ibm spectrum protect for linux: installation guide...2010/08/01 · chapter 4. installing an ibm...

IBM Spectrum Protectfor LinuxVersion 8.1.10

Installation Guide

IBM

Note:

Before you use this information and the product it supports, read the information in “Notices” on page191.

This edition applies to version 8, release 1, modification 10 of IBM Spectrum® Protect (product numbers 5725-W98,5725-W99, 5725-X15), and to all subsequent releases and modifications until otherwise indicated in new editions.© Copyright International Business Machines Corporation 1993, 2020.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract withIBM Corp.

Contents

About this publication..........................................................................................viiWho should read this guide........................................................................................................................viiInstallable components............................................................................................................................. viiPublications .............................................................................................................................................. viii

What's new.......................................................................................................... ix

Part 1. Installing and upgrading the server.............................................................1

Chapter 1. Planning to install the IBM Spectrum Protect server................................................................3What you should know first....................................................................................................................3What you should know about security before you install or upgrade the server................................. 3

Applying security updates................................................................................................................ 7Troubleshooting security updates..................................................................................................12

Planning for optimal performance....................................................................................................... 17Planning server hardware and operating system.......................................................................... 17Planning server database disks......................................................................................................21Planning server recovery log disks.................................................................................................23Planning container storage pools...................................................................................................24Planning DISK or FILE storage pools............................................................................................. 34Planning storage technology.......................................................................................................... 37Installation best practices..............................................................................................................39

Minimum system requirements........................................................................................................... 40Minimum Linux x86_64 server requirements................................................................................41Minimum Linux on System z server requirements.........................................................................44Minimum Linux on Power Systems (little endian) server requirements....................................... 47

Compatibility of the IBM Spectrum Protect server with other IBM Db2 products on the system.....49IBM Installation Manager.................................................................................................................... 50Worksheets for planning details for the server................................................................................... 51Capacity planning................................................................................................................................. 52

Database space requirements....................................................................................................... 52Recovery log space requirements..................................................................................................55Monitoring space utilization for the database and recovery logs..................................................66Deleting installation rollback files ................................................................................................. 67

Server naming best practices.............................................................................................................. 68Installation directories for the IBM Spectrum Protect server............................................................ 69

Chapter 2. Installing the server components........................................................................................... 71Obtaining the installation package...................................................................................................... 71Using the installation wizard................................................................................................................72Using the console installation wizard.................................................................................................. 73Using silent mode.................................................................................................................................73Installing server language packages................................................................................................... 74

Server language locales..................................................................................................................74Configuring a language package.....................................................................................................75Updating a language package........................................................................................................ 76

Chapter 3. Taking the first steps after you install IBM Spectrum Protect............................................... 77Tuning kernel parameters....................................................................................................................77

Updating parameters......................................................................................................................77

iii

Suggested settings .........................................................................................................................78Creating the user ID and directories for the server instance..............................................................78Configuring the IBM Spectrum Protect server.................................................................................... 80

Using the configuration wizard.......................................................................................................80Using the manual configuration steps............................................................................................81

Configuring server options for server database maintenance............................................................ 88Starting the server instance................................................................................................................. 89

Verifying access rights and user limits...........................................................................................89Starting the server from the instance user ID................................................................................91Automatically starting servers on Linux systems.......................................................................... 91Starting the server in maintenance mode......................................................................................93

Stopping the server.............................................................................................................................. 94Registering licenses............................................................................................................................. 94Preparing the server for database backup operations ....................................................................... 94Running multiple server instances on a single system....................................................................... 95Monitoring the server........................................................................................................................... 95

Chapter 4. Installing an IBM Spectrum Protect fix pack.......................................................................... 97

Chapter 5. Upgrading the server to V8.1................................................................................................ 101Upgrading to V8.1.............................................................................................................................. 101

Planning the upgrade....................................................................................................................102Preparing the system....................................................................................................................102Installing the server and verifying the upgrade...........................................................................104

Upgrading the server in a clustered environment.............................................................................107Upgrading IBM Spectrum Protect in a clustered environment .................................................. 107

Chapter 6. Reference: Db2 commands for server databases................................................................ 109

Chapter 7. Uninstalling IBM Spectrum Protect...................................................................................... 113Uninstalling IBM Spectrum Protect by using a graphical wizard......................................................113Uninstalling IBM Spectrum Protect in console mode....................................................................... 113Uninstalling IBM Spectrum Protect in silent mode...........................................................................114Uninstalling and reinstalling IBM Spectrum Protect.........................................................................114Uninstalling IBM Installation Manager..............................................................................................115

Part 2. Installing and upgrading the Operations Center.......................................117

Chapter 8. Planning to install the Operations Center.............................................................................119System requirements for the Operations Center.............................................................................. 119

Operations Center computer requirements................................................................................ 120Hub and spoke server requirements............................................................................................120Operating system requirements.................................................................................................. 123Web browser requirements..........................................................................................................123Language requirements................................................................................................................124Requirements and limitations for IBM Spectrum Protect client management services............124

Administrator IDs that the Operations Center requires....................................................................126IBM Installation Manager.................................................................................................................. 126Installation checklist..........................................................................................................................127

Chapter 9. Installing the Operations Center...........................................................................................131Obtaining the Operations Center installation package..................................................................... 131Installing the Operations Center by using a graphical wizard.......................................................... 131Installing the Operations Center in console mode........................................................................... 132Installing the Operations Center in silent mode............................................................................... 132

Encrypting passwords in silent installation response files......................................................... 133

iv

Chapter 10. Upgrading the Operations Center....................................................................................... 135

Chapter 11. Getting started with the Operations Center....................................................................... 137Configuring the Operations Center.................................................................................................... 137

Designating the hub server...........................................................................................................137Adding a spoke server.................................................................................................................. 138Sending email alerts to administrators........................................................................................139Adding customized text to the login screen................................................................................ 141Configuring the Operations Center web server to use the standard TCP/IP secure port...........142Enabling REST services................................................................................................................ 143

Configuring for secure communication............................................................................................. 143Between the Operations Center and the hub server................................................................... 143Between the hub server and a spoke server............................................................................... 145Between the Operations Center and web browsers....................................................................147Deleting and reassigning the password for the Operations Center truststore file..................... 158

Starting and stopping the web server................................................................................................160Opening the Operations Center......................................................................................................... 160Collecting diagnostic information with the client management service.......................................... 161

Installing the client management service by using a graphical wizard...................................... 161Installing the client management service in silent mode........................................................... 162Verifying the installation...............................................................................................................163Configuring the Operations Center to use the client management service................................ 164Starting and stopping the client management service................................................................165Uninstalling the client management service............................................................................... 166Configuring the client management service for custom client installations...............................166

Chapter 12. Troubleshooting the Operations Center installation..........................................................181Chinese, Japanese, or Korean fonts are displayed incorrectly........................................................ 181

Chapter 13. Uninstalling the Operations Center.....................................................................................183Uninstalling the Operations Center by using a graphical wizard...................................................... 183Uninstalling the Operations Center in console mode....................................................................... 183Uninstalling the Operations Center in silent mode........................................................................... 183

Chapter 14. Rolling back to a previous version of the Operations Center.............................................185

Appendix A. Installation log files........................................................................187

Appendix B. Accessibility...................................................................................189

Notices..............................................................................................................191Glossary............................................................................................................ 195

Index................................................................................................................ 197

v

About this publication

This publication contains installation and configuration instructions for the IBM Spectrum Protect server,server languages, license, and device driver.

Instructions for installing the Operations Center are also included in this publication.

Who should read this guideThis publication is intended for system administrators who install, configure, or upgrade the IBMSpectrum Protect server or Operations Center.

