IBM Support

System requirements: IBM Spectrum Protect™ Plus V10.1.3

Preventive Service Planning


Abstract

This document details the system requirements for installing IBM® Spectrum Protect™ Plus V10.1.3.

Content

This document is divided into linked sections for ease of navigation. Use the links below to jump to the section of the document you need.
 

General
Virtual machine installation
Browser support
IBM Spectrum Protect requirements
IBM Spectrum Protect Plus Ports
vSnap server requirements
VADP Proxy requirements
VADP Proxy on vSnap server requirements
Cloud offload requirements
 


General

Ensure that you have the required system configuration and browser to deploy and run IBM Spectrum Protect™ Plus.

IBM Spectrum Protect Plus support for third-party platforms, applications, services, and hardware is dependent on the third-party vendors. Once a third-party vendor product or version enters extended support, self-serve support, or end-of-life, IBM Spectrum Protect Plus will support it at the same level.
 


Back to top
 


Virtual machine installation

IBM Spectrum Protect Plus is installed as a virtual appliance. Before deploying to the host, ensure that you have the following requirements in place:

  • The correct VMware or Microsoft Hyper-V template

  • vSphere 5.5, 6.0, 6.5 or 6.7 or Microsoft Hyper-V 2016
    Note: For later versions of vSphere, the vSphere Web Client may be required to deploy IBM Spectrum Protect Plus appliances.

  • Network information and VMware host information

  • Either an available static IP address to use or access to DHCP

For initial deployment, configure your virtual appliance to meet the following recommended minimum requirements:

  • 64-bit 8-core machine

  • 48 GB memory

  • 536 GB disk storage for virtual machine

Use an NTP server to synchronize the time zones across IBM Spectrum Protect Plus resources in your environment, such as the IBM Spectrum Protect Plus appliance, storage arrays, hypervisors and application servers. If the clocks on the various systems are significantly out of sync, you may experience errors during application registration, metadata cataloging, Inventory, Backup, or Restore/File Restore jobs. For more information about identifying and resolving timer drift, see the following VMware knowledge base article: Time in virtual machine drifts due to hardware timer drift
 


Back to top
 


Browser support

Run IBM Spectrum Protect Plus from a computer that has access to the installed virtual appliance.
IBM Spectrum Protect Plus was tested and certified against the following web browsers.  Note that newer versions might also be supported.

  • Firefox 55.0.3

  • Google Chrome 60.0.3112

  • Microsoft Edge 40.15063

If your resolution is below 1024 x 768, some items may not fit on the window. Pop-up windows must be enabled in your browser to access the Help system and some IBM Spectrum Protect Plus operations.
 


Back to top
 


IBM Spectrum Protect requirements

  • If you plan to use IBM Spectrum Protect as a Repository Server for cloud offload, ensure you are using IBM Spectrum Protect Version 8.1.7.
     


Back to top
 


IBM Spectrum Protect Plus Ports

The following ports are used by IBM Spectrum Protect Plus and associated services. Note that ports marked as Accept use secure connections (https/ssl).
 

Table 1. Incoming Firewall Connections (IBM Spectrum Protect Plus Appliance)
IBM Spectrum Protect Plus
Port Protocol Firewall Rule Service Description
22 TCP Accept OpenSSH 5.3
(protocol 2.0)		 Used for troubleshooting IBM Spectrum Protect Plus.
443 TCP Accept A microservice running a reverse-proxy. Main entry point for the client connections (ssl)
5432 TCP Blocked PostgreSQL SQL RDBMS - Supports job management and some security related data and transactions.
5671 TCP, AMQP Accept RabbitMQ Message framework used to manage messages produced and consumed by the VADP proxy and VMware job management workers. Also facilitates job log management.
5672 AMQP Blocked RabbitMQ Message framework used to manage messages produced and consumed within the IBM Spectrum Protect Plus appliance.
8082 TCP Blocked Virgo Modular Java application server. Serves core functions for IBM Spectrum Protect Plus including the REST APIs.
8083 TCP Blocked NodeJs JavaScript server. Provides higher level APIs to the user interface leveraging the REST APIs running in Virgo.
8090 TCP Accept Administrative Console Framework (ACF) Extensible framework for system administration functions. Supports plugins that run operations such as system updates and catalog backup/restore.
8092 TCP Blocked ACF Plugin EMI Supports system update, certificate and license management.
8093 TCP Blocked ACF Plugin Catalog Backup/Recovery Performs backup and restore of the IBM Spectrum Protect Plus catalog data.
8761 TCP Accept Discovery Server Automatically discovers VADP proxies and is used by IBM Spectrum Protect Plus VM backup operations.
9090 TCP Accept Documentation Default port for the IBM Spectrum Protect Plus help system
27017 TCP Blocked MongoDB Persists configuration related documents for IBM Spectrum Protect Plus.
27018 TCP Blocked MongoDB Persists recovery meta data documents for IBM Spectrum Protect Plus.
Onboard vSnap server
Port Protocol Firewall Rule Service Description
111 TCP Accept RPC Port Bind Allows clients to discover ports that ONC (Open Network Connectivity) clients require to communicate with ONC servers (internal).
2049 TCP Accept NFS Used for NFS data transfer to/from vSnap (internal)
3260 TCP Accept iSCSI Used for iSCSI data transfer to/from vSnap (internal).
20048 TCP Accept NFS Used for NFS data transfer to/from vSnap (internal).



