IBM Support

System requirements: IBM Spectrum Protect Plus V10.1.8

Preventive Service Planning


Abstract

This document details the system requirements for installing IBM Spectrum Protect Plus Version 10.1.8.

Content

This document is divided into linked sections for ease of navigation. Use the following links to navigate to the section of the document that you require:



 


General

Ensure that you have the required system configuration and browser to deploy and run IBM Spectrum Protect Plus.

IBM Spectrum Protect Plus support for third-party operating systems, applications, services, and hardware depend on the third-party vendors. When a third-party product or version enters extended support, self-service support, or end of life, IBM Spectrum Protect Plus supports the product or version at the same level as the vendor.



 


IBM Spectrum Protect Plus server requirements

IBM Spectrum Protect Plus as a virtual appliance requirements

IBM Spectrum Protect Plus is installed on a VMware or Microsoft Hyper-V virtual appliance. The virtual appliance contains the application and catalogs, which manage data protection. Maintenance tasks are completed in vSphere Client or Hyper-V Manager by using the IBM Spectrum Protect Plus command line, or in the web-based administrative console.

Infrastructure updates are managed by IBM update facilities. The IBM Spectrum Protect Plus user interface serves as the primary means for updating IBM Spectrum Protect Plus features and underlying infrastructure components, including the operating system and file system.

Infrastructure updates are managed by IBM update facilities. The IBM Spectrum Protect Plus user interface serves as the primary means for updating IBM Spectrum Protect Plus features and underlying infrastructure components, including the operating system and file system.


 

Virtual appliance configuration

Before you deploy IBM Spectrum Protect Plus to the host, ensure that one of the following virtualization products is installed on the host:

  • VMware vSphere 6.0, including all updates and patch levels
  • VMware vSphere 6.5, including all updates and patch levels
  • vSphere 6.7, including all updates and patch levels (beginning with IBM Spectrum Protect Plus V10.1.2)
  • vSphere 7.0, including all updates and patch levels (beginning with IBM Spectrum Protect Plus V10.1.6)
  • Microsoft® Hyper-V 2016
  • Microsoft Hyper-V 2019 (beginning with IBM Spectrum Protect Plus V10.1.3)


 

Virtual appliance hardware

The listed requirements are the minimum requirements for installation. Depending on the capacity and configuration of the storage pool, extra resources might be required. For more information about how to size and build an IBM Spectrum Protect Plus solution, see the IBM Spectrum Protect Plus Blueprints

For initial deployment, configure your virtual appliance to meet the following minimum requirements:

  • 64-bit 8-core server
  • 48 GB memory
  • 270 GB disk storage for the virtual machine (VM)


 

IBM Spectrum Protect Plus as a set of containers requirements

IBM Spectrum Protect Plus can be installed on a Red Hat OpenShift cluster environment. The installation process uses the IBM Spectrum Protect Plus operator, which deploys and manages all the IBM Spectrum Protect Plus components on Red Hat OpenShift.
The IBM Spectrum Protect Plus operator is a Docker image that uses Ansible Operator technology. The image contains the Kubernetes configuration files that are required to deploy and upgrade IBM Spectrum Protect Plus.
If you plan to install IBM Spectrum Protect Plus in an environment that has IBM Cloud Pak for Multicloud Management 2.2 installed, you must use the IBM Spectrum Protect Plus operator for IBM Cloud Pak for Multicloud Management. This operator also works on environments that do not have the IBM Cloud Pak for Multicloud Management installed.


 

Container configuration

Before you deploy IBM Spectrum Protect Plus to a Red Hat OpenShift cluster, ensure that the following requirements are met:

  • Supported container platform: Red Hat OpenShift Container Platform Version 4.5 and later maintenance and modification levels
  • Supported cloud management platform: IBM Cloud Pak for Multicloud Management Version 2.2 and later maintenance and modification levels
  • Supported cloud: On premises (private cloud)

You can install the operator in an online environment or in an air-gapped environment. Before you can install an instance of the IBM Spectrum Protect Plus server, ensure that the following tools are installed or updated to the required version:

  • OpenShift command-line tool (oc) is which delivered with the supported container platform version.
  • Kubernetes command-line tool (kubectl) v1.18.0 or later.
    Note: Kubernetes levels supported in earlier IBM Spectrum Protect Plus reached end of life,  see Kubernetes Patch Releases
  • IBM Cloud Private command-line interface (cloudctl) v3.5.0 or later
  • Skopeo v1.2.2 or later.
    Note: The skopeo utility is used by the load_files.sh script to copy the installation images from IBM® Entitled Registry to your private registry. For more information about downloading the skopeo v1.2.2 utility, see https://github.com/containers/skopeo

You must run all commands on the Linux® operating system.

IBM Spectrum Protect Plus containers are deployed on OpenShift Container Platform. IBM Spectrum Protect Plus consists of 10 core components that run as separate containers. The following IBM Spectrum Protect Plus containers are deployed in an OpenShift cluster:

  • Virgo
  • VADP
  • UI
  • Node.js
  • kc
  • postgres
  • MongoDB (three containers)
  • redis
  • awsebs
  • awsec2

In addition to these core components, the IBM Spectrum Protect Plus operator also deploys the following containers:

  • proxy: Used for internal communications between the virgo container and other containers
  • manager: Used to update the IBM Spectrum Protect Plus instance from the IBM Spectrum Protect Plus user interface

For an example of system configuration, go to IBM Documentation and see Figure 1


 

Container hardware

Persistent storage:
In order for IBM Spectrum Protect Plus to run on an OpenShift cluster, persistent storage is required. The IBM Spectrum Protect Plus operator submits requests for storage by using persistent volume claims (PVCs). The OpenShift cluster completes these requests by using an existing storage driver. A storage class must be configured to allow IBM Spectrum Protect Plus to create persistent volumes dynamically. For the storage volume access mode, all PVC access modes are set to RWO (readwriteonce).
The following table lists the minimum storage capacity for the persistent volumes (PVs):