Installable componentsThe IBM Spectrum Protect server and licenses are required components.

These components are in several different installation packages.

Table 1. IBM Spectrum Protect installable components

IBM SpectrumProtect component

Description Additional information

Server (required) Includes the database,the Global Security Kit(GSKit), IBM® Java™Runtime Environment(JRE), and tools to helpyou configure andmanage the server.

“Installing IBM Spectrum Protect by using the installationwizard” on page 72

Language package(optional)

Each language package(one for each language)contains language-specific information forthe server.

See “Installing server language packages” on page 74.

Licenses (required) Includes support for alllicensed features. Afteryou install this package,you must register thelicenses you purchased.

Use the REGISTER LICENSE command.

Devices (optional) Extends mediamanagement capability.

A list of devices that are supported by this driver is availablefrom the IBM Support Portal.

© Copyright IBM Corp. 1993, 2020 vii

http://www.ibm.com/support/entry/portal/support

Table 1. IBM Spectrum Protect installable components (continued)

IBM SpectrumProtect component

Description Additional information

Storage agent(optional)

Installs the componentthat allows clientsystems to write datadirectly to, or read datadirectly from, storagedevices that are attachedto a storage areanetwork (SAN).

Remember: IBMSpectrum Protect forStorage Area Networks isa separately licensedproduct.

For more information about storage agents, see TivoliStorage Manager for Storage Area Networks (V7.1.1).

Operations Center(optional)

Installs the OperationsCenter, which is a web-based interface formanaging your storageenvironment.

See Part 2, “Installing and upgrading the OperationsCenter,” on page 117.

PublicationsThe IBM Spectrum Protect product family includes IBM Spectrum Protect Plus, IBM Spectrum Protect forVirtual Environments, IBM Spectrum Protect for Databases, and several other storage managementproducts from IBM.

To view IBM product documentation, see IBM Knowledge Center.

viii IBM Spectrum Protect for Linux: Installation Guide

http://www.ibm.com/support/knowledgecenter/SSSQZW_7.1.1/com.ibm.itsm.sta.doc/c_overview.htmlhttp://www.ibm.com/support/knowledgecenter/SSSQZW_7.1.1/com.ibm.itsm.sta.doc/c_overview.htmlhttp://www.ibm.com/support/knowledgecenter

What's new in this release

This release of IBM Spectrum Protect introduces new features and updates.

For a list of new features and updates, see What's new.

If changes were made in the documentation, they are indicated by a vertical bar (|) in the margin.

© Copyright IBM Corp. 1993, 2020 ix

http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/srv.common/r_wn_tsmserver.html

x IBM Spectrum Protect for Linux: Installation Guide

Part 1. Installing and upgrading the serverInstall and upgrade the IBM Spectrum Protect server.

© Copyright IBM Corp. 1993, 2020 1

2 IBM Spectrum Protect for Linux: Installation Guide

Chapter 1. Planning to install the serverInstall the server software on the computer that manages storage devices and install the client softwareon every workstation that transfers data to IBM Spectrum Protect server-managed storage.

What you should know firstBefore installing IBM Spectrum Protect, be familiar with your operating systems, storage devices,communication protocols, and system configurations.

Server maintenance releases, client software, and publications are available from the IBM Support Portal.

Restriction: You can install and run the IBM Spectrum Protect server on a system that already has IBMDb2® installed on it, whether Db2 was installed independently or as part of some other application, withsome restrictions.

For details, see “Compatibility of the IBM Spectrum Protect server with other IBM Db2 products on thesystem” on page 49.

Experienced Db2 administrators can choose to perform advanced SQL queries and use Db2 tools tomonitor the database. Do not, however, use Db2 tools to change Db2 configuration settings from thosethat are preset by IBM Spectrum Protect, or alter the Db2 environment for IBM Spectrum Protect in otherways, such as with other products. The server has been built and tested extensively using the datadefinition language (DDL) and database configuration that the server deploys.

Attention: Do not alter the Db2 software that is installed with IBM Spectrum Protect installationpackages and fix packs. Do not install or upgrade to a different version, release, or fix pack of Db2software because doing so can damage the database.

What you should know about security before you install or upgrade theserver

Review information about the enhanced security features in the IBM Spectrum Protect server and therequirements for updating your environment.

Before you beginBeginning in Version 8.1.2, enhancements were added to IBM Spectrum Protect that enforce strictersecurity settings. Before you install or upgrade IBM Spectrum Protect, complete the following steps:

• In IBM Knowledge Center, in the What's New topic, review the information in the Security sections tolearn about security updates for each version.

• If you have previous versions of the server in your environment, review the restrictions and knownissues in technote 2004844. To avoid these restrictions and take advantage of the latest securityenhancements, plan to update all IBM Spectrum Protect servers and backup-archive clients in yourenvironment to the latest version.

Security enhancements

The following security enhancements were added beginning in V8.1.2:Security protocol that uses Transport Layer Security (TLS)

IBM Spectrum Protect V8.1.2 and later software has an improved security protocol that uses TLS 1.2for authentication between the server, storage agent, and backup-archive clients.

Automatic Secure Sockets Layer (SSL) configuration and distribution of certificatesServers, storage agents, and clients using V8.1.2 or later software are automatically configured toauthenticate with each other by using TLS.

Installing the IBM Spectrum Protect server

© Copyright IBM Corp. 1993, 2020 3

http://www.ibm.com/support/entry/portal/supporthttp://www-01.ibm.com/support/docview.wss?uid=swg22004844

Using the new protocol, each server, storage agent, and client has a unique self-signed certificate thatis used to authenticate and allow TLS connections. IBM Spectrum Protect self-signed certificatesenable secure authentication between entities, enable strong encryption for data transmission, andautomatically distribute public keys to client nodes. Certificates are automatically exchangedbetween all clients, storage agents, and servers that use V8.1.2 or later software. You do not have tomanually configure TLS or manually install the certificates for every client. The new TLSenhancements do not require options changes, and certificates are transferred to clientsautomatically upon first connection unless you are using a single administrator ID to access multiplesystems.

By default, self-signed certificates are distributed, but you can optionally use other configurationssuch as certificates that are signed by a certificate authority. For more information about usingcertificates, see SSL and TLS communication in IBM Knowledge Center.

Combination of TCP/IP and TLS protocols for secure communication and minimal impact toperformance

In previous versions of IBM Spectrum Protect software, you had to choose either TLS or TCP/IP toencrypt all communication. The new security protocol uses a combination of TCP/IP and TLS to securecommunication between servers, clients, and storage agents. By default, TLS is used only to encryptauthentication and metadata, while TCP/IP is used for data transmission. Since TLS encryption isprimarily used for authentication only, performance for backup and restore operations is not affected.

Optionally, you can use TLS to encrypt data transmission by using the SSL client option for client-to-server communication, and the SSL parameter in the UPDATE SERVER command for server-to-servercommunication.

Backward compatibility makes it easier to plan upgrades in batchesUpgraded versions of IBM Spectrum Protect servers and clients can continue to connect to olderversions when the SESSIONSECURITY parameter is set to TRANSITIONAL.

You are not required to update backup-archive clients to V8.1.2 or later before you upgrade servers.After you upgrade a server to V8.1.2 or later, nodes and administrators that are using earlier versionsof the software will continue to communicate with the server by using the TRANSITIONAL value untilthe entity meets the requirements for the STRICT value. Similarly, you can upgrade backup-archiveclients to V8.1.2 or later before you upgrade your IBM Spectrum Protect servers, but you are notrequired to upgrade servers first. Communication between servers and clients that are using differentversions is not interrupted. However, you will not have the benefits of the security enhancements untilboth clients and servers are upgraded.