 

Table 2. Outgoing Firewall Connections (IBM Spectrum Protect Plus Appliance)
Port Protocol Service Description
22 TCP OpenSSH 5.3 (protocol 2.0) Used for ssh communications to remote servers running guest apps components.
25 TCP SMTP Email service.
389 TCP LDAP Active directory services.
443 TCP VMware ESXi Host ESXi host port for managing operations.
443 TCP VMware vCenter Client connections to vCenter.
636 TCP LDAP Active directory services (ssl)
902 TCP VMware NFC service Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default.
5985 TCP Windows Remote Management (WinRM) Hyper-V and guest apps client connections.
8098 TCP VADP Proxy Virtual machine data protection proxy.
8900 TCP vSnap OVA/Installer version of the intelligent storage framework used as a target for data protection operations.



Use the following diagram as guidance for the communication paths managed by IBM Spectrum Protect Plus. This picture can provide assistance for troubleshooting and network configuration for deployment scenarios.

  • The labeled resources in the gray background represent the core services of the IBM Spectrum Protect Plus virtual appliance.
  • The curved lines represent implicit communications.
  • The colors of the various modules represent different types of services as defined by the key, which is below the diagram.
  • The red rectangle represents the network firewall.
  • Services that appear on the red rectangle are indicative of the ports that are open on the firewall.
  • Dashed arrows represent communication among resources and services.
  • The arrow flows TOWARD the listening port.
  • The port numbers that need to be open are indicated by the LISTENING port. For example, the vSnap service is represented as being external to the IBM Spectrum Protect Plus virtual appliance. It is listening on port 8900 as well as other ports.
  • A component in the virtual appliance establishes a communication path with a connection to the vSnap service at port 8900.

Figure 1. IBM Spectrum Protect Plus virtual appliance image-20190703093203-2


Back to top


vSnap server requirements

A vSnap server serves as the primary backup destination for IBM Spectrum Protect Plus. In either a VMware or Hyper-V environment, one vSnap server with the name localhost is automatically installed at the time that the IBM Spectrum Protect Plus appliance is initially deployed. In larger backup enterprise environments, additional vSnap servers might be needed.

Note: Memory should be adjusted based on backup capacity for more efficient deduplication. Information here is general guideline. For more sizing guidance see also the IBM Spectrum Protect Plus Blueprints.

For initial deployment, ensure that your virtual machine or physical Linux machine meets the following recommended minimum requirements:

  • 64-bit 8-core machine

  • 32 GB memory

  • 16 GB free space on root file system

  • 128 GB free space in separate file system mounted at /opt/vsnap-data

The Linux Network Management service must be installed and running.

Optionally, an SSD improves backup and restore performance.

  • To improve backup performance, configure the pool to use one or more log devices backed by SSD. Specify at least two log devices to create a mirrored log for better redundancy.

  • To improve restore performance, configure the pool to use a cache device backed by SSD.
     


vSnap server virtual machine installation requirements

Before deploying to the host, ensure you have the following:

  • The correct VMware or Microsoft Hyper-V template

  • vSphere 5.5, 6.0, 6.5 or 6.7 or Microsoft Hyper-V 2016
    Note: For later versions of vSphere, the vSphere Web Client might be required to deploy IBM Spectrum Protect Plus IBM Spectrum Protect Plus appliances.