Table 1. Persistent storage size
Persistent volume Size Mount Path Permissions Containers that access the PVC
Virgo logs 10GB /data/log drwxrwsr-x virgo
Plug-in logs 10GB /data/platform/log drwxrwsr-x awsec2
awsebs
MongoDB 50GB /var/lib/mongodb/data drwxrwsr-x mongodb
MongoDB catalog 100GB /var/lib/mongodb/data drwxrwsr-x mongodb2
Postgres 2GB /var/lib/pgsql/data drwxrwsr-x postgres
Apache Lucene 150GB /data/lucene drwxrwsr-x virgo
Node.js logs 2GB /data/log/node-cdm-service drwxrwsr-x nodejs
VMware vStorage API for Data Protection proxy (VADP proxy) logs 10GB /data/log/vmdkbackupproxy drwxrwsr-x VADP



Networking:
An ingress controller on OpenShift handles external communications for IBM Spectrum Protect Plus. The IBM Spectrum Protect Plus operator deploys the ingress controller, which decrypts the encrypted traffic and directs it to the proxy container. The proxy container then routes the request internally to the proper service. Each IBM Spectrum Protect Plus container uses a corresponding Kubernetes service to communicate internally with other containers.
 

Timeouts
By default, the ingress timeout is set to 900 seconds. This value can be updated by using the haproxy.router.openshift.io/timeout annotation of the ingress resource definition. Proxy timeouts can also be updated from the spp-proxy-config configmap. The default value for the proxy timeout is set to 600 seconds.
On any external load balancers that are being used, also set the timeout values to at least 900 seconds. For example, for an OpenShift cluster on Amazon Web Services (AWS), change the default value for the idle timeout setting of the Elastic Load Balancing (ELB) service from 60 seconds to 900 seconds.

CPU and memory resources
The following table lists the minimum CPU and memory resources that are required for each IBM Spectrum Protect Plus container:

Table 2. IBM Spectrum Protect Plus container CPU and memory requirements
Container CPU (request) CPU (limit) Memory (request) Memory (limit)
virgo 1000m 2000m 4Gi 8Gi
VADP 100m 250m 300Mi 500Mi
ui 50m 100m 100Mi 250Mi
nodejs 50m 100m 50Mi 150Mi
kc 50m 100m 300Mi 500Mi
postgres 50m 100m 50Mi 150Mi
MongoDB(x3) 50m 150m 250Mi 2Gi
redis 100m 250m 100Mi 500Mi
awsebs 50m 250m 500Mi 2Gi
awsec2 50m 250m 500Mi 2Gi

The CPU resource is measured in Kubernetes cpu units. Memory is specified in units of bytes. For more information about CPU units and memory, see Managing Resources for Containers


 

IBM Spectrum Protect Plus server additional requirements

Only default Active Directory non-nested security groups are supported.

Use a Network Time Protocol (NTP) server to synchronize the time zone across IBM Spectrum Protect Plus resources in your environment, such as the IBM Spectrum Protect Plus server, storage arrays, hypervisors, and application servers. If the clocks on the various systems are significantly out of sync, you might experience errors during application registration, metadata cataloging, inventory operations, backup jobs, or file restore jobs. For more information about identifying and resolving timer drift, see the following VMware knowledge base article: Time in virtual machine drifts due to hardware timer drift


 

IBM Spectrum Protect Plus server browser support

IBM Spectrum Protect Plus was tested and validated with the following web browsers:

  • Firefox 55.0.3 and later
  • Google Chrome 60.0.3112 and later
  • Microsoft Edge 40.15063 and later
  • Microsoft EdgeHTML 15.15063 and later

If your screen resolution is lower than 1024 x 768, some items might not fit in the window. Enable pop-up windows in your browser to access the help system and some IBM Spectrum Protect Plus operations.


 

IBM Spectrum Protect Plus server ports

IBM Spectrum Protect Plus server and associated services use the following ports.

Table 3. Communication ports when the target is an IBM Spectrum Protect Plus server
Port Protocol Initiator Target Description
22 Transmission Control Protocol (TCP) vSnap server IBM Spectrum Protect Plus server Provides access for troubleshooting and maintenance tasks on the IBM Spectrum Protect Plus server by using the Secure Shell (SSH) protocol.
443 TCP IBM Spectrum Protect Plus user interface IBM Spectrum Protect Plus server Provides web access by using the Hypertext Transfer Protocol Secure (HTTPS) protocol. This port is the main entry point for client connections that use the ransport Layer Security (TLS) protocol. This port is also used for Representational State Transfer application programming interface (REST API) queries.
443 TCP VADP proxy host IBM Spectrum Protect Plus server Provides web access by using the HTTPS protocol. This port is the main entry point for client connections that use the TLS protocol. This port is also used for REST API queries.
443 TCP All agents
(except IBM Db2)
IBM Spectrum Protect Plus server Used for IBM Spectrum Protect Plus issued commands to run backup, restore, inventory, and other operations
8090 TCP IBM Spectrum Protect Plus administrative console IBM Spectrum Protect Plus server Provides access for system administration. This extensible framework supports plug-ins that run operations such as system and network updates.
30000 - 32767 TCP Kubernetes plug-in IBM Spectrum Protect Plus server Provides access to the built-in Kubernetes (K8s) Kube proxy in support of Amazon Elastic Compute Cloud (EC2).
Note: Not every port in this range is used at the same time. Rather, a small subset of ephemeral ports are opened as required by NodePort services.

