Configuring PowerHA with Power Virtual Server FlashCopy (7.5)

1 Background
2 Before you begin
3 Procedure
4 Results

Background

IBM Power Virtual Server FlashCopy provides the ability to take point-in-time snapshots of independent auxiliary storage pools (IASPs) and bring the snapshots online on another partition that is active in the cluster. Common use cases for FlashCopy include offloading backups to a secondary partition to reduce backup windows (offline backups), and test environments.

Before you begin

This scenario assumes that the following tasks have been completed prior to these steps:

A cluster between the nodes has been created, and the cluster nodes have a status of Active.
The nodes are all in the same device domain. When creating a cluster or adding a node to a cluster with default options, PowerHA automatically adds nodes to a single device domain.
An IASP has been created on the production node.

Procedure

Adding Storage Credentials

Tip: If credentials were already added for technologies such as Global Replication Services or Volume Switching, skip to Adding Copy Descriptions

PowerHA uses the Power Virtual Server API to manage and control resources in IBM Power Virtual Server.

Configuring PowerHA to Accept Digital Certificates from IBM Cloud Services

All communication between PowerHA and the IBM Cloud uses TLS for communication. This communication uses digital certificates to both encrypt and protect the communication.

Create a *SYSTEM certificate store to hold the digital certificates

To create the *SYSTEM certificate store, use the following steps:

In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.
Log in with an IBM i profile with sufficient authority.
Click on Create Certificate Store on the left-hand navigation menu
On the right-hand side of the page select *SYSTEM.

Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this system, and these steps have already been performed.

Create a password for the *SYSTEM store and click Create.

Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.

Tip: The system certificate store must be created on all nodes in the cluster. Ensure the *SYSTEM certificate store is created on all nodes in the cluster before continuing.

Trusting the IBM Cloud Certificate Authority

There are two options for trusting the IBM Cloud Certificate Authority:

Recommended: Populate digital certificate manager with well known CAs.

Open the *SYSTEM certificate store in Digital Certificate Manager

If the *SYSTEM certificate store was created in the previous step, simply select it in the left-hand menu in Digital Certificate Manager and continue on to the next section.

In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.
Log in with an IBM i profile with sufficient authority.
Click Open Certificate Store.
Select the *SYSTEM option, click continue.

If *SYSTEM does not appear in the list, the system certificate store either does not exist, or is already open. If it does not exist, see Creating the *SYSTEM Certificate Store. If it is already open, select it in the left-hand menu.

Sign in with the password for the certificate store and click Open.

Populate the *SYSTEM certificate store in Digital Certificate Manager with CAs

Click the Populate with CAs link in Digital Certificate Manager
Click the Select All button to select all certificates
Click the Populate button to populate the system certificate store with all well known CAs.
Repeat these steps on all nodes in the cluster.

Bypassing strict-certificate checking in PowerHA using a PowerHA Policy

Warning: While this step only needs to be performed on one node, it is not as secure as the option for trusting well-known certificates. While this option still uses encrypted communication between PowerHA and IBM Cloud services, it does not protect against a man-in-the-middle attack.

Add a PowerHA policy to bypass strict certificate checking in PowerHA. For example, the following policy would bypass strict certificate checking for any configuration description:

ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)') VALUE(*NO)

This step only needs to be performed on one node as the policy applies to the entire PowerHA cluster.

Creating an API Key

The API key at a minimum must have the following access levels to the Workspace for Power Virtual Server service:

power-iaas.cloud-instance.read
power-iaas.cloud-instance.modify

PowerHA recommends using Service IDs rather than API keys attached to an IBM cloud user. This ensures that operations are audited as the service ID, not as the user. In addition, it decouples the PowerHA access from being tied to an identity representing a specific person.

In the IBM Cloud console, go to Manage > Access (IAM) and select Service IDs.
If you don’t have a service ID created, create the service ID.
Click the Actions icon > Manage service ID.
Click API keys.
Click create
Add a name and description to easily identify the API key.
Click Create.
Save your API key by copying or downloading it to a secure location.

For security reasons, the API key is only available to be copied or downloaded at the time of creation. If the API key is lost, you must create a new API key.

Add a storage controller configuration description representing the Power Virtual Server Workspace

An HA configuration description of type storage controller (*STGCTL) and subtype (*PVS) is used to represent a Power Virtual Server workspace. It contains the authentication credentials (API Key), as well as the information required to identify and control the workspace.

A PVS Storage Controller configuration description can be created using any of the following methods:

Type the ADDHACFGD command and press F4 to go to the Add HA Configuration Description Screen.
Using the Work with Cluster (WRKCLU) command menu. Selection option 11, Work with HA Configuration Descriptions, and use option 1, Create.
From the command line, enter the ADDHACFGD command and your parameters.