Enforce strict security with the SESSIONSECURITY parameterTo use the new security protocol, the server, client node, or administrator entities must be using IBMSpectrum Protect software that supports the SESSIONSECURITY parameter. Session security is thelevel of security that is used for communication among IBM Spectrum Protect client nodes,administrative clients, and servers. You can specify the following values for this parameter:STRICT

Enforces the highest level of security for communication between IBM Spectrum Protect servers,nodes, and administrators, which is currently TLS 1.2.

TRANSITIONALSpecifies that the existing communication protocol (for example, TCP/IP) is used until you updateyour IBM Spectrum Protect software to V8.1.2 or later. This is the default. WhenSESSIONSECURITY=TRANSITIONAL, stricter security settings are automatically enforced ashigher versions of the TLS protocol are used and as the software is updated to V8.1.2 or later.After a node, administrator, or server meets the requirements for the STRICT value, sessionsecurity is automatically updated to the STRICT value, and the entity can no longer authenticateby using a previous version of the client or earlier TLS protocols.

If SESSIONSECURITY=TRANSITIONAL and the server, node, or administrator has never met therequirements for the STRICT value, the server, node, or administrator will continue to authenticate byusing the TRANSITIONAL value. However, after the server, node, or administrator meets therequirements for the STRICT value, the SESSIONSECURITY parameter value automatically updates



from TRANSITIONAL to STRICT. Then, the server, node, or administrator can no longer authenticateby using a version of the client or an SSL/TLS protocol that does not meet the requirements forSTRICT.

Restriction: After an administrator successfully authenticates with a server by using IBM SpectrumProtect V8.1.2 or later software or Tivoli® Storage Manager V7.1.8 or later software, the administratorcan no longer authenticate with the same server by using client or server versions earlier than V8.1.2or V7.1.8. This restriction also applies to the destination server when you use functions such ascommand routing, server-to-server export that authenticates with the destination IBM SpectrumProtect server as an administrator from another server, administrator connections using theOperations Center, and connections from the administrative command-line client.

For client and administrative sessions, administrative command routing sessions might fail unless theadministrator ID has already acquired certificates for all servers to which the administrator ID willconnect. Administrators that authenticate by using the dsmadmc command, dsmc command, or dsmprogram cannot authenticate by using an earlier version after authenticating by using V8.1.2 or later.To resolve authentication issues for administrators, see the following tips:

• Ensure that all IBM Spectrum Protect software that the administrator account uses to log on isupgraded to V8.1.2 or later. If an administrator account logs on from multiple systems, ensure thatthe server's certificate is installed on each system.

• If necessary, create a separate administrator account to use only with clients and servers that areusing V8.1.1 or earlier software.

Before you upgrade

Before you upgrade a server, review the guidelines in the following checklist.

Table 2. Planning checklist

Guideline Description

Back up the following server files:

• Key databases (cert.kdb and dsmkeydb.kdb)• Stash files (cert.sth and dsmkeydb.sth)

Beginning with IBM Spectrum Protect Version8.1.2, a master encryption key is automaticallygenerated when you start the server if the masterencryption key did not previously exist.

The master encryption key is stored in a keydatabase, dsmkeydb.kdb. Server certificates arestill stored in the cert.kdb key database andaccessed by the stash file cert.sth. You mustprotect both the key databases (cert.kdb anddsmkeydb.kdb) and the stash files (cert.sth anddsmkeydb.sth) that provide access to each of thekey databases. By default, the BACKUP DBcommand protects the master encryption key inthe same manner in which the volume history anddevconfig files are protected. You must rememberthe database backup password to restore thedatabase. The IBM Spectrum Protect serverdsmserv.pwd file, which was used to store themaster encryption key in previous releases, is nolonger used.


Chapter 1. Planning to install the server 5

Table 2. Planning checklist (continued)

Guideline Description

Carefully plan upgrades for administrator IDs Identify all systems that administrator accountsuse to log in for administration purposes.

After a successful authentication to V8.1.2 or latersoftware, administrators cannot authenticate toearlier versions of IBM Spectrum Protect softwareon the same server. If a single administrator ID isused to log in to multiple systems, plan to upgradeall of those systems with V8.1.2 or later softwareto ensure that the certificate is installed on allsystems that the administrator logs in to.

Tip: You will not get locked out of a server if theSESSIONSECURITY parameter for all of youradministrator IDs is updated to the STRICT value.You can manually import the server’s publiccertificate to a client from which you issue thedsmadmc command.

If you're using TLS with previous versions of theclient that use the "TSM Server SelfSigned Key"(cert.arm) certificate, update your clients to V8.1.4or later.

In releases prior to V7.1.8, the default certificatewas labeled "TSM Server SelfSigned Key" and hadan MD5 signature, which does not support the TLS1.2 protocol that is required by default for V8.1.2or later clients and the Operations Center. Toresolve this issue, complete one of the followingsteps:

• Upgrade the server to V8.1.4 or later. Beginningwith V8.1.4, servers that use the MD5-signedcertificate as the default are automaticallyupdated to use a default certificate with a SHAsignature that is labeled "TSM Server SelfSignedSHA Key". A copy of the new default certificate isstored in the cert256.arm file, which is locatedin the server instance directory.

Tip: Before you update the server to use the newdefault certificate with a SHA signature,distribute the cert256.arm file to clients toprevent client backup failures. Each client mustobtain and import the new certificate before theycan connect to a server that is using the newdefault SHA certificate. You do not need toremove previous certificates.

• To manually update your default certificate,follow the instructions in technote 2004844.

What to do next

• Follow the procedure in “Applying security updates” on page 7 to install or upgrade an IBM SpectrumProtect server.

• For information about troubleshooting communication issues related to security updates, see“Troubleshooting security updates” on page 12.

• For FAQ information, see FAQ - Security updates in IBM Spectrum Protect.



http://www-01.ibm.com/support/docview.wss?uid=swg22004844http://www.ibm.com/support/docview.wss?uid=ibm10718441

• For information about using the IBM Spectrum Protect backup-archive web client in the new securityenvironment, see technote 2013830.

Applying security updatesApply security updates that are delivered with new releases of IBM Spectrum Protect.

Before you begin

Review the following information:

• For details about security updates delivered with a release, see the What's New topic in IBM KnowledgeCenter.

• For information about the updates and any restrictions that can apply, see “What you should knowabout security before you install or upgrade the server” on page 3.

• To determine the order in which you upgrade the servers and clients in your environment, answer thefollowing questions:

Table 3. Questions for consideration before upgrading

Question Consideration

What is the role of the server in the configuration? In general, you can upgrade the IBM SpectrumProtect servers in your environment first and thenupgrade backup-archive clients. However, incertain circumstances, for example, if you usecommand routing functions, the server can act asthe client in your configuration. In that instance,to prevent communication issues, the suggestedapproach is to upgrade clients first. Forinformation about different scenarios, seeUpgrade scenarios.



http://www-01.ibm.com/support/docview.wss?uid=swg22013830

Table 3. Questions for consideration before upgrading (continued)


What systems are used for administratorauthentication?

For administrator accounts, the sequence inwhich you upgrade is important to preventauthentication issues.

– Clients on multiple systems that log on by usingthe same ID (either node or administrative ID)must be upgraded at the same time. Servercertificates are transferred to clientsautomatically upon first connection.

– Before you upgrade your server, consider allendpoints that the administrator uses toconnect to for administration purposes. If asingle administrative ID is used to accessmultiple systems, ensure that the server'scertificate is installed on each system.

