Dual control

Dual control functionality is provided for additional security starting with Copy Services Manager Version 6.2.5.

About this task

Dual control provides a higher level of security by requiring two authorized individuals to perform specific tasks or actions. When dual control is enabled on a Copy Services Manager (CSM) server, the security procedure ensures that two people with proper authority must agree before a given task or action is performed. This design protects the server against malicious actions by a single user and adds a safeguard for issued commands, because multiple individuals must concur on the task or action.

Dual control can be enabled or disabled through the GUI, and the dual control setting can be accepted or rejected in both the GUI and CLI. However, it can only be viewed in the GUI.

Enabling or disabling dual control requires two users with admin authority, at either the Admin or User Admin level. Approving or rejecting a dual control request requires two users who have authority for the type of command that was requested. Monitors never see requests because they cannot issue any actions.

Dual control modes

Dual Control can be enabled in one of two modes: Full Protection Mode and Safeguarded Copy Mode (SGC).

  • Full Protection Mode: Provides full Dual Control protection from malicious acts against the server.

  • Safeguarded Copy Mode (SGC): Implements Dual Control protection for administrative and Safeguarded Copy related actions, including:

    • Expire Backup, Terminate, and Restore Backup to Production commands for SGC Sessions.
    • Modification of Properties for SGC and Snapshot Sessions.
    • Removal of Copy Sets for SGC Sessions.
    • Removal of Sessions.
    • Modification, Disabling, or Removal of scheduled tasks associated with SGC and Snapshot sessions.

Offering two Dual Control modes, Full Protection Mode and Safeguarded Copy Mode (SGC), lets you balance flexibility against the level of protection required for critical operations.

Dual control requests

The following list details the types of dual control requests that are supported in Version 6.2.5:

Run command
    Any command action issued against a Copy Services Manager session. These actions include commands such as Start H1->H2, Suspend, Recover, Terminate, and Backup.
SnapGroup command
    A command against a snapgroup in a snapshot session for IBM Spectrum Accelerate devices.
Set Properties on a session
    Modifying the description or properties for a session.
Add/Remove Copy sets
    Adding or removing copy sets on a session.
Scheduled Task (modify, delete, enable, disable, run)
    Modifying, deleting, enabling, disabling, or running a scheduled task. Creating a scheduled task does NOT require dual control because the creation does not run or enable the schedule of the task.
    Note: After a task is enabled and approved by a second user, the task runs on the defined schedule automatically without requiring approval each time that it runs.
User Action (add access, delete access, modify access, create user, remove user)
    Managing users from the Administration tab.
Enable/Disable Dual Control on the server
    The act of turning dual control on or off on a Copy Services Manager server.
Set CG Name on a session
    Defining a consistency group name for a given session.
An active/standby setup command (set standby, set as standby) for high availability (HA)
    Defining a standby server and setting a server as a standby both require dual control. Additional rules apply for active/standby support with dual control.

Dual control request notifications

When dual control is enabled on a server, a request is created. This request displays under the Notifications->Dual Control Requests tab on the Copy Services Manager GUI Navigator (and corresponding Copy Services Manager CLI commands).

When one or more requests exist, a number appears next to the Notifications tab in the Navigator, alerting the requester and any valid approvers that there is a pending request. A valid approver is anyone who is NOT the requester and who has the authority to issue the command or task that was requested.
Example: If both John and Bob can manage session GMP, but Tim cannot, then when John issues a Start H1->H2 command to session GMP, both John and Bob can see the pending request, but Tim cannot.
The Notifications->Dual Control Requests panel displays all the requests in a table that lists the ID, Type, Requesting User, Time Requested, and Summary for each request. The requester sees a Cancel button next to the request and can cancel the request at any time before someone else approves it. Approvers see the Approve and Reject buttons. If the Approve button is selected, approvers are asked to confirm that they want to approve the request. If they do approve, the request is executed. If they choose to Reject the request, they can optionally enter a reason for the rejection. The request is then denied and removed from the table.
Important:
  1. When you enable a server for dual control, it is important to remember that all of the previously listed actions require two users to execute them. You must ensure that you always have at least two users defined on the server that is used to approve the actions. Otherwise, you might be locked out of issuing actions.
  2. Dual control can only be enabled or disabled by an Admin or User Admin, and therefore needs approval by another Admin or User Admin. So you must have at least two Admins or User Admins defined on the server.

When dual control is enabled and the Copy Services Manager server is restarted, or a High Availability takeover occurs, any pending dual control requests are automatically rejected, so no pending requests remain when the servers come back up.

When dual control is disabled, any pending dual control requests are automatically rejected.
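The request rules described above (a valid approver is anyone other than the requester who holds authority for the requested action, monitors see nothing, only the requester can cancel, and restart, takeover or disabling rejects all pending requests) as an added Python model. This is illustration code, not IBM Copy Services Manager code; the role names, the request-type names and the per-session authority check are assumptions.

```python
# Added model (not IBM CSM code) of the dual-control rules above; role names are assumed.
from dataclasses import dataclass, field
ADMIN_ROLES = {"admin", "user_admin"}         # assumed role names
ADMIN_ONLY = {"dual_control", "user_action"}  # request types needing Admin/User Admin

@dataclass
class User:
    name: str
    role: str                                   # admin | user_admin | operator | monitor
    sessions: set = field(default_factory=set)  # sessions this user may manage

    def can_issue(self, req_type, target=None):
        if self.role == "monitor":              # monitors cannot issue any action
            return False
        if req_type in ADMIN_ONLY:
            return self.role in ADMIN_ROLES
        return self.role in ADMIN_ROLES or target in self.sessions

@dataclass(eq=False)                            # compare requests by identity
class Request:
    req_type: str
    requester: User
    target: str = None
    state: str = "pending"                      # pending | approved | rejected | cancelled

def is_valid_approver(req, user):
    # Anyone who is NOT the requester and has authority for the requested action.
    return user is not req.requester and user.can_issue(req.req_type, req.target)

def visible_to(req, user):                      # requester and valid approvers see it
    return user is req.requester or is_valid_approver(req, user)

def decide(pending, req, user, approve):
    if req.state != "pending" or not is_valid_approver(req, user):
        raise PermissionError(f"{user.name} cannot decide on {req.req_type}")
    req.state = "approved" if approve else "rejected"
    pending.remove(req)
    return req.state

def cancel(pending, req, user):                 # only the requester, only while pending
    if req.state != "pending" or user is not req.requester:
        raise PermissionError("only the requester can cancel a pending request")
    req.state = "cancelled"
    pending.remove(req)

def restart_or_disable(pending):                # restart, HA takeover or disable
    for req in pending:                         # rejects every pending request
        req.state = "rejected"
    pending.clear()
```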

Active/standby design for dual control
Dual control for Copy Services Manager includes the following design considerations for the active/standby servers:
  • Active/standby support is handled by enabling dual control on the Define Standby and Set this Server as Standby commands ONLY.
  • If the active server has dual control enabled, the standby MUST also have dual control enabled before you attempt to create the connection.
  • If the standby server has dual control enabled, it is NOT necessary for the active server to have dual control enabled, although this scenario is highly unlikely and results in the standby losing dual control.
  • If dual control is enabled on the active server, the connection MUST be set up from the active server. If you attempt the connection from the standby, it fails. You cannot set a server as a standby of another without the active giving permission.
  • If dual control is enabled on both servers, approval to set up the connection is multi-phased and requires the approval first on the active server, and then on the standby server.
  • When dual control is enabled and the Define Standby or Set this Server as Standby command is called, a dual control request is created as in the following example:
    Feb 7, 2019 2:14:56 PM : csmadmin : IWNR2629I : User csmadmin requested command
    SET_STANDBY on the standby server. The time of the request is
    Thu Feb 07 14:14:56 CST 2019.
  • The Remove Active, Remove Standby, Takeover, and Reconnect commands do not need dual control. If the active/standby connection is already set up, then dual control has already approved the pairing. After the action is complete, dual control is still enabled, and all dangerous actions still require multiple users.
  • If an active/standby connection already exists, and is in a Connected or Synchronized state when attempting to set up dual control on the active server, then after dual control is approved by a second user, the dual control requirement is synchronized on the standby server. When a takeover is issued on the standby server, the standby server should automatically be in dual control mode as well (the takeover does not require dual approval).
    Important:
    • To avoid getting locked out of dual control actions after a takeover, you MUST ensure that two Admins (or User Admins) already exist on both the active and standby servers BEFORE you enable dual control.
    • It is VITAL to ensure there are at least two Admins or User Admins defined on both the active and standby servers. If not, a takeover might be issued where the standby ends up in dual control mode because the active server had dual control enabled. If the standby is in dual control without at least two Admins or User Admins defined, then you will be locked out of executing most actions, and will not have the ability to disable dual control or add additional users without a second admin. If this situation occurs, you will need to contact IBM Support.
The following table shows the possible variations of active/standby enablement and the expected results.
Table 1. Active/standby enablement variation and results

| Command issued | Active status | Standby status | Result |
|---|---|---|---|
| DEFINE STANDBY | Active dual control off | Standby dual control off | Sync completes without approvals |
| DEFINE STANDBY | Active dual control on | Standby dual control off | Approve Request on active fails and issues message IWNR3016E with reason code 124 (must enable dual control on standby) |
| DEFINE STANDBY | Active dual control on | Standby dual control on | Approve on active, approve on standby, and then sync should complete |
| DEFINE STANDBY | Active dual control off | Standby dual control on | Approve on standby, and then sync should complete |
| SET THIS SERVER AS STANDBY | Active dual control off | Standby dual control off | Sync completes without approvals |
| SET THIS SERVER AS STANDBY | Active dual control on | Standby dual control off | No approvals, but fails and issues message IWNR3016E with reason code 125 (must connect from active) |
| SET THIS SERVER AS STANDBY | Active dual control on | Standby dual control on | Approve Request on standby fails and issues message IWNR3016E with reason code 125 (must connect from active) |
| SET THIS SERVER AS STANDBY | Active dual control off | Standby dual control on | Approve on standby, and then sync should complete |