Remote support
This chapter describes the outbound (call home and support data offload) and inbound (code download and remote support) communications for the IBM System Storage DS8000 family.
The DS8880 maintains the same functions as in the previous generation.
This chapter covers the following topics:
15.1 Introduction to remote support
IBM provides remote support capabilities for the DS8880. The remote support enables the storage to communicate with IBM, and allows IBM support to remotely connect to the system when authorized by the client.
The benefit of remote support is that IBM Support can respond quickly to events that you or the system report.
The following features can be enabled in the DS8880 for remote support:
Call home support (outbound remote support):
 – Reporting problems to IBM
 – Sending heartbeat information
 – Offloading data
Remote service (inbound remote support):
IBM Support accesses the DS8880 HMC through a network-based connection.
During the installation and planning phase, complete the remote support worksheets and supply them to the IBM SSR at the time of the installation.
The worksheets hold information about your remote support preferences and the network communication requirements that your local network must fulfill.
15.2 IBM policies for remote support
The following guidelines are at the core of the IBM remote support strategies for the DS8880:
When the DS8880 transmits service data to IBM, only logs and process memory dumps are gathered for troubleshooting.
When a remote session with the DS8880 is needed, the HMC or Management Console always initiates an outbound connection to predefined IBM servers or ports.
IBM maintains multiple-level internal authorizations for any privileged access to the DS8880 components. Only approved IBM service personnel can gain access to the tools that provide the security codes for HMC command-line access.
Although the Management Console is based on a Linux operating system, IBM disabled or removed all unnecessary services, processes, and IDs. This includes standard internet services such as Telnet (the Telnet server is disabled on the HMC) and File Transfer Protocol (FTP), the Berkeley r-commands, and Remote Procedure Call (RPC) commands and programs.
15.3 Remote support advantages
The following benefits can be realized when you enable remote support on the DS8880:
Serviceable events with related problem data are reported to IBM automatically and a support call is opened.
IBM support personnel can start data analysis and problem isolation immediately, which can reduce the overall time that is required to fix a problem.
If additional service data is needed, IBM Support can connect to the Management Console and offload the data for the next level of support.
Remote support helps clients to maintain the highest availability of their data.
For DS8870 and DS8880, IBM also provides Remote Code Load as described under “Remote Code Load” on page 450.
15.4 Remote support call home
This section details the call home characteristics.
15.4.1 Call home and heartbeat: Outbound
This section describes the call home and heartbeat capabilities.
Call home
Call home is the capability of the Management Console to report serviceable events to IBM. The Management Console also transmits machine-reported product data (MRPD) information to IBM through call home. The MRPD information includes installed hardware, configurations, and features. The call home is configured by the IBM SSR during the installation of the DS8880 by using the customer worksheets. A test call home is placed after the installation to register the machine and verify the call home function.
Heartbeat
The DS8880 also uses the call home facility to send proactive heartbeat information to IBM. The heartbeat configuration can be set by the IBM SSR to send heartbeat information to the customer (through Simple Network Management Protocol (SNMP) and email) in addition to IBM. A heartbeat is a small message with basic product information that is sent to IBM to ensure that the call home function works.
The heartbeat can be scheduled every one to seven days based on the client’s preference. When a scheduled heartbeat fails to transmit, a service call is placed for the SSR with an action plan to verify the call home function. The DS8880 uses an internet connection that is protected by Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), for call home functions.
15.4.2 Data offload: Outbound
For many DS8880 problem events, such as a hardware component failure, a large amount of diagnostic data is generated. This data can include text and binary log files, firmware information, inventory lists, and timelines. These logs are grouped into collections by the component that generated them or the software service that owns them.
The entire bundle is collected together in a PEPackage. A DS8880 PEPackage can be large, often exceeding 100 MB. In certain cases, more than one PEPackage might be needed to diagnose a problem correctly. In certain cases, the IBM Support center might need an extra memory dump that is internally created by the DS8880 or manually created through the intervention of an operator.
 
On Demand Dump: The On-Demand Data Dump (ODD) provides a mechanism that allows the collection of debug data for error scenarios. With ODD, IBM can collect data with no impact to the host I/O after an initial error occurs. ODD can be generated by using the data storage command-line interface (DS CLI) command diagsi -action odd and then offloaded.
The Management Console is a focal point for gathering and storing all of the data packages. Therefore, the Management Console must be accessible if a service action requires the information. The data packages must be offloaded from the Management Console and sent in to IBM for analysis. The offload is performed through the internet through a TLS connection.
15.4.3 Outbound connection types
This section describes the outbound connection options that are available for call home and data offload.
 
Internet through a TLS connection
The preferred remote support connectivity method is internet TLS for Management Console to IBM communication. TLS is the transport encryption protocol that originated as the standard for securing web (HTTPS) traffic. Traffic through a TLS proxy is supported with or without proxy authentication, depending on the client’s proxy server configuration.
When the internet is selected as the outbound connectivity method, the Management Console (MC) uses a TLS connection over the internet to connect to IBM.
For more information about IBM TLS remote support, see the IBM DS8880 Introduction and Planning Guide, GC27-8525, for planning and worksheets.
Standard FTP connection for data offload
The Management Console can be configured to support automatic data offload by using FTP over a network connection. Because FTP is not encrypted, this traffic can be examined at the client’s firewall before it is moved across the Internet; for the same reason, the offloaded logs and memory dumps travel in clear text until they reach IBM. For FTP, the Management Console must be connected to the customer LAN with a path to the Internet from the repository server.
 
Important: FTP offload of data is supported as an outbound service only. No active FTP server is running on the HMC that can receive connection requests.
When a direct FTP session across the Internet is not available or wanted, a client can configure the FTP offload to use a client-provided FTP proxy server. The client then becomes responsible for configuring the proxy to forward the data to IBM.
The client is required to manage its firewalls so that FTP traffic from the Management Console (or from an FTP proxy) can pass onto the Internet.
For more information, see the IBM DS8880 Introduction and Planning Guide, GC27-8525.
15.5 Using IBM Storage Insights
Starting with DS8000 Release 8.51, you can take advantage of additional functionality offered by IBM Storage Insights for Call Home and for events and notifications logging.
15.5.1 IBM Storage Insights
IBM Storage Insights provides an unparalleled level of visibility across your storage environment to help you manage complex storage infrastructures and make cost-saving decisions. It combines proven IBM data management leadership with proprietary analytics from IBM Research. As a cloud-based service, it enables you to deploy quickly and save storage administration time while optimizing your storage. It also helps automate aspects of the support process to enable faster resolution of issues. The following editions enable you to select the capabilities that serve your needs best:
Storage Insights
IBM Storage Insights provides a unified view of a storage environment with a diagnostic events feed, an integrated support experience, and key capacity and performance metrics. IBM Storage Insights is available at no cost to IBM Storage Insights Pro subscribers and owners of IBM block storage systems who sign up.
Storage Insights Pro
The capacity-based, subscription version is called IBM Storage Insights Pro and includes all the features of IBM Storage Insights plus a more comprehensive view of the performance, capacity, and health of storage resources. It also helps you reduce storage costs and optimize your data center by providing features like intelligent capacity planning, storage reclamation, storage tiering, and advanced performance metrics. The storage systems that you can monitor are expanded to include IBM file, object, software-defined storage (SDS) systems, and non-IBM block and file storage systems.
With features such as Call Home, data collectors, a streamlined ticketing process, and proactive support, you can feel confident that your storage environment is stable, performing well, and has the capacity to meet your applications’ requirements. And if a problem does occur, you can get help promptly through the unified support experience by completing the following tasks:
Open IBM Support tickets for a resource and automatically add a log package to the ticket
Update tickets with a new log package
View the tickets that are open for a resource
View the ticket history for a resource
Additionally, IBM Support has read-only access to diagnostic information about monitored storage systems, so that they can help troubleshoot and resolve problems.
A lightweight data collector is installed in your data center to stream performance, capacity, asset, and configuration metadata to your IBM Cloud instance.
The metadata flows in one direction: from your data center to IBM Cloud over HTTPS. In the IBM Cloud, your metadata is protected by physical, organizational, access, and security controls.
15.5.2 Getting started with Storage Insights
To start using Storage Insights, you need to perform the following steps:
1. If you don’t have an IBM ID yet, go to https://www.ibm.com/ and register.
2. Sign up for IBM Storage Insights at https://ibm.biz/insightsreg:
a. Within 24 hours an IBM representative will contact you to get started.
b. When you register, specify an owner for IBM Storage Insights. The owner manages access for other users and acts as the main contact.
c. You will receive a Welcome email when IBM Storage Insights is ready. The email contains a direct link to your dashboard.
3. Install the data collector in your data center to stream performance, capacity, and configuration metadata about storage systems to IBM Storage Insights. On your dashboard, click Deploy Data Collectors and get started. See Figure 15-1.
a. Go through the wizard and choose your preferred operating system to download the data collector (Windows, Linux, or AIX).
b. Extract the contents of the data collector file on the virtual machine or server where you want it to run. 1 GB of RAM and 1 GB of disk space are required.
c. Run installDataCollectorService.sh (Linux/AIX) or installDataCollectorService.bat (Windows).
Figure 15-1 Deploy Data Collectors
After the data collector is deployed, it attempts to establish a connection to IBM Storage Insights. When the connection is complete, you can start to add your DS8000 system for monitoring. Figure 15-2 shows your dashboard wizard waiting for connection from Data Collector. This window can be closed.
Figure 15-2 Attempting to connect to the installed Data Collector
Register DS8000 to your dashboard
To add your DS8000 system to the dashboard, perform the following steps:
1. In the Dashboard’s Operations tab, click the Add Storage System button to start. See Figure 15-3.
Figure 15-3 Adding new storage system
2. Select DS8000 in the pop-up window, as shown in Figure 15-4.
Figure 15-4 Select machine type
3. Fill in the required fields with the IP addresses or host names of the HMCs and the credentials of a user with monitoring privileges, and click Connect. See Figure 15-5.
Figure 15-5 Connection details
4. After the connections are ready, your system displays in Dashboard/Operations, as shown in Figure 15-6.
Figure 15-6 System distribution ready
Storage Insights dashboard
The main Tile view enables you to quickly access essential information about your storage systems. Systems with error conditions are displayed first. See Figure 15-7.
Figure 15-7 Dashboard Tile view
As a data collector is deployed and connected, a snapshot of performance and capacity is displayed. Opening your system by clicking the tile presents information including the following data shown in Figure 15-8:
Overview of key performance and capacity metrics
Events details and actions you can take to manage events, if available
Tickets details and actions you can take to manage tickets, if available
Figure 15-8 One System overview
For further detailed information about Storage Insights, visit the following page on IBM knowledge center:
15.6 Remote Support Access (inbound)
IBM took many necessary steps to provide secure network access for the Management Console. The client can define how and when the IBM SSR can connect to the Management Console. When remote support access is configured, IBM Support can connect to the Management Console to start problem analysis and data gathering. This process enables data to be analyzed as fast as possible with an action plan that is created for an onsite IBM SSR, if needed.
Having inbound access enabled can greatly reduce the problem resolution time by not waiting for the SSR to arrive onsite to gather problem data and upload it to IBM. With the DS8880, inbound connectivity options are available to the client:
External Assist On-Site Gateway
Embedded remote access feature
The remote support access connection cannot be used to send support data to IBM; support data offload always uses the call home feature.
15.6.1 Assist On-site
Assist On-site (AOS) is an IBM remote access solution that relies on the IBM commercial product IBM BigFix® for Remote Control. IBM DS8000 support uses the AOS port-forwarding feature to reach the DS8000 with IP-based maintenance tools.
IBM Support encourages you to use Assist On-site as your remote access method.
The remote access connection is secured with TLS 1.2. In addition, the HMC only ever initiates outbound connections and never listens for inbound ones; you must nevertheless explicitly permit IBM to reach the HMC through this channel at any time. This function is comparable to a modem that answers incoming calls. The DS8880 documentation refers to this as an unattended service.
The connection is under the control of the DS8880 administrator at all times. Any DS8880 administrator can start and stop the AOS connection.
If you prefer a centralized access point for IBM Support, an Assist On-site Gateway might be the correct solution. With the AOS Gateway, the AOS software is installed outside the DS8880 HMC, on a system that you provide and maintain. IBM Support only provides the AOS software package. Through port-forwarding on an AOS Gateway, you can configure remote access to one or more DS8880s or other IBM Storage Systems.
A simple AOS connection to the DS8880 is shown in Figure 15-9. For more information about AOS, prerequisites, and installation, see IBM Assist On-site for Storage Overview, REDP-4889.
Figure 15-9 DS8880 AOS connection
15.6.2 DS8880 embedded AOS
AOS is an embedded feature, on DS8700, DS8800, DS8870, and DS8880. The AOS software package is preinstalled and customized on the Management Console. This technique eliminates the need to provide an additional system to operate an AOS Gateway. Embedded AOS is a secure, fast, broadband form of remote access. You can choose to allow unattended or attended remote access sessions. If you select attended remote access sessions, IBM Support contacts you or the storage operator to start the support session through DS CLI or the DS GUI.
The IBM SSR configures AOS during the installation or a later point in time by entering information that is provided in the inbound remote support worksheet. The worksheets can be found in the Installation and Planning Guide, or online in the Planning Section of the IBM DS8880 Knowledge Center at:
In addition, your firewall needs to allow outbound traffic from the HMC to the AOS Infrastructure. The inbound remote support worksheet provides information about the required firewall changes.
For more information about AOS, see IBM Assist On-site for Storage Overview, REDP-4889.
15.6.3 DS8880 Remote Support Center (rsc)
The HMC has been made Remote Support Center (rsc) ready starting with Microcode release R8.1. The rsc relies on a single outgoing TCP connection and is not able to receive inbound connections of any kind. Instead of TLS, as used with Assist On-site, rsc uses SSH.
Access to the DS8000 by using rsc is controlled by using either the DS GUI or DS CLI.
 
Important: To use rsc, the following servers will need to be allowed outbound connection from the HMC on port 22:
195.110.41.141
195.110.41.142
204.146.30.139
129.33.206.139
For more information about rsc, contact your IBM service representative.
15.6.4 Support access management through the DS CLI and the Storage Management GUI
All support connections can be enabled or disabled through the DS Storage Manager GUI or DSCLI. The following interfaces can be controlled:
The web-based user interface for the IBM SSR on the HMC
The SSH command-line interface access through the local or internal network
The remote access through Assist On-site
Using the DS Storage Manager GUI to manage the service access
You can control all service access through the DS Storage Manager GUI in the Access window, which you open by clicking Settings → System → Advanced Menu. See Figure 15-10.
Figure 15-10 Control the Support access through the DS Storage Manager GUI
The following options are available in the Service Access section:
DS Service GUI Access
Allow authorized IBM service representatives to access the DS Service GUI.
SSH Service Access
Allow authorized IBM service representatives to access the Secure Shell (SSH) command line on the HMC.
Using DSCLI to manage service access
You can manage service access to the DS8880 by using DS CLI commands. The following user access security commands are available:
manageaccess: This command manages the security protocol access settings of a Management Console for all communications to and from the DS8000 system. You can also use the manageaccess command to start or stop outbound virtual private network (VPN) connections instead of using the setvpn command.
chaccess: The chaccess command changes one or more access settings of an HMC. Only users with administrator authority can access this command. See the command output in Example 15-1.
chaccess [-commandline enable | disable] [-wui enable | disable] [-modem enable | disable] [-aos enable | disable] hmc1 | hmc2
Example 15-1 Output of chaccess command
Invoking the chaccess command
dscli> chaccess -cmdline enable -wui enable -hmc 1
The resulting output
hmc1 successfully modified.
 
Note: With the release of the DS8880, VPN and modem support are no longer offered. The DS CLI retains the commands for compatibility with earlier versions.
lsaccess: The lsaccess command displays the access settings and VPN status of the primary and backup Management Consoles:
lsaccess [hmc1 | hmc2]
See the output in Example 15-2.
Example 15-2 The lsaccess command output for a system with only one Management Console
dscli> lsaccess -hmc all -l
hmc  cmdline  wui      modem  cim       aos      vpn
=====================================================
hmc1 enabled  enabled  -      disabled  enabled  disabled
dscli>
 
 
Important: The hmc1 value specifies the primary HMC, and the hmc2 value specifies the secondary HMC, regardless of how -hmc1 and -hmc2 were specified during dscli start. A DS CLI connection might succeed even if a user inadvertently specifies a primary HMC by using -hmc2 and the secondary backup HMC by using -hmc1 at the DS CLI start.
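The lsaccess output above is what an auditor would check between support sessions to confirm that no service interface was left open. The following is an added example, not IBM code or part of the DS CLI: it parses the tabular lsaccess layout shown in Example 15-2 and reports interfaces that are enabled although the baseline expects them disabled. The sample output is constructed (a second HMC row was added so the check has something to compare), and the column names and the baseline list are assumptions to adjust for your DS CLI release and policy.

```python
"""Parse `lsaccess -hmc all -l` output and flag open service-access settings.

Added example, not IBM code. Assumes the layout of Example 15-2:
whitespace-separated columns, one header line, one line of '=' separators,
then one row per HMC.
"""

# Constructed sample modeled on Example 15-2; not a real capture.
SAMPLE_LSACCESS = """\
dscli> lsaccess -hmc all -l
hmc  cmdline  wui      modem  cim       aos      vpn
=====================================================
hmc1 enabled  enabled  -      disabled  enabled  disabled
hmc2 disabled enabled  -      disabled  disabled disabled
"""


def parse_lsaccess(text):
    """Return {hmc: {interface: state}} from lsaccess output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Drop the echoed dscli prompt line, if the capture includes it.
    lines = [ln for ln in lines if not ln.startswith("dscli>")]
    header = lines[0].split()
    rows = {}
    for ln in lines[1:]:
        if set(ln) <= {"="}:
            continue  # separator line
        cols = ln.split()
        if len(cols) != len(header):
            raise ValueError(f"unexpected column count in row: {ln!r}")
        rows[cols[0]] = dict(zip(header[1:], cols[1:]))
    return rows


# Assumed baseline: interfaces that should be disabled when no IBM support
# session is in progress. 'wui' is the DS Service GUI for the SSR, 'cmdline'
# the HMC SSH command line, 'aos' embedded Assist On-site. 'modem' and 'vpn'
# are no longer offered on the DS8880, so anything other than '-' or
# 'disabled' in those columns deserves a second look.
EXPECTED_DISABLED = ("cmdline", "wui", "aos", "modem", "vpn")


def find_open_access(rows, expected_disabled=EXPECTED_DISABLED):
    """Return sorted (hmc, interface) pairs that are enabled but should not be."""
    findings = []
    for hmc, settings in rows.items():
        for iface in expected_disabled:
            if settings.get(iface, "-") == "enabled":
                findings.append((hmc, iface))
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_lsaccess(SAMPLE_LSACCESS)
    for hmc, iface in find_open_access(parsed):
        print(f"{hmc}: {iface} is enabled; confirm an IBM support session is in progress")
```

Run it against a real capture by replacing SAMPLE_LSACCESS with the saved output of the command; any finding that does not correspond to a session you authorized is worth a chaccess call to disable the interface.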
Client notification of remote login
The Management Console code records all remote access in a log file. A client can use a DS CLI function to offload this file for audit purposes. The DS CLI function combines the log file that contains all service login information with an IBM enterprise storage server network interface (ESSNI) server audit log file that contains all client user login information to provide the client with a complete audit trail of remote access to a Management Console.
This on-demand audit log is the mechanism that IBM provides to meet client security requirements for HMC remote access notification.
In addition to the audit log, email notifications and SNMP traps can be configured at the Management Console to send a notification when a remote support connection is made.
15.7 Audit logging
The DS8880 offers an audit log. It is an unalterable record of all actions and commands that were initiated by users on the storage system through the DS8000 Storage Management graphical user interface (GUI), DS CLI, DS Network Interface (DSNI), or Copy Services Manager. The audit log does not include commands that were received from host systems or actions that were completed automatically by the storage system. The audit logs can be exported and downloaded by using the DS CLI or the Storage Management GUI.
The DS CLI offloadauditlog command provides clients with the ability to offload the audit logs to the client’s DS CLI workstation into a directory of their choice, as shown in Example 15-3.
Example 15-3 DS CLI command to download audit logs
dscli> offloadauditlog -logaddr smc1 c:75ZA570_audit.txt
Date/Time: November 3, 2015 11:41:56 AM CET IBM DSCLI Version: 7.8.0.376 DS: -
CMUC00243I offloadauditlog: Audit log was successfully offloaded from smc1 to c:75ZA570_audit.txt.
The audit log can be exported by using the DS8000 Storage Management GUI on the Events window by clicking the Diskette icon and then selecting Export Audit Log, as shown in Figure 15-11.
Figure 15-11 Export Audit Log
The downloaded audit log is a text file that provides information about when a remote access session started and ended, and the remote authority level that was applied. A portion of the downloaded file is shown in Example 15-4.
Example 15-4 Audit log entries that relate to a remote support event
MST,,1,IBM.2107-75ZA570,N,8036,Authority_to_root,Challenge Key = 'Fy31@C37'; Authority_upgrade_to_root,,,
U,2015/10/02 12:09:49:000 MST,customer,1,IBM.2107-75ZA570,N,8020,WUI_session_started,,,,
U,2015/10/02 13:35:30:000 MST,customer,1,IBM.2107-75ZA570,N,8022,WUI_session_logoff,WUI_session_ended_loggedoff,,,
The Challenge Key that is presented to the IBM support representative is a part of a two-factor authentication method that is enforced on the Management Console. It is a token that is shown to the IBM SSR who connects to the DS8880. The representative must use the Challenge Key in an IBM internal system to generate a Response Key that is given to the HMC. The Response Key acts as a one-time authorization to the features of the HMC. The Challenge and Response Keys change when a remote connection is made.
The Challenge-Response process must be repeated if the representative needs higher privileges to access the Management Console command-line environment. No direct user login and no root login are on a DS8880.
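The offloaded audit log is the client's record of who reached the HMC and when. The following is an added example, not IBM code: it parses the comma-separated layout visible in Example 15-4, pairs WUI_session_started with WUI_session_logoff events per user, attaches any Authority_to_root escalation to the session that was open at the time, and reports sessions that have no logoff record. The sample lines are constructed in the pattern of Example 15-4 (the escalation line carries no user name, as on the page); the field positions and event names are assumptions taken from those three lines only.

```python
"""Extract remote-support sessions from an offloaded DS8000 audit log.

Added example, not IBM code. Assumes the field layout of Example 15-4:
field 1 timestamp with trailing zone name, field 2 user, field 4 storage
image, field 6 event code, field 7 event name, field 8 free-text detail.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample patterned on Example 15-4; not a real offload.
SAMPLE_AUDIT = """\
U,2015/10/02 12:09:49:000 MST,customer,1,IBM.2107-75ZA570,N,8020,WUI_session_started,,,,
U,2015/10/02 12:10:05:000 MST,,1,IBM.2107-75ZA570,N,8036,Authority_to_root,Challenge Key = 'Fy31@C37'; Authority_upgrade_to_root,,,
U,2015/10/02 13:35:30:000 MST,customer,1,IBM.2107-75ZA570,N,8022,WUI_session_logoff,WUI_session_ended_loggedoff,,,
U,2015/10/02 14:00:00:000 MST,customer,1,IBM.2107-75ZA570,N,8020,WUI_session_started,,,,
"""

SESSION_START = "WUI_session_started"
SESSION_END = "WUI_session_logoff"
ROOT_UPGRADE = "Authority_to_root"


def parse_timestamp(field):
    """'2015/10/02 12:09:49:000 MST' -> (naive datetime, 'MST')."""
    stamp, zone = field.rsplit(" ", 1)
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S:%f"), zone


def parse_audit(text):
    """Yield one dict per audit record; short or blank lines are skipped."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 8:
            continue
        when, zone = parse_timestamp(row[1])
        yield {
            "time": when, "zone": zone, "user": row[2], "image": row[4],
            "code": row[6], "event": row[7],
            "detail": row[8] if len(row) > 8 else "",
        }


def remote_sessions(records):
    """Pair session start/end per user and collect root escalations.

    Returns (closed, open). Each session dict has 'user', 'start', 'end',
    'duration' and 'root_escalations'. A missing logoff record is reported
    rather than guessed: an operation that timed out leaves no audit entry,
    so the absence of an end event is a lead for follow-up, not proof.
    """
    open_by_user = {}
    closed = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["event"] == SESSION_START:
            open_by_user[rec["user"]] = {
                "user": rec["user"], "start": rec["time"], "end": None,
                "duration": None, "root_escalations": [],
            }
        elif rec["event"] == ROOT_UPGRADE:
            # The escalation record on the page carries no user name, so
            # attribute it to every session open at that moment.
            if rec["user"] in open_by_user:
                targets = [open_by_user[rec["user"]]]
            else:
                targets = list(open_by_user.values())
            for sess in targets:
                sess["root_escalations"].append(rec["detail"])
        elif rec["event"] == SESSION_END and rec["user"] in open_by_user:
            sess = open_by_user.pop(rec["user"])
            sess["end"] = rec["time"]
            sess["duration"] = rec["time"] - sess["start"]
            closed.append(sess)
    return closed, list(open_by_user.values())


if __name__ == "__main__":
    done, still_open = remote_sessions(parse_audit(SAMPLE_AUDIT))
    for s in done:
        print(f"{s['user']}: {s['start']} -> {s['end']} ({s['duration']}), "
              f"root escalations: {len(s['root_escalations'])}")
    for s in still_open:
        print(f"{s['user']}: session started {s['start']} has no logoff record")
```

Feed the script the file that offloadauditlog wrote and compare the reported sessions and escalations with the support tickets you authorized; a root escalation with no matching ticket is the event to investigate first.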
Entries are added to the audit file only after the operation completes, so that all information about the request and its completion status is known. A single entry logs both the request and the response. It is possible, though unlikely, that an operation does not complete because of an operation timeout. In this case, no entry is made in the log, so a timed-out request leaves no audit trace.
The audit log entry includes the following information:
Log users that connect or disconnect to the storage manager.
Log user password and user access violations.
Log commands that create, remove, or modify the logical configuration, including the command parameters and user ID.
Log commands that modify storage facility image (SFI) and Storage Facility settings, including the command parameters and user ID.
Log Copy Services commands, including command parameters and users.
 
Note: IBM Copy Services Manager commands are not supported.
Audit logs are automatically trimmed (first-in first-out (FIFO)) by the subsystem so that they do not use more than 50 MB of disk storage. If you need a longer retention period than this limit allows, offload the audit log regularly and archive it outside the storage system.