Configuration flow
This chapter provides a brief overview of the sequence of tasks that are required for the configuration of an IBM DS8880.
This chapter covers the following topics:
Configuration worksheets
User and role management
Disk encryption
Network security
Configuration flow
General storage configuration guidelines
10.1 Configuration worksheets
Before a new DS8880 is delivered, the client is given the DS8880 customization worksheets. The configuration worksheets can be found in Appendix E of the IBM DS8880 Introduction and Planning Guide, GC27-8525. The guide provides all of the information that is required to plan for a successful installation.
The purpose of the configuration worksheets is to provide the required information to the IBM service support representative (IBM SSR) to customize the DS8880. It is best to present the completed worksheets to the IBM SSR before the delivery of the DS8880.
The completed customization worksheets specify the initial setup for the following items:
Company information: Provides important contact information.
Management console network settings: Supplies the IP address and local area network (LAN) settings for connectivity to the management console.
Remote support (which includes call home and remote service settings): Specifies the inbound and outbound remote support settings.
Notifications: Lists Simple Network Management Protocol (SNMP) trap and email notification settings.
Power control: Selects and controls the various power modes for the storage complex.
Control switch settings: Specifies certain DS8880 settings that affect host connectivity. This information is required by the IBM SSR so that the SSR can enter these settings during the DS8880 installation.
10.2 User and role management
During the planning phase (when you use the customization worksheet), list all users who need access to the data storage graphical user interface (DS GUI) or data storage command-line interface (DS CLI). This list helps you manage secure authorization, which defines the resources that each role-based user can reach and the operations that the user can perform on them. A user can be assigned to more than one group. Assign at least one user to each of the following roles:
The Administrator (admin) has access to all Hardware Management Console (HMC) or Management Console (MC) service methods and all storage image resources, except for encryption functions. This user authorizes the actions of the Security Administrator during the encryption deadlock prevention and resolution process.
The Security Administrator (secadmin) has access to all encryption functions. This role requires an Administrator user to confirm the actions that are taken during the encryption deadlock prevention and resolution process.
The Physical operator (op_storage) has access to physical configuration service methods and resources, such as managing the storage complex, storage image, rank, array, and extent pool objects.
The Logical operator (op_volume) has access to all service methods and resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security methods.
The Monitor group has access to all read-only, nonsecurity MC service methods, such as the list and show commands.
The Service group has access to all MC service methods and resources, such as running code loads and retrieving problem logs. This group also has the privileges of the Monitor group, excluding security methods.
The Copy Services operator has access to all Copy Services methods and resources, and the privileges of the Monitor group, excluding security methods.
 
Important: Resource groups offer an enhanced security capability that supports hosting multiple clients with Copy Services requirements. They also support a single client that needs to isolate the data of multiple operating system environments. For more information, see IBM System Storage DS8000 Copy Services Scope Management and Resource Groups, REDP-4758.
No access prevents access to any service method or storage image resource. An administrator uses this group to deactivate a user ID temporarily. By default, any user account in the security repository that is not associated with another user group is assigned to this group.
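The role assignments described above, expressed as a DS CLI script. This is an added example and not part of the Redbook; the user names are invented, the passwords are placeholders that the new user is prompted to change at first login, and the group identifiers (admin, secadmin, op_storage, op_volume, op_copy_services, service, monitor, no_access) are the DS CLI names for the roles listed in this section. The script creates at least one user per role, shows a user that belongs to two groups, and shows how an Administrator temporarily deactivates a user ID by moving it to the No access group.

```dscli
# Added example, not from the IBM Redbook. Run as an Administrator with:
#   dscli -hmc1 <HMC address> -user admin -passwd <password> -script users.dscli
# User names and the placeholder password Temp1Pass are made up for this example.

# Administrator: all HMC/MC service methods and storage image resources except encryption.
mkuser -pw Temp1Pass -group admin stg_admin

# Security Administrator: encryption functions only. An Administrator must confirm
# its actions during encryption deadlock prevention and resolution.
mkuser -pw Temp1Pass -group secadmin key_admin

# Physical operator: storage complex, storage image, array, rank and extent pool objects.
mkuser -pw Temp1Pass -group op_storage phys_op

# Logical operator: volumes, hosts, host ports, logical subsystems and volume groups.
mkuser -pw Temp1Pass -group op_volume log_op

# Copy Services operator: Copy Services methods plus the read-only Monitor privileges.
mkuser -pw Temp1Pass -group op_copy_services cs_op

# Service: code loads and problem logs, plus Monitor privileges.
mkuser -pw Temp1Pass -group service ibm_ssr

# Monitor: read-only list and show commands, suitable for an auditing account.
mkuser -pw Temp1Pass -group monitor auditor

# A user can belong to more than one group; this operator does both
# physical and logical configuration.
mkuser -pw Temp1Pass -group op_storage,op_volume cfg_op

# Temporarily deactivate a user ID: the No access group blocks every
# service method and storage image resource until the user is moved back.
chuser -group no_access cs_op

# Verify the groups and state of every account.
lsuser -l
```

Because no_access is also the default group for an account that is in the security repository without any other group, a user that appears in lsuser output with no_access and no other group has either been deactivated deliberately or was never assigned a role; either way, the account cannot run any command until an Administrator changes its group.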
10.3 Disk encryption
Additional planning is required if you intend to activate encryption for the DS8880. It is important to plan and configure encryption before you perform the logical configuration.
The DS8880 provides disk-based encryption for data that is within the storage system, for increased data security. This disk-based encryption is combined with an enterprise-scale key management infrastructure.
Although all DS8880 systems have certificates installed, encryption is optional. It is activated when licensed Feature Code 1750 is ordered. Activation must be completed before you perform any logical configuration. For more information about encryption license considerations, see “Encryption activation review planning” on page 194.
The current DS8880 encryption solution requires the use of the IBM Security Key Lifecycle Manager, IBM Security Key Lifecycle Manager for z/OS, or the third-party solution SafeNet. These key lifecycle managers assist with generating, protecting, storing, and maintaining encryption keys that are used to encrypt information that is written to and decrypt information that is read from devices.
For more information, including current considerations and preferred practices for DS8870 encryption, see 7.3.6, “Key manager servers for encryption” on page 194 and IBM DS8880 Data-at-rest Encryption, REDP-4500.
10.4 Network security
The security of the network that is used to communicate with and manage the DS8880 (specifically the HMC) is important; the level of protection that is needed depends on the client requirements. The DS8880 supports compliance with the National Institute of Standards and Technology (NIST) SP800-131a standards, which are also known as Gen-2 security.
Two components are required to provide full network protection:
The first component is Internet Protocol Security (IPsec); for Gen-2 security, IPsec-v3 is required. IPsec protects network communication at the Internet layer, that is, the packets that are sent over the network. This configuration ensures that only a valid workstation or server communicates with the HMC and that the communication between them cannot be intercepted.
The second component is Transport Layer Security (TLS) 1.2, which provides protection at the application layer to ensure that valid client software (external to the HMC) is communicating with the server software in the HMC.
 
Note: The details for implementing and managing Gen-2 security requirements are provided in IBM DS8870 and NIST SP 800-131a Compliance, REDP-5069.
10.5 Configuration flow
This section shows the list of tasks to perform when storage is configured in the DS8880. Depending on the environment and requirements, not all tasks might be necessary.
Logical configuration can be performed by using the DS GUI, DS CLI, or both. Depending on the client’s preference and experience, one method might be more efficient than the other. The DS8880 R8.1 GUI provides a powerful, yet simple process for logical configuration. If you use the DS Storage Management GUI, not all of the steps that are listed in this book are explicitly performed by the user. For more information about the DS Storage Management GUI, see Chapter 11, “DS8880 Storage Management GUI” on page 247.
If you perform logical configuration by using the DS CLI, the following steps provide a high-level overview of the configuration flow. For more detailed information about using and performing logical configuration with the DS CLI, see Chapter 12, “Configuration with the data storage command-line interface” on page 327.
The following is the general configuration flow:
1. Install license keys: Activate the license keys for the DS8880 storage system. For more information about activating licensed functions, see Chapter 9, “IBM DS8880 features and licensed functions” on page 217.
 
Important: If encryption will be activated, the encryption configuration must be performed before the logical configuration that is described in the next steps.
2. Create arrays: Configure the installed disk drives as RAID 5, RAID 6, or RAID 10 arrays.
3. Create ranks: Assign each array to be a fixed-block (FB) rank or a count key data (CKD) rank.
4. Create extent pools: Define extent pools, associate each one with Server 0 or Server 1, and assign at least one rank to each extent pool. To take advantage of storage pool striping, you must assign multiple ranks to an extent pool. For more information about storage pool striping, see “Storage pool striping: Extent rotation” on page 162, and “Storage pool striping” on page 349.
 
Important: If you plan to use IBM Easy Tier (in particular, in automatic mode), select the All pools option to receive all of the benefits of Easy Tier data management. For more information, see 6.7, “IBM Easy Tier” on page 168.
5. Create a repository for space-efficient volumes. For more information, see the latest version of DS8000 Thin Provisioning, REDP-4554.
6. Configure the I/O ports: Define the topology of each I/O port. The port type can be Switched Fabric, also called Fibre Channel Protocol (FCP); Fibre Channel Arbitrated Loop (FC-AL); or Fibre Channel connection (FICON).
7. Create the volume groups for open systems: Create volume groups where FB volumes are assigned.
8. Create the host connections for open systems: Define open systems hosts and their Fibre Channel (FC) host bus adapter (HBA) worldwide port names (WWPNs). Assign volume groups to the host connections.
9. Create the open systems volumes: Create striped open systems FB volumes and assign them to one or more volume groups.
10. Create the z Systems logical control units (LCUs): Define their type and other attributes, such as subsystem identifiers (SSIDs).
11. Create the striped z Systems volumes: Create z Systems CKD base volumes and parallel access volume (PAV) aliases for them.
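The eleven steps above, carried out as one DS CLI script on a single storage image. This is an added example and not the Redbook's own procedure. Everything in it is a placeholder to be replaced with values from your own system: the storage image ID IBM.2107-75XXXX1, the array sites S1 to S4 (take the real ones from lsarraysite), the I/O port IDs (from lsioport), the WWPNs, the host type, the volume names, sizes and address ranges, and the SSIDs. The mksestg flags for step 5 are assumed from earlier DS CLI releases; check them against the DS CLI reference for your code level. Encryption, where licensed, must already have been configured before step 2 runs, as the Important note above states; that configuration is not shown here.

```dscli
# Added example, not from the IBM Redbook. Run with:
#   dscli -hmc1 <HMC address> -user admin -passwd <password> -script config.dscli
# IBM.2107-75XXXX1, array sites, port IDs, WWPNs, names and capacities are placeholders.

# 1. Install license keys from the activation file obtained from IBM, then verify.
applykey -file /tmp/keys.xml IBM.2107-75XXXX1
lskey IBM.2107-75XXXX1

# 2. Create arrays: one RAID 6 array per array site (sites S1-S4 assumed).
mkarray -dev IBM.2107-75XXXX1 -raidtype 6 -arsite S1
mkarray -dev IBM.2107-75XXXX1 -raidtype 6 -arsite S2
mkarray -dev IBM.2107-75XXXX1 -raidtype 6 -arsite S3
mkarray -dev IBM.2107-75XXXX1 -raidtype 6 -arsite S4

# 3. Create ranks: arrays are numbered in creation order; A0/A1 become FB, A2/A3 become CKD.
mkrank -dev IBM.2107-75XXXX1 -array A0 -stgtype fb
mkrank -dev IBM.2107-75XXXX1 -array A1 -stgtype fb
mkrank -dev IBM.2107-75XXXX1 -array A2 -stgtype ckd
mkrank -dev IBM.2107-75XXXX1 -array A3 -stgtype ckd

# 4. Create extent pools as pairs: rank group 0 belongs to Server 0, rank group 1 to Server 1.
#    Two pools per storage type give the balanced pool pairs described in 10.6.
mkextpool -dev IBM.2107-75XXXX1 -rankgrp 0 -stgtype fb FB_P0
mkextpool -dev IBM.2107-75XXXX1 -rankgrp 1 -stgtype fb FB_P1
mkextpool -dev IBM.2107-75XXXX1 -rankgrp 0 -stgtype ckd CKD_P2
mkextpool -dev IBM.2107-75XXXX1 -rankgrp 1 -stgtype ckd CKD_P3
#    Assign ranks to pools (pools are numbered P0-P3 in creation order). Add more
#    ranks per pool, from different DA pairs, to benefit from storage pool striping.
chrank -dev IBM.2107-75XXXX1 -extpool P0 R0
chrank -dev IBM.2107-75XXXX1 -extpool P1 R1
chrank -dev IBM.2107-75XXXX1 -extpool P2 R2
chrank -dev IBM.2107-75XXXX1 -extpool P3 R3

# 5. Create a repository for space-efficient volumes in each FB pool
#    (-repcap/-vircap in GB; flag names assumed from earlier DS CLI releases).
mksestg -dev IBM.2107-75XXXX1 -extpool P0 -repcap 200 -vircap 400
mksestg -dev IBM.2107-75XXXX1 -extpool P1 -repcap 200 -vircap 400

# 6. Configure I/O ports: two FCP ports for open systems and two FICON ports,
#    in different I/O enclosures for redundancy (port IDs assumed).
setioport -dev IBM.2107-75XXXX1 -topology scsi-fcp I0000
setioport -dev IBM.2107-75XXXX1 -topology scsi-fcp I0130
setioport -dev IBM.2107-75XXXX1 -topology ficon I0001
setioport -dev IBM.2107-75XXXX1 -topology ficon I0131

# 7. Create a volume group for the open systems host (one per server, no LUN sharing).
mkvolgrp -dev IBM.2107-75XXXX1 -type scsimask host1_vg

# 8. Create one host connection per HBA WWPN and assign the volume group (V0 assumed
#    to be the ID of host1_vg; confirm with lsvolgrp).
mkhostconnect -dev IBM.2107-75XXXX1 -wwname 10000000C9AAAAA1 -hosttype AIX -volgrp V0 host1_hba0
mkhostconnect -dev IBM.2107-75XXXX1 -wwname 10000000C9AAAAA2 -hosttype AIX -volgrp V0 host1_hba1

# 9. Create striped FB volumes (100 GB each). Even LSS 10 maps to Server 0 / P0,
#    odd LSS 11 to Server 1 / P1, so the host load is spread over both servers.
mkfbvol -dev IBM.2107-75XXXX1 -extpool P0 -cap 100 -name host1_#h -eam rotateexts -volgrp V0 1000-1003
mkfbvol -dev IBM.2107-75XXXX1 -extpool P1 -cap 100 -name host1_#h -eam rotateexts -volgrp V0 1100-1103

# 10. Create z Systems LCUs with their SSIDs: LCU 00 on Server 0, LCU 01 on Server 1.
mklcu -dev IBM.2107-75XXXX1 -qty 1 -id 00 -ss 0100
mklcu -dev IBM.2107-75XXXX1 -qty 1 -id 01 -ss 0101

# 11. Create striped 3390-3 base volumes (3339 cylinders) and two PAV aliases per base,
#     allocating alias addresses downward from the top of each LCU.
mkckdvol -dev IBM.2107-75XXXX1 -extpool P2 -cap 3339 -datatype 3390 -name zvol_#h -eam rotateexts 0000-000F
mkckdvol -dev IBM.2107-75XXXX1 -extpool P3 -cap 3339 -datatype 3390 -name zvol_#h -eam rotateexts 0100-010F
mkaliasvol -dev IBM.2107-75XXXX1 -base 0000-000F -order decrement -qty 2 00FF
mkaliasvol -dev IBM.2107-75XXXX1 -base 0100-010F -order decrement -qty 2 01FF
```

The script keeps the address-group rule from 10.6 intact: address group 0 (LSSs 00-0F) holds only CKD LCUs and address group 1 (LSSs 10-1F) holds only FB LSSs, so the first volume created in each group fixes its type without conflict. Running it under an op_storage user would fail from step 7 onward, and under an op_volume user from step 2 onward, which is the intended effect of the role split in 10.2.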
10.6 General storage configuration guidelines
Observe the following general guidelines when storage is configured in the DS8870:
To achieve a well-balanced load distribution, use at least two extent pools (also known as a pool pair), each assigned to one of the internal servers (extent pool 0 and extent pool 1). If CKD and FB volumes are required on the same storage system, configure at least four extent pools: two for FB and two for CKD.
The volume type for the first volume that is created in an address group is either FB or CKD. That volume type determines the type for all other volumes (FB or CKD) for the entire address group. A volume is one of 256 in a logical subsystem (LSS) or LCU. An LSS is one of 16 in an address group (except address group F, which has only 15 LSSs). For more information about logical subsystems and address groups, see 4.4.5, “Logical subsystems” on page 119.
Volumes of one LCU/LSS can be allocated on multiple extent pools in the same rank group.
Assign multiple ranks to extent pools to take advantage of storage pool striping. Additionally, assign ranks from multiple device adapter (DA) pairs to an extent pool to spread the workload and increase performance. See 6.5.2, “Data placement in the DS8000” on page 160.
The following options are available for fixed-block (FB) pools:
 – Create a volume group for each server unless logical unit number (LUN) sharing is required.
 – Assign the volume group for one server to all of its host connections.
 – If LUN sharing is required, the following options are available (Figure 10-1):
 • Create one volume group for each server. Assign the shared volumes in each volume group. Assign the individual volume groups to the corresponding server’s host connections. The advantage of this option is that you can assign private and shared volumes to each host. This configuration can be used in an environment such as application sharing.
 • Create one common volume group for all servers. Place the shared volumes in the volume group and assign the volume group to the host connections. This configuration can be used in an environment such as clustering.
Figure 10-1 LUN configuration for shared access
The following options are available for I/O ports:
 – Configure a port to be FICON, FCP, or FC-AL.
 – Distribute host connections of each type (FICON, FCP, and FC-AL) evenly across the I/O enclosures.
 – Ensure that each host is connected to at least two different host adapters (HAs) in two different I/O enclosures for redundancy and availability.
 – Typically, configure I/O ports with access any, and control which hosts can reach those ports through storage area network (SAN) zoning.
 
Note: Avoid intermixing host I/O with Copy Services I/O on the same ports.
 