Re: FW: TDPO questions

2013-04-09 Thread Grigori Solonovitch
>>> I think you have that behaviour quite different from a fs backup because 
>>> you are dealing with RMAN, and at this point I do not know if there is any 
>>> way to lower the severity to Warning for that but if is the RMAN script to 
>>> fail in one of this points I do not think so.
I have set COPYPOOLNAMES in primary pool to have the both primary and copy 
files during export/import for nodes and then I hit problem with TDPO backups. 
RMAN is sending data to TDPO --> TDPO is sending data to TSM Client --> TSM 
Client is sending data to TSM Server --> TSM Server is failing. I do not think 
RMAN can see something on TSM Server. This is TSM problem.

> >>What's the output of the RMAN script in that when the job is failing due to 
> >>the copy pool not present?
RMAN-03009: failure of backup command on t1 channel at 04/07/2013 15:03:42
ORA-19502: write error on file "/LPAR01/vcen.07.0.1228.1.812127807", block 
number 1121 (block size=8192)
ORA-27030: skgfwrt: sbtwrite2 returned error
ORA-19511: Error received from media manager layer, error text:
ANS1315W (RC15)   Unexpected retry request. The server found an error while 
writing the data.

>>>Why do not make a separate job to copy the data from primary to copy pool?
It is a good question. According to setup decision to propagate files to copy 
pool is made by client site (export/import, TSM agent, etc).
I was running all copies by separate schedules for many years. Now I am not 
sure what is better write data in parallel to primary and copy pools during 
backup or write to primary pools and then propagate data to copy pools.
It is possible because I am using Data Domain VTL for primary pools replicated 
to disaster site and FILE copy pools.  I understand all possible problems with 
performance, but at the same time I prefer to save time as well.

Grigori G. Solonovitch
Senior Systems Architect  Ahli United Bank Kuwait  www.ahliunited.com.kw

Please consider the environment before printing this E-mail



CONFIDENTIALITY AND WAIVER: The information contained in this electronic mail 
message and any attachments hereto may be legally privileged and confidential. 
The information is intended only for the recipient(s) named in this message. If 
you are not the intended recipient you are notified that any use, disclosure, 
copying or distribution is prohibited. If you have received this in error 
please contact the sender and delete this message and any attachments from your 
computer system. We do not guarantee that this message or any attachment to it 
is secure or free from errors, computer viruses or other conditions that may 
damage or interfere with data, hardware or software.




Re: FW: TDPO questions

2013-04-09 Thread Carlo Zanelli
Thanks Grigori,

no matter how long is the chain after RMAN, rman only demand to the MML (in
this case TSM MML, namely the TDPO library) to write to the channel and
treat it as a black-box.
If something in that black box goes wrong he quits the run {} statement :
RMAN-03009: failure of backup command on t1 channel at 04/07/2013 15:03:42
and the process is marked as failed due to the returncode not equal to 0:
ANS1315W (RC15)   Unexpected retry request. The server found an error while
writing the data.

So I think that you have two ways here:
a- Ask support if exist a flag for tdpo to mask that failure so the
returncode to RMAN channel will be 0 also in case of failure on the copypool
b- Maintain two separate jobs for the RMAN backups. one to the primary
channel, another to copy that data to the copypool.




On Tue, Apr 9, 2013 at 9:46 AM, Grigori Solonovitch <
grigori.solonovi...@ahliunited.com> wrote:

> >>> I think you have that behaviour quite different from a fs backup
> because you are dealing with RMAN, and at this point I do not know if there
> is any way to lower the severity to Warning for that but if is the RMAN
> script to fail in one of this points I do not think so.
> I have set COPYPOOLNAMES in primary pool to have the both primary and copy
> files during export/import for nodes and then I hit problem with TDPO
> backups. RMAN is sending data to TDPO --> TDPO is sending data to TSM
> Client --> TSM Client is sending data to TSM Server --> TSM Server is
> failing. I do not think RMAN can see something on TSM Server. This is TSM
> problem.
>
> > >>What's the output of the RMAN script in that when the job is failing
> due to the copy pool not present?
> RMAN-03009: failure of backup command on t1 channel at 04/07/2013 15:03:42
> ORA-19502: write error on file "/LPAR01/vcen.07.0.1228.1.812127807", block
> number 1121 (block size=8192)
> ORA-27030: skgfwrt: sbtwrite2 returned error
> ORA-19511: Error received from media manager layer, error text:
> ANS1315W (RC15)   Unexpected retry request. The server found an error
> while writing the data.
>
> >>>Why do not make a separate job to copy the data from primary to copy
> pool?
> It is a good question. According to setup decision to propagate files to
> copy pool is made by client site (export/import, TSM agent, etc).
> I was running all copies by separate schedules for many years. Now I am
> not sure what is better write data in parallel to primary and copy pools
> during backup or write to primary pools and then propagate data to copy
> pools.
> It is possible because I am using Data Domain VTL for primary pools
> replicated to disaster site and FILE copy pools.  I understand all possible
> problems with performance, but at the same time I prefer to save time as
> well.
>
> Grigori G. Solonovitch
> Senior Systems Architect  Ahli United Bank Kuwait  www.ahliunited.com.kw
>



--
Eng. Carlo Zanelli
EMC Ireland, Co. Cork
Mobile: +353-(0)864569250, +39-3491419132


Re: FW: TDPO questions

2013-04-09 Thread Grigori Solonovitch
Thank you very much.

Grigori G. Solonovitch
Senior Systems Architect  Ahli United Bank Kuwait  www.ahliunited.com.kw



-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Carlo 
Zanelli
Sent: 09 04 2013 12:12 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] FW: TDPO questions

Thanks Grigori,

no matter how long is the chain after RMAN, rman only demand to the MML (in 
this case TSM MML, namely the TDPO library) to write to the channel and treat 
it as a black-box.
If something in that black box goes wrong he quits the run {} statement :
RMAN-03009: failure of backup command on t1 channel at 04/07/2013 15:03:42 and 
the process is marked as failed due to the returncode not equal to 0:
ANS1315W (RC15)   Unexpected retry request. The server found an error while
writing the data.

So I think that you have two ways here:
a- Ask support if exist a flag for tdpo to mask that failure so the returncode 
to RMAN channel will be 0 also in case of failure on the copypool
b- Maintain two separate jobs for the RMAN backups. one to the primary channel, 
another to copy that data to the copypool.




On Tue, Apr 9, 2013 at 9:46 AM, Grigori Solonovitch < 
grigori.solonovi...@ahliunited.com> wrote:

> >>> I think you have that behaviour quite different from a fs backup
> because you are dealing with RMAN, and at this point I do not know if
> there is any way to lower the severity to Warning for that but if is
> the RMAN script to fail in one of this points I do not think so.
> I have set COPYPOOLNAMES in primary pool to have the both primary and
> copy files during export/import for nodes and then I hit problem with
> TDPO backups. RMAN is sending data to TDPO --> TDPO is sending data to
> TSM Client --> TSM Client is sending data to TSM Server --> TSM Server
> is failing. I do not think RMAN can see something on TSM Server. This
> is TSM problem.
>
> > >>What's the output of the RMAN script in that when the job is
> > >>failing
> due to the copy pool not present?
> RMAN-03009: failure of backup command on t1 channel at 04/07/2013
> 15:03:42
> ORA-19502: write error on file "/LPAR01/vcen.07.0.1228.1.812127807",
> block number 1121 (block size=8192)
> ORA-27030: skgfwrt: sbtwrite2 returned error
> ORA-19511: Error received from media manager layer, error text:
> ANS1315W (RC15)   Unexpected retry request. The server found an error
> while writing the data.
>
> >>>Why do not make a separate job to copy the data from primary to
> >>>copy
> pool?
> It is a good question. According to setup decision to propagate files
> to copy pool is made by client site (export/import, TSM agent, etc).
> I was running all copies by separate schedules for many years. Now I
> am not sure what is better write data in parallel to primary and copy
> pools during backup or write to primary pools and then propagate data
> to copy pools.
> It is possible because I am using Data Domain VTL for primary pools
> replicated to disaster site and FILE copy pools.  I understand all
> possible problems with performance, but at the same time I prefer to
> save time as well.
>
> Grigori G. Solonovitch
> Senior Systems Architect  Ahli United Bank Kuwait
> www.ahliunited.com.kw
>



--
Eng. Carlo Zanelli
EMC Ireland, Co. Cork
Mobile: +353-(0)864569250, +39-3491419132






Re: FW: TDPO questions

2013-04-09 Thread Carlo Zanelli
You are welcome :-)


On Tue, Apr 9, 2013 at 10:34 AM, Grigori Solonovitch <
grigori.solonovi...@ahliunited.com> wrote:

> Thank you very much.
>
> Grigori G. Solonovitch
> Senior Systems Architect  Ahli United Bank Kuwait  www.ahliunited.com.kw
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Carlo Zanelli
> Sent: 09 04 2013 12:12 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] FW: TDPO questions
>
> Thanks Grigori,
>
> no matter how long is the chain after RMAN, rman only demand to the MML
> (in this case TSM MML, namely the TDPO library) to write to the channel and
> treat it as a black-box.
> If something in that black box goes wrong he quits the run {} statement :
> RMAN-03009: failure of backup command on t1 channel at 04/07/2013 15:03:42
> and the process is marked as failed due to the returncode not equal to 0:
> ANS1315W (RC15)   Unexpected retry request. The server found an error while
> writing the data.
>
> So I think that you have two ways here:
> a- Ask support if exist a flag for tdpo to mask that failure so the
> returncode to RMAN channel will be 0 also in case of failure on the copypool
> b- Maintain two separate jobs for the RMAN backups. one to the primary
> channel, another to copy that data to the copypool.
>
>
>
>
> On Tue, Apr 9, 2013 at 9:46 AM, Grigori Solonovitch <
> grigori.solonovi...@ahliunited.com> wrote:
>
> > >>> I think you have that behaviour quite different from a fs backup
> > because you are dealing with RMAN, and at this point I do not know if
> > there is any way to lower the severity to Warning for that but if is
> > the RMAN script to fail in one of this points I do not think so.
> > I have set COPYPOOLNAMES in primary pool to have the both primary and
> > copy files during export/import for nodes and then I hit problem with
> > TDPO backups. RMAN is sending data to TDPO --> TDPO is sending data to
> > TSM Client --> TSM Client is sending data to TSM Server --> TSM Server
> > is failing. I do not think RMAN can see something on TSM Server. This
> > is TSM problem.
> >
> > > >>What's the output of the RMAN script in that when the job is
> > > >>failing
> > due to the copy pool not present?
> > RMAN-03009: failure of backup command on t1 channel at 04/07/2013
> > 15:03:42
> > ORA-19502: write error on file "/LPAR01/vcen.07.0.1228.1.812127807",
> > block number 1121 (block size=8192)
> > ORA-27030: skgfwrt: sbtwrite2 returned error
> > ORA-19511: Error received from media manager layer, error text:
> > ANS1315W (RC15)   Unexpected retry request. The server found an error
> > while writing the data.
> >
> > >>>Why do not make a separate job to copy the data from primary to
> > >>>copy
> > pool?
> > It is a good question. According to setup decision to propagate files
> > to copy pool is made by client site (export/import, TSM agent, etc).
> > I was running all copies by separate schedules for many years. Now I
> > am not sure what is better write data in parallel to primary and copy
> > pools during backup or write to primary pools and then propagate data
> > to copy pools.
> > It is possible because I am using Data Domain VTL for primary pools
> > replicated to disaster site and FILE copy pools.  I understand all
> > possible problems with performance, but at the same time I prefer to
> > save time as well.
> >
> > Grigori G. Solonovitch
> > Senior Systems Architect  Ahli United Bank Kuwait
> > www.ahliunited.com.kw
> >
>
>
>
> --
> Eng. Carlo Zanelli
> EMC Ireland, Co. Cork
> Mobile: +353-(0)864569250, +39-3491419132
>
>
> 
>

Re: Moving TSM server from AIX to Linux

2013-04-09 Thread Lee, Gary
Yes.  Sparc.  That was a long time ago as well.

But trying doesn't cost anything but time.


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Thomas 
Denier
Sent: Thursday, April 04, 2013 10:45 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Moving TSM server from AIX to Linux

Was the Solaris system using SPARC processors? Solaris on SPARC
and Linux on IBM mainframe share the big-endian byte order. I
would be much less optimistic about a database backup and
restore involving platforms with opposite byte order, such as
a backup from AIX and a restore to Linux on x86.

Thomas Denier
Thomas Jefferson University Hospital

-Gary Lee wrote: -

>From: "Lee, Gary" 
>
>Haven't tried it with v6, but that's how I moved a server from
>solaris to suse linux.  The linux was running as a guest under VM on
>our mainframe.
>
>-Original Message-
>From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
>Of James Choate
>
>Is it really as easy as just installing a new server on the new
>platform and then restoring a db?
>
>I wasn't aware that you could restore a db across platforms.  I
>thought you would have to export/import the nodes out of the AIX
>server into the Linux server.
>
>-Original Message-
>From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
>Of Lee, Gary
>
>Shouldn't be a big deal.
>
>However, tougher with v6 than v5.
>
>You should be able to restore a db backup after installing the new
>server.
>
>Then, define storage pools, tape drives, and libraries as necessary.
>
>-Original Message-
>From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
>Of Troy A Cross
>
>I've been tasked with the project to move our TSM server from AIX to
>Linux (prefer RedHat or CentOS).
>
>Any pointers?
>
>Thanks, Troy


SAP RMAN full backup fails

2013-04-09 Thread Bo Krogholm Nielsen
Hi all,

I have a SAP BRBackup with RMAN, which after an Oracle upgrade fails.

Recovery Manager: Release 11.2.0.3.0 - Production on Tue Apr 9 11:52:22 2013

Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.

RMAN>
RMAN> connect target *
connected to target database: GQ1 (DBID=3371058019)
using target database control file instead of recovery catalog

RMAN> **end-of-file**

RMAN>
host command complete

RMAN> 2> 3> 4> 5> 6> 7> 8> 9>
executing command: SET BACKUP COPIES

allocated channel: sbt_1
channel sbt_1: SID=73 device type=SBT_TAPE
channel sbt_1: Data Protection for SAP(R)

allocated channel: sbt_2
channel sbt_2: SID=196 device type=SBT_TAPE
channel sbt_2: Data Protection for SAP(R)

Starting backup at 09-APR-13
channel sbt_1: starting incremental level 0 datafile backup set
channel sbt_1: specifying datafile(s) in backup set
input datafile file number=6 name=K:\ORACLE\GQ1\SAPDATA2\SR3_3\SR3.DATA3
input datafile file number=00018 name=K:\ORACLE\GQ1\SAPDATA2\SR3_15\SR3.DATA15
input datafile file number=00027 name=K:\ORACLE\GQ1\SAPDATA2\SR3_24\SR3.DATA24
channel sbt_1: starting piece 1 at 09-APR-13
channel sbt_2: starting incremental level 0 datafile backup set
channel sbt_2: specifying datafile(s) in backup set
input datafile file number=7 name=K:\ORACLE\GQ1\SAPDATA2\SR3_4\SR3.DATA4
input datafile file number=00019 name=K:\ORACLE\GQ1\SAPDATA2\SR3_16\SR3.DATA16
input datafile file number=00028 name=K:\ORACLE\GQ1\SAPDATA2\SR3_25\SR3.DATA25
channel sbt_2: starting piece 1 at 09-APR-13
RMAN-03009: failure of backup command on sbt_2 channel at 04/09/2013 12:35:00
ORA-19509: failed to delete sequential file, handle="GQ1_bekydgco.2816_1_1", parms="BLKSIZE=65536 ENV=(XINT_PROFILE=E:\oracle\GQ1\11203\database\initGQ1.utl,PROLE_PORT=57323,BR_CALLER=BRBACKUP,BR_BACKUP=FULL,BR_REQUEST=NEW,BR_RUN=bekydgco.fnr)"
ORA-27027: sbtremove2 returned error
ORA-19511: Error received from media manager layer, error text:
channel sbt_2 disabled, job failed on it will be run on another channel
released channel: sbt_1
released channel: sbt_2
RMAN-00571: ===
RMAN-00569: === ERROR MESSAGE STACK FOLLOWS ===
RMAN-00571: ===
RMAN-03009: failure of backup command on sbt_1 channel at 04/09/2013 12:35:07
ORA-19509: failed to delete sequential file, handle="GQ1_bekydgco.2815_1_1", parms="BLKSIZE=65536 ENV=(XINT_PROFILE=E:\oracle\GQ1\11203\database\initGQ1.utl,PROLE_PORT=57323,BR_CALLER=BRBACKUP,BR_BACKUP=FULL,BR_REQUEST=NEW,BR_RUN=bekydgco.fnr)"
ORA-27027: sbtremove2 returned error
ORA-19511: Error received from media manager layer, error text:

RMAN>
specification does not match any backup in the repository

RMAN>

Recovery Manager complete.
BR0280I BRBACKUP time stamp: 2013-04-09 12.35.10
BR0279E Return code from 'E:\oracle\GQ1\11203\BIN\rman nocatalog': 1
BR0522E 6 of 36 files / save sets processed by RMAN
BR0536E RMAN call for database instance GQ1 failed
BR0200I BR_TRACE: location BrRmanCall-56, commands for RMAN in: F:\oracle\GQ1\sapbackup\.bekydgco.cmd
@F:\oracle\GQ1\sapbackup\..bekydgco..cmd
host 'E:\usr\sap\GQ1\SYS\exe\uc\NTAMD64\brtools.exe -f delete F:\oracle\GQ1\sapbackup\..bekydgco..cmd';
run { set backup copies 1;
allocate channel sbt_1 device type 'SBT_TAPE'
parms 'BLKSIZE=65536 ENV=(XINT_PROFILE=E:\oracle\GQ1\11203\database\initGQ1.utl,PROLE_PORT=57323,BR_CALLER=BRBACKUP,BR_BACKUP=FULL,BR_REQUEST=NEW,BR_RUN=bekydgco.fnr)';
allocate channel sbt_2 device type 'SBT_TAPE'
parms 'BLKSIZE=65536 ENV=(XINT_PROFILE=E:\oracle\GQ1\11203\database\initGQ1.utl,PROLE_PORT=57323,BR_CALLER=BRBACKUP,BR_BACKUP=FULL,BR_REQUEST=NEW,BR_RUN=bekydgco.fnr)';
backup incremental level 0 tag bekydgco format 'GQ1_bekydgco.%s_%p_%c' filesperset 3 check logical
database;
release channel sbt_1;
release channel sbt_2; }
list backup of database tag bekydgco;
exit;

BR0280I BRBACKUP time stamp: 2013-04-09 12.35.10
BR0506E Full database backup (level 0) using RMAN failed

BR0056I End of database backup: bekydgco.fnr 2013-04-09 12.35.10
BR0280I BRBACKUP time stamp: 2013-04-09 12.35.12
BR0054I BRBACKUP terminated with errors


Full BRBackup was running fine before upgrade.
It's running on W2K8 R2 and SAP TSM Agent is 6.2.1.0.


Regards
Bo Nielsen
Senior Technology Consultant
Datacenter

DONG Energy
Nesa Allé 1
2820 
Gentofte

Tlf. +45 99 55 54 34

bo...@dongenergy.dk
www.dongenergy.com
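
Added example (not part of any message in this thread, and not IBM, Oracle or SAP code): a small triage script for the two RMAN error stacks quoted above, the TDPO one (t1 channel) and the BRBACKUP one (sbt_1/sbt_2). For each RMAN-03009 failure it reports the channel, the SBT call that failed, and whether the media manager layer returned any error text after ORA-19511. The function names, the shortened parms value in the sample, and the rule for where media manager text ends are assumptions of this example.

```python
import re

# Constructed sample input: the two error stacks quoted in this thread, with
# e-mail line wraps joined and the long parms="..." value shortened.
TDPO_LOG = """\
RMAN-03009: failure of backup command on t1 channel at 04/07/2013 15:03:42
ORA-19502: write error on file "/LPAR01/vcen.07.0.1228.1.812127807", block number 1121 (block size=8192)
ORA-27030: skgfwrt: sbtwrite2 returned error
ORA-19511: Error received from media manager layer, error text:
ANS1315W (RC15)   Unexpected retry request. The server found an error while
writing the data.
"""

BRBACKUP_LOG = """\
channel sbt_2: starting piece 1 at 09-APR-13
RMAN-03009: failure of backup command on sbt_2 channel at 04/09/2013 12:35:00
ORA-19509: failed to delete sequential file, handle="GQ1_bekydgco.2816_1_1", parms="BLKSIZE=65536 ..."
ORA-27027: sbtremove2 returned error
ORA-19511: Error received from media manager layer, error text:
channel sbt_2 disabled, job failed on it will be run on another channel
released channel: sbt_1
released channel: sbt_2
RMAN-00571: ===
RMAN-00569: === ERROR MESSAGE STACK FOLLOWS ===
RMAN-00571: ===
RMAN-03009: failure of backup command on sbt_1 channel at 04/09/2013 12:35:07
ORA-19509: failed to delete sequential file, handle="GQ1_bekydgco.2815_1_1", parms="BLKSIZE=65536 ..."
ORA-27027: sbtremove2 returned error
ORA-19511: Error received from media manager layer, error text:

RMAN>
"""

FAIL = re.compile(r"^RMAN-03009: failure of (\w+) command on (\S+) channel at (.+)$")
CODE = re.compile(r"^(ORA|RMAN)-(\d{5}): ?(.*)$")
SBT_CALL = re.compile(r"\b(sbt\w+) returned error")
TSM_MSG = re.compile(r"\b(ANS\d{4}[A-Z])\b(?:\s*\(RC(-?\d+)\))?")
# Assumption: lines starting like this are RMAN's own output, so they end the
# media manager's error text rather than belonging to it.
RMAN_OWN = re.compile(r"^(channel \S+|released channel|allocated channel|RMAN>)")


def parse_failures(log):
    """Return one dict per RMAN-03009 failure found in the log text."""
    failures, cur, in_mml = [], None, False
    for raw in log.splitlines():
        line = raw.strip()
        m = FAIL.match(line)
        if m:
            cur = {"command": m.group(1), "channel": m.group(2),
                   "when": m.group(3), "ora": [], "sbt_call": None,
                   "mml_text": ""}
            failures.append(cur)
            in_mml = False
            continue
        if cur is None:
            continue
        c = CODE.match(line)
        if c:
            in_mml = False
            if c.group(1) == "RMAN":      # a banner such as RMAN-00571 ends the stack
                cur = None
                continue
            cur["ora"].append("ORA-" + c.group(2))
            s = SBT_CALL.search(c.group(3))
            if s:
                cur["sbt_call"] = s.group(1)
            if c.group(2) == "19511":     # what follows comes from the media manager
                in_mml = True
                cur["mml_text"] = c.group(3).partition("error text:")[2].strip()
            continue
        if in_mml:
            if not line or RMAN_OWN.match(line):
                in_mml, cur = False, None
            else:
                cur["mml_text"] = (cur["mml_text"] + " " + line).strip()
    return failures


def triage(log):
    """Summarise failures as (channel, sbt_call, verdict, message id, return code)."""
    rows = []
    for f in parse_failures(log):
        msg = TSM_MSG.search(f["mml_text"])
        if "ORA-19511" not in f["ora"]:
            verdict = "oracle-side"
        elif not f["mml_text"]:
            verdict = "media-manager-no-text"
        else:
            verdict = "media-manager"
        msg_id = msg.group(1) if msg else None
        rc = int(msg.group(2)) if msg and msg.group(2) else None
        rows.append((f["channel"], f["sbt_call"], verdict, msg_id, rc))
    return rows


if __name__ == "__main__":
    for name, log in (("TDPO", TDPO_LOG), ("BRBACKUP", BRBACKUP_LOG)):
        for row in triage(log):
            print(name, row)
```
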


Re: Implementing Encryption

2013-04-09 Thread Zoltan Forray
Well folks, this project keeps changing.  Originally figured we would use
EKM/TKLM but then discussions brought it back to, why not just AME/TSM
handle the encryption - do we need to encrypt the DB?

So, while we are pending a response from the security/auditor folks about
AME being sufficient, the question arose asking "what if we implement AME
and then the power-that-be say it isn't good enough and they want the DB
encrypted as well, forcing us to move to LME"? How much of a pain-in-the..
would that be?  What is the impact?

On the subject of implementing AME, besides saying UPDATE DEVCLASS ..
 DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and
selecting "Encryption Method - Application Managed" and making sure all the
TS1130 drives have encryption turned - what else do I need to do?  How does
the robot know to talk to TSM for the keys?

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

> Zoltan, BTDTGTTS.
>
> You first decide if you want to use TSM-managed or externally-managed
> (EKM) encryption.
>
> With TSM encryption, it really is just as simple as creating a devclass
> and creating storage pools pointing to that devclass.
> (Plus you have to set the encryption mode on the logical library to
> application-managed.)
>
> TSM creates its own keys, stores them in the TSM DB, passes the keys to
> the drives and tells the drives to encrypt the tapes.
> The encryption is still done outboard by the hardware.
> Has the wonderful advantage of being simple, free, and unbreakable.
> Your hands never touch the keys, it's totally transparent to everybody.
>  You can't hurt it.
> No implications for DR.  No reason not to use it.
> TSM development doesn't get enough credit for making this easy and free.
>
> OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT
> tapes, nor BACKUPSET tapes.
>
> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server.  It is a pay-for product.
> But the cost of the software is trivial compared to the implementation
> cost.
> High learning curve.  Lots of testing required to make sure you can
> recover.
>
> You have to be careful about protecting the EKM; you have to recover the
> EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR
> situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management,
> certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>
> So if you have a requirement for encrypting backupsets, you need the EKM.
>   DEVCLASS change does not apply, as TSM knows nothing about the encryption.
>
> If all you have is a requirement that BACKUP DATA on your storage pool
> tapes (which isn't included in a DB backup tape) gets encrypted so that if
> a tape falls off a truck there is no exposure to PII, choose TSM encryption
> and just turn it on.
>
> W
>
>
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Zoltan Forray
> Sent: Thursday, April 04, 2013 9:41 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: [ADSM-L] Implementing Encryption
>
> I know this sounds strange, but we need to implement encryption on our
> TS1130 tapes.
>
> Never having done this, I need some help/suggestions/war-stories/etc on
> how to basically turn encryption on.  Is there a quick-and-dirty book on
> the subject?
>
> I understand the first thing would be to change the devclass for the tape
> drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are
> library managers).
>
> Then I saw something about EKM to manage the keys.  Is this also
> implemented on all TSM servers?
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zfor...@vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, social
> security number or confidential personal information. For more details
> visit http://infosecurity.vcu.edu/phishing.html
>



--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807


Export to tape, Import on another platform

2013-04-09 Thread Steven Langdale
Hello all

A quick one, If I do an export to tape (LTO3), from a Windows TSM 5.5
instance, can I import it into a 5.5 instance on AIX?

Thanks

Steven


Re: Export to tape, Import on another platform

2013-04-09 Thread Prather, Wanda
Yes.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Steven 
Langdale
Sent: Tuesday, April 09, 2013 3:02 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Export to tape, Import on another platform

Hello all

A quick one, If I do an export to tape (LTO3), from a Windows TSM 5.5 instance, 
can I import it into a 5.5 instance on AIX?

Thanks

Steven


Re: Export to tape, Import on another platform

2013-04-09 Thread James Choate
Or.
If you have server-to-server communication between the Windows TSM server and 
the AIX TSM server, you can export/import without going to tape.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Prather, Wanda
Sent: Tuesday, April 09, 2013 2:13 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: Export to tape, Import on another platform

Yes.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Steven 
Langdale
Sent: Tuesday, April 09, 2013 3:02 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Export to tape, Import on another platform

Hello all

A quick one, If I do an export to tape (LTO3), from a Windows TSM 5.5 instance, 
can I import it into a 5.5 instance on AIX?

Thanks

Steven


Re: Implementing Encryption

2013-04-09 Thread Alex Paschal

The real question is:  are you allowed to send the unencrypted keys (in
the unencrypted dbbackup) offsite in the same truck as the encrypted
tapes?  Or will you have to ship the dbbackup tape separately?

Or if you want to dodge that "gotcha," I suppose you could simply scp
the dbbackup to some server at another site, rather than sending the
dbbackup with your tapes.  Maybe rsync, because it can do block-level
incremental.  If you don't have a lot of change in your dbbackup, that
could save on bandwidth.


On 4/9/2013 9:39 AM, Zoltan Forray wrote:

Well folks, this project keeps changing.  Originally figured we would use
EKM/TKLM but then discussions brought it back to, why not just AME/TSM
handle the encryption - do we need to encrypt the DB?

So, while we are pending a response from the security/auditor folks about
AME being sufficient, the question arose asking "what if we implement AME
and then the power-that-be say it isn't good enough and they want the DB
encrypted as well, forcing us to move to LME"? How much of a pain-in-the..
would that be?  What is the impact?

On the subject of implementing AME, besides saying UPDATE DEVCLASS ..
  DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and
selecting "Encryption Method - Application Managed" and making sure all the
TS1130 drives have encryption turned - what else do I need to do?  How does
the robot know to talk to TSM for the keys?

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:


Zoltan, BTDTGTTS.

You first decide if you want to use TSM-managed or externally-managed
(EKM) encryption.

With TSM encryption, it really is just as simple as creating a devclass
and creating storage pools pointing to that devclass.
(Plus you have to set the encryption mode on the logical library to
application-managed.)

TSM creates its own keys, stores them in the TSM DB, passes the keys to
the drives and tells the drives to encrypt the tapes.
The encryption is still done outboard by the hardware.
Has the wonderful advantage of being simple, free, and unbreakable.
Your hands never touch the keys, it's totally transparent to everybody.
  You can't hurt it.
No implications for DR.  No reason not to use it.
TSM development doesn't get enough credit for making this easy and free.

OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT
tapes, nor BACKUPSET tapes.

With externally-managed encryption, the keys are managed by the EKM.
TSM doesn't know it's happening.
You set the encryption mode on the library to library-managed.
The EKM has to be run on a server.  It is a pay-for product.
But the cost of the software is trivial compared to the implementation
cost.
High learning curve.  Lots of testing required to make sure you can
recover.

You have to be careful about protecting the EKM; you have to recover the
EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)
It is possible (not likely, but possible) to get yourself in a DR
situation where NOBODY, including IBM, can read those encrypted tapes.
Test, test, CYA, test.
But with the EKM, your security group can control the key management,
certificate changing, etc.
And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

So if you have a requirement for encrypting backupsets, you need the EKM.
   DEVCLASS change does not apply, as TSM knows nothing about the encryption.

If all you have is a requirement that BACKUP DATA on your storage pool
tapes (which isn't included in a DB backup tape) gets encrypted so that if
a tape falls off a truck there is no exposure to PII, choose TSM encryption
and just turn it on.

W





-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Zoltan Forray
Sent: Thursday, April 04, 2013 9:41 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Implementing Encryption

I know this sounds strange, but we need to implement encryption on our
TS1130 tapes.

Never having done this, I need some help/suggestions/war-stories/etc on
how to basically turn encryption on.  Is there a quick-and-dirty book on
the subject?

I understand the first thing would be to change the devclass for the tape
drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are
library managers).

Then I saw something about EKM to manage the keys.  Is this also
implemented on all TSM servers?

--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html





Re: Export to tape, Import on another platform

2013-04-09 Thread Steven Langdale
Thanks Wanda.
James, I can't in this case - it's 3TB+ of data over a slow WAN link.

Thanks

Steven


On 9 April 2013 21:16, James Choate  wrote:

> Or.
> If you have server-to-server communication between the Windows TSM server
> and the AIX TSM server, you can export/import without going to tape.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Prather, Wanda
> Sent: Tuesday, April 09, 2013 2:13 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: Export to tape, Import on another platform
>
> Yes.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Steven Langdale
> Sent: Tuesday, April 09, 2013 3:02 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: [ADSM-L] Export to tape, Import on another platform
>
> Hello all
>
> A quick one, If I do an export to tape (LTO3), from a Windows TSM 5.5
> instance, can I import it into a 5.5 instance on AIX?
>
> Thanks
>
> Steven
>


Re: Implementing Encryption

2013-04-09 Thread Alex Paschal

Oh, sorry, rest of the question.  It's easy to convert from AME to LME -
create new library partition, new devclass, set up for LME. Rename some
stgpools and recreate them using the new devclass so you don't have to
modify your daily maintenance scripts or copygroups. Then attrition,
reclamation, or move data scripts.  Pretty much the same way you'd
handle any other media refresh.

I don't think there's anything else you need to do.  With AME, the robot
doesn't talk to TSM for the keys - it's done strictly at the tape drive
level.  TSM requests a tape mount, the robot moves the tape to the
drive, the drive mounts and sends the volser to TSM, TSM looks up the
data key in the db, sends the data key to the drive, the drive uses the
data key to encrypt.  It's described pretty well in the IBM System
Storage Open Systems Tape Encryption Solutions redbook.
http://www.redbooks.ibm.com/abstracts/sg247907.html

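The AME setup and the AME-to-LME conversion discussed in this thread, sketched as a TSM administrative macro. This is an added example, not taken from any poster's message: every object name (TS1130_AME, TS1130_LME, LIB_LME, TAPEPOOL, DISKPOOL, volume A00001) and the MAXSCRATCH value are placeholders, and the new library partition with its drives and paths is assumed to be already defined to TSM.

```text
/* Placeholder names throughout; adjust to your own devclasses and pools. */

/* --- AME: TSM generates the data keys and keeps them in its DB ------- */
/* Applies to storage pool volumes only; DB backup, EXPORT and BACKUPSET */
/* tapes written through this devclass are not encrypted.                */
UPDATE DEVCLASS TS1130_AME DRIVEENCRYPTION=ON
QUERY DEVCLASS TS1130_AME FORMAT=DETAILED

/* --- Later conversion to LME ----------------------------------------- */
/* LIB_LME is the new logical library, set to library-managed encryption */
/* on the TS3500. ALLOW means TSM does not manage keys; the library and  */
/* the key manager do.                                                   */
DEFINE DEVCLASS TS1130_LME DEVTYPE=3592 LIBRARY=LIB_LME DRIVEENCRYPTION=ALLOW

/* Keep the pool name that copy groups and maintenance scripts refer to: */
/* copy group destinations are stored by name and are NOT changed by a   */
/* rename, so they resolve to the recreated pool.                        */
RENAME STGPOOL TAPEPOOL TAPEPOOL_AME
DEFINE STGPOOL TAPEPOOL TS1130_LME MAXSCRATCH=200

/* Storage pool hierarchy pointers DO follow a rename, so repoint any    */
/* pool that migrated to the old tape pool.                              */
UPDATE STGPOOL DISKPOOL NEXTSTGPOOL=TAPEPOOL

/* Freeze the old pool, then drain it volume by volume. The old          */
/* AME partition needs a working drive, and the TSM DB must keep the     */
/* keys, until the last volume is empty.                                 */
UPDATE STGPOOL TAPEPOOL_AME ACCESS=READONLY
MOVE DATA A00001 STGPOOL=TAPEPOOL

/* Anything still listed here is still readable only with TSM-held keys. */
QUERY VOLUME STGPOOL=TAPEPOOL_AME
```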

Exchange 2010 backup fails with ACN6076, ACN6068

2013-04-09 Thread Prather, Wanda
TSM 6.3.3 on Win2K8-64
Exchange 2010

Two Exchange nodes in a DAG, each with multiple active mailbox DB's, running 
TDP for Exchange 6.4.0.0, TSM client 6.4.0.0.
(The passive DBs live at a DR site across a WAN, which is why I'm backing up 
the active ones.)

TDP Scheduled backup ran for a couple of weeks on both nodes with no problem.
Full backups only so far, as the DB's are still in circular logging mode.

2 nights ago the backups started failing on one mailbox on node A, and one 
mailbox on node B with:
ACN6076I < databaseName > cannot be backed up because its 'BackupInProgress' 
flag is set to 'True'. Check whether the database is being backed...

But there is no other TSM backup in progress.  The Exchange utility getmailbox 
shows the "backup in progress" flag is indeed set to "True".
Diskshadow shows no leftover shadows.
I found this hit that says we are essentially toast and will probably have to 
reboot.

http://www-01.ibm.com/support/docview.wss?uid=swg21626354

So my question is, what causes this situation and how do I prevent it happening 
again?



Wanda Prather  |  Senior Technical Specialist  | wanda.prat...@icfi.com  |  
www.icfi.com
ICF International  | 401 E. Pratt St, Suite 2214, Baltimore, MD 21202 | 
410.539.1135 (o)