Known Issues and Limitations: IBM Storage Protect Plus server cloud solutions

Preventive Service Planning

Abstract

This document details the known issues and limitations for IBM Storage Protect Plus server cloud solutions.

Content

Note: The product now known as IBM Storage Protect Plus was named IBM Spectrum Protect Plus in levels earlier than 10.1.15. To learn more about the brand change, see IBM Spectrum Protect brand change to IBM Storage Protect.

This document is divided in to linked sections for ease of navigation. Use the following links to jump to the section of the document that you require

Limitations

Catalog backup fails, if the SSH key authentication is enabled on Azure cloud platform (internal reference #ISPP-18209)
Problem: The IBM Spectrum Protect Plus appliance catalog backup stops with "Failed to enable password-less ssh to vSnap server" after it was successfully upgraded to 10.1.7 or later versions.
On Azure - the SSH password authentication can be disabled - depending on clients choice during installation.
Problem verification: See technote: https://www.ibm.com/support/pages/node/6454249
Workaround: When you run vSnap on Cloud (Azure), the workaround on the previous technote isn’t enough. Extra steps are required to enable SSH password authentication that uses a vSnap user:

Identity the vSnap user that was registered into IBM Spectrum Protect Plus (If the deployment was done by using Azure catalog the default user would be admin).
SSH by using perm key into vSnap server.
Set up a password for the user by using passwd command along with the username
```
sudo passwd admin
```
set the password that was given to the vSnap user (during deployment or manually).
Edit sshd_config file:
```
sudo vi /etc/ssh/sshd_config
```
Find the Line containing 'PasswordAuthentication' parameter and change its value from 'no' to 'yes'
```
PasswordAuthentication yes
```
After this changes save file and exit.
Restart the SSH service.
```
service sshd restart
```
To verify ssh is working try to ssh into vSnap server itself using:
```
ssh admin@<vsnap_private_ip>
```

Affected: IBM Spectrum Protect Plus on Azure cloud platform.
Limitation: Valid for any vSnap server, upgraded to 10.1.7 or later and running on Azure cloud platform where SSH password authentication is disabled.

Permanent restrictions

Catalog backup fails, if the SSH key authentication is enabled on AWS cloud platform (internal reference #ISPP-16953)
Problem: The IBM Spectrum Protect Plus appliance catalog backup stops with "Failed to enable password-less ssh to vSnap server" after it was successfully upgraded to 10.1.7 or later versions.
On AWS - the SSH password authentication is disabled by default.
Problem verification: See technote: https://www.ibm.com/support/pages/node/6454249
Workaround: When you run vSnap on Cloud (AWS), the workaround on the previous technote isn’t enough. Extra steps are required to enable SSH password authentication that uses a vSnap user:

Identity the vSnap user that was registered into IBM Spectrum Protect Plus (If the deployment was done by using AWS catalog the default user would be admin).
SSH by using perm key into vSnap server.
Set up a password for the user by using passwd command along with the username
```
sudo passwd admin
```
set the password that was given to the vSnap user (during deployment or manually).
Edit sshd_config file:
```
sudo vi /etc/ssh/sshd_config
```
Find the Line containing 'PasswordAuthentication' parameter and change its value from 'no' to 'yes'
```
PasswordAuthentication yes
```
After this changes save file and exit.
Restart the SSH service.
```
service sshd restart
```
To verify ssh is working try to ssh into vSnap server itself using:
```
ssh admin@<vsnap_private_ip>
```

Affected: IBM Spectrum Protect Plus on AWS cloud platform.
Limitation: Valid for any vSnap server, upgraded to 10.1.7 or later and running on AWS cloud platform where SSH password authentication is disabled. Beginning with IBM Spectrum Protect Plus 10.1.14, the IBM Spectrum Protect Plus deployment on AWS cloud offering is removed from the marketplace. Therefore this limitation is a permanent restriction for IBM Spectrum Protect Plus on AWS cloud platform.

