Configuration flow
This chapter provides a brief overview of the sequence of tasks that are required to configure an IBM DS8900F.
This chapter covers the following topics:
Configuration worksheets
User and role management
Encryption
Network security
Configuration flow
General storage configuration guidelines
9.1 Configuration worksheets
Before a new DS8900F system is delivered, it is highly advised to complete the DS8900F configuration worksheets (also called customization worksheets). For more information about these worksheets, including links to download their current version, see Appendix D, “Customization worksheets”, of the IBM DS8900F Introduction and Planning Guide, SC27-9560-04. The guide provides detailed information to help you plan a successful installation of the system.
 
Note: Planning information for all DS8900F models, including the rack-mounted model 933, is covered in the same guide.
The purpose of the configuration worksheets is to enable a smooth installation of the DS8900F by ensuring that the necessary information is available to the IBM Systems Service Representative (IBM SSR) during system installation. It is best to present the completed worksheets to the IBM SSR before the delivery of the DS8900F.
The completed customization worksheets specify the initial setup for the following items:
Company information: Provide important company and contact information. This information is required to ensure that IBM Support personnel can reach the appropriate contact person or persons in your organization, or send a technician to service your system as quickly as possible in the event of a critical event.
Management Console (MC) network: Provide the IP address and local area network (LAN) settings. This information is required to establish connectivity to the MC.
Remote support, including Call Home: Provide information to configure Remote Support and Call Home. This information helps to ensure timely support for critical serviceable events on the system.
Notification: Provide information to receive Simple Network Management Protocol (SNMP) traps and email notifications. This information is required if you want to be notified about serviceable events.
Power control: Provide your preferences for the power mode on the system.
Control switch: Provide information to set up the control switches on the system. This information is helpful if you want to customize settings that affect host connectivity for IBM i and IBM Z hosts.
9.2 User and role management
During the planning phase (when you use the customization worksheet), list all users who need access to the Data Storage Graphical User Interface (DS GUI) or Data Storage Command-Line Interface (DS CLI). This action helps you manage secure authorization, which specifies the resource and access for different role-based users.
Assign two or more storage administrators and two or more security administrators to manage your storage system. To preserve the dual control that is recommended for recovery key management, do not assign both storage administrator and security administrator roles to the same user. Assign one or more users to each of the following roles:
The Administrator (admin) has access to several Hardware Management Console (HMC) or MC service functions and all storage image resources, except for specific encryption functions. This user authorizes the actions of the Security Administrator during the encryption deadlock prevention and resolution process.
The Security Administrator (secadmin) has access to all encryption functions. A user with an Administrator role is required to confirm the actions that are taken by a user of this role during the encryption deadlock prevention and resolution process.
The Physical operator (op_storage) has access to physical configuration service methods and resources, such as managing the storage complex, storage image, rank, array, and extent pool objects.
The Logical operator (op_volume) has access to all service methods and resources that relate to logical volumes, hosts, host ports, logical subsystems (LSSs), and volume groups, excluding security methods.
The Monitor role has access to all read-only, nonsecurity MC service methods, such as the list and show commands.
The IBM Service role (ibm_service) has access to all MC service methods and resources, such as running code loads and retrieving problem logs. This group also has the privileges of the Monitor group, excluding security methods.
The IBM Engineering role (ibm_engineering) has all access that the ibm_service group has plus more permissions to manage Fibre Channel (FC) Port settings, manage data at rest encryption, and modify Easy Tier settings.
The Copy Services (CS) operator (op_copy_services) has access to all CS methods and resources, and the privileges of the Monitor group, excluding security methods.
The Logical and Copy operator (op_volume and op_copy_services) has the combined access of the Logical operator and the Copy operator.
 
Important: Resource groups offer an enhanced security capability that supports the hosting of multiple customers with CS requirements. It also supports a single client with requirements to isolate the data of multiple operating system (OS) environments. For more information, see DS8000 Copy Services, SG24-8367.
The DS8900F provides a storage administrator with the ability to create custom user roles with a fully customized set of permissions by using the DS GUI or DS CLI. This set of permissions helps to ensure that the authorization level of each user on the system exactly matches their job role in the company, so that the security of the system is more robust against internal attacks or mistakes.
You can also consider using a Lightweight Directory Access Protocol (LDAP) server for authenticating IBM DS8000 users. You can now take advantage of the IBM Copy Services Manager (CSM) and its LDAP client that comes preinstalled on the DS8900F HMC. For more information about remote authentication and LDAP for the DS8900F, see LDAP Authentication for IBM DS8000 Systems, REDP-5460.
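The dual-control rule described above (no user holds both admin and secadmin, and each of those roles has two or more holders) can be checked mechanically before the assignments are made. The following Python script is an added example, not code from the Redbook or from the DS CLI; the tabular input it parses is a constructed, simplified listing and not the real `lsuser` output format.

```python
"""Audit a planned DS8900F user-to-role assignment for the dual-control rule.

Added example, not code from the IBM Redbook or the DS CLI. The table format
parsed by parse_users() is constructed for this example; it is not the real
`lsuser` column layout.
"""
from collections import defaultdict

# Roles named in the chapter. Dual control for encryption recovery keys means
# no single user may hold both admin and secadmin.
CONFLICTING_ROLES = frozenset({"admin", "secadmin"})
MIN_HOLDERS = {"admin": 2, "secadmin": 2}   # "two or more" of each role

# Constructed sample listing: name, comma-separated roles, state.
SAMPLE = """\
Name     Group                        State
stgadm1  admin                        active
stgadm2  admin,op_copy_services       active
secadm1  secadmin                     active
ops1     op_volume,op_copy_services   active
mixed    admin,secadmin               active
"""

def parse_users(text):
    """Return {user: set(roles)} from the constructed table (header skipped)."""
    users = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        name, groups, _state = line.split()
        users[name] = set(groups.split(","))
    return users

def audit(users):
    """Return a list of findings; an empty list means the assignment is compliant."""
    findings = []
    holders = defaultdict(set)
    for user, roles in users.items():
        for role in roles:
            holders[role].add(user)
        if CONFLICTING_ROLES <= roles:
            findings.append(f"{user}: holds both admin and secadmin (breaks dual control)")
    for role, minimum in MIN_HOLDERS.items():
        count = len(holders[role])
        if count < minimum:
            findings.append(f"{role}: only {count} holder(s), need at least {minimum}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_users(SAMPLE)):
        print(finding)
```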
9.3 Encryption
More planning is required if you intend to activate data at rest encryption for the DS8900F. It is important to plan and configure data at rest encryption before you perform the logical configuration.
The following options are available:
Data at rest encryption: The DS8900F support for data at rest encryption consists of hardware-level self-encrypting Full Disk Encryption (FDE) drives and flexible key manager software. The drive-based encryption is combined with an enterprise-scale key management infrastructure to provide increased data security. Additionally, the DS8900F encryption also offers a simple, cost-effective solution for securely erasing any flash drive that is being retired or repurposed (cryptographic erasure). Full-disk-encryption drives are standard on the DS8900F.
IBM Fibre Channel Endpoint Security: Use this feature to encrypt data as it is transmitted between your IBM Z server and DS8900F. This encryption mechanism also uses external key servers. It can be enabled at any time.
Transparent Cloud Tiering (TCT): The DS8900F also provides support to encrypt data being transferred to the cloud when using the TCT function. TCT encryption can be enabled at any time, and relies on external key managers.
The current DS8900F encryption solution requires an external key manager. The key manager generates, protects, stores, and maintains encryption keys that are needed to encrypt information.
For more information, including current considerations and preferred practices for DS8900F encryption, see 6.3.6, “Key manager servers for encryption” on page 181 and IBM DS8000 Encryption for data at rest, Transparent Cloud Tiering, and Endpoint Security (DS8000 Release 9.0), REDP-4500.
For more information about encryption license considerations, see “Encryption activation review planning” on page 181.
9.4 Network security
The security of the network that is used to communicate with and manage the DS8900F (specifically the HMC) is important; how much protection is required depends on the client requirements. The DS8900F supports compliance with the National Institute of Standards and Technology (NIST) SP800-131a standards.
Two components are required to provide full network protection:
The first component is Internet Protocol Security (IPsec); for Gen 2 security, IPsec v3 is required. IPsec protects network communication at the internet layer, that is, the packets that are sent over the network. This configuration ensures that a valid workstation or server communicates with the HMC and that the communication between them cannot be intercepted.
The second component is Transport Layer Security (TLS) 1.2, which provides protection at the application layer to ensure that valid software (external to the HMC or client) is communicating with the software (server) in the HMC.
 
Note: The details for implementing and managing security requirements are provided in IBM DS8870 and NIST SP 800-131a Compliance, REDP-5069.
9.5 Configuration flow
This section shows the list of tasks to perform when storage is configured in the DS8900F. Depending on the environment and requirements, not all tasks might be necessary.
Logical configuration can be performed by using the DS GUI, DS CLI, or a combination of both. Depending on your preference and experience, one method might be more efficient than the other. The DS8900F GUI provides a powerful yet simple process for logical configuration. If you use the DS GUI, not all of the steps that are listed in this book are explicitly performed by the user. For more information about the DS GUI, see Chapter 10, “IBM DS8900F Storage Management GUI” on page 247.
If you perform logical configuration by using the DS CLI, the following steps provide a high-level overview of the configuration flow. For more detailed information about using and performing logical configuration with the DS CLI, see Chapter 11, “IBM DS8900F Storage Management Command Line Interface” on page 357.
Here is the general configuration flow:
1. Install license keys: Activate the license keys for the DS8900F storage system. For more information about activating licensed functions, see Chapter 8, “IBM DS8900F features and licensed functions” on page 217.
 
Important: If data at rest encryption will be activated, the encryption configuration must be performed before starting the logical configuration.
2. Create arrays: Configure the installed flash drives as Redundant Array of Independent Disks (RAID) 6, which is now the default and preferred RAID configuration for the DS8900F.
3. Create ranks: Assign each array as a fixed-block (FB) rank or a Count Key Data (CKD) rank.
4. Create extent pools: Define extent pools, associate each one with Server 0 or Server 1, and assign at least one rank to each extent pool. To take advantage of storage pool striping, you must assign multiple ranks to an extent pool. For more information about storage pool striping, see “Storage pool striping: Extent rotation” on page 151, and “Storage pool striping” on page 383.
 
Important: If you plan to use IBM Easy Tier (in particular, in automatic mode), select the All pools option to receive all of the benefits of Easy Tier data management. For more information, see 5.6, “Easy Tier” on page 156.
5. Consider other controls and monitoring when working with space-efficient volumes. For more information, see IBM DS8880 Thin Provisioning (Updated for Release 8.5), REDP-5343.
6. Configure the FC ports: Define the topology of the FC ports. The port type can be Switched Fabric or Fibre Channel Protocol (FCP) or Fibre Channel connection (IBM FICON).
7. Create the volume groups for open systems: Create volume groups where FB volumes are assigned.
8. Create the host connections for open systems: Define open systems hosts and their FC host bus adapter (HBA) worldwide port names (WWPNs). Assign volume groups to the host connections.
9. Create the open systems volumes: Create striped open systems FB volumes and assign them to one or more volume groups.
10. Create the IBM Z logical control units (LCUs): Define their type and other attributes, such as subsystem identifiers (SSIDs).
11. Create the striped IBM Z volumes: Create IBM Z CKD base volumes and parallel access volumes (PAV) aliases for them.
9.6 General storage configuration guidelines
Observe the following general guidelines when storage is configured in the DS8000:
To achieve a well-balanced load distribution, use at least two extent pools (also known as a pool pair), each assigned to a different internal server. If CKD and FB volumes are required on the same storage system, configure at least four extent pools: two for FB and two for CKD.
The volume type for the first volume that is created in an address group is either FB or CKD. That volume type determines the type for all other volumes (FB or CKD) in the entire address group. A volume is one of 256 in an LSS or LCU. An LSS is one of 16 in an address group (except address group F, which has only 15 LSSs). For more information about LSSs and address groups, see 4.4.5, “Logical subsystems” on page 124.
Volumes of one LCU or LSS can be allocated on multiple extent pools in the same rank group.
Assign multiple ranks to extent pools to take advantage of storage pool striping. Additionally, assign ranks from multiple device adapter (DA) pairs to an extent pool to spread the workload and increase performance. For more information, see 5.5.2, “Data placement in the DS8900F” on page 149.
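As an added example (not code from the Redbook or the DS CLI), the address-group, LSS and volume-type rules above can be applied to a planned volume list before the volumes are created. The even-LSS to Server 0 and odd-LSS to Server 1 mapping that it also checks is a DS8000 convention assumed here and is not stated on this page; the pool names and the plan are constructed.

```python
"""Validate a planned DS8900F volume layout against the addressing guidelines.

Added example; not code from the IBM Redbook or the DS CLI. Volume IDs use the
4-hex-digit form (e.g. 1A07): digit 1 = address group, digit 2 = LSS or LCU
within the group, digits 3-4 = volume number (0-255) within the LSS.
The even-LSS -> rank group 0 / odd-LSS -> rank group 1 rule is a DS8000
convention assumed here; the page itself only says pools belong to Server 0
or Server 1.
"""

def split_volume_id(vol_id):
    """Return (address_group, lss, volume) for a 4-hex-digit volume ID."""
    if len(vol_id) != 4:
        raise ValueError(f"bad volume ID {vol_id!r}")
    group, lss, vol = int(vol_id[0], 16), int(vol_id[1], 16), int(vol_id[2:], 16)
    if group == 0xF and lss == 0xF:          # address group F has only 15 LSSs
        raise ValueError(f"{vol_id}: LSS FF does not exist")
    return group, lss, vol

def check_layout(planned, pool_rankgrp):
    """planned: [(vol_id, 'fb'|'ckd', pool)] in creation order.
    pool_rankgrp: {pool: 0|1} (0 = Server 0, 1 = Server 1). Returns findings."""
    group_type = {}                           # first volume fixes the group type
    findings = []
    for vol_id, stgtype, pool in planned:
        group, lss, _vol = split_volume_id(vol_id)
        first = group_type.setdefault(group, stgtype)
        if first != stgtype:
            findings.append(f"{vol_id}: {stgtype} volume in address group {group:X} already typed {first}")
        if pool_rankgrp[pool] != lss % 2:     # assumed even/odd rank-group rule
            findings.append(f"{vol_id}: LSS {group:X}{lss:X} needs rank group {lss % 2}, "
                            f"but pool {pool} is in rank group {pool_rankgrp[pool]}")
    return findings

# Constructed plan: two FB pools (P0 on Server 0, P1 on Server 1) and two CKD pools.
POOLS = {"P0": 0, "P1": 1, "P2": 0, "P3": 1}
PLAN = [
    ("1000", "fb", "P0"),    # address group 1 becomes FB
    ("1100", "fb", "P1"),    # odd LSS 11 on a Server 1 pool: fine
    ("1200", "fb", "P1"),    # even LSS 12 on a Server 1 pool: wrong rank group
    ("1300", "ckd", "P3"),   # CKD volume in an FB address group: conflict
    ("2000", "ckd", "P2"),   # address group 2 becomes CKD
]

if __name__ == "__main__":
    for finding in check_layout(PLAN, POOLS):
        print(finding)
```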
The following options are available for FB pools:
 – Create a volume group for each server unless logical unit number (LUN) sharing is required.
 – Assign the volume group for one server to all of its host connections.
 – If LUN sharing is required, the following items provide two possible use cases (Figure 9-1 on page 245):
 • Application sharing: Create one volume group for each server. Assign the shared volumes in each volume group. Assign the individual volume groups to the corresponding server’s host connections. The advantage of this option is that you can assign private and shared volumes to each host.
 • Clustering: Create one common volume group for all servers. Place the shared volumes in the volume group and assign the volume group to the host connections.
Figure 9-1 LUN configuration for shared access
The following options are available for FC ports:
 – Configure a port to be FICON or FCP.
 – Distribute host connections of each type (FICON and FCP) evenly across the I/O enclosures.
 – Ensure that each host is connected to at least two different host adapters in two different I/O enclosures for redundancy and availability.
 – As a best practice, allow hosts to access all host adapter ports of the system.
 
Note: Avoid intermixing host I/O with Copy Services I/O on the same ports for performance reasons.