    Table 4. Communication ports when the initiator is an IBM Spectrum Protect Plus server
    Port Protocol Initiator Target Description
    22 TCP IBM Spectrum Protect Plus server vSnap server Provides access for troubleshooting and maintenance tasks on vSnap servers by using the SSH protocol.
    22 TCP IBM Spectrum Protect Plus server VADP proxy host Provides access for troubleshooting and maintenance tasks on the VADP proxy hosts by using the SSH protocol.
    22 TCP IBM Spectrum Protect Plus server Agents that use the Network File System (NFS) client.

    Except Kubernetes and OpenShift agents
     
    Provides access to troubleshoot and maintain remote proxy host servers running guest application components by using the SSH protocol

    Note: for Kubernetes and OpenShift agents, the port is assigned by NodePort service in Kubernetes
    Assigned by the NodePort service in Kubernetes TCP IBM Spectrum Protect Plus server Kubernetes or OpenShift agent Used by IBM Spectrum Protect Plus to connect to the data mover container to deploy and run agents

    Note: By default, port 30001 is used for SSH connections to the Kubernetes or OpenShift agent containers. This port is configurable and is port-forwarded to port 22. This port is used only when a containerized IBM Spectrum Protect Plus server opens an SSH connection to the Kubernetes or OpenShift agent container. SSH connections are never used within the Container Backup Support containers.
    25 TCP IBM Spectrum Protect Plus server Email server that can be accessed by using the Simple Mail Transfer Protocol (SMTP) Provides access to an email service.
    389 TCP IBM Spectrum Protect Plus server Lightweight Directory Access Protocol (LDAP) server Provides access to Active Directory Services.
    443 TCP IBM Spectrum Protect Plus server Hypervisor: VMware Elastic Sky X Integrated (ESXi) host and vCenter Provides access to ESXi and vCenter for managing operations.
    443 TCP IBM Spectrum Protect Plus server Hypervisor: EC2 Provides access to Amazon Web Services (AWS) for managing operations.
    636 TCP IBM Spectrum Protect Plus server LDAP server Provides access to Active Directory Services by using the TLS protocol.
    902 TCP IBM Spectrum Protect Plus server Hypervisor: VMware ESXi host Used for the Network File Copy (NFC) protocol, which provides a file-type-aware File Transfer Protocol (FTP) service for vSphere components.
    By default, ESXi uses NFC for operations such as copying and moving data between datastores.
    5985 TCP IBM Spectrum Protect Plus server Hypervisor: Hyper-V Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers.
    5985 TCP IBM Spectrum Protect Plus server Agents that use the iSCSI initiator Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers.
    5986 TCP IBM Spectrum Protect Plus server Hypervisor: Hyper-V Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers.
    5986 TCP IBM Spectrum Protect Plus server Agents that use the iSCSI initiator Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers.
    8098 TCP IBM Spectrum Protect Plus server VADP proxy host Supports REST API communications between the IBM Spectrum Protect Plus server and the VADP proxy by using the TLS protocol.
    8900 TCP IBM Spectrum Protect Plus server vSnap server Supports REST API communications between the IBM Spectrum Protect Plus server and the vSnap server by using the TLS protocol.



     


    vSnap server requirements

    A vSnap server is the primary backup destination for IBM Spectrum Protect Plus.
     

    vSnap server configuration

    • vSnap server VM installation
      Before you deploy the vSnap server to the host, ensure that one of the following requirements is met:
      • vSphere 6.0, including all updates and patch levels
      • vSphere 6.5, including all updates and patch levels
      • vSphere 6.7, including all updates and patch levels (beginning with IBM Spectrum Protect Plus V10.1.2)
      • vSphere 7.0, including all updates and patch levels (beginning with IBM Spectrum Protect Plus V10.1.6)
      • Microsoft Hyper-V 2016
      • Microsoft Hyper-V 2019 (beginning with IBM Spectrum Protect Plus V10.1.3)
    • vSnap server physical installation
      When installing or upgrading vSnap on CentOS or Red Hat Enterprise Linux, the installer contains additional operating system packages that the vSnap software depends on. The dependencies included in the installer are sufficient to satisfy requirements on a ‘Minimal’ configuration of CentOS or Red Hat Enterprise Linux. If the system was created with a different OS configuration, additional dependencies might be needed. If the system is configured with access to online repositories, the vSnap installer attempts to download the required dependencies automatically. If online repositories are not accessible, you might need to manually install or update additional packages. Refer to the on-screen messages shown by the vSnap installer to determine which additional packages need to be installed or updated.

      Beginning with V10.1.3, IBM Spectrum Protect Plus provides new functions that require the kernel levels that are supported in Red Hat Enterprise (RHEL) 7.5 and CentOS 7.5. If you must use operating systems earlier than RHEL 7.5 and CentOS 7.5, use IBM Spectrum Protect Plus V10.1.2 for physical vSnap installations.

      The following Linux operating systems are supported for IBM Spectrum Protect Plus V10.1.8 physical vSnap server installations:
      • CentOS 7.1804 (7.5) (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.2)
      • CentOS 7.1810 (7.6) (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.3 patch 1)
      • CentOS 7.1908 (7.7) (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.5 patch 1)
      • CentOS 7.2003 (7.8) (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.7)
      • CentOS 7.2009 (7.9) (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.8)
      • CentOS 8.1911 (8.1) (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.8)
      • CentOS 8.2004 (8.2) (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.8)
      • CentOS 8.2011 (8.3) (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.8)
      • RHEL 7.5 (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.2)
      • RHEL 7.6 (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.3 patch1)
      • RHEL 7.7 (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.5 patch1)
      • RHEL 7.8 (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.7)
      • RHEL 7.9 (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.8)
      • RHEL 8.1 (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.8)
      • RHEL 8.2 (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.8)
      • RHEL 8.3 (x86_64) (beginning with IBM Spectrum Protect Plus V10.1.8)
         