Online upgrade on AWS might fail if the upgrade run from Windows bastion host or by using VPN connection (internal reference #ISPP-16829, #ISPP-18150)
Problem: IBM Spectrum Protect Plus can be upgrade in 2 options: Online upgrade from the internet and offline upgrade.
On AWS, if IBM Spectrum Protect Plus was installed by using automation from AWS marketplace, online upgrade might fail if the upgrade is done through Windows bastion host or when connected through VPN.
In fact, the upgrade does take place and starts, but user loses connectivity to management console (with an error on screen) and cannot log in to IBM Spectrum Protect Plus GUI and management console.
The upgrade is running in the background and might take up to 2 hours to complete where client does have access to IBM Spectrum Protect Plus UI.
Problem verification: Start an online upgrade, choose a wanted IBM Spectrum Protect Plus version. The upgrade seems to start, but after few minutes the following error might occur:
Errors encountered while updating IBM Spectrum Protect Plus. 0 - {"isTrusted":true} Picture_ISPP-16829
Workaround:

Run an offline upgrade (manually uploading the IBM Spectrum Protect Plus upgrade file to management console).
Offline upgrade doesn’t ‘suffer’ from this issue and upgrade pass successfully.
Run online upgrade by using SSH tunneling and not by using Windows bastion host or VPN connectivity.
See instructions on how to establish SSH tunneling on IBM Spectrum Protect Plus on AWS Deployment Guide Appendix B (Access the IBM Spectrum Protect Plus web application by using SSH tunneling).
In case an online upgrade is already started, and a UI error occurred as previously described, wait for at least 2 hours. After 2 hours, try to log in to IBM Spectrum Protect Plus UI.
- In case the login was successful: the IBM Spectrum Protect Plus is upgraded to the required version.
- In case the UI is still not accessible: reboot IBM Spectrum Protect Plus server. This action would release the ‘stuck’ UI thread and retrieve access to the system.
IBM Spectrum Protect Plus is upgraded to the required version after the reboot and accessing the UI.

Affected: IBM Spectrum Protect Plus on AWS cloud platform.
Limitation: Valid for automatic deployment (by using marketplace) of IBM Spectrum Protect Plus V10.1.6 ifix2 on AWS. Beginning with IBM Spectrum Protect Plus 10.1.14, the IBM Spectrum Protect Plus deployment on AWS cloud offering is removed from the marketplace. Therefore this limitation is a permanent restriction for IBM Spectrum Protect Plus on AWS cloud platform.

Hybrid deployment with IBM Spectrum Protect Plus on later version than 10.1.6.2 would fail (internal reference #ISPP-18153)
Problem: On a hybrid solution, IBM Spectrum Protect Plus on AWS deploys vSnap only, while existing IBM Spectrum Protect Plus credentials are being provided during deployment for registration and more configuration steps. In case IBM Spectrum Protect Plus server is on a higher version than 10.1.6.2 the vSnap deployment might fail.
Problem verification: The vSnap nested-stack deployment fails with the following error (see under Events-tab):
PictureAWS_ISPP-18153
Workaround: It’s important to mention that most steps of the deployment are passed successfully and few last steps are failing to complete due to change in the IBM Spectrum Protect Plus version.
The vSnap server was deployed and installed. The vSnap repository is formatted and configured. The vSnap server is registered into IBM Spectrum Protect Plus.
The following steps are missing from the deployment:

Rerun hybrid deployment from IBM Spectrum Protect Plus on AWS marketplace. When you complete the stack parameters, make sure to disable rollback in a failure.
This time even though the deployment fails as expected, the created resources such as vSnap server, vSnap repository, security groups, stay active and can be used.
The vSnap server was deployed and installed. The vSnap repository is formatted and configured. The vSnap server is registered into IBM Spectrum Protect Plus.

The following steps are missing from the deployment:

Add AWS access or secret key (from storage account).
A dedicated user for AWS on IBM Spectrum Protect Plus function is created on AWS under IAM service. Look for a user called SPP_application_user*. Pull the access and secret keys and register them into IBM Spectrum Protect Plus.
Register AWS account by using the key added previously.
Register S3 bucket by using the key added previously. A bucket is created on AWS according to the bucket name that was provided during deployment.
Create new SLA to a new site created previously, called Cloud.