  • Network information and VMware host information

  • Either an available static IP address to use or access to DHCP
     


vSnap server physical installation requirements

IBM® Spectrum Protect™ Plus V10.1.3 provides new functionality that requires the kernel levels supported in RHEL 7.5 and CentOS 7.5. Use IBM® Spectrum Protect™ Plus V10.1.2 for physical vSnap V10.1.2 installations if you need to use operating systems earlier than RHEL 7.5 and CentOS 7.5.

The following Linux operating systems are supported for IBM® Spectrum Protect™ Plus V10.1.3 physical vSnap server installations:

  • CentOS 7.1804 (7.5) (x86_64)

  • CentOS 7.1810 (7.6) (x86_64) (beginning with v10.1.3 patch1)

  • RedHat Enterprise Linux 7.5 (x86_64)

  • RedHat Enterprise Linux 7.6 (x86_64) (beginning with v10.1.3 patch1)

If you are using the following operating systems, use IBM® Spectrum Protect™ Plus V10.1.2 for physical vSnap server V10.1.2 installations:

  • CentOS Linux 7.3.1611 (x86_64)

  • CentOS Linux 7.4.1708 (x86_64)

  • RedHat Enterprise Linux 7.3 (x86_64)

  • RedHat Enterprise Linux 7.4 (x86_64)
     


vSnap server ports

The following ports are used by vSnap servers. Note that ports marked as Accept use a secure connection (https/ssl).
 

Table 3. Incoming vSnap server Firewall Connections
Port Protocol Firewall Rule Service Description
22 TCP Accept SSH Used for troubleshooting vSnap server.
111 TCP Accept RPC Port Bind Allows clients to discover ports that ONC (Open Network Connectivity) clients require to communicate with ONC servers (internal).
137 UDP Accept SMB/CIFS Used for SMB/CIFS data transfer to/from vSnap server (internal).
138 UDP Accept SMB/CIFS Used for SMB/CIFS data transfer to/from vSnap server (internal).
139 TCP Accept SMB/CIFS Used for SMB/CIFS data transfer to/from vSnap server (internal).
445 TCP Accept SMB/CIFS Used for SMB/CIFS data transfer to/from vSnap server (internal).
2049 TCP Accept NFS Used for NFS data transfer to/from vSnap server (internal).
3260 TCP Accept iSCSI Used for iSCSI data transfer to/from vSnap server (internal).
8900 TCP Accept HTTPS vSnap server REST APIs
20048 TCP Accept NFS Used for NFS data transfer to/from vSnap server (internal).


 


Back to top
 


VADP Proxy requirements

In IBM Spectrum Protect Plus, running virtual machine backup jobs through VADP can be taxing on system resources. By creating VADP backup job proxies, you enable load sharing and load balancing for your IBM Spectrum Protect Plus backup jobs. If proxies exist, the entire processing load is shifted off the IBM Spectrum Protect Plus appliance and onto the proxies.
This feature has been tested only for SUSE Linux Enterprise Server and Red Hat environments. It is supported only in 64-bit quad core or higher configurations with a minimum kernel of 2.6.32.

VADP Proxies support the following VMware transport modes: File, SAN, HotAdd, NBDSSL, and NBD. For more information about VMware transport modes, see the following VMware article: https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vddk.pg.doc%2FvddkDataStruct.5.5.html .

This feature is supported only in 64-bit quad core or higher configurations in the following Linux environments:

  • CentOS Linux 6.5+ (beginning with 10.1.1 patch 1)

  • CentOS Linux 7.0+ (beginning with 10.1.1 patch 1)

  • Red Hat Enterprise Linux 6, Fix pack 4 or later

  • Red Hat Enterprise Linux 7, all updates are supported

  • SUSE Linux Enterprise Server 12, all updates are supported
     

Note: Information here is general guideline. For more sizing guidance see also the IBM Spectrum Protect Plus Blueprints.

For initial deployment of a VADP proxy server, ensure that your Linux machine meets the following minimum requirements:

• 64-bit quad core processor

• 8 GB RAM required, 16 GB recommended

• 60 GB free disk space

Note: Increase of used CPUs and/or concurrency on the VADP proxy server, requires tha the memory allocated on the proxy server should also increased accordingly.

