Remote support
This chapter describes the outbound (call home and support data offload) and inbound (code download and remote support) communications for the IBM System Storage DS8000 family.
The DS8880 maintains the same functions as in the previous generation. Special emphasis was placed on the Remote Support section with two offerings, Assist On-site (AOS) and a new support offering called Remote Support Center (RSC). These are the preferred methods for remote access to IBM products.
This chapter covers the following topics:
15.1 Introduction to remote support
IBM is committed to servicing the DS8880, whether it is warranty work, planned code upgrades, or the management of a component failure, in a secure and professional manner. Dispatching service personnel for onsite maintenance is still a part of the IBM commitment to quality customer service.
Providing support remotely must comply with the client’s security rules and regulations. Maintaining the highest levels of security in a data connection is a primary goal for IBM.
For the IBM DS8880, remote support consists of the following features:
Call home support (outbound):
 – Reporting problems to IBM
 – Sending heartbeat information
 – Offloading data
Call back support (inbound)
IBM Service support can establish a Transmission Control Protocol (TCP) inbound connection through AOS or RSC to the Hardware Management Console (HMC) or Management Console.
The IBM service support representative (IBM SSR) sets the client’s preferences for remote support from the customer worksheet. These preferences are specified for both call home and call back support. This chapter describes the remote support options that are available to IBM clients.
15.2 IBM policies for remote support
The following guidelines are at the core of the IBM remote support strategies for the DS8880:
When the DS8880 transmits service data to IBM, only logs and process memory dumps are gathered for troubleshooting.
When a remote session with the DS8880 is needed, the HMC or Management Console always initiates these connections and only to predefined IBM servers or ports. No active process listens for incoming sessions on the Management Console.
IBM maintains multiple-level internal authorizations for any privileged access to the DS8880 components. Only approved IBM service personnel can gain access to the tools that provide the security codes for HMC command-line access.
Although the Management Console is based on a Linux operating system, IBM disabled or removed all unnecessary services, processes, and IDs, including standard internet services, such as Telnet (Telnet server is disabled on the HMC), File Transfer Protocol (FTP), r commands (Berkeley r-commands and Remote Procedure Call (RPC) commands), and RPC programs.
15.3 Remote support advantages
The following benefits can be realized when you enable remote support on the DS8880:
Serviceable events with related problem data are reported to IBM automatically and a problem management record (PMR) is opened.
IBM support personnel can start data analysis and problem isolation immediately, which can reduce the overall time that is required to fix a problem.
If additional service data is needed, IBM Support can connect to the Management Console and offload the data for the next level of support.
Remote support helps clients to maintain the highest availability of their data.
15.4 Remote support call home
This section details the call home characteristics.
15.4.1 Call home and heartbeat: Outbound
This section describes the call home and heartbeat capabilities.
Call home
Call home is the capability of the Management Console to report serviceable events to IBM. The Management Console also transmits machine-reported product data (MRPD) information to IBM through call home. The MRPD information includes installed hardware, configurations, and features. The call home is configured by the IBM SSR during the installation of the DS8880 by using the customer worksheets. A test call home is placed after the installation to register the machine and verify the call home function.
Heartbeat
The DS8880 also uses the call home facility to send proactive heartbeat information to IBM. The heartbeat configuration can be set by the IBM SSR to send heartbeat information to the customer (through Simple Network Management Protocol (SNMP) and email) in addition to IBM. A heartbeat is a small message with basic product information that is sent to IBM to ensure that the call home function works. The heartbeat can be scheduled every one to seven days based on the client’s preference. When a scheduled heartbeat fails to transmit, a service call is placed for the SSR with an action plan to verify the call home function. The DS8880 uses an internet connection through Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), for call home functions.
15.4.2 Data offload: Outbound
For many DS8880 problem events, such as a hardware component failure, a large amount of diagnostic data is generated. This data can include text and binary log files, firmware information, inventory lists, and timelines. These logs are grouped into collections by the component that generated them or the software service that owns them.
The entire bundle is collected together in a PEPackage. A DS8880 PEPackage can be large, often exceeding 100 MB. In certain cases, more than one PEPackage might be needed to diagnose a problem correctly. In certain cases, the IBM Support center might need an extra memory dump that is internally created by the DS8880 or manually created through the intervention of an operator.
 
On Demand Data Dump: The On Demand Data (ODD) Dump provides a mechanism that allows the collection of debug data for error scenarios. With ODD Dump, IBM can collect data after an initial error occurs with no impact to the host I/O. ODD can be generated by using the data storage command-line interface (DS CLI) command diagsi -action odd and then offloaded.
The Management Console is a focal point for gathering and storing all of the data packages. Therefore, the Management Console must be accessible if a service action requires the information. The data packages must be offloaded from the Management Console and sent in to IBM for analysis. The offload is performed through the internet through a TLS connection.
15.4.3 Outbound connection types
This section describes the outbound connection options that are available for call home and data offload.
 
Note: TLS and its predecessor, SSL, are cryptographic protocols that are designed to provide communication security over the internet.
Internet through a TLS connection
The preferred remote support connectivity method is internet TLS for management console to IBM communication. TLS is the encryption protocol that was originally developed as a secured web communication standard. Traffic through a TLS proxy is supported with or without authentication based on the client’s proxy server configuration.
When the internet is selected as the outbound connectivity method, the Management Console (MC) uses a TLS connection over the internet when a connection is established to the IBM service center.
For this option, port 443:tcp needs to be enabled in the network infrastructure for the following destination servers:
For more information about IBM TLS remote support, see the IBM DS8880 Introduction and Planning Guide, GC27-8525, for planning and worksheets.
Standard FTP connection for data offload
The Management Console can be configured to support automatic data offload by using FTP over a network connection. This traffic can be examined at the client’s firewall before it is moved across the Internet. For FTP, the Management Console must be connected to customer LAN with a path to the Internet from the repository server.
 
Important: FTP offload of data is supported as an outbound service only. No active FTP server is running on the HMC that can receive connection requests.
When a direct FTP session across the Internet is not available or wanted, a client can configure the FTP offload to use a client-provided FTP proxy server. The client then becomes responsible for configuring the proxy to forward the data to IBM.
The client is required to manage its firewalls so that FTP traffic from the Management Console (or from an FTP proxy) can pass onto the Internet.
For more information, see the IBM DS8880 Introduction and Planning Guide, GC27-8525.
15.5 Remote Support Access (inbound)
IBM took many necessary steps to provide secure network access for the Management Console. The client can define how and when the IBM SSR establishes a non-TCP-based inbound connection to the Management Console. When remote support access is configured, IBM Support can connect to the Management Console to start problem analysis and data gathering. This process allows data to be analyzed as fast as possible with an action plan that is created for an onsite IBM SSR, if needed.
Many common support issues do not require direct onsite SSR support and can be resolved remotely. Having inbound access enabled can greatly increase efficiency by not waiting for the SSR to arrive onsite to gather problem data and upload it to IBM. With the DS8880, multiple inbound connectivity options are available to the client:
Embedded AOS
External AOS
Embedded RSC
The next section describes inbound connectivity options that are available for the DS8880 remote access.
15.5.1 Assist On-site
IBM Tivoli Assist On-site (AOS) is a software product that IBM provides at no cost to help clients. It is an IBM remote support option that allows an encrypted connection to a system at the client site, which is used to troubleshoot storage devices. With Version 3.3, AOS offers port forwarding as a solution that grants clients attended and unattended sessions. IBM Support can use this methodology with virtual private network (VPN) for data offload. AOS offers a new method of remote support assistance for IBM products, and it can be used with a wide range of IBM hardware systems, including the DS8880.
AOS is a secured tunneling application. It is controlled by the client at the client’s facilities, and it allows IBM Support to access systems for diagnosis and troubleshooting. A client can designate a system (either a workstation or virtual server) as the unique focal point for all their IT network infrastructure. This system manages and monitors all remote support requests for all different IBM products that support AOS. AOS offers the advantage of concentrating all remote support assistance in one point regardless of the type of specific remote maintenance tool that the IBM system or device requires. This simple concept allows easy management and maintenance of the AOS equipment at the client’s site.
The client controls the support individuals or teams that can remotely support their equipment. Clients can decide whether IBM remote support sessions are attended or unattended.
AOS can be used by the DS8880 as a remote support method, which adds TLS security and allows the client to have more control over their environment. Certain users are reluctant to implement VPN, even though it is a well-proven and consolidated secure option. To meet their security policies when they use AOS, the client can decide to place the AOS client workstation in the DMZ or elsewhere rather than to implement embedded AOS on the Management Console.
This section is not intended to be a comprehensive guide about AOS. It explains the fundamentals of AOS, and specifically for DS8880 remote support.
A simple AOS connection to the DS8880 is shown in Figure 15-1. For more information about AOS, prerequisites, and installation, see IBM Assist On-site for Storage Overview, REDP-4889.
Figure 15-1 DS8880 AOS connection
15.5.2 DS8880 embedded AOS
AOS is now an embedded feature, starting with code bundle R7.1. The Management Console hosts the AOS server and eliminates the requirement for clients to provide an external AOS server. Embedded AOS is a secure, fast, broadband form of remote access. Clients can choose to allow unattended or attended remote service sessions with embedded AOS. If the client selects attended remote service sessions, IBM Support contacts the client to start the attended session on the Management Console with DS CLI commands (chaccess or manageaccess).
The IBM SSR configures AOS by entering information that is provided by the client on the embedded AOS worksheet. In addition, ports need to be enabled in the client’s firewall to allow encrypted communication to the IBM AOS servers.
Further configuration is needed by the IBM SSR to allow AOS information to be displayed in the PMR system. This system enables IBM Support to recognize that a particular storage system has AOS connectivity.
For more information about AOS, see IBM Assist On-site for Storage Overview, REDP-4889.
15.5.3 DS8880 Embedded Remote Support Center
RSC is an embedded feature that was introduced in DS8000 code bundle R8.1. This new support offering functions much the same as the other embedded tool (AOS). It is hosted on the Management Console and can be controlled with the same DS CLI commands for customer management. RSC provides a secure web-based interface that is connected through an IBM monitored proxy server. RSC better aligns with remote support tools that are offered by other IBM products.
The IBM support representative configures RSC by entering information that is provided by the client on the installation worksheet. In addition, port 22 must be enabled in the client’s firewall to allow encrypted communication to the IBM RSC servers. The overall RSC setup is depicted in Figure 15-2.
Figure 15-2 Architectural view for a simple RSC connection to a DS8880
15.5.4 Support access management through the DS CLI
The client is able to manage remote access to the DS8880 by using DS CLI commands. The following user access security commands are available:
manageaccess: This command manages the security protocol access settings of a Management Console for all communications to and from the DS8000 system. You can also use the manageaccess command to start or stop outbound virtual private network (VPN) connections instead of using the setvpn command.
chaccess: The chaccess command changes one or more access settings of an HMC. Only users with administrator authority can access this command. See the command output in Example 15-1.
chaccess [-commandline enable | disable] [-wui enable | disable] [-modem enable | disable] [-aos enable | disable] hmc1 | hmc2
Example 15-1 Output of chaccess command
Invoking the chaccess command
dscli> chaccess -cmdline enable -wui enable -hmc 1
The resulting output
hmc1 successfully modified.
 
Note: With the release of the DS8880, VPN and modem support are no longer offered. The DS CLI retains the commands for compatibility with earlier versions.
lsaccess: The lsaccess command displays the access settings and VPN status of the primary and backup Management Consoles:
lsaccess [hmc1 | hmc2]
See the output in Example 15-2.
Example 15-2 lsaccess command output for a system with only one Management Console
dscli> lsaccess -hmc all -l
Date/Time: November 4, 2015 4:16:37 PM CET IBM DSCLI Version: 7.8.0.376 DS: -
hmc   cmdline  wui      modem  cim       aos      vpn
=====================================================
hmc1  enabled  enabled  -      disabled  enabled  disabled
dscli>
 
 
Important: The hmc1 value specifies the primary HMC, and the hmc2 value specifies the secondary HMC, regardless of how -hmc1 and -hmc2 were specified during dscli start. A DS CLI connection might succeed even if a user inadvertently specifies a primary HMC by using -hmc2 and the secondary backup HMC by using -hmc1 at the DS CLI start.
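A client-side check for the access settings described above, written for this chapter as an added example (not IBM code). It parses the table that lsaccess -hmc all -l prints, compares each console against a site baseline (command line closed between attended sessions, modem and VPN disabled, AOS enabled), and treats a "-" value as a facility that is not present on that console. The lsaccess output below is constructed in the layout of Example 15-2; the second console and its values are assumed for illustration.

```python
import re

# Constructed lsaccess output in the layout of Example 15-2. The hmc2 row
# and its values are invented so that the check has something to find.
SAMPLE_LSACCESS = """\
dscli> lsaccess -hmc all -l
Date/Time: November 4, 2015 4:16:37 PM CET IBM DSCLI Version: 7.8.0.376 DS: -
hmc cmdline wui modem cim aos vpn
=====================================================
hmc1 enabled enabled - disabled enabled disabled
hmc2 disabled enabled - disabled enabled enabled
"""

# Assumed site baseline: command-line access is opened with chaccess only for
# an attended session and closed afterwards; modem and VPN are no longer
# offered on the DS8880 and stay disabled; embedded AOS is the agreed path.
BASELINE = {
    "cmdline": "disabled",
    "modem": "disabled",
    "vpn": "disabled",
    "aos": "enabled",
}


def parse_lsaccess(text):
    """Return {console: {setting: value}} from 'lsaccess -hmc all -l' output."""
    header = None
    table = {}
    for raw in text.splitlines():
        cols = raw.split()
        if not cols:
            continue
        if cols[0] == "hmc" and header is None:
            header = cols[1:]                      # column names after 'hmc'
        elif header and re.fullmatch(r"hmc\d", cols[0]):
            if len(cols) - 1 != len(header):
                raise ValueError(f"column count mismatch on row: {raw!r}")
            table[cols[0]] = dict(zip(header, cols[1:]))
    return table


def check_access(text, baseline=BASELINE):
    """List (console, setting, actual, expected) for every deviation."""
    findings = []
    for hmc, settings in parse_lsaccess(text).items():
        for setting, expected in baseline.items():
            actual = settings.get(setting, "-")
            if actual == "-":
                continue                           # facility not present here
            if actual != expected:
                findings.append((hmc, setting, actual, expected))
    return findings


if __name__ == "__main__":
    for hmc, setting, actual, expected in check_access(SAMPLE_LSACCESS):
        print(f"{hmc}: {setting} is {actual}, baseline expects {expected}")
```

Run it against the captured output of lsaccess after every remote support session to catch command-line or VPN access that was left enabled.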
Client notification of remote login
The Management Console code records all remote access in a log file. A client can use a DS CLI function to offload this file for audit purposes. The DS CLI function combines the log file that contains all service login information with an IBM enterprise storage server network interface (ESSNI) server audit log file that contains all client user login information to provide the client with a complete audit trail of remote access to a Management Console.
This on-demand audit log mechanism is sufficient for client security requirements about HMC remote access notification.
In addition to the audit log, email notifications and SNMP traps can also be configured at the Management Console to send a notification when a remote support connection is made.
15.6 Audit logging
The DS8880 offers an audit log. It is an unalterable record of all actions and commands that were initiated by users on the storage system through the DS8000 Storage Management graphical user interface (GUI), DS CLI, DS Network Interface (DSNI), or Copy Services Manager. An audit log does not include commands that were received from host systems or actions that were completed automatically by the storage system. The audit logs can be exported and downloaded by the DS CLI or Storage Management GUI.
The DS CLI offloadauditlog command provides clients with the ability to offload the audit logs to the client’s DS CLI workstation into a directory of their choice, as shown in Example 15-3.
Example 15-3 DS CLI command to download audit logs
dscli> offloadauditlog -logaddr smc1 c:75ZA570_audit.txt
Date/Time: November 3, 2015 11:41:56 AM CET IBM DSCLI Version: 7.8.0.376 DS: -
CMUC00243I offloadauditlog: Audit log was successfully offloaded from smc1 to c:75ZA570_audit.txt.
The audit log can be exported by using the DS8000 Storage Management GUI on the Events window by clicking the Diskette icon and then selecting Export Audit Log, as shown in Figure 15-3.
Figure 15-3 Export Audit Log
The downloaded audit log is a text file that provides information about when a remote access session started and ended, and the remote authority level that was applied. A portion of the downloaded file is shown in Example 15-4.
Example 15-4 Audit log entries that relate to a remote support event
MST,,1,IBM.2107-75ZA570,N,8036,Authority_to_root,Challenge Key = 'Fy31@C37'; Authority_upgrade_to_root,,,
U,2015/10/02 12:09:49:000 MST,customer,1,IBM.2107-75ZA570,N,8020,WUI_session_started,,,,
U,2015/10/02 13:35:30:000 MST,customer,1,IBM.2107-75ZA570,N,8022,WUI_session_logoff,WUI_session_ended_loggedoff,,,
The Challenge Key that is presented to the IBM support representative is a part of a two-factor authentication method that is enforced on the Management Console. It is a token that is shown to the IBM SSR who connects to the DS8880. The representative must use the Challenge Key in an IBM internal system to generate a Response Key that is given to the HMC. The Response Key acts as a one-time authorization to the features of the HMC. The Challenge and Response Keys change when a remote connection is made.
The Challenge-Response process must be repeated if the representative needs higher privileges to access the Management Console command-line environment. No direct user login and no root login are on a DS8880.
Entries are added to the audit file only after the operation completes. All information about the request and its completion status is known. A single entry is used to log request and response information. It is possible, though unlikely, that an operation does not complete because of an operation timeout. In this case, no entry is made in the log.
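A small review script for the offloaded audit log, added here as an example rather than taken from IBM or the DS CLI. It reads entries in the comma-separated layout of Example 15-4, pairs each WUI_session_started with the matching WUI_session_logoff for the same user to compute the session length, lists Authority_to_root upgrades, and reports sessions that have a start but no logoff (the timeout case described above). The field order is inferred from the three entries in Example 15-4 and is an assumption; the sample lines and challenge key below are constructed.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample in the layout of Example 15-4. Timestamps and the
# challenge key are placeholders, not values captured from a real system.
SAMPLE_AUDIT_LOG = """\
U,2015/10/02 12:05:11:000 MST,,1,IBM.2107-75ZA570,N,8036,Authority_to_root,Challenge Key = 'XXXXXXXX'; Authority_upgrade_to_root,,,
U,2015/10/02 12:09:49:000 MST,customer,1,IBM.2107-75ZA570,N,8020,WUI_session_started,,,,
U,2015/10/02 13:35:30:000 MST,customer,1,IBM.2107-75ZA570,N,8022,WUI_session_logoff,WUI_session_ended_loggedoff,,,
U,2015/10/02 14:00:00:000 MST,admin,1,IBM.2107-75ZA570,N,8020,WUI_session_started,,,,
"""

# Assumed meaning of the leading fields, inferred from Example 15-4.
FIELDS = ("rectype", "timestamp", "user", "seq", "machine", "flag",
          "code", "event", "detail")


def parse_timestamp(text):
    """'2015/10/02 12:09:49:000 MST' -> naive datetime (millis and zone dropped)."""
    date, clock, _zone = text.split(" ")
    hms = clock.rsplit(":", 1)[0]              # strip the ':000' millisecond field
    return datetime.strptime(f"{date} {hms}", "%Y/%m/%d %H:%M:%S")


def parse_entries(text):
    """Yield one dict per well-formed line; truncated lines are skipped."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if len(row) < len(FIELDS):
            continue
        entry = dict(zip(FIELDS, row))
        entry["when"] = parse_timestamp(entry["timestamp"])
        entries.append(entry)
    return entries


def summarize_remote_access(text):
    """Pair session start/logoff per user and collect root-authority upgrades."""
    open_sessions = {}        # user -> start time of a session not yet closed
    sessions = []
    root_upgrades = []
    for e in parse_entries(text):
        if e["event"] == "Authority_to_root":
            # The detail field carries the challenge key; only the time is kept.
            root_upgrades.append(e["when"])
        elif e["event"] == "WUI_session_started":
            open_sessions[e["user"]] = e["when"]
        elif e["event"] == "WUI_session_logoff":
            started = open_sessions.pop(e["user"], None)
            if started is not None:
                minutes = (e["when"] - started).total_seconds() / 60
                sessions.append({"user": e["user"], "start": started,
                                 "end": e["when"], "minutes": minutes})
    return {"sessions": sessions, "still_open": open_sessions,
            "root_upgrades": root_upgrades}


if __name__ == "__main__":
    report = summarize_remote_access(SAMPLE_AUDIT_LOG)
    for s in report["sessions"]:
        print(f"{s['user']}: {s['start']} to {s['end']} ({s['minutes']:.1f} min)")
    print("open sessions:", list(report["still_open"]))
    print("root upgrades:", len(report["root_upgrades"]))
```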
The audit log entry includes the following information:
Log users that connect or disconnect to the storage manager.
Log user password and user access violations.
Log commands that create, remove, or modify the logical configuration, including the command parameters and user ID.
Log commands that modify storage facility image (SFI) and Storage Facility settings, including the command parameters and user ID.
Log Copy Services commands, including command parameters and users.
 
Note: IBM Tivoli Storage Productivity Center for Replication commands are not supported.
Audit logs are automatically trimmed (first-in first-out (FIFO)) by the subsystem so that they do not use more than 50 MB of disk storage.