Support assistance

Support assistance enables support personnel to access the system to complete troubleshooting and maintenance tasks.

You can configure either local support assistance, where support personnel visit your site to fix problems with the system, or local and remote support assistance. Remote support assistance allows support personnel to access the system remotely from the support center. Both local and remote support assistance use secure connections to protect data exchange between the support center and system. All actions that are completed with support assistance are recorded for auditing purposes. Local support assistance must be configured before remote support assistance is enabled.

Local support assistance

When you enable local support assistance, you can specify the IP address or domain name for the support connections. When support personnel log on to the systems with local support assistance, they are assigned either the Monitor role or the Restricted Administrator role.

The Monitor role can view, collect, and monitor logs and errors to determine the solution to problems on the system.

The Restricted Administrator role gives support personnel access to administrator tasks to help solve problems on the system. However, this role restricts these users from deleting volumes or pools, unmapping hosts, or creating, deleting, or changing users.

Roles limit access of the assigned user to specific tasks on the system. Users with the service role can set the time and date on the system, delete dump files, add and delete nodes, apply service, and shut down the system. They can also view objects and system configuration settings but cannot configure, modify, or manage the system or its resources. They also cannot read user data.

Remote support assistance

With remote support assistance, support personnel can access the system remotely through a secure connection from the support center. However, before you enable remote support assistance between the system and support, you first need to configure local support assistance. You must have either Call Home with cloud services or Call Home with email notifications configured. For more information about Call Home, see Call Home.

During system initialization, you can optionally set up a service IP address and remote support assistance. If you did not configure a service IP address, go to Settings > Network > Service IPs to configure a service IP for each node on the system. If you use a firewall to protect your internal network, you can configure a remote proxy server to allow access.

To prevent connection errors, ports 22 and 443 must be configured to support the service IP addresses used by remote support assistance.

When you enable remote support assistance, you can specify either an IP address or a domain name for support. If you specify a fully qualified domain name, a DNS server must be configured on your system. To configure a DNS server for the system, select Settings > Network > DNS. You can also use the mkdnsserver command to configure DNS servers. In addition, you can define a shared token that is generated by the system and sent to the support center. If the system needs support services, support personnel can be authenticated onto the system with a challenge-response mechanism. Use the chsra command to enable remote support assistance on the system. After support personnel obtain the response code, they enter it to gain access to the system. Service personnel have three attempts to enter the correct response code. After three failed attempts, the system generates a new random challenge and support personnel must obtain a new response code.
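The following sketch is an added example, not code from the product or its documentation. It models the attempt limit described above, where three wrong response codes retire the challenge. The response derivation (HMAC-SHA256 over the challenge with the shared token, truncated to 16 hex characters) and the names `ChallengeGate` and `response_for` are assumptions made for illustration; the page does not describe the actual algorithm.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # from the page: three tries, then a new random challenge

def response_for(shared_token: bytes, challenge: str) -> str:
    """Support-center side: derive the response code (assumed HMAC-SHA256)."""
    mac = hmac.new(shared_token, challenge.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

class ChallengeGate:
    """System side: issues challenges and checks response codes."""

    def __init__(self, shared_token: bytes):
        self._token = shared_token
        self._rotate()

    def _rotate(self):
        # A fresh random challenge also resets the attempt counter.
        self.challenge = secrets.token_hex(16)
        self.attempts_left = MAX_ATTEMPTS

    def verify(self, response: str) -> bool:
        expected = response_for(self._token, self.challenge)
        # Constant-time comparison avoids leaking how many characters matched.
        ok = hmac.compare_digest(response.encode(), expected.encode())
        if ok:
            self._rotate()      # a response code is accepted only once
            return True
        self.attempts_left -= 1
        if self.attempts_left == 0:
            self._rotate()      # the old challenge and its response are now useless
        return False

if __name__ == "__main__":
    gate = ChallengeGate(secrets.token_bytes(32))  # constructed shared token
    before = gate.challenge
    print([gate.verify("guess") for _ in range(MAX_ATTEMPTS)])
    print("challenge rotated:", gate.challenge != before)
```

Because the challenge is replaced after the third failure, a response code obtained for the earlier challenge no longer validates, which caps online guessing at three tries per challenge.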

Remote code load

Remote code load (RCL) is a service that allows remote support engineers to complete code updates on the storage system.

RCL is the process of having IBM® support personnel securely connect to and update the microcode on the storage system. The RCL service is the preferred code delivery method, which proves to be both efficient and secure for IBM clients. RCL is fast and easy to coordinate because it does not require an onsite visit of an IBM services technician.

Prerequisites

If you are configuring remote support assistance, the following prerequisites are required for all configurations.
  • Call home must be configured and functioning with a valid email server. To configure call home, select Settings > Notifications > Email in the management GUI or through system setup.
  • Service IP addresses must be configured on each node on the system. To configure service IP addresses, select Settings > Network > Service IPs in the management GUI.
  • A DNS server must be configured on your system. To configure a DNS server, select Settings > System > DNS in the management GUI.
    Note: DNS of your local system should allow for local and remote servers. It should not be configured to allow only a single external DNS server like Google 8.8.8.8.
  • You can configure your firewall to allow traffic to pass directly from the system or you can route traffic through an HTTP proxy server within your environment. For more information, see HTTP proxy server.
  • With the addition of the HTTP proxy support, Remote Support Proxy servers are no longer necessary, but they are still fully supported for existing configurations. Optionally, a Remote Support Proxy can be configured to consolidate firewall traffic from a number of storage systems. Remote upgrades cannot be completed through the Remote Support Proxy server.

Firewall configuration

The following network connections between IBM and the system are required to enable support assistance.
esupport.ibm.com
The esupport.ibm.com network connection is used for the following actions:
  • Uploading logs to the IBM Enhanced Customer Data Repository (ECUREP)
  • Connecting to Call home with cloud services
  • Downloading software from FixCentral
Note: The esupport.ibm.com network connection is fully certified to securely transmit data for Blue Diamond (HIPAA) users and General Data Protection Regulation (GDPR) protected users.
If you are using a firewall to route traffic instead of an HTTP proxy server, use the following information to configure a firewall rule.
Table 1. Firewall rule configuration
| Source | Target | Port | Protocol | Direction |
| --- | --- | --- | --- | --- |
| The service IP address of every node or node canister | esupport.ibm.com | 443 | https | Outbound only |
Remote Access
Use the following information to configure a firewall rule for remote access.
Table 2. Firewall rule configuration for remote access
| Source | Target | Port | Protocol | Direction |
| --- | --- | --- | --- | --- |
| The service IP address of every node or node canister | 170.225.126.11, 170.225.126.12, 170.225.127.11, and 170.225.127.12 | 443 or 22 | https or ssh | Outbound only |

For remote access, port 443 is suggested because it provides more security. If the remote access connection on port 443 is unsuccessful, port 22 is used as a backup. When you configure the firewall rules with port 443, the fallback of remote access from port 443 to port 22 is not applicable.
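A draft firewall rule set can be checked against Table 1 and Table 2 before remote support assistance is enabled. The script below is an added example, not part of the product or its documentation. The rule format (dictionaries with `src`, `dst`, `port` and `direction`), the function names, and the sample service IPs (taken from the 192.0.2.0/24 documentation range) are assumptions; the targets and ports are the ones listed in the tables.

```python
import ipaddress
# Targets and ports from Table 1 and Table 2 on this page.
ESUPPORT = "esupport.ibm.com"
REMOTE_ACCESS = ["170.225.126.11", "170.225.126.12",
                 "170.225.127.11", "170.225.127.12"]

def covers(rule_value, wanted):
    """True if a rule field (hostname, IP or CIDR) covers the wanted host."""
    if rule_value == wanted:
        return True
    try:
        net = ipaddress.ip_network(rule_value, strict=False)
        return ipaddress.ip_address(wanted) in net
    except ValueError:  # one side is a hostname, so no CIDR match is possible
        return False

def audit(service_ips, rules):
    """Return (missing, warnings) for rule dicts in the assumed format."""
    def allowed(src, dst, port):
        return any(r["direction"] == "outbound" and r["port"] == port
                   and covers(r["src"], src) and covers(r["dst"], dst)
                   for r in rules)
    missing, warnings = [], []
    for sip in service_ips:
        if not allowed(sip, ESUPPORT, 443):
            missing.append(f"{sip} -> {ESUPPORT}:443")
        for target in REMOTE_ACCESS:
            if allowed(sip, target, 443):
                continue
            if allowed(sip, target, 22):
                warnings.append(f"{sip} -> {target}: only port 22 open, 443 is suggested")
            else:
                missing.append(f"{sip} -> {target}:443 or 22")
    for r in rules:  # both tables list outbound-only rules
        touches = any(covers(r["src"], s) or covers(r["dst"], s) for s in service_ips)
        if touches and r["direction"] != "outbound":
            warnings.append(f"non-outbound rule touches a service IP: {r}")
    return missing, warnings

# Constructed sample: two service IPs and a draft rule set with gaps.
SERVICE_IPS = ["192.0.2.10", "192.0.2.11"]
RULES = [
    {"src": "192.0.2.0/28", "dst": ESUPPORT, "port": 443, "direction": "outbound"},
    {"src": "192.0.2.0/28", "dst": "170.225.126.0/24", "port": 443, "direction": "outbound"},
    {"src": "192.0.2.10", "dst": "170.225.127.0/24", "port": 22, "direction": "outbound"},
    {"src": "0.0.0.0/0", "dst": "192.0.2.10", "port": 22, "direction": "inbound"},
]
print(audit(SERVICE_IPS, RULES))
```

For the constructed rule set, the audit reports that the second service IP cannot reach two of the remote access addresses, that the first reaches them only over port 22, and that an inbound rule touches a service IP although the tables call for outbound-only rules.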

Configure support assistance

To configure support assistance, use the Settings > Support > Support Assistance > Set Up Support Assistance panel in the management GUI.

To configure support assistance using the command-line interface, see chsra commands.