Cohesity Deployment
This page describes how to provision the Model9 Management Server from the Cohesity marketplace.
The Model9 Cloud Data Manager is featured in the Cohesity Marketplace.

Step 1: Obtain a license key

Open a license request in the Model9 service portal.
The output of the z/OS command “D M=CPU” is required.

Step 2: Download the Model9 files

Create an NFS Cohesity view

The Model9 configuration and meta-data files should reside on a Cohesity view, defined as NFS only.
The name of this view must be set to model9home (case sensitive).

Mount the NFS

Mount the NFS share on a Linux machine and configure initial settings:

    # Change user to root
    sudo su -
    # Mount the model9home Cohesity view
    mkdir -p /data/model9/nfs
    mount cohesity.ip.addr:/model9home /data/model9/nfs/
    # Set the model9 target installation path
    export MODEL9_HOME=/data/model9/nfs

Upload the Cohesity zip installation file to the NFS share mount point (for example: /data/model9/nfs) in binary mode:
model9-v1.5.4_build_6fa60a89-cohesity.zip

Unzip the installation file

Use a Linux server to mount the newly created view and unzip the uploaded installation zip file:

    # Change user to root
    sudo su -
    # Change the directory to $MODEL9_HOME
    cd "$MODEL9_HOME"
    # Unzip the server’s installation file, on Linux issue:
    unzip model9-v1.5.4_build_6fa60a89-cohesity.zip

Optional: Replace the default self-signed certificate

The base installation provides a self-signed certificate for encrypting access to the Model9 user interface. See the section below, "Optional: Generate a self-signed certificate", for instructions on how to replace the default certificate for the WEB UI. Communications between the Model9 Server and the Model9 Agent are encrypted by default and further action should only be taken if site certificates are preferred.

Step 3: Edit the parameters file

The model9-local.yml file residing in the $MODEL9_HOME/conf/ path contains some of the default parameters. The main section is model9 (lower-case) and all parameters must be indented under the model9 title. Indent the hierarchies within the parameter file with space characters only; tabs cannot be used.

    model9:
      licenseKey: null
      master_agent:
        name: "<ip_address>"
        port: <port>
      objstore:
        # resources.container.name: model9-data
        endpoint:
          # api.id: s3
          api.s3.v4signatures: true
          # no.verify.ssl: true
          url: https://cohesity:3000
          userid: <object store access key>
          password: <object store secret>
    # The dataSource tag should start from first column and not under model9 tag
    dataSource:
      user: postgres
      password: model9
      url: jdbc:postgresql://127.0.0.1:5432/model9

| Parameter | Description | Mandatory |
| --- | --- | --- |
| licenseKey | A valid Model9 license key as obtained in the prerequisites section. When using multiple keys for multiple CPCs, specify one of the keys in the server’s yml file. The server-initiated actions are carried out by the agent using its own defined license. The license key specified for the server is used for displaying a message regarding the upcoming expiration of the license. | YES |
| master_agent | The agent running on z/OS which verifies the UI login credentials, hostname, IP address and port number. Specifying a distributed virtual IP address (Distributed VIPA) can provide high availability by allowing the use of agent groups and multiple agents. See the Administrator and User Guide for more details. | YES |
| resources.container.name | Container/bucket name | YES |
| url | URL address of local or remote object storage; both HTTP and HTTPS are supported | YES |
| userid | Access key to object storage | YES |
| password | Secret key to object storage | YES |
| api.id | The object storage API name. Default: s3 | NO |
| api.s3.v4signatures | Set this parameter to true in addition to specifying api.id: s3. | YES |
| no.verify.ssl | When using the HTTPS protocol, whether to skip SSL certificate verification. Using HTTPS for the object storage URL parameter enables data-in-flight encryption. Default: true | NO |
| datasource.url | Update the PostgreSQL address to point to localhost (i.e. 127.0.0.1) | YES |
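
A pre-start check for the edited parameters file, as an added example (not Model9 or Cohesity code). The function name `lint_model9_config` and the finding codes are hypothetical. It reads the file line by line without a YAML library and flags tab indentation, a nested dataSource section, unfilled `<...>` placeholders, a null license key, a plain-HTTP object store URL, and an HTTPS URL with certificate verification left at the documented default of skipped.

```python
import re
# Constructed sample: the page's template with its placeholders left unfilled.
SAMPLE = """\
model9:
  licenseKey: null
  master_agent:
    name: "<ip_address>"
    port: <port>
  objstore:
    endpoint:
      api.s3.v4signatures: true
      # no.verify.ssl: true
      url: https://cohesity:3000
      userid: <object store access key>
      password: <object store secret>
dataSource:
  url: jdbc:postgresql://127.0.0.1:5432/model9
"""
KEY_LINE = re.compile(r"^([ \t]*)([A-Za-z_][\w.]*):[ \t]*(.*)$")

def lint_model9_config(text):
    """Return sorted finding codes for the text of a model9-local.yml file."""
    findings, values, section = set(), {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue                              # blank lines and '#' comments
        indent, key, value = m.groups()
        value = value.strip().strip('"')
        if "\t" in indent:
            findings.add("tab-indent")            # indentation must be spaces only
        if not indent:
            section = key                         # a column-one key opens a section
        elif key == "dataSource":
            findings.add("datasource-nested")     # must start in the first column
        if re.fullmatch(r"<[^>]+>", value):
            findings.add("placeholder-left")      # template value never filled in
        values[(section, key)] = value
    if values.get(("model9", "licenseKey"), "null") in ("", "null", "~"):
        findings.add("license-missing")
    url = values.get(("model9", "url"), "")
    if url.startswith("http://"):
        findings.add("objstore-http")             # no data-in-flight encryption
    elif url.startswith("https://") and values.get(("model9", "no.verify.ssl"), "true") != "false":
        findings.add("tls-verify-off")            # documented default skips verification
    return sorted(findings)

if __name__ == "__main__":
    print(lint_model9_config(SAMPLE))
```
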

Step 4: Edit the environment configuration file

The model9-stdenv.sh file residing in the $MODEL9_HOME/conf/ path contains some of the default parameters.
Update the timezone setting according to the server location.

Step 5: Start the Model9 management server

1. Go to the Apps section in the Cohesity UI, and click on the Run App button located next to the loaded application.
2. Grant permission to access the NFS view created for Model9 (the view name is model9home).
3. Click on Run App to start the application.

Optional: Generate a self-signed certificate

The default Model9 installation provides a self-signed web certificate. This certificate is used to encrypt the web information passed between your browser and the Model9 management server.
It is strongly recommended to generate a site-defined certificate to accommodate production-level workloads. Contact your security administrator if you wish to generate such a certificate.
You can also generate your own self-signed certificate to avoid browser security notifications.
To generate the self-signed certificate:
1. Verify that the server has a valid hostname. Issue the following command:

    hostname -s

2. Generate self-signed keys by issuing the following commands. The parameters are described below:

    cd "$MODEL9_HOME/keys"
    # Create the key pair and self-signed certificate in a PKCS12 keystore
    keytool -genkey -alias tomcat -keystore $(hostname -s)_web_self_signed_keystore.p12 -storetype pkcs12 -storepass <password> -keyalg RSA -ext SAN=dns:<server_dns>,ip:<server_ip> -dname "cn=<BackupServer>, ou=Java, o=Model9, c=IL" -validity 3650
    # Restrict the keystore to root
    chown root:root $(hostname -s)_web_self_signed_keystore.p12
    chmod 600 $(hostname -s)_web_self_signed_keystore.p12
    # Export the certificate for import into the workstation trust store
    keytool -exportcert -alias tomcat -keystore $(hostname -s)_web_self_signed_keystore.p12 -storetype pkcs12 -storepass <password> -file $(hostname -s)_web_self_signed.cer

3. Edit the following parameters:

| Parameter | Description |
| --- | --- |
| <password> | The keystore password |
| <server_dns> | The server DNS name (optional) |
| <server_ip> | The server IP address |
| <BackupServer> | The certificate common name: edit according to site standards |

Note: When not specifying <server_dns>, remove the dns: section from the command.

4. Update your workstation. Add the exported certificate (.cer file) to your local workstation trusted CA according to site standards and security policies.
5. Update the server. If a site certificate or new self-signed certificate was created, update the server configuration by editing the following file:

    vi $MODEL9_HOME/conf/connectorHttpsModel9.xml

6. Update the keystoreFile, keystorePass, keyAlias and keyPass settings to match the information provided by the security administrator, as shown in the following example:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/model9/keys/web_self_signed_keystore.p12"
               keystoreType="PKCS12" keystorePass="changeit" keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLS" />

Java strictly follows the HTTPS specification for server identity (RFC 2818, Section 3.1) and IP address verification. When using a host name, it is possible to fall back to the Common Name in the Subject DN of the server certificate instead of using the Subject Alternative Name. However, when using an IP address, the certificate must contain a Subject Alternative Name entry of type IP address, not a DNS name.
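
The identity rule described above, modelled as an added example (not Java's or Model9's code) to show which variants of the keytool `-ext SAN=` option let a client connect by IP address or by name. The helper `identity_matches`, the host name `m9server` and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive label comparison; '*' may stand for the leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def identity_matches(target, san_dns=(), san_ip=(), subject_cn=None):
    """Hypothetical helper: does a certificate identify `target` (RFC 2818, 3.1)?"""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # Connecting by IP: only iPAddress SAN entries count, never dNSName or CN.
        return any(ipaddress.ip_address(ip) == target_ip for ip in san_ip)
    if san_dns:
        # A dNSName SAN, when present, is the identity; the CN is then ignored.
        return any(_dns_match(name, target) for name in san_dns)
    # No dNSName SAN at all: fall back to the Common Name of the Subject DN.
    return subject_cn is not None and _dns_match(subject_cn, target)

# Constructed certificates mirroring the keytool -ext SAN=... variants above.
IP_ONLY = dict(san_ip=["192.0.2.10"], subject_cn="m9server")
DNS_ONLY = dict(san_dns=["m9server.example.test"], subject_cn="m9server")
IP_AS_DNS = dict(san_dns=["192.0.2.10"], subject_cn="192.0.2.10")

def demo():
    return {
        "ip SAN, browse by IP": identity_matches("192.0.2.10", **IP_ONLY),
        "ip SAN, browse by short name (CN fallback)": identity_matches("m9server", **IP_ONLY),
        "dns SAN only, browse by IP": identity_matches("192.0.2.10", **DNS_ONLY),
        "dns SAN present, CN ignored": identity_matches("m9server", **DNS_ONLY),
        "IP written as a dns: entry": identity_matches("192.0.2.10", **IP_AS_DNS),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'match   ' if ok else 'MISMATCH'}  {case}")
```
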
Last modified 3mo ago