For this example, a configuration description for DAL10 is created using the following command, followed by selecting the appropriate workspace from the list:

ADDHACFGD NAME(PVSWSDAL) TYPE(*STGCTL) SUBTYPE(*PVS) PVSHOST('apikey')

This command specifies to add a storage controller configuration description named PVSWSDAL with the API key ‘apikey’, representing the API key created previously. The PVSHOST parameter has additional elements that by default will prompt to select a workspace from the workspaces the API key has access to in the IBM Cloud infrastructure.

Tip: The name of the configuration description does not need to match the name of the workspace or data center. This name is only known to the PowerHA product.

Note: When using the command in batch mode, a workspace CRN must be specified in the command rather than the *SELECT option. The Power Virtual Server workspace CRN can be found in the IBM Cloud console.

Adding Copy Descriptions

A copy description gives PowerHA the information it needs to describe and manage a single copy of an IASP. With FlashCopy, there are two copies of the IASP: the source of the FlashCopy and the target of the FlashCopy. Therefore, PowerHA requires two copy descriptions for FlashCopy.

Adding the FlashCopy source Copy Description

Follow the section below depending on the current configuration:

If the IASP used for FlashCopy is already configured with another technology such as Volume switching or Global Replication Services (GRS), then the source copy likely already has a copy description describing it from that configuration. That same copy description is used for the source copy description for FlashCopy.

If the IASP used for FlashCopy is already configured for Geographic Mirroring, then the source copy description likely already exists as well. However, additional steps may be required to convert the Geographic Mirroring copy description from a storage-agnostic ASP copy description (ASPCPYD) to a Power Virtual Server ASP copy description (PVSCPYD).

First end the PowerHA Geographic Mirroring session, to end PowerHA’s management of Geographic Mirroring. For example: ENDASPSSN SSN(GEOMIRSSN).
While this does not suspend geographic mirroring replication, it does temporarily disable PowerHA’s management of Geographic Mirroring.
Display the ASP copy description to take note of the CRG and SITE parameters using the DSPASPCPYD command. For example: DSPASPCPYD ASPCPY(PRODCPY).
Remove the ASP copy description that describes the source copy. For example: RMVASPCPYD ASPCPY(PRODCPY)
Now add a PVS Copy Description that describes the source copy, for example:
ADDPVSCPYD ASPCPY(PRODCPY) ASPDEV(MYIASP) CRG(MYCRG) SITE(DAL10) NODE(*CRG) PVSCFGD(PVSWSDAL)
This command adds a copy description named PRODCPY for asp device MYIASP. It describes this copy of the IASP being represented by the site named DAL10 in the CRG called MYCRG. Specifying a node of *CRG indicates to the copy description that the lowest numbered backup node at the given site of the CRG currently owns the copy. Finally, the Power Virtual Server configuration description parameter gives the copy description the credentials needed to control the Power Virtual Server Workspace previously defined in the configuration description called PVSWSDAL.
One of the pieces of information PowerHA needs to manage and control FlashCopy is the identifying information about the volumes in storage that represent the IASP, in this case PowerHA uses the IBM Power Virtual Server volume identifiers (Volume IDs). These Volume IDs must be added to the source copy description.

The Change Power Virtual Server Copy Description (CHGPVSCPYD) command is used to add volumes. For example, the copy description for the primary copy can be added using the following command:
CHGPVSCPYD ASPCPY(PRODCPY) ACTION(*ADDVOL)
This command specifies to add volumes to the copy description named PRODCPY. By default, the command uses the value *SELECT for the volumes to add. With the *SELECT option, PowerHA queries the IBM Power Virtual Server workspace for volumes that can be added into the copy description. Alternatively, the volumes may be specified manually via the command line using the VOLID parameter.

Note: When using the command in batch mode, volume IDs must be specified in the command rather than the *SELECT option. The Volume IDs for a volume can be found in the IBM Cloud console.

Finally, start the PowerHA Geographic Mirroring session, to start PowerHA’s management of Geographic Mirroring. For example: STRASPSSN SSN(GEOMIRSSN) TYPE(*GEOMIR) ASPCPY((PRODCPY HACPY))

If the IASP used for FlashCopy is not used with other IASP Switching or Replication Technologies, then a source copy description likely does not yet exist. The following steps are an example of adding a source copy description in these environments:

