Configuration flow
This chapter provides a brief overview of the sequence of tasks that are required for the configuration of an IBM DS8880.
This chapter covers the following topics:
Configuration worksheets
User and role management
Data at rest encryption
Network security
Configuration flow
General storage configuration guidelines
10.1 Configuration worksheets
Before a new DS8880 is delivered, the client receives the DS8880 customization worksheets. The configuration worksheets are in Appendix E of the IBM DS8880 Introduction and Planning Guide, GC27-8525. The guide provides all of the information that is required to plan for a successful installation. For the DS8882F, see the IBM DS8882F Introduction and Planning Guide, GC27-9259.
The purpose of the configuration worksheets is to provide the required information to the IBM service support representative (IBM SSR) to customize the DS8880. It is best to present the completed worksheets to the IBM SSR before the delivery of the DS8880.
The completed customization worksheets specify the initial setup for the following items:
Company information: Provides important contact information.
Management console network settings: Supplies the IP address and local area network (LAN) settings for connectivity to the management console.
Remote support (which includes call home and remote service settings): Specifies the inbound and outbound remote support settings.
Notifications: Lists Simple Network Management Protocol (SNMP) trap and email notification settings.
Power control: Selects and controls the various power modes for the storage complex.
Control switch settings: Specifies certain DS8880 settings that affect host connectivity. This information is required by the IBM SSR so that the SSR can enter these settings during the DS8880 installation.
10.2 User and role management
During the planning phase (when you use the customization worksheet), list all users who need access to the data storage graphical user interface (DS GUI) or data storage command-line interface (DS CLI). This list is the basis for role-based authorization, which specifies the resources and the type of access that each role is granted. Assign at least one user to each of the following roles:
The Administrator (admin) has access to several Hardware Management Console (HMC) or Management Console (MC) service functions and all storage image resources, except for specific encryption functions. This user authorizes the actions of the Security Administrator during the encryption deadlock prevention and resolution process.
The Security Administrator (secadmin) has access to all encryption functions. This role requires an Administrator user to confirm the actions that are taken during the encryption deadlock prevention and resolution process.
The Physical operator (op_storage) has access to physical configuration service methods and resources, such as managing the storage complex, storage image, rank, array, and extent pool objects.
The Logical operator (op_volume) has access to all service methods and resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security methods.
The Monitor role has access to all read-only, nonsecurity MC service methods, such as the list and show commands.
The IBM Service role (ibm_service) has access to all MC service methods and resources, such as running code loads and retrieving problem logs. This group also has the privileges of the Monitor group, excluding security methods.
The IBM Engineering role (ibm_engineering) has all access that ibm_service group has plus additional permissions to manage Fibre Channel Port settings, manage data at rest encryption, and modify Easy Tier settings.
The Copy Services operator (op_copy_services) has access to all Copy Services methods and resources, and the privileges of the Monitor group, excluding security methods.
The Logical and Copy operator (op_volume,op_copy_services) has combined access of the Logical operator and the Copy operator.
 
Important: Available resource groups offer an enhanced security capability that supports the hosting of multiple customers with Copy Services requirements. It also supports the single client with requirements to isolate the data of multiple operating systems’ environments. For more information, see IBM System Storage DS8000 Copy Services Scope Management and Resource Groups, REDP-4758.
Starting with release 8.5 of the DS8880 microcode, a storage administrator can define user roles in the GUI or CLI with a fully customized set of permissions. This capability lets you match the authorization level of each user account to that person's job role, which limits the damage that an insider or an operator mistake can cause.
You can also use a Lightweight Directory Access Protocol (LDAP) server to authenticate DS8000 users. The Copy Services Manager (CSM) and its LDAP client come preinstalled on the DS8000 HMC. For more information about remote authentication and LDAP for the DS8880, see IBM DS8880 Integrated Copy Services Manager and LDAP Client on the HMC, REDP-5356.
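The following script is an added example (it is not part of this book or of IBM's DS8880 software) that reviews the planned user list from the customization worksheet against the role guidance above before any account is created with the DS CLI mkuser command. It checks that every role has at least one user, that no role name is misspelled (a misspelled group silently gives a user nothing), and that nobody holds admin and secadmin together. That last rule is derived from the dual-control description of the encryption deadlock process (the admin confirms the secadmin's actions) and is an assumption of this script, not a documented DS8880 restriction. The group names are those given for the roles above; "monitor" as the group name of the Monitor role is assumed, and the sample worksheet is constructed.

```python
"""Planning-time review of the DS8880 user list from the customization
worksheet, before the accounts are created with the DS CLI mkuser command.
Added example, not IBM code. The group names are those given for the roles
in this section ("monitor" for the Monitor role is assumed); the rule that
nobody holds admin and secadmin together is derived from the dual-control
description of the encryption deadlock process and is an assumption here."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

BUILTIN_ROLES = frozenset({
    "admin", "secadmin", "op_storage", "op_volume", "monitor",
    "ibm_service", "ibm_engineering", "op_copy_services",
})

# Client-side roles that the planning text says should each get at least one user.
REQUIRED_ROLES = frozenset({
    "admin", "secadmin", "op_storage", "op_volume", "monitor", "op_copy_services",
})

# Role pairs one person must not hold: admin confirms secadmin's deadlock
# recovery actions, so the same person holding both defeats that control.
MUTUALLY_EXCLUSIVE = (frozenset({"admin", "secadmin"}),)


@dataclass(frozen=True)
class PlannedUser:
    name: str
    groups: str   # comma-separated, as written on the worksheet / given to mkuser -group

    def roles(self) -> set[str]:
        return {g.strip() for g in self.groups.split(",") if g.strip()}


def check_user_plan(users: list[PlannedUser],
                    custom_roles: frozenset[str] = frozenset()) -> list[str]:
    """Return one finding per problem; an empty list means the plan passes.
    custom_roles: names of roles the client defined (release 8.5 or later)."""
    known = BUILTIN_ROLES | custom_roles
    findings: list[str] = []
    seen: set[str] = set()
    holders: dict[str, set[str]] = defaultdict(set)
    for u in users:
        if u.name in seen:
            findings.append(f"{u.name}: duplicate user name")
        seen.add(u.name)
        roles = u.roles()
        unknown = roles - known
        if unknown:
            findings.append(f"{u.name}: unknown role(s) {sorted(unknown)}")
        for pair in MUTUALLY_EXCLUSIVE:
            if pair <= roles:
                findings.append(f"{u.name}: holds {sorted(pair)} together; dual control lost")
        for r in roles & known:
            holders[r].add(u.name)
    for r in sorted(REQUIRED_ROLES):
        if not holders[r]:
            findings.append(f"role {r}: no user assigned")
    return findings


# Constructed sample worksheet with three deliberate problems.
SAMPLE_USERS = [
    PlannedUser("storadm", "admin"),
    PlannedUser("keyadm", "secadmin"),
    PlannedUser("superuser", "admin,secadmin"),        # defeats dual control
    PlannedUser("ops1", "op_volume,op_copy_services"),
    PlannedUser("ops2", "op_storage"),
    PlannedUser("nocmon", "monitr"),                    # typo, and nobody has monitor
]

if __name__ == "__main__":
    for line in check_user_plan(SAMPLE_USERS):
        print(line)
```

Run the script on the real worksheet before the IBM SSR visit; each finding maps to a line of the worksheet that must change. Custom roles defined under release 8.5 are passed in custom_roles so that they are not reported as misspellings.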
10.3 Data at rest encryption
Additional planning is required if you intend to activate encryption for the DS8880. It is important to plan and configure encryption before you perform the logical configuration.
The DS8880 provides data at rest encryption for data that is within the storage system, for increased data security. This drive-based encryption is combined with an enterprise-scale key management infrastructure.
Starting with DS8000 Release 8.5 code, you can also encrypt data that is transferred to the cloud when you use the Transparent Cloud Tiering (TCT) function. TCT encryption can be enabled at any time and also relies on external key managers. In that case, version 3.02 of IBM Security Key Lifecycle Manager (SKLM) is required. See IBM DS8880 Data-at-rest Encryption, REDP-4500.
Full-disk-encryption drives are standard on the DS8000 series. Full disk encryption offerings must be activated before performing any logical configuration. For more information about encryption license considerations, see “Encryption activation review planning” on page 214.
The current DS8880 encryption solution requires the use of the IBM Security Key Lifecycle Manager, IBM Security Key Lifecycle Manager for z/OS, or a third-party OASIS KMIP solution like Gemalto SafeNet. These key lifecycle managers assist with generating, protecting, storing, and maintaining encryption keys that are used to encrypt information that is written to and decrypt information that is read from devices.
For more information, including current considerations and preferred practices for DS8880 encryption, see 7.3.6, “Key manager servers for encryption” on page 214 and IBM DS8880 Data-at-rest Encryption, REDP-4500.
10.4 Network security
How much protection the network that is used to communicate with and manage the DS8880 (specifically, the HMC) requires depends on the client's requirements. The DS8880 supports compliance with the National Institute of Standards and Technology (NIST) SP 800-131A standard, which is also known as Gen-2 security.
Two components are required to provide full network protection:
The first component is Internet Protocol Security (IPsec); for Gen-2 security, IPsec-v3 is required. IPsec protects the network communication at the Internet layer, that is, the packets that are sent over the network. This configuration ensures that only an authorized workstation or server communicates with the HMC and that the traffic between them cannot be read or altered in transit.
The second component is Transport Layer Security (TLS) 1.2, which provides protection at the application layer to ensure that the client software (external to the HMC) is communicating with the genuine server software in the HMC, and that the application data is encrypted and authenticated end to end.
 
Note: The details for implementing and managing Gen-2 security requirements are provided in IBM DS8870 and NIST SP 800-131a Compliance, REDP-5069.
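The script below is an added example (not from this book or from IBM) of the client side of the TLS 1.2 component described above, for any scripted HTTPS client that talks to the HMC: it builds a context that refuses anything below TLS 1.2, restricts the TLS 1.2 suites to forward-secret AES-GCM with SHA-2, and requires the HMC certificate to validate, then audits a context and reports the suites that fall short of that posture. The weak-suite classification (RC4, DES/3DES, MD5, anonymous or null suites, HMAC-SHA1 suites, which OpenSSL names with a bare "-SHA" suffix) is this script's reading of SP 800-131A, the legacy context is shown only as the posture to retire, and the HMC host name and CA bundle path are placeholders.

```python
"""Client-side TLS settings for tooling that talks to the DS8880 HMC over HTTPS.
Added example, not IBM code. Shows the Gen-2 (NIST SP 800-131A) client posture
described in this section and an audit that reports suites that fall short of
it. The HMC host name and CA bundle path are placeholders."""
from __future__ import annotations

import ssl
from typing import Iterable

# Gen-2 client policy for TLS 1.2: forward-secret ECDHE, AES-GCM, SHA-2 only.
GEN2_CIPHERS = "ECDHE+AESGCM:!aNULL:!MD5"

# Tokens in an OpenSSL suite name that mark it as not acceptable (assumed
# reading of SP 800-131A: RC4, DES/3DES, MD5, export, anonymous, PSK/SRP).
_WEAK_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")


def is_noncompliant(suite: str) -> bool:
    """True for suites using a weak cipher/hash or an HMAC-SHA1 MAC
    (OpenSSL names SHA1-MAC suites with a bare '-SHA' suffix)."""
    upper = suite.upper()
    if any(tok in upper for tok in _WEAK_TOKENS):
        return True
    return upper.endswith("-SHA")


def noncompliant_suites(names: Iterable[str]) -> list[str]:
    """Filter a list of suite names (from a context or from a scanner) to the weak ones."""
    return [n for n in names if is_noncompliant(n)]


def build_hmc_client_context(ca_bundle: str | None = None) -> ssl.SSLContext:
    """Context for an HTTPS client connecting to the HMC, e.g. https://hmc1.example.com (placeholder)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if ca_bundle:                       # CA that signed the HMC certificate, if not in the system store
        ctx.load_verify_locations(ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(GEN2_CIPHERS)       # governs TLS 1.2 suites; TLS 1.3 suites are OpenSSL's own list
    ctx.check_hostname = True           # the name in the certificate must match the HMC host name
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The posture to retire: any TLS version accepted, certificate not checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report whether a context meets the Gen-2 client posture."""
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verify_ok": ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname),
        "weak_tls12_suites": noncompliant_suites(tls12),
    }


if __name__ == "__main__":
    print("gen-2  :", audit_context(build_hmc_client_context()))
    print("legacy :", audit_context(legacy_client_context()))
    # To use: urllib.request.urlopen("https://hmc1.example.com/", context=build_hmc_client_context())
```

The audit looks only at the TLS 1.2 suite list because the Python ssl module cannot change the TLS 1.3 list; if the HMC negotiates TLS 1.3 the suites are AES-GCM or ChaCha20-Poly1305 with SHA-2 by construction. Feed noncompliant_suites() the suite names from a scan of the HMC to see what the server side still offers.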
10.5 Configuration flow
This section shows the list of tasks to perform when storage is configured in the DS8880. Depending on the environment and requirements, not all tasks might be necessary.
Logical configuration can be performed by using the DS GUI, DS CLI, or both. Depending on the client’s preference and experience, one method might be more efficient than the other. The DS8880 GUI provides a powerful, yet simple process for logical configuration. If you use the DS Storage Management GUI, not all of the steps that are listed in this book are explicitly performed by the user. For more information about the DS Storage Management GUI, see Chapter 11, “DS8880 Storage Management GUI” on page 275.
If you perform logical configuration by using the DS CLI, the following steps provide a high-level overview of the configuration flow. For more detailed information about using and performing logical configuration with the DS CLI, see Chapter 12, “Configuration with the command-line interface” on page 379.
The following is the general configuration flow:
1. Install license keys: Activate the license keys for the DS8880 storage system. For more information about activating licensed functions, see Chapter 9, “IBM DS8880 features and licensed functions” on page 243.
 
Important: If data at rest encryption will be activated, the encryption configuration must be performed before the logical configuration that is described in the next steps.
2. Create arrays: Configure the installed disk drives as RAID 6, which is the default and preferred RAID configuration for the IBM DS8880.
3. Create ranks: Assign each array to be a fixed-block (FB) rank or a count key data (CKD) rank.
4. Create extent pools: Define extent pools, associate each one with Server 0 or Server 1, and assign at least one rank to each extent pool. To take advantage of storage pool striping, you must assign multiple ranks to an extent pool. For more information about storage pool striping, see “Storage pool striping: Extent rotation” on page 180, and “Storage pool striping” on page 408.
 
Important: If you plan to use IBM Easy Tier (in particular, in automatic mode), select the All pools option to receive all of the benefits of Easy Tier data management. For more information, see 6.7, “IBM Easy Tier” on page 187.
5. Consider other controls and monitoring when working with space-efficient volumes. For more information, see IBM DS8880 Thin Provisioning (Updated for Release 8.5), REDP-5343.
6. Configure the fibre channel ports: Define the topology of the fibre channel ports. The port type can be Switched Fabric or Fibre Channel Protocol (FCP), Fibre Channel Arbitrated Loop (FC-AL), or Fibre Channel connection (FICON). The FC-AL protocol is not available for 16 Gbps fibre channel ports.
7. Create the volume groups for open systems: Create volume groups where FB volumes are assigned.
8. Create the host connections for open systems: Define open systems hosts and their Fibre Channel (FC) host bus adapter (HBA) worldwide port names (WWPNs). Assign volume groups to the host connections.
9. Create the open systems volumes: Create striped open systems FB volumes and assign them to one or more volume groups.
10. Create the IBM Z logical control units (LCUs): Define their type and other attributes, such as subsystem identifiers (SSIDs).
11. Create the striped IBM Z volumes: Create IBM Z CKD base volumes and parallel access volumes (PAV) aliases for them.
10.6 General storage configuration guidelines
Observe the following general guidelines when storage is configured in the DS8000:
To achieve a well-balanced load distribution, use at least two extent pools (also known as a pool pair), each assigned to one of the internal servers (extent pool 0 and extent pool 1). If CKD and FB volumes are required on the same storage system, configure at least four extent pools: Two for FB and two for CKD.
The volume type for the first volume that is created in an address group is either FB or CKD. That volume type determines the type for all other volumes (FB or CKD) for the entire address group. A volume is one of 256 in a logical subsystem (LSS) or LCU. An LSS is one of 16 in an address group (except address group F, which has only 15 LSSs). For more information about logical subsystems and address groups, see 4.4.5, “Logical subsystems” on page 131.
Volumes of one LCU/LSS can be allocated on multiple extent pools in the same rank group.
Assign multiple ranks to extent pools to take advantage of storage pool striping. Additionally, assign ranks from multiple device adapter (DA) pairs to an extent pool to spread the workload and increase performance. See 6.5.2, “Data placement in the DS8000” on page 178.
The following options are available for fixed-block (FB) pools:
 – Create a volume group for each server unless logical unit number (LUN) sharing is required.
 – Assign the volume group for one server to all of its host connections.
 – If LUN sharing is required, the following options are available (Figure 10-1):
 • Create one volume group for each server. Assign the shared volumes in each volume group. Assign the individual volume groups to the corresponding server’s host connections. The advantage of this option is that you can assign private and shared volumes to each host. This configuration can be used in an environment such as application sharing.
 • Create one common volume group for all servers. Place the shared volumes in the volume group and assign the volume group to the host connections. This configuration can be used in an environment such as clustering.
Figure 10-1 LUN configuration for shared access
The following options are available for fibre channel ports:
 – Configure a port to be FICON, FCP, or FC-AL (FC-AL is available only on 8 Gbps host adapters).
 – Distribute host connections of each type (FICON, FCP, and FC-AL) evenly across the I/O enclosures.
 – Ensure that each host is connected to at least two different host adapters (HAs) in two different I/O enclosures for redundancy and availability.
 – Typically, leave Fibre Channel ports set to access any and control which hosts can reach a port through storage area network (SAN) zoning.
 
Note: Avoid intermixing host I/O with Copy Services I/O on the same ports.
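
The following script is an added example (not from this book or from IBM) that checks a planned logical configuration against the guidelines in this section before the configuration flow in 10.5 is run with the DS CLI: a pool pair on both servers for every storage type in use, more than one rank per pool so that storage pool striping is possible, one volume type per address group, one rank group per LSS, and every host connected through at least two I/O enclosures. Object IDs follow the DS CLI naming used in this chapter (P0 extent pools, R0 ranks, I0000 ports, four-hex-digit volume IDs). The port-ID layout I<enclosure><slot><port> used to find the I/O enclosure, and the even-LSS/server 0, odd-LSS/server 1 affinity check, are assumptions of this script; the sample plan is constructed.

```python
"""Planning check of a DS8880 logical configuration against the guidelines in
this section, run before the configuration flow is executed with the DS CLI.
Added example, not IBM code. Object IDs follow the DS CLI naming used in this
chapter; the port-ID layout I<EE><S><P> and the even-LSS/server 0,
odd-LSS/server 1 affinity are assumptions of this script."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    pid: str                  # extent pool ID, e.g. "P0"
    rank_group: int           # 0 = server 0, 1 = server 1
    stgtype: str              # "fb" or "ckd"
    ranks: tuple[str, ...]    # ranks assigned to the pool with chrank -extpool


@dataclass(frozen=True)
class VolumeRange:
    first: int                # volume ID as an int, e.g. 0x1000
    last: int                 # inclusive
    pool: str                 # extent pool the range is created in


@dataclass(frozen=True)
class Host:
    name: str
    ports: tuple[str, ...]    # DS8880 I/O port IDs the host connects to


def enclosure_of(port_id: str) -> int:
    """I/O enclosure number from a port ID (assumed layout I<EE><S><P>)."""
    return int(port_id[1:3], 16)


def check_plan(pools: list[Pool], volumes: list[VolumeRange], hosts: list[Host]) -> list[str]:
    findings: list[str] = []
    by_id = {p.pid: p for p in pools}

    # A pool pair (one pool per server) for every storage type that is used.
    for stg in sorted({p.stgtype for p in pools}):
        groups = {p.rank_group for p in pools if p.stgtype == stg}
        if groups != {0, 1}:
            findings.append(f"{stg}: pools only on rank group(s) {sorted(groups)}; create a pool pair")

    # Storage pool striping needs more than one rank in the pool.
    for p in pools:
        if len(p.ranks) < 2:
            findings.append(f"{p.pid}: one rank only, storage pool striping not possible")

    # An address group (first hex digit of the volume ID) is all FB or all CKD;
    # an LSS (first two hex digits) keeps all its volumes on one rank group.
    ag_types: dict[int, set[str]] = defaultdict(set)
    lss_groups: dict[int, set[int]] = defaultdict(set)
    for v in volumes:
        pool = by_id[v.pool]
        for ag in range(v.first >> 12, (v.last >> 12) + 1):
            ag_types[ag].add(pool.stgtype)
        for lss in range(v.first >> 8, (v.last >> 8) + 1):
            lss_groups[lss].add(pool.rank_group)
    for ag, types in sorted(ag_types.items()):
        if len(types) > 1:
            findings.append(f"address group {ag:X}: mixes {sorted(types)} volumes")
    for lss, groups in sorted(lss_groups.items()):
        if len(groups) > 1:
            findings.append(f"LSS {lss:02X}: volumes spread over both rank groups")
        elif lss % 2 != next(iter(groups)):   # assumed even/odd server affinity
            findings.append(f"LSS {lss:02X}: expected on rank group {lss % 2}")

    # Every host reaches the DS8880 through at least two I/O enclosures.
    for h in hosts:
        enclosures = {enclosure_of(p) for p in h.ports}
        if len(enclosures) < 2:
            findings.append(f"{h.name}: all ports in I/O enclosure(s) {sorted(enclosures)}")
    return findings


# Constructed sample plan: two FB pools, two CKD pools, and one deliberate
# mistake of each kind (single-rank pool, FB volumes in a CKD address group,
# host zoned to a single I/O enclosure).
SAMPLE_POOLS = [
    Pool("P0", 0, "fb", ("R0", "R1")), Pool("P1", 1, "fb", ("R2", "R3")),
    Pool("P2", 0, "ckd", ("R4",)),     Pool("P3", 1, "ckd", ("R5", "R6")),
]
SAMPLE_VOLUMES = [
    VolumeRange(0x1000, 0x10FF, "P0"), VolumeRange(0x1100, 0x11FF, "P1"),
    VolumeRange(0x2000, 0x200F, "P2"), VolumeRange(0x2100, 0x210F, "P3"),
    VolumeRange(0x2200, 0x220F, "P0"),
]
SAMPLE_HOSTS = [Host("host1", ("I0000", "I0100")), Host("host2", ("I0000", "I0001"))]

if __name__ == "__main__":
    for line in check_plan(SAMPLE_POOLS, SAMPLE_VOLUMES, SAMPLE_HOSTS):
        print(line)
```

Each finding names the object (pool, address group, LSS, or host) that breaks a guideline, so the plan can be corrected before mkextpool, mkfbvol, mkckdvol, or mkhostconnect is issued; an empty result means the plan follows the guidelines that this script encodes.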
 