      If you are using the following operating systems, use IBM Spectrum Protect Plus for physical vSnap server V10.1.2 installations:
      • CentOS 7.3.1611 (x86_64)
      • CentOS 7.4.1708 (x86_64)
      • RHEL 7.3 (x86_64)
      • RHEL 7.4 (x86_64)
         
      For IBM Spectrum Scale requirements in an IBM Spectrum Protect Plus environment, see technote: Integrating IBM Spectrum Protect Plus with IBM Spectrum Scale to optimize data protection


     

    vSnap server hardware

    The listed requirements are the minimum requirements for installation. Depending on the capacity and configuration of the storage pool, additional resources might be required. For more information about how to size and build an IBM Spectrum Protect Plus solution, see the IBM Spectrum Protect Plus Blueprints

    For initial deployment, ensure that your VM or physical Linux server meets the following minimum requirements:

    • 64-bit 8-core server
    • 32 GB memory formatted as XFS
    • 16 GB free space on the root file system
    • 128 GB free space in a separate XFS file system mounted at /opt/vsnap-data

    Restrictions:

    • UEFI Secure Boot must be disabled
    • SELinux mode must be Permissive in the /etc/selinux/config file during physical vSnap installation

    vSnap server additional requirements


     

    vSnap server ports

    The following ports are used by vSnap servers.

    Table 5. Communication ports when the target is a vSnap server
    Port Protocol Initiator Target Description
    22 TCP IBM Spectrum Protect Plus server vSnap server Provides access for troubleshooting and maintenance tasks on vSnap servers by using SSH protocol.
    22 TCP Hypervisors vSnap server Provides access for troubleshooting and maintenance tasks on vSnap servers by using SSH protocol.
    22 TCP Agents that use the NFS client vSnap server Provides access for troubleshooting and maintenance tasks on vSnap servers by using SSH protocol.
    111 TCP and User Datagram Protocol (UDP) Hypervisor: VMware ESXi host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
    111 TCP and UDP VADP proxy host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
    111 TCP and UDP Agents that use the NFS client vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
    445 TCP Application agents that use the SMB or the CIFS protocol vSnap server Used for SMB or CIFS file sharing by the vSnap server during backup and restore operations.
    2049 TCP and UDP Hypervisor: VMware ESXi host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
    2049 TCP and UDP VADP proxy host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
    2049 TCP and UDP Agents that use the NFS client vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
    3260 TCP Hypervisor: Microsoft Hyper-V vSnap server Used for Microsoft Internet Small Computer System Interface (iSCSI) data transfer to and from logical unit number's (LUN)s mounted from vSnap servers during backup and restore operations.
    3260 TCP Agents that use the iSCSI client vSnap server Used for iSCSI data transfer to and from LUNs mounted from vSnap servers during backup and restore operations.
    8900 TCP IBM Spectrum Protect Plus server vSnap server Supports REST API communications between the IBM Spectrum Protect Plus server and the vSnap server by using the TLS protocol.
    8900 TCP vSnap server vSnap server Supports REST API communications between two vSnap servers during replication by using the TLS protocol.
    20048 TCP and UDP Hypervisor: VMware ESXi host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
    20048 TCP and UDP VADP proxy host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
    20048 TCP and UDP Agents that use the NFS client vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.

    Important security information: Process requests to vSnap data ports (NFS, SMB, and iSCSI) only when the request comes from a node in the internal network. Requests that come from external (non-private) network nodes must be blocked. To ensure that proper security practices are followed, work with your network security administrator.

      Table 6. Communication ports when the initiator is a vSnap server
      Port Protocol Initiator Target Description
      22 TCP vSnap server IBM Spectrum Protect Plus server Provides access for troubleshooting and maintenance tasks on the IBM Spectrum Protect Plus server by using SSH protocol.
      443 TCP vSnap server Cloud server endpoints Allows the vSnap server to communicate with Amazon Simple Storage Service (S3), Microsoft Azure, or IBM Cloud Object Storage endpoints.
      8900 TCP vSnap server vSnap server Supports REST API communications between two vSnap servers during replication by using the TLS protocol.
      9000 TCP vSnap server Repository server endpoints Allows the vSnap server to communicate with IBM Spectrum Protect (repository server) endpoints.


      VADP proxy requirements

      In IBM Spectrum Protect Plus, running VM backup jobs through VADP requires significant system resources. By creating VADP backup job proxies, you enable load sharing and load balancing for IBM Spectrum Protect Plus backup jobs. If proxies exist, the entire processing load is shifted from the IBM Spectrum Protect Plus server onto the proxies.


       

      VADP proxy configuration

      This feature is supported only in 64-bit quad core or higher configurations with a minimum kernel version of v2.6.32 in the following Linux environments:

      • CentOS 6.5 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus V10.1.1 patch 1)
      • CentOS 7.0 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus V10.1.1 patch 1)
      • CentOS 8.0 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus V10.1.8)
      • RHEL 6.4 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus V10.1.1)
      • RHEL 7 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus V10.1.1)
      • RHEL 8 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus V10.1.8)
      • SUSE Linux Enterprise Server (SLES) 12 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus V10.1.1)
      • SLES 15 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus V10.1.7)

      For more information about how to build an IBM Spectrum Protect Plus solution, see the IBM Spectrum Protect Plus Blueprints  


       

      VADP proxy hardware

      For initial deployment of a VADP proxy server, ensure that your Linux server meets the following minimum requirements:

      • 64-bit quad core processor
      • 8 GB of random access memory (RAM) required, 16 GB preferred
      • 60 GB of free disk space

      Note:

      • Because of increased processor usage and concurrency on the VADP proxy server, the memory that is allocated on the proxy server must be increased.  
      • Disk space is consumed in /opt/IBM/SPP for installation and the job log file. Approximately 100 MB is used for installation and the job log file size vary based on job execution. Additionally, the /tmp directory is used for temporary files where the amount of disk space used depends on job execution.


