The CPM management console is accessed via a web browser over HTTPS.
When a new CPM Server is launched, the server will automatically generate a new self-signed SSL certificate. This certificate will be used for the web application in the configuration step.
If no other SSL certificate is uploaded to the CPM Server, the same certificate will also be used for the main CPM application.
Every CPM Server will get its own certificate.
Since the certificate is not signed by an external Certificate Authority, you will need to approve an exception in your browser to start using CPM.
When configuring the CPM server, define the following settings:
- AWS Credentials for the CPM root user
- Time zone for the server
- Whether to create a new CPM data volume, or attach an existing one from a previous CPM server
- Proxy settings. Configure proxy settings in case the CPM server needs to connect to the Internet via a proxy. These settings will also apply to the main application.
- The port the web server will listen on. The default is 443.
- Whether to upload an SSL certificate and a private key for the CPM server to use. If you provide a certificate, you will also need to provide a key, which must not be protected by a passphrase.
- Register the AWS account with N2W Software. This is mandatory only for free trials but is recommended for all users. It will allow N2W Software to provide quicker and enhanced support. Registration information is not shared.
For the configuration process to work, as well as for normal CPM operations, CPM needs to have outbound connectivity to the Internet, for the HTTPS protocol. Assuming the CPM server was launched in a VPC, it needs to have:
- A public IP, or
- An Elastic IP attached to it, or
- Connectivity via a NAT setup, Internet Gateway, or HTTP proxy.
If an access issue occurs, verify that the:
- Instance has Internet connectivity.
- DNS is configured properly.
- Security groups allow outbound connections on port 443 (HTTPS), or on the alternative port if you chose to use a different one.
Following are the configuration steps:
- Approve the end-user license agreement.
- Define the root username, email, and password.
- Define the time zone of the CPM Server.
- Fill in the rest of the information needed to complete the configuration process.
To initially be identified as the owner of this instance, you are required to type or paste the CPM server instance ID. This is just a security precaution.
In the first step of the configuration process, you will also be required to approve the end-user license agreement.
The AWS root user (IAM User) is no longer allowed to control the operation of the CPM server. A user with the Authentication credentials for CPM Instance IAM Role is the only user allowed to install CPM, log on to the system server and operate it. As in Figure 2‑1, you need to define the root user name, email, and password. This is the second step in the configuration process. The email may be used when defining Amazon Simple Notification Service (SNS) based alerts. Once created, choose to automatically add this email to the SNS topic recipients.
Also, if using the Free Trial or Bring Your Own License (BYOL) Edition, the License field is presented. To start a free trial, select I’m starting a free trial. Alternatively, if your organization purchased a license directly from N2W Software, additional instructions are shown.
Note: Passwords: N2W Software does not enforce any password policy. However, it is recommended to use passwords that are difficult to guess and that are changed from time to time.
In the third step of the configuration process, define the time zone of the CPM Server, choose whether to create a new data volume or use an existing one, and enter the AWS credentials that will be used for the data volume setup process. Additionally, you can configure proxy settings for the CPM server.
As you will see in section 4.1.2, all scheduling of backup is done according to the local time of the CPM Server. All time fields are displayed in local time, but they are stored in the CPM database in UTC. This means that if you wish to change the time zone later, all scheduling will still work as before.
As you can see in Figure 2‑2, the choice of new or existing data volume is done here. Actual configuration of the volume will be done at the next step.
AWS credentials are required to create a new Elastic Block Storage (EBS) data volume if needed and to attach the volume to the CPM Server instance.
If you are using AWS Identity and Access Management (IAM) credentials that have limited permissions, these credentials need to have permissions to view EBS volumes in your account, to create new EBS volumes, and to attach volumes to instances (see section 14.3). These credentials are kept for file-level recovery later on and are used only for these purposes.
If you assigned an IAM Role to the CPM Server instance, and this role includes the needed permissions, select Use Instance’s IAM Role and then you will not be required to enter credentials.
If the CPM server needs an HTTP proxy to connect to the Internet, in the Connect via web proxy drop-down list, choose Enabled. Define the proxy address, port, user, and password. The proxy settings will be kept as the default for the main application.
Anonymous Usage Reports
Leaving the Anonymous Usage Reports value as enabled allows CPM to send anonymous usage data to N2W Software. This data does not contain any identifying information:
- No AWS account numbers or credentials.
- No AWS objects or IDs like instances or volumes.
- No CPM object names, such as policy and schedule names.
It contains only details like:
- How many policies run on a CPM server
- How many instances per policy
- How many volumes
- What the scheduling is, etc.
You can change this setting at any time using the enable/disable anonymous usage reports link at the bottom of CPM’s main page.
In the fourth step, you will fill in the rest of the information needed for the configuration of the CPM Server.
First, finish configuring your data volume.
If you chose to create a new volume in the previous step, you will see the screen as in Figure 2‑3.
If you chose to use an existing volume, you will see a drop-down volume selection box instead of the capacity field.
New Data Volume
When creating a new data volume, the only thing you need to define is the capacity of the created volume. The volume is going to contain the database of CPM’s data, plus any backup scripts or special configuration you choose to create for the backup of your servers. The backup itself is stored by AWS, so normally the data volume will not contain a large amount of data.
The default size of the data volume is 5 GiB.
This is large enough to manage roughly 50 instances, and about 3 times as many EBS volumes.
If your environment is larger than 50 instances, increase the volume size at a ratio of about 1 GiB per 10 backed-up instances.
The new volume will be automatically created in the same AZ as the CPM instance. It will be named CPM Cloud Protection Manager Data. During the configuration process, the volume will be created and attached to the instance. The CPM database will be created on it.
Existing Data Volume
The Existing data volume option is used if:
- You have already run CPM and terminated the old CPM server, but now wish to continue where you stopped.
- You are upgrading to new CPM releases.
- You are changing some of the configuration details.
The select box for choosing the volumes will show all available EBS volumes in the same AZ as the CPM Server instance. When choosing the volumes, consider the following:
- It is important to create the instance in the AZ in which your volume was originally created.
- Another option is to create a snapshot from the original volume, and then create a volume from it in the AZ you require.
Note: Although CPM data volumes typically have a special name, it is not a requirement. If you choose, as the existing data volume, a volume that was not created by a CPM server, the application will not work.
Web Server Settings
Port 443 is the default port for the HTTPS protocol, which is used by the CPM manager. If you wish, you can configure a different port for the web server. Keep in mind, however, that the specified port will need to be open in the instance’s security groups for the management console to work, and for any Thin Backup Agents that will need to access it.
The final detail you can configure is an SSL certificate and private key.
If you leave them empty, the main application will continue to use the self-signed certificate that was used so far.
If you choose to upload a new certificate, you need to upload a private key as well. The key cannot be protected by a passphrase, or the application will not work.
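Because a passphrase-protected key stops the application from working, it is worth checking the pair before upload. The following added example (not part of the N2W documentation) recognises both PEM forms of an encrypted private key; it inspects PEM framing only and does not verify that the key matches the certificate. The function names and sample inputs are constructed.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem(label, body="Q09OU1RSVUNURUQ=", headers=""):
    """Build a constructed PEM skeleton; the body is a placeholder, not key material."""
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed inputs: an unencrypted key and the two passphrase-protected PEM forms.
CERT = pem("CERTIFICATE")
PLAIN_KEY = pem("PRIVATE KEY")
PKCS8_ENCRYPTED = pem("ENCRYPTED PRIVATE KEY")
LEGACY_ENCRYPTED = pem("RSA PRIVATE KEY",
                       headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

def check_upload(cert_pem, key_pem):
    """Return the problems found in a certificate/key pair before upload."""
    problems = []
    cert_blocks = PEM_BLOCK.findall(cert_pem)
    key_blocks = PEM_BLOCK.findall(key_pem)
    if not any(label == "CERTIFICATE" for label, _ in cert_blocks):
        problems.append("certificate file has no CERTIFICATE block")
    keys = [(label, body) for label, body in key_blocks
            if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(
            f"key file must hold exactly one private key, found {len(keys)}")
    for label, body in keys:
        # PKCS#8 encrypted keys carry their own label; traditional OpenSSL
        # keys keep the plain label and add a Proc-Type header instead.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is protected by a passphrase")
    return problems

if __name__ == "__main__":
    for name, key in [("plain", PLAIN_KEY), ("pkcs8", PKCS8_ENCRYPTED),
                      ("legacy", LEGACY_ENCRYPTED)]:
        print(name, check_upload(CERT, key) or "ok")
```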
After filling in the details in the last step, you are prompted to register. This is mandatory for free trials and optional for paid products.
Click Configure System to finalize the configuration. The configuration will take between 30 seconds and 3 minutes for new volumes, and usually less for attaching existing volumes. After the configuration is complete, a successful configuration notification page opens.
Click the here link. After a few seconds, you are redirected to the login screen of the CPM application. If you are not redirected, refresh the browser manually. If you are still not redirected, reboot the CPM server via AWS Management Console or another management tool, and it will come back up configured and running.
Most inputs you have in the configuration steps are validated when you click Next. You will get an informative message indicating what went wrong.
A less obvious problem you may encounter is if you reach the third step and get the existing volume select box with only one value in it: No Volumes found. This can arise for two reasons:
If you chose to use an existing volume and there are no available EBS volumes in the CPM Server’s AZ, you will get this response. In this case, you probably did not have your existing data volume in the same AZ.
To correct this:
- Terminate and relaunch the CPM server instance in the correct zone and start over the configuration process, or
- Take a snapshot of the data volume, and create a volume from it in the zone the server is in.
If there is a problem with the credentials you typed in, the “No Instances found” message may appear, even if you chose to create a new data volume. This usually happens if you are using invalid credentials, or if you mistyped them.
To fix, go back and enter the credentials correctly.
In rare cases, you may encounter a more difficult error after you configured the server. In this case, you will usually get a clear message regarding the nature of the problem. This type of problem can occur for several reasons:
- If there is a connectivity problem between the instance and the Internet (low probability).
- If the AWS credentials you entered are correct, but lack the permissions to do what is needed, particularly if they were created using IAM.
- If you chose an incorrect port, e.g. the SSH port which is already in use.
- If you specified an invalid SSL certificate and/or private key file.
If you cannot discover the problem, try again. If it persists, contact N2W Software support (email@example.com).
If the error occurred after completing the last configuration stage, it is recommended that you:
- Terminate the CPM server instance.
- Delete the new data volume (if one was already created).
- Try again with a fresh instance.
If you need to change the configuration of your CPM server after it has already been created, you may need to:
- Change the time zone
- Reset the CPM root user password
- Change SSL credentials
- Change the HTTPS port
The process to make these changes is to terminate the current CPM server instance and create a new one. After you terminate the CPM server, the data volume becomes available. Configure the server as needed and connect to the old (existing) data volume.
Note: Remember to launch the new server in the same AZ.
For the CPM root user, you may change the email or the password. The username of the root user cannot be changed. If, during the configuration process, you type a different username than the original, CPM will assume you forgot the root username. In that case, the username will not change, and a file named /tmp/username_reminder, containing the username, will be created on the CPM server. You can connect to the CPM server using SSH to view this file (see section 7.1).
From version 2.1.0, there is an option to configure CPM using a special “user data” script. The user data script is a configuration in ini file format, stating the configuration of the new CPM instance.
Create the user data file with CPMCONFIG in the first line, [SERVER] in the second line, followed by the configuration details.
CPM assumes that the CPM instance has an IAM role that is used for the configuration process, so no credentials are required.
Following is an example of the whole script:
CPMCONFIG
[SERVER]
user=<username for the cpm user>
volume_option=<new or existing>
volume_size=<in GB, used only for the new volume option>
volume_id=<Volume ID for the data volume, used only in the existing volume option>
snapshot_id=<snapshot ID to create the data volume from, used only with the existing volume option, and only if volume_id is not present>
Additionally, if you need the CPM server to connect to the internet via an HTTP proxy, add a proxy section:
proxy_server=<address of the proxy server>
proxy_user=<user to authenticate, if needed>
proxy_password=<password to authenticate, if needed>
The snapshot option does not exist in the GUI. It can be used for automation of a Disaster Recovery (DR) server recovery. Additionally, if you state a volume ID from another AZ, CPM will attempt to create a snapshot of that volume and migrate it to the AZ of the new CPM server. This option can be used in a high availability setup.
Note: You are not required to click to approve the license terms when using the silent configuration option, since you already approved the terms when subscribing to the product on AWS Marketplace.
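A pre-launch lint for the silent-configuration file described above, added here as an example and not N2W code: it checks the two header lines and the option-specific keys, and flags a proxy password, since EC2 user data is stored unencrypted and is readable from the instance metadata service. The `[PROXY]` section name and every value in the sample are assumptions; the page does not give them.

```python
import configparser

# Constructed sample; the [PROXY] section name and all values are assumptions.
SAMPLE = """CPMCONFIG
[SERVER]
user=cpmadmin
volume_option=existing
volume_size=10
volume_id=vol-0123456789abcdef0
snapshot_id=snap-0123456789abcdef0
[PROXY]
proxy_server=proxy.example.internal
proxy_user=svc-cpm
proxy_password=constructed-secret
"""

def lint_user_data(text):
    """Return a list of findings for a CPM silent-configuration file."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or lines[0].strip() != "CPMCONFIG" or lines[1].strip() != "[SERVER]":
        return ["first two lines must be CPMCONFIG and [SERVER]"]
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read_string("\n".join(lines[1:]))  # the ini part starts at [SERVER]
    except configparser.Error as exc:
        return [f"not valid ini: {exc}"]
    srv, out = cfg["SERVER"], []
    option = srv.get("volume_option", "")
    if option == "new":
        if not srv.get("volume_size", "0").isdigit():
            out.append("volume_size must be a whole number of GB")
        for key in ("volume_id", "snapshot_id"):
            if key in srv:
                out.append(f"{key} is only used with volume_option=existing")
    elif option == "existing":
        if "volume_size" in srv:
            out.append("volume_size is only used with volume_option=new")
        if "volume_id" in srv and "snapshot_id" in srv:
            out.append("snapshot_id is ignored because volume_id is present")
    else:
        out.append("volume_option must be 'new' or 'existing'")
    # Look in every section, since the proxy section name is not known here.
    for section in cfg.sections():
        if cfg[section].get("proxy_password"):
            out.append("proxy_password is stored in clear text in instance user data")
    return out
```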