– After an administrator ID authenticatessuccessfully with the server by using IBMSpectrum Protect V8.1.2 or later software orTivoli Storage Manager V7.1.8 or later software,the administrator can no longer authenticatewith that server by using client or serverversions earlier than V8.1.2 or V7.1.8. This isalso true for a destination server when youauthenticate with that destination IBMSpectrum Protect server as an administratorfrom another server. For example, this is truewhen you use the following functions:

- Command routing- Server-to-server export- Connecting from an administrative client in

the Operations Center



Table 3. Questions for consideration before upgrading (continued)


In what sequence should I upgrade my systems? – If you upgrade servers before you upgradeclient nodes:

- Upgrade the hub server first and then anyspoke servers.

- When you upgrade a server to V8.1.2 or later,nodes and administrators that use earlierversions of the software can continue tocommunicate with the new server by usingthe existing communication protocol. TheSESSIONSECURITY is set to TRANSITIONALand if the server, node, or administrator hasnever met the requirements for the STRICTvalue, the server, node, or administratorcontinues to authenticate by using theTRANSITIONAL value. However, as soon asthe server, node, or administrator meets therequirements for the STRICT value, theSESSIONSECURITY parameter valueautomatically updates from TRANSITIONALto STRICT.

– If you upgrade client nodes before youupgrade servers:

- Upgrade administrative clients first, and thenupgrade non-administrative clients. Clients atlater release levels continue to communicatewith servers at earlier levels.

Important: If you upgrade any one of theadministrative clients in your environment, allother clients that use the same ID as theupgraded client must be upgraded at thesame time.

- It is not necessary to upgrade all of your non-administrative clients at the same time,unless multiple clients are using the same IDto log on. Then, all other clients that use thesame ID as the upgraded client must beupgraded at the same time and the server'scertificate must be installed on each system.

About this task

If your environment includes IBM Spectrum Protect backup-archive clients or IBM Spectrum Protectservers that are earlier than V7.1.8 or V8.1.2, you might have to customize your configuration to ensurethat communication between servers and clients is not interrupted. Follow the default procedure in thistopic for installing or upgrading your environment.

Review Upgrade scenarios for other example scenarios that might apply to your environment.

Tip: To take advantage of the latest security enhancements, plan to update all IBM Spectrum Protectservers and backup-archive clients in your environment to the latest release level.



Procedure

1. Install or upgrade IBM Spectrum Protect servers in your environment. For more information, see theInstalling and upgrading the server topic in IBM Knowledge Center.a) Upgrade the Operations Center and the hub server. For more information, see Part 2, “Installing

and upgrading the Operations Center,” on page 117.b) Upgrade spoke servers.c) Configure or verify server-to-server communications. For more information, see the following

topics:

• The UPDATE SERVER command in IBM Knowledge Center.• The Configuring SSL communications between the hub server and a spoke server topic in IBM

Knowledge Center.• The Configuring the server to connect to another server by using SSL topic in IBM Knowledge

Center.

Tip:

• Beginning in IBM Spectrum Protect V8.1.2 and Tivoli Storage Manager V7.1.8, the SSL parameteruses SSL to encrypt communication with the specified server even if the SSL parameter is set toNO.

• Beginning with V8.1.4, certificates are automatically configured between storage agents, libraryclients, and library manager servers. Certificates are exchanged the first time a server-to-serverconnection is established to a server with enhanced security.

2. Install or upgrade administrative clients. For more information, see the Installing and configuringclients topic in IBM Knowledge Center.

3. Enable secure communications between all systems that administrators use to log in foradministration purposes.

• Ensure that the IBM Spectrum Protect software that the administrator account uses to log on isupgraded to V8.1.2 or later.

• If an administrative ID logs on from multiple systems, ensure that the server's certificate is installedon each system.

4. Install or upgrade non-administrative clients. For more information, see the Installing and configuringclients topic in IBM Knowledge Center.

Remember: You can upgrade your non-administrative clients in phases. You can continue to connectto servers at later release levels from clients at earlier release levels by issuing the UPDATE NODEcommand and setting the SESSIONSECURITY parameter to TRANSITIONAL for each node.

update node nodename sessionsecurity=transitional

What to do next

Other upgrade scenarios might apply to your environment. Review example upgrade scenarios in thefollowing table.



Table 4. Upgrade scenarios

Scenario Considerations Suggested upgrade approach

I use administrative commandrouting functions to routecommands to one or more servers.I want to connect to an IBMSpectrum Protect server that isearlier than V8.1.2.

• With command routing, the servercan act as the administrativeclient.

• Command routing uses the IDand the password of theadministrator who is issuing thecommand.

• If you use a single administrativeID to access multiple systems,ensure that the server'scertificate is installed on eachsystem.

• Upgrade the administrative clientfirst.

Important: Clients on multiplesystems that log on by using thesame node or administrative IDmust be upgraded at the sametime.

• On each server to whichcommands are being routed,verify that the followinginformation is configured:

– The same administrator ID andpassword

– The required administrativeauthority on each server

– The required certificates areinstalled

• Upgrade the servers that theadministrator account uses to logon to V8.1.2 or later.

My administrative client is at thelatest release version, and I use thesame administrator ID toauthenticate to different systemsby using the dsmadmc command. Ihave authenticated successfully toan IBM Spectrum Protect server inmy environment that is running atthe latest version. I now want toauthenticate to a server at a versionearlier than V8.1.2.

• After an administratorauthenticates to an IBMSpectrum Protect server V8.1.2or later by using a version of theclient at V8.1.2 or later, theadministrative ID can onlyauthenticate with that server onclients or servers that are usingV8.1.2 or later.

• If you use a single administrativeID to access multiple systems,plan to upgrade all of thosesystems with V8.1.2 or latersoftware to ensure that theserver's certificate is installed onall systems to which theadministrator logs on.

• Ensure that all IBM SpectrumProtect software that theadministrators use to log on isupgraded to V8.1.2 or later. Thepreferred action is to upgrade allthe servers in your environmentto the latest version.

• If necessary, create a separateadministrator account to use onlywith clients and servers that areusing V8.1.1 or earlier software.



Table 4. Upgrade scenarios (continued)

Scenario Considerations Suggested upgrade approach

The IBM Spectrum Protect server isalready upgraded to the latestrelease level. I have anadministrative client at releaselevel V8.1.0 and I want to connectto the server from the OperationsCenter.

• If you upgrade any one of theadministrative clients in yourenvironment, all other clients thatuse the same ID as the upgradedclient must be upgraded at thesame time.

• To use an administrator ID in amultiple-server configuration, theID must be registered on the huband spoke servers with the samepassword, authority level, andrequired certificates.

• On each server, verify that thefollowing information is set up:

– The same administrator ID andpassword

– The required administrativeauthority on each server

– The required certificates• Upgrade non-administrative

clients in a phased manner.

I use node replication to protect mydata.

• The replication heartbeat initiatesa certificate exchange when thefirst server-to-server connectionis established after you upgradethe server.

• Upgrade your servers before youupgrade your clients; follow thedefault procedure.

I want to upgrade my backup-archive clients before I upgrade myservers.

• After you upgrade a server toV8.1.2 or later, nodes andadministrators that are usingearlier versions of the softwarewill continue to communicatewith the server by using theTRANSITIONAL value until theentity meets the requirements forthe STRICT value.

• Communication between serversand clients will not beinterrupted.

• If you upgrade your clients beforeyou upgrade your servers,upgrade administrative clientsfirst, and then upgrade non-administrative clients. Clients atlater release levels continue tocommunicate with servers atearlier levels.

Troubleshooting security updatesTroubleshoot issues that might occur after you upgrade IBM Spectrum Protect.

Symptom Resolution

An administratoraccount cannot log into a system that isusing software earlierthan V8.1.2.