       

      VADP proxy additional requirements

      To create VADP proxies, you must have a user ID with the SYSADMIN role assigned. For more information about roles, see Managing roles

      VADP proxies support the following VMware transport modes: File, SAN, HotAdd, NBDSSL, and NBD. For more information about VMware transport modes, see Virtual Disk Transport Methods


       

      VADP proxy ports

      The following ports are used by VADP proxies.

      Table 7. Communication ports when the target is a VADP proxy host
      Port Protocol Initiator Target Description
      22 TCP IBM Spectrum Protect Plus server VADP proxy host Provides access for troubleshooting and maintenance tasks on VADP proxy hosts by using the SSH protocol.
      8098 TCP IBM Spectrum Protect Plus server VADP proxy host Supports REST API communications between the IBM Spectrum Protect Plus server and the VADP proxy by using the TLS protocol.
      Notes:
      • VADP proxies can be pushed and installed to Linux-based servers over SSH port 22.
      • Port 8098 on the VADP proxy server must be open when the proxy server firewall is enabled.
      Table 8. Communication ports when the initiator is a VADP proxy host
      Port Protocol Initiator Target Description
      111 TCP and UDP VADP proxy host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
      443 TCP VADP proxy host Hypervisor: VMware ESXi host and vCenter Provides access to ESXi and vCenter for managing operations.
      443 TCP VADP proxy host IBM Spectrum Protect Plus server Provides web access by using the HTTPS protocol. This port is the main entry point for client connections that use TLS protocol. This port is also used for REST API queries.
      902 TCP VADP proxy host Hypervisor: VMware ESXi host Used for the Network File Copy (NFC) protocol, which provides a file-type-aware File Transfer Protocol (FTP) service for vSphere components.
      By default, ESXi uses NFC for operations such as copying and moving data between datastores.
      2049 TCP and UDP VADP proxy host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
      20048 TCP and UDP VADP proxy host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.


      If the firewall command script is not available on your system, edit the firewall manually to open or close the necessary ports, and restart the firewall. For instructions about editing firewall ports, see Editing firewall ports


         

        VADP proxy on vSnap server

        VADP proxies can be installed on the vSnap servers in your IBM Spectrum Protect Plus environment. A combination VADP proxy and vSnap server must meet the minimum requirements of both devices. Consider the system requirements of both devices and add the core and RAM requirements together to identify the minimum requirements of the combination VADP proxy and vSnap server.

        For a VADP proxy installed on a virtual vSnap server, the following requirements must be met:

        • 64-bit 8-core processor
        • 48 GB RAM



         


        IBM Spectrum Protect Plus Ports and Diagram

        IBM Spectrum Protect Plus communication ports

        The following table lists the all ports between the IBM Spectrum Protect Plus components.

        Table 9. Communication ports
        Port Protocol Initiator Target Description
        22 Transmission Control Protocol (TCP) vSnap server IBM Spectrum Protect Plus server Provides access for troubleshooting and maintenance tasks on the IBM Spectrum Protect Plus server by using Secure Shell (SSH) protocol.
        22 TCP IBM Spectrum Protect Plus server vSnap server Provides access for troubleshooting and maintenance tasks on vSnap servers by using the SSH protocol.
        22 TCP IBM Spectrum Protect Plus server VADP proxy host Provides access for troubleshooting and maintenance tasks on VADP proxy hosts by using the SSH protocol.
        22 TCP IBM Spectrum Protect Plus server Agents that use the NFS client.

        Except Kubernetes and OpenShift agents
        Provides access to troubleshoot and maintain remote proxy host servers running guest application components by using the SSH protocol

        Note: for Kubernetes and OpenShift agents, the port is assigned by NodePort service in Kubernetes
        22 TCP Hypervisors vSnap server Provides access for troubleshooting and maintenance tasks on vSnap servers by using SSH protocol.
        22 TCP Agents that use the NFS client vSnap server Provides access for troubleshooting and maintenance tasks on vSnap servers by using SSH protocol.
        25 TCP IBM Spectrum Protect Plus server Email server that can be accessed by using the Simple Mail Transfer Protocol (SMTP) Provides access to an email service.
        111 TCP and User Datagram Protocol (UDP) Hypervisor: VMware ESXi host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
        111 TCP and UDP VADP proxy host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
        111 TCP and UDP Agents that use the NFS client vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
        389 TCP IBM Spectrum Protect Plus server Lightweight Directory Access Protocol (LDAP) server Provides access to Active Directory Services.
        443 TCP IBM Spectrum Protect Plus user interface IBM Spectrum Protect Plus server Provides web access by using the Hypertext Transfer Protocol Secure (HTTPS) protocol. This port is the main entry point for client connections that use the Transport Layer Security (TLS) protocol. This port is also used for Representational State Transfer application programming interface (REST API) queries.
        443 TCP VADP proxy host IBM Spectrum Protect Plus server Provides web access by using the HTTPS protocol. This port is the main entry point for client connections that use TLS protocol. This port is also used for REST API queries.
        443 TCP IBM Spectrum Protect Plus server Hypervisor: VMware Elastic Sky X Integrated (ESXi) host and vCenter Provides access to ESXi and vCenter for managing operations.
        443 TCP IBM Spectrum Protect Plus server Hypervisor: Amazon EC2 Provides access to Amazon Web Services (AWS) for managing operations.
        443 TCP VADP proxy host Hypervisor: VMware ESXi host and vCenter Provides access to ESXi and vCenter for managing operations.
        443 TCP All agents
        (except IBM Db2)
        IBM Spectrum Protect Plus server Port that allows the agents to communicate with IBM Spectrum Protect Plus for making representational state transfer application programming interface (REST API) calls to run backup, restore, inventory, and other operations.
        443 TCP vSnap server Cloud server endpoints Allows the vSnap server to communicate with Amazon Simple Storage Service (S3), Microsoft Azure, or IBM Cloud Object Storage endpoints.
        445 TCP Application agents that use the SMB or the CIFS protocol vSnap server Used for SMB or CIFS file sharing by the vSnap server during backup and restore operations.
        636 TCP IBM Spectrum Protect Plus server LDAP server Provides access to Active Directory Services by using the Transport Layer Security (TLS) protocol.
        902 TCP IBM Spectrum Protect Plus server Hypervisor: VMware ESXi host Used for the Network File Copy (NFC) protocol, which provides a file-type-aware File Transfer Protocol (FTP) service for vSphere components.
        By default, ESXi uses NFC for operations such as copying and moving data between datastores.
        902 TCP VADP proxy host Hypervisor: VMware ESXi host Used for the Network File Copy (NFC) protocol, which provides a file-type-aware File Transfer Protocol (FTP) service for vSphere components.
        By default, ESXi uses NFC for operations such as copying and moving data between datastores.
        2049 TCP and UDP Hypervisor: VMware ESXi host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
        2049 TCP and UDP VADP proxy host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
        2049 TCP and UDP Agents that use the NFS client vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations
        3260 TCP Hypervisor: Microsoft Hyper-V vSnap server Used for Microsoft Internet Small Computer System Interface (iSCSI) data transfer to and from logical unit number's (LUN)s s mounted from vSnap servers during backup and restore operations.
        3260 TCP Agents that use the iSCSI client
         
