TSM
Client Side Encryption
TSM has the ability to encrypt data at the client node before sending it to the TSM server. There are two methods available:
1. Transparent Encryption
- This is where the encryption key is managed by and stored on the TSM server
- If the client node needs to be rebuilt, data can be easily restored
- Data can be restored back to any node that is allowed to impersonate the original node
2. Client Side Encryption
- This is where the encryption key is manually managed and stored on the client using an encryption password
- More secure as data can only be restored if the encryption password is known
- If the password is lost then the data cannot be restored
To enable encryption at the client there are two parameters to set up and a pair of include and exclude statements for selecting which files are to be encrypted.
ENCRYPTKEY
The ENCRYPTKEY option is used to choose either transparent encryption or client-side encryption. For client-side encryption there are two options to choose from:
ENCRYPTKEY=SAVE ( Client-Side )
This option will prompt for an encryption password on the initial backup and then store this password in the password file. The password will be retrieved from this file for each subsequent backup.
ENCRYPTKEY=PROMPT ( Client-Side )
This option will prompt for an encryption password for each backup and restore. To be able to restore the data, the same password that was used when backing the data up will be required.
ENCRYPTKEY=GENERATE (Transparent)
This option will have TSM generate an encryption key password which is stored on the TSM server and managed by the TSM server.
ENCRYPTIONTYPE
The ENCRYPTIONTYPE parameter selects which type of encryption is used, either DES56 or AES128, with the AES128 algorithm being the stronger of the two.
Next, select which files or directories to encrypt:
Use the include.encrypt statement to include files and directories to be encrypted; it takes the same format as any other include statement.
Use the exclude.encrypt statement to exclude files and directories from encryption; it takes the same format as any other exclude statement.
Example:
ENCRYPTKEY=GENERATE
ENCRYPTIONTYPE=AES256
INCLUDE.ENCRYPT /home/…/
EXCLUDE.ENCRYPT /home/…/test.fil
INCLUDE.ENCRYPT C:…*
EXCLUDE.ENCRYPT C:windows…*
When using client-side encryption the encryption passwords are stored in the TSM.PWD file on Unix or in the registry on Windows.
I would recommend using transparent encryption unless you have a specific requirement not to.
I am often asked how to prove that the data is encrypted. There is no way to do this with TSM and the only way to do this is to use a network packet tracing tool such as Wireshark. If you are interested in how to do this just send me an email at gelliott@spiritsoftware.biz
For more information see Chapter 5 of IBM Tivoli Storage Manager: Building a Secure Environment
How do I know which management classes are applied to my files and folders?
In Windows you can use the Preview Include-Exclude option in the backup client.
Start the backup client and go to the utilities menu and select Preview Include-Exclude
In the Preview Include-Exclude Dialog, choose the type either Backup or Archive ( Your normal nightly jobs will usually be of type backup )
Choose whether to show only included files, only excluded files, or both. This information is ascertained from the settings in your dsm.opt file.
Choose the directories and files to be reported on. If you have a large file system and you choose a top level directory, this command may take a long time to run and produce a large output file.
Lastly, choose the output file and select OK.
When the task finishes, open the output file with Notepad. It will look as follows, with the files on the left and the management class on the right hand side.
The same preview include-exclude can be achieved with the backup-archive command line in both Unix and Windows as follows. This example will produce the same output as above.
The -traverse=y option tells the backup-archive client to include subdirectories.
Windows TSM Scheduler Service
This article describes installation and configuration of the TSM Scheduler Service on windows. The TSM Scheduler service is used by the TSM Scheduling Services to automate client node backups.
I am using the version 6 client for these examples; even though the screens look different, it is still the same process for the version 5 clients.
After installing the Windows Backup-Archive client, start the Backup-Archive GUI and go to Utilities -> Setup Wizard
Select Next
Select Next on TSM Schedule Wizard Screen
Choose Install a new or additional scheduler
Choose a name for the service. This is the name you will see in the Windows Services Manager
This is what you will see in Windows Service Manager
Choose an options file to be associated with this TSM Scheduler Service. It is possible to run multiple TSM Scheduler Services using different options files
Choose the node name for this TSM service and input its password. Again, it is possible to use a different node name for each TSM Scheduler Service. This node name will need to be registered on the TSM Server or the service will not start.
Choose the userid that the service will start as. This userid will need to have access to all the files it must back up, or be a member of the Backup Operators group in Windows
Choose the location for the scheduler service log files
NOTE: Some of these options are stored with the TSM Scheduler service and not in the options file, and they will override the options file settings. These values are stored in the registry at the following location
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TSM Client Scheduler\Parameters (replace TSM Client Scheduler with the name you used when installing the service)
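As an added example (not from the original article), the following PowerShell script checks the three things this section touches on for an installed scheduler service: the account it runs as, the parameters stored with the service that override the options file, and who is allowed to change them. The service name is assumed to be the default used above.

```powershell
# Added example, not from the original article: audit one TSM Scheduler
# Service install. $ServiceName is assumed to be the name chosen in the
# Setup Wizard; 'TSM Client Scheduler' is the default shown in the article.
param([string]$ServiceName = 'TSM Client Scheduler')

# 1. Which account does the service run as? It needs read access to every
#    file it backs up (or Backup Operators membership); LocalSystem works
#    but is broader than necessary, so it is worth reviewing.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$svc | Select-Object Name, StartName, StartMode, State, PathName | Format-List

# 2. Settings kept with the service override dsm.opt, so list them. They
#    live under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters.
$paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
if (-not (Test-Path -Path $paramsKey)) {
    Write-Warning "No Parameters key at $paramsKey"
    return
}
Get-ItemProperty -Path $paramsKey |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List

# 3. Anyone who can write this key can repoint the node name or options
#    file, so only SYSTEM and Administrators should hold write rights.
(Get-Acl -Path $paramsKey).Access |
    Where-Object { $_.RegistryRights -match 'FullControl|SetValue|WriteKey' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since reading the service ACL and the Parameters key normally requires administrator rights.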
Expiration
Expiring old backup and archive data from TSM is controlled by the EXPINTERVAL in your dsmserv.opt file.
EXPINTERVAL=24 specifies to run the expire process every 24 hours.
EXPINTERVAL=0 disables automatic expiration.
Removing old data from TSM can be run manually using the expire inventory command. Data is expired using the “Management Class” definitions that you have set on your files or if none are defined then the defaults for the policy set are used. ( I will discuss policy sets in an upcoming article )
In version 5 expiration can only be run system wide; in version 6 you can run the expire inventory command on individual nodes, which is useful when changing management classes on individual nodes.
I recommend that you set the EXPINTERVAL to 0 so that you can control at what time this process runs, and then set up an admin schedule to run the expire inventory command
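As an added example (not part of the original article), the following PowerShell script carries out that recommendation through the Windows admin CLI (dsmadmc.exe): it sets EXPINTERVAL to 0, defines an administrative schedule for expire inventory and queries both back. The admin id, the schedule name and the start time are assumptions.

```powershell
# Added example, not from the original article: replace the EXPINTERVAL timer
# with an administrative schedule, driven through the Windows admin CLI
# (dsmadmc.exe). The admin id, the schedule name EXPIRE_NIGHTLY and the
# 01:00 start time are assumptions; adjust them to your environment.
$dsmadmc = 'C:\Program Files\Tivoli\TSM\baclient\dsmadmc.exe'
$adminId = 'ADMIN_ID_PLACEHOLDER'

function Invoke-Tsm([string]$Command) {
    # No -password on the command line: dsmadmc prompts for it, so the
    # password never lands in the shell history or a process listing.
    # -noconfirm answers the "Do you wish to proceed?" prompt of SETOPT.
    & $dsmadmc "-id=$adminId" '-dataonly=yes' '-noconfirm' $Command
    if ($LASTEXITCODE -ne 0) { throw "dsmadmc rc=$LASTEXITCODE for: $Command" }
}

# 1. Disable automatic expiration (EXPINTERVAL=0). SETOPT changes the
#    running server and updates dsmserv.opt, so no restart is needed.
Invoke-Tsm 'setopt expinterval 0'

# 2. Run EXPIRE INVENTORY once a day at 01:00 server time, after the
#    nightly client backups have finished. On a version 6 server you can
#    add node=<nodename> to the CMD to expire a single node.
Invoke-Tsm ('define schedule EXPIRE_NIGHTLY type=administrative ' +
            'cmd="expire inventory" active=yes starttime=01:00 ' +
            'period=1 perunits=days')

# 3. Verify the option and the schedule the server now has.
Invoke-Tsm 'query option expinterval'
Invoke-Tsm 'query schedule EXPIRE_NIGHTLY type=administrative format=detailed'
```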
Collocation Group TroubleShooting
We suggest you read the article on Collocation before reading this article.
As noted in the article on collocation, the main problems you will come across with collocation are running out of scratch tapes and/or a large number of tapes in a filling status. The main cause of this is having a storage pool with a collocation method of Group and then having no collocation groups, or nodes that are not in collocation groups.
Using TSM Studio, go to the Trouble Shooting category and open the Nodes not in Collocation Group dataview.
To add a node (or nodes) to a group, simply right click the node and select Add to A Group
After putting all your nodes in a group, you will now need to move the data off the current tapes so that TSM can collocate the nodes and their data.
There are a number of ways to do this; here are two of them
1. Use the Move Data command on each tape and move the data back to the primary disk pool, so that the migration process can move the data back to tape using the collocation you specified.
2. Or use the Move Data command to move the data to the same storage pool the tape is already in. TSM will then move the data from the selected tape and collocate it with the data of nodes from the same group on other tapes.
To run the move data command using TSM Studio, open the Volumes dataview from the Libraries and Volumes category, right click on the tape and choose Move Data
Choose the Storage Pool to move the data to
Installing the Administrative CLI – Windows
The Administrative Client is part of the normal windows backup-archive client install but by default it is not installed. You will need to apply a custom install as shown below:
1. Start the Tivoli Storage Manager Client InstallShield(R)
2. Choose the Destination Folder
3. Choose Custom Setup as the Setup Type
4. IMPORTANT – Make sure that you select the Administrative Client Command Line option as shown below and choose 'run all from my computer'
5. Click the Install option
6. To verify the installation, verify the existence of dsmadmc.exe in the C:\Program Files\Tivoli\TSM\baclient directory
You may come across an error if the paths are not correctly set up. If you see the following message when starting the administrative CLI program or when testing a TSM Server connection in TSM Studio, follow the suggested action below.
ANS0101E Unable to open English message repository 'dscenu.txt'
This error is a result of the administrative CLI program, dsmadmc.exe, being unable to find the message file.
To start, check whether the dscenu.txt file exists in the C:\Program Files\Tivoli\TSM\baclient directory (assuming you installed the TSM client in the default location).
If the file exists, try adding the following environment variable:
DSM_DIR=C:\Program Files\Tivoli\TSM\baclient
*** Disclaimer ***
All the articles that I have written are from my own personal experiences using TSM for the past 15+ years. TSM is a diverse product that can be setup and deployed in many ways. Before using any of the methods in the articles, ensure that you use due diligence to test that all steps will work as described in your environment.
If you have comments, would like help with the contents of one of the articles, or would like to see an article on a particular TSM topic, please send me an email at gelliott@spiritsoftware.biz. You are welcome to use these articles on your own sites as long as you have a link on the article back to this site
Example: Written by Spirit Software Solutions
Graeme Elliott CEO,
Founder and Chief Architect
Spirit Software Solutions
All Articles are copyrighted by Spirit Software Solutions
*** LEGAL STUFF ***
Direct, incidental, consequential, indirect, or punitive damages arising out of your access to, or use of, the site and articles within. Without limiting the foregoing, everything on the site is provided to you ‘AS IS’ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON INFRINGEMENT. “Please note that some jurisdictions may not allow the exclusion of implied warranties, so some of the above exclusions may not apply to you. Check your local laws for any restrictions or limitations regarding the exclusion of implied warranties.”
How can I enable VSS Snapshot support on only one Windows drive?
It is possible to enable VSS on a per-drive basis by using the following in the dsm.opt file
INCLUDE.FS C: SNAPSHOTPROVIDER=VSS ( Change C: to the drive letter you require )
How can I see what management classes my client node is using from the TSM Server?
The following command will show all unique management classes used by a node
SELECT DISTINCT(CLASS_NAME) FROM BACKUPS WHERE NODE_NAME = 'XXXXXX'
To see only management classes used on directories use
SELECT DISTINCT(CLASS_NAME) FROM BACKUPS WHERE NODE_NAME = 'XXXXXX' AND TYPE = 'DIR'
To see only management classes used on files use
SELECT DISTINCT(CLASS_NAME) FROM BACKUPS WHERE NODE_NAME = 'XXXXXX' AND TYPE = 'FILE'
Slow Session Initiation for dsmadmc.exe
If you find that it takes upwards of 30 seconds to establish a session to the TSM Server from the Admin CLI (dsmadmc.exe), it may be because your TSM server is unable to resolve the client's name or the TSM Server is unable to communicate with any DNS servers.