IBM Virtualization Engine TS7700 Series Best Practices. TS7700 Logical WORM Best Practices

Transcription

1 IBM Virtualization Engine TS7700 Series Best Practices TS7700 Logical WORM Best Practices Jim Fisher Executive IT Specialist Advanced Technical Skills (ATS) Page 1 of 10

2 Contents Introduction...3 Cohasset Associates Report...3 Host Considerations...4 Protecting ACS Routines...4 Protecting Logical Volumes from Being Scratched...4 TS7700 Considerations...5 Data Class Default...5 Limit Access to Storage Construct Action Modification...5 Fast Ready Expire with Hold...9 Separate Category for WORM and Non-WORM Use Media 1 and Media Page 2 of 10

3 Introduction The TS7700 Virtualization Engine supports the logical write once, read many (WORM) function through TS7700 Virtualization Engine software emulation. The host views the TS7700 Virtualization Engine as a Logical WORM (LWORM) compliant library that contains WORM-compliant 3490E logical drives and media. The LWORM implementation of the TS7700 Virtualization Engine emulates physical WORM tape drives and media. The TS7700 Virtualization Engine provides the following functions: Provides an advanced function Data Class construct property that allows volumes to be assigned as LWORM-compliant during the volume s first mount, where a write operation from BOT is required, or during a volume s reuse from scratch, where a write from BOT is required. Generates, during the assignment of LWORM to a volume s characteristics, a temporary World Wide Identifier that is surfaced to host software during host software open and close processing, and then bound to the volume during first write from BOT. Generates and maintains a persistent Write-Mount Count for each LWORM volume and keeps the value synchronized with host software. Allows only appends to LWORM volumes using physical WORM append guidelines. Provides a mechanism through which host software commands can discover LWORM attributes for a given mounted volume. The LWORM implementation consists of two major components, the TS7700 itself and the host s Tape Management System (TMS). The TS7700 protects data from overwrite and modification and the TMS controls retention of the LWORM volume. A report from Cohasset Associates was commissioned by IBM to evaluate the TS7700 LWORM implementation. The report is referenced in the next section. This paper looks beyond the Cohasset report and provides best practices for protecting the solution from changes made to LWORM policies by unauthorized personnel. This paper also provides details of some of the items mentioned in the Cohasset Associates report. Cohasset Associates Report This technical report is a compliance assessment of the storage capabilities of the IBM Virtualization Engine TS7700 relative to the requirements and conditions of SEC Rule 17a-4(f). Its purpose is to obtain an independent and objective assessment of the TS7700 s capabilities to meet the requirements set forth in SEC Rule 17a-4(f). Cohasset Associates assessment concludes that the TS7700 meets all of the SEC requirements that are its direct responsibility for retaining and storing in digital form 17a-3 and 17a-4 records pursuant to the requirements set forth in Rule 17a-4(f), which expressly allows records to be retained on electronic storage media. Here is a pointer to the Cohasset Associates report: ftp://public.dhe.ibm.com/storage/tape/cai-ibmts7700techreport.pdf Page 3 of 10

4 Host Considerations Protecting ACS Routines The DFSMS Automatic Class Selection (ACS) routines are used to assign storage construct names for a logical volume scratch mount being directed to a TS7700. These constructs include Storage Group, Management Class, Storage Class, and Data Class. The Data Class construct is used to designate the logical volume as a Logical WORM (LWORM) volume. To make sure all logical volume mounts that were intended to be LWORM tapes, the ACS routines must be protected from being altered by an unauthorized person. This can be accomplished using RACF. Refer to the z/os DFSMSdfp Storage Administration manual for more information. F=all13be9&DT= &CASE=&searchTopic=TOPIC&searchText=TEXT&searchIndex=INDEX& rank=rank&scrolltop=firsthit#firsthit Protecting Logical Volumes from Being Scratched The Tape Management System (TMS), such as RMM or CA-1 is responsible for logical volume retention. Access to the ability to scratch a logical volume must be protected from unauthorized access. Also, using RMM, the scratching process can be changed to require a manual two-step process. RMM (Removable Media Manager) provides the ability to require manual action before allowing a logical volume to be returned to scratch. Below is an excerpt from an RMM manual. Check the CA-1 product or your TMS product to see if it has a similar capability. If you want to prevent logical WORM volumes returning to scratch automatically you can use the existing capability of the VLPOOL with RELEASEACTION(NOTIFY). This forces the NOTIFY release action for all volumes in the pool and requires you to issue RMM CV volser CRLSE(NOTIFY) to confirm the action before the REPLACE is handled automatically. Refer to existing DFSMSrmm Implementation & Customization Guide documentation for how to use NOTIFY and ensure it requires a manual action. tm Page 4 of 10