        vSnap server Used for iSCSI data transfer to and from LUNs mounted from vSnap servers during backup and restore operations.
        5985 TCP IBM Spectrum Protect Plus server Hypervisor: Hyper-V Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers.
        5985 TCP IBM Spectrum Protect Plus server Agents that use the iSCSI initiator Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers.
        5986 TCP IBM Spectrum Protect Plus server Hypervisor: Hyper-V Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers.
        5986 TCP IBM Spectrum Protect Plus server Agents that use the iSCSI initiator Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers.
        8090 TCP IBM Spectrum Protect Plus administrative console IBM Spectrum Protect Plus server Provides access for system administration. This extensible framework supports plug-ins that run operations such as system and network updates.
        8098 TCP IBM Spectrum Protect Plus server VADP proxy host Supports REST API communications between the IBM Spectrum Protect Plus server and the VADP proxy by using the Transport Layer Security (TLS) protocol.
        8900 TCP IBM Spectrum Protect Plus server vSnap server Supports REST API communications between the IBM Spectrum Protect Plus server and the vSnap server by using the TLS protocol.
        8900 TCP vSnap server vSnap server Supports REST API communications between two vSnap servers during replication by using the TLS protocol.
        9000 TCP vSnap server Repository server endpoints Allows the vSnap server to communicate with IBM Spectrum Protect (repository server) endpoints.
        20048 TCP and UDP Hypervisor: VMware ESXi host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
        20048 TCP and UDP VADP proxy host vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
        20048 TCP and UDP Agents that use the NFS client vSnap server Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations.
        30000 - 32767 TCP Kubernetes plug-in IBM Spectrum Protect Plus server Provides access to the built-in Kubernetes (K8s) Kube proxy in support of EC2.
        Note: Not every port in this range is used at the same time. Rather, a small subset of ephemeral ports are opened as required by NodePort services.
        Assigned by the NodePort service in Kubernetes TCP IBM Spectrum Protect Plus server Kubernetes or OpenShift agent Used by IBM Spectrum Protect Plus to connect to the data mover container to deploy and run agents

        Note: By default, port 30001 is used for SSH connections to the Kubernetes or OpenShift agent containers. This port is configurable and is port-forwarded to port 22. This port is used only when a containerized IBM Spectrum Protect Plus server opens an SSH connection to the Kubernetes or OpenShift agent container. SSH connections are never used within the Container Backup Support containers.


        Port updates:

        • Ports 111, 2029, and 20048: In earlier versions, these ports were used for catalog backup operations to vSnap server by using the Network File System (NFS) client. Beginning with IBM Spectrum Protect Plus V10.1.7, the IBM Spectrum Protect Plus server uses the Secure File Transfer protocol (SFTP) to back up catalogs to vSnap servers. For that reason, ports 111, 2029, and 20048 are no longer required.
        • Ports 137, 138, and 139: In earlier versions, ports 137, 138, and 139 on the vSnap server were used by application agents that use SMBv1. Beginning with IBM Spectrum Protect Plus V10.1.6, the SMBv1 protocol is not used. All agents use SMBv2 or later, which does not require ports 137, 138, or 139.
        • Port 3260: In earlier versions, this port was used for Internet Small Computer System Interface (iSCSI) data transfer by the vSnap server. Beginning with IBM Spectrum Protect Plus V10.1.7, the IBM Spectrum Protect Plus server does not include an onboard vSnap server. For that reason, the port is no longer required.
        • Port 9090: In earlier versions, this port was used for online help. Starting with V10.1.4, this port is no longer required for online help. No further action is required.
        • Port 8761: In earlier versions, this port was used to automatically discover VADP proxies and for IBM Spectrum Protect Plus VM backup operations. Beginning with IBM Spectrum Protect Plus V10.1.6, the VADP proxy architecture is modified and port 8761 is no longer required to be open. When IBM Spectrum Protect Plus is updated to V10.1.6 or later, the associated VADP proxies in the environment are also upgraded.
        • Port 5671: In earlier versions, this port was used for internal and external message and log management. Beginning with IBM Spectrum Protect Plus V10.1.7, the VADP proxy architecture is modified and port 5671 is no longer required to be open.
          Note: If you upgrade to IBM Spectrum Protect Plus version 10.1.7 from a previous version, you can close TCP port 5671 since it is no longer used in V10.1.7 and later. Log in to IBM Spectrum Protect Plus as the server admin user and issue the following commands to close the port:
          $ sudo firewall-cmd --zone=public --permanent --remove-port=5671/tcp
          $ sudo firewall-cmd --reload

