Remote support
This chapter describes the outbound (call home and support data offload) and inbound (code download and remote support) communications for the IBM System Storage DS8000 family.
The DS8880 maintains the same functions as in the previous generation.
This chapter covers the following topics:
15.1 Introduction to remote support
IBM provides remote support capabilities for the DS8880. The remote support enables the storage to communicate with IBM, and allows IBM support to remotely connect to the system when authorized by the client.
The benefit of remote support is that IBM Support can respond quickly to events that are reported by you or by the system.
The following features can be enabled in the DS8880 for remote support:
Call home support (outbound remote support):
 – Reporting problems to IBM
 – Sending heartbeat information
 – Offloading data
Remote service (inbound remote support):
 – IBM Support accesses the DS8880 HMC through a network-based connection.
During the installation and planning phase, complete the remote support worksheets and supply them to the IBM SSR at the time of the installation.
The worksheets hold information about your remote support preferences and the network communication requirements that must be met by your local network.
15.2 IBM policies for remote support
The following guidelines are at the core of the IBM remote support strategies for the DS8880:
When the DS8880 transmits service data to IBM, only logs and process memory dumps are gathered for troubleshooting.
When a remote session with the DS8880 is needed, the HMC or Management Console always initiates an outbound connection to predefined IBM servers or ports.
IBM maintains multiple-level internal authorizations for any privileged access to the DS8880 components. Only approved IBM service personnel can gain access to the tools that provide the security codes for HMC command-line access.
Although the Management Console is based on a Linux operating system, IBM disabled or removed all unnecessary services, processes, and IDs, including standard internet services such as Telnet (the Telnet server is disabled on the HMC), File Transfer Protocol (FTP), Berkeley r-commands, Remote Procedure Call (RPC) commands, and RPC programs.
15.3 Remote support advantages
The following benefits can be realized when you enable remote support on the DS8880:
Serviceable events with related problem data are reported to IBM automatically and a support call is opened.
IBM support personnel can start data analysis and problem isolation immediately, which can reduce the overall time that is required to fix a problem.
If additional service data is needed, IBM Support can connect to the Management Console and offload the data for the next level of support.
Remote support helps clients to maintain the highest availability of their data.
15.4 Remote support call home
This section details the call home characteristics.
15.4.1 Call home and heartbeat: Outbound
This section describes the call home and heartbeat capabilities.
Call home
Call home is the capability of the Management Console to report serviceable events to IBM. The Management Console also transmits machine-reported product data (MRPD) information to IBM through call home. The MRPD information includes installed hardware, configurations, and features. The call home is configured by the IBM SSR during the installation of the DS8880 by using the customer worksheets. A test call home is placed after the installation to register the machine and verify the call home function.
Heartbeat
The DS8880 also uses the call home facility to send proactive heartbeat information to IBM. The heartbeat configuration can be set by the IBM SSR to send heartbeat information to the customer (through Simple Network Management Protocol (SNMP) and email) in addition to IBM. A heartbeat is a small message with basic product information that is sent to IBM to ensure that the call home function works. The heartbeat can be scheduled every one to seven days based on the client’s preference. When a scheduled heartbeat fails to transmit, a service call is placed for the SSR with an action plan to verify the call home function. The DS8880 uses an internet connection through Transport Layer Security (TLS), which is also known as Secure Sockets Layer (SSL), for call home functions.
15.4.2 Data offload: Outbound
For many DS8880 problem events, such as a hardware component failure, a large amount of diagnostic data is generated. This data can include text and binary log files, firmware information, inventory lists, and timelines. These logs are grouped into collections by the component that generated them or the software service that owns them.
The entire bundle is collected together in a PEPackage. A DS8880 PEPackage can be large, often exceeding 100 MB. In certain cases, more than one PEPackage might be needed to diagnose a problem correctly, and the IBM Support center might also need an extra memory dump that is either created internally by the DS8880 or created manually through the intervention of an operator.
 
On Demand Dump: The On-Demand Data Dump (ODD) provides a mechanism that allows the collection of debug data for error scenarios. With ODD, IBM can collect data with no impact to the host I/O after an initial error occurs. ODD can be generated by using the data storage command-line interface (DS CLI) command diagsi -action odd and then offloaded.
The Management Console is the focal point for gathering and storing all of the data packages. Therefore, the Management Console must be accessible if a service action requires the information. The data packages must be offloaded from the Management Console and sent to IBM for analysis. The offload is performed over the internet through a TLS connection.
15.4.3 Outbound connection types
This section describes the outbound connection options that are available for call home and data offload.
 
Internet through a TLS connection
The preferred remote support connectivity method is internet TLS for Management Console to IBM communication. TLS is the encryption protocol that was originally developed as a secured web communication standard. Traffic through a TLS proxy is supported with or without authentication, depending on the client’s proxy server configuration.
When the internet is selected as the outbound connectivity method, the Management Console (MC) uses a TLS connection over the internet to connect to IBM.
For more information about IBM TLS remote support, see the IBM DS8880 Introduction and Planning Guide, GC27-8525, for planning and worksheets.
Standard FTP connection for data offload
The Management Console can be configured to support automatic data offload by using FTP over a network connection. This traffic can be examined at the client’s firewall before it is moved across the Internet. For FTP, the Management Console must be connected to the customer LAN with a path to the Internet from the repository server.
 
Important: FTP offload of data is supported as an outbound service only. No active FTP server is running on the HMC that can receive connection requests.
When a direct FTP session across the Internet is not available or wanted, a client can configure the FTP offload to use a client-provided FTP proxy server. The client then becomes responsible for configuring the proxy to forward the data to IBM.
The client is required to manage its firewalls so that FTP traffic from the Management Console (or from an FTP proxy) can pass onto the Internet.
For more information, see the IBM DS8880 Introduction and Planning Guide, GC27-8525.
15.5 Remote Support Access (inbound)
IBM took many necessary steps to provide secure network access for the Management Console. The client can define how and when the IBM SSR can connect to the Management Console. When remote support access is configured, IBM Support can connect to the Management Console to start problem analysis and data gathering. This process allows data to be analyzed as fast as possible with an action plan that is created for an onsite IBM SSR, if needed.
Having inbound access enabled can greatly reduce the problem resolution time because there is no need to wait for the SSR to arrive onsite to gather problem data and upload it to IBM. With the DS8880, the following inbound connectivity options are available to the client:
External Assist On-Site Gateway
Embedded remote access feature
The remote support access connection cannot be used to send support data to IBM.
The support data offload always uses the Call Home feature.
15.5.1 Assist On-site
Assist On-site (AOS) is an IBM remote access solution that relies on the IBM commercial product IBM BigFix® for Remote Control. The IBM DS8000 support uses the Port-Forwarding feature to maintain the DS8000 with an IP-based maintenance tool.
IBM Support encourages you to use Assist On-site as your remote access method.
The remote access connection is secured with TLS 1.2. In addition, a mechanism is implemented so that the HMC only ever initiates outbound network connections, while you must explicitly allow IBM to connect to the HMC at any time. You can compare this function to that of a modem that picks up incoming calls. The DS8880 documentation refers to this as an unattended service.
The connection is under the control of the DS8880 administrator at all times. Any DS8880 administrator can start and stop the AOS connection.
If you prefer to have a centralized access point for IBM Support, an Assist On-site Gateway might be the correct solution. With the AOS Gateway, you install the AOS software externally to the DS8880 HMC, on a system that you provide and maintain. IBM Support only provides the AOS software package. Through port-forwarding on an AOS Gateway, you can configure remote access to one or more DS8880s or other IBM Storage Systems.
A simple AOS connection to the DS8880 is shown in Figure 15-1. For more information about AOS, prerequisites, and installation, see IBM Assist On-site for Storage Overview, REDP-4889.
Figure 15-1 DS8880 AOS connection
15.5.2 DS8880 embedded AOS
AOS is an embedded feature on the DS8700, DS8800, DS8870, and DS8880. The AOS software package is preinstalled and customized on the Management Console. This technique eliminates the need to provide an additional system to operate an AOS Gateway. Embedded AOS is a secure, fast, broadband form of remote access. You can choose to allow unattended or attended remote access sessions. If you select attended remote access sessions, IBM Support contacts you or the storage operator to start the support session through the DS CLI or the DS GUI.
The IBM SSR configures AOS during the installation or a later point in time by entering information that is provided in the inbound remote support worksheet. The worksheets can be found in the Installation and Planning Guide, or online in the Planning Section of the IBM DS8880 Knowledge Center at:
In addition, your firewall needs to allow outbound traffic from the HMC to the AOS Infrastructure. The inbound remote support worksheet provides information about the required firewall changes.
For more information about AOS, see IBM Assist On-site for Storage Overview, REDP-4889.
15.5.3 DS8880 Remote Support Center
The HMC has been made Remote Support Center (RSC) ready starting with Microcode release R8.1. RSC uses SSH instead of the TLS that is used with Assist On-site.
15.5.4 Support access management through the DS CLI and the Storage Management GUI
All support connections can be enabled or disabled through the DS Storage Manager GUI or DSCLI. The following interfaces can be controlled:
The web-based user interface for the IBM SSR on the HMC
The SSH command-line interface access through the local or internal network
The remote access through Assist On-site
Using the DS Storage Manager GUI to manage the service access
You can control all service access through the DS Storage Manager GUI in the Access window, which is opened by clicking Settings → Support Menu. Figure 15-2 shows an example of the Access window.
Figure 15-2 Control the Support access through the DS Storage Manager GUI
Using DSCLI to manage service access
You can manage the service access to the DS8880 by using DS CLI commands. The following user access security commands are available:
manageaccess: This command manages the security protocol access settings of a Management Console for all communications to and from the DS8000 system. You can also use the manageaccess command to start or stop outbound virtual private network (VPN) connections instead of using the setvpn command.
chaccess: The chaccess command changes one or more access settings of an HMC. Only users with administrator authority can access this command. See the command output in Example 15-1.
chaccess [-commandline enable | disable] [-wui enable | disable] [-modem enable | disable] [-aos enable | disable] hmc1 | hmc2
Example 15-1 Output of chaccess command
Invoking the chaccess command
dscli> chaccess -cmdline enable -wui enable -hmc 1
The resulting output
hmc1 successfully modified.
 
Note: With the release of the DS8880, VPN and modem support are no longer offered. The DS CLI retains the commands for compatibility with earlier versions.
lsaccess: The lsaccess command displays the access settings and VPN status of the primary and backup Management Consoles:
lsaccess [hmc1 | hmc2]
See the output in Example 15-2.
Example 15-2 The lsaccess command output for a system with only one Management Console
dscli> lsaccess -hmc all -l
hmc  cmdline  wui      modem  cim       aos      vpn
=====================================================
hmc1 enabled  enabled  -      disabled  enabled  disabled
dscli>
 
 
Important: The hmc1 value specifies the primary HMC, and the hmc2 value specifies the secondary HMC, regardless of how -hmc1 and -hmc2 were specified during dscli start. A DS CLI connection might succeed even if a user inadvertently specifies a primary HMC by using -hmc2 and the secondary backup HMC by using -hmc1 at the DS CLI start.
Client notification of remote login
The Management Console code records all remote access in a log file. A client can use a DS CLI function to offload this file for audit purposes. The DS CLI function combines the log file that contains all service login information with an IBM enterprise storage server network interface (ESSNI) server audit log file that contains all client user login information to provide the client with a complete audit trail of remote access to a Management Console.
This on-demand audit log mechanism is sufficient for client security requirements about HMC remote access notification.
In addition to the audit log, email notifications and SNMP traps can also be configured at the Management Console to send a notification when a remote support connection is made.
15.6 Audit logging
The DS8880 offers an audit log. It is an unalterable record of all actions and commands that were initiated by users on the storage system through the DS8000 Storage Management graphical user interface (GUI), DS CLI, DS Network Interface (DSNI), or Copy Services Manager. An audit log does not include commands that were received from host systems or actions that were completed automatically by the storage system. The audit logs can be exported and downloaded by using the DS CLI or the Storage Management GUI.
The DS CLI offloadauditlog command provides clients with the ability to offload the audit logs to the client’s DS CLI workstation into a directory of their choice, as shown in Example 15-3.
Example 15-3 DS CLI command to download audit logs
dscli> offloadauditlog -logaddr smc1 c:75ZA570_audit.txt
Date/Time: November 3, 2015 11:41:56 AM CET IBM DSCLI Version: 7.8.0.376 DS: -
CMUC00243I offloadauditlog: Audit log was successfully offloaded from smc1 to c:75ZA570_audit.txt.
The audit log can be exported by using the DS8000 Storage Management GUI on the Events window by clicking the Diskette icon and then selecting Export Audit Log, as shown in Figure 15-3.
Figure 15-3 Export Audit Log
The downloaded audit log is a text file that provides information about when a remote access session started and ended, and the remote authority level that was applied. A portion of the downloaded file is shown in Example 15-4.
Example 15-4 Audit log entries that relate to a remote support event
MST,,1,IBM.2107-75ZA570,N,8036,Authority_to_root,Challenge Key = 'Fy31@C37'; Authority_upgrade_to_root,,,
U,2015/10/02 12:09:49:000 MST,customer,1,IBM.2107-75ZA570,N,8020,WUI_session_started,,,,
U,2015/10/02 13:35:30:000 MST,customer,1,IBM.2107-75ZA570,N,8022,WUI_session_logoff,WUI_session_ended_loggedoff,,,
The Challenge Key that is presented to the IBM support representative is part of a two-factor authentication method that is enforced on the Management Console. It is a token that is shown to the IBM SSR who connects to the DS8880. The representative must use the Challenge Key in an IBM internal system to generate a Response Key that is given to the HMC. The Response Key acts as a one-time authorization to the features of the HMC. The Challenge and Response Keys change each time a remote connection is made.
The Challenge-Response process must be repeated if the representative needs higher privileges to access the Management Console command-line environment. There is no direct user login and no root login on a DS8880.
Entries are added to the audit file only after the operation completes, when all information about the request and its completion status is known. A single entry is used to log both the request and the response information. It is possible, though unlikely, that an operation does not complete because of an operation timeout. In this case, no entry is made in the log.
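Because the entries in Example 15-4 are comma-separated, a client can turn the offloaded file into a remote-access report for audit review. The following added example (not IBM code) parses constructed lines in that layout, pairs each WUI session start with its logoff, flags whether an Authority_to_root upgrade preceded the session, and redacts the Challenge Key before anything is reported; the column positions and the meaning of event codes 8036, 8020 and 8022 are assumptions read from the sample entries on the page.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample in the layout of Example 15-4; the key value is a placeholder.
SAMPLE_AUDIT_LOG = """\
U,2015/10/02 12:05:10:000 MST,customer,1,IBM.2107-75ZA570,N,8036,Authority_to_root,Challenge Key = 'EXAMPLE01'; Authority_upgrade_to_root,,,
U,2015/10/02 12:09:49:000 MST,customer,1,IBM.2107-75ZA570,N,8020,WUI_session_started,,,,
U,2015/10/02 13:35:30:000 MST,customer,1,IBM.2107-75ZA570,N,8022,WUI_session_logoff,WUI_session_ended_loggedoff,,,
U,2015/10/02 14:00:00:000 MST,admin,1,IBM.2107-75ZA570,N,8020,WUI_session_started,,,,
"""

# Event codes as they appear in the sample entries (assumed meanings).
AUTHORITY_UPGRADE, SESSION_START, SESSION_END = "8036", "8020", "8022"
CHALLENGE_KEY = re.compile(r"Challenge Key = '[^']*'")
AuditEntry = namedtuple("AuditEntry", "when user serial code event detail")

def parse_line(line):
    """Split one entry; the field positions are assumptions from the sample."""
    f = line.rstrip("\n").split(",")
    if len(f) < 9:
        return None
    stamp = f[1].rsplit(" ", 1)[0]  # drop the timezone suffix
    when = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S:%f")
    # A challenge key is a live authentication token: never copy it into reports.
    detail = CHALLENGE_KEY.sub("Challenge Key = '<redacted>'", f[8])
    return AuditEntry(when, f[2], f[4], f[6], f[7], detail)

def summarise_sessions(text):
    """Pair session start/end per (user, serial) and flag root upgrades."""
    open_sessions, upgraded, sessions = {}, set(), []
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        key = (e.user, e.serial)
        if e.code == AUTHORITY_UPGRADE:
            upgraded.add(key)
        elif e.code == SESSION_START:
            open_sessions[key] = e.when
        elif e.code == SESSION_END and key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({"user": e.user, "start": start, "root_upgrade": key in upgraded,
                             "seconds": int((e.when - start).total_seconds())})
    # A start without an end: the session is still open, or the end fell outside
    # the 50 MB FIFO window, so offload the log often enough to keep both halves.
    for key, start in open_sessions.items():
        sessions.append({"user": key[0], "start": start, "seconds": None,
                         "root_upgrade": key in upgraded})
    return sessions
```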
The audit log entry includes the following information:
Log users that connect to or disconnect from the storage manager.
Log user password and user access violations.
Log commands that create, remove, or modify the logical configuration, including the command parameters and user ID.
Log commands that modify storage facility image (SFI) and Storage Facility settings, including the command parameters and user ID.
Log Copy Services commands, including command parameters and users.
 
Note: IBM Copy Services Manager commands are not supported.
Audit logs are automatically trimmed (first-in first-out (FIFO)) by the subsystem so that they do not use more than 50 MB of disk storage.