This topic describes how you can set up a WORM (write once and read many) solution by using IBM Storage Scale, Transparent cloud tiering, and IBM Cloud® Object Storage.
IBM Storage Scale provides the immutability feature where you can associate a retention time with files, and any change or deletion of file data is prevented during the retention time. You can configure an IBM Storage Scale fileset with an integrated Archive Manager (IAM) mode by using the mmchfileset command. Files stored in such an immutable fileset can be set to immutable or append-only by using standard POSIX or IBM Storage Scale commands. For more information on immutability features available in IBM Storage Scale, see Immutability and appendOnly features.
After the immutability feature is configured in IBM Storage Scale, you can ensure that files that are stored on the Object Storage are immutable by leveraging the locked vault feature available in IBM Cloud Object Storage.
Locked vaults enable storage vaults to be created and registered under the exclusive control of an external gateway application.
IBM Cloud Object Storage stores objects received from the gateway application. The gateway authenticates to the IBM Cloud Object Storage Manager exclusively by using an RSA private key and certificate that were configured to create a locked vault and are registered only with the gateway. After that, the normal S3 APIs can be used against the Accesser nodes by using the configured private key and certificate. The Accesser API key and secret key for the S3 API cannot be used for authentication or authorization. If a key is compromised, the gateway rotates keys by calling the Rotate Client Key Manager REST API. This API replaces the existing key and revokes the old certificates. A locked vault with data cannot be deleted by the IBM Cloud Object Storage Administrator, and its ACLs cannot be changed. Additionally, it cannot be renamed or have the proxy setting enabled. For more information about locked vaults, see IBM Cloud Object Storage System Locked Vault Guide.
Note: To configure the WORM feature at the fileset level, it is recommended to match the immutable filesets with immutable container pair sets on the cloud.