IBM Spectrum Protect for VMware Cloud on AWS Virtual Environments

Article ID: 324701

Products

VMware Cloud on AWS

Issue/Introduction

Purpose

This article provides information about protecting VMware Cloud on AWS with IBM Spectrum Protect for Virtual Environments.  For more information about supported versions of IBM Spectrum Protect for Virtual Environments, please refer to IBM Spectrum Protect for Virtual Environments support for VMware Cloud on AWS.

Disclaimer:  The partner solution referenced in this article is a solution that is developed and supported by a partner. Use of this product is also governed by the end user license agreement of the partner. You must obtain from the partner the application, support, and licensing for using this product. For more information, see IBM Spectrum Protect for Virtual Environments.

Resolution

Here is a summary of target use cases, solution architecture, solution components, and support information.

Use cases that are supported on VMware Cloud on AWS

IBM Spectrum Protect for Virtual Environments provides data protection for virtual machines managed by a VMware Cloud on AWS Software-Defined Data Center and supports these use cases:
  • Virtual machine data protection providing backup to a centralized IBM Spectrum Protect server
  • Incremental forever virtual machine backup using VMware’s Changed Block Tracking (CBT) feature to reduce the daily backup workload to only data that has changed since the previous backup operation
  • Data compression and data deduplication at the backup source or target
  • Automatic discovery of new virtual machine inventory without having to modify existing data protection policies
  • Recovery of a virtual machine within a VMware Cloud on AWS Software-Defined Data Center either to replace a failed machine or as a new virtual machine entity including virtual network (NSX) definitions
  • Recovery of files and/or directories within supported Microsoft Windows and Linux virtual machines
  • Backup and recovery of individual virtual machine disks (VMDK)
  • HotAdd transport mode

Use cases that are not supported on VMware Cloud on AWS

These use cases are not supported by IBM Spectrum Protect for Virtual Environments when deployed in a VMware Cloud on AWS Software-Defined Data Center:
  • Use of the vSphere Web Client or vSphere Client plugins for IBM Spectrum Protect for Virtual Environments
  • Ability to instantly access a virtual machine image by accessing data directly from the IBM Spectrum Protect server backup storage
  • Ability to instantly restore a virtual machine by accessing data directly from the IBM Spectrum Protect server backup storage and migrating the storage to vSAN storage located in the Software-Defined Data Center using Storage vMotion
  • Protection of Microsoft SQL Server or Microsoft Exchange Server applications running within a virtual machine
  • Recovery of virtual machines outside of the Software-Defined Data Center
  • NBD, NBDSSL and SAN transport modes


Solution Architecture

The recommended architecture for protecting virtual machines in a VMware Cloud on AWS Software-Defined Data Center allows a customer to protect virtual machine workloads within the Software-Defined Data Center by providing backup to a centralized Spectrum Protect backup server outside of the Software-Defined Data Center as shown in the diagram below:

The IBM Spectrum Protect components for this solution are:
  • Spectrum Protect backup server, which provides automated, centrally scheduled, policy-managed backup capabilities for virtual machines and other workloads. This component is installed in the customer’s AWS Virtual Private Cloud (VPC).
  • Spectrum Protect backup storage, which can consist of disk-based, cloud-based, or tape-based storage organized into storage containers or storage pools. For disk- and tape-based storage, the storage would be located in the customer’s AWS VPC; for cloud-based storage, the storage can be on-premises or in a certified object storage environment. For more information about which cloud object storage environments are certified with IBM Spectrum Protect, see this IBM Support document.
  • Spectrum Protect for Virtual Environments (Data Protection for VMware) data movers, which are responsible for moving data between the Software-Defined Data Center datastores and the Spectrum Protect backup storage for backup and recovery operations. This component is installed in the VMware Cloud on AWS Software-Defined Data Center.

Solution Components

The following components are required for data protection of virtual machines in VMware Cloud on AWS: Detailed information about the solution can be found in the IBM Knowledge Center.

Installation and Configuration

Instructions for installing and configuring the IBM Spectrum Protect Server component can be found in the IBM Knowledge Center.

Steps to install and configure IBM Spectrum Protect for Virtual Environments – Data Protection for VMware component
  1. Review the IBM Knowledge Center article: Installing and upgrading Data Protection for VMware
  2. Choose a Windows virtual machine in the Software-Defined Data Center to install Data Protection for VMware
  3. Execute the IBM Spectrum Protect for Virtual Environments Data Protection for VMware suite installation wizard and select the “Typical installation” installation type
  4. When the installation wizard completes, uncheck the box to launch the configuration wizard.
  5. For IBM Spectrum Protect for Virtual Environments 8.1.9:
    Edit the permissions required for IBM Spectrum Protect for Virtual Environments to allow the solution to execute in the Software-Defined Data Center
    1. Locate the permissions file on the Windows virtual machine where IBM Spectrum Protect for Virtual Environments was installed. The permissions file is located at C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\tsmVmGUI\TSMRequiredPermissonsList.xml.
    2. Open the file TSMRequiredPermissionsList.xml
    3. Remove all of the “<Privilege>…” lines in the section under <vCenter version="6.*">, leaving only the <Privilege>Datastore.AllocateSpace</Privilege> line as shown:

      <vCenter version="6.*">
         <Datacenter>
            <Privilege>Datastore.AllocateSpace</Privilege>
         </Datacenter>


      Note: it is normal to have to remove 40 – 50 lines with the <Privilege> tag in this step
    4. Save the changes to TSMRequiredPermissionsList.xml and close the file.
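
The edit in the 8.1.9 step, as an added example (not IBM's or VMware's code): a line-based filter that removes every `<Privilege>` line inside the `<vCenter version="6.*">` section except `Datastore.AllocateSpace` and reports how many it removed. The sample file is constructed; its root element name, its `5.*` section and the assumption that the section ends with `</vCenter>` are not from the article.

```python
import re

KEEP = "Datastore.AllocateSpace"  # the one privilege the article leaves in place

# Constructed sample: the root element, the 5.* section and the privilege mix are
# assumptions; only the 6.* / Datacenter / Privilege nesting is from the article.
SAMPLE = """<RequiredPermissions>
  <vCenter version="5.*">
    <Datacenter>
      <Privilege>Datastore.Browse</Privilege>
    </Datacenter>
  </vCenter>
  <vCenter version="6.*">
    <Datacenter>
      <Privilege>Datastore.AllocateSpace</Privilege>
      <Privilege>Datastore.Browse</Privilege>
      <Privilege>VirtualMachine.State.CreateSnapshot</Privilege>
    </Datacenter>
  </vCenter>
</RequiredPermissions>
"""


def trim_privileges(xml_text, version="6.*"):
    """Drop <Privilege> lines in the <vCenter version=...> section except KEEP.

    Line-based on purpose, so every other line of the file is left as it was.
    Returns (new_text, removed_count); a second run removes nothing.
    """
    opener = re.compile(r'<vCenter\s+version\s*=\s*"' + re.escape(version) + '"')
    out, removed, inside = [], 0, False
    for line in xml_text.splitlines(keepends=True):
        if opener.search(line):
            inside = True            # entering the section the article edits
        elif "</vCenter>" in line:
            inside = False           # assumed end of the section
        elif inside and "<Privilege>" in line:
            name = re.sub(r"</?Privilege>", "", line).strip()
            if name != KEEP:
                removed += 1
                continue             # skip this privilege line
        out.append(line)
    return "".join(out), removed


if __name__ == "__main__":
    new_text, count = trim_privileges(SAMPLE)
    print("removed", count, "privilege lines")
```

Keep a copy of the original file before overwriting it, and compare the removed count with the 40 – 50 lines the note above describes as normal.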
       
For IBM Spectrum Protect for Virtual Environments 8.1.10:
Update the file C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.security, removing SHA1 from both lines.

  1. From: jdk.certpath.disabledAlgorithms=MD2,MD5,SHA1 usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
     To: jdk.certpath.disabledAlgorithms=MD2,MD5 usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS

  2. From: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL
     To: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL
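
Added example, not part of the original article or of IBM's tooling: a parser that compares the From and To forms of the `disabledAlgorithms` lines above and reports which algorithms an edit removes, adds, or narrows. It relies on the Java security property grammar, in which each comma-separated entry is an algorithm name followed by optional constraints, so in the certpath To line the `usage` constraint that belonged to SHA1 now attaches to MD5. The function names are this example's own.

```python
# The four lines printed in the 8.1.10 step, rebuilt from their shared parts.
CERT_TAIL = (" usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, "
             "DSA keySize < 1024, EC keySize < 256, DSS")
TLS_HEAD = ("jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, "
            "EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, ")
TLS_TAIL = ("SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, "
            "SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, "
            "SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL")
FROM_LINES = "jdk.certpath.disabledAlgorithms=MD2,MD5,SHA1" + CERT_TAIL + "\n" + TLS_HEAD + TLS_TAIL
TO_LINES = "jdk.certpath.disabledAlgorithms=MD2,MD5" + CERT_TAIL + "\n" + TLS_HEAD + "SHA1, " + TLS_TAIL


def disabled_properties(text):
    """Return {property: {algorithm: set(constraints)}}; '' = no constraint."""
    props, buf = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank line or comment
        if line.endswith("\\"):
            buf += line[:-1]  # backslash continuation: keep collecting
            continue
        name, sep, value = (buf + line).partition("=")
        buf = ""
        if sep and name.strip().endswith(".disabledAlgorithms"):
            algs = props.setdefault(name.strip(), {})
            for raw in value.split(","):
                tokens = raw.split()
                if tokens:  # first token is the algorithm, the rest constrain it
                    algs.setdefault(tokens[0], set()).add(" ".join(tokens[1:]))
    return props


def diff_disabled(before, after):
    """Per property: algorithms removed, added, or narrowed to a constraint."""
    old_p, new_p = disabled_properties(before), disabled_properties(after)
    report = {}
    for prop in sorted(set(old_p) | set(new_p)):
        old, new = old_p.get(prop, {}), new_p.get(prop, {})
        report[prop] = {
            "removed": sorted(set(old) - set(new)),
            "added": sorted(set(new) - set(old)),
            "narrowed": sorted(a for a in set(old) & set(new)
                               if "" in old[a] and "" not in new[a]),
        }
    return report


if __name__ == "__main__":
    print(diff_disabled(FROM_LINES, TO_LINES))
```

For the second pair as printed, the report lists SHA1 under `added`, so compare against the installed jvm.security before editing.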
 
  1. On the Spectrum Protect server, create a policy domain to manage the virtual machine backups, e.g., domain=VMC_DOMAIN. For more information on creating policy domains refer to the IBM Knowledge Center.
  2. Launch the IBM Spectrum Protect for Virtual Environments user interface from the Windows virtual machine where IBM Spectrum Protect for Virtual Environments was installed using a web browser and opening https://localhost:9081/TsmVMwareUI.
  3. Log in to the IBM Spectrum Protect for Virtual Environments user interface
    1. For “vCenter Name”, enter the fully-qualified domain name (FQDN) of the vCenter server.
    2. Enter the vCenter Username and Password.
    3. Ensure that the “Configuration Mode” checkbox is checked.
  4. In the Configuration Wizard “vCenter Settings” panel, uncheck the “Update registration” checkbox to prevent registering the solution with the vSphere Web Client.
  5. Finish the additional steps in the Configuration Wizard as outlined in the IBM Knowledge Center article: Installing and upgrading Data Protection for VMware.
  6. Locate and modify the local IBM Spectrum Protect for Virtual Environments data mover options file
    1. On a Windows platform, the options file is located at:
      C:\Program Files\Tivoli\TSM\baclient\dsm.<data mover unique>.opt
    2. Add the following line at the end of the file
      testflags VM_NO_VSPHERE_STATUS
    3. Save and close the options file
    4. If you choose to add data movers on a Linux platform, the options file that needs to be modified is dsm.sys.
    5. If you enabled File Level Restore in the configuration wizard, add the testflags line above to the Windows mount proxy option file and to the Linux mount proxy section of the dsm.sys file.
  7. Verify the configuration by launching a virtual machine backup operation from IBM Spectrum Protect for Virtual Environments
    1. Locate the IBM Spectrum Protect for Virtual Environments data mover executable on the Windows machine where the component was installed. On Windows this executable is:
      C:\Program Files\Tivoli\TSM\baclient\dsmc.exe
    2. Execute the command to back up a virtual machine
      dsmc backup vm <vmname> -optfile=dsm.<data mover unique>.opt -asnode=<datacenter node>


VMware Cloud on AWS Network configuration

Review the information about Required communications ports in the IBM Knowledge Center to configure the appropriate ports between the Spectrum Protect components and the VMware Cloud on AWS components.

At a minimum, you will need to create an inbound rule for port 443 as shown in the VMware on AWS console screenshot below:



Interoperability with VMware Cloud on AWS product features

The IBM Spectrum Protect for Virtual Environments solution provides data protection for virtual machines deployed in a Software-Defined Data Center on VMware Cloud on AWS. It is not intended to provide protection for hybrid solutions such as protecting virtual machines in a traditional data center (or traditional vSphere datacenter) and recovering the virtual machine to a Software-Defined Data Center or vice versa.

Support Information

For more information on IBM Spectrum Protect and IBM Spectrum Protect for Virtual Environments see the IBM Spectrum Protect home page.