After an administrator successfully authenticates with the server by using IBMSpectrum Protect V8.1.2 or later software, the administrator can no longerauthenticate with that server that uses client or server versions earlier thanV8.1.2. This restriction also applies to the destination server when you usefunctions such as command routing, server-to-server export thatauthenticates with the destination IBM Spectrum Protect server as anadministrator from another server, administrator connections that use theOperations Center, and connections from the administrative command-lineclient.

To resolve authentication issues for administrators, complete the followingsteps:

1. Identify all systems from which administrators log in and which use theadministrative ID to log in. Upgrade the system software to IBM Spectrum



Symptom Resolution

Protect V8.1.2 or later, and ensure that the server's certificate is installedon each system.

2. Set the administrator’s SESSIONSECURITY parameter value toTRANSITIONAL by issuing the command update admin admin_namesessionsecurity=transitional

3. Retry the administrator connection.

Tip: If necessary, create a separate administrator account to use only withclients and servers that are using V8.1.1 or earlier software.

Certificate distributionfailed for a node,administrator, orserver.

A node, administrator, or server that is using V8.1.2 or later software has aSESSIONSECURITY value of STRICT, but you has to reset the value toTRANSITIONAL to retry certificate distribution.

When using the new protocol, the automatic transfer of a server’s publiccertificate is performed only on the first connection to a server with enhancedsecurity. After the first connection, the SESSIONSECURITY parameter value ofa node changes from TRANSITIONAL to STRICT. You can temporarily update anode, administrator, or server to TRANSITIONAL to allow another automatictransfer of the certificate. While in TRANSITIONAL, the next connectionautomatically transfers the certificate if needed and resets theSESSIONSECURITY parameter to STRICT.

Update the value of the SESSIONSECURITY parameter to TRANSITIONAL byissuing one of the following commands:

• For client nodes, issue:update node node_name sessionsecurity=transitional

• For administrators, issue:update admin admin_name sessionsecurity=transitional

• For servers, issue:update server server_name sessionsecurity=transitional

Alternatively, you can manually transfer and import the public certificate byusing the dsmcert utility to issue the following commands:

openssl s_client -connect tapsrv04:1500 -showcerts > tapsrv04.arm

dsmcert -add -server tapsrv04 -file tapsrv04.arm

If you are using CA-signed certificates, you must install the CA-root and anyCA-intermediate certificates on each key database for the client, server, andstorage agent that initiates SSL communication.

Certificate exchangebetween IBM SpectrumProtect servers was notsuccessful.

When using the new protocol, the automatic transfer of a server’s publiccertificate is performed only on the first connection to a server with enhancedsecurity. After the first connection, the SESSIONSECURITY parameter value ofa server changes from TRANSITIONAL to STRICT. Retry certificate exchangebetween two IBM Spectrum Protect servers. For information, see Retryingcertificate exchange between servers.

Certificate exchangebetween an IBMSpectrum Protectserver and a client

When using the new protocol, the automatic transfer of a server’s publiccertificate is performed only on the first connection to a server with enhancedsecurity. After the first connection, the SESSIONSECURITY parameter value ofa node changes from TRANSITIONAL to STRICT. To retry certificate exchange



Symptom Resolution

node was notsuccessful.

between clients and servers at versions earlier than V8.1.2, complete thesesteps:

1. For existing clients that are configured to use SSL with the cert.armcertificate, reconfigure them to use the cert256.arm certificate. Forinstructions, see Configuring storage agents, servers, clients, and theOperations Center to connect to the server by using SSL in IBM KnowledgeCenter.

2. Update the default certificate by issuing the following command from theserver instance directory:gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

3. Restart the server.

For clients and servers at V8.1.2 and later, the certificates are automaticallydistributed. If communication between clients or servers fails, complete thesesteps to retry certificate acquisition:

1. For nodes and administrators, set the SESSIONSECURITY parameter toTRANSITIONAL by issuing the following commands for each node oradministrator that you want to retry:update node nodename sessionsecurity=transitional update admin adminname sessionsecurity=transitional

Tip: Administrators that authenticate by using the dsmadmc command,dsmc command, or dsm program cannot authenticate by using an earlierversion after authenticating by using V8.1.2 or later. To resolveauthentication issues for administrators, see the following tips:

• Ensure that all IBM Spectrum Protect software that the administratoraccount uses to log in is upgraded to V8.1.2 or later. If an administratoraccount logs on from multiple systems, ensure that the server'scertificate is installed on each system before the administrator account isused for command routing.

• After an administrator authenticates to a V8.1.2 or later server by using aV8.1.2 or later client, the administrator can authenticate only on clientsor servers that are using V8.1.2 or later. An administrator command canbe issued from any system. If necessary, create a separate administratoraccount to use only with clients and servers that are using V8.1.1 orearlier software.

2. For storage agents, update the STASESSIONSECURITY option in thestorage agent options file dsmsta.opt by changing the STRICT value toTRANSITIONAL.

3. Restart the servers. Certificate changes do not take effect until you restartthe servers or storage agents.

4. If you are still unable to exchange certificates after completing Steps 1-4,manually add the certificates to the servers and storage agents and restartthem. For instructions, see Configuring storage agents, servers, clients, andthe Operations Center to connect to the server by using SSL in IBMKnowledge Center.

You want to manuallydistribute certificatesto client systems.

The IBM Spectrum Protect server administrator can automatically deploy abackup-archive client to update workstations where the backup-archive clientis already installed. For information, see Automatic backup-archive clientdeployment in IBM Knowledge Center.



Symptom Resolution

To manually add certificates to clients, see Configuring IBM Spectrum Protectclient/server communication with Secure Sockets Layer in IBM KnowledgeCenter.

You want to resetcertificates for client-to-client sessions.

The dsmcert utility that is installed with the IBM Spectrum Protect backup-archive client is used to create a certificate store for server certificates. Usethe dsmcert utility to delete the files and re-import the certificates.

As a root user, youwant to allow non-rootusers to manage yourfiles.

The trusted communications agent (TCA), previously used by non-root users inV8.1.0 and V7.1.6 and earlier IBM Spectrum Protect clients, is no longeravailable. Root users can use the following methods to allow non-root users tomanage their files:

Help desk methodWith the help desk method, the root user runs all backup and restoreoperations. The non-root user must contact the root user to requestcertain files to be backed up or restored.

Authorized user methodWith the authorized user method, a non-root user is given read/writeaccess to the password store by using the passworddir option to point toa password location that is readable and writable by the non-root user.This method allows non-root users to back up and restore their own files,use encryption, and manage their passwords with the passwordaccessgenerate option.

For more information, see Enable non-root users to manage their own datain IBM Knowledge Center.

If neither of these methods are satisfactory, you must use the earlier clientsthat included the TCA.

You want to resolveGSKit compatibilityissues.

When multiple applications that use GSKit are installed on the same system,incompatibility issues might occur. To resolve these issues, see the followinginformation:

• For IBM Spectrum Protect clients, see Technote 2011742.• For Db2, see Technote 7050721.• For IBM Spectrum Protect server, see Technote 2007298.• For IBM Spectrum Protect server and client on the same Windows system,

see Technote 7050721.

For more information about troubleshooting security updates, see technote 2004844.

Retrying certificate exchange between serversIf the certificate exchange between servers fails, you can attempt another exchange.

Procedure

1. Remove the certificate from the partner server's database by issuing the following command on bothservers:

update server servername forcesync=yes

Tip: The server might be using the wrong certificate if you are still getting error messages for eachserver-to-server session after you have completed the steps in this task and restarted the servers. Ifyou determine that the server is attempting to use the wrong certificate, delete the certificate from thekey database by issuing the following command:



https://www-01.ibm.com/support/docview.wss?uid=swg22011742http://www-01.ibm.com/support/docview.wss?uid=swg27050721http://www-01.ibm.com/support/docview.wss?uid=swg22007298http://www-01.ibm.com/support/docview.wss?uid=swg27050721http://www-01.ibm.com/support/docview.wss?uid=swg22004844

gsk8capicmd_64 -cert -delete -db cert.kdb -stashed -label certificate_labelname

2. Delete the server definition by issuing the DELETE SERVER command for both the server and thepartner server. If you cannot delete the server definition, you must configure the certificates manually.For instructions about manually configuring certificates, see Configuring storage agents, servers,clients, and the Operations Center to connect to the server by using SSL in IBM Knowledge Center.

