Requirements
This chapter describes the requirements for Transparent Cloud Tiering (TCT), including
IBM DS8000, network, and IBM z/OS environments.
This chapter includes the following topics:
4.1 Ethernet connections on DS8000
To implement TCT, you need IP connectivity from each of the DS8000 internal servers to the cloud object storage solution. The DS8000 offers two different ways to connect:
Two 1 Gbps Ethernet ports per server that are built-in and available on every DS8000 that meets the requirements for TCT.
A pair of Ethernet cards, each providing two 10 Gbps (optical SFP+) and two 1 Gbps (RJ45 copper) Ethernet ports. The cards can be purchased with new machines or as a miscellaneous equipment specification (MES) for existing ones.
The built-in 1 Gbps Ethernet card is in location code P1-C10 or P1-C11 (depending on the model). The upper ports T1 and T2 are used for internal communications, and the bottom ports T3 and T4 are available for TCT, as shown in Figure 4-1 (with an IBM DS8910F central processor complex (CPC) as example). They are empty, and typically covered by a plastic port covering. Remove the plastic covering, and insert the RJ45 cable into the ports that you plan to use.
Figure 4-1 Built-in 1 Gbps Ethernet ports for TCT in a DS8910F CPC
The separately available 10 Gbps Ethernet adapters offer higher performance and bandwidth for TCT data movements. Depending on your DS8000 generation, you use one of two versions:
For the previous generation DS8880 and DS8880F, use the following information:
 – Feature Code (FC) 3600: TCT 10 Gb/1 Gb Ethernet pair for 2U controllers (IBM DS8884 and IBM DS8884F). It is plugged into location code P1-C11, as shown in Figure 4-2.
Figure 4-2 Location of the 10 Gbps Ethernet cards in 2U DS8884 servers
 – FC 3601: TCT 10 Gb/1 Gb Ethernet pair for 4U controllers (IBM DS8886, IBM DS8888, IBM DS8886F, and IBM DS8888F). It is plugged into location code P1-C11, as shown in Figure 4-3 on page 39.
Figure 4-3 Location of the 10 Gbps Ethernet cards in 4U DS8886 servers
They contain two 10 Gbps LR ports (optical SFP+) and two 1 Gbps ports (RJ45 copper). The card is physically in location code P1-C11 or P1-C12 (depending on the model).
For the newer DS8900F generation, the cards were changed. They contain two 10 Gbps SR ports (optical SFP+) and two 1 Gbps ports (RJ45 copper), and their location differs by model, as shown in Figure 4-4 and Figure 4-5.
 – FC 3602: TCT 10 Gb/1 Gb Ethernet pair V2 for 2U controllers. It is plugged into location code P1-C4 for model 994 and P1-C11 for model 993.
Figure 4-4 Location of 10 Gbps Ethernet card in 2 U servers (DS8910F model 994)
 – FC 3603: TCT 10 Gb/1 Gb Ethernet pair V2 for 4U controllers. It is plugged into location code P1-C10.
Figure 4-5 Location of 10 Gbps Ethernet card in 4U servers (DS8950F model 996)
All ports on the new cards and the built-in ports can be used for TCT.
With the extra Ethernet cards, you have a total of six Ethernet ports that are available for use with TCT per server. However, port usage and network connectivity have certain limits. For more information, see Chapter 5, “Connectivity and network setup for Transparent Cloud Tiering” on page 45.
 
Note: To identify and configure the Ethernet ports by using the DS Command-line Interface (DSCLI), you need their port IDs. These IDs depend on the plug location. You can use the DSCLI command lsnetworkport -l to determine the port ID against their location code.
4.2 z/OS level
TCT support has been part of the z/OS base operating system since z/OS V2R3. Support for new features is made available for existing z/OS releases with APARs. In this section, we provide a list of the major new feature APARs. Some of these APARs might already be contained in the z/OS release that you are running.
APAR OA55538 provides z/OS support for TCT encryption. It enables z/OS so that it can notify the DS8000 if a data set is already encrypted to avoid double encryption.
For TCT with a TS7700 as the cloud object target, you might need APAR OA58225.
DFSMSdss full volume dump (FVD) and restore is supported on z/OS V2R3 and z/OS V2R4 with APAR OA57526.
Support for TCT compression with a TS7700 as an object storage target requires APAR OA59465 and its dependent APARs (OA59466, OA59467, OA59468, OA59469, OA59470, and OA59471), which are available for z/OS V2R3 and z/OS V2R4.
For TCT secure data transfer with TS7700, there are no extra z/OS requirements.
If you plan to use DS8900F multi-cloud connection support, you need z/OS APARs OA60977 and OA61013.
Hierarchical Storage Manager (HSM) support for FVD and CDA credential management requires z/OS APAR OA60278.
 
Note: At the time of writing, the PTFs for APAR OA60278, which support HSM Full Volume Dump and CDACREDS, are not available because a problem was discovered. If you intend to use these functions, check for the availability of APAR OA64130, which will fix the issue.
You can use the IBM.Function.DFSMSCloudStorage fix category to identify PTFs that are associated with the Data Facility Storage Management Subsystem (DFSMS) TCT support.
4.3 IBM zSystems host system hardware requirements
TCT requires some security and encryption functions on the IBM zSystems host system to handle credentials in a secure fashion.
4.3.1 The CP Assist for Cryptographic Function feature
IBM zSystems FC 3863 CP Assist for Cryptographic Functions (CPACF) must be enabled for your IBM zSystems host systems. It allows clear key DES and TDES instructions on all CPs. HSM and DFSMS need CPACF to encrypt and decrypt stored cloud credentials.
4.3.2 IBM Crypto Express feature
DFSMS and HSM use DFSMS Cloud Data Access (CDA), an IBM Integrated Cryptographic Service Facility (ICSF) based framework to manage cloud credentials. Installed and configured Crypto Express features allow CDA to wrap and protect the master key that is used to encrypt and decrypt those credentials.
4.4 DS8000 release level
To set up the cloud configuration, your DS8000 must be at Release 8.2.3 (Bundle 88.23.19.0 microcode and DSCLI) or later.
To check your current DS8000 microcode level, run the ver -l DSCLI command that is shown in Example 4-1.
Example 4-1 Displaying a DS8000 release on the DSCLI
dscli> ver -l
DSCLI 7.9.10.223
StorageManager 9.1.2006300253
HMC DSCLI 7.9.10.248
================Version=================
Storage Image LMC Bundle Version
==========================================
IBM.2107-75LAH81 7.9.10.248 89.10.84.0
 
Note: You also can use the DSCLI commands lsserver -l or lspnode (available with DS8900F Release 9.1 and later) to determine your current microcode release.
To display the DS8000 release on DSGUI, select Actions → Properties.
Since the initial release, numerous enhancements were made to the DS8000 TCT functions. Make sure that you have the appropriate code level for the functions that you want to use.
DS8880 Release 8.2.3:
 – First release supporting TCT
 – OpenStack Swift API to connect to object storage systems
DS8880 Release 8.3:
 – Support for Amazon AWS and IBM Cloud Object Storage through the S3 API
 – Metro Mirror support
DS8880 Release 8.3.3:
 – Support for 10 Gbps Ethernet adapters
DS8880 Release 8.4:
 – FlashCopy support
DS8880 Release 8.5:
 – Global Mirror and Metro Global Mirror support
 – TCT encryption support
DS8880 Release 8.5.4 and DS8900F Release 9:
 – A TS7700 as the cloud object storage target
 – An Amazon S3 cloud object storage target
 – Multi-Target Peer to Peer Remote Copy (PPRC) support
DS8900F Release 9.1:
 – Compression with a TS7700 as the cloud object storage target
 – Secure data transfer with a TS7700 as the cloud object storage target
 – Support for DFSMSdss FVD and restore (also supported by DS8880 Release 8.5 SP6)
DS8900F Release 9.2:
 – Support for up to eight object storage connections
 – Support for Guardium Key Lifecycle Manager (GKLM) Containerized Edition as the key manager for TCT encryption.
4.5 TS7700 release level and features
TS7770 (model VED) systems are supported as cloud object targets in all attachment variations:
TS7770T tape-attached
TS7770C cloud-attached
TS7770 tapeless
All TS7770 Virtual Tape Servers that you want to use as object storage targets must be at least at microcode Release 5.22 and must have the feature Advanced Object Store for DS8000 FC 5283 enabled. The existing GRID adapters are used for TCT.
 
Note: Turning on encryption between the DS8000 and the TS7700 is optional. If you want to turn on encryption, you must install FC 5281 on each TS7700 that the DS8000 directly targets.
 
Note: Some TS7700 machines still have the DS8000 Object Store feature (FC 5282) installed. This feature is obsolete and should not be used anymore.
Feature number 5283 (Advanced Object Store for DS8000) can be installed only on clusters in a grid where feature number 5282 is not installed. Migration services to migrate from the older FC 5282 to the new FC 5283 can be performed with TS7700 R 5.3 or later and are available through a statement of work (SOW) or contract from IBM Lab Services.
4.6 Authentication information
The following account information must be provided by your Cloud Service Provider or Administrator:
Endpoint URL with port number
Credentials for the used cloud target type
Tenant (for Swift)
Secure Sockets Layer (SSL) certificates (if using SSL or Transport Layer Security (TLS))
 
For all cloud target types except Swift, you use the DS8000 Hardware Management Console (HMC) as proxy between z/OS DFSMS and the cloud storage. Therefore, you need connection information for the DS8000 HMC:
The HMC IP address or network name.
The port number that is used for the cloud proxy connection is 8452.
A DS8000 user and password with at least Monitor authority.
4.6.1 Endpoint
The endpoint is the location or URL that the DS8000 (and DFSMS for Swift) uses when accessing and authenticating with the cloud object storage system.
When a swift-keystone authentication method is used, the endpoint must contain the version number of the identity API to use. At the time of writing, only the version 2 API is supported. For example, if the provider endpoint is https://dallas.ibm.com, the endpoint should be configured as https://dallas.ibm.com/v2.0.
To access the endpoint, you might also need a port number, which is either already part of your endpoint specification or provided by the cloud storage administrator. The port number is at most five characters long and must be in the range 0 - 65535. You must also ensure that this port is open on the local network firewalls.
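As an added example (not code from the Redbook or from IBM), the following Python check applies the endpoint rules of this section before the values are entered in the DS8000 and DFSMS cloud definitions. The target type string "swift-keystone" and the function names are assumptions.

```python
"""Validate endpoint URL and port for a DS8000 / DFSMS cloud definition.

Added example, not from the Redbook. It applies the rules of this section: a
swift-keystone endpoint must name the identity API version (only v2.0 is
supported); the port is either part of the URL or supplied separately, and it
must be at most five characters in the range 0 - 65535.
"""
from urllib.parse import urlsplit

SWIFT_IDENTITY_VERSION = "v2.0"   # only version 2 of the Keystone identity API is supported
PORT_MAX_CHARS = 5                # maximum length of the port field


def validate_port(port):
    """Return the port as an int; raise ValueError if it breaks the length or range rule."""
    text = str(port)
    if not text.isdigit() or len(text) > PORT_MAX_CHARS:
        raise ValueError(f"port must be 1-{PORT_MAX_CHARS} digits, got {text!r}")
    if int(text) > 65535:
        raise ValueError(f"port {text} is outside 0 - 65535")
    return int(text)


def normalize_endpoint(url, target_type, port=None):
    """Return the endpoint as it should be entered for the given cloud target type.

    target_type is the cloud target type as a string; "swift-keystone" (assumed
    spelling) gets the identity-version check. port is the separately supplied
    port number, used when the URL itself does not carry one.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"endpoint must be an http(s) URL with a host: {url!r}")
    host, sep, url_port = parts.netloc.rpartition(":")
    if not sep or "]" in url_port:           # no port in the URL (safe for IPv6 literals)
        host, url_port = parts.netloc, None
    if url_port is not None:
        if port is not None and str(port) != url_port:
            raise ValueError(f"conflicting ports: URL has {url_port}, argument is {port}")
        port = url_port
    netloc = host if port is None else f"{host}:{validate_port(port)}"
    path = parts.path.rstrip("/")
    if target_type == "swift-keystone":
        if not path:                         # https://dallas.ibm.com -> https://dallas.ibm.com/v2.0
            path = "/" + SWIFT_IDENTITY_VERSION
        elif path.rsplit("/", 1)[-1] != SWIFT_IDENTITY_VERSION:
            raise ValueError(f"swift-keystone endpoint must end in /{SWIFT_IDENTITY_VERSION}: {url!r}")
    return f"{parts.scheme}://{netloc}{path}"
```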
4.6.2 Cloud credentials
The cloud administrator provides a set of credentials. Their names and extent differ by cloud target type. You must provide the credentials to the DS8000 when you set up the cloud connection. If you connect to a Swift cloud, you also need these credentials for the DFSMS cloud definition. For more information about the required credentials for the different cloud target types and how to provide them, see Chapter 6, “Configuring the IBM DS8000 for Transparent Cloud Tiering” on page 49 and Chapter 7, “Configuring Data Facility Storage Management Subsystem for Transparent Cloud Tiering” on page 65.
 
Important: Be careful with the cloud credentials. Anyone with access to them can also access the cloud directly. This access gives the user the power to read, update, or delete the data in the cloud, potentially compromising data integrity or making DFSMShsm unable to recall or restore the data from this cloud account. It is a best practice to have a security administrator who is managing the cloud storage passwords also be the individual who manages the password for DFSMShsm to protect this method of access to the cloud data sets.
For Swift cloud storage environments, an extra abstraction layer is required, which is called Tenant. A Tenant name is the name or project name that identifies your object store environment. This name needs to be something meaningful to your organization’s environment, for example, possible Tenant names might be production, development, or test. You can either choose this name when requesting cloud storage access, or it can be predefined by the cloud administrator.
4.6.3 Certificates (if using SSL/TLS)
The first level of encryption-based security provides secure communications between the DS8000 system, DFSMS, and the cloud service provider. The standard protocol, TLS, protects these connections by encrypting authentication data that is transferred between DFSMS, DS8000 systems, and the cloud service provider. Secure communications are mandatory for these connections and require that public certificates are exchanged between the cloud service provider, DFSMS, and the DS8000 systems.
 
Note: SSL/TLS is used only to encrypt the authentication data between DFSMS, the DS8000, and the cloud object storage. You must configure and enable TCT encryption to encrypt the customer data during transmission and while it is in cloud storage. If you are already using Pervasive Encryption to encrypt data sets on the host, TCT encryption is not required.
For cloud targets that use SSL/TLS to encrypt the authentication path, certificates are required to maintain a chain of trust between DFSMS, the DS8000, and the object store.
If you use self-signed certificates, it is sufficient to provide only them. If you use a CA, you need the CA’s root certificate and any intermediate certificates that are required to complete the certificate chain. You provide the certificates wrapped in Privacy-Enhanced Mail (PEM) files that you can import into the DS8000 system and DFSMS. A PEM file can support multiple digital certificates, including a certificate chain.
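The following Python check is an added example, not code from the Redbook or from IBM: it splits a PEM bundle into its certificates and confirms, using only the standard library, that each certificate's issuer matches the subject of the next one, so the file really carries the complete chain before it is imported into the DS8000 and DFSMS. It does not verify signatures, and its sample bundle is constructed from tiny DER objects rather than real certificates.

```python
import base64, re

_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # split a constructed DER value into its (tag, value) elements
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(der):
    """Raw issuer and subject Name encodings of one DER-encoded certificate."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                      # serial, sigAlg, issuer, validity, subject

def check_chain(pem_text):
    """Return the certificate count if the bundle is a continuous chain, else raise ValueError."""
    certs = []
    for kind, body in _PEM.findall(pem_text):
        if kind != "CERTIFICATE":                          # keys never belong in a trust bundle
            raise ValueError(f"unexpected PEM object in bundle: {kind}")
        certs.append(issuer_and_subject(base64.b64decode(body)))
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    for (issuer, _), (_, parent_subject) in zip(certs, certs[1:]):
        if issuer != parent_subject:
            raise ValueError("chain is broken: issuer does not match the next subject")
    return len(certs)

# Constructed sample, not real X.509: minimal DER objects with the same field order.
def der_encode(tag, content):
    return bytes([tag, len(content)]) + content          # short-form length only
def fake_cert(subject, issuer):
    name = lambda s: der_encode(0x30, der_encode(0x0C, s.encode()))
    tbs = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x30, b"") + name(issuer) + der_encode(0x30, b"") + name(subject))
    return der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
def pem_wrap(der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

SAMPLE_CHAIN = pem_wrap(fake_cert("storage", "inter")) + pem_wrap(fake_cert("inter", "root")) + pem_wrap(fake_cert("root", "root"))
```

A self-signed certificate on its own passes as a chain of one, which matches the case above where only that certificate needs to be provided.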
4.7 SSL/TLS considerations
DFSMS and IBM DS8000 send account information (usernames and passwords) over an HTTP connection. To ensure that the information is encrypted, as a best practice, establish a secure HTTP connection between the z/OS host, the IBM DS8000 system, and the object storage cloud server.
The supported SSL/TLS versions that are used when making HTTP requests are TLSV12, TLSV11, TLSV1, and SSLV3.
There are two types of authentication:
Server authentication: The z/OS host or DS8000 verifies the identity of the object storage cloud server.
Mutual authentication: The z/OS host or DS8000 verifies the identity of the object storage cloud server, and the object storage cloud verifies the identity of the z/OS host or DS8000.