IBM Support

System requirements: IBM Storage Protect Plus 10.1.15

Preventive Service Planning


Abstract

This document details the system requirements for installing IBM Storage Protect Plus 10.1.15.

Content

Note: The product now known as IBM Storage Protect Plus was named IBM Spectrum Protect Plus in levels earlier than 10.1.15. To learn more about the brand change, see IBM Spectrum brand change to IBM Storage.
 




 

General

To read about new and changed features in different versions of IBM Storage Protect Plus 10.1, see What's new for IBM Storage Protect Plus.

Ensure that you have the required system configuration and browser to deploy and run IBM Storage Protect Plus.

IBM Storage Protect Plus support for third-party operating systems, applications, services, and hardware depends on the respective vendor. If a third-party product or version moves into extended support, self-service support, or end-of-life, IBM Storage Protect Plus supports the product or version at the same level as the vendor. See also IBM Support General Guidelines and Limitations - IBM support for software on unsupported operating systems.

Note:

  • To find the associated requirements for hypervisors, file indexing and restore, and all the application agents in this level, see All Requirements Doc.
  • IBM Spectrum Protect Plus as a set of containers and container backup support agent are not supported in 10.1.13 and later levels. If you are using IBM Spectrum Protect Plus as a set of containers or container backup support agent, use IBM Spectrum Protect Plus 10.1.12.
  • IBM Spectrum Protect Plus no longer supports the protection of Microsoft 365 data starting with version 10.1.14. If you use IBM Spectrum Protect Plus to back up and restore Microsoft 365 data, use IBM Spectrum Protect Plus 10.1.13. For more information, see the IBM Spectrum Protect Plus for Microsoft Office 365 withdrawal letter.
    You can protect your Microsoft 365 resources, such as SharePoint Online, Exchange Online, Microsoft 365 Groups, and Microsoft Teams, by using IBM Spectrum Protect Plus Online Services. IBM Spectrum Protect Plus Online Services is a multi-tenant software as a service (SaaS) platform that requires no installation and minimal configuration to protect your Microsoft 365 resources. For more information, see the IBM Spectrum Protect Plus Online Services.



 

IBM Storage Protect Plus server requirements

IBM Storage Protect Plus as virtual appliance requirements

IBM Storage Protect Plus is installed on a VMware or Microsoft® Hyper-V virtual appliance. The virtual appliance contains the application and catalogs, which manage data protection. Maintenance tasks are completed in vSphere Client or Hyper-V Manager by using the IBM Storage Protect Plus command line, or in the web-based administrative console.

Infrastructure updates are managed by IBM update facilities. The IBM Storage Protect Plus user interface serves as the primary means for updating IBM Storage Protect Plus features and underlying infrastructure components, including the operating system and file system.


 

Virtual appliance configuration

Before you deploy IBM Storage Protect Plus to the host, ensure that one of the following virtualization products is installed on the host:

  • VMware vSphere 6.5, and 6.5.x levels
  • VMware vSphere 6.7, and 6.7.x levels (beginning with IBM Spectrum Protect Plus 10.1.2)
  • VMware vSphere 7.0, and 7.0.x levels (beginning with IBM Spectrum Protect Plus 10.1.6)
  • VMware vSphere 8.0 (beginning with IBM Spectrum Protect Plus 10.1.13)
  • Microsoft Hyper-V 2016
  • Microsoft Hyper-V 2019 (beginning with IBM Spectrum Protect Plus 10.1.3)

Note: Beginning with IBM Spectrum Protect Plus 10.1.8, VMware VDDK 7.0 is included. This VDDK level does not support vSphere 6.0. See APAR IT39868.


 

Virtual appliance hardware

The listed requirements are the minimum requirements for installation. Depending on the capacity and configuration of the storage pool, extra resources might be required. For more information about how to size and build an IBM Storage Protect Plus solution, see the IBM Storage Protect Plus Blueprints.

For initial deployment, configure your virtual appliance to meet the following minimum requirements:

  • 64-bit 8-core server
  • 48 GB of random access memory (RAM)
  • 270 GB disk storage for the virtual machine (VM)

Note: The JVM heap maximum used by Virgo needs to be adjusted when the IBM Storage Protect Plus server memory is increased. The maximum memory to reserve for the heap depends on whether the optional file indexing feature is used. For systems that are not using the virtual machine file indexing feature, 25% of system memory needs to be reserved for the maximum JVM heap. For systems that are using file indexing, a minimum of 128 GB of memory needs to be assigned to the system, with 38% of this memory reserved for the JVM heap.


 

IBM Storage Protect Plus server more requirements

Only default Active Directory nonnested security groups are supported.

Use a Network Time Protocol (NTP) server to synchronize the time zone across IBM Storage Protect Plus resources in your environment, such as the IBM Storage Protect Plus server, storage servers, hypervisors, and application servers. If the clocks on the various systems are significantly out of sync, you might experience errors during application registration, metadata cataloging, inventory operations, backup jobs, or file restore jobs. For more information about identifying and resolving timer drift, see the following VMware knowledge base article: Time in virtual machine drifts due to hardware timer drift.


 

IBM Storage Protect Plus server browser support

IBM Storage Protect Plus was tested and validated with the following web browsers:

  • Firefox 55.0.3 and later
  • Google Chrome 60.0.3112 and later
  • Microsoft Edge 40.15063 and later
  • Microsoft EdgeHTML 15.15063 and later

If your screen resolution is less than 1024 x 768, some items might not fit in the window. Enable pop-up windows in your browser to access the help system and some IBM Storage Protect Plus operations.



 

vSnap server requirements

A vSnap server is the primary backup destination for IBM Storage Protect Plus.

To protect the data transport between vSnap and a remote VADP or application host, you can enable the transport encryption option. With transport encryption, each data path between the application host or a remote VADP and the vSnap can be encrypted and decrypted. To use the transport encryption option, you must update both IBM Storage Protect Plus and vSnap to 10.1.13 or later. After you install or update IBM Storage Protect Plus and vSnap, the transport encryption option is not enabled by default. If you enabled transport encryption and plan to disable it, you must manually disable the transport encryption option. For more information about transport encryption, see Transport encryption.


 

vSnap server configuration

  • vSnap server as virtual appliance
    Before you deploy the vSnap server to the host, ensure that one of the following requirements is met:
    • VMware vSphere 6.5, and 6.5.x levels
    • VMware vSphere 6.7, and 6.7.x levels (beginning with IBM Spectrum Protect Plus 10.1.2)
    • VMware vSphere 7.0, and 7.0.x levels (beginning with IBM Spectrum Protect Plus 10.1.6)
    • VMware vSphere 8.0 (beginning with IBM Spectrum Protect Plus 10.1.13)
    • Microsoft Hyper-V 2016
    • Microsoft Hyper-V 2019 (beginning with IBM Spectrum Protect Plus 10.1.3)
       

    Note: Beginning with IBM Spectrum Protect Plus 10.1.8, VMware VDDK 7.0 is included. This VDDK level does not support vSphere 6.0. See APAR IT39868
     

  • vSnap server physical installation
    When you install or upgrade vSnap on Red Hat Enterprise Linux, the installer contains additional operating system packages that the vSnap software depends on. The dependencies included in the installer are sufficient to satisfy requirements on a ‘Minimal’ configuration of Red Hat Enterprise Linux. If the system was created with a different OS configuration, additional dependencies might be needed. If the system is configured with access to online repositories, the vSnap installer attempts to download the required dependencies automatically. If online repositories are not accessible, you might need to manually install or update additional packages. Refer to the on-screen messages shown by the vSnap installer to determine which additional packages need to be installed or updated.

    The following Linux x86_64 operating systems are supported for IBM Storage Protect Plus 10.1.15 physical vSnap server installations:
    • RHEL 8.1 (beginning with IBM Spectrum Protect Plus 10.1.8)
    • RHEL 8.2 (beginning with IBM Spectrum Protect Plus 10.1.8)
    • RHEL 8.3 (beginning with IBM Spectrum Protect Plus 10.1.8)
    • RHEL 8.4 (beginning with IBM Spectrum Protect Plus 10.1.9)
    • RHEL 8.5 (beginning with IBM Spectrum Protect Plus 10.1.11)
    • RHEL 8.6 (beginning with IBM Spectrum Protect Plus 10.1.11)
    • RHEL 8.7 (beginning with IBM Spectrum Protect Plus 10.1.14)
       

    Note:
    - CentOS 7.x and RHEL 7.x are not supported for IBM Spectrum Protect Plus 10.1.11 physical vSnap server installation because of security issues. See Security Bulletin:  Multiple vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus.
    - CentOS Linux 8 reached end of life (EOL) on 31 December 2021, see  CentOS Linux EOL. IBM Storage Protect Plus physical vSnap server installation is not supported on the next CentOS version (CentOS Stream 8).

  • For IBM Storage Scale requirements in an IBM Storage Protect Plus environment, see technote: Integrating IBM Spectrum Protect Plus with IBM Spectrum Scale to optimize data protection.
     
  • vSnap server hardware
    The listed requirements are the minimum requirements for installation. Depending on the capacity and configuration of the storage pool, more resources might be required. For more information about how to size and build an IBM Storage Protect Plus solution, see the IBM Storage Protect Plus Blueprints.

    For initial deployment, ensure that your VM or physical Linux server meets the following minimum requirements:
    • 64-bit 8-core server
    • 32 GB of random access memory (RAM)
    • 32 GB free space on the root file system. If separate mount points are configured instead of a single root file system, then ensure the following:
      - 10 GB free space in the /opt file system
      - 10 GB free space in the /tmp file system
      - 2 GB free space in the /etc file system
      - 10 GB free space in the /var file system
    • 128 GB free space in a separate XFS file system mounted at /opt/vsnap-data
       

    Restrictions:

    • UEFI Secure Boot must be disabled.
    • SELinux enforcement must be disabled.
      • To disable enforcement, run:
        setenforce 0
      • To ensure that enforcement remains disabled after a restart, edit the /etc/selinux/config file and set the SELINUX parameter to disabled or permissive.
    • The nginx package must be installed by using the operating system installation media or online repository before you install vSnap server.


 

vSnap server more requirements



 

VADP proxy requirements

In IBM Storage Protect Plus, running VMware backup jobs through VADP requires significant system resources. You can enable load sharing and load balancing of IBM Storage Protect Plus backup jobs by creating VADP backup job proxies. At least one VADP proxy is required to protect VMware backup jobs. You can install the VADP proxy on the vSnap server and add extra proxies.


 

VADP proxy connected to vSnap server

  • VADP proxy configuration
    This feature is supported only in 64-bit quad core or higher configurations with a minimum kernel version 2.6.32 in the following Linux x86_64 environments:
    • CentOS 7.7 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.1 patch 1)
    • CentOS 8.0(1) and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.8)
    • RHEL 7.7 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.1)
    • RHEL 8(2) and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.8)
    • RHEL 9(2) and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.14)
    • SUSE Linux Enterprise Server (SLES) 12 SP5 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.1)
    • SLES 15 SP1(2) and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.7)
       
    (1)CentOS Linux 8 reached end of life (EOL) on 31 December 2021, see  CentOS Linux EOL.  IBM Storage Protect Plus is not supported on the next CentOS version (CentOS Stream 8).
    (2)Transport encryption feature is supported.
     
    For more information about how to build an IBM Storage Protect Plus solution, see the IBM Storage Protect Plus Blueprints.
  • VADP proxy hardware
    For initial deployment of a VADP proxy server, ensure that your Linux server meets the following minimum requirements:

    Notes:
    - Because of increased processor usage and concurrency on the VADP proxy server, the memory that is allocated on the proxy server must be increased.  
    - Disk space is used in /opt/IBM/SPP for installation and the job log file. Approximately 100 MB is used for installation, and the job log file size varies depending on job execution. Additionally, the /tmp directory is used for temporary files where the amount of disk space used depends on job execution.

    • 64-bit quad core processor
    • 8 GB of random access memory (RAM) required, 16 GB preferred
    • 60 GB of free disk space
       
  • Restrictions
    Transport encryption feature is not supported on the following operating systems: CentOS 7, RHEL 7, CentOS 8, SLES 12.


 

VADP proxy connected to Open Snap Store Manager (OSSM) storage server

You can back up virtual machine snapshots directly to IBM Storage Protect directory-container storage pools without requiring an intervening vSnap server by using Open Snap Store Manager (OSSM). To support direct data backup operations from IBM Storage Protect Plus, you must install and configure the OSSM component where the IBM Storage Protect server is installed.
Note: When you deploy the VADP proxy component on a site with OSSM storage, this deployment sets up an extra OSSM proxy agent component that requires more resources than just the basic VADP requirements.

  • VADP proxy configuration
    For VADP proxies that also serve as OSSM proxies, the following Linux x86_64 operating systems are supported:
    • RHEL 8.6 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.12)
    • RHEL 9 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.14)
    • SLES 15 SP3 and later maintenance and modification levels (beginning with IBM Spectrum Protect Plus 10.1.12)
       
  • VADP proxy hardware
    For the initial deployment of a VADP proxy server, ensure that your Linux server meets the following minimum requirements:
    • 64-bit with 8-core processor
    • 16 GB of random access memory (RAM)
    • 60 GB of free disk space
       

    Note: The previously listed minimum requirements are suitable for a proxy that is configured in the IBM Storage Protect Plus UI to have the "Softcap task limit" changed from "Use All Resources" to 8. Proxies that handle larger workloads require more CPU, RAM, and disk space. Larger workloads include setting the "Softcap task limit" to values larger than 8, and proxies that run a significant amount of instant access test restore.

  • More requirements
    • OSSM-related data and logs are stored in the /ossm directory on the proxy.
    • 200 GB disk space for a file system mounted on the /ossm directory used for OSSM cache
    • Ensure that the OSSM server and the IBM Storage Protect server are on the same level
    • Make sure that user_allow_other is not commented out in the /etc/fuse.conf file.
    • You must have passwordless sudo privileges to create a VADP proxy on an OSSM storage server.
    • Ensure that you have system privileges on the IBM Storage Protect server.
    • Ensure that SELinux is disabled in the /etc/selinux/config file.
    • Ensure that the date-time is in sync between the VADP proxy system and the system that is hosting the IBM Storage Protect server, and the OSSM primary control agent service.
    • All required VADP proxy ports and OSSM ports must be open on the combination of VADP proxy and OSSM.
    • Ensure that the following software packages are also installed:
      • Fuse package for your environment
      • nfs-utils package
        Note: The nfs-utils package needs to be installed after the fuse package is installed.
         
  • Restrictions
    • A site defined on IBM Storage Protect Plus can contain only one IBM Storage Protect server and OSSM server. Also, the vSnap storage and OSSM storage cannot be mixed in the same IBM Storage Protect Plus site.
    • You can select one site for SLA. Selecting multiple sites for a single SLA is not supported.
    • The OSSM storage server supports multiple VADP proxies in a site but can allocate only one storage per site.
    • For OSSM backups, virtual machines are always placed on dedicated volumes. The global preference for grouping virtual machines does not apply to vSnap storage.
    • You can replicate backup data from an OSSM storage on a primary site to an OSSM storage on a secondary site. The replication process is run by IBM Storage Protect server by using storage rules.
    • Establish a replication partnership between OSSM storage hosts. You must create the replication partnership from the IBM Storage Protect source server to the IBM Storage Protect target server.
    • The OSSM storage server does not support replication groups that are running concurrently. Before IBM Spectrum Protect server 8.1.17, there was no overlap in job schedules. Beginning with 8.1.17, overlapping job schedules are supported. However, the secondary schedule or SLA starts only after the primary job is completed. Users do not need to worry about overlapping job schedules.


 

VADP proxy installed on vSnap server

VADP proxies can be installed on the vSnap servers in your IBM Storage Protect Plus environment. A combination of VADP proxy and vSnap server must meet the minimum requirements of both devices. Consider the system requirements of both devices and add the core and RAM requirements together to identify the minimum requirements of the combination VADP proxy and vSnap server.

For a VADP proxy installed on a virtual vSnap server, the following requirements must be met:

  • 64-bit 8-core processor
  • 48 GB of random access memory (RAM)


 

VADP proxy more requirements

To create VADP proxies, you must have a user ID with the SYSADMIN role assigned. For more information about roles, see Managing roles.

VADP proxies support the following VMware transport modes: SAN, HotAdd, NBDSSL, and NBD. For more information about VMware transport modes, see Virtual Disk Transport Methods.

With transport encryption, you can securely transfer data between the vSnap and a remote VADP. For more information about how to enable transport encryption on VMware to protect VMware data, see Enabling transport encryption for VMware data.
When transport encryption is enabled on the target vSnap servers, ensure that the cifs-utils package is installed on all VADP proxies in that site. If the VADP proxy is running on a vSnap server version 10.1.13 or later, then the cifs-utils package is already installed as part of the vSnap software. For other stand-alone VADP proxy servers, the cifs-utils package must be installed manually.



 

IBM Storage Protect Plus communication ports

The following table lists the ports used between the IBM Storage Protect Plus components, such as the IBM Storage Protect Plus server, vSnap server, and VADP proxy.
The table columns contain the following information:

  • Port: the port number
  • Protocol: the protocol used, which can be Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or both.
  • Initiator: component or service that initiates the communication through this port.
  • Target: component or service that is listening on this port.

 

Table 4. Communication ports

| Port | Protocol | Initiator | Target | Description |
|---|---|---|---|---|
| 22 | TCP | vSnap server | IBM Storage Protect Plus server | Provides access for troubleshooting and maintenance tasks on the IBM Storage Protect Plus server by using Secure Shell (SSH) protocol. |
| 22 | TCP | vSnap server | vSnap server | Supports data transfer between two vSnap servers during replication by using the SSH protocol. |
| 22 | TCP | IBM Storage Protect Plus server | vSnap server | Provides access for troubleshooting and maintenance tasks on vSnap servers by using the SSH protocol. Also used for Rsync data transfer over SSH during IBM Storage Protect Plus catalog backup and restore operations. |
| 22 | TCP | IBM Storage Protect Plus server | VADP proxy host | Provides access for troubleshooting and maintenance tasks on VADP proxy hosts by using the SSH protocol. |
| 22 | TCP | IBM Storage Protect Plus server | Agents that use the NFS client | Provides access to troubleshoot and maintain remote proxy host servers that are running guest application components by using the SSH protocol. |
| 22 | TCP | Hypervisors | vSnap server | Provides access for troubleshooting and maintenance tasks on vSnap servers by using SSH protocol. |
| 22 | TCP | Agents that use the NFS client | vSnap server | Provides access for troubleshooting and maintenance tasks on vSnap servers by using SSH protocol. |
| 22 | TCP | Agents that use the iSCSI client | vSnap server | Used for iSCSI data transfer over SSH tunnel to and from LUNs mounted from vSnap servers during backup and restore operations when transport encryption is enabled. |
| 25 | TCP | IBM Storage Protect Plus server | Email server that can be accessed by using the Simple Mail Transfer Protocol (SMTP) | Provides access to an email service. |
| 111 | TCP and UDP | Hypervisor: VMware ESXi host | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations. |
| 111 | TCP and UDP | VADP proxy host | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations. |
| 111 | TCP and UDP | Agents that use the NFS client | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations. |
| 111 | TCP and UDP | VADP proxy host | Open Snap Store Manager (OSSM) | Used for NFS data transfer to and from file systems mounted from OSSM storage server during backup and restore operations. |
| 389 | TCP | IBM Storage Protect Plus server | Lightweight Directory Access Protocol (LDAP) server | Provides access to Active Directory Services. |
| 443 | TCP | IBM Storage Protect Plus user interface | IBM Storage Protect Plus server | Provides web access by using the Hypertext Transfer Protocol Secure (HTTPS) protocol. This port is the main entry point for client connections that use the Transport Layer Security (TLS) protocol. This port is also used for Representational State Transfer application programming interface (REST API) queries. |
| 443 | TCP | IBM Storage Protect Plus server | Hypervisor: VMware Elastic Sky X Integrated (ESXi) host and vCenter | Provides access to ESXi and vCenter for managing operations. |
| 443 | TCP | IBM Storage Protect Plus server | Hypervisor: Amazon EC2 | Provides access to Amazon Web Services (AWS) for managing operations. |
| 443 | TCP | VADP proxy host | Hypervisor: VMware ESXi host and vCenter | Provides access to ESXi and vCenter for managing operations. |
| 443 | TCP | VADP proxy host | IBM Storage Protect Plus server | Provides web access by using the HTTPS protocol. This port is the main entry point for client connections that use the TLS protocol. This port is also used for REST API queries. |
| 443 | TCP | All agents (See Note) | IBM Storage Protect Plus server | Port that allows the agents to communicate with IBM Storage Protect Plus for making representational state transfer application programming interface (REST API) calls to run backup, restore, inventory, and other operations. Note: IBM Db2 agent does not require port 443 to the REST API in the IBM Storage Protect Plus server. |
| 443 | TCP | vSnap server | Cloud server endpoints | Allows the vSnap server to communicate with Amazon Simple Storage Service (S3), Microsoft Azure, or IBM Cloud Object Storage endpoints. |
| 443 | TCP | Windows VMs selected for file indexing and restore | IBM Storage Protect Plus server | Port that allows the agents to communicate with IBM Storage Protect Plus for making representational state transfer application programming interface (REST API) calls to upload file indexing and restore results. |
| 445 | TCP | VADP proxy host | vSnap server | Used for SMB or CIFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations when transport encryption is enabled. |
| 445 | TCP | Application agents that use the SMB or the CIFS protocol | vSnap server | Used for SMB or CIFS file sharing by the vSnap server during backup and restore operations. |
| 445 | TCP | Application agents that use the SMB or the CIFS protocol | vSnap server | Used for SMB or CIFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations when transport encryption is enabled. |
| 636 | TCP | IBM Storage Protect Plus server | LDAP server | Provides access to Active Directory Services by using the Transport Layer Security (TLS) protocol. |
| 902 | TCP | IBM Storage Protect Plus server | Hypervisor: VMware ESXi host | Used for the Network File Copy (NFC) protocol, which provides a file-type-aware File Transfer Protocol (FTP) service for vSphere components. By default, ESXi uses NFC for operations such as copying and moving data between data stores. |
| 902 | TCP | VADP proxy host | Hypervisor: VMware ESXi host | Used for the Network File Copy (NFC) protocol, which provides a file-type-aware File Transfer Protocol (FTP) service for vSphere components. By default, ESXi uses NFC for operations such as copying and moving data between data stores. |
| 2049 | TCP and UDP | Hypervisor: VMware ESXi host | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations. |
| 2049 | TCP and UDP | VADP proxy host | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations. |
| 2049 | TCP and UDP | Agents that use the NFS client | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations. |
| 2049 | TCP and UDP | VADP proxy host | Open Snap Store Manager (OSSM) | Used for NFS data transfer to and from file systems mounted from OSSM storage server during backup and restore operations. |
| 3260 | TCP | Hypervisor: Microsoft Hyper-V | vSnap server | Used for Microsoft Internet Small Computer System Interface (iSCSI) data transfer to and from logical unit numbers (LUNs) mounted from vSnap servers during backup and restore operations. |
| 3260 | TCP | Agents that use the iSCSI client | vSnap server | Used for iSCSI data transfer to and from LUNs mounted from vSnap servers during backup and restore operations. |
| 3337 | TCP | Open Snap Store Manager (OSSM) | VADP proxy host | Enables communications between the OSSM control agent and the VADP proxy by using the Transport Layer Security protocol (TLS). |
| 5985 | TCP | IBM Storage Protect Plus server | Hypervisor: Hyper-V | Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers. |
| 5985 | TCP | IBM Storage Protect Plus server | Agents that are running on Windows application servers | Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers. |
| 5985 | TCP | IBM Storage Protect Plus server | Windows VMs selected for file indexing and restore | Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers. |
| 5986 | TCP | IBM Storage Protect Plus server | Hypervisor: Hyper-V | Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers. |
| 5986 | TCP | IBM Storage Protect Plus server | Agents that are running on Windows application servers | Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers. |
| 5986 | TCP | IBM Storage Protect Plus server | Windows VMs selected for file indexing and restore | Provides access to the Microsoft Windows Remote Management (WinRM) service for Windows-based servers. |
| 8090 | TCP | IBM Storage Protect Plus administrative console | IBM Storage Protect Plus server | Provides access for system administration. This extensible framework supports plug-ins that run operations such as system and network updates. |
| 8098 | TCP | IBM Storage Protect Plus server | VADP proxy host | Supports REST API communications between the IBM Storage Protect Plus server and the VADP proxy by using the Transport Layer Security (TLS) protocol. |
| 8900 | TCP | IBM Storage Protect Plus server | vSnap server | Supports REST API communications between the IBM Storage Protect Plus server and the vSnap server by using the TLS protocol. |
| 8900 | TCP | vSnap server | vSnap server | Supports REST API communications between two vSnap servers during replication by using the TLS protocol. |
| 9000 | TCP | vSnap server | Repository server endpoints | Allows the vSnap server to communicate with IBM Storage Protect (repository server) endpoints. |
| 20048 | TCP and UDP | Hypervisor: VMware ESXi host | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations. |
| 20048 | TCP and UDP | VADP proxy host | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations. |
| 20048 | TCP and UDP | Agents that use the NFS client | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations. |
| 20048 | TCP and UDP | VADP proxy host | Open Snap Store Manager (OSSM) | Used for NFS data transfer to and from file systems mounted from OSSM storage server during backup and restore operations. |
| 30000 - 32767 | TCP | Kubernetes plug-in | IBM Storage Protect Plus server | Provides access to the built-in Kubernetes (K8s) Kube proxy in support of EC2. Note: Not every port in this range is used at the same time. Rather, a small subset of ephemeral ports is opened as required by NodePort services. |

Important security information: Process requests to vSnap data ports (NFS, SMB, and iSCSI) only when the request comes from a node in the internal network. Requests that come from external (nonprivate) network nodes must be blocked. To ensure that proper security practices are followed, work with your network security administrator.
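
The rule in the preceding security note can be checked against a list of firewall allow rules. The following is an added example, not IBM code: the rule-list format, the sample rules, and the internal CIDR ranges are constructed for illustration, and only the port numbers are taken from the communication ports table on this page.

```python
import ipaddress

# vSnap data ports (NFS, SMB/CIFS, iSCSI) as listed in Table 4 on this page.
VSNAP_DATA_PORTS = {
    ("tcp", 111): "NFS", ("udp", 111): "NFS",
    ("tcp", 2049): "NFS", ("udp", 2049): "NFS",
    ("tcp", 20048): "NFS", ("udp", 20048): "NFS",
    ("tcp", 445): "SMB/CIFS",
    ("tcp", 3260): "iSCSI",
}

# Constructed sample of allow rules for a vSnap host, one rule per line in a
# hypothetical "source protocol port[-port]" format (not a real tool's output).
SAMPLE_RULES = """\
10.20.0.0/16   tcp  2049
10.20.0.0/16   udp  111
192.168.5.0/24 tcp  445
0.0.0.0/0      tcp  3260
any            tcp  20048
10.0.0.0/7     tcp  2049
203.0.113.0/24 tcp  443
10.20.30.0/24  tcp  2000-2100
198.51.100.7   udp  20000-20100
"""

# Assumption: the networks that the site treats as internal.
INTERNAL_CIDRS = ["10.20.0.0/16", "192.168.5.0/24"]


def parse_rule(line):
    """Return (network or None for 'any', protocol, low port, high port)."""
    source, proto, ports = line.split()
    net = None if source == "any" else ipaddress.ip_network(source, strict=False)
    low, _, high = ports.partition("-")
    return net, proto.lower(), int(low), int(high or low)


def is_internal(net, internal):
    """True only if the whole source range lies inside one internal network."""
    return any(net.version == i.version and net.subnet_of(i) for i in internal)


def audit(rules_text, internal_cidrs):
    """List allow rules that open a vSnap data port to a non-internal source.

    Each finding is (line number, source, protocol, [services exposed]).
    """
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net, proto, low, high = parse_rule(line)
        # A port range counts if it covers any data port for this protocol.
        exposed = sorted({svc for (p, port), svc in VSNAP_DATA_PORTS.items()
                          if p == proto and low <= port <= high})
        if not exposed:
            continue  # rule does not touch NFS, SMB/CIFS, or iSCSI
        # A source that is 'any', external, or only partly internal is flagged.
        if net is None or not is_internal(net, internal):
            source = "any" if net is None else str(net)
            findings.append((lineno, source, proto, exposed))
    return findings


if __name__ == "__main__":
    for lineno, source, proto, services in audit(SAMPLE_RULES, INTERNAL_CIDRS):
        print(f"rule {lineno}: {source} -> {proto} {'/'.join(services)} "
              "is reachable from outside the internal network")
```

A source range that only partly overlaps an internal network, such as 10.0.0.0/7 in the sample, is reported because part of it lies outside the approved ranges.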
 

Component details:

  1. IBM Storage Protect Plus contains several base components, see Product components.
  2. The following hypervisors and agents use an iSCSI initiator:
    • Hypervisor: Microsoft Hyper-V
    • Agents: Microsoft SQL Server, Microsoft Exchange
      Note: When transport encryption is enabled, these agents use iSCSI through a Secure Shell (SSH) tunnel for backup and restore operations. When transport encryption is not enabled, iSCSI is used without the additional SSH tunnel.
  3. The following hypervisors and agents use an NFS client:
    • Hypervisor: VMware
      Note: When transport encryption is not enabled, NFS is used for all VMware backup and restore operations. When transport encryption is enabled, NFS is used only for VMware restores in Test or Clone mode.
    • Agents: Oracle server, IBM Db2, MongoDB, SAP HANA.
      Note: When transport encryption is not enabled, NFS is used for backup and restore operations by these agents. When transport encryption is enabled, NFS is not used.
      Note: For SAP HANA, log backup operations use NFS regardless of whether transport encryption is enabled.
    • Agents: Microsoft 365
  4. The following hypervisors and agents use a Server Message Block (SMB) or Common Internet File System (CIFS) protocol client:
    • Microsoft SQL Server (only for transaction log backup and restore operations)
    • Microsoft Exchange (only for transaction log backup and restore operations)
    • Windows file systems. 
    • Hypervisor: VMware
      Note: When transport encryption is enabled, SMB or CIFS is used for VMware backup and production mode restore operations. When transport encryption is not enabled, SMB or CIFS is not used for any VMware operations.
    • Agents: Oracle server, IBM Db2, MongoDB, SAP HANA
      Note: When transport encryption is enabled, SMB or CIFS is used for backup and restore operations by these agents. When transport encryption is not enabled, SMB or CIFS is not used for any of these agent operations.
      Note: For SAP HANA, log backup operations do not use SMB or CIFS regardless of whether transport encryption is enabled.

Notes:

  • VADP proxies can be pushed and installed to Linux-based servers over SSH port 22.
  • Port 8098 on the VADP proxy server must be open when the proxy server firewall is enabled.
  • If the firewall command script is not available on your system, edit the firewall manually to open or close the necessary ports, and restart the firewall. For instructions about editing firewall ports, see Editing firewall ports.


Port updates:

  • Ports 111, 2029, and 20048: In earlier versions, these ports were used for catalog backup operations to vSnap server by using the Network File System (NFS) client. Beginning with IBM Spectrum Protect Plus 10.1.7, the IBM Spectrum Protect Plus server uses Rsync over the Secure Shell protocol (SSH) to back up catalogs to vSnap servers. For that reason, ports 111, 2029, and 20048 are no longer required.
  • Ports 137, 138, and 139: In earlier versions, ports 137, 138, and 139 on the vSnap server were used by application agents that use SMBv1. Beginning with IBM Spectrum Protect Plus 10.1.6, the SMBv1 protocol is not used. All agents use SMBv2 or later, which does not require ports 137, 138, or 139.
  • Port 443: For IBM Spectrum Protect Plus 10.1.9, 10.1.9.1, and 10.1.9.2, this port is not used. The IBM Spectrum Protect Plus server initiates the communication with the VADP proxy over port 8098 instead. For IBM Spectrum Protect Plus 10.1.9.3 and later, this port is used by VADP proxies to communicate with the IBM Spectrum Protect Plus server when the VADP proxy initiates the communication between the proxy and server. See APAR IT39830.
  • Port 3260: In earlier versions, this port was used for Internet Small Computer System Interface (iSCSI) data transfer by the vSnap server. Beginning with IBM Spectrum Protect Plus 10.1.7, the IBM Spectrum Protect Plus server does not include an onboard vSnap server. For that reason, the port is no longer required.
  • Port 9090: In earlier versions, this port was used for online help. Starting with 10.1.4, this port is no longer required for online help. No further action is required.
  • Port 8761: In earlier versions, this port was used to automatically discover VADP proxies and for IBM Spectrum Protect Plus VM backup operations. Beginning with IBM Spectrum Protect Plus 10.1.6, the VADP proxy architecture is modified and port 8761 is no longer required to be open. When IBM Spectrum Protect Plus is updated to 10.1.6 or later, the associated VADP proxies in the environment are also upgraded.
  • Ports 111, 2049, 3337, and 20048: These ports must be opened on the firewall when the VADP proxy is connected to an Open Snap Store Manager (OSSM) storage server.
    • If a firewall service other than firewalld is running, you must manually open all the ports.
    • If the firewall service is not running, then opening of ports is not required.
  • Port 5671: In earlier versions, this port was used for internal and external message and log management. Beginning with IBM Spectrum Protect Plus 10.1.7, the VADP proxy architecture is modified and port 5671 is no longer required to be open.
    Note: If you upgrade to IBM Spectrum Protect Plus 10.1.7 from a previous version, you can close TCP port 5671 since it is no longer used in 10.1.7 and later. Log in to IBM Spectrum Protect Plus as the server admin user and issue the following commands to close the port:
    $ sudo firewall-cmd --zone=public --permanent --remove-port=5671/tcp
    $ sudo firewall-cmd --reload
  • Ports 22 and 445: Beginning with IBM Spectrum Protect Plus 10.1.13, these ports on the target vSnap server are used when transport encryption is enabled.
  • Ports 80 and 443: Beginning with IBM Spectrum Protect Plus 10.1.13, these ports are not required. In earlier versions:
    • Ports 80 and 443 were used by the container backup support agent to communicate with Amazon Simple Storage Service (S3), Microsoft Azure, or IBM Cloud Object Storage endpoints.
    • Port 443 was also used by IBM Spectrum Protect Plus to connect to the data mover container to run agents and for REST API connections to the Container backup support agent.


 

 

Connectivity requirements

Ensure that the following connectivity requirements are met:

  • The Secure File Transfer protocol (SFTP) subsystem for Secure Shell (SSH) is enabled on the IBM Storage Protect Plus server, VADP proxies, and vSnap servers.
  • The Secure Shell (SSH) service is running on port 22 on the IBM Storage Protect Plus server, VADP proxies, and vSnap servers.
  • The SSH host key must be one of the following algorithms: ssh-dsa, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521.
  • Firewalls are configured to allow IBM Storage Protect Plus components to connect with each other by using SSH.
  • When transport encryption is not enabled, VADP proxy servers use the Network File System (NFS) to mount storage volumes for backup and restore operations. On Linux, ensure that the Linux NFS client is installed.
  • When transport encryption is enabled, VADP proxy servers use the Server Message Block (SMB) or Common Internet File System (CIFS) protocol to mount storage volumes for backup and restore operations. On Linux, ensure that the Linux SMB client is installed.
  • All servers, proxies, applications, and hypervisors that are added to the IBM Storage Protect Plus environment can be registered by using a Domain Name System (DNS) name or Internet Protocol (IP) address.
  • If DNS names are used, they must be resolvable over the network by the IBM Storage Protect Plus server and from the vSnap server. All IBM Storage Protect Plus components must also be resolvable by their DNS names.
  • If DNS is not available, you must add the server to the /etc/hosts file on the IBM Storage Protect Plus server by using the command line.
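A pre-registration check for the host key requirement above, as an added example that is not IBM code: it reads host key lines in the format printed by ssh-keyscan and lists every host that offers no key of a supported type, for example a host that has only an Ed25519 key. The host names and key bodies are constructed, and adding "ssh-dss" (the name OpenSSH prints for DSA keys) next to the page's "ssh-dsa" is an assumption.

```shell
#!/bin/sh
# Host key types listed on this page. "ssh-dss" is added because that is the
# name OpenSSH prints for DSA keys (assumed to be what "ssh-dsa" refers to).
SUPPORTED_HOSTKEY_TYPES="ssh-dsa ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"

# Reads "host keytype base64key" lines on stdin and prints
# "<host> <offered,types>" for each host with no supported key type.
hosts_without_supported_key() {
    awk -v types="$SUPPORTED_HOSTKEY_TYPES" '
    BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    /^#/ || NF < 3 { next }                    # skip comments and short lines
    {
        if (!($1 in seen)) { seen[$1] = 1; order[++hosts] = $1 }
        offered[$1] = (offered[$1] == "" ? "" : offered[$1] ",") $2
        if ($2 in ok) good[$1] = 1
    }
    END {
        for (i = 1; i <= hosts; i++) {
            h = order[i]
            if (!(h in good)) print h, offered[h]
        }
    }'
}

# Constructed sample in ssh-keyscan output format; key bodies are placeholders.
sample_keyscan() {
    cat <<'EOF'
# constructed sample, not real keys
vsnap01.example.internal ssh-rsa AAAAB3NzaC1yc2E_placeholder
vsnap01.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_placeholder
proxy01.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_placeholder
spp01.example.internal ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTI_placeholder
EOF
}

sample_keyscan | hosts_without_supported_key
```

Against real hosts, feed it the output of `ssh-keyscan -t rsa,ecdsa,ed25519 <host>`; a host that appears in the result needs an RSA or ECDSA host key before it is registered.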



 

Repository server storage requirements

If you plan to use IBM Storage Protect as a repository server for copying data to cloud storage, ensure that you are using IBM Storage Protect 8.1.19.



 

Cloud storage requirements

If your primary backup storage is a vSnap server, you can copy snapshots from the primary backup storage to secondary storage for longer-term data protection. Secondary storage is not available for container data that is backed up to cloud storage. For more information, see Copying snapshots to secondary backup storage.


 

Disk cache area 

Cloud storage for copy and archive operations only: For all functions related to data copy and restore operations to and from cloud targets, the vSnap server requires a disk cache area to be present on the vSnap server:

  • During copy operations, this cache is used as a temporary staging area for objects that are pending upload to the cloud endpoint.
  • During restore operations, the disk cache area is used to cache downloaded objects and to store any temporary data that might be written into the restore volume.

For instructions about sizing and installing the cache, see the IBM Storage Protect Plus Blueprints.
 


 

Multipath 

Cloud storage for copy and archive operations only: During copy operations to object storage, IBM Storage Protect Plus attaches and detaches virtual cloud devices on vSnap servers. If a multipath configuration is enabled on the vSnap server by using dm-multipath, the configuration can interfere with the copy operation. To avoid this interference, modify the multipath configuration file and specify a rule to exclude devices whose vendor matches "LIO-ORG". For instructions and examples, go to the Red Hat Customer Portal and see the DM Multipath documentation.
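The exclusion rule described above, as an added example that is not IBM code: the heredoc holds a constructed multipath.conf fragment with a blacklist stanza for the "LIO-ORG" vendor, written in standard DM Multipath syntax, and the function checks whether a configuration file contains such a stanza. The check assumes one directive per line and a literal vendor string rather than a regular expression.

```shell
#!/bin/sh
# Constructed multipath.conf fragment: the blacklist stanza excludes every
# device whose vendor is LIO-ORG from multipath handling.
sample_multipath_conf() {
    cat <<'EOF'
defaults {
    user_friendly_names yes
}
blacklist {
    device {
        vendor "LIO-ORG"
        product ".*"
    }
}
EOF
}

# Exit 0 if stdin has a blacklist > device stanza with vendor LIO-ORG.
# A match inside blacklist_exceptions does not count.
has_lio_blacklist() {
    awk '
    { sub(/#.*/, "") }                                   # drop comments
    /^[ \t]*blacklist[ \t]*[{]/        { in_bl = 1; next }
    in_bl && /^[ \t]*device[ \t]*[{]/  { in_dev = 1; next }
    in_dev && /^[ \t]*vendor[ \t]+"?LIO-ORG"?[ \t]*$/ { found = 1 }
    /[}]/ {
        if (in_dev)
            in_dev = 0                                   # closes device
        else
            in_bl = 0                                    # closes the section
    }
    END { exit !found }'
}

if sample_multipath_conf | has_lio_blacklist; then
    echo "LIO-ORG devices are excluded from multipath"
fi
```

To check a vSnap server, run `has_lio_blacklist < /etc/multipath.conf` and test the exit status.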


 

Certificates

  • Self-signed certificates 
    If the cloud endpoint or repository server uses a self-signed certificate, you must specify the certificate in Privacy Enhanced Mail (PEM) format when you register the cloud or repository server in the IBM Storage Protect Plus user interface.
     
  • Certificates signed by a private certificate authority 
    If the cloud endpoint or repository server uses a certificate signed by a private certificate authority (CA), the endpoint certificate must be specified (in PEM format) when you register the cloud or repository server in the IBM Storage Protect Plus user interface.

    Cloud storage for copy and archive operations only: In addition, you must add the root or intermediate certificate of the private CA to the system certificate store in each vSnap server by using the following procedure:
    1. Log in to the vSnap server console as the serveradmin user and upload any private CA certificates (in PEM format) to a temporary location.
    2. Copy each certificate file to the system certificate store directory (/etc/pki/ca-trust/source/anchors/) by running the following command:
        $ sudo cp /tmp/private-ca-cert.pem /etc/pki/ca-trust/source/anchors/
    3. To incorporate the newly added custom certificate and update the system certificate bundle, run the following command:
        $ sudo update-ca-trust

  • Certificates signed by public certificate authority 
    If the cloud endpoint uses a public CA-signed certificate, no special action is required. The vSnap server validates the certificate by using the default system certificate store.
     
  • Wildcard certificates
    If the cloud endpoint uses a wildcard certificate, the wildcard applies only to one subdomain level of the domain name. For example, if the certificate is for *.example.com, the certificate matches the hostname level1.example.com but not level1.level2.example.com. If the bucket name contains periods (for example, "my.bucket") and it is part of the hostname used for registering the cloud endpoint in IBM Storage Protect Plus (for example, "my.bucket.example.com"), certificate validation can fail. In such cases, ensure that the bucket name does not contain periods.
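The wildcard rule above as an added example, not IBM code: the first function applies single-label wildcard matching, and the second forms the endpoint hostname from a bucket name and a domain to show why "my.bucket" fails validation against *.example.com. The function names are hypothetical.

```shell
#!/bin/sh
# cert_name_matches NAME HOST: exit 0 if certificate name NAME covers HOST.
# A leading "*." stands for exactly one non-empty label; names compare
# case-insensitively.
cert_name_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        '*.'*)
            suffix=${name#?}                  # "*.example.com" -> ".example.com"
            case $host in
                *"$suffix") label=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            case $label in
                ''|*.*) return 1 ;;           # empty, or spans more than one label
            esac
            return 0 ;;
        *)
            [ "$name" = "$host" ] ;;
    esac
}

# endpoint_check CERT_NAME BUCKET DOMAIN: builds BUCKET.DOMAIN and reports
# whether CERT_NAME covers that hostname.
endpoint_check() {
    ep_host="$2.$3"
    if cert_name_matches "$1" "$ep_host"; then
        echo "$ep_host: covered by $1"
    else
        echo "$ep_host: NOT covered by $1"
    fi
}

endpoint_check '*.example.com' 'my-bucket' 'example.com'
endpoint_check '*.example.com' 'my.bucket' 'example.com'
```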


 

Network

The following ports are used for communication between the vSnap servers and cloud or repository server endpoints.

Table 5. Communication ports when the target is a cloud server or repository server endpoint
Port | Protocol | Initiator | Target | Description
443 | TCP | vSnap server | Cloud server endpoints | Allows the vSnap server to communicate with Amazon Simple Storage Service (S3), Microsoft Azure, or IBM Cloud Object Storage endpoints.
9000 | TCP | vSnap server | Repository server endpoints | Allows the vSnap server to communicate with IBM Storage Protect (repository server) endpoints.

Any firewalls or network proxies that inspect TLS or conduct a deep packet inspection of traffic between the vSnap servers and cloud endpoints might interfere with TLS certificate validation on vSnap servers. This interference can also cause cloud copy job failures. To prevent this interference, the vSnap servers must be exempted from TLS interception and inspection in the firewall or proxy configuration.


 

Cloud provider

  • Amazon S3 cloud requirements
    • Standard object storage: When the cloud provider is registered in IBM Storage Protect Plus, an existing bucket must be specified.
    • Archive object storage: When the cloud provider is registered in IBM Storage Protect Plus, an existing bucket must be specified. IBM Storage Protect Plus directly uploads data files to the Glacier tier. Some small metadata files are stored in the default tier for the bucket. A copy of these metadata files is also placed into the Glacier tier for disaster recovery purposes.
    • Backup object storage: When the cloud provider is registered in IBM Storage Protect Plus, an existing bucket must be specified.
  • IBM Cloud Object Storage requirements
    • Standard object storage: When the cloud provider is registered in IBM Storage Protect Plus, an existing vault must be specified. The vault must have the Name Index setting enabled. If a retention policy (that is, the immutable option) is enabled for the specified vault, IBM Storage Protect Plus automatically detects the retention period and configures the SLA retention to match the vault setting.
    • Archive object storage: When the cloud provider is registered in IBM Storage Protect Plus, an existing vault must be specified. The vault must have the Name Index setting enabled. If a retention policy (that is, the immutable option) is enabled for the specified vault, IBM Storage Protect Plus automatically detects the retention period and configures the SLA retention to match the vault setting. IBM Storage Protect Plus creates a single lifecycle management rule on the vault to migrate data objects to the archive tier.
      Note: IBM Storage Protect Plus supports archiving to IBM Cloud Object Storage in IBM Cloud only. Archiving to on-premises versions of IBM Cloud Object Storage is not supported.
    • Backup object storage: When the cloud provider is registered in IBM Storage Protect Plus, an existing vault must be specified. A retention policy (that is, the immutable option) must not be enabled for the vault. Retention-enabled vaults are not supported for use as backup object storage.
  • Microsoft Azure requirements
    • Standard object storage: When the cloud provider is registered in IBM Storage Protect Plus, an existing container in a hot or cool storage account must be specified.
    • Archive object storage: When the cloud provider is registered in IBM Storage Protect Plus, an existing container in a hot or cool storage account must be specified. IBM Storage Protect Plus moves files between tiers on demand. Data files are immediately moved to the archive tier and temporarily returned to the hot tier only during restore operations. Some small metadata files are stored in the default tier for the container. A copy of these metadata files is also placed in the archive tier for disaster recovery purposes.
    • Backup object storage: When the cloud provider is registered in IBM Storage Protect Plus, an existing container in a hot or cool storage account must be specified.
  • IBM Storage Protect (repository server) requirements
    • Standard object storage: When the cloud provider is registered in IBM Storage Protect Plus, you cannot use an existing bucket. IBM Storage Protect Plus creates a uniquely named bucket for its own use.
    • Archive object storage: When the cloud provider is registered in IBM Storage Protect Plus, you cannot use an existing bucket. IBM Storage Protect Plus creates a uniquely named bucket for its own use. IBM Storage Protect Plus directly uploads data files to IBM Storage Protect tape storage. Some small metadata files are stored in IBM Storage Protect object storage. A copy of these metadata files is also placed on IBM Storage Protect tape storage for disaster recovery purposes.

Table 6. Copy and archive copy requirements for cloud providers
Operation | Provider | Requirements
Copy | Amazon S3 | An existing bucket must be specified from one of the supported storage tiers.
Copy | IBM Cloud Object Storage | An existing bucket must be specified. The bucket must have the Name Index setting enabled.
Copy | Microsoft Azure | An existing container must be specified from a hot or cool storage tier.
Copy | IBM Storage Protect | IBM Storage Protect Plus creates its own unique bucket.
Archive copy | Amazon S3 | An existing bucket must be specified from one of the supported storage tiers.
Archive copy | IBM Cloud Object Storage | An existing bucket must be specified from the archive tier. The bucket must have the Name Index setting enabled.
Archive copy | Microsoft Azure | An existing container must be specified from the hot storage tier and archive tier.
Archive copy | IBM Storage Protect | IBM Storage Protect Plus creates its own unique bucket to be copied to IBM Storage Protect tape storage.
Backup | Amazon S3 | An existing bucket must be specified from one of the supported storage tiers.
Backup | IBM Cloud Object Storage | An existing bucket must be specified.
Backup | Microsoft Azure | An existing container must be specified from a hot or cool storage tier.




 


Product Synonym

IBM Spectrum Protect Plus;

Document Information

Modified date:
13 June 2023

UID

ibm16991799