NetApp SteelStore Cloud Integrated Storage 3.2 Deployment Guide

NetApp ® SteelStore Cloud Integrated Storage 3.2 Deployment Guide NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501 Support telephone: +1 (888) 463-8277 Web: www.netapp.com Feedback: [email protected] Part number: 215-09590_A0 December 2014


© 2014 NetApp, Inc. All rights reserved.

No portions of this document may be reproduced without prior written consent of NetApp, Inc. Specifications are subject to change without notice. NetApp, the NetApp logo, Go Further, Faster, ASUP, AutoSupport, Campaign Express, Cloud ONTAP, Clustered Data ONTAP, Customer Fitness, Data ONTAP, DataMotion, Fitness, Flash Accel, Flash Cache, Flash Pool, FlashRay, FlexArray, FlexCache, FlexClone, FlexPod, FlexScale, FlexShare, FlexVol, FPolicy, GetSuccessful, LockVault, Manage ONTAP, Mars, MetroCluster, MultiStore, NetApp Insight, OnCommand, ONTAP, ONTAPI, RAID-DP, SANtricity, SecureShare, Simplicity, Simulate ONTAP, Snap Creator, SnapCopy, SnapDrive, SnapIntegrator, SnapLock, SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore, Snapshot, SnapValidator, SnapVault, StorageGRID, Tech OnTap, Unbound Cloud, WAFL and Whitewater are trademarks or registered trademarks of NetApp, Inc. and its affiliated entities in the United States and/or other countries. SteelStore [and Riverbed] are trademarks of Riverbed Technology used pursuant to license. Any other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such. A current list of certain of NetApp trademarks is available on the Web at http://www.netapp.com/us/legal/netapptmlist.aspx.


Contents

Preface
  About This Guide
    Audience
    Document Conventions
  Documentation and Release Notes
  How to Send Your Comments

Chapter 1 - SteelStore Overview
  What Is SteelStore?
  SteelStore Model Types

Chapter 2 - Deployment Guidelines
  SteelStore Deployment Guidelines
  SteelStore-v Deployment Guidelines

Chapter 3 - SteelStore Sizing Guidelines
  Sizing Questions
  Factors That Influence SteelStore Sizing
  Sizing Calculation
  SteelStore-v Sizing Guidelines

Chapter 4 - Active Directory Domain
  Joining the SteelStore to the AD Domain
  Configuring CIFS Shares
  Adding CIFS Share Users
  Editing User Permissions for a CIFS Share

Chapter 5 - Disaster Recovery
  Benefits of the SteelStore in Disaster Recovery
  Performing Disaster Recovery
    Preparing for Disaster Recovery
    Prepopulating Data
    Time-Based Automatic Prepopulation

Chapter 6 - Remote Management Port
  Configuring the Remote Management Port
  Remote Management Port Configuration Example

Chapter 7 - Cloud Agility
  Cloud Agility Overview
  Migration Process

Chapter 8 - Monitoring Peer Appliances
  Configuring Appliance Monitoring
  Configuring REST API Access
  Specifying the API Access Code

Chapter 9 - Configuring Peer Replication
  Peer Replication Overview
  Configuring Peer Replication Settings
  Viewing Peer Replication Reports
  Handling Fail-Over Scenarios
    Scenario 1 Service Interruption on Secondary Appliance
    Scenario 2 Service Interruption on Primary Appliance
    Scenario 3 Secondary Appliance Service Fails
    Scenario 4 Primary Appliance Service Fails

Chapter 10 - Using the SteelStore with Amazon Glacier
  Amazon Glacier Overview
  Best Practices
  Configuring Amazon Glacier Cloud Provider Settings

Chapter 11 - SteelStore Security
  Appliance Security
    Operating System Security
    Role-Based Management
    Logging and Auditing
    Services
    Analytics
  Data Security
    Disk and Cloud Contents
    Encryption Key Protection
    Key Rotation
  Transport Security
    Internal Network Security
    External Network Security
    SSL/TLS Versions
    Data Center Topology
  Compliance
    FIPS 140-2
    Vulnerability Scanning
    NetApp Internal Security

Chapter 12 - Troubleshooting
  Troubleshooting SteelStore
    Longer Timeouts
    Cloud Capacity Alarm
    Cloud Bucket Disparity Alarm
    Storage Optimization Service Displays “Replaying”
    over_capacity Alarm and License Limits
    Storage Optimization Service Alarm
  Troubleshooting SteelStore-v
    Allocating Memory
    Allocating Space
    Resolving the High CPU Utilization Alarm
    Sizing the Datastore
    Expanding the Data Store
    Checking the Amount of Data in the Cloud
  Troubleshooting Backup Applications
    EMC Networker
    BackupExec
    Veeam
    Oracle RMAN

Index

Preface

Welcome to the NetApp SteelStore Cloud Integrated Storage Deployment Guide. Read this preface for an overview of the information provided in this guide and the documentation conventions used throughout, hardware and software dependencies, and contact information. This preface includes the following sections:

“About This Guide”

“Documentation and Release Notes”

“How to Send Your Comments”

About This Guide

The NetApp SteelStore Cloud Integrated Storage Deployment Guide serves as a design guide that helps you deploy and troubleshoot the NetApp SteelStore Cloud Integrated Storage (SteelStore).

This guide assumes that you are familiar with using the SteelStore command-line interface as described in the NetApp SteelStore Cloud Integrated Storage Command-Line Interface Reference Manual.

NetApp has acquired the SteelStore product line. Any references to Riverbed Technology in the attached are in error and should be assumed to be NetApp. For more information, see www.netapp.com.

Audience

This guide is written for storage and backup administrators familiar with Storage Area Network (SAN), Network Attached Storage (NAS), and cloud storage. NetApp assumes that you are already familiar with SteelStore and how it functions.

You must also be familiar with:

installing and configuring the SteelStore. For details, see NetApp SteelStore Cloud Integrated Storage User’s Guide.

connecting to the SteelStore command-line interface. For details, see the NetApp SteelStore Cloud Integrated Storage Installation Guide.

Document Conventions

This guide uses the following standard set of typographical conventions.

Convention   Meaning
italics      Within text, new terms, emphasized words, and REST API URIs appear in italic typeface.
boldface     Within text, CLI commands, CLI parameters, and REST API properties appear in bold typeface.
Courier      Code examples appear in Courier font:
             amnesiac > enable
             amnesiac # configure terminal
< >          Values that you specify appear in angle brackets: interface <ipaddress>
[ ]          Optional keywords or variables appear in brackets: ntp peer <addr> [version <number>]
{ }          Required keywords or variables appear in braces: {delete <filename>}
|            The pipe symbol represents a choice to select one keyword or variable to the left or right of the symbol. The keyword or variable can be either optional or required: {delete <filename> | upload <filename>}

Documentation and Release Notes

To obtain the most current version of all NetApp documentation, go to the NetApp Support site at https://mysupport.netapp.com.

If you need more information, see the NetApp Knowledge Base for any known issues, how-to documents, system requirements, and common error messages. You can browse titles or search for keywords and strings. For more information, see the NetApp Support site at https://mysupport.netapp.com.

Each software release includes release notes. The release notes identify new features in the software as well as known and fixed problems. To obtain the most current version of the release notes, go to the Software and Documentation section of the NetApp Support site at https://mysupport.netapp.com.

Examine the release notes before you begin the installation and configuration process.

How to Send Your Comments

You can help us to improve the quality of our documentation by sending us your feedback.

Your feedback is important in helping us to provide the most accurate and high-quality information. If you have suggestions for improving this document, send us your comments by email to [email protected]. To help us direct your comments to the correct division, include in the subject line the product name, version, and operating system.

You can also contact us in the following ways:

NetApp, Inc., 495 East Java Drive, Sunnyvale, CA 94089 U.S.

Telephone: +1 (408) 822-6000

Fax: +1 (408) 822-4501

Support telephone: +1 (888) 463-8277

CHAPTER 1 SteelStore Overview

This chapter provides an overview of SteelStore. It includes the following sections:

“What Is SteelStore?”

“SteelStore Model Types”

What Is SteelStore?

SteelStore is a disk-to-disk data backup and archive storage optimization system with unique cloud storage integration. SteelStore integrates seamlessly with your existing backup technologies and cloud storage provider APIs to provide rapid replication of data to the cloud for offsite storage and rapid retrieval for disaster recovery.

SteelStore is a replacement for tape, virtual tape library (VTL), and disk-to-disk technology. SteelStore becomes the backup target for the enterprise. Rather than writing to tape, disk-to-disk, or VTL, a backup server writes its backups to SteelStore.

SteelStore is an inexpensive solution to store a very large number of backups, without the cost and maintenance of a secondary data center. It is like having a tape library, a vaulting system, an offsite storage facility, and a secondary data center in one 3U appliance.

SteelStore Model Types

There are two types of SteelStore deployments:

Physical hardware appliance with options

Virtual appliance

For more information about model types, see the Riverbed SteelStore Installation Guide. For more information about deployment scenarios, see Chapter 2, “Deployment Guidelines.”


Figure 1-1 shows an overview of the physical SteelStore deployment.

Figure 1-1. Physical SteelStore Deployment

In Figure 1-1, the application servers, email servers, and file servers connect to the backup server, typically through their backup agents. SteelStore easily integrates into your existing backup infrastructure. You can use your existing backup software, such as Symantec NetBackup, Symantec Backup Exec, or IBM Tivoli Storage Manager (TSM). The SteelStore acts as a storage target for your existing infrastructure. SteelStore appears to the backup server as a shared disk, using Common Internet File System (CIFS) or Network File System (NFS) protocols.

When it is time for a backup, the backup server contacts the backup client. Next, the backup server contacts the backup media (in this case, the SteelStore) and starts writing an image of the clients or objects it is backing up.

When you back up to SteelStore, it performs inline (real-time) deduplication of the backup data and replicates data into the cloud. SteelStore uses the local disk to store enough data for recovery of the most recent backups. This mechanism provides LAN performance for the most likely restores. The deduplication process uses variable segment length inline deduplication plus compression, which is superior to other techniques such as fixed block. Many competitors’ deduplication techniques use mostly compression, so they report deduplication levels of 3x. The SteelStore deduplication level typically ranges between 10x and 30x. Deduplication performance depends on the incoming data type, so turn off encryption and compression in the backup applications. Use the native encryption and deduplication in SteelStore to get higher data reduction rates than typical software products.

SteelStore writes a copy of the data into the cloud storage provider. After SteelStore fills the capacity of its cache, it removes the least recently used data and replaces it with new incoming data. This process is called eviction. Evicted data can be recalled from the cloud transparently without user interaction in typical configurations, with most clouds. Amazon Glacier, which is also supported, changes the workflow to be less transparent.

SteelStore also optimizes restores from the cloud because it recalls only the deduplicated data that is not in the local cache. For example, if the customer is getting 10x deduplication and needs to restore 10 TB of data, the SteelStore needs to recall only about 1 TB from the cloud. Over a 100-Mb line, this results in a time saving of days.

Data moves from the backup client to the backup server, to SteelStore, and then to the cloud. When you restore data, it moves from the cache in the SteelStore, where it is expanded to its original size, to the backup server and then to the backup client. If the data is not local, it moves from the cloud to the SteelStore, to the backup server, and to the backup client.


Figure 1-2 shows the backup applications and cloud providers that SteelStore supports.

Figure 1-2. SteelStore Cloud Integrated Storage


CHAPTER 2 Deployment Guidelines

This chapter provides the guidelines for physical and virtual SteelStore deployments. It includes the following sections:

“SteelStore Deployment Guidelines”

“SteelStore-v Deployment Guidelines”

SteelStore Deployment Guidelines

Use the following guidelines to deploy a physical SteelStore:

Size a SteelStore solution based on a clear understanding of the amount of source data to be backed up, the backup strategy used, the daily change rate, the annual data growth rate, the makeup of the source data set, and WAN bandwidth available for replication. Correct sizing helps ensure that data is processed and replicated to the cloud within an acceptable time to provide off-site protection. Contact NetApp to perform an analysis and determine the appropriate size.

Consider the following example:

– Source data set size: 20 TB

– Backup strategy: Using Symantec NetBackup, implementing a Saturday full backup plus daily incremental backup, keeping four full backups and two weeks of incremental backups in local SteelStore disk cache storage

– Daily change rate: 5%

– Annual data growth rate: 10%

– Data set makeup: File server

– WAN speed: OC3 - 155 Mbps

Given these parameters, and assumed deduplication rates of 2x for the first full, 20x for subsequent fulls, and 7x for incrementals, a WWA-2030 might be required. This appliance would hold an estimated 14 TB of full backups and 2 TB of incremental backups to store the necessary versions of data for the time frame requested. This result varies depending on the data set analysis, which can significantly alter the overall backup and deduplication rates achieved with SteelStore for full and incremental backups.


You can configure SteelStore folder shares to help describe a policy target. For example, you can configure a backup application to direct critical system backups to point to a critical folder on one SteelStore data connection, while noncritical backups might be directed by a backup application to point to a non-critical folder on the remaining SteelStore data connections. This method helps balance priorities of data over the network and organize data for recovery in case of a disaster.

If possible, organize your backup policies so that generations of the same data arrive at the same SteelStore unit. For example, if you are backing up a Windows server farm to multiple SteelStore appliances, operating system backups are likely to have the best deduplication rates when grouped together to the same SteelStore. File and application server backups obtain better deduplication when grouped together, because similar data might be stored in each location.

If you are choosing to move from one provider to another, you can use the cloud agility feature. Using a few CLI commands, you designate the new cloud bucket and data is systematically copied from the old provider to the new one.

For more information about cloud agility, see Chapter 7, “Cloud Agility.”

SteelStore exports its configuration to a file called steelstore_config_(HOSTNAME)_(DATETIME).tgz. NetApp recommends that you store the configuration file in different physical locations. You should also keep the exported configuration within the disaster recovery site. The configuration file contains information about the configuration, including the encryption key. Alternatively, you can just export the encryption key alone.

Note: To access the encrypted data, you need an encryption key. If you lose the encryption key, SteelStore cannot reconstitute the encrypted data.

You can deploy each SteelStore to only one cloud storage provider at a time. If a SteelStore must back up to a different cloud storage provider than the one configured, you must clear the SteelStore cache before reconfiguring the new cloud storage provider credentials. All existing data associated with the previous cloud storage provider remains, and you can recover it using SteelStore-v if necessary.

If the SteelStore storage capacity is less than the space used in the cloud during disaster recovery, you can still initiate the recovery process. However, in this case the SteelStore only recovers as much actual data as the size of its storage. If the recovery process attempts to restore more data than the disaster recovery SteelStore can handle, then the recovery process might fail.
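The sizing example in the first guideline above, worked through as an added example; it is not from the NetApp guide and is not NetApp's sizing method. It assumes decimal terabytes, one year of growth applied to the source size, six incrementals per week (12 in two weeks), and a fully usable WAN link; with those assumptions the cache figures land close to the guide's 14 TB and 2 TB estimates. All function and field names are hypothetical.

```python
from dataclasses import dataclass

TB = 10**12  # assumption: decimal terabytes (the guide does not say TB or TiB)


@dataclass
class SizingInput:
    source_tb: float            # source data set size
    annual_growth: float        # 0.10 for 10%
    daily_change: float         # 0.05 for 5%
    fulls_kept: int             # full backups kept in the local cache
    incrementals_kept: int      # incremental backups kept in the local cache
    dedupe_first_full: float    # 2 means 2x
    dedupe_later_fulls: float
    dedupe_incremental: float
    wan_mbps: float             # WAN speed in megabits per second
    growth_years: float = 1.0   # assumption: size for one year of growth
    wan_efficiency: float = 1.0  # assumption: share of the link usable for replication


def estimate(p: SizingInput) -> dict:
    """Estimate local cache use and replication time for one backup policy."""
    ratios = (p.dedupe_first_full, p.dedupe_later_fulls, p.dedupe_incremental)
    if min(ratios) <= 0:
        raise ValueError("deduplication ratios must be positive")
    if p.wan_mbps <= 0 or not 0 < p.wan_efficiency <= 1:
        raise ValueError("WAN speed must be positive and efficiency in (0, 1]")

    grown_tb = p.source_tb * (1 + p.annual_growth) ** p.growth_years

    # Stored size after deduplication: the first full dedupes poorly,
    # later fulls mostly repeat data the appliance has already seen.
    first_full_tb = grown_tb / p.dedupe_first_full
    later_full_tb = grown_tb / p.dedupe_later_fulls
    fulls_tb = 0.0
    if p.fulls_kept >= 1:
        fulls_tb = first_full_tb + (p.fulls_kept - 1) * later_full_tb

    incremental_tb = grown_tb * p.daily_change / p.dedupe_incremental
    incrementals_tb = incremental_tb * p.incrementals_kept

    bytes_per_second = p.wan_mbps * 1e6 / 8 * p.wan_efficiency

    def hours(tb: float) -> float:
        return tb * TB / bytes_per_second / 3600

    daily_hours = hours(incremental_tb)
    return {
        "cache_fulls_tb": fulls_tb,
        "cache_incrementals_tb": incrementals_tb,
        "cache_total_tb": fulls_tb + incrementals_tb,
        "first_full_replication_hours": hours(first_full_tb),
        "later_full_replication_hours": hours(later_full_tb),
        "daily_incremental_replication_hours": daily_hours,
        # Off-site protection falls behind if a day's changes need more than a day.
        "daily_incremental_fits_in_24h": daily_hours < 24,
    }


# Parameters from the guide's example; incrementals_kept=12 is the assumption
# of six daily incrementals per week for two weeks.
GUIDE_EXAMPLE = SizingInput(
    source_tb=20, annual_growth=0.10, daily_change=0.05,
    fulls_kept=4, incrementals_kept=12,
    dedupe_first_full=2, dedupe_later_fulls=20, dedupe_incremental=7,
    wan_mbps=155,
)

if __name__ == "__main__":
    for name, value in estimate(GUIDE_EXAMPLE).items():
        print(f"{name}: {value if isinstance(value, bool) else round(value, 2)}")
```

For the guide's parameters this model gives roughly 158 hours to replicate the first full backup over the OC3 link and a little over 2 hours for each daily incremental.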
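Because the exported configuration archive contains the encryption key and is kept in several locations, each stored copy can be checked for loose file permissions, a damaged archive, and content that differs between sites. The following is an added example, not NetApp tooling: the function names are hypothetical, the sample archive is constructed, and the file name keeps the guide's HOSTNAME and DATETIME placeholders unfilled.

```python
import gzip
import hashlib
import io
import os
import stat
import tarfile
import tempfile
import zlib

# Placeholder name following the guide's pattern; HOSTNAME and DATETIME are not filled in.
EXPORT_NAME = "steelstore_config_HOSTNAME_DATETIME.tgz"


def audit_copy(path):
    """Return (sha256_hex, findings) for one stored copy of the export."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # The archive holds the encryption key, so only its owner should have access.
        findings.append("accessible to group/other: mode %o" % mode)

    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)

    try:
        # Reading the gzip stream to its end checks the CRC and length trailer,
        # so a truncated or corrupted copy fails here.
        with gzip.open(path, "rb") as gz:
            while gz.read(1 << 20):
                pass
        with tarfile.open(path, "r:gz") as tar:
            if not tar.getmembers():
                findings.append("archive unreadable: no members")
    except (OSError, EOFError, zlib.error, tarfile.TarError) as exc:
        findings.append("archive unreadable: %s" % type(exc).__name__)
    return digest.hexdigest(), findings


def audit_copies(paths):
    """Audit every copy in {label: path} and flag intact copies that disagree."""
    results = {}
    for label, path in paths.items():
        sha256_hex, findings = audit_copy(path)
        results[label] = {"sha256": sha256_hex, "findings": findings}
    intact = {
        r["sha256"] for r in results.values()
        if not any(f.startswith("archive unreadable") for f in r["findings"])
    }
    if len(intact) > 1:
        for r in results.values():
            if r["sha256"] in intact:
                r["findings"].append("content differs from another intact copy")
    return results


def build_sample_export(path, payload=b"constructed placeholder, not a real key\n"):
    """Write a constructed .tgz (not a real SteelStore export) with mode 0600."""
    info = tarfile.TarInfo("constructed/placeholder.txt")
    info.size = len(payload)
    with tarfile.open(path, "w:gz") as tar:
        tar.addfile(info, io.BytesIO(payload))
    os.chmod(path, 0o600)


def demo_audit():
    """Three constructed copies: one good, one world-readable, one truncated."""
    with tempfile.TemporaryDirectory() as root:
        paths = {}
        for site in ("primary", "dr_site", "offsite"):
            os.mkdir(os.path.join(root, site))
            paths[site] = os.path.join(root, site, EXPORT_NAME)
        build_sample_export(paths["primary"])
        with open(paths["primary"], "rb") as fh:
            data = fh.read()
        with open(paths["dr_site"], "wb") as fh:
            fh.write(data)
        os.chmod(paths["dr_site"], 0o644)      # readable by everyone on the host
        with open(paths["offsite"], "wb") as fh:
            fh.write(data[: len(data) // 2])   # simulated interrupted transfer
        os.chmod(paths["offsite"], 0o600)
        return audit_copies(paths)


if __name__ == "__main__":
    for site, result in demo_audit().items():
        print(site, result["sha256"][:12], result["findings"] or "ok")
```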

SteelStore-v Deployment Guidelines

The following table shows additional hardware and software requirements for the SteelStore-v.

Component - SteelStore-v

Virtual CPUs - 2 minimum; 4 recommended.

Physical CPUs - 2.3 GHz + Xeon (or similar).

Memory - 6 GB minimum; 8 GB to 12 GB recommended on WWV-110, 12 GB minimum on WWV-210, and 24 GB minimum on WWV-410.

Networking - Adaptor type VMXNET3.

Disk -

• Minimum 22 GB and maximum 220 GB for the WWOS source disk.

• 1.8 TB for WWV-110, 4.3 TB for WWV-210, 8 TB for WWV-410, 16 TB for WWV-810, or 32 TB for WWV-1610 for the second hard disk that you add to the SteelStore-v.

• Use RAID-1 or a high-throughput disk subsystem. Use separate disk subsystems from the one used for backup servers. The disk must be equal to or greater than 1/5 of the licensed cloud capacity. See the Riverbed SteelStore Installation Guide for specific details.

Use the following guidelines to deploy SteelStore-v:

NetApp recommends that you use a dedicated physical drive for the SteelStore-v data store. Because this is the device that deduplicates and stores data from SteelStore-v, sharing this drive with other virtual machines (VMs) might impact the overall performance of the SteelStore-v disaster recovery operations.

Use at least a Gigabit link for interfaces. For optimal recovery performance, connect the virtual interfaces to physical interfaces that are capable of at least 1 Gbps.

Do not share physical NICs. For optimal performance, assign a physical NIC to a single interface. Do not share physical NICs destined for virtual interfaces with other VMs running on the ESX host. Doing so might create performance bottlenecks.

Always reserve virtual CPUs. To ensure SteelStore-v performance during disaster recovery (DR), it is important that the SteelStore-v receives a fair share of CPU cycles. To allocate CPU cycles, reserve the number of virtual CPUs for the SteelStore-v and also reserve the number of clock cycles (in terms of CPU MHz).

Always reserve RAM. Memory is another very important factor in determining SteelStore-v performance during DR. Reserve the RAM that is needed by the SteelStore-v model plus 5 percent more for the VMware overhead, which provides a significant performance boost.

Do not use low-quality storage for the datastore disk. Make sure that the SteelStore-v disk used for the datastore VMDK uses a disk medium that supports a high number of Input/Output Operations Per Second (IOPS), because DR requires high responsiveness from the disk. For example, use NAS, SAN, or dedicated SATA disks.

Do not share host physical disks. VMware recommends that to achieve near-native disk I/O performance, you do not share host physical disks (such as SCSI or SATA disks) between VMs. While deploying a SteelStore-v, allocate an unshared disk for the datastore disk.

After disaster recovery, if you are using a SteelStore at a disaster recovery site to subsequently perform backup tasks, NetApp recommends that you use a SteelStore that is of equivalent make and size as the lost production SteelStore instead of using SteelStore-v.

CHAPTER 3 SteelStore Sizing Guidelines

This chapter provides guidelines to determine the size of the SteelStore that you require. It includes the following sections:

“Sizing Questions” on page 13

“Factors That Influence SteelStore Sizing” on page 14

“Sizing Calculation” on page 14

“SteelStore-v Sizing Guidelines” on page 15

Sizing Questions

When sizing SteelStore for your network, consider the following questions:

How much data do you have to back up?

How fast do backups need to write? This speed is typically calculated from the backup window.

How long do you want data to remain local on the appliance for restores?

How long do you keep your backups?

How much does the data change daily (net daily change rate)?

How fast is your annual data growth rate?

How many backup versions do you protect?

What is your WAN bandwidth? The available bandwidth can impact the speed at which SteelStore operates.

Factors That Influence SteelStore Sizing

Consider the following factors when you size your SteelStore:

Ingress performance (backup operations received by the SteelStore) - What are the network requirements for the backup operation window on a daily incremental or weekly full basis? Divide the amount transferred from a daily incremental or weekly full by the backup window to identify the highest backup performance required by the SteelStore. Compare your result to the SteelStore specification sheet to determine the appropriate fit.

Egress performance (data sent to the cloud by the SteelStore) - What is the size of the WAN connection? Assuming a 2.5 to 3x deduplication on the first full backup operation received by the SteelStore, calculate the amount of time required to send the largest data set to the cloud considering the WAN speed. Is the resulting time acceptable for your situation? (Typical seeding periods can be up to two to four weeks, but it depends on your requirements.)

Cache capacity - How many recent backup versions do you want the SteelStore local cache to store? Assuming the first full backup operation size and the number of subsequent backup versions (subsequent full backup operations are typically only 5 to 20 percent of the first full backup operation), determine what cache capacity is required to fulfill the local restore requirement. Annual growth rate and daily changes increase the cache capacity requirements over time. The cache should also consider transient data awaiting replication to the cloud. The SteelStore cannot evict data from the cache until the data is replicated. This transient data can increase the space requirements if the WAN link sending the data to the cloud is slow.

Cloud capacity - Each SteelStore provides a specific cloud capacity. Consider all of the factors described in this section and the retention requirements for long-term backup operations (monthly, yearly, or archive), and determine the amount of space required in the cloud by adding up the consumed deduplicated space for each backup version. If the cloud consumption exceeds the license capacity for a given model, select the next largest SteelStore model.

Sizing Calculation

To calculate how much space you need to allocate to your SteelStore, use the following formula:

Divide the amount of data you intend to back up (in gigabytes) by the initial average deduplication ratio.

The initial average deduplication ratio is typically 2.5, but that value only takes into account the initial backups of the data, so it may increase over time. For example, if you plan to back up 3 TB of data, the calculation would be:

3 TB = 3000 GB

3000 / 2.5 = 1200 GB or 1.2 TB.

For example, assume that you have a total data set of 1 TB with a 2 percent net daily change rate. You have a 6-hour backup window and you want to keep data for 30 days.

In this case, the initial backup is 1 TB and needs to be completed in 6 hours. The processing rate is approximately 167 GB per hour. The net daily change rate is 20 GB per day, which is equivalent to 100 GB weekly. The total set for one week of data is 1.1 TB.

Also, for example, if there is a 10 percent annual growth rate, at the end of the first week there is approximately 1 TB + (100 GB / 52) ≈ 1 TB + 2 GB = 1.002 TB. Therefore, at the end of the first week, the SteelStore size (base + change + growth) might be:

1 TB + 100 GB + 0.002 TB = 1.102 TB.

Initially, SteelStore ingests a seed backup as the first full backup, which is 1 TB. For the next five days, it ingests what has changed that day. In this example, it is 20 GB per day. In five days, the total amount of data ingested by SteelStore is 1.1 TB. Now, when the next full backup runs, SteelStore obtains almost 100 percent deduplication because it has already transferred all of the data in the seed backup and the daily increments.

The second full data set is 1.1 TB. The WWA-730 has a maximum ingest rate of 1 TB/hr of backup data and an 8-TB cache. Therefore, the second backup completes in roughly the same time frame as the first full, and well under the 6-hour window available. It also gives you plenty of room for data growth that is protected by SteelStore.
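The worked example above, carried through in code as an added example (not part of the NetApp guide). It also estimates the seeding time and replication backlog raised under egress performance and cache capacity. The WAN speed, the 28-day seeding limit, and all function and field names are assumptions.

```python
"""SteelStore sizing arithmetic from the guide's worked example (added example)."""
from dataclasses import dataclass

GB_PER_TB = 1000        # the guide converts 3 TB to 3000 GB
WEEKS_PER_YEAR = 52


@dataclass
class Workload:
    dataset_gb: float                 # size of the first full backup
    daily_change_pct: float           # net daily change rate
    backup_window_h: float            # hours available for the backup
    backup_days_per_week: int = 5     # the guide counts five daily increments
    annual_growth_pct: float = 0.0
    dedup_ratio: float = 2.5          # initial average deduplication ratio
    wan_mbps: float = 100.0           # constructed value, not from the guide


def size(w: Workload) -> dict:
    """Return ingest, change, growth and WAN figures for one workload."""
    if min(w.dataset_gb, w.backup_window_h, w.dedup_ratio, w.wan_mbps) <= 0:
        raise ValueError("sizes, window, ratio and WAN speed must be positive")
    daily_change = w.dataset_gb * w.daily_change_pct / 100
    weekly_change = daily_change * w.backup_days_per_week
    weekly_growth = w.dataset_gb * w.annual_growth_pct / 100 / WEEKS_PER_YEAR
    seed_gb = w.dataset_gb / w.dedup_ratio        # deduplicated first full backup
    wan_gb_per_day = w.wan_mbps * 86400 / 8000    # Mbit/s -> GB per day (decimal)
    return {
        "ingest_gb_per_h": w.dataset_gb / w.backup_window_h,
        "daily_change_gb": daily_change,
        "weekly_change_gb": weekly_change,
        "first_week_tb": (w.dataset_gb + weekly_change + weekly_growth) / GB_PER_TB,
        "seed_gb": seed_gb,
        "seed_upload_days": seed_gb / wan_gb_per_day,
        # Data cannot be evicted from the cache until it is replicated. If the
        # WAN moves less per day than arrives, the remainder piles up.
        # Conservative assumption: daily changes are not deduplicated further.
        "backlog_gb_per_day": max(0.0, daily_change - wan_gb_per_day),
    }


def check_model(result, max_ingest_gb_per_h, cache_tb, max_seed_days=28):
    """Compare computed needs with one appliance's ingest rate and cache size."""
    problems = []
    if result["ingest_gb_per_h"] > max_ingest_gb_per_h:
        problems.append("ingest rate below what the backup window requires")
    if result["first_week_tb"] > cache_tb:        # raw size, so conservative
        problems.append("cache smaller than one week of backup data")
    if result["seed_upload_days"] > max_seed_days:
        problems.append("seeding the cloud takes longer than allowed")
    if result["backlog_gb_per_day"] > 0:
        problems.append("WAN cannot keep up; unreplicated data accumulates in cache")
    return problems


if __name__ == "__main__":
    # The guide's example: 1 TB data set, 2 percent daily change, 6-hour window,
    # 10 percent annual growth, checked against 1 TB/hr ingest and an 8-TB cache.
    example = size(Workload(1000, 2, 6, annual_growth_pct=10))
    for key, value in example.items():
        print(f"{key:>20}: {value:.3f}")
    print(check_model(example, max_ingest_gb_per_h=1000, cache_tb=8) or "fits")
```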

SteelStore-v Sizing Guidelines

Use the following sizing guidelines when deploying SteelStore-v:

The maximum size of a VMware virtual disk is 32 TB for WWV-1610. Refer to the “SteelStore Deployment Guidelines” on page 9 for details.

Do not use low-quality storage for the datastore disk. Make sure that the SteelStore-v disk used for the datastore VMDK uses a disk medium that supports a high number of Input/Output Operations Per Second (IOPS): for example, use NAS, SAN, or dedicated SATA disks.

Do not share host physical disks. VMware recommends that to achieve near-native disk I/O performance, you do not share host physical disks (such as SCSI or SATA disks) between VMs. While deploying SteelStore-v, allocate an unshared disk for the datastore disk.

While 32 TB is the data store size limit, you can start with a smaller size data store and grow the volume size (up to 32 TB) over time. You can restart SteelStore-v after expanding the volume; it recognizes the new size and extends the usable cache accordingly.

SteelStore-v supports the use of iSCSI disk or native disk to VMware ESX or ESXi as the basis for the SteelStore data store. However, be aware of the performance profile and network capabilities if using iSCSI disk.

Performance of physical SteelStores typically exceeds the performance of SteelStore-v. For example, both WWA-730 and SteelStore-v can have 8 TB usable cache, but a WWA-730 with RAID-6 disks and 1.5 TB per hr ingest rate has much better performance due to its additional hardware resources.

CHAPTER 4 Active Directory Domain

The SteelStore v2.0 and later provides a new option to join the appliance to a Windows Active Directory (AD) domain. This chapter describes how to configure an AD domain for Common Internet File System (CIFS) share-level access control. There are four basic steps for a SteelStore to join an AD domain, which are further detailed in the following sections:

1. “Joining the SteelStore to the AD Domain” on page 17

2. “Configuring CIFS Shares” on page 20

3. “Adding CIFS Share Users” on page 21

4. “Editing User Permissions for a CIFS Share” on page 22

Joining the SteelStore to the AD Domain

You can add the SteelStore to only one domain; you cannot add it to multiple domains.

The SteelStore supports only CIFS authentication. It does not support Kerberos authorization.

The SteelStore v2.0 or later does not support IP-based authentication. You can use firewall rules instead of this authentication, but the rules apply only to management or auxiliary interfaces.

To join the SteelStore to the AD domain

1. Choose Configure > Storage > CIFS to display the CIFS page.

Figure 4-1. CIFS Page

Figure 4-2. CIFS Page - Joining an AD Domain

2. Add the SteelStore to a Windows AD domain and enable domain users to access SteelStore CIFS shares.

Ensure that you have permissions to join appliances to the domain and add users who can access the domain. To join the SteelStore to an AD domain, complete the configuration as described in this table.

Control - Description

Join Domain - Displays the controls to add the SteelStore to your AD domain.

Domain Name - Specify the fully qualified domain name of the AD that the SteelStore must join. If your system has an AD domain, then you can add the SteelStore to your AD domain and create share permissions for AD users and groups.

User Name - Specify the username of a user to access the AD domain. The username must be a part of the AD and the user must have permissions to add computers to the domain.

Password - Specify the password to authenticate the user.

DNS Domain - Optionally, specify the DNS name of the domain.

Click Advanced Settings to display the optional advanced controls for configuring the domain. Complete the configuration as described in this table.

Control - Description

Organization Unit - Optionally, specify the organization unit within the domain to which the SteelStore must join. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains. For an overview of organizational units, go to: http://technet.microsoft.com/library/cc758565.aspx

Hostname - Optionally, specify the hostname that the SteelStore must use to join the domain. SteelStore then appears as the specified hostname in the AD.

Host DNS Domain - Optionally, specify the host DNS hostname that is used to join the SteelStore to the domain. The default domain name is the AD domain name.

After you join an AD domain, you can add users who can access the domain.

Configuring CIFS Shares

The Common Internet File System (CIFS) is the standard way that computer users share files across corporate intranets and the Internet. CIFS complements Hypertext Transfer Protocol (HTTP) while providing more sophisticated file sharing and file transfer than older protocols, such as FTP.

1. Choose Configure > Storage > CIFS to display the CIFS page.

2. To add a CIFS share, complete the configuration as described in this table.

Control - Description

Add CIFS Share - Displays the controls to add a new CIFS share.

Share Name - Specify the name of the share to be added.

Path - Specify the pathname to the share to be added. It starts with a forward slash (/).

Comment - Specify a comment about the share. You can only use alphanumeric, underscore (_), hyphen (-) characters, and space in this field.

Read Only - Select this check box if you want the share to be a read-only share.

Allow Everyone Access - Select this check box to enable all clients connected to the SteelStore system to access the CIFS share. Clear this check box to enable authentication.

Remove Selected - Deletes the selected CIFS share.

Add Share - Adds the CIFS share to the SteelStore CIFS server. The share you add appears in the list of shares on the page.

The share you configured appears in the list of shares on the page.

When you add a CIFS share to the SteelStore, you can enable authentication or leave it disabled (allowing all users to access the CIFS share). If you enable authentication, you must add CIFS users who can access the share. To enable authentication, ensure that you delete the user Everyone from the access control list of the share.

Adding CIFS Share Users

You can add users who can access the CIFS share using one of the following formats:

NTLM style: <DomainName>\<UserName>

Kerberos style: <UserName>@<DomainName>

To add users who can access the CIFS share

1. Choose Configure > Storage > CIFS to display the CIFS page.

2. Complete the configuration as described in this table.

Control - Description

Add CIFS User - Displays the controls to add a user to the SteelStore CIFS server.

User Name - Specify the username of a user to access the CIFS shares.

Password - Specify the password to authenticate the user.

Password Confirm - Specify the password again to confirm authentication.

Account - Select one of the following options from the drop-down list:

• Enabled - Enables the CIFS user to access the SteelStore CIFS share.

• Disabled - Disables the CIFS user from accessing the SteelStore CIFS share.

Remove Selected - Deletes the selected username from the CIFS server.

Add - Adds the username and password to the SteelStore CIFS server.

The username and account status that you add appear in the table below.

Note: You do not need to add CIFS users if you joined the SteelStore to an AD domain.

Windows provides the ability to sign CIFS messages to prevent man-in-the-middle attacks when sharing files. Each CIFS message has a unique signature, which prevents the message from being tampered with.

3. Under Global CIFS Settings, specify the values for SMB (Server Message Block) Signing and Guest Account. This setting overrides the setting under Add CIFS User.

Select one of the following values for SMB Signing:

Disabled - The CIFS server does not offer SMB signing. This is the default value.

Auto - Enables SMB signing automatically. The CIFS server offers SMB signing but does not enforce it. You can choose to enable or disable it.

Mandatory - The CIFS server enforces SMB signing. You must use SMB signing if you select this option.

Select one of the following values for Guest Account:

Enabled - Activates the guest account. A user may authenticate as a guest user and access a CIFS share (which allows guest users) using any username and password. If you want to enable any user to access the share, you can use this feature.

Disabled - Deactivates the guest account.

Note: Enabling SMB signing degrades the SteelStore performance.

Editing User Permissions for a CIFS Share

You can edit and change permissions for users accessing the CIFS share.

To edit domain user permissions

1. Choose Configure > Storage > CIFS and click the name of the CIFS share to display the CIFS share page.

2. Click the share name to display the controls to edit the share.

3. Under User or Group, click the name of the user to display a detailed list of permissions.

4. Under Edit Permissions, click Allow, Deny, or Default to enable each permission, disable it, or use the default permissions.

5. Click Apply to apply your configuration changes.

The share you configured appears in the list of shares on the page.

Permission - Description

List Directory - Allows or denies the user from viewing filenames and subfolder names in the folder. The List Directory permission applies only to folders and affects only the contents of that folder. This permission is not affected if the folder that you are setting the permission on is listed in the folder list.

Add File - Applies only to folders and allows or denies the user from creating files in the folder.

Traverse - Applies only to folders. This permission allows or denies the user from moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders.

Delete Child - Applies only to folders and allows or denies the user from deleting subfolders and files, even if the Delete permission is not granted for the subfolder or file.

Read Attributes - Allows or denies the user from viewing the attributes of a file or folder, such as read-only and hidden attributes. Attributes are defined by NTFS.

Write Attributes - Allows or denies the user from changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply that you can create or delete files or folders. It includes only the permission to make changes to the attributes of a file or folder.

CHAPTER 5 Disaster Recovery

This chapter describes how to perform disaster recovery using SteelStore. Disaster recovery is the process of recovering the technology infrastructure critical to an organization after a natural or man-made disaster. SteelStore supports disaster recovery by enabling you to retrieve your data in case of a failure.

This chapter includes the following sections:

“Benefits of the SteelStore in Disaster Recovery” on page 23

“Performing Disaster Recovery” on page 24

“Using Prepopulation with Amazon Glacier Cloud Storage” on page 35

“Automatic Prepopulation” on page 35

Benefits of the SteelStore in Disaster Recovery

SteelStore provides the following benefits during disaster recovery:

Ease of use - You manage the SteelStore with the SteelStore Management Console that you can access directly from the appliance. You can manage multiple appliances remotely.

Interoperability - The SteelStore is designed to drop into an organization's existing backup environment seamlessly, as a standard network-attached storage target. Additionally, it supports all of the major backup applications currently available and in use by companies throughout the world.

WAN optimization - Using industry-leading compression and deduplication technologies that are the cornerstone of current NetApp solutions, WAN optimization provides performance gains when replicating data to the cloud. By reducing the footprint of storage requirements significantly (from 10 to 30 times reduction), storage and access costs associated with protecting data reduce significantly.

Security - The SteelStore uses dual-level encryption standards to protect data both at rest (using AES 256-bit encryption) and in transit (using SSLv3 encryption). It uses an encryption key to protect data.

Stateless appliance - The SteelStore can store and rebuild the most recent backups locally and for all older backups the appliance can restore from the cloud, as necessary.

Scalability - With SteelStores being able to address up to 15 PB of backup capacity, even the largest enterprises can achieve offsite data protection for all their data with just a few appliances. Because cloud storage is elastic, you can increase or decrease capacity instantaneously.

Performing Disaster Recovery

You can enable a SteelStore at the disaster recovery site to access backups that originated from a SteelStore at the affected data center. Depending on the data size, you can also use SteelStore-v at the recovery site.

Note: You do not need a license to restore data in read-only mode in the SteelStore. You can download SteelStore-v for free from the NetApp Support site at https://mysupport.netapp.com and use it to recover your data.

For example, consider a data center with a SteelStore located at Site A (shown in Figure 5-1). The backup site is Site B, located in a different physical location (such as different city, country, or continent). If there is a disaster at Site A, the data still resides in the cloud. Site B contains a passive SteelStore that is not powered on.

You can also use a SteelStore-v at Site B, depending on the size of the data that you need to restore. SteelStore-v can store data up to 32 TB. NetApp recommends that you use an appliance in the disaster recovery site (Site B) that has the same or greater local storage capacity as the affected SteelStore (in Site A). If the appliances at the two sites do not match, you can still initiate the recovery process; however, it recovers only as much data as the size of the storage on the SteelStore at the disaster recovery site. If the recovery process attempts to bring back more data than the disaster recovery SteelStore can handle, then the recovery process might fail.

For details about SteelStore sizes, see the NetApp SteelStore Cloud Integrated Storage Installation Guide.

Figure 5-1. Disaster Recovery Process

If the disaster completely destroys Site A, power on the SteelStore at Site B and configure it to perform disaster recovery.

You can use the peer replication feature in the SteelStore to provide the same level of protection and recovery performance at the secondary disaster recovery sites as at the primary production sites.

You can assign the secondary SteelStore in the disaster recovery location as the peer replication pair to a primary SteelStore at the production data center.

The primary SteelStore transmits cache data to the secondary SteelStore and at the same time it replicates the cache data to the cloud. Therefore, the secondary SteelStore cache is a mirror view of the primary appliance cache.

During disaster recovery, the secondary appliance switches over to the primary SteelStore, and it can be immediately used for disaster recovery because it has the full contents of the cache that might have been lost from the primary SteelStore. In this scenario, the data exchange with cloud storage is minimal because the cache contents already provide the data to be restored.

Preparing for Disaster Recovery

Assume that Site A uses the Amazon S3 cloud provider. To authenticate the SteelStore with Amazon S3, you configure an access key, a secret key, and a bucket name (bucket_name) for the cloud provider. You also configure an encryption key. NetApp recommends that you store the encryption key in a different physical location and also distribute it to multiple storage locations (for redundancy) in your company. Keep the encryption key within the disaster recovery site.

For details about preparing for disaster recovery, see the best practices of the backup application documentation.

To prepare for disaster recovery, export your current configuration file from the SteelStore at Site A, steelstore_config_(HOSTNAME)_(DATETIME).tgz, and store it on your computer.

To export your configuration file

1. Click Export Configuration in the SteelStore wizard dashboard to display the Export Configuration Wizard page.

Figure 5-2. Export Configuration Wizard Page

2. Type the password for the encryption key in the password field. The password field appears only if you specified a password for your encryption key when you generated it in the cloud settings wizard page.

3. Click Export Configuration to download the current SteelStore configuration file SteelStore_config_(HOSTNAME)_(DATETIME).tgz.

4. Click Exit to close the Export Configuration Wizard page and go back to the dashboard.

5. Click Exit to close the dashboard.
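The recommendation to keep the exported archive, which contains the encryption key, in several physical locations can be checked mechanically. The following added example (not part of the NetApp guide) audits directories that hold copies of the export. It assumes the storage locations are mounted as directories, that DATETIME contains no underscore and sorts chronologically as text, and that a two-copy minimum is wanted; the function and finding names are hypothetical.

```python
"""Audit copies of exported SteelStore configuration archives (added example)."""
import hashlib
import os
import re
import stat
import tempfile
from collections import defaultdict

# Name pattern from the guide: steelstore_config_(HOSTNAME)_(DATETIME).tgz
# The guide writes the prefix in two capitalizations, so match case-insensitively.
# Assumption: DATETIME has no underscore; the hostname may contain underscores.
EXPORT_RE = re.compile(
    r"^steelstore_config_(?P<host>.+)_(?P<stamp>[^_]+)\.tgz$", re.IGNORECASE)


def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_locations(locations):
    """Return {host: {stamp: [(location, path, sha256, mode), ...]}}."""
    found = defaultdict(lambda: defaultdict(list))
    for loc in locations:
        for name in sorted(os.listdir(loc)):
            match = EXPORT_RE.match(name)
            path = os.path.join(loc, name)
            if not match or not os.path.isfile(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            found[match["host"].lower()][match["stamp"]].append(
                (loc, path, sha256_file(path), mode))
    return found


def audit(locations, min_copies=2):
    """Return (finding, host, detail) tuples for the newest export of each host."""
    findings = []
    for host, exports in sorted(scan_locations(locations).items()):
        latest = max(exports)
        copies = exports[latest]
        if len({loc for loc, *_ in copies}) < min_copies:
            findings.append(("too-few-copies", host, latest))
        if len({digest for _, _, digest, _ in copies}) > 1:
            # Copies of one export must be identical; a difference means a
            # damaged or altered archive, and the key inside may be unusable.
            findings.append(("hash-mismatch", host, latest))
        for items in exports.values():
            for _, path, _, mode in items:
                if mode & 0o077:  # readable by group or others
                    findings.append(("loose-permissions", host, path))
    return findings


def demo():
    """Run the audit over constructed sample files in three temp directories."""
    with tempfile.TemporaryDirectory() as root:
        locs = [os.path.join(root, n) for n in ("hq-safe", "dr-site", "offsite")]
        for loc in locs:
            os.mkdir(loc)
        samples = {  # (location index, file name): (content, mode), all constructed
            (0, "steelstore_config_ss-prod-01_20141201.tgz"): (b"export-A", 0o600),
            (1, "SteelStore_config_ss-prod-01_20141201.tgz"): (b"export-A", 0o644),
            (0, "steelstore_config_ss_branch_20141130.tgz"): (b"export-B", 0o600),
            (2, "steelstore_config_ss-lab_20141202.tgz"): (b"export-C", 0o600),
            (1, "steelstore_config_ss-lab_20141202.tgz"): (b"export-C-bad", 0o600),
        }
        for (idx, name), (content, mode) in samples.items():
            path = os.path.join(locs[idx], name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return [(kind, host) for kind, host, _ in audit(locs)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The permission check uses POSIX mode bits, so it is meaningful only where the copies live on a file system that records them.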

Restoring Data

If you are restoring data for disaster recovery testing, you must first disable replication on the SteelStore at Site A.

To restore your data for disaster recovery or disaster recovery testing

1. Log in to the SteelStore Management Console.

2. Choose Configure > Storage > Cloud Settings to display the Cloud Settings page.

Figure 5-3. Cloud Settings Page - Replication

3. Click the Replication tab.

4. Check the Suspend Replication check box to pause replication until you resume it again.

To restore your data from the SteelStore at Site B

1. At Site B, plug a serial cable into the console port and a terminal.

2. Configure the SteelStore network information through the serial console. For details, see NetApp SteelStore Cloud Integrated Storage Installation Guide.

3. Connect to the SteelStore Management Console.

4. Click Import Configuration in the wizard dashboard to display the Import Configuration page. Import the configuration exported from the appliance in Site A to the SteelStore in Site B. Ensure that the new appliance in Site B uses the same cloud provider credentials, bucket name, and encryption key that Site A uses.

Figure 5-4. Import Configuration Wizard Page

5. Select Local File and click Choose a File to select a local configuration file from your computer.

6. Leave the Import Shared Data Only check box selected (by default) to import only the following common settings (the system does not automatically copy the other settings):

Cloud settings

Email settings

Logging

NTP settings

SNMP settings

Statistics or Alarms settings

Time zone settings

Web and CLI preferences

CIFS and NFS configuration

When you select the Import Shared Data Only check box, the following settings are not imported:

General Security Settings

Static host configuration

Appliance licenses

Interface configuration, IP configuration, static routes, and virtual interfaces.

RADIUS protocol settings

Name server settings and domains

Scheduled jobs

SSH server settings and public or private keys

Hostname, Message of the Day (MOTD), and Fully Qualified Domain Name (FQDN)

TACACS protocol settings

Telnet server settings

7. Select the Password protect the Encryption Key check box to specify a password for the encryption key. If you select this option, you must enter the same password when you import or export the encryption key.

8. Click Import Configuration.

Caution: After this process completes, the system displays a prompt to restart the storage optimization service. Do not click the restart service button to restart the storage optimization service.

9. Connect to the SteelStore command-line interface using SSH.

10. To perform disaster recovery after a lost primary site, enter the following commands:

amnesiac > enable
amnesiac # configure terminal
amnesiac (config) # no service enable
amnesiac (config) # datastore format local
amnesiac (config) # replication recovery enable
amnesiac (config) # service enable
amnesiac (config) # show service

To test disaster recovery from a secondary site while the primary site is still alive, enter the following commands:

amnesiac > enable
amnesiac # configure terminal
amnesiac (config) # no service enable
amnesiac (config) # datastore format local
amnesiac (config) # replication dr-test enable
amnesiac (config) # service enable
amnesiac (config) # show service

This process can take anywhere from a few seconds to a few hours, depending on the backup(s) being restored. During the recovery process, the system communicates with the cloud provider and recovers all the namespace files that existed before the failure. The duration of this process depends on how many files you stored on SteelStore before the failure. Enter the show service command to determine the date and time until which the data store has been replicated.

After your service restarts, you can browse to your share and see your files. Because the recovery process downloads only the namespace and metadata, initial file access might be slow, as SteelStore still has to download all of the data from the cloud.

11. You can retrieve the backup data from the cloud and populate the SteelStore with it locally, using either the Management Console or the command-line interface, so that the SteelStore has a local copy of the target data (which improves file access performance).

Prepopulating Data

NetApp recommends that you use the SteelStore prepopulation process because it is a more efficient way of restoring data from the cloud than using the backup application directly. Although it might seem longer (because this step occurs before the SteelStore restores data through the backup application), the prepopulation process improves restore times. It replaces sporadic read operations during the restore with sequential reads, thereby warming the SteelStore cache much more quickly.

To prepopulate data using the SteelStore Management Console

1. Choose Reports > Optimization > Prepopulation to display the Prepopulation page.

Figure 5-5. Prepopulation Page

2. Click Select File to display the Prepopulation File Browser that contains a list of files that can be prepopulated.

Figure 5-6. Prepopulation File Browser

The Prepopulation File Browser enables you to browse the files on the SteelStore shares. For each file, it displays the file size, modification time (appears when you hover the cursor over a specific file), and its estimated size on disk. Select a file or a list of files, and click Fetch Percent Locally Cached for selected files to obtain the locally cached percent in the SteelStore cache. This process can be slow for large files.

3. Select the check box next to the file you want to prepopulate.

4. Click Prepopulate Selected Files to prepopulate the files that you selected and display the Prepopulation Report Status page.

Figure 5-7. Prepopulation Report - Status Page

The Prepopulation Report Status page displays the status of the prepopulation task. The following table summarizes the various states.

Status | Description
Enqueued | The prepopulation task has just been recorded. The SteelStore has not started processing it. You do not usually see this status (unless there is a large number of prepopulation tasks) because the prepopulation process is very fast and it quickly moves to the next step in the process.
Processing | The SteelStore is identifying data that must be restored from the cloud.
Requested | The system has requested all of the data required for the prepopulation request from the cloud.
Downloading | The system has started downloading the data for the prepopulation request. When the cloud provider is Amazon Glacier, it usually takes about five hours for this state to appear.
Completed | This state indicates that the prepopulation task is complete. The completion time also appears in a separate column.
Failed | This state indicates that the SteelStore did not restore all of the data and the prepopulation task failed. Check the logs to determine the reason for failure.

5. Optionally, click Clear Completed Jobs to delete the completed prepopulation tasks (status is Completed).

After a prepopulation job is complete, the system sends an email notification to the email recipients configured to receive email notifications.

If the prepopulation job is successful, the email notification contains the following information:

Subject: Prepopulation Job Completed
Body: Prepopulation job #[job id] has completed successfully.

If the prepopulation job fails, the email notification contains the following information:

Subject: Prepopulation Job Failed
Body: Prepopulation job #[job id] has failed. Please check the system log for more information.

To prepopulate data using the command-line interface

1. Connect to the SteelStore command-line interface using SSH.

2. Enter the following command:

amnesiac (config) # datastore prepop {[num-days <number-of-days>] | [start-date *] [end-date *] | [pattern <pattern>]}

The following table shows the parameter options.

Parameter | Description
num-days <number-of-days> | Specify the number of last-modified days to start data retrieval (from the present date to the number of days you specify).
start-date <start-date> | Specify the date from which the data retrieval should start. The system prepopulates the files modified on or before this date.
end-date <end-date> | Specify the date on which the data retrieval should end. Stop prepopulating files on or after this date.
pattern <pattern> | Filters the data retrieved by the pattern you specify. The pattern specified contains a required internal share name created on the SteelStore, one or more optional subfolder names from the external share name visible to the user, and finally a required regular expression describing the file or files to be prepopulated. The asterisk (*) symbol with the regular expression matches all characters.

To view the current status of prepopulation, enter the following command:

amnesiac (config) # show datastore prepop

Example 1 Pattern-based Data Store Prepopulation

This example explains pattern-based data store prepopulation. Consider the directory structure shown in Figure 5-8.

Figure 5-8. Example Directory Structure

The following table shows different examples of the datastore prepop command for this directory structure.

Command | Description
datastore prepop pattern cifs/* | Populates only file1 and file2.
datastore prepop pattern cifs/* recursive | Populates all of the files (file1 through file7) with directory1 and directory2.
datastore prepop pattern cifs/directory1/* | Populates only file3 and file4.

The datastore prepop command operates from the local pathname for each CIFS share created as shown in Figure 5-9.

Figure 5-9. Creating CIFS Shares

Example 2 Time-based Data Store Prepopulation

This example explains time-based data store prepopulation.

Consider the directory structure shown in Figure 5-10.

Figure 5-10. Example Backup Times (files labeled Backed up 30 days ago, Backed up 20 days ago, and Backed up 7 days ago)

To obtain the most recent files backed up, enter the following command on the SteelStore command-line interface:

datastore prepop num-days 7

This command fetches data that is seven days old from the cloud.

Example 3 Prepopulating From Backups

In this example, assume that:

All full backups are stored in a directory called fulls.

All full backups for Host A are stored in a subdirectory called hostA.

To prepopulate all backups for Host A that occurred during the 24 hours starting on 2014-01-01 (YYYY-MM-DD), enter the following command:

amnesiac (config) # datastore prepop pattern fulls/hostA/*.img start-date 2014-01-01 end-date 2014-01-02 num-threads 64

To prepopulate all backups for Host A that occurred in the past 30 days (from the current time), enter the following command:

amnesiac (config) # datastore prepop num-days 30 pattern fulls/hostA/*.img num-threads 64

After this process finishes, you can initiate a restore process using the restore feature of the backup application. For details about how to restore your backups, refer to the relevant documentation for your backup application.

Using Prepopulation with Amazon Glacier Cloud Storage

When you use Amazon Glacier as the cloud storage provider, it takes approximately four to five hours for data to be available for download, after you send the initial request to the cloud. Due to this delay, if data is not available on the local cache, it cannot be paged back from the cloud on demand.

In such cases, you must first restore the files to be read from the cloud to the local cache on the SteelStore using the prepopulation CLI commands. After the data is restored from the cloud, it can be read from the local cache.

Use the file browser in the SteelStore Management Console to initiate prepopulation of files.

Automatic Prepopulation

You can also use settings in the SteelStore to automatically trigger prepopulation of a file when you try to read the file and find that data must be restored from the cloud.

To enable automatic prepopulation:

1. Connect to the SteelStore CLI.

2. Type the following commands:

amnesiac(config)# rfsctl exec "-w decoder.file_local_check=true"
amnesiac(config)# rfsctl exec "-w autoprepop.enable=true"

Time-Based Automatic Prepopulation

When you enable automatic prepopulation, you can also include files that have modification times in a given range relative to the file that is read for prepopulation.

For example, assume that a folder in the SteelStore share contains a file called testfile with a modification time stamp X. Assume you enabled automatic prepopulation of the file testfile. If the SteelStore cache does not contain the complete contents of the file testfile, then reading the file triggers a prepopulation job for the file testfile. For details, see “Automatic Prepopulation” on page 35.

Also, if you want to prepopulate all files in the same folder that have modification time stamps in the range (X-delta1, X+delta2), type the following commands on the SteelStore CLI:

amnesiac(config)# rfsctl exec "-w autoprepop.time_based.enable=true"
amnesiac(config)# rfsctl exec "-w autoprepop.time_based.pre_delta=<delta1>"
amnesiac(config)# rfsctl exec "-w autoprepop.time_based.post_delta=<delta2>"

The units for delta1 and delta2 are in seconds.
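
To see which files a given pair of deltas would pull in before setting them, the following added example (not SteelStore code) lists the files in the read file's folder whose modification times fall inside (X-delta1, X+delta2) and totals their sizes. It assumes the share is mounted on a Linux admin host with GNU stat and that the range bounds are exclusive, as the parentheses suggest; the function names are hypothetical.

```bash
#!/bin/sh
# Added example, not SteelStore code: preview the time-based automatic
# prepopulation window (X - pre_delta, X + post_delta), where X is the
# modification time of the file being read.
# Assumptions: share mounted on this host, GNU stat, exclusive window bounds.
# Sizes are logical file sizes on the share, not the deduplicated bytes the
# SteelStore would actually fetch from the cloud.

mtime_of() { stat -c '%Y' -- "$1"; }   # seconds since the epoch
size_of()  { stat -c '%s' -- "$1"; }   # bytes

# prepop_window READ_FILE PRE_DELTA POST_DELTA
# Prints "<bytes> <name>" for the read file and for every regular file in the
# same folder whose mtime lies inside the window, then a "TOTAL <bytes>" line.
prepop_window() {
    local read_file="$1" pre="$2" post="$3" x dir f v
    for v in "$pre" "$post"; do
        case "$v" in
            ''|*[!0-9]*)
                echo "deltas must be whole seconds: '$v'" >&2
                return 2 ;;
        esac
    done
    x=$(mtime_of "$read_file") || return 1
    dir=$(dirname -- "$read_file")
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # same folder only, no subfolders
        printf '%s %s %s\n' "$(mtime_of "$f")" "$(size_of "$f")" "${f##*/}"
    done | awk -v x="$x" -v pre="$pre" -v post="$post" \
               -v self="${read_file##*/}" '
        {
            name = $0
            sub(/^[0-9]+ [0-9]+ /, "", name)   # keep names that contain spaces
            # The read itself always triggers a job for the file being read.
            if (name == self || ($1 > x - pre && $1 < x + post)) {
                print $2, name
                total += $2
            }
        }
        END { print "TOTAL", total + 0 }'
}

# Run only when called with arguments, for example:
#   sh prepop_window.sh /mnt/share/backups/testfile 3600 3600
if [ "$#" -eq 3 ]; then
    prepop_window "$1" "$2" "$3"
fi
```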

CHAPTER 6 Remote Management Port

This chapter describes how to configure the remote management port. The port is labeled REMOTE on the back of each appliance.

This chapter includes the following sections:

“Configuring the Remote Management Port”

“Remote Management Port Configuration Example”

Configuring the Remote Management Port

Access to the SteelStore through the remote management port requires the use of the IPMItool utility. You can download a Linux version at http://sourceforge.net/projects/ipmitool/files/. You can obtain a Windows version of IPMItool on the Document CD that ships with your system or from NetApp Support at https://mysupport.netapp.com.

This utility must be run on an administrator system outside of the SteelStore to access the remote port functions. Check the man page for IPMItool for a full list of capabilities (although not all the commands are supported on the SteelStore OS hardware platforms).

To configure the remote management port

1. Physically connect the REMOTE port to the network. You cable the remote management port to the Ethernet network in the same manner as the Primary interface. For details, see the NetApp SteelStore Cloud Integrated Storage Installation Guide.

2. Install IPMItool on the client machine.

Assuming the IP address is 192.168.100.100, the netmask is 255.255.255.0, and the default gateway is 192.168.100.1, assign an IP address to the remote management port:

amnesiac (config) # remote dhcp

- or -

amnesiac (config) # remote ip address 192.168.100.100
amnesiac (config) # remote ip netmask 255.255.255.0
amnesiac (config) # remote ip default-gateway 192.168.100.1

3. Verify that the IP address is set correctly:

amnesiac (config) # show remote ip

4. Ping the new management IP address from a remote computer, and verify it replies.

5. To secure the remote port, assign a password to the port:

amnesiac (config) # remote password <new-password>

6. Set the remote port bit-rate to match the current serial port bit-rate. Typically, this value is 9.6.

amnesiac (config) # remote bitrate 9.6

To activate the serial connection

1. Enter the following command to activate the serial connection:

ipmitool -I lanplus -H 192.168.100.100 -P "<password>" sol activate

2. Press the tilde key (~) to end the serial connection.

While the serial connection is established, the actual serial console is disabled. Ending the remote serial connection cleanly with a tilde (~) reenables the real serial port. If the session fails to exit cleanly, the actual serial port might not reactivate. If the serial port fails to reactivate, reconnect remotely and exit cleanly using tilde (~).
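
The activation command above passes the password with -P, which puts it on the command line and therefore into shell history. As an added example (not from the NetApp guide), this wrapper opens the same session with ipmitool's -f password-file option and checks the file first; the function names, the IPMITOOL override variable and the example file path are assumptions.

```bash
#!/bin/sh
# Added example, not from the NetApp guide. Opens the serial-over-LAN session
# with ipmitool's -f <password_file> option so the password is never typed on
# the command line. Function names and the IPMITOOL variable are assumptions.

IPMITOOL=${IPMITOOL:-ipmitool}

# pwfile_ok FILE: succeed only if FILE is safe to hand to "ipmitool -f".
pwfile_ok() {
    local f="$1" perms
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "password file must be a regular file, not a link: $f" >&2
        return 1
    fi
    if [ ! -O "$f" ]; then
        echo "password file is not owned by the current user: $f" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "password file is accessible to group or others; run: chmod 600 $f" >&2
        return 1
    fi
    # ipmitool treats an empty password file as a NULL password.
    if [ ! -s "$f" ]; then
        echo "password file is empty: $f" >&2
        return 1
    fi
}

# sol_activate HOST PWFILE: the same session as the guide's command, without -P.
sol_activate() {
    local host="$1" pwfile="$2"
    pwfile_ok "$pwfile" || return 1
    "$IPMITOOL" -I lanplus -H "$host" -f "$pwfile" sol activate
}

# Run only when called with arguments, for example:
#   sh sol.sh 192.168.100.100 "$HOME/.ipmi-steelstore.pw"
if [ "$#" -eq 2 ]; then
    sol_activate "$1" "$2"
fi
```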

Remote Management Port Configuration Example

The following commands show an example of how to configure the remote management port.

1. Connect to a SteelStore:

SteelStore
amnesiac login: admin
Password:
Last login: Thu Apr 12 13:32:56 from 10.18.5.230

2. Obtain the IP address of the remote appliance:

amnesiac > enable
amnesiac (config) # show remote ip
DHCP: Enabled
IP Address: 10.1.19.58
Netmask: 255.255.255.0
Gateway: 10.1.19.1
MAC Address: 00:0E:B6:98:80:42

3. Obtain the current bitrate configuration:

chief-csa6 (config) # show remote bitrate
Volatile: 19.2 kbps
Non-Volatile: 19.2 kbps

4. Change the IPMI remote password:

chief-csa6 # configure terminal
chief-csa6 (config) #
chief-csa6 (config) # remote password password

5. Change the remote bitrate to 9.6 kbps:

chief-csa6 (config) # remote bitrate 9.6
chief-csa6 (config) # write memory
chief-csa6 (config) # show remote bitrate
Volatile: 9.6 kbps
Non-Volatile: 9.6 kbps

6. Install IPMItool on a Linux SL6 machine:

yum install ipmitool.x86_64

7. Log in to IPMI remote port:

[root@chief-csa82 ~]# ipmitool -I lanplus -H amnesiac-remote sol activate
Password:

8. Enter the password. The following prompt appears:

[SOL Session operational. Use ~? for help]

9. Press the Enter key. The following SteelStore login prompt appears:

SteelStore
amnesiac login:
Last login: Tue May 1 13:05:08 on ttyS0
[admin@amnesiac ~]#

10. Enter the following IPMI command to test the feature:

[root@chief-csa82 ~]# ipmitool -H chief-csa14-ilo.lab.nbttech.com -P password sdr
CPU0 Vcore | 1.21 Volts | ok
CPU1 Vcore | 1.21 Volts | ok
HT_1.2V | 1.17 Volts | ok
Mem0_1.8V | 1.81 Volts | ok
Mem1_1.8V | 1.81 Volts | ok
SAS_1.2V | 1.23 Volts | ok
MCP55_1.4V | 1.40 Volts | ok
MCP55_1.5V | 1.51 Volts | ok
3.3V | 3.38 Volts | ok
5V | 4.94 Volts | ok
12V | 11.71 Volts | ok
VBat | 3.04 Volts | ok
CPU0 Temp | 43 degrees C | ok
CPU1 Temp | 46 degrees C | ok
MCP55_Temp | 31 degrees C | ok
IO55_Temp | 33 degrees C | ok
CenterArea_Temp | 29 degrees C | ok
NearLSI_Temp | 30 degrees C | ok
COM_port_Temp | 27 degrees C | ok
LAN_PHY_Temp | 26 degrees C | ok
FAN1 | 3120 RPM | ok
FAN2 | 3120 RPM | ok
FAN3 | 3120 RPM | ok
FAN4 | 4320 RPM | ok
FAN5 | 3360 RPM | ok
FAN6 | 3000 RPM | ok
BP Temp1 | 29 degrees C | ok
BP Temp2 | 29 degrees C | ok
BP Temp3 | 30 degrees C | ok
BP Temp4 | 29 degrees C | ok
PDB Temp | 26 degrees C | ok
FP Temp | 19 degrees C | ok
PS0 | 0x01 | ok
PS1 | 0x01 | ok
PWR_UNIT_RDN | 0x01 | ok
PS0 TEMP | 28 degrees C | ok
PS1 TEMP | 27 degrees C | ok
PS0 FAN1 | 8160 RPM | ok
PS0 FAN2 | 6540 RPM | ok
PS1 FAN1 | 8160 RPM | ok
PS1 FAN2 | 6360 RPM | ok

11. Log out of the SteelStore:

[admin@amnesiac ~]# exit
logout

12. Terminate the IPMI session with a tilde (~):

~.

CHAPTER 7 Cloud Agility

This chapter describes how to migrate data to a new cloud. It includes the following sections:

“Cloud Agility Overview”

“Migration Process”

Cloud Agility Overview

SteelStore writes the deduplicated, compressed, and encrypted data to a private or public cloud storage provider. When business requirements dictate that data be migrated to a new cloud (for example, migrating from public cloud to public cloud, private cloud to public cloud, or public cloud to private cloud), the data that resides in that cloud storage must be relocated to a new cloud storage through data migration.

SteelStore implements the cloud migration feature called Cloud Agility to address this requirement. See “Migration Process” on page 42 to see an example of the three commands used for cloud migration. The first two commands provide the cloud credentials and storage target of the new cloud storage service. The third command begins the migration. SteelStore copies all of the data from the first cloud storage to the second cloud storage.

Figure 7-1. Cloud Migration Process

SteelStore acts as a data replicator during the migration. As the data flows from the existing cloud, through the SteelStore, and then on to the new cloud, the SteelStore does not reprocess the data. Therefore, no data is evicted from the SteelStore cache during this process; the data simply flows through the networking components of the appliance. SteelStore also continues to accept data from backup applications, so no interruption to backup schedules occurs during migration.

When the data migration process completes, SteelStore automatically updates the cloud storage provider credentials to the new provider and resumes replication of any pending data that was queued during the migration process.

Migration Process

Use the following commands to set up the cloud credentials and perform the migration. The command to set up the authentication type may be different depending on the provider you use.

To set cloud credentials:

replication migrate-to provider type <provider-name> bucket-name <bucket-name> hostname <host-name> port <port-value>
replication migrate-to auth type <authentication-type> acc-key-id <access-key> secret-acc-key <secret-key>

To start cloud migration:

replication migrate-to enable [num-threads <value-1-to-128>]

To monitor cloud migration:

show replication migrate-to estimate

Note: Cloud Agility is not supported from Amazon Glacier to any other cloud storage provider.

If migrating from Amazon S3 to Amazon Glacier, use the command:

replication s3-to-glacier

CHAPTER 8 Monitoring Peer Appliances

This chapter describes how to configure the peer monitoring feature in the SteelStore. It includes the following sections:

“Configuring REST API Access”

“Specifying the API Access Code”

Configuring Appliance Monitoring

Any SteelStore can monitor a peer SteelStore. After you configure REST API access and add the API access code for the peer appliance, the Appliance Monitoring report enables you to view the health status, disk space, and cloud service status of the SteelStore.

The monitoring appliance probes the monitored peer appliances every 60 seconds by default.

To configure appliance monitoring

1. Enable REST-based access on the monitored appliance.

2. Generate the API access code on the monitored appliance.

3. Enter the API access code on the monitoring appliance.

Configuring REST API Access

The SteelStore uses REST APIs that you can access to set up peer appliance monitoring.

When you add an appliance to be monitored by the SteelStore, you must generate an API access code to enable authenticated communication between the monitoring appliance and the monitored peer appliance.

To configure REST API Access

1. Log in to the monitored SteelStore.

2. Choose Configure > Storage > REST API Access to display the REST API Access page.

Figure 8-1. REST API Access Page

3. Under REST API Access Settings, select the Enable REST API Access check box to enable access to the REST APIs.

4. Click Apply to apply your configuration.

5. Complete the configuration as described in this table.

Control | Description
Add Access Code | Displays the controls to add the API access code.
Description of Use | Specify a clear description of the monitoring appliance, such as the hostname or IP address of the monitoring appliance, and a description.
Generate New Access Code | Select to create a new REST API access code.
Use Existing Access Code | Select to use an existing REST API access code. When you are monitoring multiple appliances, you can use the same access code instead of creating a new one for each appliance.
Add | Adds the API access code to the SteelStore.
Remove Selected | Deletes the selected REST API access code.

The access code description added appears in the Access Code Description table, along with the name of the user who created it.

6. Click the Access Code Description to display the Access Code.

7. Copy the Access Code from the text field into a text editor such as Notepad.

Specifying the API Access Code

After you generate the REST API access code on the monitored appliance, you must enter the code in the monitoring appliance to authenticate the monitored appliance.

To specify the API access code in the monitoring appliance

1. Log in to the monitoring appliance.

2. Choose Reports > Appliance Monitoring to display the Appliance Monitoring page.

Figure 8-2. Appliance Monitoring Page

3. Complete the configuration as described in this table.

Control | Description
Add Monitored Peer | Displays the controls to add a monitored appliance.
Hostname/IP Address | Specify a valid hostname or IP address for the monitored appliance.
API Access Key | Specify the API access code that you obtained from the monitored appliance to access the monitored appliance. To obtain the API access code, see “Configuring REST API Access” on page 43.
Remove Selected Peers | Select the check box next to the name and click Remove Selected Peers to delete the monitored appliance from the system.

CHAPTER 9 Configuring Peer Replication

This chapter describes how to configure the peer monitoring feature in the SteelStore. It includes the following sections:

“Peer Replication Overview”

“Configuring Peer Replication Settings”

“Viewing Peer Replication Reports”

“Handling Fail-Over Scenarios”

Peer Replication Overview

Peer replication joins two SteelStores into a primary and secondary pair. In addition to replicating data and metadata to the cloud, the primary appliance also replicates to the secondary appliance, which gives you access to all content on the secondary appliance. The primary appliance can both back up and restore data. The secondary appliance can only restore data.

On the secondary appliance, the data is read-only. In the event of a failure on the primary appliance, you can convert the secondary appliance to stand-alone mode. When the appliance is in stand-alone mode, you can read from and write to the appliance. This provides faster recovery than if all data has to be synchronized from the cloud to a new appliance.

Peer replication enables you to recover data faster during disaster recovery. For customers with multiple data centers, you can make backed-up data available at multiple locations. Peer replication enables you to share data between multiple locations. You can back up data at one location and restore data at another location.

Peer Replication enables:

immediate availability of data in the event of a disaster without long download delays.

continuous read-only access to data at a secondary site.

To set up peer replication

1. Configure two SteelStores paired together.

2. Set up one SteelStore to back up and restore data. This is the primary appliance.

3. Set up the other SteelStore to only restore data. This is the secondary appliance.

Figure 9-1 shows that the primary appliance updates the data on the secondary appliance by replicating to both the secondary appliance and the cloud.

Figure 9-1. Peer Replication Overview

When one of the peers is permanently unavailable, you can convert the other peer appliance to a stand-alone appliance. This process is called switchover.

Switching the primary appliance to a stand-alone appliance (shown in Figure 9-2) is a seamless process. When you switch a secondary appliance to a stand-alone appliance, the system must ensure that the data on the secondary appliance disk is consistent with the data in the cloud. The SteelStore replication process ensures that the secondary appliance is always ahead of the cloud replication process. During switchover, the secondary appliance replicates extra data to the cloud ensuring that the cloud bucket is consistent.

Figure 9-2. Peer Replication During Disaster Recovery

Peer replication during recovery

1. SteelStore in the primary location has 30 TB, of which 2 TB is still pending replication to the cloud and secondary SteelStore.

2. A secondary SteelStore at a backup site has 28 TB, consistent with what is in the cloud.

3. Disaster happens at the primary site and the primary SteelStore is lost, including the 2 TB of pending data.

4. SteelStore at the secondary location is activated to become the stand-alone appliance, and validates the current contents with the cloud.

5. SteelStore at the secondary location then becomes the active owner of the cloud, and begins to service restores and backups.

Configuring Peer Replication Settings

You can configure peer replication settings in the Configure > Storage > Peer Replication Settings page.

Peer replication joins two SteelStores into a primary and secondary pair. In addition to replicating data and metadata to the cloud, the primary appliance also replicates to the secondary appliance, which gives you access to all content on the secondary appliance.

On the secondary appliance, the data is read-only. In the event of a failure on the primary appliance, you can convert the secondary appliance to stand-alone mode. When the appliance is in stand-alone mode, you can read from and write to the appliance. Converting the secondary appliance to stand-alone mode provides faster recovery than if all data has to be synchronized from the cloud.

If you specify a replication interface, then the SteelStore uses the same interface for replicating to the cloud and the peer appliance. If you do not specify a replication interface, then the SteelStore automatically chooses a replication interface according to the routing configured. You might have a scenario in which you replicate to the cloud through one interface and to the secondary appliance through another interface.

To configure peer replication settings

1. Choose Configure > Storage > Peer Replication Settings to display the Peer Replication Settings page.

Figure 9-3. Peer Replication Settings Primary Appliance Page

2. Select Primary from the Roles drop-down list to designate the appliance as the primary cloud storage appliance.

3. Copy the Megastore ID value from the Peer Replication Setting page.

4. Log in to the secondary SteelStore.

5. Choose Configure > Storage > Peer Replication Settings to display the secondary appliance Peer Replication Settings page.

Figure 9-4. Peer Replication Settings - Secondary Appliance Page

6. Select the role Secondary and complete the configuration as described in this table.

7. Click Apply to apply your changes to the running configuration.

The SteelStore displays the following message.

Figure 9-5. Peer Replication Page Message

8. Go back to the primary SteelStore and choose Configure > Storage > Peer Replication Settings to display the Peer Replication Settings page.

Figure 9-6. Peer Replication Settings Primary Appliance Page

9. Complete the peer configuration as described in this table.

Control Description

Shared Secret Specify the shared secret to authenticate your changes. The SteelStore stores the shared secret on the secure vault.

Megastore ID Specify the Megastore ID of the cloud provider that you copied from the primary SteelStore (Step 3). A valid Megastore ID is of the format xxxx-xxxx-xxxx-xxxx-xxxx where x is a hexadecimal value in the range a to f, A to F, or 0 to 9.

Port Specify a port number from 1025 to 65535 through which the primary appliance sends replication data to the secondary appliance.

Control Description

Role Leave the role as Primary in the drop-down list.

NetApp SteelStore Cloud Integrated Storage FIPS Administrator’s Guide 51

Page 59: NetApp SteelStore Cloud Integrated Storage 3.2 Deployment Guide

Configuring Peer Replication Viewing Peer Replication Reports

10. Click Apply to apply your changes to the running configuration.

The SteelStore displays the following message.

Figure 9-7. Peer Replication Page Message

Viewing Peer Replication Reports

You can view the data replicated to the cloud on the Back-End Throughput Optimization Report page of the primary appliance (choose Reports > Optimization > Back-End Throughput).

On the secondary appliance:

Back-End Out graph (choose Reports > Optimization > Back-End Throughput) shows zero throughput.

Back-End In graph (choose Reports > Optimization > Back-End Throughput) shows some values if the system restored data from the cloud.

Front-End In graph (choose Reports > Optimization > Front-End Throughput) shows zero throughput.

Front-End Out graph (choose Reports > Optimization > Front-End Throughput) shows some throughput if the system performs restores.

The Replication report shows zero values.

Handling Fail-Over Scenarios

This section describes the disaster scenarios and how to configure peer replication to recover from the disaster.

Scenario 1 Service Interruption on Secondary Appliance

Service on the secondary appliance goes down temporarily.

Control - Description

Shared Secret - Specify the shared secret to authenticate your changes. The SteelStore stores the shared secret in the secure vault.

Secondary URL - Specify the URL to send replication data to the secondary appliance (hostname or the IP address and port number of the secondary appliance).


The primary appliance is unable to reach the secondary appliance and pauses replication.

The SteelStore replication process pauses replication to both the cloud and the secondary appliance.

When the secondary appliance restarts, the primary appliance resumes replication.

You do not need to take any action.

Scenario 2 Service Interruption on Primary Appliance

Service on the primary appliance goes down temporarily.

The secondary appliance operation remains unchanged.

After you resolve the temporary service outage, the SteelStore resumes replication.

Scenario 3 Secondary Appliance Service Fails

Service on the secondary appliance goes down permanently. To fix the problem, complete these steps:

1. Disable peer replication to initiate the primary appliance to stand-alone switchover.

2. Type the following command on the command-line interface of the primary appliance to unpair the appliances:

no replication peer enable

3. Choose Configure > Maintenance > Storage Optimization Service and click Restart to restart the storage optimization service.

Scenario 4 Primary Appliance Service Fails

Service on the primary appliance goes down permanently.

You must manually configure a switchover and assign the secondary appliance as the primary.

The secondary appliance resumes complete operations after the switchover.

To enable full read and write capabilities on the secondary appliance:

1. Disable peer replication to initiate the secondary appliance to stand-alone switchover.

2. Type the following command on the command-line interface of the secondary appliance to unpair the appliances:

no replication peer enable

3. Choose Configure > Maintenance > Storage Optimization Service on the secondary appliance, and click Restart to restart the storage optimization service.


CHAPTER 10 Using the SteelStore with Amazon Glacier

This chapter provides an overview of Amazon Glacier and describes how to configure the Amazon Glacier cloud provider settings in the SteelStore. It includes the following sections:

“Amazon Glacier Overview”

“Best Practices”

“Configuring Amazon Glacier Cloud Provider Settings”

Amazon Glacier Overview

Amazon Glacier is the latest cloud storage service from Amazon. Complementing its industry-leading S3 cloud storage tier, Glacier is an extremely low-cost storage offering that provides secure and durable storage for data archiving and backup. With storage costs as low as $0.01 per gigabyte per month, Amazon Glacier targets data that is infrequently accessed, such as archives, yearly full backups, and other data sets that typically are written once and rarely read. This service directly addresses today's need for a low-cost cloud storage solution, enabling companies to adhere more cost-effectively to compliance and regulation requirements. To deliver this extremely low-cost storage offering, Amazon Glacier has restricted data retrieval times to several hours and has two types of recovery costs compared to one recovery cost for restoring data from S3 cloud storage.

Glacier helps reduce the costs companies typically over-pay for data archiving. It eliminates the requirements for a company to purchase an expensive archiving solution that does not include the ongoing cost for operational expenses such as power, facilities, staffing, and maintenance. By providing an elastic low-cost storage target, businesses do not have to guess what their capacity requirements and their corresponding costs are. Glacier eliminates concerns of over-provisioning or under-provisioning these environments and correctly estimating the respective budgets tied to these projects. With Amazon Glacier, you pay only for what you use.

SteelStores, when used with Glacier, can provide extremely low-cost, intelligent data tiering for businesses that are looking to reap the benefits of Amazon's Glacier service for very large data sets.

As data arrives on a SteelStore, it is deduplicated using a variable length, in-line deduplication algorithm. The resulting data is also compressed with LZ compression and encrypted with AES 256-bit encryption. The resulting data (called slabs), ranging between 2 to 4 MB in size, is written to the disk cache on the SteelStore and is replicated to Glacier for long-term retention in cloud storage. In effect, SteelStore plays two roles: further reducing the data footprint for these archive and long term backup data sets that get sent to Glacier, and acting as the warm caching tier to provide quick recovery of more recent data. In both cases, costs are minimized as shown in Figure 10-1.


If your company manages huge amounts of data that must be protected for audit and compliance, using SteelStores enables you to shrink the backup and archive usage footprint by anywhere from 10 to 30 times. Bundled with the low-cost storage solution provided by Glacier, the SteelStore can help businesses quickly deliver ROI on both the SteelStore and the Glacier storage costs, because it reduces the operational costs.

For example, assume you have a 200 TB data set that experiences a 15 percent annual growth rate. Using a traditional tape solution based on LTO5, it could cost a company well in excess of $650,000 over the course of three years, just to buy tape volumes, to pay the vault costs for that data to be stored off-site in a secure location, and to administer the archiving solution that generates the tape volumes and delivers them to the archive courier service. But with a SteelStore and Glacier, this cost could be reduced to one tenth or just a little over $60,000. The savings might be even greater, considering the amount of administrative overhead saved, and because data stored in Glacier is not only duplicated within the target storage data center for redundancy, but also potentially geo-replicated to a secondary region to provide availability in the event of an outage at the primary region.

The following table compares the operational costs of Amazon Glacier and tape as of June 2013.

Figure 10-1. Amazon Glacier and Tape Operational Costs

Because the SteelStore acts as an intelligent data cache, you can quickly retrieve the majority of the data stored on it by accessing the data directly on the cache. SteelStore provides local recoveries for most of the recent data. You do not need to access Glacier and can save Glacier recovery costs and associated delays for retrieving data.

As data continues to flow to the SteelStore and onwards to Glacier storage, the SteelStore eventually evicts data from its cache, based on the least-recently accessed data. This approach provides the following benefits:

The most likely restores also tend to be newer; therefore, more if not all of the data might be in the cache.

If the data is not completely in the cache, the SteelStore only has to recall the data segments that correspond to the missing file components (Glacier only has to retrieve and then transmit a minimal amount of data).

Glacier costs more to restore data than S3 due to its two-stage cost structure (retrieval fee and then the data transfer fee). The SteelStore also leverages the complimentary 5% retrieval amount that the Glacier service offers users each month, so you can recover the additional data segments at minimal cost if you stay under that volume.


Best Practices

Use the following best practices when you use the SteelStore with Glacier:

If you are using a backup application with Glacier, ensure that the backup files are NOT verified after the backup operation completes.

When you restore data from Glacier, prepopulate the data using the SteelStore Management Console prepopulation page (for details, see the NetApp SteelStore Cloud Integrated Storage Installation Guide).

Do not deduplicate data in the cloud.

Configuring Amazon Glacier Cloud Provider Settings

You can specify cloud settings in the Configure > Storage > Cloud Settings page of the SteelStore.

Note: Before you configure cloud settings, you must configure DNS settings to access the cloud service provider host machine. For details, see the Riverbed SteelStore User’s Guide.

The cloud provider is a service provider that offers customers storage or software services available through a private (internal customer cloud) or public network (cloud). This enables you to access the storage and software through the Internet.

To configure cloud provider settings

1. Check to make sure that the data store is empty. If the data store is not empty, you cannot change the cloud provider, region, hostname, and bucket name.

2. If the data store is not empty, choose Configure > Maintenance > Storage Optimization Service and click Stop to stop the storage optimization service.

3. Log in to the SteelStore CLI and type the following command:

amnesiac (config) # datastore format local

This command formats and deletes all data stored locally on the SteelStore.

4. Choose Configure > Storage > Cloud Settings in the Management Console to display the Cloud Settings page.


5. Select the Cloud tab to display the cloud settings page.

Figure 10-2. Cloud Settings Page

If you select Amazon Glacier as the cloud service provider, the SteelStore stages data to Glacier through an Amazon S3 bucket.

The SteelStore does not create Glacier vaults. Therefore, you must use S3 credentials when you choose Glacier as your cloud service provider.

Even though data is sent to S3, it is migrated to Glacier within 24 hours. Data is charged at the S3 rate for the staging duration (24 hours or less) and at Glacier rates after 24 hours.

If you select Amazon Glacier, specify the following:

Region - Select an Amazon Glacier region from the drop-down list. You can choose to store your data in the Amazon Glacier region that meets your regulatory, throughput, and geographic redundancy criteria. You can select one of the following regions:

– Asia Pacific (Tokyo)

– EU (Ireland)

– US Standard

– US-West (N. California)

– US-West (Oregon)

Access Key - Specify the access key (similar to the username) for your cloud service provider account.


Secret Key - Specify the secret key (password) for your cloud service provider account.

Enable Cloud Deduplication - Select this check box to specify that the SteelStore must check the incoming data for deduplication against the entire data set, both in the Glacier cloud and in the local disk cache. This is the same procedure that the SteelStore uses for other (non-Glacier) cloud providers.

Note: If you select the Enable Cloud Deduplication option, full deduplication is performed for data written to the SteelStore without data being restored from Glacier. However, when you verify the backup, it might require data to be restored from Glacier and can result in very slow verification and possible time-outs.

This option is not selected by default for Glacier.

Leave the Enable Cloud Deduplication check box deselected to specify that the SteelStore must check the incoming data for deduplication only against the local disk cache of the SteelStore. It does not match the incoming data with the data in the Glacier cloud.

The benefits of not selecting the Enable Cloud Deduplication option are:

– It minimizes impacts to cost and performance of reading data to find duplicate matches, because the SteelStore only references the local SteelStore disk cache.

– It provides the best possible deduplication, with the deduplication factor (ratio of expanded data to deduplicated data) at maximum value.

The disadvantages of not selecting the Enable Cloud Deduplication option are that the deduplication factor might be low because the SteelStore does not consider the entire data set.

It can cause read operations to time out. You must verify the backup because it might require data to be restored from Glacier, which results in very slow verification rates and possible time-outs.

6. To enable proxy settings, complete the configuration as described in this table.

Control - Description

Enable Proxy - Select to configure a replication proxy server (which acts as an intermediary for requests from clients).

Hostname/IP Address - Specify a valid hostname or IP address for the replication proxy server.

Port - Optionally, specify the port number for the replication proxy. If you do not specify the port number, it defaults to the value 1080.

Username - Optionally, specify the name of the user who can log in to the replication proxy server.

Password - Optionally, specify the password for the user who can access the replication proxy server. The SteelStore stores the password in the secure vault. For details about the secure vault, see the Riverbed SteelStore User’s Guide.

7. Click Apply to apply your changes to the running configuration.

8. Click Save to save your configuration.


CHAPTER 11 SteelStore Security

This chapter provides an overview of SteelStore security. It includes the following sections:

“Appliance Security”

“Data Security”

“Transport Security”

“Compliance”

SteelStore's security goals are as follows:

Appliance Security - The SteelStore is hardened against unauthorized access.

Data Security - User data is secure and confidential, both on disk and in the cloud.

Transport Security - User data is secure and confidential while it is in transit between the appliance and the cloud.

The information in this document applies to SteelStore v3.1.1 and later.

Appliance Security

SteelStore provides several features to control access to the management console or limit the type of changes that authorized users can make. SteelStore also provides logging and auditing features to monitor system activity and configuration changes.

This section contains the following topics:

“Operating System Security”

“Role-Based Management”

“Logging and Auditing”

“Services”

“Analytics”


Operating System Security

SteelStore is a storage appliance and is not a general purpose computing platform. It runs a hardened, minimalist version of Linux called SteelStore OS with only necessary libraries and programs. A user or even an administrator cannot access a user or root shell on a SteelStore. Root shell access is available only to NetApp Support on a limited and temporary basis for specific maintenance procedures based on customer requests that are logged in Support logs, which provide an audit log.

Role-Based Management

SteelStore enables multiple users to access the management console. The SteelStore role-based management feature enables you to customize what capabilities each user has to configure or monitor the appliance. You can assign a set of roles to each user. A role represents a group of related configuration properties. For example, the security role permits security-related functions such as encryption key import and export, management console access, and configuration import and export. You cannot read or change configuration properties unless your role has permissions to configure the feature. You might only have read-only access to a role; you can monitor, but cannot change properties of the feature.

Logging and Auditing

SteelStore provides two types of logs, system logs and user logs, to facilitate auditing. System logs show all appliance activity, and user logs show user-initiated actions. System logs contain all information present in the user logs. By default, SteelStore rotates logs daily and retains the last 50 logs. You can configure and change both rotation and retention values.

If you need more flexibility, you can set up a remote log server. SteelStore then sends all system log activity to the remote log server and also records it in the appliance system logs.

The SteelStore Management Console provides graphs on Disk, CPU, and cloud replication statistics. Graphs are retained for a maximum of one year.

Services

You can individually disable a number of the services that run on a SteelStore to reduce the security footprint. These services include:

CIFS and NFS - These services expose network shares or exports on the internal network for data to be read and written. If you are using only one of these services, then you can disable the other one. Both CIFS and NFS also support access control lists to limit the users who can access a network share or export.

Web Management Console - The console allows you to change and monitor configuration of an appliance using a Web browser. You can disable the SteelStore Management Console if you only need command-line management. You can access the SteelStore Management Console through HTTP or HTTPS by default, but you can disable HTTP access.

SSH - This service allows you to change and monitor configuration of an appliance remotely using the command line. You can disable SSH if Web-only management is needed.

NTP - This service provides network time support and can be disabled.

SNMP - This service provides remote monitoring functionality and can be disabled.


Analytics

SteelStore has an automated analytics feature that sends usage data to NetApp Support. This data is used to preemptively detect potential problems that can be addressed by NetApp Support. No customer data or encryption keys are contained in this data. While this feature is useful in diagnosing and fixing problems, you can disable this functionality.

Data Security

SteelStore provides several features to ensure data confidentiality and integrity both on disk and in the cloud. This section contains the following topics:

“Disk and Cloud Contents”

“Encryption Key Protection”

“Key Rotation”

Figure 11-1. SteelStore Security Block Diagram - Flow of User Data from the Data Center to the Cloud

The SteelStore storage optimization service deduplicates, encrypts, and replicates user data to the cloud. Symmetric-key encryption protects data stored on disk and in the cloud. SteelStore encrypts all on-disk data using AES 256-bit block cipher in Cipher-Block-Chaining (CBC) mode with randomized initialization vectors (IVs). SteelStore splits files into variable-byte segments called slabs and encrypts each slab separately using AES. It stores only encrypted data on disk and replicates encrypted data to the cloud. There is no unencrypted data on disk or in the cloud.

SteelStore also encrypts file metadata (filename, file length, permissions) before storing it in the cloud.


Disk and Cloud Contents

The following list summarizes the kinds of files stored both on disk and in the cloud and how they are secured:

Stored on the local disk:

Slabs - Segments that make up files stored on a SteelStore. Slabs are encrypted with AES 256.

Label maps - Determine what segments make up a given file stored on a SteelStore. These label maps are not encrypted when stored on disk, and they cannot be used to reconstruct user data without decrypting slabs, which requires knowledge of the datastore encryption key.

Metadata files - Contain the metadata such as filename, file length, and permissions of files stored on a SteelStore. These files are not encrypted when stored on disk, but they cannot be used to reconstruct user data without decrypting slabs, which requires knowledge of the datastore encryption key.

Stored in the cloud:

Slabs - Same as slabs stored on local disk, and are encrypted in the same manner.

Label maps - Same as the label maps stored on local disk. These label maps are not encrypted when stored in the cloud, but they cannot be used to reconstruct user data without decrypting slabs, which requires knowledge of the datastore encryption key.

Metadata files - Same as the metadata files stored on local disk, but they are encrypted using AES 256 when stored in the cloud.

Encryption Key Protection

The key used to encrypt and decrypt slabs is known as the datastore encryption key. SteelStore stores the datastore encryption key in an encrypted format on the appliance or in exported configuration archives. On the appliance, the datastore encryption key resides in an encrypted file system known as the secure vault. The secure vault also stores sensitive authentication parameters such as cloud credentials and user-provided SSL certificates. For details about the secure vault, contact NetApp Support.

SteelStore protects the datastore encryption key when you export it from an appliance in configuration archives by exporting the key in encrypted form. It encrypts the key using a special key called the user key. To derive the user key, you must enter a key pass-phrase when you generate the datastore encryption key. SteelStore protects the key using your key pass-phrase with the AES Key Wrap algorithm (AES 256). Details on AES Key Wrap can be found in the official NIST publication: http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf.

You must enter the same key pass-phrase when you reimport the datastore encryption key onto the appliance during configuration import or disaster recovery. Without the key pass-phrase, SteelStore cannot reconstruct the original datastore encryption key from your configuration archive.

Key Rotation

Key rotation is the process of replacing a potentially compromised encryption key with a new one. SteelStore does not support rotation of the datastore encryption key because it would have to download all data from the cloud, reencrypt it, and reupload it to the cloud. This operation is both expensive and time consuming.


SteelStore supports rotation of the key pass-phrase, which is the user-provided password used to derive the user key. It reencrypts the datastore encryption key with the new key pass-phrase. For future exported configuration archives, you must use the new key to import the configuration or perform disaster recovery. Rotating the key pass-phrase rotates the key that protects the datastore encryption key.

Figure 11-2. Rotating the Key Passphrase

Transport Security

SteelStore provides security of data as it flows along the network. This section contains the following topics:

“Internal Network Security”

“External Network Security”

“SSL/TLS Versions”

“Data Center Topology”

Internal Network Security

NetApp assumes that your SteelStore is installed in a trusted network environment, behind a network firewall. In the absence of a firewall, SteelStore provides limited IP tables-based firewall support, but this feature degrades performance and you should only use it as a last resort.

SteelStore runs in a trusted environment; therefore, CIFS and NFS traffic to and from a SteelStore are not encrypted because this data never reaches the Internet. Both CIFS and NFS provide authentication mechanisms to prevent unauthorized users from accessing data within SteelStore shares. CIFS also provides SMB signing, a way to prevent man-in-the-middle attacks, but enabling this feature incurs a significant performance penalty and is usually not necessary in an internal network environment.

External Network Security

All communication between a SteelStore appliance and a cloud provider occurs over SSL/TLS, to provide data confidentiality in transit and prevent man-in-the-middle (MITM) attacks.


Furthermore, all data that reaches the cloud has already been encrypted (confidentiality is independent of the cloud provider security). Cloud providers never have a copy of any of the encryption keys used by SteelStore. This separation of encryption key and data ensures that even if there is a security breach at the cloud provider, user data is never leaked.

Figure 11-3. SSL Communication to the Cloud

SSL/TLS Versions

SteelStore supports SSL v2, SSL v3, and TLS v1.x when communicating with a cloud provider. By default, the appliance and the cloud provider can negotiate the specific version of SSL or TLS. You can restrict usage to SSL v3 or TLS v1.x only. Currently, SteelStore does not support specific configuration of the version of TLS or allowed cipher suites.


Data Center Topology

Figure 11-4 shows how a SteelStore is connected in a data center and also lists what ports and services are active on each network interface.

Figure 11-4. Data Center Topology


Compliance

This section describes accreditations and the NetApp internal development process, as related to security. This section contains the following topics:

“FIPS 140-2”

“Vulnerability Scanning”

“NetApp Internal Security”

FIPS 140-2

SteelStore supports the use of FIPS 140-2 Level 1 validated cryptography through the NetApp Cryptographic Security Module (RCSM) 1.0. RCSM provides cryptographic algorithms for all functions on SteelStore that require cryptography. This feature includes, but is not limited to:

Encryption and decryption of user data through the storage optimization service.

SSL/TLS connections to and from the cloud.

Password hashes of user accounts on the SteelStore Management Console.

You can run SteelStore in FIPS mode, in which the RCSM verifies that all cryptographic operations use only ciphers allowed by the FIPS 140-2 standard. FIPS mode can be necessary for regulatory reasons. SteelStore does not provide any guarantee that the configured cloud provider uses FIPS 140-2 validated cryptography. It is your responsibility to ensure that the cloud provider meets regulatory requirements.

The use of FIPS mode on SteelStore requires a separate license key and configuration. For details, see the FIPS Administrator’s Guide.

Vulnerability Scanning

NetApp runs vulnerability scans against SteelStores to catch software vulnerabilities and patch them in a timely manner. NetApp uses tools such as Nessus to perform these scans. Weekly automated scans ensure that software vulnerabilities are found during development and testing.

Due to the imprecise manner in which vulnerability scanning tools find potential vulnerabilities, it is possible for false positives to be reported. NetApp recommends that you run your own security audits on your SteelStore installations and inquire about possible vulnerabilities. In many cases, these potential vulnerabilities can be false positives, or workarounds or patches might be available.

NetApp Internal Security

The software development process at NetApp is aimed at creating reliable and secure software. All code changes go through internal code reviews. Bugs and vulnerabilities are tracked through internal bug-tracking software and security vulnerabilities are specially marked for expedited resolution. All code is stored on internal servers that are inaccessible to non-NetApp personnel.


CHAPTER 12 Troubleshooting

This chapter describes how to troubleshoot common SteelStore issues. It includes the following sections:

“Troubleshooting SteelStore”

“Troubleshooting SteelStore-v”

“Troubleshooting Backup Applications”

Troubleshooting SteelStore

This section contains the following troubleshooting information:

“Longer Timeouts”

“Cloud Capacity Alarm”

“Cloud Bucket Disparity Alarm”

“Storage Optimization Service Displays “Replaying””

“over_capacity Alarm and License Limits”

“Storage Optimization Service Alarm”

Longer Timeouts

Issue: Time-outs due to writes/reads/commits taking longer than 60 seconds.

Solution: Set Windows registry timeout settings. Commits for warm data are much faster in the SteelStore v2.0.

Cloud Capacity Alarm

Issue: Cloud capacity alarm triggers earlier in the product life than expected.

Solution: This alarm indicates that the cloud bucket size is greater than the licensed amount of cloud capacity that you are using. You must upgrade to a higher-capacity license, reduce the amount of data stored in the cloud, and/or identify whether data reduction is being performed before SteelStore receives the data.

Check the percentage of escaped bytes and redo sizing.


Cloud Bucket Disparity Alarm

Issue: The cloud bucket disparity alarm appears.

Solution: This alarm indicates that the cloud bucket that the appliance is trying to connect to might be used by another appliance. It prevents corruption of files in the cloud.

Use the megastore_guid_reset.sh script to reset the GUID if needed after disaster recovery.

Storage Optimization Service Displays “Replaying”

Issue: On the Storage Optimization Service page (Configure > Maintenance > Service), the process status is replaying.

Solution: If Status displays Replaying, the storage optimization service has been terminated, either due to loss of power or a crash. During this replay process, SteelStore is verifying data consistency from its transaction logs and, if needed, restoring data slabs (file chunks and references) from the cloud to the local SteelStore cache. The replay process might take a long time, depending on your WAN bandwidth and disk size.

Monitor the progress of the replay process by viewing the Back-end Throughput graph (Reports > Optimization > Throughput).

If the replay process is very slow or seems to be stuck, contact NetApp Support at https://mysupport.netapp.com.

over_capacity Alarm and License Limits

Issue: The SteelStore over_capacity alarm is triggered.

Solution: The SteelStore license limit controls the amount of data you can back up to the cloud from the SteelStore. The license limit varies for each SteelStore model. For details, see the NetApp SteelStore Cloud Integrated Storage Installation Guide.

SteelStore lets you exceed the license limit by 10 percent before triggering the over_capacity alarm. When you exceed 110 percent of the limit, SteelStore pauses all replication activity and does not upload any additional data to the cloud until you increase the licensed capacity or reclaim the space by deleting files.

Note: Because SteelStore does not accept new data when the over_capacity alarm is triggered, NetApp recommends that you resolve the error immediately when the over_capacity alarm appears at 100 percent capacity to avoid backup failures that occur at 110 percent capacity.

Restore operations are not affected by the over_capacity alarm, and all files, whether stored locally or in the cloud, remain available through the CIFS or NFS shares. Any new files written to SteelStore are queued pending replication to the cloud during the over_capacity alarm.

When you delete a file that has been replicated to the cloud, SteelStore first downloads the slab files containing the data. A slab file contains data segments from different files. SteelStore does not delete a slab file in the cloud because it contains data from files that you might not be deleting.

SteelStore evicts slab files when the data storage disk usage reaches 90 percent. It always keeps 10 percent free. If you reach the 90 percent threshold, SteelStore reduces the data to 89 percent by deleting the slab files from the disk. When the disk usage reaches 90 percent, eviction and new data ingestion occur at the same time. This process of eviction and ingestion is the steady state.

The over_capacity alarm is triggered when the total data in the cloud is under the license limit, but the data pending replication to the cloud pushes the total over the limit. You can find the pending data to be replicated in the Replication Optimization report by choosing Reports > Optimization > Replication.


Contact your NetApp account team if you want to add licenses.

Storage Optimization Service Alarm

Issue: The storage optimization service alarm is triggered.

Solution: This is a general failure of the storage optimization service, which can be tied to many individual issues. The resolution would typically be to check the following things:

1. Check the system log (Reports > Diagnostics > View System Logs) for a cause of the failure.

2. Check that the SteelStore has access to the WAN (from the CLI, use the ping command to connect to cloudportal.netapp.com).

3. Check that the SteelStore has the appropriate date and time, and it is connected to an NTP server (Configure > Networking > Host Settings).

4. Verify that the cloud settings are successfully applied and that the SteelStore can reach the cloud provider (Configure > Storage > Cloud Settings), and use the ping command through the CLI to connect to the cloud provider host from the cloud settings panel.

5. Try to stop and start the optimization service (by choosing Configure > Maintenance > Service).

6. Contact NetApp Support.

Troubleshooting SteelStore-v

This section describes common SteelStore-v issues. It contains the following troubleshooting information:

Allocating Memory
Allocating Space
Resolving the High CPU Utilization Alarm
Sizing the Datastore
Expanding the Data Store
Checking the Amount of Data in the Cloud

Allocating Memory

SteelStore-v V110 is configured with 4 GB of memory. However, NetApp recommends a configuration of at least 6 GB of memory (8 GB preferred).

Allocating Space

To calculate the amount of space you should allocate to SteelStore-v, divide the amount of data you intend to back up (in gigabytes) by the initial average deduplication ratio.

The initial average deduplication ratio is 2.5, but that value takes into account only the initial backups of the data, so it might increase over time. For example, if you plan to back up 3 TB of data, the calculation would be:


3 TB = 3000 GB

3000 / 2.5 = 1200 GB or 1.2 TB.

Following are additional guidelines to allocate SteelStore-v space:

The maximum size of a VMware virtual disk is 32 TB.

Do not use low-quality storage for the datastore disk. Make sure that the SteelStore-v disk used for the datastore VMDK uses a disk medium that supports a high number of Input/Output Operations Per Second (IOPS). For example, use NAS, SAN, or dedicated SATA disks.

Do not share host physical disks. VMware recommends that to achieve near-native disk I/O performance, you do not share host physical disks (such as SCSI or SATA disks) between VMs. While deploying SteelStore-v, allocate an unshared disk for the datastore disk.

Resolving the High CPU Utilization Alarm

Issue: During the initial cold backup, SteelStore-v might experience high CPU usage that triggers an alarm.

Solution: To clear this alarm manually, enter the following command in the SteelStore CLI:

stats alarm cpu_util_indiv clear

You can also increase the number of virtual CPUs assigned to SteelStore from the VMware ESXi management console. The minimum requirement is two virtual CPUs, but NetApp recommends using three or four. NetApp also recommends that you check the ESXi server for CPU contention issues between virtual machines.

If this alarm continues to occur, contact NetApp Support.

Sizing the Datastore

Issue: Is my datastore undersized?

Solution: There are two methods to determine if the disk size assigned to SteelStore is too small:


Choose Reports > Optimization > Eviction in the SteelStore Management Console and check the data cache eviction age on the graph.

Figure 12-1. Eviction Optimization Report

or

Choose Reports > Diagnostics > View System Logs in the SteelStore Management Console and view the logs. In the example message below, the file slab has been on the evicted list for 26868 seconds (almost 7.5 hours):

[evicter.NOTICE] (6723)evicted slab 0x209220001; had been in the evicted list for 26868 seconds; instime=1322402954

SteelStore usually evicts data every 14 days. However, in this example, the file slab has been on the evicted list for 26868 seconds (almost 7.5 hours). If you see data like this example (although it is unusual), SteelStore rejects new data writes, because it cannot evict any data from the local disk cache.

The log message indicates that the data is present on the local disk for a very short amount of time before being evicted.

To alleviate this issue, follow the recommendations to increase the disk cache size. If messages still appear where eviction candidates have only been in the list for a few hours (or days) before they get evicted, divide the workload using multiple SteelStore appliances.
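The log check described above can be scripted. The following is an added example, not NetApp code: it parses the evicter message format shown in this section and summarises how long slabs stayed in the evicted list. The first sample line is the one from this guide; the other lines, the 3-day threshold and the "majority of evictions" rule are assumptions made for illustration.

```python
import re
import statistics
from dataclasses import dataclass

# Matches the evicter message shown in this guide. Anything before
# "[evicter.NOTICE]" (timestamp, host name) is ignored because the guide
# does not show the full system log prefix.
EVICT_RE = re.compile(
    r"\[evicter\.NOTICE\]\s*\(\d+\)\s*evicted slab (?P<slab>0x[0-9a-fA-F]+); "
    r"had been in the evicted list for (?P<age>\d+) seconds; "
    r"instime=(?P<instime>\d+)"
)

# Constructed sample input. Line 1 is the message from the guide; the rest
# (including the log prefixes) are made up for this example.
SAMPLE_LOG = """\
[evicter.NOTICE] (6723)evicted slab 0x209220001; had been in the evicted list for 26868 seconds; instime=1322402954
Nov 27 22:41:10 host1 [evicter.NOTICE] (6723)evicted slab 0x209220002; had been in the evicted list for 30112 seconds; instime=1322403100
Nov 27 22:41:11 host1 [other.INFO] (100)unrelated message
Dec 12 08:00:00 host1 [evicter.NOTICE] (6723)evicted slab 0x2092200a7; had been in the evicted list for 1296000 seconds; instime=1322403500
"""


@dataclass
class Eviction:
    slab: str
    age_seconds: int
    instime: int


def parse_evictions(lines):
    """Return an Eviction for every line that carries an evicter message."""
    found = []
    for line in lines:
        m = EVICT_RE.search(line)
        if m:
            found.append(Eviction(m["slab"], int(m["age"]), int(m["instime"])))
    return found


def assess(evictions, min_age_seconds=3 * 86400):
    """Summarise eviction ages.

    min_age_seconds is an assumed threshold (3 days) well below the usual
    14-day figure quoted in the guide. The datastore is reported as
    undersized when more than half of the evictions fall below it.
    """
    if not evictions:
        return {"count": 0, "short": 0, "median_hours": None, "undersized": False}
    ages = [e.age_seconds for e in evictions]
    short = sum(1 for a in ages if a < min_age_seconds)
    return {
        "count": len(ages),
        "short": short,
        "median_hours": round(statistics.median(ages) / 3600, 1),
        "undersized": short > len(ages) / 2,
    }


if __name__ == "__main__":
    report = assess(parse_evictions(SAMPLE_LOG.splitlines()))
    print(report)
```

Run it against an exported copy of the system log by replacing SAMPLE_LOG with the file's contents.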

Expanding the Data Store

Issue: The SteelStore-v data store should be expanded due to its small initial size.

Solution: Follow these steps to expand the datastore:

1. Shut down SteelStore-v.

2. Expand the LUN size on the storage array.

3. Log in to your ESX server through the vSphere Client.

Ensure the larger size is detected.

4. Right-click the SteelStore-v and select Edit settings.


5. Increase the disk size on the secondary disk and save the changes.

6. Restart the SteelStore-v.

When it restarts, SteelStore-v detects that the disk has grown and nondestructively expands the datastore file system.

Checking the Amount of Data in the Cloud

Issue: How do I check the amount of data in the cloud using the SteelStore CLI?

Solution: Use the following steps to check the amount of data in the cloud using the SteelStore CLI:

1. Connect to the SteelStore CLI.

2. Enter the following command:

UK-vWW1 # show replication bucket
listing entries from bucket uk-vww1
14 entries in bucket uk-vww1
11.2MB (11736605 bytes) in bucket uk-vww1:
 * 11.2MB in 4 slabs
 * 1.3kB in 4 references
 * 189B in 2 maps

The show replication bucket command can take a long time to run, depending on how much data is present in the cloud.

Troubleshooting Backup Applications

This section describes how to troubleshoot the following backup applications used with SteelStore:

EMC Networker
BackupExec
Veeam
Oracle RMAN

EMC Networker

This section describes the issues that might occur when using SteelStore with EMC Networker. It contains the following information:

Concurrent SteelStore Backup Sessions with EMC Networker
EMC Networker Backup Sessions with SteelStore-v
Disabling Compression and Encryption on EMC Networker v7.6

Concurrent SteelStore Backup Sessions with EMC Networker

Issue: When using EMC Networker to back up data to a SteelStore, the concurrent backup locations can be limited, even if you have increased the value of Max Sessions in the configuration. The most likely cause is the EMC Networker Parallelism configuration.

Solution: To view the EMC Networker Parallelism, go to the configuration tab, and then select <node_name> > Properties > Globals (1 of 2) > Parallelism.


NetApp recommends a value of 10 for the parallelism. For details, refer to EMC documentation.

EMC Networker Backup Sessions with SteelStore-v

Issue: EMC Networker has limits on the number of active backup sessions to each device. Max Sessions is a hard limit and cannot be exceeded. You can configure the Target Sessions up to the limit set by Max Sessions.

Solution: When the number of target sessions is reached, Networker checks the device pool to see if there are other devices in the pool with session count below Target Sessions. If SteelStore is the only device in the pool, then the Networker adds extra sessions, up to Max Sessions count. You can set Target and Max Sessions to the same value.

The recommended limit on the number of streams you configure on EMC Networker is 10 with SteelStore-v. This limit is per SteelStore-v rather than per share. For example, you should not have two CIFS shares both with 10 backup streams. In the case of two CIFS shares, both should be configured on EMC with five streams, giving a total of 10. Exceeding the limit increases the risk of backup failures. This limit is also related to the EMC Parallelism configuration.

Disabling Compression and Encryption on EMC Networker v7.6

Issue: How do I disable compression and encryption on EMC Networker v7.6?

Solution: When using the SteelStore, your backup software should have encryption and compression disabled to maximize the deduplication ratio that the SteelStore can achieve.

You can do this by choosing Properties > Cloud on EMC Networker. By default, SteelStore encrypts all data sent to the cloud, using AES 256-bit and SSLv3 data encryption.

BackupExec

Backups of Exchange using Granular Restore Technology (GRT) directly to SteelStore are not supported. Backups of Exchange using GRT should be made to a staging folder, which is then backed up with BackupExec to SteelStore.

For details, see the Solution Guide for Symantec Backup Exec at https://www.symantec.com.

Veeam

The vPower functions of Veeam might cause slow performance when reading from SteelStore, because these operations cause random reads and writes to occur. NetApp recommends that you perform vPower tasks serially, on physical SteelStore hardware instead of SteelStore-v and an individual user-supplied disk.

Issue: Low performance during full or incremental backups.

Possible solutions:

Ensure SteelStore logging is set to INFO rather than NOTICE.

Double-check the job settings. Several of Veeam's backup job defaults differ from the recommendations in our best practices guide.

Ensure no other jobs are writing to SteelStore at the same time and that no more than one Veeam job is writing to SteelStore at a time.

Due to inherent limitations of the CIFS protocol, 30 to 50 MBps data throughput is not uncommon for a single backup stream.

Check Veeam job logs to verify that Veeam is using SAN or HOTADD transport modes rather than falling back to NBD (Network Block Device) mode, which is much slower than the other two.


Sanity test ESX infrastructure for bottlenecks by temporarily changing the problematic backup job's repository to local disk storage or creating a separate job in Veeam with the same VMs configured to write local disk storage. If the observed throughput is not substantially higher, the bottleneck is elsewhere.

In case of slow incremental backups, verify that the last full backup is no more than a week old and that there are no more than six increments taken since then. If a job is only run manually, Veeam does not run a full backup unless it is either required or the user specifically requests it. Because Veeam scans the last full backup and all subsequent increments during backups, having too many increments slows the process.

If slow performance persists, upgrade to the latest SteelStore software and rerun a full backup before running incremental backups.

Issue: Poor vPower performance and time-outs during VM power-on in SureBackup jobs.

Possible solutions:

Ensure that SteelStore logging is set to INFO rather than NOTICE.

Due to SteelStore architecture and optimizations, vPower features do not run as fast as they would run on the primary storage. This is a common issue with inline deduplication storage.

Ensure that no other jobs are reading and writing to SteelStore when SureBackup or other vPower features are in use.

Stagger the vPower-based jobs so that no more than one is running at a time.

In case of VM time-outs during SureBackup, increase the time-out to at least 1 hour. If time-outs still persist, start the job manually and monitor the console of the affected VM. If the tested VM gets a usable login prompt well before the time-out, log in to the VM and verify that the network and VMware tools started successfully. There is a known issue with Veeam sometimes failing to detect a successful guest OS startup. Also, check the SteelStore Front-End Throughput Out graphs during the time when Veeam is waiting for the VM to come up. Unless there is steady read activity throughout the time-out period, the issue most likely is with the VM itself.

For details, see the Solution Guide for Veeam Backup and Replication at https://www.symantec.com.

Oracle RMAN

Using the native operating system NFS client can decrease the performance of Oracle RMAN backups to SteelStore. NetApp recommends that you use the Oracle Direct NFS client (with Oracle software v11.2.0.2 or higher) to mount SteelStore NFS exports for best performance. If you are using the Oracle Direct NFS client, you must configure the SteelStore NFS share with the insecure option to allow connections from Oracle Direct NFS. This step is not required if using the default NFS client with Linux or UNIX. The insecure option is available only through the SteelStore command-line interface and cannot be set through the SteelStore Management Console. Configure the NFS share using the SteelStore Management Console, and then log in to the command-line interface and enter the following commands:

enable
configure terminal
nfs export modify name <existing-SteelStore-NFS-share-name> insecure
