to the “Do Not Proxy” section of the HTTPS Proxy configuration.
Click Continue. To return to the previous page to change parameters, click Back.
The Install Wizard — Review Network Settings page appears.
Figure 13-3: Install Wizard — Review Network Settings page.
To accept the network settings, click Continue. To return to the previous page to change parameters, click Back.
The Reconfiguring Network Settings page appears.
Figure 13-4: Configuring Network Settings page.
The Terms of Service and License Agreement page appears.
Figure 13-5: Terms of Service and License Agreement page.
You can print or download a copy of the Terms of Service and License Agreement by clicking the appropriate icon.
Select “I accept the Terms of Service”, then click Continue.
The Install Wizard — Authorization page appears.
Figure 13-6: Install Wizard — Authorization page.
Enter the NMC Serial Number and Authorization code, found under the Account section of www.nasuni.com. Click Continue to proceed.
Important: Authorization codes (also called “Auth codes”) are intended for a single use, and are not permanent. Authorization codes change if the associated serial number is used successfully, if the authorization code is refreshed via the NMC (Account Status --> Serial Numbers, then click Refresh), and if the authorization code is regenerated via the NOC (visit https://account.nasuni.com/account/serial_numbers/, then click show, then click regen).
The Install Wizard — Confirm NMC Recovery page appears.
Figure 13-7: Install Wizard — Confirm NMC Recovery page.
Note: If the “Confirm New NMC” page appears instead of the “Confirm NMC Recovery” page, contact Nasuni Technical Support.
Enter “Perform Disaster Recovery” in the Confirmation text box, then click Continue to proceed.
The Install Wizard — Disaster Recovery page appears.
Figure 13-8: Install Wizard — Disaster Recovery page.
Note: Only one of the NMC encryption keys is necessary for this step.
If you escrowed any of your encryption keys (including the backup key) with Nasuni, and you intend to use your escrow passphrase to de-escrow your escrowed encryption keys, perform the following steps:
Select “Yes - Escrow Passphrase” from the drop-down list.
Tip: You can select Yes even if you also have non-escrowed encryption keys, which you provide separately.
Tip: For details about the escrow passphrase, see “Escrow Passphrase” on page 340.
The Escrow Passphrase text box becomes available.
Figure 13-9: Escrow Passphrase text box.
If you set an encryption key escrow passphrase and you have the passphrase, enter the passphrase.
Alternatively, if you do not have an encryption key escrow passphrase available: Contact Nasuni Support to verify your identity and obtain your one-time-use recovery key. Then perform step 12 on page 577 again.
Tip: For details about the escrow passphrase, see “Escrow Passphrase” on page 340.
Click Continue.
Continue with step 14 on page 580.
Important: If you have previously escrowed your encryption keys with Nasuni, and you use these escrowed encryption keys as part of the recovery process, you MUST re-escrow those encryption keys with Nasuni if you want those encryption keys to continue to be escrowed with Nasuni. After the recovery is complete, the Nasuni Edge Appliance treats all encryption keys as if they were not created by this Nasuni Edge Appliance. For details, see “Escrowing Encryption Keys with Nasuni” on page 337.
If you escrowed any of your encryption keys (including the backup key) with Nasuni, and you intend to have Nasuni de-escrow your escrowed encryption keys, perform the following steps:
Select “Yes - Recovery Key” from the drop-down list.
Tip: You can select Yes even if you also have non-escrowed encryption keys, which you provide separately.
The Recovery Key text box becomes available.
Figure 13-10: Recovery Key text box.
Contact Nasuni Support to verify your identity and obtain your one-time-use recovery key. Then enter the recovery key.
Tip: For details about the escrow passphrase, see “Escrow Passphrase” on page 340.
Read the text and then click the Acknowledgement box.
Click Continue.
Continue with step 14 on page 580.
Important: If you have previously escrowed your encryption keys with Nasuni, and you use these escrowed encryption keys as part of the recovery process, you MUST re-escrow those encryption keys with Nasuni if you want those encryption keys to continue to be escrowed with Nasuni. After the recovery is complete, the Nasuni Edge Appliance treats all encryption keys as if they were not created by this Nasuni Edge Appliance. For details, see “Escrowing Encryption Keys with Nasuni” on page 337.
Otherwise, select No from the drop-down list, then click Continue.
This means that either you do not have any encryption keys escrowed with Nasuni at all, or that you do have encryption keys escrowed with Nasuni, but you intend to provide your escrowed encryption keys yourself.
If you selected No, the Install Wizard — Upload Encryption Keys page appears.
Figure 13-11: Install Wizard — Upload Encryption Keys page.
Click Choose File to navigate to your encryption key file, enter the Key Passphrase if necessary, then click Upload Key(s). All uploaded encryption keys must be at least 2048 bits long.
The maximum length of a file name is 255 bytes.
In addition, the length of a path, including the file name, must be less than 4,000 bytes.
Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary. If a particular client has other limits, the smaller of the two limits applies.
Important: For security reasons, encryption keys that you upload cannot be downloaded from the system.
Note: If an uploaded encryption key has an associated passphrase, that passphrase is removed from the encryption key when it is uploaded. The Edge Appliance does not need the passphrase in order to use the encryption key. However, if you do not escrow this encryption key, if you ever perform a recovery procedure on the Edge Appliance, you must provide that passphrase when you upload that encryption key during the recovery procedure.
Important: It is possible that not all encryption keys are uploaded as part of the recovery. After the recovery process is complete, the Encryption Keys page indicates which encryption keys were not uploaded. Uploading these encryption keys is optional.
Figure 13-12: Encryption Keys page.
The Install Wizard - About to Recover page appears.
Figure 13-13: Install Wizard - About to Recover page.
Click Continue. Recovery of the Nasuni Management Console begins.
After recovery, the Install Wizard - Recovery Complete page appears.
Figure 13-14: Install Wizard - Recovery Complete page.
The Install Wizard — Create Admin User page appears.
Figure 13-15: Install Wizard — Create Admin User page.
Create a Username (case-sensitive) and a Password (case-sensitive) for the administration of this Nasuni Management Console.
Important: It is not supported for users in the Active Directory Protected Users security group to log in to the NMC.
Important: You cannot use Active Directory passwords longer than 127 characters to log in to the NMC.
An indicator of password strength appears. Although password strength is not enforced, you should use strong passwords. Click Continue.
Figure 13-16: Rebooting page.
It can take several minutes for this process to complete.
The Login page appears.
Figure 13-17: Login page.
Log in to the Nasuni Management Console with your Username (case-sensitive) and Password (case-sensitive). Click Log in.
Important: It is not supported for users in the Active Directory Protected Users security group to log in to the NMC.
Important: You cannot use Active Directory passwords longer than 127 characters to log in to the NMC.
The Nasuni Management Console Home page appears.
A message appears confirming that the recovery process is complete.
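The input rules stated in the network and proxy steps above (hostname characters, gateway and subnet, proxy password symbols, Do Not Proxy entries, the Azure address) can be checked before the values are typed into the Install Wizard. The following is an added example, not part of the Nasuni documentation or software; the function name check_wizard_inputs, the dictionary keys and the "platform" value are hypothetical, and the gateway rule is interpreted as "the gateway lies inside the subnet given by the IP address and netmask".

```python
import ipaddress
import re

AZURE_METADATA_IP = "169.254.169.254"  # address named in the Azure tip
# Letters, digits and hyphens only; accepting upper case is an assumption.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]+")


def check_wizard_inputs(cfg):
    """Return a list of problems in a dict of planned Install Wizard values."""
    problems = []
    if not HOSTNAME_RE.fullmatch(cfg["hostname"]):
        problems.append("hostname: use only ASCII letters, digits and hyphens")
    if cfg["network_type"] == "Static":
        # Read "gateway must match a subnet" as: inside the IP/netmask subnet.
        net = ipaddress.ip_network(f'{cfg["ip"]}/{cfg["netmask"]}', strict=False)
        if ipaddress.ip_address(cfg["gateway"]) not in net:
            problems.append(f'gateway: {cfg["gateway"]} is outside {net}')
    proxy = cfg.get("proxy")
    if proxy:
        no_proxy = proxy.get("do_not_proxy", [])
        if any(ch in proxy.get("password", "") for ch in "/#"):
            problems.append('proxy password: must not contain "/" or "#"')
        for entry in no_proxy:
            if entry.startswith("."):
                problems.append(f"do not proxy: {entry!r} has a leading period")
        if cfg.get("platform") == "azure" and AZURE_METADATA_IP not in no_proxy:
            problems.append(f"do not proxy: add {AZURE_METADATA_IP} on Azure")
    return problems


# Constructed sample values, not taken from any real deployment.
SAMPLE = {
    "hostname": "nmc_recovery",
    "network_type": "Static",
    "ip": "10.0.5.20",
    "netmask": "255.255.255.0",
    "gateway": "10.0.6.1",
    "platform": "azure",
    "proxy": {
        "password": "example#pw",
        "do_not_proxy": [".corp.example", "10.0.5.30"],
    },
}

if __name__ == "__main__":
    for problem in check_wizard_inputs(SAMPLE):
        print(problem)
```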
Important: After the recovery, it might be necessary to reconfigure the firewall, networking, proxy, time zone, and time server settings.
Important: The following settings, if configured, are not retained after the NMC Recovery procedure. You should record your settings so that you can reconfigure these settings after the NMC Recovery procedure.