data protector fokustag...a windows installation server must be part of the data protector cell to...
Technical Background
Primary- and secondary storage, high availability, clustering and replication as well as backup & recovery solutions.
Subject matter expert
MF Data Protector
HPE StoreOnce and Dell EMC Data Domain
HPE Tape Libraries
HPE 3PAR
HPE Serviceguard
Actively involved member
MF Data Protector Technical Advisory Board
HPE Worldwide Partner Ambassador
HPE Storage Championship Germany
Data Protector Practitioners Forum and Support Customer Forum
2
About The Speaker
EMEA Presales Data Protection, Micro Focus
Sebastian Koehler
Data Protector 10.x Releases and Upgrade Path
Upgrade Options and Preparation
License Upgrade and Validation
Log Files Before and After Upgrade
Perform the Upgrade
Push and Local Client Installation and Upgrade
Secure Socket Communication
Importing Clients (Data Protector 10.x)
Clusters with Secure Communication
Scheduler and User Migration
Centralized omnirc management
3
Agenda
4
Data Protector 10.x Releases
June 30th, 2017: Data Protector A.10.00, Version A.10.00.306, Full media kit
September 28th, 2017: Data Protector A.10.01, Version A.10.01.307, Patch bundle for A.10.00 (DPWINBDL_01001, DPLNXBDL_01001, DPUXBDL_01001)
December 7th, 2017: Data Protector A.10.02, Version A.10.02.308, Patch bundle for 10.00 (DPWINBDL_01002, DPLNXBDL_01002, DPUXBDL_01002)
March 30th, 2018: Data Protector A.10.03, Version A.10.03.181, Full media kit
May 31st, 2018: Data Protector A.10.04, Version A.10.03.182, Patch bundle for 10.03 (DPWINBDL_01004, DPLNXBDL_01004, DPUXBDL_01004)
September 17th, 2018: Data Protector 2018.09, Version A.10.10.134, Full media kit
December 6th, 2018: Data Protector 2018.11, Version A.10.20.115, Full media kit
March 4th, 2019: Data Protector 2019.03, Version A.10.30.105, Full media kit
May 24th, 2019: Data Protector 2019.05, Version A.10.40.118, Full media kit
August 23rd, 2019: Data Protector 2019.08, Version A.10.50.125, Full media kit
5
Data Protector Upgrade Path
[Figure: upgrade matrix. Rows "Upgrade from Version": 6.2x, 7.0x, 8.0x, 8.1x, 9.0x, 10.0x, 10.10, 10.20, 10.30, 10.40. Columns "Upgrade to Version": 7.0x, 8.0x, 8.1x, 9.0x, 10.0x, 10.10, 10.20, 10.30, 10.40, 10.50. Legend: Recommended, Supported, Not Supported.]
NOTE: This also applies to client upgrades
In-Place Upgrade
Single-step process where IDB and configuration data is retained, the Cell Manager name is not changed
Multi-step process if new hardware and/or operating system version should be used
Installation of an empty Cell Manager on a server (same platform, temporary name)
Migrate IDB and configuration files to the new system, be aware of service accounts used and file system permissions, junctions on Windows
Change hostname to old Cell Manager name
Perform the actual upgrade in a separate step
Migration (Green Field Installation)
Installation of a new Cell Manager on a server (physical or virtual) with a new name
Same or more recent Data Protector version
Migration of configuration data may vary
Config files (cell_info, specifications, etc.)
Clients (omnicc -update_all -force_cs)
Devices and Pools
Media (MCF export/import), DP 10.30 and later will retain Media Condition Factors
Only supported option for changing the Cell Manager platform (e.g. HP-UX to Linux)
6
Upgrade Options
Upgrade Licenses to 10.x
Data Protector 9.x will accept 10.x licenses
90 days Instant-On password after upgrade from 8.1x or 9.x to 10.x
Upgrade Planning, Review Documentation
Release Log Page
Support Matrix
Deprecation and Obsolescence list
Support Statement on Earlier Agent Versions
CM hardware requirements (min. 4x CPU and 16 GB RAM, Disk identical to DP 8.1x and 9.x)
Preparation Steps
Upgrade clients that are no longer supported to the latest possible agent version
Disable Encrypted Control Communication (ECC) in GUI or omnicc -encryption -disable -all
Remove the references to HP Fonts on Windows Cell Managers, requires reboot
Prepare changes in network firewalls
Clean-up logs before the upgrade
IDB consistency check using the command omnidbcheck -extended. Correct any errors before proceeding.
7
Upgrade Preparation (1/2)
Create a recent IDB full backup to a known media
Keep media.log and device configuration (omnidownload -library | -device)
Create an (offline) backup of the Cell Manager, e.g.
Windows Server Backup or tarball of /etc/opt/omni, /opt/omni and /var/opt/omni
VMware or HyperV snapshot if Cell Manager is a Virtual Machine
LVM Snapshot on Linux/UNIX or Windows VSS snapshot (see note 1)
Storage snapshot if the IDB is stored on an external disk array
Prevent sessions from being executed during or after the upgrade
Cell Manager services must be up and running (see omnisv status) during the upgrade (required in 10.40 and later)
Place Cell Manager in maintenance mode using omnisv -maintenance 1
8
Upgrade Preparation (2/2)
Note 1: Be careful with junctions in %DP_SDATA_DIR%\server\db80\pg\pg_tblspc
Keep omnicc -check_license -detail and omnicc -password_info output (old version)
Check products/quantity in support contract
Service Request (Licensing), please include:
http://mysupport.microfocus.com
Target Name (Cell Manager)
Target Cell Manager IPv4/IPv6 address
Content of lic.dat and omnicc output (above)
Micro Focus License Portal
https://entitlement.microfocus.com
Directly update products under support
9
License Upgrade and Validation
Validation:
• Replace lic.dat on Cell Manager (old version)
• Remove lic.ctx (tmp directory) if required
• Run omnicc and compare results
Clean-up before the upgrade
Run omnisv stop to stop the services
Run omnisv start to start the services
Collect logs after (a failed) upgrade
Data Protector 10.40 and later will create installation/upgrade debugs (OB2DBG*.txt) in %DP_DATA_DIR%\tmp or /tmp by default
On Windows also collect files from %TEMP%
NOTE: Only required if something goes wrong and support is needed.
10
Log Files Before and After Upgrade
%DP_DATA_DIR%\tmp | /var/opt/omni/tmp | All
%DP_SDATA_DIR%\server\db80\pg\pg_log | /var/opt/omni/server/db80/pg/pg_log | All
%DP_DATA_DIR%\log | /var/opt/omni/log | LargeFiles
%DP_DATA_DIR%\log\server | /var/opt/omni/log/server | LargeFiles
%DP_DATA_DIR%\log\AppServer | /var/opt/omni/log/AppServer | All
Upgrade the Cell Manager and at least one GUI client
setup.exe or omnisetup.sh from corresponding Media Kit
Perform basic sanity checks using omnidbcheck -extended and in GUI (Devices & Media and IDB)
At this stage backups and restores should be possible
Upgrade the Installation Servers
setup.exe or omnisetup.sh from corresponding Media Kit
Upgrade the remaining GUI clients (locally or remote)
Upgrade the Media Agents and clients with StoreOnceSoftware installed
Use storeoncesoftware --stop_store --name=<StoreName> --force to stop stores before the upgrade
NOTE: Hotfix QCIM2A84565 to resolve an issue in StoreOnceSoftware in DP A.10.50 on Windows
11
Perform the Upgrade (1/2)
Upgrade clients with Online Integration Modules (Oracle, SAP, MSSQL, PostgreSQL, etc.)
NOTE: Upgrading clients where Exchange GRE is installed will cause an IISReset
The VMware GRE plug-in needs to be re-registered
Performed automatically during the Cell Manager upgrade or manually in GUI
Now uses a "Web User" and Secure Communication (no exception, automatically configured)
Upgrade the remaining clients
Clients that support an upgrade to the latest version
Upgrade the Backup Navigator or Reporting Server, if used
12
Perform the Upgrade (2/2)
A Windows Installation Server must be part of the Data Protector cell to allow Remote Installation and Upgrades of Windows clients
Installation source available via the OmniBack share on the installation server
Push installation is now using SMB signing when deploying new clients or during upgrade of 8.1x or 9.x clients
Data Protector 10.20 and later is using INET for upgrades (OB2UPGRADEOVERINET=1)
To allow the initial connect to the OmniBack share a user account must be configured on the Installation Server (omniinetpasswd)
omnirc option (Installation Server, 10.20 and later)
OB2UPGRADEOVERINET=0|1
OB2FWPASSTHRU=1
User Configuration (Installation Server)
omniinetpasswd -add DOMAIN\User
omniinetpasswd -inst_srv_user DOMAIN\User
omniinetpasswd -list
13
Push Installation and Upgrade (Windows)
A Linux/UNIX Installation Server (see note 1) must be part of the Data Protector cell to allow Remote Installation and Upgrades of Linux/UNIX clients
Installation source available in the directory /opt/omni/databases on the IS
Push installation is now using SSH by default
Operation can be performed by root or a sudo-enabled user account
Data Protector 10.20 and later is using INET for upgrades (OB2UPGRADEOVERINET=1)
If SSH keys are not pre-configured between the IS and the clients, then a password is required (e.g. ssh-copy-id) per client.
omnirc option (Installation Server, 10.20 and later)
OB2UPGRADEOVERINET=0|1
Note 1: IS on HP-UX not available in Data Protector 10.50+
14
Push Installation and Upgrade (Linux/UNIX)
A local client installation/upgrade can be used if the remote installation is not working
Can be started from Windows Media Kit or directly from the OmniBack share
Make sure to specify Cell Manager name and confirm fingerprint (last step)
Use the INET port for your cell (e.g. 5555)
Client is automatically registered with Windows Firewall
Import the client after installation or run omnicc -update_host <Client> after an upgrade from 8.1x or 9.x
15
Local Client Installation and Upgrade (Windows)
A local client installation/upgrade can be used if the remote installation is not working
Can be started from Linux/HP-UX Media Kit
Make sure to specify Cell Manager name (-server) and confirm fingerprint (last step)
Use the INET port (-inetport) for your cell (e.g. 5555)
Firewall ports are not automatically opened
Import the client after installation or run omnicc -update_host <Client> after an upgrade from 8.1x or 9.x
linux:/tmp/LOCAL_INSTALL # ./omnisetup.sh -install da -server CM.domain.tld -inetport 5565
[...]
Certificate information:
- Hostname:CM.domain.tld
- Valid: from Jul 16 13:07:18 2019 GMT until Jul 13 13:07:18 2029 GMT
- Fingerprint: 12:b3:1a:a1:6e:96:64:30:bf:2f:74:33:21:d5:f1:37:ca:a5:bb:13:26:bf:52:fa:a2:67:b8:e0:7c:56:7e:d9
Do you want to continue (y/n)?y
Host 'CM.domain.com' configured for secure configuration successfully.
16
Local Client Installation and Upgrade (Linux/UNIX)
Secure communication (AES-256 bit, TLS 1.2) between client and Cell Manager
A self-signed client certificate is generated for each client (including the Cell Manager)
Fingerprints of all known clients are stored in the ssconfig file on the Cell Manager
The ssconfig file on each client only has the Cell Manager fingerprint
Client communication via the Data Protector INET port (e.g. 5565/TCP) only
The INET port must be open (IN and OUT) in the firewall
Ports previously used in OB2PORTRANGE may be closed after the client upgrade
omnicc -update_local_port <INET> can be used to quickly change the INET port on a client
17
Secure Socket Communication (1/2)
Cell Manager Client
Permitted
Rogue Client
Rejected
Secure communication between members
How to set it up?
A Secure Socket Communication trust is automatically configured
During a remote installation of a 10.x client
During a remote upgrade of a 8.1x or 9.x client to 10.x
Exceptions are configured for all clients in the cell_info during a CM upgrade (8.1x or 9.x)
Exporting a client from the cell will remove the SSC trust on Cell Manager and the client
Secure Data Communication
Encryption of payload (backup data) available in Data Protector 10.50 and later
Enabled or disabled with global option EnableSecureDataCommunication=0|1
Slightly higher CPU load and reduced performance
18
Secure Socket Communication (2/2)
Data Protector 10.x client (CM name was used and certificate accepted during installation)
Import in the GUI or omnicc -import_host <Client> [-accept_host] on the Cell Manager
Data Protector 10.x client (removed from the CM or installed without the CM name)
omnicc -secure_comm -configure_peer <CM> [-accept_host] on client
Import in the GUI or omnicc -import_host <Client> [-accept_host] on the Cell Manager
NOTE: A failed import may remove the certificate trust from the client!
Data Protector 9.x client (removed from the CM)
Import in the GUI (as OpenVMS host) or omnicc -import_openvms_host <Client> on the CM
NOTE: This will configure a SSC exception and import the client in one step
19
Importing Clients (Data Protector 10.x)
Each client is identified by a unique certificate (localhost_cert.pem and localhost_key.pem) and the fingerprint of the certificate is used to validate the client identity.
The same fingerprint may be used for different hostnames, but different fingerprints may not be used for the same hostname. Failing over a virtual hostname may break secure communication!
Solution: Use the same client certificate on all physical nodes in a Failover Cluster, Exchange DAG, SQL Server AO, Oracle RAC or any other HA environment where clients are imported as a "Virtual Host" so that they can be activated on a different system.
20
Clusters with Secure Communication
Physical and Virtual Cluster Nodes
[root@node1 ~]# omnicc -secure_comm -get_fingerprint
Fingerprint : 1a:a3:4s:99:fx:11:41:...:d3:77
[root@node2 ~]# omnicc -secure_comm -get_fingerprint
Fingerprint : 85:af:6c:5a:f4:57:20:...:95:03
[root@vip1 ~]# omnicc -secure_comm -get_fingerprint
Fingerprint : 85:af:6c:5a:f4:57:20:...:95:03
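Added example (not part of the original slides and not Data Protector code): a simplified Python model of the fingerprint rule above, showing why a virtual host imported while active on node2 stops validating after failover to node1 unless both nodes share one certificate, and why a host that was never imported is rejected. TrustStore, failover_check, the in-memory dictionary (it does not reproduce the ssconfig file format) and the use of SHA-256 over constructed byte strings are assumptions.

```python
import hashlib
import hmac

def fingerprint(cert_bytes: bytes) -> str:
    """Colon-separated digest. SHA-256 is an assumption: it matches the
    32-byte length of the fingerprint shown in the installer output."""
    return ":".join(f"{b:02x}" for b in hashlib.sha256(cert_bytes).digest())

class TrustStore:
    """Hypothetical in-memory model: hostname -> pinned fingerprint."""

    def __init__(self):
        self._pins = {}

    def import_host(self, hostname: str, fp: str) -> None:
        pinned = self._pins.get(hostname)
        # One hostname may never map to two different fingerprints.
        if pinned is not None and not hmac.compare_digest(pinned, fp):
            raise ValueError(f"{hostname} is already pinned to another fingerprint")
        self._pins[hostname] = fp  # the same fingerprint may serve several hostnames

    def verify(self, hostname: str, presented_fp: str) -> bool:
        pinned = self._pins.get(hostname)
        return pinned is not None and hmac.compare_digest(pinned, presented_fp)

# Constructed stand-ins for the certificate on each physical node.
NODE1_CERT = b"constructed certificate bytes, node1"
NODE2_CERT = b"constructed certificate bytes, node2"
UNKNOWN_CERT = b"constructed certificate bytes, host not in the cell"

def failover_check(shared_cert: bool) -> dict:
    """Import vip1 while it runs on node2, then move it to node1."""
    cert_node1 = NODE2_CERT if shared_cert else NODE1_CERT
    store = TrustStore()
    store.import_host("node1", fingerprint(cert_node1))
    store.import_host("node2", fingerprint(NODE2_CERT))
    store.import_host("vip1", fingerprint(NODE2_CERT))
    return {
        "vip1_on_node2": store.verify("vip1", fingerprint(NODE2_CERT)),
        "vip1_on_node1": store.verify("vip1", fingerprint(cert_node1)),
        "unknown_host": store.verify("other", fingerprint(UNKNOWN_CERT)),
    }

if __name__ == "__main__":
    print("separate certificates:", failover_check(shared_cert=False))
    print("shared certificate:   ", failover_check(shared_cert=True))
```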
Data Protector 10.00 introduced the new Consolidated Scheduler (now Web Scheduler)
A combination of Legacy- and Advanced Scheduler storing all configuration in the Internal Database
Migration of Legacy Scheduler (schedule files) to Internal Database (JCE) was mandatory until DP 10.10
Schedule migration can be started using omnidbutil -migrate_schedules manually
The Legacy Scheduler was re-introduced in Data Protector 10.20 in addition to Web Scheduler
Fallback to the Legacy Scheduler:
(Re)create schedules manually in Legacy Scheduler
Run omnidbutil -reinstate_legacy_schedules -force to rename *.migrate files and delete Web Schedules
Obtain and run omnijce2schedule.pl script to migrate omnidbutil -export_schedules -all output to Legacy Schedule files and delete associated Web Schedules
21
Scheduler Migration
User configuration is stored in the KeyCloak database (AppServer) in Data Protector 10.00
Enables LDAP authentication for users/groups and stores user information and access token
User migration runs during the 10.x upgrade or manually with the userMigrate.pl script
Direct modification of the UserList file is no longer supported
Use the GUI or omniusers command instead
Users with <ANY> statements are no longer valid for new entries in Data Protector 10.50 and later
A user that requires GUI access needs a password in KeyCloak
A randomized password is generated for all users in UserList during an upgrade
The password only needs to be known when using VMware GRE or the Data Protector WebUI
22
User Migration
Examples:
omniusers -add -type W -usergroup admin -name "User" -group "DOM" -client "client.domain.tld" -setpass
omnicc -update_omnirc allows the remote manipulation of client specific configuration options across the entire cell
Available since Data Protector 10.03
It pushes one omnirc option (key/value pair) at a time
Target clients are selected by operating system type, by specific agent installed, or as a set of hosts given in a comma-separated list or in an input file
23
Centralized omnirc management
Examples:
omnicc -update_omnirc OB2NOTREEWALK -value 1 -client_os microsoft
omnicc -update_omnirc OB2SQLBLOCKSIZE -value 65536 -module mssql70
omnicc -update_omnirc OB2_DNSTIMEOUT -value 2