3. To reacquire the certificate, cross-define the servers to each other and allow them to exchangecertificates by issuing the following commands on both servers:

set crossdefine on set serverhladdress hladdress set serverlladdress lladdress set serverpassword password

4. Issue the following command on one of the servers that you are cross defining:

define server servername crossdefine=yes ssl=yes

5. Repeat step 3 for all other Version 8.1.2 or later server pairs.6. Restart the servers.7. To verify that certificates were exchanged, issue the following command from the server instance

directory of each server that you want to verify:

gsk8capicmd_64 -cert -list -db cert.kdb -stashed

Example output:

example.website.com:1542:0

Tip: If you use replication, the replication heartbeat runs approximately every 5 minutes and initiates acertificate exchange during the first connection after you upgrade the server. This connection causesmessages ANR8583E and ANR8599W to appear in the log once, before a certificate exchange takesplace. If you do not use replication, certificates are exchanged the first time a server-to-server sessionis initiated, except for server configurations without a server defined on both computers.

8. For servers that are defined as a virtual volume, complete the following steps:a) Remove the partner certificate from the server's database by issuing the following command on

both servers:


b) Ensure that the same password is used for the server password value on the DEFINE SERVERcommand on the source server, the password value on the REGISTER NODE command on thevirtual volume server, and the SET SERVERPASSWORD value on the virtual volume server. Ifnecessary, update a password by using the UPDATE SERVER, UPDATE NODE, or SETSERVERPASSWORD commands, respectively. Certificates are exchanged after the first client backupoperation from the virtual volume server to the source server.

9. If you are still unable to exchange certificates between servers, complete the following steps:a) In the server definition for each of the communicating servers, verify that you specified a server

name that matches the name that was set by issuing the SET SERVERNAME command on thepartner server.

b) Verify that server definitions have passwords that are specified with the SET SERVERPASSWORDcommand. The passwords must match the value that is specified with the SET SERVERNAMEcommand for the partner server.

c) After completing steps a and b, reissue the following command:


d) Retry steps 1 through 3.



Planning for optimal performanceBefore you install the IBM Spectrum Protect server, evaluate the characteristics and configuration of thesystem to ensure that the server is set up for optimal performance.

About this taskThe optimal IBM Spectrum Protect environment is set up by using the IBM Spectrum Protect Blueprints.

Procedure

1. Review “What you should know first” on page 3.2. Review each of the following subsections.

Planning for the server hardware and the operating systemUse the checklist to verify that the system where the server is installed meets requirements for hardwareand software configuration.

QuestionTasks, characteristics,options, or settings More information

Does the operatingsystem andhardware meet orexceedrequirements?

• Number andspeed ofprocessors

• System memory• Supported

operatingsystem level

If you are using theminimum requiredamount of memory, youcan support a minimalworkload.

You can experiment byadding more systemmemory to determinewhether theperformance isimproved. Then, decidewhether you want tokeep the systemmemory dedicated tothe server. Test thememory variations byusing the entire dailycycle of the serverworkload.

If you run multipleservers on the system,add the requirementsfor each server to getthe requirements for thesystem.

Review operating system requirements at technote 1243309.

Additionally, review the guidance in Tuning tasks for operatingsystems and other applications.

For more information about requirements when these featuresare in use, see the following topics:

• Checklist for data deduplication• Checklist for node replication

For more information about sizing requirements for the serverand storage, see the IBM Spectrum Protect Blueprint.

Are disksconfigured foroptimalperformance?

The amount of tuningthat can be done fordifferent disk systemsvaries. Ensure that theappropriate queuedepths and other disksystem options are set.

For more information, see the following topics:

• "Planning for server database disks"• "Planning for server recovery log disks"• "Planning for storage pools in DISK or FILE device classes"



https://www.ibm.com/support/pages/node/1146352http://www.ibm.com/support/docview.wss?uid=swg21243309http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/r_srv_sw_tuning_os.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/r_srv_sw_tuning_os.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_dedup_optimconfig.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_noderep_optimconfig.htmlhttps://www.ibm.com/support/pages/node/1146352


Does the serverhave enoughmemory?

Heavier workloads andadvanced features suchas data deduplicationand node replicationrequire more than theminimum systemmemory that is specifiedin the systemrequirementsdocument.

For databases that arenot enabled for datadeduplication, use thefollowing guidelines tospecify memoryrequirements:

• For databases lessthan 500 GB, youneed 16 GB ofmemory.

• For databases with asize of 500 GB - 1 TB,you need 24 GB ofmemory.

• For databases with asize of 1 TB - 1.5 TB,you need 32 GB ofmemory.

• For databases greaterthan 1.5 TB, you need40 GB of memory.

Ensure that you allocateextra space for theactive log and thearchive log forreplication processing.

For more information about requirements when these featuresare in use, see the following topics:

• Checklist for data deduplication• Checklist for node replication• Memory requirements

Does the systemhave enough hostbus adapters(HBAs) to handlethe dataoperations thatthe IBM SpectrumProtect servermust runsimultaneously?

Understand whatoperations require useof HBAs at the sametime.

For example, a servermust store 1 GB/sec ofbackup data while alsodoing storage poolmigration that requires0.5 GB/sec capacity tocomplete. The HBAsmust be able to handleall of the data at thespeed required.

See Tuning HBA capacity.



http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_dedup_optimconfig.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_noderep_optimconfig.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/r_srv_mem_reqs.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srv_hbas.html


Is networkbandwidth greaterthan the plannedmaximumthroughput forbackups?

Network bandwidthmust allow the systemto complete operationssuch as backups in thetime that is allowed orthat meets service levelcommitments.

For node replication,network bandwidthmust be greater thanthe planned maximumthroughput.

For more information, see the following topics:

• Tuning network performance• Checklist for node replication

Are you using apreferred filesystem for IBMSpectrum Protectserver files?

Use a file system thatensures optimalperformance and dataavailability. The serveruses direct I/O with filesystems that supportthe feature. Using directI/O can improvethroughput and reduceprocessor use. For moreinformation about thepreferred file system foryour operating system,see IBM SpectrumProtect server-supported file systems.

For more information, see Configuring the operating system fordisk performance.



http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_network_tuning.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_noderep_optimconfig.htmlhttp://www.ibm.com/support/docview.wss?uid=swg21902417http://www.ibm.com/support/docview.wss?uid=swg21902417http://www.ibm.com/support/docview.wss?uid=swg21902417http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_perf_dskos.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_perf_dskos.html


Are you planningto configureenough pagingspace?

Paging space, or swapspace, extends thememory that is availablefor processing. Whenthe amount of free RAMin the system is low,programs or data that isnot in use are movedfrom memory to pagingspace. This actionreleases memory forother activities, such asdatabase operations.

Restriction: Do not usepaging space to addmemory to your system.Paging space isintended to provide onlya limited and temporaryextension of space. Ifyour system uses pagingspace, system memoryis full and must beextended.

Use a minimum of 32GB of paging space or50% of your RAM,whichever value islarger.

Are you planningto tune the kernelparameters afterinstallation of theserver?

You must tune kernelparameters.