5 TS7700 Considerations The TS7700 defines the actions associated with the storage constructs that are passed to the TS7700 as part of a scratch mount. This includes the Data Class which is used to select Logical WORM. Be sure the appropriate Data Classes have the Logical WORM action set to Yes. Data Class Default The four storage constructs have default actions that can be altered. For a TS7700 that is exclusively using Logical WORM tapes, the default action should be set to specify the Logical WORM action. When the TS7700 receives a scratch mount request with an undefined storage construct, the TS7700 will automatically add the new construct name and assign the default actions. With the default set to Logical WORM, a previously unknown Data Class passed to the TS7700 will be given the action of a Logical WORM. The figure below shows the Modify Data Class panel for the default Data Class ( ) with Logical WORM being set as the action associated with the default. Figure 1 - Modify Data Class Panel Limit Access to Storage Construct Action Modification Similar to protecting modification of the ACS routines at the host, the construct actions need to be protected from alternation by an unauthorized person. This is accomplished by properly utilizing the Roles and Permissions settings on the TS7700 as well as assigning the appropriate role to a user account. The TS7700 provides four fixed roles; Administrator, Operator, Lead Operator, and Manager, as well as ten customizable roles. Each custom role can be defined to provide or deny access to selected, individual panels. For Logical WORM protect, be specifically concerned with the access to the storage construct panels associated with the Data Class construct. The fixed Operator role cannot modify, add, or delete any storage constructs. However, the Lead Operator, Manager, and Administrator roles can modify, add, or delete storage constructs and their associated actions. Any accounts created for users that should not have access to modifying, adding, or deleting storage constructs should be assigned the Operator Role or a custom role that denies access to the storage construct panels, especially Data Class. Page 5 of 10

6 It is also critical to only allow authorized users to create, modify, or delete user accounts. Both the Manager and Administrator roles are able to modify, add, and delete accounts. A custom role could also create, modify, or delete an account if the role is defined to allow this. The screenshot below shows the Roles & Permissions panel with the four fixed roles and six of the ten custom roles. As an example, Custom Role 1 will be modified to allow user Account and Roles & Permissions access. The example also makes an update to the role s name to make it more meaningful. Figure 2 - Roles & Permissions Panel Page 6 of 10

7 The screenshot below shows the panel used to define the access for one of the custom roles. Access to a panel is granted by checking the checkbox next to a panel name. In this example the panels associated with user account and roles are checked. This custom role will be able to create and modify custom roles and add, modify, and delete user accounts and their associated roles. This custom role is named Manage Users. Figure 3 - Modifying Custom Roles & Assigned Permissions - Account Management Page 7 of 10

8 The screenshot below also shows the panel used to define the access for one of the custom roles. Access to a panel is granted by checking the checkbox next to a panel name. In this example the panels associated with adding, modifying and deleting storage constructs are checked. This custom role will be able to add, modify, and delete storage constructs and their associated actions. This custom role is named Manage Constructs. Figure 4 - Modifying Custom Roles & Assigned Permissions - Construct Management Page 8 of 10

9 The screenshot below shows the addition of a new account, AdminJim, with a role of Manage Users and access to all clusters in the five cluster grid. Since the Manage Users role was defined to allow alteration of Roles and Permissions, AdminJim will be able to alter Roles and Permissions. Figure 5 - Adding an Account Panel In summary: 1. Control who can administer the user accounts and the actions available to each role. Make sure only authorized users can create, modify, or delete accounts. Also make sure only authorized users can modify the actions available to the custom roles. 2. Control which accounts can modify the storage construct actions, such as the actions associated with the Data Class, Logical WORM in particular. Fast Ready Expire with Hold As explained earlier, it is the Tape Management System (TMS) that controls when a logical volume is returned to scratch. The appropriate protections against unauthorized or inadvertent scratching of a Logical WORM volume should be in place. Additional protection can be provided at the TS7700 by utilizing the Fast Ready Expire with Hold functionality on the TS7700. Scratch categories are defined at the TS7700 to allow the TS7700 to quickly mount a scratch volume, thus the name fast ready. The fast ready categories should match the scratch categories defined by DEVSUP at the host. There are two optional parameters that can be set for each fast ready category; expire time and expire hold. Expire time defines the amount of time after a virtual volume is returned to the Fast Ready scratch category before its data content is automatically expired by the TS7700. Once expired, the TS7700 stops managing the logical volume at which point it can no longer be accessed. The logical volume will expire when either the expiretime passes or the scratch volume is needed to satisfy a scratch mount, whichever occurs first. The expire-time can be set from 1 hour to 365 days. Page 9 of 10

10 Expire hold causes the TS7700 to not allow a scratch logical volume s attributes to be altered or be used to satisfy a scratch mount for the full expire time. This essentially protects the data on the logical volume from being expired for the duration of the expire-time. Setting an expire-time and enabling the expire-hold capability you can provide a grace period where an inadvertent or unauthorized setting of a logical volume to scratch can be reversed. The TMS can be used to set the volume back to private. Starting with Release 2.1, the TS7700 allows an expire-held logical volume s category to be changed from its fast-ready category to a non-fast-ready category. Prior to Release 2.1, expire-hold must be temporarily turned off at the TS7700 in order to change the logical volume s category. The screenshot below shows scratch category 0012 being added as a fast-ready category with an expire-time of 365 days and with expire-hold set. Figure 6 - Add a Fast Ready Category with Expire Hold Separate Category for WORM and Non-WORM Use Media 1 and Media 2 In some TS7700 Logical WORM (LWORM) implementations all of the logical volumes are WORM tapes. In other TS7700 implementations some logical volumes are treated as normal volumes and others are treated as LWORMs. In the mixed case, the fast-ready category attributes for expire-hold will most likely need to be different. For example, it may be desirable to set an expire time of just a few days for a non-lworm scratched volume, but many days, perhaps 365 days, for LWORM volumes. This requires two scratch categories. The TS7700 supports media 1 and media 2 logical volumes. Each media type has a different category such as 0001 and 0002, or 0011 and 0012, and so forth. When the two both non-lworm and LWORM volumes need to be specified using a single DEVSUP definition, you can use one media type for LWORM and the other for non- LWORM volumes. This will allow you to have separate expire-hold settings for each media type with a single DEVSUP. Page 10 of 10