====== Spectrum Protect cloud container storage pools (Azure, S3, ...) ======
As cloud container storage pools can be slow to destage data, it is recommended to use a disk cache to hold the daily backups.
===== Validate the connection to S3 storage =====
The user name and password are provided by the S3 storage.
Here are two connection tests; the first succeeds and the second fails:
Protect: ISP2>validate cloud CLOUDType=S3 CLOUDUrl=HTTPS://s3.local.lu:9021 IDenti=isp2-p-s3-admin PAssword=xxxxxxxxxxxxxxxxxxxxxx BUCKETName=isp2-p-arc3
ANR3557I The cloud service provider URL and credentials were verified.
Protect: ISP1>validate cloud CLOUDType=S3 CLOUDUrl=HTTPS://s3.local.lu:9021 IDenti=isp11-t-s3-admin PAssword=xxxxxxxxxxxxxxxxxxxxx BUCKETName=isp2-t-arc3
ANR3556E The server cannot connect to the cloud service provider with the specified cloud URL of HTTPS://s3.local.lu:9021 when using the cloud ID of
isp2-t-s3-admin and its password.
ANS8001I Return code 41.
===== Create a Cloud stgpool =====
Protect: isp2>def stgpool COS01 stgtype=cloud pooltype=primary cloudtype=S3 cloudlocation=onpremise CLOUDUrl=HTTPS://s3.local.lu:9021|HTTPS://s3_01.local.lu:9021|HTTPS://s3_02.local.lu:9021 IDenti=isp2-t-s3-admin PAssword=xxxxxxxxxxxxxxxxxxxxx CLOUDLocation=ONPREMISE bucketname=isp2-t-arc3 ACCess=READWrite encrypt=yes compress=yes CLOUDSTORAGEClass=Default
Protect: ISP2>q stg COS01 f=d
Storage Pool Name: COS01
Storage Pool Type: Primary
Device Class Name:
Storage Type: CLOUD
Cloud Type: S3
Cloud URL: HTTPS://s3.local.lu:9021|HTTPS://s3_01.local.lu:9021|HTTPS://s3_02.local.lu:9021
Cloud Identity: isp2-t-s3-admin
Cloud Location: ONPREMISE
Estimated Capacity:
Space Trigger Util:
Pct Util:
...
Cloud Space Allocated (MB): 0
Cloud Space Utilized (MB): 0
Bucket Name: isp2-t-arc3
Local Estimated Capacity: 0.0 G
Local Pct Util: 0.0
Local Pct Logical: 0.0
Cloud Storage Class: Default
Remove Restored Cpy Before End of Life:
===== Add cache to Cloud stgpool =====
This is highly recommended because S3 storage is slow.
Protect: isp2>def stgpooldir COS01 /isp2/pool/COS0101
Protect: ISP2>q stg COS01 f=d
Storage Pool Name: COS01
...
Local Estimated Capacity: 15.0 G
===== Add a certificate for the connection =====
There are two ways to add a certificate:
* manually; you may lose it at every Spectrum Protect upgrade
* put it into a folder that is checked at every Spectrum Protect start; the certificates found there are added to the keystore automatically
==== Get the S3 certificate ====
[root@isp2]/opt/tivoli/tsm/jre/lib/security # openssl s_client -showcerts -connect s3.local.lu:9021 < /dev/null
CONNECTED(00000003)
depth=0 CN = DataService
....
i:/CN=DataService
-----BEGIN CERTIFICATE-----
GGf3hsS85DxXt6izIUQVdNxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
-----END CERTIFICATE-----
---
Server certificate
...
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Create a folder called **certs** in the Spectrum Protect home folder (the home directory of the user that owns the instance).
For example:
mkdir /home/tsminst1/certs
Now put the S3 storage certificate into a file in this directory (you can have multiple files):
# cat /home/tsminst1/certs/s3_local_lu.crt
-----BEGIN CERTIFICATE-----
GGf3hsS85DxXt6izIUQVdNxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
-----END CERTIFICATE-----
If the folder is in the right place, stopping and starting the TSM server automatically imports the certificates into the keystore **/opt/tivoli/tsm/jre/lib/security/cacerts**.
To import the certificates manually from the command line, you have to answer "yes" when asked whether to trust the certificate:
# /opt/tivoli/tsm/jre/bin/keytool -import -keystore /opt/tivoli/tsm/jre/lib/security/cacerts -alias S3_local_lu -file /home/tsminst1/certs/s3_local_lu.crt -storepass changeit
...
Trust this certificate? [no]: yes
Certificate was added to keystore
Check if the certificate exists:
# /opt/tivoli/tsm/jre/bin/keytool -list -v -keystore /opt/tivoli/tsm/jre/lib/security/cacerts -storepass chan
Alias name: digicertassuredidrootca
Alias name: comodorsaca
...
Alias name: S3_local_lu
**You have to stop and start the TSM server.**
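The certs-folder step above, as an added example that is not part of the original page or of Spectrum Protect: a Python helper that splits `openssl s_client -showcerts` output into one .crt file per chain entry, marks self-signed entries and computes the SHA-256 fingerprint to compare with what `keytool -list -v` shows before trusting it. The host tag, the file naming and the sample output are constructed assumptions.

```python
import base64
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

# One chain entry as `openssl s_client -showcerts` prints it: depth line with subject ("s:"), issuer line ("i:"), PEM block
ENTRY = re.compile(
    r"^\s*(?P<depth>\d+) s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)

def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, colon-separated as keytool -list -v shows it, to compare before trusting."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_chain(showcerts_output: str) -> list[dict]:
    """Chain entries in the order the server sent them (depth 0 is the endpoint certificate)."""
    entries = []
    for m in ENTRY.finditer(showcerts_output):
        subject, issuer = m["subject"].strip(), m["issuer"].strip()
        entries.append({
            "depth": int(m["depth"]), "subject": subject, "issuer": issuer,
            "self_signed": subject == issuer,  # true for a private CA root or a self-signed endpoint
            "pem": m["pem"] + "\n", "fingerprint": sha256_fingerprint(m["pem"]),
        })
    return entries

def write_certs(entries: list[dict], certs_dir: Path, host_tag: str) -> list[Path]:
    """One .crt file per chain entry in the certs folder the server imports at startup (naming is assumed)."""
    certs_dir.mkdir(parents=True, exist_ok=True)
    paths = [certs_dir / f"{host_tag}_{e['depth']}.crt" for e in entries]
    for path, e in zip(paths, entries):
        path.write_text(e["pem"])
    return paths

# Constructed sample with the shape of the real output; the base64 body is NOT a real certificate
FAKE_DER = b"constructed sample bytes, not a real X.509 certificate"
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\ndepth=0 CN = DataService\n---\nCertificate chain\n"
    " 0 s:/CN=DataService\n   i:/CN=DataService\n-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode() + "-----END CERTIFICATE-----\n---\nServer certificate\n"
)

if __name__ == "__main__":
    for e in parse_chain(SAMPLE_OUTPUT):
        print(e["depth"], e["subject"], "self-signed" if e["self_signed"] else "issuer " + e["issuer"], e["fingerprint"])
    print(write_certs(parse_chain(SAMPLE_OUTPUT), Path(tempfile.mkdtemp()), "s3_local_lu"))
```

When the endpoint certificate is issued by a private CA, importing the entry whose subject equals its issuer (the CA) rather than the depth-0 certificate keeps working after the endpoint certificate is renewed; in the sample chain the endpoint is self-signed, so both are the same file.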
===== Syntax =====
>>-DEFine STGpool--pool_name--STGType--=--CLoud----------------->
.-POoltype--=--PRimary-.
>--+----------------------+--+-----------------------------+---->
'-POoltype--=--PRimary-' '-DESCription--=--description-'
.-CLOUDType--=--SWift-------------.
>--+---------------------------------+-------------------------->
'-CLOUDType--=--+-AZure---------+-'
+-S3------------+
+-IBMCLoudswift-+
+-SWift---------+
'-V1Swift-------'
(1)
>--CLOUDUrl--=--cloud_url--IDentity--=--cloud_identity---------->
>--PAssword--=--password---------------------------------------->
.-CLOUDLocation--=--OFfpremise-----.
>--+----------------------------------+------------------------->
'-CLOUDLocation--=--+-OFfpremise-+-'
'-ONpremise--'
>--+--------------------------------+--------------------------->
| (2) |
'-BUCKETName--=--bucket_name-----'
.-ACCess--=--READWrite-------.
>--+----------------------------+------------------------------->
'-ACCess--=--+-READWrite---+-'
+-READOnly----+
'-UNAVailable-'
.-MAXWriters--=--NOLimit-------------.
>--+------------------------------------+----------------------->
'-MAXWriters--=--+-NOLimit---------+-'
'-maximum_writers-'
.-REUsedelay--=--1----. .-ENCRypt--=--Yes---------.
>--+---------------------+--+-------------------------+--------->
'-REUsedelay--=--days-' | (3) |
'-ENCRypt--=--+-Yes-+-----'
'-No--'
.-COMPRession--=--Yes-----.
>--+-------------------------+---------------------------------><
'-COMPRession--=--+-Yes-+-'
'-No--'
=== Example: ===
define stgpool cloudstg01 stgtype=cloud cloudtype=swift cloudurl=http://123.234.123.234:5000/v2.0 identity=admin:admin password=protect8991 maxwr=99 reusedelay=2
=== Example: ===
Define local storage for a cloud-container storage pool
Create a storage pool directory that is named DIR3 in a cloud-container storage pool that is named CLOUDLOCALDISK1.
Protect> define stgpooldirectory cloudstg01 c:\storage\dir3
===== Advanced debug =====
==== Tracing ====
Start the trace:
Protect: ISP1>trace disable *
Protect: ISP1>trace enable SDCLOUD SDCLOUDJ SDCLOUDDETAIL CLOUDDETAIL ADDMSG
Protect: ISP1>trace begin /tmp/trace.txt maxsize=4000
==== S3 algorithm ====
Check which TLS protocol versions and cipher suites the S3 storage offers:
# nmap -p 443 -Pn 10.10.10.10 --script +ssl-enum-ciphers
Starting Nmap 6.40 ( http://nmap.org ) at 2022-01-13 14:41 CET
Nmap scan report for xxxxxxxxxxx (xxxxxxxxxx)
Host is up (0.00091s latency).
PORT STATE SERVICE
443/tcp open xxxxxxxxxxx
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
It returns "TLS_RSA_WITH_AES_128_CBC_SHA256" among the TLSv1.2 ciphers. This is the cipher that was disabled in our v8.1.10, v8.1.11 and v8.1.12.0 code.
# for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
> for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
> openssl s_client -connect s3.local.lu:9021 \
> -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
> done
> done
tls1_2: DHE-RSA-AES256-GCM-SHA384
tls1_2: AES256-GCM-SHA384
tls1_2: AES256-SHA256
tls1_2: DHE-RSA-AES128-GCM-SHA256
tls1_2: AES128-GCM-SHA256
tls1_2: AES128-SHA256
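Added example, not from the page's author or from IBM: a Python cross-check of the two scans above that parses nmap's ssl-enum-ciphers list, converts the IANA suite names to the OpenSSL names the s_client loop prints, flags static-RSA (no forward secrecy) and CBC suites such as the TLS_RSA_WITH_AES_128_CBC_SHA256 mentioned above, and reports any suite one tool saw and the other did not. The IANA-to-OpenSSL rule is assumed to cover only the RSA/DHE/ECDHE AES families seen on this endpoint.

```python
import re

# nmap ssl-enum-ciphers output: a "| <proto>:" header, then one "| <IANA suite> - <strength>" line per cipher
PROTO_LINE = re.compile(r"^\|\s*(TLSv1(?:\.\d)?|SSLv\d):\s*$")
CIPHER_LINE = re.compile(r"^\|\s*(TLS_[A-Z0-9_]+)\s+-\s+(\w+)")

def parse_enum_ciphers(nmap_output: str) -> dict[str, list[str]]:
    """Map each protocol version nmap lists to its IANA suite names."""
    suites, proto = {}, None
    for line in nmap_output.splitlines():
        if m := PROTO_LINE.match(line):
            proto = m.group(1)
            suites.setdefault(proto, [])
        elif proto and (m := CIPHER_LINE.match(line)):
            suites[proto].append(m.group(1))
    return suites

def iana_to_openssl(name: str) -> str:
    """IANA -> OpenSSL naming, valid for the RSA/DHE/ECDHE AES suites this endpoint offers (assumed scope)."""
    kx, _, rest = name.removeprefix("TLS_").partition("_WITH_")
    rest = rest.replace("AES_128", "AES128").replace("AES_256", "AES256").replace("_CBC", "")
    kx = "" if kx == "RSA" else kx  # static RSA key exchange has no prefix in OpenSSL names
    return "-".join(p for p in (kx, rest) if p).replace("_", "-")

def weak_points(name: str) -> list[str]:
    """What a reviewer flags: static RSA key exchange (no forward secrecy) and CBC (non-AEAD) record protection."""
    flags = [] if name.startswith(("TLS_DHE_", "TLS_ECDHE_")) else ["no forward secrecy"]
    return flags + (["CBC, not AEAD"] if "_CBC_" in name else [])

def cross_check(nmap_output: str, openssl_loop_output: str) -> tuple[set[str], set[str]]:
    """Suites nmap listed but the openssl s_client loop did not negotiate, and vice versa."""
    from_nmap = {iana_to_openssl(n) for names in parse_enum_ciphers(nmap_output).values() for n in names}
    from_openssl = {line.split(":", 1)[1].strip() for line in openssl_loop_output.splitlines() if ":" in line}
    return from_nmap - from_openssl, from_openssl - from_nmap

# Sample inputs: the suite lists from the two scans above (nmap's indentation is lost on the page; regexes tolerate it)
NMAP_OUTPUT = "| TLSv1.2:\n| ciphers:\n" + "\n".join(
    f"| {s} - strong" for s in ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384")) + "\n|_ least strength: strong"
OPENSSL_LOOP_OUTPUT = ("tls1_2: DHE-RSA-AES256-GCM-SHA384\ntls1_2: AES256-GCM-SHA384\ntls1_2: AES256-SHA256\n"
                       "tls1_2: DHE-RSA-AES128-GCM-SHA256\ntls1_2: AES128-GCM-SHA256\ntls1_2: AES128-SHA256")

if __name__ == "__main__":
    for n in parse_enum_ciphers(NMAP_OUTPUT)["TLSv1.2"]:
        print(n, "->", iana_to_openssl(n), weak_points(n) or "ok")
    print("mismatch (nmap only, openssl only):", cross_check(NMAP_OUTPUT, OPENSSL_LOOP_OUTPUT))
```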