        IBM Spectrum Protect Plus communication paths diagram

        The following diagram is an overview of the communication paths that are managed by IBM Spectrum Protect Plus. This diagram is intended to provide a high-level representation of components and their associated ports. This diagram can provide assistance for troubleshooting and network configuration for deployment scenarios.

        • The labeled resources on the gray background represent the core services of IBM Spectrum Protect Plus.
        • The colors of the various modules represent different types of services as defined by the key.
        • The area that is labeled Firewall represents the network firewall.
        • Services that appear in the Firewall area are indicative of the ports that are open on the firewall.
        • Dashed arrows represent communication among resources and services.
        • Arrows flow toward the listening port (target).
        • The port numbers that must be open are indicated by the listening port.
          For example:
          • The vSnap service is represented as being external to the IBM Spectrum Protect Plus server. The vSnap service is listening on port 8900 and other ports.
          • A component in the server establishes a communication path with a connection to the vSnap service at port 8900.

        Figure 1: IBM Spectrum Protect Plus communication paths diagram.

        10.1.8 diagram

        Component details:

        1. IBM Spectrum Protect Plus contains several base components, for more information, see Product components
        2. The following hypervisors and agents use an iSCSI initiator:
          • Hypervisor: Microsoft Hyper-V
          • Agents: Microsoft SQL Server, Microsoft Exchange, and Windows file systems.
        3. The following hypervisors and agents use an NFS client:
          • Hypervisor: VMware
          • Agents: Oracle server, IBM Db2, MongoDB, Container (Kubernetes and OpenShift), and Microsoft 365.
            Note: IBM Db2 agent does not require port 443 to the REST API in the IBM Spectrum Protect Plus server.
        4. The following agents use a Server Message Block (SMB) or the Common Internet File System (CIFS) protocol client:
          • Microsoft SQL Server (only for transaction log backup and restore operations)
          • Microsoft Exchange (only for transaction log backup and restore operations)
          • Windows File systems. 
        5. An SSH port connects the IBM Spectrum Protect Plus server to the Kubernetes Backup Support agent. If you do not select a port, a random port number is selected by the NodePort Services in the default range. If you specify a value for this port, use a port number within the NodePort range that is set by the Kubernetes administrator that is not already in use.



         


        Connectivity requirements

        Ensure that the following connectivity requirements are met:

        • The secure file transfer protocol (SFTP) subsystem for Secure Shell (SSH) is enabled on the IBM Spectrum Protect Plus server, VADP proxies, and vSnap servers.
        • The Secure Shell (SSH) service is running on port 22 on the IBM Spectrum Protect Plus server, VADP proxies, and vSnap servers.
        • Firewalls are configured to allow IBM Spectrum Protect Plus components to connect with each other by using SSH.
        • VADP proxy servers use the Network File System (NFS) to mount storage volumes for backup and restore operations. On Linux, ensure that the native Linux NFS client is installed.
        • All servers, proxies, applications, and hypervisors that are added to the IBM Spectrum Protect Plus environment can be registered by using a Domain Name System (DNS) name or Internet Protocol (IP) address.
        • If DNS names are used, they must be resolvable over the network by the IBM Spectrum Protect Plus server and from the vSnap server. All IBM Spectrum Protect Plus components must also be resolvable by their DNS names.
        • If DNS is not available, you must add the server to the /etc/hosts file on the IBM Spectrum Protect Plus server by using the command line.



         


        Repository server storage requirements

        If you plan to use IBM Spectrum Protect as a repository server for copying data to cloud storage, ensure that you are using IBM Spectrum Protect V8.1.12.



         


        Cloud storage requirements

        Disk cache area

        For all functions related to data copy and restore operations to and from cloud targets, the vSnap server requires a disk cache area to be present on the vSnap server:

        • During copy operations, this cache is used as a temporary staging area for objects that are pending upload to the cloud endpoint.
        • During restore operations, the disk cache area is used to cache downloaded objects and to store any temporary data that might be written into the restore volume.

        For instructions about sizing and installing the cache, see the IBM Spectrum Protect Plus Blueprints
         


         

        Multipath

        During copy operations to object storage, IBM Spectrum Protect Plus attaches and detaches virtual cloud devices on vSnap servers. If a multipath configuration is enabled on the vSnap server by using dm-multipath, the configuration can interfere with the copy operation. To avoid this interference, modify the multipath configuration file and specify a rule to exclude devices whose vendor matches "LIO-ORG". For instructions and examples, go to the Red Hat Customer Portal and see the DM Multipath documentation


         

        Certificates

        • Self-signed certificates
          If the cloud endpoint or repository server uses a self-signed certificate, you must specify the certificate in Privacy Enhanced Mail (PEM) format when you register the cloud or repository server in the IBM Spectrum Protect Plus user interface.
           
