Solution Architecture
The recommended architecture for protecting virtual machines in a VMware Cloud on AWS Software-Defined Data Center backs up virtual machine workloads inside the Software-Defined Data Center to a centralized Spectrum Protect backup server outside of the Software-Defined Data Center, as shown in the diagram below:
The IBM Spectrum Protect components for this solution are:
- Spectrum Protect backup server, which provides automated, centrally scheduled, policy-managed backup capabilities for virtual machines and other workloads. This component is installed in the customer’s AWS Virtual Private Cloud (VPC).
- Spectrum Protect backup storage, which can consist of disk-based, cloud-based, or tape-based storage organized into storage containers or storage pools. For disk- and tape-based storage, the storage would be located in the customer’s AWS VPC; for cloud-based storage, the storage can be on-premises or in a certified object storage environment. For more information about which cloud object storage environments are certified with IBM Spectrum Protect, see this IBM Support document.
- Spectrum Protect for Virtual Environments (Data Protection for VMware) data movers, which are responsible for moving data between the Software-Defined Data Center datastores and the Spectrum Protect backup storage for backup and recovery operations. This component is installed in the VMware Cloud on AWS Software-Defined Data Center.
Solution Components
The following components are required for data protection of virtual machines in VMware Cloud on AWS:
Detailed information about the solution can be found in the IBM Knowledge Center.
Installation and Configuration
Installation and configuration of the IBM Spectrum Protect Server component can be found in the IBM Knowledge Center.
Steps to install and configure IBM Spectrum Protect for Virtual Environments – Data Protection for VMware component
- Review the IBM Knowledge Center article: Installing and upgrading Data Protection for VMware
- Choose a Windows virtual machine in the Software-Defined Data Center to install Data Protection for VMware
- Execute the IBM Spectrum Protect for Virtual Environments Data Protection for VMware suite installation wizard and select the “Typical installation” installation type
- When the installation wizard completes, uncheck the box to launch the configuration wizard.
- For IBM Spectrum Protect for Virtual Environments 8.1.9:
Edit the permissions required for IBM Spectrum Protect for Virtual Environments to allow the solution to execute in the Software-Defined Data Center
- Locate the permissions file on the Windows virtual machine where IBM Spectrum Protect for Virtual Environments was installed. The permissions file is located at C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\tsmVmGUI\TSMRequiredPermissionsList.xml.
- Open the file TSMRequiredPermissionsList.xml
- Remove all of the “<Privilege>…” lines in the section under <vCenter version="6.*">, leaving only the “<Privilege>Datastore.AllocateSpace” permission as shown:
  <vCenter version="6.*">
    <Datacenter>
      <Privilege>Datastore.AllocateSpace</Privilege>
    </Datacenter>
  Note: it is normal to have to remove 40 – 50 lines with the <Privilege> tag in this step.
- Save the changes to TSMRequiredPermissionsList.xml and close the file.
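The permissions edit above can be scripted so that the removed privileges are recorded for review. This is an added example, not IBM's or VMware's code; only the vCenter, Datacenter and Privilege element names come from the excerpt above, while the root element name, the other privilege names and the 5.* section in the sample are constructed.

```python
import xml.etree.ElementTree as ET

KEEP = "Datastore.AllocateSpace"   # the one privilege the steps above retain

# Constructed sample; the real file's root element and contents are assumptions.
SAMPLE = """<RequiredPermissions>
  <vCenter version="5.*">
    <Datacenter>
      <Privilege>Datastore.AllocateSpace</Privilege>
      <Privilege>Global.LogEvent</Privilege>
    </Datacenter>
  </vCenter>
  <vCenter version="6.*">
    <Datacenter>
      <Privilege>Datastore.AllocateSpace</Privilege>
      <Privilege>Datastore.Browse</Privilege>
      <Privilege>VirtualMachine.State.CreateSnapshot</Privilege>
    </Datacenter>
  </vCenter>
</RequiredPermissions>"""


def prune_privileges(xml_text, version="6.*", keep=KEEP):
    """Drop every <Privilege> except `keep` under <vCenter version=...>.

    Returns (new_xml_text, removed_privilege_names) so the change can be logged.
    """
    root = ET.fromstring(xml_text)
    removed = []
    for vcenter in root.iter("vCenter"):
        if vcenter.get("version") != version:
            continue                          # other vCenter versions stay untouched
        for parent in list(vcenter.iter()):   # snapshot: the tree is edited below
            for priv in parent.findall("Privilege"):
                name = (priv.text or "").strip()
                if name != keep:
                    removed.append(name)
                    parent.remove(priv)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    new_xml, removed = prune_privileges(SAMPLE)
    print("removed:", removed)
    print(new_xml)
```

Keep a copy of the original file before writing the result back: ElementTree does not preserve XML comments when it re-serializes a document.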
- For IBM Spectrum Protect for Virtual Environments 8.1.10:
Update the file C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.security, removing SHA1 from both lines.
- From: jdk.certpath.disabledAlgorithms=MD2,MD5,SHA1 usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
To: jdk.certpath.disabledAlgorithms=MD2,MD5 usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
- From: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL
To: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL
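To record what the edited jvm.security actually restricts, the two properties can be parsed and each hash classified. This is an added example, not IBM's code; the sample embeds the two "To:" values above with line continuations added, and the function names are hypothetical. In the java.security syntax a constraint applies to the algorithm name it follows, so the parser keeps the constraint text alongside each name.

```python
import re

PROPS = ("jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms")

# The "To:" values from the steps above; backslash continuations added for width.
SAMPLE = r"""# excerpt of jvm.security after the edit
jdk.certpath.disabledAlgorithms=MD2,MD5 usage TLSServer TLSClient SignedJAR, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, \
    EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, \
    SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, \
    SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, \
    SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL
"""


def parse_security(text):
    """Return {property: {algorithm: constraint}}; constraint is '' if none."""
    joined = re.sub(r"\\\r?\n\s*", "", text)      # join continuation lines
    result = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() not in PROPS:
            continue
        entries = {}
        for item in value.split(","):
            parts = item.strip().split(None, 1)   # name, then optional constraint
            if parts:
                entries[parts[0]] = parts[1] if len(parts) > 1 else ""
        result[key.strip()] = entries
    return result


def hash_status(text, hashes=("MD5", "SHA1")):
    """Classify each hash per property: 'disabled', 'conditional' or 'allowed'."""
    report = {}
    for prop, entries in parse_security(text).items():
        report[prop] = {
            h: ("allowed" if h not in entries
                else "conditional" if entries[h] else "disabled")
            for h in hashes
        }
    return report


if __name__ == "__main__":
    for prop, status in hash_status(SAMPLE).items():
        print(prop, status)
```

On the sample, the certpath property reports SHA1 as allowed and MD5 as conditional, because the usage constraint that followed SHA1 now follows MD5.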
- On the Spectrum Protect server, create a policy domain to manage the virtual machine backups, e.g., domain=VMC_DOMAIN. For more information on creating policy domains refer to the IBM Knowledge Center.
- Launch the IBM Spectrum Protect for Virtual Environments user interface from the Windows virtual machine where IBM Spectrum Protect for Virtual Environments was installed using a web browser and opening https://localhost:9081/TsmVMwareUI.
- Log in to the IBM Spectrum Protect for Virtual Environments user interface
- For “vCenter Name” enter the fully-qualified domain name (FQDN) of the vCenter server
- Enter the vCenter Username and Password
- Ensure that the “Configuration Mode” checkbox is checked.
- In the Configuration Wizard “vCenter Settings” panel uncheck the “Update registration” checkbox to prevent registering the solution with the vSphere Web Client
- Finish the additional steps in the Configuration Wizard as outlined in the IBM Knowledge Center article: Installing and upgrading Data Protection for VMware.
- Locate and modify the local IBM Spectrum Protect for Virtual Environments data mover options file
- On a Windows platform, the options file is located at:
C:\Program Files\Tivoli\TSM\baclient\dsm.<data mover unique>.opt
- Add the following line at the end of the file:
testflags VM_NO_VSPHERE_STATUS
- Save and close the options file
- If you choose to add data movers on a Linux platform, the options file that needs to be modified is dsm.sys.
- If you enabled File Level Restore in the configuration wizard, add the testflags line above to the Windows mount proxy option file and to the Linux mount proxy section of the dsm.sys file.
- Verify the configuration by launching a virtual machine backup operation from IBM Spectrum Protect for Virtual Environments
- Locate the IBM Spectrum Protect for Virtual Environments data mover executable on the Windows machine where the component was installed. On Windows this executable is:
C:\Program Files\Tivoli\TSM\baclient\dsmc.exe
- Execute the command to back up a virtual machine:
dsmc backup vm <vmname> -optfile=dsm.<data mover unique>.opt -asnode=<datacenter node>
VMware Cloud on AWS Network configuration
Review the information about Required communications ports in the IBM Knowledge Center to configure the appropriate ports between the Spectrum Protect components and the VMware Cloud on AWS components.
At a minimum, you will need to create an inbound rule for port 443 as shown in the VMware on AWS console screenshot below:
Interoperability with VMware Cloud on AWS product features
The IBM Spectrum Protect for Virtual Environments solution provides data protection for virtual machines deployed in a Software-Defined Data Center on VMware Cloud on AWS. It is not intended to provide protection for hybrid solutions such as protecting virtual machines in a traditional data center (or traditional vSphere datacenter) and recovering the virtual machine to a Software-Defined Data Center or vice versa.
Support Information
For more information on IBM Spectrum Protect and IBM Spectrum Protect for Virtual Environments see the IBM Spectrum Protect home page.