See the information about tuning kernel parameters: Linux®:Tuning kernel parameters for Linux systems



http://www.ibm.com/support/knowledgecenter/SSGSG7_7.1.7/srv.install/t_srv_krnlparms_lnx-linux.htmlhttp://www.ibm.com/support/knowledgecenter/SSGSG7_7.1.7/srv.install/t_srv_krnlparms_lnx-linux.html

Planning for the server database disksUse the checklist to verify that the system where the server is installed meets requirements for hardwareand software configuration.

QuestionTasks, characteristics, options, orsettings More information

Is the database on fast, low-latencydisks?

Do not use the following drives forthe IBM Spectrum Protectdatabase:

• Nearline SAS (NL-SAS)• Serial Advanced Technology

Attachment (SATA)• Parallel Advanced Technology

Attachment (PATA)

Do not use internal disks that areincluded by default in most serverhardware.

Enterprise-grade solid-state disks(SSD), with Fibre Channel or SASinterface, offer the bestperformance.

If you plan to use the datadeduplication functions of IBMSpectrum Protect, focus on diskperformance in terms of I/Ooperations per second (IOPS).

For more information, see Checklistfor data deduplication.

Is the database stored on disks orLUNs that are separate from disksor LUNs that are used for the activelog, archive log, and storage poolvolumes?

Separation of the server databasefrom other server componentshelps reduce contention for thesame resources by differentoperations that must run at thesame time.

Tip: The database and the archivelog can share an array when youuse solid-state drive (SSD)technology.

If you are using RAID, do you knowhow to select the optimal RAIDlevel for your system? Are youdefining all LUNs with the same sizeand type of RAID?

When a system must do largenumbers of writes, RAID 10outperforms RAID 5. However,RAID 10 requires more disks thanRAID 5 for the same amount ofusable storage.

If your disk system is RAID, defineall your LUNs with the same sizeand type of RAID. For example, donot mix 4+1 RAID 5 with 4+2 RAID6.



http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_dedup_optimconfig.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_dedup_optimconfig.html


If an option to set the strip size orsegment size is available, are youplanning to optimize the size whenyou configure the disk system?

If you can set the strip size orsegment size, use 64 KB or 128 KBsizes on disk systems for thedatabase.

The block size that is used for thedatabase varies depending on thetable space. Most table spaces use8 KB blocks, but some use 32 KBblocks.

Are you planning to create at leastfour directories, also called storagepaths, on four separate LUNs forthe database?

Create one directory per distinctarray on the subsystem. If you havefewer than three arrays, create aseparate LUN volume within thearray.

Heavier workloads and use of somefeatures require more databasestorage paths than the minimumrequirements.

Server operations such as datadeduplication drive a high numberof input/output operations persecond (IOPS) for the database.Such operations perform betterwhen the database has moredirectories.

For server databases that are largerthan 2 TB or are expected to growto that size, use eight directories.

Consider planned growth of thesystem when you determine howmany storage paths to create. Theserver uses the higher number ofstorage paths more effectively ifthe storage paths are present whenthe server is first created.

Use the DB2_PARALLEL_IO variableto force parallel I/O to occur ontable spaces that have onecontainer, or on table spaces thathave containers on more than onephysical disk. If you do not set theDB2_PARALLEL_IO variable, I/Oparallelism is equal to the numberof containers that are used by thetable space. For example, if a tablespace spans four containers, thelevel of I/O parallelism that is usedis 4.

For more information, see thefollowing topics:

• Checklist for data deduplication• Checklist for node replication

For help with forecasting growthwhen the server deduplicates data,see technote 1596944.

For the most recent informationabout database size, databasereorganization, and performanceconsiderations for IBM SpectrumProtect servers, see technote1683633.

For information about setting theDB2_PARALLEL_IO variable, seeRecommended settings for IBMDb2 registry variables.

Are all directories for the databasethe same size?

Directories that are all the samesize ensure a consistent degree ofparallelism for databaseoperations. If one or moredirectories for the database aresmaller than the others, theyreduce the potential for optimizedparallel prefetching.

This guideline also applies if youmust add storage paths after theinitial configuration of the server.



http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_dedup_optimconfig.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_noderep_optimconfig.htmlhttp://www.ibm.com/support/docview.wss?uid=swg21596944http://www.ibm.com/support/docview.wss?uid=swg21452146http://www.ibm.com/support/docview.wss?uid=swg21452146https://www.ibm.com/support/knowledgecenter/SS3JSW/sb2b_home/product_welcome_kc_b2bi.htmlhttps://www.ibm.com/support/knowledgecenter/SS3JSW/sb2b_home/product_welcome_kc_b2bi.html


Are you planning to raise the queuedepth of the database LUNs on AIX®systems?

The default queue depth is oftentoo low.

See Configuring AIX systems fordisk performance.

Planning for the server recovery log disksUse the checklist to verify that the system where the server is installed meets requirements for hardwareand software configuration.


Are the active log and archive logstored on disks or LUNs that areseparate from what is used for thedatabase and storage poolvolumes?

Ensure that the disks where youplace the active log are not used forother server or system purposes.Do not place the active log on disksthat contain the server database,the archive log, or system files suchas page or swap space.

Separation of the server database,active log, and archive log helps toreduce contention for the sameresources by different operationsthat must run at the same time.

Are the logs on disks that havenonvolatile write cache?

Nonvolatile write cache allows datato be written to the logs as fast aspossible. Faster write operationsfor the logs can improveperformance for server operations.

Are you setting the logs to a sizethat adequately supports theworkload?

If you are not sure about theworkload, use the largest size thatyou can.Active log

The maximum size is 512 GB,set with the ACTIVELOGSIZEserver option.

Ensure that there is at least 8GB of free space on the activelog file system after the fixedsize active logs are created.

Archive logThe size of the archive log islimited by the size of the filesystem on which it is located,and not by a server option.Make the archive log at least aslarge as the active log.

• For log sizing details, see therecovery log information intechnote 400357.

• For information about sizing whenyou use data deduplication, seeChecklist for data deduplication.

Are you defining an archive failoverlog? Are you placing this log on adisk that is separate from thearchive log?

The archive failover log is foremergency use by the server whenthe archive log becomes full.Slower disks can be used for thearchive failover log.

Use theARCHFAILOVERLOGDIRECTORYserver option to specify the locationof the archive failover log.

Monitor the usage of the directoryfor the archive failover log. If thearchive failover log must be used bythe server, the space for the archivelog might not be large enough.



http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_perf_diskos_aix.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_perf_diskos_aix.htmlhttps://www.ibm.com/support/pages/node/400357http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/c_dedup_optimconfig.html


If you are mirroring the active log,are you using only one type ofmirroring?

You can mirror the log by using oneof the following methods. Use onlyone type of mirroring for the log.

• Use the MIRRORLOGDIRECTORYoption that is available for theIBM Spectrum Protect server tospecify a mirror location.

• Use software mirroring, such asLogical Volume Manager (LVM) onAIX.

• Use mirroring in the disk systemhardware.

If you mirror the active log, ensurethat the disks for both the active logand the mirror copy have equalspeed and reliability.

For more information, seeConfiguring and tuning the recoverylog.

Planning for directory-container and cloud-container storage poolsReview how your directory-container and cloud-container storage pools are set up to ensure optimalperformance.


Measured in terms of input/outputoperations per second (IOPS), areyou using fast disk storage for theIBM Spectrum Protect database?

Use a high-performance disk for thedatabase. Use solid-state drivetechnology for data deduplicationprocessing.

Ensure that the database has aminimum capability of 3000 IOPS.For each TB of data that is backedup daily (before datadeduplication), add 1000 IOPS tothis minimum.

For example, an IBM SpectrumProtect server that is ingesting 3 TBof data per day would need 6000IOPS for the database disks:

3000 IOPS minimum + 3000 (3 TB x 1000 IOPS) = 6000 IOPS

For recommendations about diskselection, see "Planning for serverdatabase disks."

