Chat now with support
Chat with Support

QoreStor 7.1.0 - User Guide

Introducing QoreStor Accessing QoreStor Configuring QoreStor settings
[[[Missing Linked File System.LinkedTitle]]] Configuring an SSL Certificate for your QoreStor System Configuring Active Directory settings Understanding system operation scheduling Configuring Secure Connect Enabling MultiConnect Configuring and using Rapid NFS and Rapid CIFS Configuring and using VTL Configuring and Using Encryption at Rest Configuring email notification settings Configuring and using the Recycle Bin Configuring Cloud Reader Configuring RDA immutability
Managing containers Managing local storage Managing cloud storage Managing replications Managing Users Monitoring the QoreStor system Managing QoreStor Remotely Support, maintenance, and troubleshooting

Deleting a cloud tier

Before deleting a cloud tier, review the details below:

  • Only the files for whom the on-premises retention age applies and the file data which resides in the cloud will be removed locally.
  • Data in the cloud bucket has to be deleted manually.
  • Cloud policy settings on the source containers will be removed and the source container made available for cloud replication to a new cloud or archive tier.

Deleting a cloud tier from the GUI

To delete a cloud tier, complete the following steps.

  1. In the navigation menu, click Cloud Storage to expand the menu, then click Cloud Tier.
  2. Click Delete.
  3. When prompted to confirm, click Delete.
  4. In the Passphrase field, enter the passphrase used for Cloud Tier encryption. This provides validation that the person deleting the cloud tier has the appropriate authorization.
  5. Review the containers linked to the cloud tier and confirm that data in these containers can be deleted. Any containers with managed replication configured must be deleted manually before the cloud tier can be deleted.
  6. Click Delete.

Deleting a cloud tier from the CLI

  1. Access the QoreStor CLI. Refer to Using the QoreStor command line for more information.
  2. Delete your cloud tier using the command below. Refer to the QoreStor Command Line Reference Guide for more information. 
    cloud_tier --delete
  3. At the prompt, enter y for yes and press [Enter].

Configuring an Archive Tier

Archive tiers can be configured via the UI or via the cloud_tier command in the QoreStor CLI. Before configuring an archive tier, ensure the following requirements are met:

  • Your cloud storage must be configured prior to configuring an archive tier.
  • Archive tier is not supported when QoreStor is installed in Cloud Optimized mode, Object Direct Small mode, or Demo mode.
  • Permissions for your cloud storage must be correctly configured. Refer to Configuring required permissions to restore from Archive Tier for more information.
  • Only RDA, VTL, and Object containers can be configured to tier data to Archive Tier.

NOTE: QoreStor's archive tier functionality relies on Amazon S3 Glacier and/or Amazon S3 Glacier Deep Archive storage. Before configuring an archive tier, your cloud archive storage must be properly configured. Please refer to the Amazon S3 documents below for more information:

Configuring required permissions to restore from Archive Tier

For QoreStor to perform batch operations for restoring objects to Amazon S3 storage from Amazon S3 Glacier or Amazon S3 Glacier Deep Archive storage, you must configure an AWS IAM policy with the required permissions and then attach the policy to your AWS account used to access the for accessing AWS S3 storage.

To configure required permissions to restore from Archive Tier

  1. From the AWS console, go to the IAM dashboard.
  2. Create a new role for allowing batch jobs for archive tier restore and attach a policy with the following permissions from the JSON document:

    Permissions from JSON

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:RestoreObject",           
                    "lambda:InvokeFunction",
                ],
                "Resource": [
                    "arn:aws:lambda:*:<account_id>:function:*",     
                    "arn:aws:s3:::<S3_bucket_for_archive_tier>/*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::<S3_bucket_for_archive_tier>/batch/*"
            }
        ]
    }
     
     
  3. Set the Trust Relationship to the Role for Batch and Lambda services by going to Role>Trust>Relationships>Edit Trust Relationship, and then replace the policy defined in JSON with the following policy document:

    Trust Relationship policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "batchoperations.s3.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    You now have a new role with an attached policy and trust relationships for Batch and Lambda.

    NOTE: Take note of the Role ARN to use later when you configure User permissions.

  4. Give the IAM User the required permissions for cloud archive replication, beginning with a new policy, by completing the following steps:
    1. Create a new policy by going to IAM>Policies>Create Policy.
    2. Select the JSON for permissions.
    3. Replace the JSON with the following policy document, and then save it:

