Leverage Your EMC Storage Investment with User Provisioning for Syncplicity
Automate and simplify Syncplicity user/group management tasks

EMC Global Solutions

Abstract

Make the most of your existing EMC storage footprint by delivering enterprise file sync and share capabilities via Syncplicity. This product guide provides information about the features, functionality, and deployment of the EMC user provisioning application for Syncplicity, which provides a simple solution for onboarding and managing users.

October 2015
Copyright 2015 EMC Corporation. All rights reserved. Published in the USA.

Published October 2015

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

Part Number H14529
Contents

Chapter 1 Introduction
  Purpose of this guide
  Business value
  Audience
Chapter 2 Application Overview
  Application architecture
  Key components
    Active Directory
    User Provisioning Application
    Developer API Portal
    Syncplicity API Gateway
    Syncplicity orchestration
  EMC user provisioning application for Syncplicity
    Overview
    CREATE
    READ
    UPDATE
    DELETE
  Deploying the application
    Deployment prerequisites
    Manual deployment process
    Automatic deployment process
    Monitor Application log
  Configuration
    Prerequisites
    Configuration process
Chapter 3 References
  EMC documentation
  Syncplicity documentation
Chapter 1 Introduction

This chapter presents the following topics:
- Purpose of this guide
- Business value
- Audience
Purpose of this guide

The EMC user provisioning application for Syncplicity provides a simple solution for onboarding users to the EMC Syncplicity file sync and share solution. The user provisioning application is helpful for EMC partners and customers who plan to implement new accounts or migrate customers to the solution on EMC Atmos, EMC Isilon, EMC Elastic Cloud Storage (ECS) and EMC VNX storage systems.

This product guide introduces the application and provides the following information:
- A description of the architecture, functionality, and deployment of the application
- Instructions to add, remove, and manage Syncplicity users/groups

Business value

EMC partners can use the user provisioning application when implementing the Syncplicity file sync and share solution to onboard users from the corporate identity provider (IDP) without using third-party identity management applications. The user provisioning application offers the following business benefits:

- Reduced compliance risk and increased control: Businesses no longer need to expose their internal IDP to third-party single sign-on (SSO) and identity management software-as-a-service (SaaS) applications when implementing the Syncplicity file sync and share solution to onboard users in the Syncplicity account.

- Flexibility and ease of management: Leverage your existing EMC storage infrastructure and extend its value with the deployment of the Syncplicity file sync and share solution. Syncplicity combined with EMC storage solutions offers the unmatched flexibility and ease of use of cloud-based file sync and sharing with a secure, on-premises storage infrastructure based on EMC storage products, such as Atmos, Isilon, ECS, VNX, and the storage-defined software ViPR. The next release of this application will provide information on Active Directory integration and synchronization of users. The next release will also demonstrate how this application can be leveraged to offer users self-service sign-up for the Syncplicity file sync and share solution when deployed on-premises through Federation Enterprise Hybrid Cloud and other methods.

- Scalability and user productivity: Businesses with large-scale deployments of Syncplicity can benefit by quickly and efficiently scaling the application for hundreds of users. The automation increases the productivity of both IT administrators and end users.
Audience

This guide is intended for internal EMC personnel and qualified EMC partners. This guide assumes that EMC partners who intend to deploy the Syncplicity file sync and share solution are:
- Qualified by EMC to sell, install, and configure Syncplicity solutions
- Qualified to sell, install, and configure Atmos, Isilon, ECS, VNX, or ViPR
- Part of the Global Solutions professional services group
Chapter 2 Application Overview

This chapter presents the following topics:
- Application architecture
- Key components
- EMC user provisioning application for Syncplicity
- Deploying the application
Application architecture

Figure 1 shows the application architecture.

Figure 1. Application architecture

Key components

Active Directory

Active Directory user authentication confirms the identity of any user in the company. As part of the Syncplicity user onboarding process, you must export the user list from Active Directory, which requires access to their Syncplicity file sync and share account. The user list is exported from any IDP with the email, first name, and last name of the user in the form of a comma-separated values (.csv) file.

Note: The user list, including email, first name, and last name, can be exported from any IDP using the .csv file format.

User Provisioning Application

The user provisioning application was developed in Java and has a simple, easy-to-navigate front-end user interface to run the required CREATE, READ, UPDATE, and DELETE (CRUD) functions. The user provisioning application uses Syncplicity application programming interface (API) calls to interact with the orchestration layer. The user provisioning application can be deployed on any system that is exposed to the Internet.

Developer API Portal

The Syncplicity Developer API Portal provides step-by-step instructions for building applications using Syncplicity APIs. You need a Syncplicity Enterprise Edition (EE) license to use the Developer API Portal.
The user provisioning application must be registered from the MY APPS page in the Developer API Portal. Once the application is registered, the authorization keys (App Key and App Secret Key) are generated. Using these keys, the application can get authorization to make Syncplicity API calls.

The users APIs are provided to add, update, and delete users from the company account. The APIs are helpful for provisioning and onboarding users, as well as accessing the Syncplicity clients associated with a specific user.

For more information on Syncplicity API calls, you can log in to the Developer API Portal using Syncplicity login credentials.

Syncplicity API Gateway

The Syncplicity API Gateway enforces rate limiting to prevent abuse by third-party services, applications, and/or users that communicate with the Syncplicity orchestration layer. If an excessive level of API usage is reached, a 429 Too Many Requests error is returned with a standard HTTP Retry header. If back-to-back 429 error messages are received, we recommend implementing an exponential backoff algorithm for retrying, with the first retry starting after a minimum of 10 seconds.

Syncplicity orchestration

Syncplicity orchestration is a multitenant, cloud-based SaaS that is common across all Syncplicity customers, in which you are one of the customers' accounts. As a SaaS application, the orchestration layer frees IT departments from deployment and maintenance problems, delivers a constant stream of enhancements and innovations, and enables seamless enterprise collaboration across the extended enterprise.

The orchestration layer controls the sync process, enabling sharing of files and folders between users and devices. Orchestration includes authentication (unless delegated to Security Assertion Markup Language [SAML]/OpenID SSO), authorization, account administration, metadata management, sharing and collaboration of the web application, and the API.
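The retry behaviour recommended in the Syncplicity API Gateway section above, as an added Python example (not code from the EMC application or from Syncplicity). It assumes the retry header is the standard `Retry-After` header in either its seconds or HTTP-date form; the retry limit, the delay ceiling, the upward jitter and the `send` callable are choices made for this example.

```python
import random
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MIN_FIRST_RETRY_S = 10.0  # from the guide: first retry no sooner than 10 seconds
MAX_DELAY_S = 300.0       # assumption: ceiling for the exponential term
MAX_RETRIES = 5           # assumption: give up after this many retries


def retry_after_seconds(headers, now=None):
    """Return the Retry-After hint in seconds, or None if absent or unparseable."""
    value = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():                      # delta-seconds form
        return float(value)
    try:                                     # HTTP-date form
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())


def backoff_delay(attempt, headers, rng=random.random):
    """Seconds to wait before retry number `attempt` (1-based)."""
    base = min(MAX_DELAY_S, MIN_FIRST_RETRY_S * 2 ** (attempt - 1))
    delay = base * (1.0 + 0.25 * rng())      # jitter only upward: never below the floor
    hint = retry_after_seconds(headers)
    return delay if hint is None else max(delay, hint)


def call_with_backoff(send, sleep=time.sleep, rng=random.random):
    """Call send() until it returns a non-429 status or retries are exhausted.

    `send` is a hypothetical callable returning (status, headers, body).
    """
    for attempt in range(1, MAX_RETRIES + 2):
        status, headers, body = send()
        if status != 429:
            return status, body
        if attempt > MAX_RETRIES:
            break
        sleep(backoff_delay(attempt, headers, rng))
    raise RuntimeError(f"still rate-limited after {MAX_RETRIES} retries")


def demo():
    """Constructed exchange: two 429 responses, then success; sleeps are recorded, not performed."""
    responses = iter([
        (429, {}, ""),
        (429, {"Retry-After": "60"}, ""),
        (200, {}, "ok"),
    ])
    slept = []
    result = call_with_backoff(lambda: next(responses), sleep=slept.append, rng=lambda: 0.0)
    return result, slept


if __name__ == "__main__":
    print(demo())
```

Bulk CREATE, UPDATE and DELETE jobs are the likeliest callers to hit the limit, so a wrapper of this kind belongs around every API call a job makes rather than around the job as a whole.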
EMC user provisioning application for Syncplicity

Overview

The application provides CREATE, READ, UPDATE, and DELETE (CRUD) functions to maintain user/group resources on your SaaS-based Syncplicity account using Syncplicity API calls. Figure 2 provides an overview of the application.
Figure 2. Application overview

Figure 3 shows the application user interface. You can browse to http://localhost:8080/syncplicityuserprovisioningapp/home.xhtml to view the user interface after starting the JBoss application server, as outlined in Configuration process.
Figure 3. Application interface

CREATE

The CREATE function creates Syncplicity user accounts in bulk using a .csv file, which is the user list exported from your IDP/Active Directory.

A common use for the CREATE function is the periodic onboarding of Syncplicity users during the implementation of the new Syncplicity account at a customer site. Using the CREATE function prevents exposing a customer's IDP data through the use of third-party cloud-based applications during the onboarding process.

To use this function:

1. Obtain the keys, as stated in Configuration process.
2. Select CREATE_USER for the Job Name.
3. Click Upload CSV file to upload the user list.
4. Select LimitedBusiness for the Account Type for Creating User.
5. Click Retrieve Groups to select the group.
6. Click Schedule Job, as shown in Figure 4.
Figure 4. New user provisioning job for CREATE_USER function

Figure 5 shows the Job Scheduled Successfully window.

Figure 5. Job Scheduled Successfully window

7. Select the scheduled job and click Run Job.
8. Click Refresh to see the updated status, as shown in Figure 6. The status should be EXECUTING, followed by COMPLETED.
Figure 6. Completed CREATE_USER job

9. Log in to https://my.syncplicity.com/ and check the user accounts/group to ensure that the user accounts were created successfully.

Note: You can enable Silent Onboarding (auto-activate users and suppress the Welcome/Activation email) by configuring the existing SSO setup in the Syncplicity account. Select Admin > Settings > Custom domain and single sign-on.

READ

The READ function reads the Syncplicity account user/group information, which you can then view in one of the following ways:
- You can view the information on-screen, page by page.
- You can download the information using the .csv file download button from the home page.

Common uses for the READ function include:
- Obtaining Syncplicity account user information for a specific purpose, such as the number of Syncplicity user lists
- Inputting information for other analytical software for billing and collaboration functionalities
- Determining how many users in a group have Syncplicity accounts. This information is useful, for example, if groups are charged based on the number of Syncplicity user accounts in that group.

To use this function:

1. Obtain the keys, as stated in Configuration process.
2. Select READ_USER for the Job Name.
3. Click Schedule Job, as shown in Figure 7.
Figure 7. New user provisioning job for READ_USER function

4. Select the scheduled job from the home page.
5. Click Run Job to run the scheduled job.

Note: After the READ_USER job is scheduled successfully, the job status automatically changes to COMPLETED, as shown in Figure 8. Do not run the READ job.

Figure 8. Completed READ_USER job
6. Select the Job ID, and then select Retrieve All Users or Retrieve Group (depending on your requirement), as shown in Figure 9.
   - If you select Retrieve All Users, the user information shows in the user list, and you can view the information page-by-page or download the information by clicking the .csv file button.
   - If you select Retrieve Group, you must select the specific group whose users you want to list. The user information shows in the user list, and you can view the information page-by-page or download the information by clicking the .csv file button.

Figure 9. Retrieve all users or groups

UPDATE

The UPDATE function updates the Syncplicity account user/group information. Common uses for the UPDATE function include:
- Moving users from one group to another group, for example, to associate them with a group that has a larger storage set
- Associating users with multiple groups so that users from different groups can collaborate with one another
- Enabling or disabling user accounts

To use this function:

1. Obtain the keys, as stated in Configuration process.
2. Select UPDATE_USER for the Job Name.
3. Select an option for the Update Users Task Type, as shown in Figure 10.
Figure 10. New user provisioning job for UPDATE_USER function

4. Click Upload CSV file to upload the user list, as shown in Figure 11.
5. Click Retrieve Groups to select the group.

Figure 11. New user provisioning job for UPDATE_USER function

6. Click Schedule Job. Figure 12 shows the Job Scheduled Successfully window.
Figure 12. Job Scheduled Successfully window

7. Select the scheduled job and click Run Job.
8. Click Refresh to see the updated status. The status should be EXECUTING, followed by COMPLETED, as shown in Figure 13.

Figure 13. Completed UPDATE_USER job

9. Log in to https://my.syncplicity.com/ and check the user accounts/group to ensure that the accounts were created successfully.

DELETE

The DELETE function deletes Syncplicity user accounts in bulk using the .csv file or a text file with the users' email addresses. This function permanently removes the user accounts from Syncplicity. It also removes the data on all devices associated with the accounts, depending on the policy set up. This information is not recoverable.

Common uses for the DELETE function include:
- Deleting users in bulk from a Syncplicity account. For example, if employees leave the company, their accounts are rarely, if ever, deleted. However, all employee accounts are disabled when they leave active service from a company. The company can then decide to permanently delete the employees from the Syncplicity account.
- Saving time when deleting users in bulk. The Syncplicity Administration Console is not scalable when deleting users; using this application to semiautomate the process provides a faster way to purge users in bulk.

To use this function:

1. Obtain the keys, as stated in Configuration process.
2. Select DELETE_USER for the Job Name.
3. Click Upload CSV file to upload the user list.
4. Click Schedule Job, as shown in Figure 14.

Figure 14. New user provisioning job for DELETE_USER function

5. Select the scheduled job and click Run Job, as shown in Figure 15.

Figure 15. Run the scheduled job
6. Confirm the job to be run by selecting the warning message, as shown in Figure 16.

Figure 16. Confirm run job

Figure 17 shows the Job Scheduled Successfully window.

Figure 17. Job Scheduled Successfully window

7. Click Refresh to see the updated status. The status should be EXECUTING, followed by COMPLETED.
8. Log in to https://my.syncplicity.com/ and check the user accounts/group to ensure that the user accounts were created successfully.

Deploying the application

Deployment prerequisites

Table 1 lists the software requirements for deploying the application.
Table 1. Deployment prerequisites

Description: Java Development Kit (JDK) 1.7
Action: You must install JDK 1.7 before deploying the application.

Description: JBoss application server/WildFly server
Action: Download the JBoss application server: http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Final.zip

Note: You can also use the Automatic deployment process to deploy the application.

Manual deployment process

To deploy the application manually:

1. Download and install the deployment prerequisites listed in Table 2.
2. Install the JBoss application servers and configure the derby database as follows.
   a. Create a \derby\main folder in: c:\<user-pro-app>\jboss-as-7.1.1.Final\jboss-as-7.1.1.Final\modules\org\apache\.
      For example, C:\user-pro-app\jboss-as-7.1.1.Final\jboss-as-7.1.1.Final\modules\org\apache\derby\main
   b. Place the following files in the folder created in Step 2a:
      i. module.xml: In Adobe Reader, click the Attachments icon. Under Attachments, double-click the attached file to open and save the file.
      ii. derby.jar file: Download the file from http://mvnrepository.com/artifact/org.apache.derby
   c. Place the application library .war file in the following directory: c:\user-pro-app\jboss-as-7.1.1.final\jboss-as-7.1.1.Final\standalone\deployments
   d. Use the standalone.xml file to replace the existing standalone.xml file. In Adobe Reader, click the Attachments icon. Under Attachments, double-click the attached file to open and save the file.
3. Edit the standalone.xml file to add the database location as c:\user-pro-app:
   a. Edit the database location, that is, open the standalone.xml file in the editor, and search for:
      <connection-url>jdbc:derby:c:\user-pro-app;create=true</connection-url>
   b. Replace with the location where you want to store the database files. For example: c:\cuser-pro-app
4. Create a folder named Uploads in the following directory: c:\user-pro-app\jboss-as-7.1.1.final\jboss-as-7.1.1.final
5. Open the command prompt and browse to the following location: c:\user-pro-app\jboss-as-7.1.1.final\jboss-as-7.1.1.final\bin
6. Type the following command to start the server:
      standalone.bat -b=<ipaddress of system where installed>
7. Open the following URL: http://<ip-address of the system where JBoss is installed>:<port# (8080)>/SyncplicityUserProvisioningApp/csvSUP.xhtml

Automatic deployment process

To deploy the application using the automation tool:

1. Install JDK 1.7 or higher.
2. Download jboss-as-7.1.1.final from http://jbossas.jboss.org/downloads.
3. Select the zip file, as shown in Figure 18.

Figure 18. Download the zip file

4. Unzip the downloaded file.
5. Use the Server SUP_Server_Config.jar file to configure the server:
   a. Open the .jar file, either by double-clicking on the file or by right-clicking and opening the Java SE Platform library, as shown in Figure 19.
Figure 19. Open the .jar file

   b. Enter the location of the file, i.e., the unzipped location of jboss-as-7.1.1.Final, as shown in Figure 20.
Figure 20. File location

   c. Enter the database name.
   d. Enter the location of the derby.jar file.
   e. Copy the derby.jar file to the desired location.
   f. Enter the location where you need to store the database files.
   g. Click Configure.

To start the server:

1. Copy the .war file to SyncplicityUserProvisioningApp.war.
2. Select the Start Server tab.
3. Enter the port number and IP address of the system.
4. Click Start Server. The command prompt opens and the server starts after a few seconds.
5. Go to http://<ip Address of system>:<port-no>/SyncplicityUserProvisioningApp to access the application.

Note: The automation tool also provides an option to remove the configuration and add a new configuration. To remove the configuration, click Remove Configuration.

Monitor Application log

All application transactions are logged in the following log file. This file can be viewed in Notepad for debugging issues.
C:\API deployment\jboss-as-7.1.1.final\jboss-as-7.1.1.final\standalone\log\server.log.2015-09-07

Configuration

Prerequisites

Table 2 lists the software configuration requirements for the application.

Table 2. Functional prerequisites

Requirement: Syncplicity EE license
Notes: You need a Syncplicity EE account to use the Syncplicity Developer API portal.
Action: If you do not have a license, you must obtain one before using the application.

Requirement: Application registration
Notes: Register the application in the Syncplicity Developer Portal.
Action: Complete the steps in Configuration process.

Requirement: Edited user list
Notes: Obtain a .csv file user list exported from Active Directory. Edit the .csv file so that it contains email address, first name, and last name headers (case sensitive), and remove the remaining information.
Action: Edit the .csv file with email address, first name, and last name headers (case sensitive) and remove the rest of the information.

Configuration process

To configure the application:

1. Log in to the Syncplicity Developer Portal using your Syncplicity login credentials.

   Note: Only Syncplicity EE users are allowed to log in to the Developer Portal. Once you have successfully logged in for the first time, the Syncplicity Developer Portal automatically creates an EE sandbox account for developing and testing your application.

2. Select MY APPS > CREATE APP to register your application.
3. Type the following information:
   a. A unique name for your application.
   b. A description for your application. Note that this description is critical when you publish your application for production. The Syncplicity support team will review this information before approving the application.
   c. (Optional) Upload a 256x256 or 512x512 pixel icon for your application.
   d. Mark the box to accept the API Terms of Use and License.
   e. Click Save.

   Once the application is registered, the App Key and App Secret are generated, as shown in Figure 21.
Figure 21. MY APPS page

4. Publish your application.

   By default, all new applications are created in the Development Phase. This phase allows you to develop and test your application against your sandbox account. Once you have built, tested, and debugged your application, click APPLY FOR PRODUCTION from the MY APPS > Settings page. Your application will be reviewed by the Syncplicity team before being approved for the Production Phase. Once in production, you can continue to log in to the Developer Portal and monitor your application using metrics.

   Once your application is approved for production, you cannot change the settings for your application. To make changes, you must recall your application and downgrade it back to the developer phase. You can then apply your changes and resubmit the application for production.

   Note: Since the application is already tested, you can either move from the development phase to the production phase, or you can run tests using your sandbox account before moving to the production phase after registering the application.

5. Obtain the application token.
   As shown in Figure 22, you can obtain the application token once you log in to your sandbox account or Production account.

Figure 22. Manage Your Account page

6. Obtain and modify the user list:
   a. Type the following command to export the user list in the form of a .csv file from the Active Directory:

      CSVDE -m -f export4.csv -r "(&(objectclass=user)(objectcategory=person))" -l "objectclass,e-mail,givenname,sn"

   b. Edit the first three column headers in the .csv file as emailaddress, firstname, and lastname in the same order, as shown in Figure 23. The .csv file is case sensitive. The rest of the information can be deleted, and the result saved as a .csv file.
Figure 23. create_users_csv_file_new.csv

7. Go to http://<ipaddress of the system where JBoss is installed>:8080/syncplicityuserprovisioningapp/home.xhtml
8. Click User Provision.
9. Click Create New Job.
10. Type the App Key, App Secret Key, and Syncplicity Application token to get authorization and establish communication with the Syncplicity API portal to run the user provision functionalities against the Syncplicity orchestration account.
11. Select MY APPS > METRICS to monitor your application usage metrics, as shown in Figure 24.

Figure 24. MY APPS > METRICS page
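Step 6 above and the "Edited user list" row of Table 2, done in code rather than by hand; this is an added Python example, not part of the EMC application. Only the three output headers and their order come from the guide; the source column names it looks for (`e-mail` or `mail`, `givenname`, `sn`), the sample export, and the rules that reject blank, malformed or duplicate addresses and missing names are assumptions made here.

```python
import csv
import io
import re

# From the guide: exactly these headers, lower case, in this order.
TARGET_HEADERS = ["emailaddress", "firstname", "lastname"]
# Assumption: names the source columns may carry in the export (matched case-insensitively).
SOURCE_COLUMNS = {
    "emailaddress": ("e-mail", "mail"),
    "firstname": ("givenname",),
    "lastname": ("sn",),
}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample export; not real directory data.
SAMPLE_EXPORT = """\
DN,objectClass,mail,givenName,sn
"CN=Ana Ruiz,OU=Staff,DC=example,DC=com",top;person;organizationalPerson;user,ana.ruiz@example.com,Ana,Ruiz
"CN=Svc Backup,OU=Service,DC=example,DC=com",top;person;organizationalPerson;user,,Svc,Backup
"CN=Ana R,OU=Staff,DC=example,DC=com",top;person;organizationalPerson;user,Ana.Ruiz@example.com,Ana,R
"CN=Bo Li,OU=Staff,DC=example,DC=com",top;person;organizationalPerson;user,bo.li@example.com,Bo,Li
"""


def build_user_list(export_text):
    """Return (csv_text, rejected) where rejected is a list of (line, reason)."""
    reader = csv.DictReader(io.StringIO(export_text))
    if reader.fieldnames is None:
        raise ValueError("export is empty")
    by_lower = {name.strip().lower(): name for name in reader.fieldnames}
    column_for = {}
    for target, candidates in SOURCE_COLUMNS.items():
        match = next((by_lower[c] for c in candidates if c in by_lower), None)
        if match is None:
            raise ValueError(f"export has no column for {target}")
        column_for[target] = match

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(TARGET_HEADERS)
    seen, rejected = set(), []
    for row in reader:
        line = reader.line_num
        email, first, last = ((row.get(column_for[t]) or "").strip() for t in TARGET_HEADERS)
        if not EMAIL_RE.match(email):
            rejected.append((line, "missing or malformed email"))
        elif email.lower() in seen:
            rejected.append((line, "duplicate email"))
        elif not first or not last:
            rejected.append((line, "missing name"))
        else:
            seen.add(email.lower())
            writer.writerow([email, first, last])   # every other column is dropped
    return out.getvalue(), rejected


if __name__ == "__main__":
    text, skipped = build_user_list(SAMPLE_EXPORT)
    print(text, skipped)
```

Reviewing the rejected rows before scheduling a job matters most for DELETE_USER, where the guide states the removal is not recoverable.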
Chapter 3 References

This chapter presents the following topics:
- EMC documentation
- Syncplicity documentation
EMC documentation

The following documents, located on EMC Online Support or EMC.com, provide additional and relevant information:
- EMC Syncplicity File Sync and Share Solution Reference Architecture Guide
- EMC Syncplicity File Sync and Share Solution Design Guide
- EMC Syncplicity File Sync and Share Solution with EMC Atmos Storage Implementation Guide
- EMC Syncplicity File Sync and Share Solution with EMC Isilon Scale-Out NAS Implementation Guide
- EMC Syncplicity File Sync and Share Solution with EMC VNX Storage Implementation Guide

Syncplicity documentation

The following documents, located on https://support.syncplicity.com, provide additional and relevant information:
- https://developer.syncplicity.com/
- https://my.syncplicity.com/