All those steps need to be completed manually by using the instructions on IBM Spectrum Protect Plus user guide.
Affected: IBM Spectrum Protect Plus on AWS cloud platform – hybrid deployment
Limitation: Valid for automatic deployment (by using marketplace) of IBM Spectrum Protect Plus 10.1.6 ifix2 (10.1.6.2) on AWS, for hybrid solution only. Beginning with IBM Spectrum Protect Plus 10.1.14, the IBM Spectrum Protect Plus deployment on AWS cloud offering is removed from the marketplace. Therefore this limitation is a permanent restriction for IBM Spectrum Protect Plus on AWS cloud platform.

Solved Limitations

Hybrid deployment with IBM Spectrum Protect Plus on later version than 10.1.7 would fail (internal reference #ISPP-18153)
Problem: On a hybrid solution, IBM Spectrum Protect Plus on Azure deploys vSnap only, while existing IBM Spectrum Protect Plus credentials are being provided during deployment for registration and more configuration steps. In case IBM Spectrum Protect Plus server is on a higher version than 10.1.7 the vSnap deployment might fail.
Problem verification: The vSnap resource deployment fails with the following error:
Pictrure_ISPP_18153
Click operation details and check the status message:

{
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
            {
                "code": "Conflict",
                "message": "{ (there is a long error message here … look for this text: [ERROR] MainThread Flow Manager: register access key, failed 
            }
        ]
    }
}

Workaround: It’s important to mention that most steps of the deployment are passed successfully and few last steps are failing to complete due to change in the IBM Spectrum Protect Plus version.
The vSnap server was deployed and installed. The vSnap repository is formatted and configured. The vSnap server is registered into IBM Spectrum Protect Plus.
The following steps are missing from the deployment:

Add Azure access or secret key (from storage account)
Register blob object storage bucket by using the key added previously. A bucket is created on Azure according to the bucket name that was provided during deployment.
Create new SLA to a new site created previously, called Cloud.

All those steps need to be completed manually by using the instructions on IBM Spectrum Protect Plus user guide.
Affected: IBM Spectrum Protect Plus on Azure cloud platform – hybrid deployment
Limitation: Valid for automatic deployment (by using marketplace) of IBM Spectrum Protect Plus 10.1.7 on Azure, for hybrid solution only. Solved with automatic deployment (by using marketplace) with IBM Spectrum Protect Plus later versions

CloudWatch is not activated when IBM Spectrum Protect Plus is deployed to AWS. (internal reference #ISPP-17223)
Problem: The CloudWatch service is not activated as part of the IBM Spectrum Protect Plus deployment to AWS.
CloudWatch is a monitoring service for AWS Cloud resources and the applications that you run on AWS. You can use CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.
Workaround:

Use an SSH connection to the IBM Spectrum Protect Plus server and the vSnap server. You can use the bastion server for the SSH connection. For instructions, see the “Update the SSH connection to the bastion host” topic in the IBM Spectrum Protect Plus on the AWS Cloud Deployment Guide.

Download package by issuing the following command:

#wget https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm

Install the package by issuing the following command:
```
#sudo rpm -i amazon-cloudwatch-agent.rpm
```

Create for the CloudWatch agent a configuration file, /root/SPP/bin/cloud/flow_manager/flow_utils/amazon-cloudwatch-agent.json, with the following content:

{
  "logs": {
    "force_flush_interval": 5,
    "logs_collected": {
      "files": {
        "collect_list": [
          { "file_path": "/root/SPP/bin/cloud/flow_manager/deploy_*.log",             
            "log_group_name": "{instance_id}/{ip_address}",
            "log_stream_name": "deploy.log",
            "timestamp_format": "%Y-%m-%d %H:%M:%S",
            "timezone": "UTC"
          },
         { "file_path": "/var/log/messages",             
            "log_group_name": "{instance_id} /{ip_address}",
            "log_stream_name": "/var/log/messages",
            "timestamp_format": "%Y-%m-%d %H:%M:%S",
            "timezone": "UTC"
          },
          { "file_path": "/root/SPP/bin/cloud/flow_manager/cloud_init_output.log",             
            "log_group_name": " {instance_id}/{ip_address}",
            "log_stream_name": "cloud_init_output.log",
            "timestamp_format": "%Y-%m-%d %H:%M:%S",
            "timezone": "UTC"
          }
        ]
      }
    }
  }
}

