Preventive Service Planning
Abstract
This document details the system requirements for installing IBM Spectrum Protect™ Plus Version 10.1.4.
Content
This document is divided into linked sections for ease of navigation. Use the links below to jump to the section of the document that you require.
- General
- Virtual machine installation
- Browser support
- IBM Spectrum Protect requirements
- IBM Spectrum Protect Plus ports
- vSnap server requirements
- VADP proxy requirements
- VADP proxy on vSnap server requirements
- Cloud offload requirements
General
Ensure that you have the required system configuration and browser to deploy and run IBM Spectrum Protect™ Plus.
IBM Spectrum Protect Plus support for third-party platforms, applications, services, and hardware is dependent on the third-party vendors. When a third-party vendor product or version enters extended support, self-serve support, or end-of-life, IBM Spectrum Protect Plus will support the product or version at the same level.
Virtual machine installation
IBM Spectrum Protect Plus is installed as a virtual appliance. Before you deploy IBM Spectrum Protect Plus to the host, ensure that one of the following requirements is in place:
- vSphere 5.5, 6.0, 6.5, or 6.7
- Microsoft Hyper-V 2016 or Microsoft Hyper-V 2019
For initial deployment, configure your virtual appliance to meet the following minimum requirements:
- 64-bit 8-core machine
- 48 GB memory
- 536 GB disk storage for virtual machine
Use an NTP server to synchronize the time zones across IBM Spectrum Protect Plus resources in your environment, such as the IBM Spectrum Protect Plus appliance, storage arrays, hypervisors and application servers. If the clocks on the various systems are significantly out of sync, you might experience errors during application registration, metadata cataloging, inventory, backup, or restore/file restore jobs. For more information about identifying and resolving timer drift, see the following VMware knowledge base article: Time in virtual machine drifts due to hardware timer drift
Browser support
Run IBM Spectrum Protect Plus from a computer that has access to the installed virtual appliance.
IBM Spectrum Protect Plus was tested and certified against the following web browsers.
- Firefox 55.0.3 and later
- Google Chrome 60.0.3112 and later
- Microsoft Edge 40.15063/Microsoft EdgeHTML 15.15063 and later
If your screen resolution is lower than 1024 x 768, some items might not fit in the window. Pop-up windows must be enabled in your browser to access the help system and some IBM Spectrum Protect Plus operations.
IBM Spectrum Protect requirements
If you plan to use IBM Spectrum Protect as a repository server for cloud offload operations, ensure that you are using IBM Spectrum Protect Version 8.1.8.
IBM Spectrum Protect Plus ports
The following ports are used by IBM Spectrum Protect Plus and associated services. Ports that are indicated with "Accept" in the Firewall Rule column use secure connections (HTTPS or SSL).
Note: In IBM Spectrum Protect Plus v10.1.3, port 9090 was used for online help. Starting with v10.1.4, this port is no longer required for online help. No further action is required.
IBM Spectrum Protect Plus
Port | Protocol | Firewall Rule | Service | Description |
---|---|---|---|---|
22 | TCP | Accept | OpenSSH 5.3 (protocol 2.0) | Used for troubleshooting IBM Spectrum Protect Plus |
443 | TCP | Accept | A microservice running a reverse-proxy | Main entry point for the client connections (SSL). Note: This port is also used for REST API queries. |
5671 | TCP, AMQP | Accept | RabbitMQ | Message framework used to manage messages produced and consumed by the VADP proxy and VMware job management workers. Also facilitates job log management. |
8090 | TCP | Accept | Administrative Console Framework (ACF) | Extensible framework for system administration functions. Supports plugins that run operations such as system updates and catalog backup or restore operations |
8761 | TCP | Accept | Discovery Server | Automatically discovers VADP proxies and is used by IBM Spectrum Protect Plus VM backup operations |

Onboard vSnap server
Port | Protocol | Firewall Rule | Service | Description |
---|---|---|---|---|
111 | TCP | Accept | RPC Port Bind | Allows clients to discover ports that Open Network Computing (ONC) clients require to communicate with ONC servers (internal) |
2049 | TCP | Accept | NFS | Used for NFS data transfer to and from vSnap (internal) |
3260 | TCP | Accept | iSCSI | Used for iSCSI data transfer to and from vSnap (internal) |
20048 | TCP | Accept | NFS | Used for NFS data transfer to and from vSnap (internal) |

Port | Protocol | Service | Description |
---|---|---|---|
22 | TCP | OpenSSH 5.3 (protocol 2.0) | Used for SSH communications to remote servers running guest applications components |
25 | TCP | SMTP | Email service |
389 | TCP | LDAP | Active directory services |
443 | TCP | VMware ESXi Host | ESXi host port for managing operations |
443 | TCP | VMware vCenter | Client connections to vCenter |
636 | TCP | LDAP | Active directory services (SSL) |
902 | TCP | VMware NFC service | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. By default, ESXi uses NFC for operations such as copying and moving data between datastores |
5985 | TCP | Windows Remote Management (WinRM) | Hyper-V and guest applications client connections |
8098 | TCP | VADP Proxy | Virtual machine data protection proxy |
8900 | TCP | vSnap | OVA/Installer version of the intelligent storage framework used as a target for data protection operations |
vSnap server requirements
A vSnap server is the primary backup destination for IBM Spectrum Protect Plus. In either a VMware or Hyper-V environment, one vSnap server with the name localhost is automatically installed at the time that the IBM Spectrum Protect Plus appliance is initially deployed. In larger backup enterprise environments, additional vSnap servers might be required.
Allocate memory based on backup capacity for more efficient deduplication. For more information and sizing guidance, see the IBM Spectrum Protect Plus Blueprints
For initial deployment, ensure that your virtual machine or physical Linux machine meets the following minimum requirements:
- 64-bit 8-core machine
- 32 GB memory
- 16 GB free space on the root file system
- 128 GB free space in a separate file system mounted at /opt/vsnap-data
The Linux Network Management service must be installed and running.
Optionally, an SSD improves backup and restore performance.
- To improve backup performance, configure the pool to use one or more log devices backed by SSD. Specify at least two log devices to create a mirrored log for better redundancy.
- To improve restore performance, configure the pool to use a cache device backed by SSD.
vSnap server virtual machine installation requirements
Before deploying the vSnap server to the host, ensure that one of the following requirements is in place:
- vSphere 5.5, 6.0, 6.5, or 6.7
- Microsoft Hyper-V 2016 or Microsoft Hyper-V 2019
vSnap server physical installation requirements
Beginning with V10.1.3, IBM Spectrum Protect Plus provides new functionality that requires the kernel levels supported in RHEL 7.5 and CentOS 7.5. If you must use operating systems earlier than RHEL 7.5 and CentOS 7.5, use IBM Spectrum Protect Plus V10.1.2 for physical vSnap V10.1.2 installations.
The following Linux operating systems are supported for IBM® Spectrum Protect Plus V10.1.4 physical vSnap server installations:
- CentOS 7.1804 (7.5) (x86_64)
- CentOS 7.1810 (7.6) (x86_64)
- Red Hat Enterprise Linux 7.5 (x86_64)
- Red Hat Enterprise Linux 7.6 (x86_64)
If you are using the following operating systems, use IBM Spectrum Protect Plus V10.1.2 for physical vSnap server V10.1.2 installations:
- CentOS Linux 7.3.1611 (x86_64)
- CentOS Linux 7.4.1708 (x86_64)
- Red Hat Enterprise Linux 7.3 (x86_64)
- Red Hat Enterprise Linux 7.4 (x86_64)
vSnap server ports
The following ports are used by vSnap servers. Ports that are indicated with "Accept" in the Firewall Rule column use secure connections (HTTPS or SSL).
Port | Protocol | Firewall Rule | Service | Description |
---|---|---|---|---|
22 | TCP | Accept | SSH | Used for troubleshooting vSnap servers |
111 | TCP | Accept | RPC Port Bind | Allows clients to discover ports that ONC clients require to communicate with ONC servers (internal) |
137 | UDP | Accept | SMB/CIFS | Used for SMB or CIFS data transfer to and from vSnap servers (internal) |
138 | UDP | Accept | SMB/CIFS | Used for SMB or CIFS data transfer to and from vSnap servers (internal) |
139 | TCP | Accept | SMB/CIFS | Used for SMB or CIFS data transfer to and from vSnap servers (internal) |
445 | TCP | Accept | SMB/CIFS | Used for SMB or CIFS data transfer to and from vSnap servers (internal) |
2049 | TCP | Accept | NFS | Used for NFS data transfer to and from vSnap servers (internal) |
3260 | TCP | Accept | iSCSI | Used for iSCSI data transfer to and from vSnap servers (internal) |
8900 | TCP | Accept | HTTPS | vSnap server REST APIs |
20048 | TCP | Accept | NFS | Used for NFS data transfer to and from vSnap servers (internal) |
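
One way to compare a vSnap server's listening sockets with the port table above, as an added example that is not IBM code. The function name `audit_listeners` and the sample `ss` output are constructed for illustration; the allowlist is copied from the table.

```shell
#!/usr/bin/env bash
# Documented vSnap server ports from the table above, written as proto/port.
VSNAP_PORTS="tcp/22 tcp/111 udp/137 udp/138 tcp/139 tcp/445 tcp/2049 tcp/3260 tcp/8900 tcp/20048"

# Constructed sample in the layout printed by `ss -tuln` (not from a real host).
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:139        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      64     0.0.0.0:2049       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8900       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:20048      0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:137        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:138        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
EOF
}

# audit_listeners ALLOWLIST
# Reads `ss -tuln` output on stdin. Prints "UNEXPECTED proto/port addr" for
# each non-loopback listener that is not documented, then "MISSING proto/port"
# for each documented port with no listener (the service may simply be unused).
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    $1 == "tcp" || $1 == "udp" {
      port = $5; sub(/.*:/, "", port)        # text after the last colon
      addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
      # Loopback-only listeners are not reachable from the network.
      if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
      key = $1 "/" port
      seen[key] = 1
      if (!(key in want) && !(key in flagged)) {
        flagged[key] = 1
        print "UNEXPECTED " key " " addr
      }
    }
    END { for (i = 1; i <= n; i++) if (!(a[i] in seen)) print "MISSING " a[i] }
  '
}

# Demo on the constructed sample. On a real host:
#   ss -tuln | audit_listeners "$VSNAP_PORTS"
sample_ss_output | audit_listeners "$VSNAP_PORTS"
```

Each UNEXPECTED line is a listener to either close or justify before the host firewall is opened for the documented ports; in the sample, rpcbind on UDP 111 is flagged because the table lists port 111 for TCP only.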
VADP proxy requirements
In IBM Spectrum Protect Plus, running virtual machine backup jobs through VADP can be taxing on system resources. By creating VADP backup job proxies, you enable load sharing and load balancing for your IBM Spectrum Protect Plus backup jobs. If proxies exist, the entire processing load is shifted from the IBM Spectrum Protect Plus appliance onto the proxies.
This feature has been tested only for SUSE Linux Enterprise Server and Red Hat environments. The feature is supported only in 64-bit quad core or higher configurations with a minimum kernel of 2.6.32.
VADP proxies support the following VMware transport modes: File, SAN, HotAdd, NBDSSL, and NBD. For more information about VMware transport modes, see: Virtual Disk Transport Methods
This feature is supported only in 64-bit quad core or higher configurations in the following Linux environments:
- CentOS Linux 6.5 and later maintenance and modification levels (beginning with 10.1.1 patch 1)
- CentOS Linux 7.0 and later maintenance and modification levels (beginning with 10.1.1 patch 1)
- Red Hat Enterprise Linux 6, Fix pack 4 and later maintenance and modification levels
- Red Hat Enterprise Linux 7 and later maintenance and modification levels
- SUSE Linux Enterprise Server 12 and later maintenance and modification levels
For more information and sizing guidance, see the IBM Spectrum Protect Plus Blueprints
For initial deployment of a VADP proxy server, ensure that your Linux machine meets the following minimum requirements:
- 64-bit quad core processor
- 8 GB RAM required, 16 GB preferred
- 60 GB free disk space
The increase of used CPUs and concurrency on the VADP proxy server requires the memory that is allocated on the proxy server to be increased accordingly.
The proxy must be able to mount NFS file systems, which in many cases requires an NFS client package to be installed. The exact package details vary based on the distribution.
Each proxy must have a fully qualified domain name and must be able to resolve and reach the vCenter. vSnap servers must be reachable from the proxy.
Port 8098 on the VADP proxy server must be open when the proxy server firewall is enabled.
VADP Proxy ports
The following ports are used by VADP proxies. Ports that are indicated with "Accept" in the Firewall Rule column use secure connections (HTTPS or SSL).
Port | Protocol | Firewall Rule | Service | Description |
---|---|---|---|---|
22 | TCP | Accept | SSH | Port 22 is used to push the VADP Proxy to the host node. |
8098 | TCP | Accept | VADP | Default port for TLS-based REST API communications between the IBM Spectrum Protect Plus server and the VADP proxy. |
Port | Protocol | Service | Description |
---|---|---|---|
111 | TCP | vSnap RPC Port Bind | Allows clients to discover ports that ONC clients require to communicate with ONC servers (internal) |
443 | TCP | VMware ESXi Host/vCenter | Client connections to vCenter. |
902 | TCP | VMware ESXi Host | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
2049 | TCP | vSnap NFS | Used for NFS file sharing via vSnap server. |
5671 | TCP | RabbitMQ | Message framework used to manage messages produced and consumed by the VADP proxy and VMware job management workers. Also facilitates job log. |
8761 | TCP | Discovery Server | Automatically discovers VADP proxies and is used by IBM Spectrum Protect Plus VM backup operations. |
20048 | TCP | vSnap mount | Mounts vSnap file systems on clients such as the VADP proxy, application servers, and virtualization data stores. |
Tip: VADP proxies can be pushed and installed to Linux-based servers over SSH port 22.
If the firewall command script is not available on your system, edit the firewall manually to add necessary ports, and restart the firewall. More information on editing firewall rules can be found here: Editing firewall ports
VADP proxy on vSnap server requirements
VADP proxies can be installed on vSnap servers in your IBM Spectrum Protect Plus environment. A combination VADP proxy/vSnap server must meet the minimum requirements of both devices. Consult the system requirements of both devices and add the core and RAM requirements together to identify the minimum requirements of the combination VADP proxy/vSnap server.
Ensure that your combination VADP proxy/vSnap server meets the following recommended minimum requirements, which are the sum of the requirements for each device.
VADP proxy installed on a virtual vSnap server:
- 64-bit 8-core processor
- 48 GB RAM
All required VADP proxy and vSnap server ports must be open on the combination VADP proxy/vSnap server. Review the VADP proxy and vSnap ports sections of the system requirements for more information.
Cloud requirements
To offload data to cloud storage, ensure that your IBM Spectrum Protect Plus and cloud environments meet the following requirements.
Disk cache area
For all functionality related to offloading as well as restoring to and from cloud and archival targets, the vSnap server requires a disk cache area to be present on the vSnap server.
- During offload operations, this cache is used as a temporary staging area for objects that are pending upload to the cloud endpoint.
- During restore operations, the disk cache area is used to cache downloaded objects as well as to store any temporary data that may be written into the restore volume.
For instructions about sizing and installing the cache see Cloud offload configuration or IBM Spectrum Protect Plus Blueprints
Multipath requirements
During copy operations to object storage, IBM Spectrum Protect Plus attaches and detaches virtual cloud devices on vSnap servers. If multipath is enabled on the vSnap server using dm-multipath, it can interfere with the copy operation. To avoid this, the virtual cloud devices must be excluded from the multipath configuration. Modify the multipath configuration file and specify a rule to exclude devices whose vendor matches "LIO-ORG". For instructions and examples, go to the Red Hat Customer Portal and see the DM Multipath documentation
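
The exclusion rule described above, with a check that a given configuration file contains it. This is an added example, not IBM or Red Hat code: the stanza uses the standard multipath.conf `blacklist`/`device` syntax, and the function names `lio_blacklist_stanza` and `has_lio_blacklist` are hypothetical.

```shell
#!/usr/bin/env bash
# Print a blacklist stanza that excludes every device whose vendor string
# matches "LIO-ORG", whatever its product string is.
lio_blacklist_stanza() {
  cat <<'EOF'
blacklist {
    device {
        vendor "LIO-ORG"
        product ".*"
    }
}
EOF
}

# has_lio_blacklist FILE
# Exit status 0 only if FILE contains a device rule for vendor LIO-ORG inside
# a blacklist section. A match inside blacklist_exceptions, inside a devices
# section, or inside a comment does not count.
has_lio_blacklist() {
  awk '
    { sub(/#.*/, "") }                                    # ignore comments
    $1 == "blacklist" && index($0, "{") { in_bl = 1; next }
    in_bl && $1 == "device" && index($0, "{") { in_dev = 1; next }
    in_dev && $1 == "vendor" && $2 ~ /LIO-ORG/ { found = 1 }
    index($0, "}") { if (in_dev) in_dev = 0; else in_bl = 0 }
    END { exit !found }
  ' "$1"
}

# Typical use on a vSnap server (path assumed to be the default location):
#   has_lio_blacklist /etc/multipath.conf || lio_blacklist_stanza
```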
Certificate requirements
- Self-signed certificates
If the cloud endpoint or repository server uses a self-signed certificate, the certificate must be specified (in Privacy Enhanced Mail (PEM) format) while registering the cloud or repository server in the IBM Spectrum Protect Plus user interface.
- Certificates signed by private Certificate Authority
If the cloud endpoint or repository server uses a certificate signed by a private Certificate Authority (CA), the endpoint certificate must be specified (in PEM format) when you register the cloud or repository server in the IBM Spectrum Protect Plus user interface.
In addition, the root/intermediate certificate of the private CA must be added to the system certificate store in each vSnap server using the following procedure:
  - Log in to the vSnap server console as the "serveradmin" user and upload any private CA certificates (in PEM format) to a temporary location.
  - Copy each certificate file to the system certificate store directory (/etc/pki/ca-trust/source/anchors/) by running the following command:
    $ sudo cp /tmp/private-ca-cert.pem /etc/pki/ca-trust/source/anchors/
  - To incorporate the newly added custom certificate and update the system certificate bundle, run the following command:
    $ sudo update-ca-trust
- Certificates signed by public Certificate Authority
If the cloud endpoint uses a public CA-signed certificate, no special action is needed. vSnap server will validate the certificate by using the default system certificate store.
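
A pre-check for the private CA procedure above, as an added example that is not IBM code: it refuses to copy a file into the trust anchors unless it parses as a certificate, matches a SHA-256 fingerprint obtained out of band from the CA owner, is unexpired and is marked as a CA. The function names are hypothetical; the anchor directory and `update-ca-trust` come from the procedure.

```shell
#!/usr/bin/env bash
# Trust anchor directory named in the procedure above.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"

# normalize_fp FINGERPRINT: drop colons and whitespace, uppercase the hex.
normalize_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# vet_ca_cert PEM_FILE EXPECTED_SHA256
# Returns 0 only if every check passes; any failure rejects the file.
# Only the first certificate in PEM_FILE is examined.
vet_ca_cert() {
  local pem="$1" expected actual
  expected="$(normalize_fp "$2")"
  [ -r "$pem" ] || { echo "REJECT: cannot read $pem" >&2; return 1; }

  # Fails if the file is not a PEM-encoded X.509 certificate.
  actual="$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null)" \
    || { echo "REJECT: not a PEM X.509 certificate" >&2; return 1; }
  actual="$(normalize_fp "${actual#*=}")"    # keep the hex after "Fingerprint="

  [ -n "$expected" ] && [ "$actual" = "$expected" ] \
    || { echo "REJECT: fingerprint mismatch, file has $actual" >&2; return 1; }

  # -checkend 0 fails when the certificate has already expired.
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "REJECT: certificate has expired" >&2; return 1; }

  # A trust anchor must be a CA certificate, not an endpoint certificate.
  openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || { echo "REJECT: basicConstraints is not CA:TRUE" >&2; return 1; }
  return 0
}

# install_ca PEM_FILE EXPECTED_SHA256
# Runs the two commands from the procedure only after the checks pass.
install_ca() {
  vet_ca_cert "$1" "$2" || return 1
  sudo cp "$1" "$ANCHOR_DIR/" && sudo update-ca-trust
}

# Usage on a vSnap server, with the fingerprint supplied by the CA owner:
#   install_ca /tmp/private-ca-cert.pem "<SHA-256 fingerprint from the CA owner>"
```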
Network requirements
The following ports are used for communication between vSnap servers and cloud or repository server endpoints.
Port | Protocol | Service | Description |
---|---|---|---|
443 | TCP | HTTPS | Allows vSnap to communicate with Amazon S3, Microsoft Azure, or IBM Cloud Object Storage endpoints |
9000 | TCP | HTTPS | Allows vSnap to communicate with IBM Spectrum Protect (repository server) endpoints |
Any firewalls or network proxies that perform SSL Interception or Deep Packet Inspection for traffic between vSnap servers and cloud endpoints might interfere with SSL certificate validation on vSnap servers. This interference can also cause cloud offload job failures. To prevent this interference, the vSnap servers must be exempted from SSL interception and inspection in the firewall or proxy configuration.
Cloud provider requirements for offload and archive operations
Native lifecycle management is not supported. IBM Spectrum Protect Plus manages the lifecycle of uploaded objects automatically using an incremental-forever approach where older objects can still be used by newer snapshots. Automatic or manual expiration of objects outside of IBM Spectrum Protect Plus will lead to data corruption.
If the cloud provider uses an SSL certificate that is self-signed or signed by a private Certificate Authority, see Certificate requirements.
Amazon S3 cloud requirements
- Offload: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket in one of the supported storage tiers must be specified: S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access, or S3 One Zone-Infrequent Access.
- Archive: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket in one of the supported storage tiers must be specified: S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access, or S3 One Zone-Infrequent Access. IBM Spectrum Protect Plus will directly upload data files to the Glacier tier. Some small metadata files will be stored in the default tier for the bucket. A copy of these metadata files is also placed into the Glacier tier for disaster recovery purposes.
IBM Cloud Object Storage requirements
- Offload: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket must be specified. If the specified bucket has a WORM policy that locks objects for a certain time period, IBM Spectrum Protect Plus automatically detects the configuration and deletes snapshots after the WORM policy removes the lock.
- Archive: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing bucket must be specified. If the specified bucket has a WORM policy that locks objects for a certain time period, IBM Spectrum Protect Plus automatically detects the configuration and deletes snapshots after the WORM policy removes the lock. IBM Spectrum Protect Plus creates a single lifecycle management rule on the bucket to migrate data files to the archive tier.
Microsoft Azure requirements
- Offload: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing container in a hot or cool storage account must be specified.
- Archive: When the cloud provider is registered in IBM Spectrum Protect Plus, an existing container in a hot or cool storage account must be specified. IBM Spectrum Protect Plus moves files between tiers on demand. Data files will be immediately moved to the archive tier and temporarily returned to the hot tier only during a restore operation. Some small metadata files will be stored in the default tier for the container. A copy of these metadata files is also placed in the archive tier for disaster recovery purposes.
IBM Spectrum Protect (repository server) requirements
- Offload: When the cloud provider is registered in IBM Spectrum Protect Plus, you cannot use an existing bucket. IBM Spectrum Protect Plus creates a uniquely named bucket for its own use.
- Archive: When the cloud provider is registered in IBM Spectrum Protect Plus, you cannot use an existing bucket. IBM Spectrum Protect Plus creates a uniquely named bucket for its own use. IBM Spectrum Protect Plus will directly upload data files to IBM Spectrum Protect tape storage. Some small metadata files will be stored in IBM Spectrum Protect object storage. A copy of these metadata files is also placed on IBM Spectrum Protect tape storage for disaster recovery purposes.
Operation | Provider | Requirements |
---|---|---|
Offload | Amazon S3 | An existing bucket must be specified from one of the supported storage tiers. |
Offload | IBM Cloud Storage | An existing bucket must be specified. |
Offload | Microsoft Azure | An existing container must be specified from hot or cool storage tier. |
Offload | IBM Spectrum Protect | IBM Spectrum Protect Plus creates its own unique bucket. |
Archive | Amazon S3 | Allows vSnap to communicate with IBM Spectrum Protect (repository server) endpoints. |
Archive | IBM Cloud Storage | An existing bucket must be specified from the archive tier. |
Archive | Microsoft Azure | An existing container must be specified from the hot storage tier and archive tier. |
Archive | IBM Spectrum Protect | IBM Spectrum Protect Plus creates its own unique bucket to be copied to IBM Spectrum Protect tape. |
For quick-start information to help you to set up and offload data to specific cloud providers, see: Data offload to cloud object storage with IBM Spectrum Protect Plus
Document Information
Modified date:
01 July 2021
UID
ibm10881558