The proxy must have the ability to mount NFS file systems, which in many cases requires an NFS client package to be installed. The exact package details vary based on the distribution, but are required for VADP proxy usage.
Each proxy must have a fully qualified domain name and must be able to resolve and reach vCenter.
vSnap servers must be reachable from the proxy. If a firewall is active on the proxy, the following ports on the vSnap server must be reachable (both TCP and UDP): 111, 2049, and 20048.
Port 8080 on the VADP proxy server must be open when the proxy server firewall is enabled. If the port is not open, VADP backups will run on local vmdkbackup instead of the VADP proxy server.


VADP Proxy Ports

The following ports are used by VADP proxies. Note that ports marked as Accept use a secure connection (https/ssl).
 

Table 4. Incoming VADP Proxy Firewall Connections
Port Protocol Firewall Rule Service Description
22 TCP Accept SSH Port 22 is used to push the VADP Proxy to the host node.
8098 TCP Accept VADP Default port for TLS-based REST API communications between the IBM Spectrum Protect Plus server and the VADP proxy

    Table 5. Outgoing VADP Proxy Firewall Connections
    Port Protocol Service Description
    111 TCP vSnap RPC Port Bind Allows clients to discover ports that Open Network Connectivity (ONC) clients require to communicate with ONC servers.
    443 TCP VMware ESXi Host/vCenter Client connections to vCenter.
    902 TCP VMware ESXi Host Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default.
    2049 TCP vSnap NFS Used for NFS file sharing via vSnap server.
    5671 TCP RabbitMQ Message framework used to manage messages produced and consumed by the VADP proxy and VMware job management workers. Also facilitates job log.
    8761 TCP Discovery Server Automatically discovers VADP proxies and is used by IBM Spectrum Protect Plus VM backup operations.
    20048 TCP vSnap mount Mounts vSnap file systems on clients such as the VADP proxy, application servers, and virtualization data stores.

      Note: VADP Proxies can be pushed and installed to Linux-based servers over SSH port 22.
       


      Back to top
       


      VADP Proxy on vSnap server requirements

      VADP proxies can be installed on vSnap servers in your IBM Spectrum Protect Plus environment. A combination VADP proxy/vSnap server must meet the minimum requirements of both devices. Consult the system requirements of both devices and add the core and RAM requirements together to identify the minimum requirements of the combination VADP proxy/vSnap server.
      Ensure that your combination VADP proxy/vSnap server meets the following recommended minimum requirements, which is the sum of the requirements for each device.

      VADP proxy installed on a virtual vSnap server:

      • 64-bit 8-core processor

      • 48 GB RAM

      All required VADP proxy and vSnap server ports must be open on the combination VADP proxy/vSnap server. Review the VADP proxy and vSnap Ports sections of the system requirements for more information.
       


      Back to top
       


      Cloud offload requirements

      To offload data to cloud storage, ensure that your IBM Spectrum Protect Plus and cloud environments meet the following requirements:


      Disk cache area

      For all functionality related to offload or restore from the cloud, the vSnap server requires a disk cache area to be present on the vSnap server. During offload operations, this cache is used as a temporary staging area for objects that are pending upload to the cloud endpoint. During restore operations, it is used to cache downloaded objects as well as to store any temporary data that may be written into the restore volume. Most of the cache space is freed up at the end of each offload or restore, but a small amount may continue to be used to cache metadata that will be used to speed up subsequent operations.
      The cache area must be configured in the form of an XFS filesystem mounted at /opt/vsnap-data on the vSnap server. If this mount point is not configured, offload or restore jobs will fail with the error: "Cloud functionality disabled: Data disk /opt/vsnap-data is not configured."

      Note: Do not unmount or manipulate files under /opt/vsnap-data while any offload or restore jobs are active. Once you have ensured that no jobs are active, it is safe to perform any maintenance activities such as unmounting and reconfiguring the cache area. The data stored under /opt/vsnap-data is also safe to delete as long as no offload or restore jobs are active. Deleting this data may result in the vSnap server having to re-download it from the cloud endpoint during the next offload or restore operation, which in turn, may introduce a small delay during the job.
       

      For new installations of vSnap 10.1.3:

      • When vSnap is deployed as a virtual appliance, the cache area is already present as a pre-configured 128 GB data disk mounted at /opt/vsnap-data.

      • When vSnap is installed on a custom server, the cache area must be configured manually.