Run the Amazon CloudWatch agent by issuing the following command:

#sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/root/SPP/bin/cloud/flow_manager/flow_utils/amazon-cloudwatch-agent.json

Affected: IBM Spectrum Protect Plus on AWS cloud platform.
Limitation: Valid for automatic deployment (by using marketplace) of IBM Spectrum Protect Plus V10.1.6 ifix2 on AWS. Solved with automatic deployment (by using marketplace) with IBM Spectrum Protect Plus later versions.

Port 8090 is missing from the security group for IBM Spectrum Protect Plus on AWS and Azure. (internal reference #ISPP-17219)
Problem: The default security group for IBM Spectrum Protect Plus on AWS and Azure does not include a security rule for port 8090, which is required for the administrative console.
Workaround:

Create a security rule for port 8090 to enable connection to the administrative console.
Use the following links to find instructions for creating security rules:
AWS: make the following a link from the text AWS: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#adding-security-group-rules
Azure: make the following a link from the text Azure: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#create-a-security-rule

Affected: IBM Spectrum Protect Plus on Microsoft Azure cloud platform, IBM Spectrum Protect Plus on AWS cloud platform.
Limitation: Valid for automatic deployment (by using marketplace) of IBM Spectrum Protect Plus V10.1.6 ifix2 on AWS and IBM Spectrum Protect Plus V10.1.7 on Azure. Solved with automatic deployment (by using marketplace) with IBM Spectrum Protect Plus later versions.

IBM Spectrum Protect Plus on Azure Cloud - License update failure. (internal reference #SPP-15027, #ISPP-14886)
Problem: If you are running the IBM Spectrum Protect Plus server on Microsoft Azure cloud platform (all-on-cloud), you cannot update the 30-day trial license by using the IBM Spectrum Protect Plus user interface. The following message is displayed:

This issue does not apply if you are running the IBM Spectrum Protect Plus server on-premises in a hybrid environment.
Workaround:
The issue is resolved in IBM Spectrum Protect Plus V10.1.7.2. Upgrade to IBM Spectrum Protect Plus V10.1.7.2 or later and then update the license.

To solve the issue without upgrading to IBM Spectrum Protect Plus V10.1.7.2 or later, you must update the license file manually as shown in the following steps:

Log out of the IBM Spectrum Protect Plus user interface.
Connect to the IBM Spectrum Protect Plus server by using Secure Shell (SSH) and run the following command:
```
#sudo chmod 666 /opt/ECX/virgo/repository/ecx-usr/ECX.lic 
```
Start IBM Spectrum Protect Plus and log in as a superuser.
Browse for and upload the license file.

Affected: IBM Spectrum Protect Plus on Microsoft Azure cloud platform.
Limitation: Since V10.1.7 (Build 3040). Solved with V10.1.7.2 (Build 3102).

Related Information

Featured Documents: IBM Storage Protect Plus

Requirements Documents: IBM Storage Protect Plus

Download Documents: IBM Storage Protect Plus

IBM Spectrum Protect Plus documentation

IBM Spectrum Protect Plus on Microsoft Azure Deployment Guide

IBM Spectrum Protect Plus on AWS Deployment Guide

[{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSJEPVG","label":"IBM Storage Protect Plus"},"ARM Category":[{"code":"a8m0z0000001jgyAAA","label":"Troubleshooting"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Type":"MASTER"},{"Type":"MASTER","Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSNQFQ","label":"IBM Spectrum Protect Plus"},"ARM Category":[{"code":"a8m0z0000001jgyAAA","label":"Troubleshooting"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Tips

Known Issues and Limitations: IBM Storage Protect Plus server cloud solutions

Preventive Service Planning

Abstract

Content

Related Information

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?