        • Certificates signed by a private certificate authority
          If the cloud endpoint or repository server uses a certificate signed by a private certificate authority (CA), the endpoint certificate must be specified (in PEM format) when you register the cloud or repository server in the IBM Spectrum Protect Plus user interface.
          In addition, you must add the root or intermediate certificate of the private CA to the system certificate store in each vSnap server by using the following procedure:
          1. Log in to the vSnap server console as the serveradmin user and upload any private CA certificates (in PEM format) to a temporary location.
          2. Copy each certificate file to the system certificate store directory (/etc/pki/ca-trust/source/anchors/) by running the following command:
              $ sudo cp /tmp/private-ca-cert.pem /etc/pki/ca-trust/source/anchors/
          3. To incorporate the newly added custom certificate and update the system certificate bundle, run the following command:
              $ sudo update-ca-trust
        • Certificates signed by public certificate authority
          If the cloud endpoint uses a public CA-signed certificate, no special action is required. The vSnap server validates the certificate by using the default system certificate store.
           
        • Wildcard certificates
          If the cloud endpoint uses a wildcard certificate, note that the wildcard applies only to one subdomain level of the domain name. For example, if the certificate is for *.example.com, the certificate matches hostname level1.example.com but not matches level1.level2.example.com. If the bucket name contains periods (for example, "my.bucket") and it is part of the hostname used for registering the cloud endpoint in IBM Spectrum Protect Plus (for example, "my.bucket.example.com"), certificate validation can fail. In such cases, ensure that the bucket name does not contain periods.


         

        Network

        The following ports are used for communication between the vSnap servers and cloud or repository server endpoints.

        Table 10. Communication ports when the target is a cloud server or repository server endpoint
        Port Protocol Initiator Target Description
        443 TCP vSnap server Cloud server endpoints Allows the vSnap server to communicate with Amazon Simple Storage Service (S3), Microsoft Azure, or IBM Cloud Object Storage endpoints.
        9000 TCP vSnap server Repository server endpoints Allows the vSnap server to communicate with IBM Spectrum Protect (repository server) endpoints.


        Any firewalls or network proxies that inspect TLS or conduct a deep packet inspection of traffic between the vSnap servers and cloud endpoints might interfere with TLS certificate validation on vSnap servers. This interference can also cause cloud copy job failures. To prevent this interference, the vSnap servers must be exempted from TLS interception and inspection in the firewall or proxy configuration.


         

        Cloud provider

        • Amazon S3 cloud requirements
          • Standard object storage: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket in one of the supported storage tiers must be specified: S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access, or S3 One Zone-Infrequent Access.
          • Archive object storage: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket in one of the supported storage tiers must be specified: S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access, or S3 One Zone-Infrequent Access. IBM Spectrum Protect Plus directly uploads data files to the Glacier tier. Some small metadata files are stored in the default tier for the bucket. A copy of these metadata files is also placed into the Glacier tier for disaster recovery purposes.
             
        • IBM Cloud Object Storage requirements
          • Standard object storage: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket must be specified. If the specified bucket has a Write Once Read Many (WORM) policy that locks objects for a certain time period, IBM Spectrum Protect Plus automatically detects the configuration and deletes snapshots after the WORM policy removes the lock. The bucket must have the Name Index setting enabled.
          • Archive object storage: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket must be specified. If the specified bucket has a WORM policy that locks objects for a certain time period, IBM Spectrum Protect Plus automatically detects the configuration and deletes snapshots after the WORM policy removes the lock. IBM Spectrum Protect Plus creates a single lifecycle management rule on the bucket to migrate data files to the archive tier. The bucket must have the Name Index setting enabled.
             
        • Microsoft Azure requirements
          • Standard object storage: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing container in a hot or cool storage account must be specified.
          • Archive object storage: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing container in a hot or cool storage account must be specified. IBM Spectrum Protect Plus moves files between tiers on demand. Data files are immediately moved to the archive tier and temporarily returned to the hot tier only during restore operations. Some small metadata files are stored in the default tier for the container. A copy of these metadata files is also placed in the archive tier for disaster recovery purposes.
             
        • IBM Spectrum Protect (repository server) requirements
          • Standard object storage: When the cloud provider is registered in IBM Spectrum Protect Plus, you cannot use an existing bucket. IBM Spectrum Protect Plus creates a uniquely named bucket for its own use.
          • Archive object storage: When the cloud provider is registered in IBM Spectrum Protect Plus, you cannot use an existing bucket. IBM Spectrum Protect Plus creates a uniquely named bucket for its own use. IBM Spectrum Protect Plus directly uploads data files to IBM Spectrum Protect tape storage.  Some small metadata files are stored in IBM Spectrum Protect object storage.  A copy of these metadata files is also placed on IBM Spectrum Protect tape storage for disaster recovery purposes.
             
        Table 11. Copy and archive copy requirements for cloud providers
        Operation Provider Requirements
        Copy Amazon S3 An existing bucket must be specified from one of the supported storage tiers.
        Copy IBM Cloud Object Storage An existing bucket must be specified. The bucket must have the Name Index setting enabled.
        Copy Microsoft Azure An existing container must be specified from a hot or cool storage tier.
        Copy IBM Spectrum Protect IBM Spectrum Protect Plus creates its own unique bucket.
        Operation Provider Requirements
        Archive copy Amazon S3 An existing bucket must be specified from one of the supported storage tiers.
        Archive copy IBM Cloud Object Storage An existing bucket must be specified from the archive tier. The bucket must have the Name Index setting enabled.
        Archive copy Microsoft Azure An existing container must be specified from the hot storage tier and archive tier.
        Archive copy IBM Spectrum Protect IBM Spectrum Protect Plus creates its own unique bucket to be copied to IBM Spectrum Protect tape storage.



         

        [{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSNQFQ","label":"IBM Spectrum Protect Plus"},"ARM Category":[{"code":"a8m3p000000h9Z4AAI","label":"HW\/SW Requirements"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"10.1.8"}]

        Document Information

        Modified date:
        16 September 2021

        UID

        ibm16416669