      For systems upgraded from vSnap 10.1.2 to 10.1.3:

      • A default pre-configured cache area of 128 GB may already be present and mounted at /opt/vsnap-data if the system was previously deployed as a virtual appliance starting with vSnap 10.1.2. If the system was previously upgraded from vSnap 10.1.1, the cache area is not present. 

      • Use the "df" command on the vSnap server to confirm the presence of this mount point. If the pre-configured mount point is not present, it must be configured manually.

        Note: Instructions for sizing and installing cache see in Cloud offload configuration document
         


      Certificate requirements

      1. Self-signed certificates
        If the cloud endpoint or repository server uses a self-signed certificate, the certificate must be specified (in Privacy Enhanced Mail (PEM) format) while registering the cloud/repository server in the IBM Spectrum Protect Plus user interface.

      2. Certificates signed by private Certificate Authority
        If the cloud endpoint or repository server uses a certificate signed by a private Certificate Authority (CA), the endpoint certificate must be specified (in PEM format) while registering the cloud/repository server in the IBM Spectrum Protect Plus user interface.
        In addition, the root/intermediate certificate of the private CA must be added to the system certificate store in each vSnap server using the following procedure:

        1. Login to the vSnap server console as the "serveradmin" user and upload the private CA
          certificate(s) (in PEM format) to a temporary location

        2. Copy each certificate file to the system certificate store directory /etc/pki/ca trust/source/anchors/
          $ sudo cp /tmp/private-ca-cert.pem /etc/pki/ca-trust/source/anchors/

        3. Run the following command to update the system certificate bundle in order to incorporate the newly added custom certificate:
          $ sudo update-ca-trust

      3. Certificates signed by public Certificate Authority
        If the cloud endpoint uses a public CA-signed certificate, no special action is needed. vSnap server will validate the certificate using the default system certificate store.
         


      Network requirements

      The following ports are used for communication between vSnap servers and cloud or repository server endpoints.

      Table 6. Outgoing vSnap server firewall connections
      Port Protocol Service Description
      443 TCP HTTPS Allows vSnap to communicate with Amazon S3, Azure, or IBM Cloud Object Storage endpoints.
      9000 TCP HTTPS Allows vSnap to communicate with IBM Spectrum Protect (Repository Server) endpoints.


      If there are any firewalls or network proxies that perform SSL Interception or Deep Packet Inspection for traffic between vSnap servers and cloud endpoints, this may interfere with SSL certificate validation on vSnap servers and may cause cloud offload job failures. To prevent this, the vSnap servers must be exempted from SSL interception/inspection in the firewall/proxy configuration.
       


      Cloud provider requirements

      Native lifecycle management is not supported. IBM Spectrum Protect Plus manages the lifecycle of uploaded objects automatically using an incremental-forever approach where older objects may still be used by newer snapshots. Automatic or manual expiration of objects outside of IBM Spectrum Protect Plus will lead to data corruption.
      If the cloud provider uses an SSL certificate that is self-signed or signed by a private Certificate Authority, see Certificate requirements section.

      • Amazon S3 cloud storage offload requirements
        When the cloud provider is registered in IBM Spectrum Protect Plus, a pre-created bucket in one of the supported storage tiers must be specified: S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access, and S3 One Zone-Infrequent Access.
         

      • IBM Cloud Object Storage offload requirements
        When the cloud provider is registered in IBM Spectrum Protect Plus, a pre-created bucket must be specified. If the specified bucket has a WORM policy that locks objects for a certain time period, IBM Spectrum Protect Plus will automatically detect the configuration and delete snapshots after the WORM policy removes the lock.
         

      • Microsoft Azure offload requirements
        When the cloud provider is registered in IBM Spectrum Protect Plus, a pre-created container in a hot or cool storage account must be specified.
         

      • Repository Server offload requirements
        When the cloud provider is registered in IBM Spectrum Protect Plus, you cannot use a pre-created bucket. IBM Spectrum Protect Plus  will create a uniquely named bucket for its own use.

      For quick start information to help you to set up and offload data to specific cloud providers, see technote: Data offload to cloud object storage with IBM Spectrum Protect Plus


      Back to top
       

      [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSNQFQ","label":"IBM Spectrum Protect Plus"},"Component":"Not Applicable","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"10.1.3","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

      Document Information

      Modified date:
      30 September 2019

      UID

      ibm10743059

      Page Feedback