      Replacement policy document

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                      "lambda:CreateFunction",
                      "iam:GetRole",
                      "lambda:InvokeFunction",
                      "lambda:GetFunction",
                      "lambda:UpdateFunctionConfiguration",
                      "s3:RestoreObject",
                      "s3:CreateBucket",
                      "lambda:GetFunctionConfiguration",
                      "s3:ListBucket",
                      "lambda:PutFunctionConcurrency",
                      "lambda:UpdateFunctionCode",
                      "s3:PutObject",
                      "s3:GetObject",
                      "iam:PassRole",
                      "lambda:GetFunctionConcurrency",
                      "lambda:DeleteFunction",
                      "lambda:DeleteFunctionConcurrency",
                      "s3:DeleteObject",
                      "s3:DeleteBucket"
                  ],
                  "Resource": [
                      "arn:aws:iam::<account_id>:role/IAMLambdaOps_Restrictive", <This is the ARN of the Role previously created. You can determine account ID from ARN itself.>
                      "arn:aws:lambda:*:<account_id>:function:QorestorArchiveRestore"  <QorestorArchiveRestore is the Lambda function provided by Quest.>
                      "arn:aws:s3:::<S3_bucket_for_archive_tier>"
                  ]
              },
              {
                  "Sid": "VisualEditor1",
                  "Effect": "Allow",
                  "Action": "s3:ListAllMyBuckets",
                  "Resource": "*"
              },
              {
                  "Sid": "VisualEditor2",
                  "Effect": "Allow",
                  "Action": [
                      "s3:DescribeJob",
                      "s3:UpdateJobPriority",
                      "s3:UpdateJobStatus"
                  ],
                  "Resource": "arn:aws:s3:*:<account_id>:job/*"            
              },
              {
                  "Sid": "VisualEditor3",
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListJobs",
                      "s3:CreateJob"
                  ],
                  "Resource": "arn:aws:s3:*:<account_id>:job/*"
              }
          ]
      }
       

      The policy creation is complete. Check that the permissions you entered are saved in the policy JSON document.

  5. To create an IAM User for the archive tier, go to IAM Dashboard>Users>Add User and complete the following steps:
    1. On the Add user page under Select AWS access type, to generate the access_key and secret_key, select Programmatic access.
    2. On the Permissions page, select Attach existing policy directly, and then select the policy you created in Step 1 to attach to this user.
  6. Following the directions in the remaining two tabs to finish creating the user.

    NOTE: Be sure to download the access_keys for this user to use when creating an archive tier in QoreStor.

Adding an archive tier

To add an archive tier

  1. In the navigation menu, click Cloud Storage to expand the menu, then click Archive Tier.
  2. In the Archive Tier pane, click Configure to add a cloud tier.
  3. In the archive provider drop-down, select AWS S3.
  4. Provide the name for your S3 bucket.
  5. Enter your Connection String using one of the two methods below:
    • Default - this option will compile your connection string into the correct format using the inputs below.
      • Access key - The access key is typically 20 upper-case English characters
      • Secret key - The secret key is generated automatically by AWS. It is typically 40 characters, including mixed upper and lower-case and special symbols.
      • Region - The region specifies the Amazon-specific region in which you want to deploy your backup solution. Your region name can be obtained from https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
    • Custom - this option allows you to enter your connection string with additional parameters.
      • Your connection string uses the following syntax:
        "accesskey=<ABDCEWERS>;secretkey=< >; loglevel=warn; region=<aws-region>;"

        Please note the following:

        1. The access key is typically 20 upper-case English characters
        2. The secret key is generated automatically by AWS. It is typically 40 characters, including mixed upper and lower-case and special symbols.
        3. The region specifies the Amazon-specific region in which you want to deploy your backup solution. Your region name can be obtained from https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region

        An example of a connection string with this syntax follows. Logically, each connection string is unique.

        accesskey=AKIARERFUCFODHFJUCWK;secretkey=p+8/T+o5WeZkX11QbuPazHX1IdWbwgFplxuVlO8J;loglevel=warn;region=eu-central-1;
  6. To apply encryption, in the Archive Tier Encryption section enter the following:

    • Passphrase — the passphrase is user-defined and is used to generate a passphrase key that encrypts the file in which the content encryption keys are kept. The passphrase is a human readable key, which can be up to 255 bytes in length. It is mandatory to define a passphrase to enable encryption.

      IMPORTANT: It is mandatory to define a passphrase to enable encryption. If the passphrase is compromised or lost, the administrator should change it immediately so that the content encryption keys do not become vulnerable. If this passphrase is lost or forgotten, data in the cloud will be unrecoverable.

    • Confirm Passphrase — re-enter the passphrase used above.

  7. In the Archive Tier Options section, enter the following:
    • Archive Retention in Warm Cloud - When restore operation succeeds, a temporary copy of the Glacier object is created in standard S3 storage. This setting specifies the number of days this temporary copy is held in S3 before it is deleted. Valid values are any integral values from 1 through 365.

    • Archive Role ARN - S3 must have permissions to perform Lambda and batch operations on behalf of the user. An IAM role must be created that has "Create Job", "Pass Role" and other permissions to access the buckets as well as perform the Lambda and batch operations. The account admin is expected to create such roles.

      NOTE: For more information on required permissions and lambda and batch operations, refer to Configuring required permissions to restore from Archive Tier and the AWS documents Granting permissions for Amazon S3 Batch Operations, What is AWS Lambda?, and The basics: S3 Batch Operations.

    • Archive Service Name- Select between S3-Glacier or S3 Deep Archive.
  8. Click Configure. A Cloud Storage Group will be created.
  9. To enable replication to the cloud, you must link a local container to the cloud using the procedures in Adding a cloud tiering policy.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating