FAQ

Here are some of the frequently asked questions, contact information, legal information, and support policies.

Deployment

How do I provision an NPSaaS instance and where do I get the credentials from?

To provision an NPSaaS instance, go to Provisioning NPSaaS instances.

How do I download the nz tool?
See https://cloud.ibm.com/docs/netezza?topic=netezza-nztool.

Architecture

What does the NPSaaS architecture look like?
See more information at Learning about NPSaaS architecture and workload isolation.

Security

Would NPSaaS use OAuth or SAML? If it is SAML, what is the Entity ID and ACS? The solution is for Netezza authentication to work with a Single sign-on solution such as Ping that we use for multi-factor authentication. What is the solution for this issue?
See https://cloud.ibm.com/docs/netezza?topic=netezza-samloverview.

Provisioning and networking

What are the prerequisites for setting up a private endpoint to access NPSaaS?
To set up private endpoints, follow this procedure:
  1. Select the connectivity type as private during provisioning. This sets up the instance with private endpoints.
  2. To connect to the private endpoint, enable the private endpoint from the console to generate a private link alias, which is then used to connect to the customer's private endpoint. For more details, see Connecting to NPSaaS by using private endpoints.
What are the encryption controls for data at rest?
Netezza-as-a-Service has security built into its architecture. The following methods are used to secure your connection and data:
  1. All the connections to the database server are TLS1.2 connections.
  2. Netezza Performance Server uses ECDHE-RSA-AES256-GCM-SHA384 Cipher with 2048 bit key size for TLS communication.
  3. User data are stored on secure reliable storage (as a service) from the cloud providers (IBM Cloud block storage or Azure Premium disks while using Azure).
  4. The data are encrypted at rest by the cloud provider itself, in this case Azure.
  5. Backups are stored on Cloud Object Storage (COS) and are geo-replicated as well as encrypted by cloud provider at rest and in transit.
Encryption key strength?
Netezza Performance Server uses ECDHE-RSA-AES256-GCM-SHA384 Cipher with 2048 bit key size for TLS communication.
Who manages the encryption keys?
For NPSaaS, IBM manages the encryption keys.
Will industry standard encryption be used for transit of data and non-encrypted transit of data be disabled?
The Netezza Performance Server system supports SSL for encrypting communication with Netezza Performance Server client users and peer authentication between the client and Netezza Performance Server host. This encryption protects the communication for the client users who access their data by using ODBC, JDBC, nzsql, or the command-line interfaces. The peer authentication process uses a digital certificate from the Netezza Performance Server system to confirm the identity of the clients and host. This together ensures the secure transit of data throughout the NPS system.

It should also be noted that non-encrypted data transfer would be disabled on the instance by default.
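A way to check the TLS statements above from a client, as an added example that is not IBM's code: it compares the negotiated protocol and cipher suite with the values given in this FAQ, and tries a connection that is pinned to exactly those values. It assumes an endpoint that speaks TLS from the first byte (such as an HTTPS URL); the host, port and CA file passed on the command line are placeholders.

```python
import socket
import ssl
import sys

# Values stated in this FAQ for NPSaaS connections.
EXPECTED_VERSION = "TLSv1.2"
EXPECTED_CIPHER = "ECDHE-RSA-AES256-GCM-SHA384"


def pinned_context(cafile=None):
    """Client context that can only negotiate the documented protocol and suite."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(EXPECTED_CIPHER)
    return ctx


def deviations(version, cipher):
    """Compare SSLSocket.version() and SSLSocket.cipher() output with the FAQ."""
    name, _protocol, secret_bits = cipher
    found = []
    if version != EXPECTED_VERSION:
        found.append(f"protocol is {version}, FAQ states {EXPECTED_VERSION}")
    if name != EXPECTED_CIPHER:
        found.append(f"cipher suite is {name}, FAQ states {EXPECTED_CIPHER}")
    if secret_bits < 256:
        found.append(f"symmetric key is {secret_bits} bits, AES256 needs 256")
    return found


def handshake(host, port, ctx, timeout=10.0):
    """Return (version, cipher) after a verified handshake; raises on failure."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()


def audit(host, port=443, cafile=None):
    """What the server picks by default, and whether the pinned context connects."""
    report = {"default": deviations(*handshake(
        host, port, ssl.create_default_context(cafile=cafile)))}
    try:
        handshake(host, port, pinned_context(cafile))
        report["pinned_ok"] = True
    except (ssl.SSLError, OSError):
        report["pinned_ok"] = False
    return report


if __name__ == "__main__":
    # Placeholder usage: python tls_check.py <hostname> [port] [ca.pem]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(audit(host, port, cafile))
```

An empty "default" list together with "pinned_ok": True means the endpoint negotiated the documented values and accepts a client that offers nothing else.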

Connectivity

How do we connect to NPSaaS environment?
See https://cloud.ibm.com/docs/netezza?topic=netezza-connecting-overview.
What is NPSaaS SLA and number
See https://www.ibm.com/support/customer/csol/terms/internal?id=Z126-8005&lc=en and https://www.ibm.com/support/customer/csol/terms/internal?id=i126-9268&lc=en#detail-document.
How to get .pem certificates for connectivity to NPSaaS?
Open a case in IBM support.
IBM terms:
See https://www.ibm.com/support/customer/csol/terms?id=i126-9288&lc=en#detail-document.
IBM DPA
See https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/softwareReqsForProduct?deliverableId=1E039090754711EB8B57E58A521A0F2A.

Cost

What are the parameters driving most cost in Netezza on Azure? How are costs calculated?
Cost depends on the size of the contour and the storage specified. There is also an egress charge when moving data out of NPSaaS.

Database Administration

Where do I download the NPSaaS drivers from?
NPSaaS drivers can be downloaded from the following path: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FIBM+Cloud+Private+for+Data+System&release=NPS_11.2&platform=All&function=fixId&fixids=11.2.2.1-WS-ICPDS-NPS-fp11737.

Migration

How do we migrate data from an existing Netezza on-prem environment such as Mako/CPDS into NPSaaS?
Data can be migrated using Netezza backup and restore or using nz_migrate.
Using backup and restore to migrate data:
  1. nzbackup on the OnPrem system
  2. Move the backup to Azure Blob Storage using nzAzConnector
    $ ./nz_azConnector -db=<> -dir=<> -npshost=<hostname> -storage-account=<mycontainer> -key=xxxxx -container=<abcd> -upload -backupset=<xxxxx> -uniqueid=<SAMPLEBKUP> -logfiledir=/tmp -streams=8 -paralleljobs=8 -blocksize=50
  3. Sync the backup with NPSaaS using sync-cloud. Download the nz tool using:
    curl -o nz <Netezza REST URL>/v1/download/nz-linux-amd64
    
    chmod +x nz
  4. Run the sync-cloud command:
    $ ./nz nzbatchbnr ls scan-cloud --unique-id <> --account-key "<>" --account-name <> --container "<>" --destination az -host "<>" -u admin -pw "<>"
  5. Restore from cli:
    $ ./nz nzrestore -v --host <> -u admin -pw <> -db <> -backupset <> -connector az -connectorArgs "UNIQUE_ID=<>:STORAGE_ACCOUNT=<>:KEY=<>:CONTAINER=<>"
  6. Restore from Web Console.
Using nz_migrate to migrate data:
  • Depending on the size of the data, customers can choose to use nz_migrate to load data into NPSaaS
    nz_migrate -shost $source_host -sdb $source_database -suser $source_user -pw $source_password \
    -thost $target_host -tdb $target_database -tuser $target_user -pw $target_password  \
    -CreateTargetDatabase  YES -CreateTargetTable     YES \
    -format binary  \
    -threads 5 -cksum fast \
    -truncateTargetTable YES \
    > migrate.log 2>&1
    Note: Do not forget to generate statistics (nz_genstats) and groom (nz_groom) your database post migration.

Restoring natural order of data (link here)

Compliance

Is NPSaaS HIPAA compliant?
As of 03/2022, not yet. It is on the Roadmap.
Is NPSaaS GDPR compliant?
Yes, NPSaaS is fully GDPR compliant.
What is the Netezza version for Oracle Java with OpenJDK?
IBM Semeru JDK 17.

Others

Can connections to the NPSaaS database be restricted at an IP/Subnet level?
This feature is on the Roadmap for 2Q 2022.
Will we be able to send audit logs to one of our remote log managers (e.g. syslog)?

History information is saved in a history database. Users with the correct privileges can review the query history information for details about the users and activity on the Netezza system. These features enhance the query history with auditing and the following benefits:

  • Guaranteed audit capture of all operations

  • Digital signing of audit data

  • Audit data stored in row-secure tables

  • Secure data offload to a different Netezza system, lowering the impact on a production system and improving the security of the audit

From the NPSaaS console, the end user has access to Query History. The Query History tab allows viewing query history data as well as exporting it to a file, and filtering and searching for specific queries such as those run by a particular user or on a particular database. Query History also allows the end user to search their query history tables using predefined or custom search criteria, as well as view metrics, explanations, and the plan file behind particular queries on the system.

Will we be able to ingest logs to an on-prem log aggregator? For instance if we expose our Splunk HEC or syslog on our pub network or have VPN tunnel, can we tell the solution to send audit logs to it?

For OS audit logs: because this is a managed service, no one but IBM Ops can access the actual system. Auditing of this access is therefore done by IBM Ops in our internal syslog / logging solution, and is typically not exposed or relevant to the end user.

For database-level auditing, NZ query history / audit history is the way to go (it is already accessible via database SQL).

Will the solution be accessible by public internet and if so can we restrict the IPs which have access?

NPSaaS provides the option to specify a public and private endpoint for the system. Public network service endpoints are accessible from anywhere on the internet. Private network service endpoint access traverses only the cloud platform backbone network, not the public internet. Netezza Performance Server also supports private connectivity through Azure Privatelink.

Managing access to Netezza can be done through Identity Access Management provided in the Cloud. Every user that accesses the Netezza Performance Server service in your account must be assigned an access policy with an IAM role.

Will we be able to leverage our identity services (E.g. Azure AD)?
Yes, you will be able to leverage your identity services. Netezza supports LDAP authentication for user connectivity to database(s) and Azure AD supports LDAP via Azure AD Domain Services (AD DS). If the LDAP/AD server is accessible to the Netezza host, then the LDAP/AD server/service can run anywhere.
Will we be able to enforce MFA on any user access to solution?

MFA is provided through the cloud platform where Netezza is deployed.

The web access to NPSaaS web console will allow user authentication via Azure AD but will not support MFA at the moment. It should be noted that this question only relates specifically to web console access, not for database clients, ODBC/JDBC clients, and BI tools so it would not be an issue for those forms of access.

Will the console access be open to public internet or can we restrict (Is this where 'private service endpoints' come in)? What functions are available through the console (data exposure and availability scoping)?
Yes, database access can be made “private”. The console access is TLS encrypted. We have a roadmap item to make this private on request for 2H of this year. But this way (database endpoint being private, console via https) is par for the course on any SaaS service.
Will data be stored exclusively in the US?
Yes, the data should be only stored in the US assuming the software is deployed in a US region.
Will backups be taken of the data?

Yes, backups will be taken of the data. The nzbackup command allows for the creation of full and/or incremental backups of databases in compressed internal format external tables. Restoring these data to the Netezza Performance Server system is done simply by using the nzrestore command. These processes can also be performed through similar steps on the web console.

Specific to NPSaaS, backups are taken once every 24 hours for the IBM Operations team to retain business continuity in case of disaster. This DR backup is encrypted and stored in Cloud Object Storage (COS). COS replicates each DR backup across multiple cloud regions to ensure availability if a single zone fails. The customer can take backups whenever they choose, to their own Azure blob bucket.

Will we be able to obtain 3rd party attestations for security control compliance for the cloud environment for frameworks such as ISO 27001, SOC2, NIST 800-53 or equivalent?

Yes, IBM Cloud has annual and quarterly assessments with 3rd parties for compliance with AICPA SOC2 (type 1 & 2) and SOC3, ISO/IEC 27001, 27017, 27018, 27701, etc.

Will there be documented data retention policies and mechanisms to purge legacy data? Will there be technical controls to enforce?

User data are stored on secure reliable storage (as a service) from the cloud providers, in this case this would mean Azure Premium disks as described in the encryption for data at rest question above.

For data deletion: When you delete any NPSaaS instance, the service deletes the data associated with your instance including IBM managed backups associated with the service. You will never be able to restore it after that.

How to size the NPSaaS instance?

See http://ibm.biz/netezza-saas.

We can also offer Trid Analysis for more accurate sizing than the baseline sizing from equivalency metrics.

Where is the NPSaaS Data Processing Addendum (DPA)?
See https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/softwareReqsForProduct?deliverableId=1E039090754711EB8B57E58A521A0F2A.
Netezza Service Description:
See https://www.ibm.com/support/customer/csol/terms/?id=i126-9288&lc=en#detail-document.
Business continuity and disaster recovery for NPSaaS (RTO/RPO):
See https://cloud.ibm.com/docs/netezza?topic=netezza-understanding-bc-dr.
Any compatibility constraints (ex. must upgrade to a minimum version of DataStage in order to go for cloud version)?
DataStage has a native Netezza database connector to import database metadata into the InfoSphere Information Server metadata repository, and access data in the database. No need to upgrade your current DataStage version.
Connector availability for Datastage jobs to the new Netezza on Azure - Are there any general incompatibilities/functionality/features in current on-prem Netezza version that will not work in Cloud Netezza version?
The DataStage native Netezza database connector supports the new IBM Performance Server v11.x. It is backward compatible with the Netezza Mako Systems (7.2.x version).
Regarding DR in SaaS. According to https://www.ibm.com/support/customer/csol/terms?id=i126-9268&lc=en#detail-document NPS is Tier 1 = single instance in a single data center. What happens if this data center goes down? I assume our backups are stored in another DC and a new instance would be set up, using this backup?
Backups are replicated in three regions. Our (OpenShift) clusters span 3 AZs. If an AZ (that is, an entire data center) goes down due to a disaster, IBM Ops takes responsibility for immediately restoring a new namespace from the last backup in a new AZ (data center).
What are the parameters driving most cost in Netezza on Azure? How are costs calculated?
Billing is consumption based, by the hour.
  1. All billing is handled by IBM – no need to deal with multiple vendors.
  2. Scale storage and compute independently only when needed – a better way to save costs.
Is there a functionality/provision to archive older/lesser accessed data to optimize cost?
Unloading old archival data to customer’s own object storage is natively supported but isn’t always necessary.
Operational aspects (ex. BUR, Monitoring, Security, Provisioning/Patching etc) included in default service management?
This is a fully managed offering and is taken care of by IBM.
  • IBM takes the responsibility of upgrades, patching and maintenance of all the components.
  • Each update is communicated and can be tracked by the customer.
  • Database upgrades that require outage windows also allow customers to schedule the window if required.
Are there any general incompatibilities/functionality/features in current on-prem Netezza version that will not work in Cloud Netezza version?
There are no functions or features in the current on-prem version that are missing from the new Netezza on Azure. Netezza on Azure is 100% compatible with Mako. We improved on the existing Mako features by adding new features for performance, concurrency, new era of data and driver type.
What is the Resume time for NPSaaS Auto-PR?
If your system is idle for more than 15 mins, we stop the billing for compute resources ... (internally machines are released to a common pool after 45 mins as per machine management policy), once machines are released, the resume can take up to 30 mins.
What is the RTO for NPSaaS if an AZ goes down?
4 hours.
Can we have better compression ratios using zstd backups?
Yes, around 40%. See https://www.ibm.com/docs/en/netezza?topic=od-compress-option and check the limitations described there. This option is not yet exposed through the UI, so you have to use the CLI.
What is the difference between Cloud and OnPrem compression ratio?
The maximum compression ratio on the cloud is 8x. This is because we are limited by the functionality provided by the cloud provider, and we are diligently working with them to overcome this restriction.
Can you be notified of any state change to the system, for example ad hoc pause / auto pause?
No, "pause" and "paused now" are valid and good states, so there is no alert.
Do we (regularly) test the snapshots?
Snapshots are tested periodically according to IBM's BC/DR recovery policy.
Can we share the results of those tests with them?
Test results are reviewed internally, but they cannot be shared outside of IBM.
If we cannot share the results of those tests, do we have anything else to share that shows the process of restoring the snapshot works?
Snapshot test results are reviewed by IBM corporate security and compliance regularly to ensure the service meets IBM cloud service standards. These requirements are mandatory for all IBM cloud services, including Netezza. Compliance with those standards is attested to in the "IBM Data Security and Privacy Principles", section 9.e. See: https://www.ibm.com/support/customer/csol/terms/?id=Z126-7745&lc=en.
How much time does compute scaling take on AWS?
It can take up to 15-20 minutes.
Note: On AWS there is a 6 hour cool off period before you can do storage scaling again. Basically AWS does not allow us to modify the disk again until ~6 hours have passed since last modification. For Azure, scale up can be completed as soon as the current one completes.
What is the status for storage scaling?
Status is online.
How long does the scaling take?
Should be within 5-10 minutes.
Is scaling an online process or is there a certain period where it might be offline?
Scaling is a completely online process. There is no disruption to read or write workloads.
How do I change the NPS hostname from the lengthy name to a user-friendly short name?
Users are allowed to create a DNS entry in the cloud account to make the change. However, they will not be able to apply certificates pertaining to their domain.