
QoreStor 7.1.1 - User Guide


Adding certificates for Secure Connect

The QoreStor Secure Connect feature requires custom certificates on both the client and QoreStor server machine.

NOTE: The certificates on both the client machine and QoreStor server must be from the same certificate authority.

Adding a Secure Connect certificate - Windows Client

  1. Prepare the custom certificate chain and install the certificates in the certificate store using the Microsoft Management Console (MMC) Certificates snap-in.
    1. Install the Root certificate to Trusted Root Certification Authorities.
    2. If necessary, install the Intermediate certificate to Intermediate Certification Authorities.
    3. Install the Server certificate to Personal.
  2. In the client installation directory, open the sc_client.properties file with a text editor.
  3. Edit the entries below:
    • openSSL.client.caConfig - The path to the trusted root certificate file, or to a directory containing the trusted root certificate chain. If you specify a directory, make sure it contains the certificates in PEM format and the symbolic links to the certificate files created by the c_rehash utility.
    • openSSL.client.certificateFile - The path to the file containing the server's or client's certificate in PEM format.
    • openSSL.client.privateKeyFile - The path to the file containing the private key for the certificate in PEM format.

      Example for a chain of 3 certificates (root, intermediate, server) and a private key, all located in the same directory as sc_client.dll:

      • openSSL.client.caConfig = ${application.configDir}
      • openSSL.client.certificateFile = ${application.configDir}server-certificate-name.pem
      • openSSL.client.privateKeyFile = ${application.configDir}privat-key-name.key

      Example for a chain of 2 certificates (root, server) and a private key, all located in C:\certificates:

      • openSSL.client.caConfig = C:\certificates\root-certificate-name.pem
      • openSSL.client.certificateFile = C:\certificates\server-certificate-name.pem
      • openSSL.client.privateKeyFile = C:\certificates\privat-key-name.key
  4. Run c_rehash on the certificates:
    1. Download Perl from https://www.activestate.com/ActivePerl.
    2. Download the Perl script c_rehash, which is included with OpenSSL (https://wiki.openssl.org/index.php/Binaries).
    3. Set a new openssl environment variable to the path to openssl.
    4. Open a command prompt.
    5. Run perl.exe with the path_to_the_c_rehash and path_to_the_cert_dir arguments (e.g. perl.exe C:\<path to the c_rehash> C:\<path to the certificates directory>).
  5. If Secure Connect is used with a DMA, restart the DMA services.

NOTE: If certificate validation fails, the connection between client and server will fall back to a normal connection.

Adding a Secure Connect certificate - Linux Client and QoreStor server

  1. Prepare the custom certificate chain.
  2. Place the certificate to be trusted (in PEM format) in /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust at the prompt.

    If the certificate is in OpenSSL’s extended BEGIN TRUSTED CERTIFICATE format, place it in /etc/pki/ca-trust/source and run sudo update-ca-trust.

  3. Run c_rehash on the certificates:
    1. Install the openssl-perl package.
    2. Run c_rehash <path-to-the-folder-with-certificates>.
  4. In the client installation directory, open the sc_client.properties file with a text editor.
  5. Edit the entries below:
    1. openSSL.client.caConfig - The path to the trusted root certificate file, or to a directory containing the trusted root certificate chain. If you specify a directory, make sure it contains the certificates in PEM format and the symbolic links to the certificate files created by the c_rehash utility.
    2. openSSL.client.certificateFile - The path to the file containing the server's or client's certificate in PEM format.
    3. openSSL.client.privateKeyFile - The path to the file containing the private key for the certificate in PEM format.

      Example for a chain of 3 certificates (root, intermediate, server) and a private key, all located in the same directory as sc_client.so, server side:

      • openSSL.server.caConfig = ${application.configDir}
      • openSSL.server.certificateFile = ${application.configDir}server-certificate-name.pem
      • openSSL.server.privateKeyFile = ${application.configDir}privat-key-name.key

      Example for a chain of 2 certificates (root, server) and a private key, all located in /usr/certificates on the client machine:

      • openSSL.client.caConfig = /usr/certificates/root-certificate-name.pem
      • openSSL.client.certificateFile = /usr/certificates/server-certificate-name.pem
      • openSSL.client.privateKeyFile = /usr/certificates/privat-key-name.key
  6. If Secure Connect is used with a DMA, restart the DMA services.

NOTE: If certificate validation fails, the connection between client and server will fall back to a normal connection.
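
Because a failed validation results in a fallback to a normal connection, it is worth checking the three configured files with the openssl command line before restarting the DMA services. The following script is an added example, not part of the QoreStor documentation: the function names, return codes and the throwaway demo CA are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Function names and return codes are illustrative assumptions.

# check_sc_certs CA CERT KEY
#   CA   - caConfig value: a root PEM file or a c_rehash'ed directory
#   CERT - certificateFile value, KEY - privateKeyFile value
# Returns 0 if usable, 2 = directory has no hash links,
# 3 = chain does not validate, 4 = private key does not match certificate.
check_sc_certs() {
    ca=$1 cert=$2 key=$3
    if [ -d "$ca" ]; then
        # OpenSSL looks certificates up in a directory by <subject-hash>.<n> names
        ls "$ca" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' || return 2
        openssl verify -CApath "$ca" "$cert" >/dev/null 2>&1 || return 3
    else
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 3
    fi
    # The certificate and the private key must carry the same public key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 4
}

# make_demo_pki DIR: constructed sample data (throwaway root CA and one leaf)
make_demo_pki() {
    d=$1; mkdir -p "$d/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/ca/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    # The same kind of link that c_rehash creates for each certificate
    ln -s root.pem "$d/ca/$(openssl x509 -in "$d/ca/root.pem" -noout -hash).0"
}

tmp=$(mktemp -d)
make_demo_pki "$tmp"
check_sc_certs "$tmp/ca" "$tmp/leaf.pem" "$tmp/leaf.key"; echo "CA directory: rc=$?"
check_sc_certs "$tmp/ca/root.pem" "$tmp/leaf.pem" "$tmp/leaf.key"; echo "CA file: rc=$?"
check_sc_certs "$tmp/ca" "$tmp/leaf.pem" "$tmp/root.key"; echo "wrong key: rc=$?"
```

On a real host, pass the three paths from sc_client.properties to check_sc_certs in place of the demo files.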

Enabling MultiConnect

Before using MultiConnect, ensure that the default port configuration is appropriate for your environment. The ports used by MultiConnect are:

  • 11000 - This is the standard MultiConnect communication port for backup.
  • 9920 - This is the standard MultiConnect communication port for managed replication.

To enable MultiConnect on a Windows client

  1. On the client server, press Win+R to open the Run window.
  2. Type sysdm.cpl and click OK.
  3. Click the Advanced tab, then Environment Variables.
  4. In the System Variables section, click New.
  5. In the Variable name field, enter REMOTE_CLNT_MAX_CONNS.
  6. In the Variable value field, enter one of the following:
    • 4 - establishes 4 connections.
    • 8 - establishes 8 connections.
    • 16 - establishes 16 connections.
  7. Click OK, then OK.
  8. Restart the DMA services for the change to take effect.

To enable MultiConnect on a Linux client

  1. At the command prompt on the client machine, enter the following command:
    echo 'export REMOTE_CLNT_MAX_CONNS=<4|8|16>' >> /etc/profile

    Where:

    • 4 - establishes 4 connections.
    • 8 - establishes 8 connections.
    • 16 - establishes 16 connections.
  2. Restart the DMA services for the change to take effect.

To enable MultiConnect between QoreStor servers

  1. At the command prompt on the source machine, enter the following command:
    echo 'export REPL_CLNT_MAX_CONNS=16' >> /etc/oca/oca.cfg
  2. Restart the ocards service for the change to take effect.

Configuring and using Rapid NFS and Rapid CIFS

Rapid NFS and Rapid CIFS enable write operation acceleration on clients that use NFS and CIFS file system protocols. Similar to OST and RDS, these accelerators allow for better coordination and integration between QoreStor backup, restore, and optimized duplication operations with Data Management Applications (DMAs) such as CommVault, EMC Networker, and Tivoli Storage Manager. For the current list of supported DMAs, see the QoreStor Interoperability Guide.

Rapid NFS is a new client file system type that ensures that only unique data is written to QoreStor. It uses user space components and file system in user space (FUSE) to accomplish this. Metadata operations such as file creates and permission changes go through the standard NFS protocol, whereas write operations go through Rapid NFS.

Rapid CIFS is a Windows-certified filter driver that also ensures that only unique data is written to QoreStor. All chunking and hash computations are done at the client level.

NOTE: The supported DMAs listed in the QoreStor Interoperability Guide are the DMAs that have been tested and qualified with Rapid NFS and Rapid CIFS. You can use Rapid NFS and Rapid CIFS with other DMAs, but those products have not been tested and qualified with Rapid NFS or Rapid CIFS.

Rapid NFS and Rapid CIFS benefits

When Rapid NFS and Rapid CIFS are used with QoreStor they offer the following benefits:

  • Reduce network utilization and DMA backup time
    • Chunk data and perform hash computation on the client; transfer chunked hash files on the back-end
    • Reduce the amount of data that must be written across the wire
  • Improve performance
  • Support DMAs such as CommVault, EMC Networker, and Tivoli Storage Manager. For the current list of supported DMAs, see the QoreStor Interoperability Guide.
  • Compatible with existing NFS and CIFS clients — just need to install a plug-in (driver) on the client
    • Can use Rapid NFS and Rapid CIFS to accelerate I/O operations on any client — including a client that uses home-grown backup scripts
    • Can service multiple and concurrent media server backups