Component requirements

Ensure that you have the required system configuration and a supported browser to deploy and run IBM Spectrum Protect Plus. These requirements apply to all installations of IBM Spectrum Protect Plus.

IBM Spectrum Protect Plus support for third-party platforms, applications, services, and hardware parallels that of the third-party vendors. When a third-party vendor product or version enters extended support, self-serve support, or end of life, IBM Spectrum Protect Plus supports it at the same level.

Virtual machine installation

IBM Spectrum Protect Plus is installed as a virtual appliance. Before you deploy IBM Spectrum Protect Plus to the host, ensure that the following requirements are met:

  • The correct VMware or Microsoft Hyper-V template.
  • vSphere 5.5, 6.0, 6.5, or 6.7 or Microsoft Hyper-V Server 2016.

    For later versions of vSphere, the vSphere Web Client might be required to deploy IBM Spectrum Protect Plus virtual appliances.

  • Network information and VMware host information.
  • Either an available static IP address to use or access to the Dynamic Host Configuration Protocol (DHCP).
For initial deployment, the virtual appliance must meet the following minimum requirements:
  • 64-bit 8-core machine
  • 48 GB memory
  • 536 GB disk storage for virtual machine

Use a Network Time Protocol (NTP) server to synchronize the time zones across resources that are in your environment, such as the IBM Spectrum Protect Plus virtual appliance, storage arrays, hypervisors, and application servers. If the clocks on the various systems are significantly out of sync, you might experience errors during application registration, metadata cataloging, inventory, backup, restore, or file restore jobs. For more information about identifying and resolving timer drift, see the following VMware knowledge base article: Time in virtual machine drifts due to hardware timer drift.

Browser support

Run IBM Spectrum Protect Plus from a computer that has access to the installed virtual appliance. IBM Spectrum Protect Plus was tested against the following web browsers. Note that later browser versions might also be supported.
  • Firefox 55.0.3
  • Google Chrome 60.0.3112
  • Microsoft Edge 40.15063

If your screen resolution is less than 1024 x 768 pixels, some items might not fit on the window. Pop-up windows must be enabled in your browser to access the help system and some IBM Spectrum Protect Plus operations.

IBM Spectrum Protect requirements

When you offload data to the IBM Spectrum Protect server repository by using Amazon S3, ensure that IBM Spectrum Protect is at Version 8.1.7 or later.

IBM Spectrum Protect Plus ports

The following ports are used by IBM Spectrum Protect Plus and associated services. Ports that are marked as Accept use secure connections (HTTPS/SSL).

Table 1. Incoming firewall connections (IBM Spectrum Protect Plus appliance)

| Port | Protocol | Firewall | Service | Description |
|------|----------|----------|---------|-------------|
| 22 | TCP | Accept | OpenSSH 5.3 (protocol 2.0) | Used for troubleshooting IBM Spectrum Protect Plus. |
| 443 | TCP | Accept | A micro-service running a reverse-proxy | Main entry point for the client connections (SSL). |
| 5432 | TCP | Blocked | PostgreSQL | SQL RDBMS: Supports job management and some security related data and transactions. |
| 5671 | TCP, AMQP | Accept | RabbitMQ | Message framework used to manage messages produced and consumed by the VADP proxy and VMware job management workers. Also facilitates job log management. |
| 5672 | AMQP | Blocked | RabbitMQ | Message framework used to manage messages produced and consumed in the IBM Spectrum Protect Plus appliance. |
| 8082 | TCP | Blocked | Virgo | Modular Java™ application server. Serves core functions for IBM Spectrum Protect Plus including the REST APIs. |
| 8083 | TCP | Blocked | Node.js | JavaScript server. Provides higher level APIs to the user interface leveraging the REST APIs running in Virgo. |
| 8090 | TCP | Accept | Administrative Console Framework (ACF) | Extensible framework for system administration functions. Supports plugins that run operations such as system updates and catalog backup/restore. |
| 8092 | TCP | Blocked | ACF Plugin EMI | Supports system update, certificate, and license management. |
| 8093 | TCP | Blocked | ACF Plugin Catalog Backup and Recovery | Backs up and restores IBM Spectrum Protect Plus catalog data. |
| 8761 | TCP | Accept | Discovery Server | Automatically discovers VADP proxies and is used by IBM Spectrum Protect Plus VM backup operations. |
| 9090 | TCP | Accept | DOCUMENTATION | Default port for the IBM Spectrum Protect Plus help system |
| 27017 | TCP | Blocked | MongoDB | Persists configuration related documents for IBM Spectrum Protect Plus. |
| 27018 | TCP | Blocked | MongoDB | Persists recovery metadata documents for IBM Spectrum Protect Plus. |

Table 2. Incoming firewall connections (IBM Spectrum Protect Plus appliance - onboard vSnap server)

| Port | Protocol | Firewall | Service | Description |
|------|----------|----------|---------|-------------|
| 111 | TCP | Accept | RPC Port Bind | Allows clients to discover ports that Open Network Computing (ONC) clients require to communicate with ONC servers (internal). |
| 2049 | TCP | Accept | NFS | Used for NFS data transfer to and from vSnap (internal). |
| 3260 | TCP | Accept | iSCSI | Used for iSCSI data transfer to and from vSnap (internal). |
| 20048 | TCP | Accept | NFS | Used for NFS data transfer to and from vSnap (internal). |

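
An added example (not IBM code) that turns Tables 1 and 2 into a check: it classifies each TCP listener reported by `ss -H -tln` on the appliance and flags ports marked Blocked that are bound to a non-loopback address. The function names, class labels and the sample `ss` lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not IBM code. Port lists are copied from Tables 1 and 2.
ACCEPT_PORTS="22 443 5671 8090 8761 9090 111 2049 3260 20048"
BLOCKED_PORTS="5432 5672 8082 8083 8092 8093 27017 27018"

# audit_listeners: reads `ss -H -tln` output on stdin and prints
# "<class> <address> <port>" for every listening TCP socket.
#   OK-ACCEPT        port is marked Accept
#   OK-LOOPBACK      port is marked Blocked and bound to loopback only
#   EXPOSED-BLOCKED  port is marked Blocked but bound to a non-loopback
#                    address, so the firewall rule is the only barrier
#   UNLISTED         port is in neither table
audit_listeners() {
  awk -v accept="$ACCEPT_PORTS" -v blocked="$BLOCKED_PORTS" '
    BEGIN {
      n = split(accept, a, " ");  for (i = 1; i <= n; i++) policy[a[i]] = "accept"
      n = split(blocked, b, " "); for (i = 1; i <= n; i++) policy[b[i]] = "blocked"
    }
    $1 == "LISTEN" {
      laddr = $4
      port = laddr; sub(/^.*:/, "", port)          # text after the last colon
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      sub(/%.*$/, "", addr)                        # drop an interface scope such as %lo
      sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
      loopback = (addr ~ /^127\./ || addr == "::1")
      if (!(port in policy))              class = "UNLISTED"
      else if (policy[port] == "accept")  class = "OK-ACCEPT"
      else if (loopback)                  class = "OK-LOOPBACK"
      else                                class = "EXPOSED-BLOCKED"
      print class, addr, port
    }'
}

# exposed_blocked_count: number of EXPOSED-BLOCKED listeners in the ss output on stdin.
exposed_blocked_count() {
  audit_listeners | awk '$1 == "EXPOSED-BLOCKED" { n++ } END { print n + 0 }'
}

# Constructed sample in `ss -H -tln` column order (not captured from a real appliance).
sample_ss() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
LISTEN 0 128 0.0.0.0:443     0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432  0.0.0.0:*
LISTEN 0 128 0.0.0.0:27017   0.0.0.0:*
LISTEN 0 128 [::]:8082       [::]:*
LISTEN 0 128 [::1]:8083      [::]:*
LISTEN 0 128 *:8443          *:*
EOF
}

# On a live system: ss -H -tln | audit_listeners
sample_ss | audit_listeners
```
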
Table 3. Outgoing firewall connections (IBM Spectrum Protect Plus)

| Port | Protocol | Service | Description |
|------|----------|---------|-------------|
| 22 | TCP | OpenSSH 5.3 (protocol 2.0) | Used for SSH communications to remote servers running guest applications components. |
| 25 | TCP | SMTP | Email service. |
| 389 | TCP | LDAP | Active directory services. |
| 443 | TCP | VMware ESXi Host | ESXi host port for managing operations. |
| 443 | TCP | VMware vCenter | Client connections to vCenter. |
| 636 | TCP | LDAP | Active directory services (SSL) |
| 902 | TCP | VMware NFC service | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 5985 | TCP | Windows Remote Management (WinRM) | Hyper-V and guest applications client connections. |
| 8080 | TCP | VADP proxy | Virtual machine data protection proxy. |
| 8900 | TCP | vSnap | OVA/Installer version of the intelligent storage framework used as a target for data protection operations. |

Use the following diagram as guidance for the communication paths managed by IBM Spectrum Protect Plus. This picture can provide assistance for troubleshooting and network configuration for deployment scenarios.
  • The labeled resources in the gray background represent the core services of the IBM Spectrum Protect Plus virtual appliance.
  • The curved lines represent implicit communications.
  • The colors of the various modules represent different types of services as defined by the key in the upper right.
  • The red rectangle represents the network firewall.
  • Services that appear on the red rectangle are indicative of the ports that are open on the firewall.
  • Dashed arrows represent communication among resources and services.
  • The arrow flows TOWARD the listening port.
  • The port numbers that need to be open are indicated by the LISTENING port. For example, the vSnap service is represented as being external to the IBM Spectrum Protect Plus virtual appliance. It is listening on port 8900 as well as other ports.
  • A component in the virtual appliance establishes a communication path with a connection to the vSnap service at port 8900.
Figure 1. IBM Spectrum Protect Plus virtual appliance

vSnap requirements

A vSnap server is the primary backup destination for IBM Spectrum Protect Plus. In either a VMware or Hyper-V environment, one vSnap server with the name localhost is automatically installed at the time that the IBM Spectrum Protect Plus virtual appliance is initially deployed. In larger backup enterprise environments, more vSnap servers might be required.

Memory should be adjusted based on backup capacity for more efficient deduplication. For more information and sizing guidance, see IBM Spectrum Protect Plus Blueprints.

For initial deployment, ensure that your virtual machine or physical Linux machine meets the following minimum requirements:
  • 64-bit 8-core processor
  • 32 GB memory
  • 16 GB free space on root file system
  • 128 GB free space on a separate file system mounted at the following location: /opt/vsnap-data
  • Optionally, a solid-state drive (SSD) improves backup and restore performance
Note: The Linux Network Management service must be installed and running.

To improve backup performance, configure the pool to use one or more log devices backed by an SSD. Specify at least two log devices to create a mirrored log for better redundancy.

To improve restore performance, configure the pool to use a cache device backed by an SSD.

vSnap server virtual machine installation requirements

Before deploying to the host, ensure that you have met the following requirements:

  • The correct VMware or Microsoft Hyper-V template.
  • vSphere 5.5, 6.0, 6.5, or 6.7 or Microsoft Hyper-V Server 2016.
  • For later versions of vSphere, the vSphere Web Client might be required to deploy IBM Spectrum Protect Plus appliances.
  • Network information and VMware host information.
  • Either an available static IP address to use or access to DHCP.

vSnap server physical installation requirements

IBM Spectrum Protect Plus V10.1.3 provides new functionality that requires the kernel levels supported in RHEL 7.5 and CentOS 7.5. Use IBM Spectrum Protect Plus V10.1.2 for physical vSnap V10.1.2 installations if you need to use operating systems earlier than RHEL 7.5 and CentOS 7.5.

The following Linux operating systems are supported for IBM Spectrum Protect Plus V10.1.3 physical vSnap server installations:

  • CentOS 7.1804 (7.5) (x86_64)
  • CentOS 7.1810 (7.6) (x86_64) (beginning with v10.1.3 patch1)
  • Red Hat Enterprise Linux 7.5 (x86_64)
  • Red Hat Enterprise Linux 7.6 (x86_64) (beginning with v10.1.3 patch1)

If you are using one of the following operating systems, use IBM Spectrum Protect Plus V10.1.2 for physical vSnap server installations:

  • CentOS Linux 7.3.1611 (x86_64)
  • CentOS Linux 7.4.1708 (x86_64)
  • Red Hat Enterprise Linux 7.3 (x86_64)
  • Red Hat Enterprise Linux 7.4 (x86_64)

vSnap server ports

The following ports are used by vSnap servers. Ports that are marked as Accept use secure connections (HTTPS/SSL).

Table 4. Incoming vSnap firewall connections

| Port | Protocol | Firewall | Service | Description |
|------|----------|----------|---------|-------------|
| 22 | TCP | Accept | SSH | Used for troubleshooting vSnap. |
| 111 | TCP | Accept | RPC Port Bind | Allows clients to discover ports that ONC clients require to communicate with ONC servers (internal). |
| 137 | TCP | Accept | SMB/CIFS | Used for SMB/CIFS data transfer to and from vSnap (internal). |
| 138 | TCP | Accept | SMB/CIFS | Used for SMB/CIFS data transfer to and from vSnap (internal). |
| 139 | TCP | Accept | SMB/CIFS | Used for SMB/CIFS data transfer to and from vSnap (internal). |
| 445 | TCP | Accept | SMB/CIFS | Used for SMB/CIFS data transfer to and from vSnap (internal). |
| 2049 | TCP | Accept | NFS | Used for NFS data transfer to and from vSnap (internal). |
| 8900 | TCP | Accept | HTTPS | vSnap REST APIs |
| 3260 | TCP | Accept | iSCSI | Used for iSCSI data transfer to and from vSnap (internal). |
| 20048 | TCP | Accept | NFS | Used for NFS data transfer to and from vSnap (internal). |

VADP proxy requirements

In IBM Spectrum Protect Plus, running virtual machine backup jobs through VADP can be taxing on system resources. By creating VADP backup job proxies, you enable load sharing and load balancing for your backup jobs. If proxies exist, the entire processing load is shifted from the IBM Spectrum Protect Plus appliance onto the proxies. This processing has been tested for SUSE Linux Enterprise Server and Red Hat environments. It is supported only in 64-bit quad core configurations with a minimum kernel of 2.6.32.

VADP proxies support the following VMware transport modes: File, SAN, HotAdd, NBDSSL, and NBD. For more information about VMware transport modes, see Virtual Disk Transport Methods.

VADP proxies are supported only in 64-bit quad core and higher configurations in the following Linux environments:

  • CentOS Linux 6.5+ (beginning with 10.1.1 patch 1)
  • CentOS Linux 7.0+ (beginning with 10.1.1 patch 1)
  • Red Hat Enterprise Linux 6, Fix pack 4 or later
  • Red Hat Enterprise Linux 7, all updates
  • SUSE Linux Enterprise Server 12, all updates

For initial deployment, ensure that your Linux machine meets the following minimum requirements:

  • 64-bit quad core processor
  • 8 GB RAM required, 16 GB recommended
  • 60 GB free disk space

For more information and sizing guidance, see IBM Spectrum Protect Plus Blueprints.

If you increase the number of CPUs that are used and the concurrency on the VADP proxy server, you must also increase the memory that is allocated on the proxy server.

The proxy must be able to mount NFS file systems, which in many cases requires an NFS client package to be installed. The exact package details vary based on the distribution.

Each proxy must have a fully qualified domain name and must be able to resolve and reach the vCenter. vSnap servers must be reachable from the proxy. If a firewall is active on the proxy, the following ports on the vSnap server must be reachable (both TCP and UDP): 111, 2049, and 20048.

Port 8080 on the VADP proxy server must be open when the proxy server firewall is enabled. If the port is not open, VADP backups will run on local vmdkbackup instead of the VADP proxy server.

VADP proxy ports

The following ports are used by VADP proxies. Ports that are marked as Accept use secure connections (HTTPS/SSL).

Table 5. Incoming VADP proxy firewall connections

| Port | Protocol | Firewall | Service | Description |
|------|----------|----------|---------|-------------|
| 22 | TCP | Accept | SSH | Port 22 is used to push the VADP proxy to the host node. |
| 8098 | TCP | Accept | VADP | Default port for TLS-based REST API communications between the IBM Spectrum Protect Plus server and the VADP proxy. |

Table 6. Outgoing VADP proxy firewall connections

| Port | Protocol | Firewall | Service | Description |
|------|----------|----------|---------|-------------|
| 111 | TCP | Accept | vSnap RPC Port Bind | Used for troubleshooting vSnap. |
| 443 | TCP | Accept | VMware ESXi Host/vCenter | Allows clients to discover ports that ONC clients require to communicate with ONC servers (internal). |
| 902 | TCP | Accept | VMware ESXi Host | NFC provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 2049 | TCP | Accept | vSnap NFS | Used for NFS data transfer to and from vSnap (internal). |
| 5671 | TCP | Accept | RabbitMQ | Used for iSCSI data transfer to and from vSnap (internal). |
| 8761 | TCP | Accept | Discovery Server | Used for NFS data transfer to and from vSnap (internal). |
| 20048 | TCP | Accept | vSnap mounted | Mounts vSnap file systems on clients such as the VADP proxy, application servers, and virtualization data stores. |

VADP proxies can be pushed and installed on Linux-based servers over SSH port 22.

VADP proxy on vSnap server requirements

VADP proxies can be installed on vSnap servers in your IBM Spectrum Protect Plus environment. A combination VADP proxy/vSnap server must meet the minimum requirements of both devices. Consult the system requirements of both devices and add the core and RAM requirements together to identify the minimum requirements of the combination VADP proxy and vSnap server.

Ensure that your combination VADP proxy and vSnap server meets the following minimum requirements, which are the sum of the requirements for each device.

VADP proxy installed on a virtual vSnap server:
  • 64-bit 8-core processor
  • 48 GB RAM

All required VADP proxy and vSnap server ports must be open on the combination VADP proxy and vSnap server.

Cloud offload requirements

To offload data to cloud storage, ensure that your IBM Spectrum Protect Plus and cloud environments meet the following requirements:

Disk cache area
For all functionality relating to offloading or restoring from the cloud, the vSnap server requires a disk cache area on the vSnap server.
  • During offload operations, this cache is used as a temporary staging area for objects that are pending upload to the cloud endpoint.
  • During restore operations, it is used to cache downloaded objects as well as to store any temporary data that may be written into the restore volume.
Most of the cache space is freed up at the end of each offload or restore operation, but a small amount may continue to be used to cache metadata that is used to speed up subsequent operations. The cache area must be configured in the form of an XFS filesystem mounted at /opt/vsnap-data on the vSnap server. If this mount point is not configured, offload or restore jobs fail with this error: Cloud functionality disabled: Data disk /opt/vsnap-data is not configured.
Note:

Do not unmount or manipulate files under /opt/vsnap-data while any offload or restore jobs are active. Once you have ensured that no jobs are active, it is safe to run any maintenance activities such as unmounting and reconfiguring the cache area. The data stored under /opt/vsnap-data is also safe to delete as long as no offload or restore jobs are active. Deleting this data may result in the vSnap server needing to re-download it from the cloud endpoint during the next offload or restore operation, which may introduce a delay during the job.

For new installations of vSnap V10.1.3
When the vSnap is deployed as a virtual appliance, the cache area is already present as a preconfigured 128 GB data disk mounted at /opt/vsnap-data. When the vSnap is installed on a custom server, the cache area must be configured manually.
For systems upgraded from vSnap V10.1.2 to V10.1.3
A default preconfigured cache area of 128 GB may already be present and mounted at /opt/vsnap-data if the system was previously deployed as a virtual appliance with vSnap V10.1.2. If the system was previously upgraded from vSnap V10.1.1, the cache area is not present. Use the df command on the vSnap server to confirm the presence of this mount point. If the preconfigured mount point is not present, it must be configured manually. For more information about sizing and installing cache, see the Cloud offload configuration document.
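
An added example (not IBM code) of the df check described above. df on a plain directory reports the parent file system, so the function compares the "Mounted on" column with /opt/vsnap-data and confirms that the type is XFS; the function name, return codes and sample df rows are constructed for illustration.

```sh
#!/bin/sh
# Added example, not IBM code.
CACHE_MOUNT=/opt/vsnap-data

# cache_area_status: reads `df -P -T /opt/vsnap-data` output on stdin,
# prints a one-line status and returns:
#   0  an XFS file system is mounted exactly at /opt/vsnap-data
#   1  the path is only a directory on another file system
#   2  a file system is mounted there, but it is not XFS
#   3  df printed no file system row
cache_area_status() {
  awk -v want="$CACHE_MOUNT" '
    NR == 2 {
      seen = 1; fstype = $2; avail_kib = $5; mnt = $7
      if (mnt != want) {
        printf "not-mounted: %s is a directory on %s\n", want, mnt; rc = 1
      } else if (fstype != "xfs") {
        printf "wrong-fs: %s is %s, expected xfs\n", want, fstype; rc = 2
      } else {
        printf "ok: xfs at %s, %d GiB available\n", want, avail_kib / 1048576; rc = 0
      }
    }
    END {
      if (!seen) { print "no-data: df printed no file system row"; rc = 3 }
      exit rc
    }'
}

# Constructed df -P -T outputs (not captured from a real vSnap server).
sample_df_ok() {
  cat <<'EOF'
Filesystem     Type 1024-blocks  Used Available Capacity Mounted on
/dev/sdb1      xfs    134152196 33000 134119196       1% /opt/vsnap-data
EOF
}
sample_df_parent() {   # cache directory exists but nothing is mounted on it
  cat <<'EOF'
Filesystem              Type 1024-blocks    Used Available Capacity Mounted on
/dev/mapper/centos-root xfs     52403200 4194304  48208896       9% /
EOF
}
sample_df_ext4() {
  cat <<'EOF'
Filesystem     Type 1024-blocks  Used Available Capacity Mounted on
/dev/sdb1      ext4   131981268 61468 125192484       1% /opt/vsnap-data
EOF
}

# On a live system: df -P -T /opt/vsnap-data | cache_area_status
sample_df_ok | cache_area_status
sample_df_parent | cache_area_status || true
```
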
Certificate requirements
  • Self-signed certificates: If the cloud endpoint or repository server uses a self-signed certificate, the certificate must be specified in Privacy Enhanced Mail (PEM) format when registering the cloud or repository server in the IBM Spectrum Protect Plus user interface.
  • Certificates signed by private Certificate Authority: If the cloud endpoint or repository server uses a certificate signed by a private Certificate Authority (CA), the endpoint certificate must be specified (in PEM format) when registering the cloud or repository server in the IBM Spectrum Protect Plus user interface. In addition, the root/intermediate certificate of the private CA must be added to the system certificate store in each vSnap server with the following procedure:
    • Log in to the vSnap server console as the serveradmin user, and upload the private CA certificates (in PEM format) to a temporary location.
    • Copy each certificate file to the system certificate store directory /etc/pki/ca-trust/source/anchors/:
      $ sudo cp /tmp/private-ca-cert.pem /etc/pki/ca-trust/source/anchors/
    • Run the following command to update the system certificate bundle to incorporate the added custom certificate:
      $ sudo update-ca-trust
  • Certificates signed by public Certificate Authority: If the cloud endpoint uses a public CA-signed certificate, no special action is needed. The vSnap server validates the certificate by using the default system certificate store.
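
An added example (not IBM code) of checks to run on a private CA file before the cp step above: PEM encoding, no private key in the file, parsable, unexpired, and marked as a CA. It assumes that the openssl command is available on the vSnap server; the function names and return codes are hypothetical.

```sh
#!/bin/sh
# Added example, not IBM code. Assumes the openssl CLI is installed.

# check_ca_pem FILE returns:
#   0 ok                              1 file is missing or unreadable
#   2 no PEM certificate block        3 file also contains a private key
#   4 openssl cannot parse it         5 certificate has expired
#   6 not a CA certificate (no CA:TRUE basic constraint)
check_ca_pem() {
  f=$1
  [ -r "$f" ] || return 1
  # A DER or PKCS#12 file fails here; the page requires PEM.
  grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || return 2
  # A trust anchor holds public material only; a key has no place in it.
  if grep -q -e 'PRIVATE KEY-----' "$f"; then return 3; fi
  openssl x509 -in "$f" -noout >/dev/null 2>&1 || return 4
  openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 || return 5
  openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 6
  return 0
}

# endpoint_chains_to CA_FILE ENDPOINT_FILE
# Returns 0 when the endpoint certificate verifies against the CA file.
# Assumes CA_FILE holds the root; an intermediate alone does not complete
# a chain for openssl verify.
endpoint_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh check-ca.sh /tmp/private-ca-cert.pem [endpoint-cert.pem]
if [ "$#" -ge 1 ]; then
  rc=0; check_ca_pem "$1" || rc=$?
  echo "check_ca_pem $1 -> $rc"
  if [ "$rc" -eq 0 ] && [ "$#" -ge 2 ]; then
    if endpoint_chains_to "$1" "$2"; then
      echo "endpoint certificate verifies against $1"
    else
      echo "endpoint certificate does NOT verify against $1"
    fi
  fi
fi
```
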
Network requirements

The following ports are used for communication between vSnap servers and cloud or repository server endpoints.

Table 7. Outgoing vSnap server firewall connections

| Port | Protocol | Service | Description |
|------|----------|---------|-------------|
| 443 | TCP | HTTPS | Allows vSnap to communicate with Amazon S3, Azure, or IBM Cloud™ Object Storage endpoints. |
| 9000 | TCP | HTTPS | Allows vSnap to communicate with IBM Spectrum Protect (Repository Server) endpoints. |

If there are any firewalls or network proxies that run SSL Interception or Deep Packet Inspection for traffic between vSnap servers and cloud endpoints, this may interfere with SSL certificate validation on the vSnap servers. This interference may cause cloud offload job failures. To prevent this, the vSnap servers must be exempted from SSL interception and inspection in the firewall or proxy configuration.
Cloud provider requirements
Native lifecycle management is not supported. IBM Spectrum Protect Plus manages the lifecycle of uploaded objects automatically using an incremental-forever approach where older objects may still be used by newer snapshots. Automatic or manual expiration of objects outside of IBM Spectrum Protect Plus will lead to data corruption. For more information about cloud providers using SSL certificates that are self-signed or signed by a private Certificate Authority, see Certificate requirements on this page.
  • Amazon S3 cloud storage offload requirements: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket in one of the supported storage tiers must be specified: S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access, and S3 One Zone-Infrequent Access.
  • IBM Cloud Object Storage offload requirements: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket must be specified. If the specified bucket has a WORM policy that locks objects for a certain time period, IBM Spectrum Protect Plus automatically detects the configuration and deletes snapshots after the WORM policy removes the lock.
  • Microsoft Azure offload requirements: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing container in a hot or cool storage account must be specified.
  • Repository Server offload requirements: When the cloud provider is registered in IBM Spectrum Protect Plus, you cannot use an existing bucket. IBM Spectrum Protect Plus creates a uniquely named bucket for its own use.

For quick start information to help you to set up and offload data to specific cloud providers, see Data offload to cloud object storage with IBM Spectrum Protect Plus.