For more information about IOPS,see the IBM Spectrum ProtectBlueprints.



http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srv_tuning_rlog.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srv_tuning_rlog.htmlhttps://www.ibm.com/support/pages/node/1146352


Do you have enough memory forthe size of your database?

Use a minimum of 40 GB of systemmemory for IBM Spectrum Protectservers, with a database size of 100GB, that are deduplicating data. Ifthe retained capacity of backupdata grows, the memoryrequirement might need to behigher.

Monitor memory usage regularly todetermine whether more memoryis required.

Use more system memory toimprove caching of database pages.The following memory sizeguidelines are based on the dailyamount of new data that you backup:

• 128 GB of system memory fordaily backups of data, where thedatabase size is 1 - 2 TB

• 192 GB of system memory fordaily backups of data, where thedatabase size is 2 - 4 TB

Memory requirements

Have you properly sized the storagecapacity for the database active logand archive log?

Configure the server to have aminimum active log size of 128 GBby setting the ACTIVELOGSIZEserver option to a value of 131072.

The suggested starting size for thearchive log is 1 TB. The size of thearchive log is limited by the size ofthe file system on which it islocated, and not by a server option.Ensure that there is at least 10%extra disk space for the file systemthan the size of the archive log.

Use a directory for the databasearchive logs with an initial freecapacity of at least 1 TB. Specifythe directory by using theARCHLOGDIRECTORY server option.

Define space for the archive failoverlog by using theARCHFAILOVERLOGDIRECTORYserver option.

For more information about sizingfor your system, see the IBMSpectrum Protect Blueprints.



http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/r_srv_mem_reqs.htmlhttps://www.ibm.com/support/pages/node/1146352


Is compression enabled for thearchive log and database backups?

Enable the ARCHLOGCOMPRESSserver option to save storagespace.

This compression option is differentfrom inline compression. Inlinecompression is enabled by defaultwith IBM Spectrum Protect V7.1.5and later.

Restriction: Do not use this optionif the amount of backed up dataexceeds 6 TB per day.

For more information aboutcompression for your system, seethe IBM Spectrum ProtectBlueprints.

Are the IBM Spectrum Protectdatabase and logs on separate diskvolumes (LUNs)?

Is the disk that is used for thedatabase configured according tobest practices for a transactionaldatabase?

The database must not share diskvolumes with IBM SpectrumProtect database logs or storagepools, or with any other applicationor file system.

For more information about serverdatabase and recovery logconfiguration, see Server databaseand recovery log configuration andtuning.

Are you using a minimum of eight(2.2 GHz or equivalent) processorcores for each IBM SpectrumProtect server that you plan to usewith data deduplication?

If you are planning to use client-side data deduplication, verify thatclient systems have adequateresources available during a backupoperation to complete datadeduplication processing. Use aprocessor that is at least theminimum equivalent of one 2.2 GHzprocessor core per backup processwith client-side data deduplication.

• Effective planning and use ofdeduplication

• IBM Spectrum Protect Blueprints



https://www.ibm.com/support/pages/node/1146352http://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srvtune_dbrec.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srvtune_dbrec.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srvtune_dbrec.htmlhttp://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Storage%20Manager/page/Effective%20Planning%20and%20Use%20of%20IBM%20Tivoli%20Storage%20Manager%20V6%20Deduplicationhttp://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Storage%20Manager/page/Effective%20Planning%20and%20Use%20of%20IBM%20Tivoli%20Storage%20Manager%20V6%20Deduplicationhttps://www.ibm.com/support/pages/node/1146352


Did you allocate enough storagespace for the database?

For a rough estimate, plan for 100GB of database storage for every 25TB of data that is to be protected indeduplicated storage pools.Protected data is the amount ofdata before data deduplication,including all versions of objectsstored.

For database backup operationswith a large number of small files,where the average size of the file isless than 512 KB, you need moredatabase space. For smaller objectsizes, plan on 100 GB of databasespace for every 10 TB stored.

As a best practice, define a newcontainer storage pool exclusivelyfor data deduplication. Datadeduplication occurs at thestorage-pool level, and all datawithin a storage pool, exceptencrypted data, is deduplicated.

The optimal IBM Spectrum Protectenvironment is set up by using theIBM Spectrum Protect Blueprints.

Have you estimated storage poolcapacity to configure enough spacefor the size of your environment?

You can estimate capacityrequirements for a deduplicatedstorage pool by using the followingtechnique:

1. Estimate the base size of thesource data.

2. Estimate the daily backup sizeby using an estimated changeand growth rate.

3. Determine retentionrequirements.

4. Estimate the total amount ofsource data by factoring in thebase size, daily backup size, andretention requirements.

5. Apply the deduplication ratiofactor.

6. Apply the compression ratiofactor.

7. Round up the estimate toconsider transient storage poolusage.

For an example of using thistechnique, see Effective planningand use of deduplication.



https://www.ibm.com/support/pages/node/1146352http://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Storage%20Manager/page/Effective%20Planning%20and%20Use%20of%20IBM%20Tivoli%20Storage%20Manager%20V6%20Deduplicationhttp://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Storage%20Manager/page/Effective%20Planning%20and%20Use%20of%20IBM%20Tivoli%20Storage%20Manager%20V6%20Deduplication


Have you distributed disk I/O overmany disk devices and controllers?

Use arrays that consist of as manydisks as possible, which issometimes referred to as widestriping. Ensure that you use onedatabase directory per distinctarray on the subsystem.

Set the DB2_PARALLEL_IO registryvariable to enable parallel I/O foreach table space used if thecontainers in the table space spanmultiple physical disks.

When I/O bandwidth is availableand the files are large, for example1 MB, the process of findingduplicates can occupy theresources of an entire processor.When files are smaller, otherbottlenecks can occur.

Specify eight or more file systemsfor the deduplicated storage pooldevice class so that I/O isdistributed across as many LUNsand physical devices as possible.

For guidelines about setting upstorage pools, see "Planning forstorage pools in DISK or FILEdevice classes."

For information about setting theDB2_PARALLEL_IO variable, seeRecommended settings for IBMDb2 registry variables.

Have you scheduled dailyoperations based on your backupstrategy?

The best practice sequence ofoperations is in the following order:

1. Client backup2. Storage pool protection3. Node replication4. Database backup5. Expire inventory

• Scheduling data deduplicationand node replication processes

• Daily operations for directory-container storage pools

Have you scheduled auditoperations to identify corruptedfiles in storage pools?

To schedule audit operations, usethe DEFINE STGRULE commandand specify theACTIONTYPE=AUDIT parameter.

As a best practice, to ensure thataudit operations run continuously,do not specify the DELAYparameter.



https://www.ibm.com/support/knowledgecenter/SS3JSW/sb2b_home/product_welcome_kc_b2bi.htmlhttps://www.ibm.com/support/knowledgecenter/SS3JSW/sb2b_home/product_welcome_kc_b2bi.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srv_sched_deduprep.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srv_sched_deduprep.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srv_tuning_daily_cont.htmlhttp://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.10/perf/t_srv_tuning_daily_cont.html


Do you have enough storage tomanage the IBM Db2 lock list?

If you deduplicate data thatincludes large files or largenumbers of files concurrently, theprocess can result in insufficientstorage space. When the lock liststorage is insufficient, backupfailures, data management processfailures, or server outages canoccur.

File sizes greater than 500 GB thatare processed by datadeduplication are most likely todeplete storage space. However, ifmany backup operations use client-side data d

ibm spectrum protect for linux: installation guide...2010/08/01 · chapter 4. installing an ibm...

Documents