The information required in the copy description describes the location of the copy of the IASP it describes. For example, a copy description for the primary (source) copy can be added using the following command:
ADDPVSCPYD ASPCPY(DAL10CPY) ASPDEV(MYIASP) CRG(*NONE) SITE(*NONE) NODE(PROD) PVSCFGD(PVSWSDAL)
This command adds a copy description named DAL10CPY for asp device MYIASP. It describes this copy of the IASP being represented by the node named PROD. In this instance the CRG and SITE are both *NONE as the IASP is not configured for volume switching or GRS, and therefore is not in a cluster resource group. Finally, the Power Virtual Server configuration description parameter gives the copy description the credentials needed to control the Power Virtual Server Workspace previously defined in the configuration description called PVSWSDAL.
One of the pieces of information PowerHA needs to manage and control FlashCopy is the identifying information about the volumes in storage that represent the IASP, in this case PowerHA uses the IBM Power Virtual Server volume identifiers (Volume IDs). These Volume IDs must be added to the source copy description.
The Change Power Virtual Server Copy Description (CHGPVSCPYD) command is used to add volumes. For example, the copy description for the primary copy can be added using the following command:
CHGPVSCPYD ASPCPY(DAL10CPY) ACTION(*ADDVOL)
This command specifies to add volumes to the copy description named DAL10CPY. By default, the command uses the value *SELECT for the volumes to add. With the *SELECT option, PowerHA queries the IBM Power Virtual Server workspace for volumes that can be added into the copy description. Alternatively, the volumes may be specified manually via the command line using the VOLID parameter.

Note: When using the command in batch mode, volume IDs must be specified in the command rather than the *SELECT option. The Volume IDs for a volume can be found in the IBM Cloud console.

Adding the FlashCopy target Copy Description

The target copy description for FlashCopy primarily describes the ASP device, and the cluster node that will be the host for the FlashCopy when mounted.

Prior to adding a copy description, the device description for the IASP device must exist on the FlashCopy target node. If the FlashCopy target node is in an administrative domain, and the IASP device description is in the administrative domain, the device description likely already exists on the FlashCopy target node. If the FlashCopy target node is not in the administrati, use the CRTDEVASPin the administrative domain, the device description likely already exists on the FlashCopy target node. If the FlashCopy target node is not in the administrative domain or the ASP device description is not in the administrative domain, use the CRTDEVASP command on the FlashCopy target node to create the device description, specifying the IASP name and IASP resource name. For example: CRTDEVASP DEVD(MYIASP) RSRCNAME(MYIASP).

Once the device description exists, the target copy description can be added. For example:

ADDPVSCPYD ASPCPY(FLASHCPYD) 
           ASPDEV(MYIASP)
           CRG(*NONE) SITE(*NONE) NODE(FLASH)
           PVSCFGD(PVSWSDAL)

This command adds a copy description named FLASHCPYD for asp device MYIASP. It describes this copy of the IASP being represented by the node named FLASH. In this instance the CRG and SITE are both *NONE as the target of a FlashCopy is never in a CRG, even if the source copy is. Finally, the Power Virtual Server configuration description parameter gives the copy description the credentials needed to control the Power Virtual Server Workspace previously defined in the configuration description called PVSWSDAL.

Associating the FlashCopy target Copy Description with a Power Virtual Server Instance

As part of mounting a FlashCopy, PowerHA will attach volumes to the Power Virtual Server Instance represented by the FlashCopy target. PowerHA requires information to associate a cluster node name with the Power Virtual Server Instance ID. The CHGPVSCPYD command is used to add a cluster node association with a PVM Instance ID. For example:

CHGPVSCPYD ASPCPY(FLASHCPY) ACTION(*ADDNODE)

This command specifies to add a cluster node and PVM Instance ID association to the copy description named FLASHCPY. By default, the command uses the value *SELECT for the node and instance ID parameters. With the *SELECT option, PowerHA queries the IBM Power Virtual Server workspace for instances that can be added into the copy description. Alternatively, the instance may be specified manually via the command line using the PVMINSTID parameter.

Note: When using the command in batch mode, the NODE and PVMINSTID parameters must be specified in the command rather than the *SELECT option. The PVM Instance IDs for an instance can be found in the IBM Cloud console.

Starting a PowerHA Session

A session in PowerHA describes the relationship between copy descriptions, including the type of replication and is used to manage and control replication. A session can be started in this example using the following command:

STRPVSSSN SSN(FLASHSSN) TYPE(*FLASHCOPY) ASPCPY((DAL10CPY FLASHCPYD))

This command specifies to start a session called FLASHSSN that is of type FlashCopy. PowerHA uses FlashCopy to represent point-in-time snapshots. In addition, the command specifies that this session references a source copy description named DAL10CPY and a target copy description named FLASHCPYD.

Did you know?
With IBM Power Virtual Server FlashCopy, the PowerHA FlashCopy session is designed to always exist, regardless of the status of the underlying FlashCopy or snapshots. No FlashCopy or snapshot is taken at the time of starting the PowerHA FlashCopy session.

Results

PowerHA management of FlashCopy is now configured between the copy descriptions. To verify and monitor the status of FlashCopy, use one of the following:

The Display PVS Session (DSPPVSSSN) command. For example, DSPPVSSSN SSN(FLASHSSN).
The SQL Service table function QHASM.SESSION_INFO.

Once Power Virtual Server FlashCopy is configured see Managing FlashCopy in Power Virtual Server for information on taking, mounting, unmounting, and deleting FlashCopy snapshots.