IBM Support

Container Stgpool Encryption might not encrypt all extents

Flashes (Alerts)


Abstract

As documented in APAR IT33496, IBM Spectrum Protect customers that use a directory-container or cloud-container storage pool with encryption enabled might have unencrypted extents.

Content

Problem Summary
This APAR affects customers who used a cloud-container or directory-container storage pool with encryption enabled.  Cloud-container storage pools were originally affected in the 8.1.1 release, while directory-container storage pools were affected starting with the 8.1.2 release.
The issue occurs in objects with extended attributes and is only known to affect Windows System State backups.
In addition to the extended attribute requirement, affected files must be smaller than the officially supported size of 2KB for deduplication (https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.9/client/r_opt_dedup.html). Files that meet this size condition are stored without deduplication, and when they are, some file extents might not be encrypted.
This issue cannot happen in client-encrypted objects or objects that are greater than 2KB in size.
Restore operations on affected files fail because the server attempts to decrypt the extent and is unable to do so. This decryption failure causes the affected extents to be marked damaged.
PROTECT STGPOOL, REPLICATE NODE, and other operations that copy or move extents may not detect the issue with these chunks, making it possible to propagate the offending chunk to a secondary location.
Levels Affected
 
This issue affects IBM Spectrum Protect levels 8.1.1 through 8.1.10.
Recommendation

The steps in the "Diagnosing the Issue" section determine whether the environment is affected by this issue. If the environment is affected, open a case (https://www.ibm.com/mysupport/s) with IBM Support so the product team can assist with the necessary remediation.
Diagnosing the Issue
If you are using a directory-container or cloud-container storage pool with encryption enabled, you might be affected.  To determine whether your server is affected by the issue, follow these steps:
NOTE: If the server is the target of PROTECT STGPOOL but not REPLICATE NODE operations, the following steps may not be sufficient to determine whether the server is affected. In that case, all non-dedup containers need to be audited to make that determination. Use the Audit Container command with Type=SCANALL to find affected extents.
  1. Log in as the server instance ID that has ownership of the Db2 instance on the machine where the server is running. Then, run the following Db2 command to generate an Audit Container macro for the server.
    • db2 -x "select distinct 'AUDIT CONTAINER ' || sdcn.cntrname from sd_recon_order sdro join sd_non_dedup_locations sdndl on sdro.chunkid=sdndl.chunkid join sd_containers sdcn on sdcn.cntrid=sdndl.cntrid where sdro.offset>0 and sdro.chunktype=1" > audit.mac
       
  2. Entries in the audit.mac file generated in step 1 look like this:
        AUDIT CONTAINER /storage/DCP1/00/0000000000000001.ncf
        AUDIT CONTAINER /storage/DCP1/00/0000000000000002.ncf

    If there are no entries in the audit.mac file, the server is not affected. Continue to step 3.
  3. Run the macro generated in step 1. This macro audits all non-dedup containers identified with potentially affected extents. Any extents that are affected will be marked as damaged.  The number of damaged extents can be checked with the QUERY DAMAGED command.
  4. Check the dsmffdc.log. Your server is affected when you see errors like this:
        [ FFDC_GENERAL_SERVER_ERROR ]: (sdrtrv.c:6699) Error -1 decrypting data for chunk 7080194686464101993.
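
An added example, not part of the IBM flash or IBM tooling: a shell helper that summarises the evidence from steps 2 and 4 by counting the AUDIT CONTAINER entries in audit.mac and extracting the unique chunk IDs from the decryption errors in dsmffdc.log. The function names, verdict strings, sample timestamps and the second chunk ID are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Summarises the evidence gathered in steps 1-4.
# Assumption: log lines contain the message text shown in step 4.

# Number of AUDIT CONTAINER entries in the macro generated in step 1.
count_audit_entries() {
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
    grep -c '^[[:space:]]*AUDIT CONTAINER ' "$1" || true
}

# Unique chunk IDs that failed decryption, one per line.
affected_chunks() {
    sed -n 's/.*FFDC_GENERAL_SERVER_ERROR.*Error -1 decrypting data for chunk \([0-9][0-9]*\).*/\1/p' "$1" | sort -u
}

# Verdict from the two files. It does not cover the PROTECT STGPOOL-only
# target case from the NOTE, which needs AUDIT CONTAINER with Type=SCANALL.
triage() {
    entries=$(count_audit_entries "$1")
    if [ "${entries:-0}" -eq 0 ]; then
        echo "no-candidate-containers"
        return 0
    fi
    failed=$(affected_chunks "$2" | wc -l | tr -d ' ')
    if [ "$failed" -gt 0 ]; then
        echo "affected: $entries containers audited, $failed chunks failed decryption"
    else
        echo "candidates-but-no-decrypt-errors: $entries containers listed"
    fi
}

# Constructed sample input (timestamps and the second chunk ID are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/audit.mac" <<'EOF'
AUDIT CONTAINER /storage/DCP1/00/0000000000000001.ncf
AUDIT CONTAINER /storage/DCP1/00/0000000000000002.ncf
EOF
cat > "$demo_dir/dsmffdc.log" <<'EOF'
[07-01-2020 10:15:02.101][ FFDC_GENERAL_SERVER_ERROR ]: (sdrtrv.c:6699) Error -1 decrypting data for chunk 7080194686464101993.
[07-01-2020 10:15:02.340][ FFDC_GENERAL_SERVER_ERROR ]: (sdrtrv.c:6699) Error -1 decrypting data for chunk 7080194686464101993.
[07-01-2020 10:15:03.007][ FFDC_GENERAL_SERVER_ERROR ]: (sdrtrv.c:6699) Error -1 decrypting data for chunk 1111111111111111111.
EOF
triage "$demo_dir/audit.mac" "$demo_dir/dsmffdc.log"
```

The list printed by affected_chunks is useful to attach to the IBM Support case alongside the QUERY DAMAGED output.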

Problem Resolution
Contact IBM Support to resolve the issue.


Document Information

Modified date:
16 July 2020

UID

ibm16208748