How The Latest TRs Bolster HA/DR And Security
October 28, 2019 Alex Woodie
High availability, disaster recovery, and security are more important than ever, as enterprises look for ways to eliminate risks to their operations, applications, and data. To that end, it’s not surprising that IBM bolstered the HA/DR and security capabilities in IBM i with the latest Technology Refreshes that are slated to begin shipping November 15.
Let’s start with the new HA features in Db2 Mirror for IBM i, the new business continuity offering that implements an active-active database cluster atop two unique IBM i logical partitions. Db2 Mirror, you’ll remember, was delivered with IBM i version 7.4, so it’s not available on earlier releases.
When IBM developed Db2 Mirror, it was assumed that large companies, such as those that belong to the Large User Group, would be the primary IBM i users interested in the technology. The LUG, after all, had been asking IBM to develop the technology for years.
The actual implementation of Db2 Mirror relied on a super-fast interconnect, called Remote Direct Memory Access (RDMA) over Converged Ethernet, or RoCE, to swiftly move data between the two databases with the extremely low latency that production transaction environments demand. However, the RoCE requirement added to the product’s aura as a high-end thing.
After Db2 Mirror shipped, IBM was pleasantly surprised when demand for the product started coming out of all parts of the IBM i woodpile. While there was nothing in the Db2 Mirror software itself to prevent smaller customers from using it, the company did not support the $4,000 RoCE adapters on smaller boxes, specifically the Power S922 server.
IBM has rectified that error with IBM i 7.4 TR1, which adds support for using the RoCE adapters on the Power S922 server, the popular server at the low end of the midrange. With the 940 firmware update for the Power S922, “SR-IOV logical ports for RoCE can be assigned to the IBM i LPAR on an S922,” IBM says in the announcement letter.
“Every time we present Db2 Mirror, we have more interest from other clients that we honestly had not expected in the first little while of its life,” says IBM i offering manager Alison Butterill, who was in Australia last week for IBM Technical University. “This is nothing but goodness for us, for our clients, and our partners.”
Another Db2 Mirror feature that favors larger clients is the fact that it requires external storage, like the pricey DS8900 line. But IBM made a statement of direction with 7.4 TR1 that it will be supporting internal DASD with an upcoming release of IBM i 7.4.
“We had a lot of demand, from clients both big and small, to be able to support internal drives using Db2 Mirror,” Butterill says. “Clients have invested heavily in internal drives and so we need to support that investment of theirs while still giving them the advantage of using Db2 Mirror.”
IBM is also introducing something called the Application Evaluation Support Tool for Db2 Mirror clients. The product basically provides a GUI designed to give customers a better understanding of how to incorporate applications into Db2 Mirror environments.
Tim Rowe, the IBM i business architect in charge of application development and middleware, says IBM has been engaging with clients in proofs of concept (POCs) to help them figure out how their applications are going to fit into a mirrored environment.
“The tool is basically designed to help you visually see that in a much quicker, easier way, so you can make the right decision as you can determine, which objects, what tables, what files you do want to have part of Db2 Mirror or not part of Db2 Mirror,” Rowe tells IT Jungle.
IBM is also bolstering PowerHA SystemMirror for IBM i, the older HA solution that uses data replication to provide application and data resiliency. (PowerHA, by the way, can work at distances greater than 10 kilometers or so, which is a physical limitation on Db2 Mirror imposed by RoCE that relegates it to the category of providing continuous availability for a single-campus site, as opposed to providing global high availability that can withstand a city-wide or regional disaster.)
With IBM i 7.3 TR7 and 7.4 TR1, IBM has improved several aspects of the product, including the management GUI. Previously PowerHA had a hard limit of 45,000 resources that could be monitored by the administrative domain, according to the announcement letter. A resource is considered a user profile, a system value, or a device description.
However, as IBM i environments continue to grow, some customers were starting to exceed that 45,000 limit, which led to greater operational complexity to manage those environments. So, to streamline management for its customers, IBM has increased the resource limit to 200,000 resources.
Several other PowerHA enhancements were made, including:
- Improvements to the handling of user profile passwords that have been set with the QSYSUPWD API.
- Better management of the administrative domain, allowing users to easily sort and filter monitored resources with the WRKCADMRE command.
- Simpler setup of the PowerHA administrative domain with a streamlined way to easily find and add many resources using a single command.
- The ability to, with a single command, restore normal operations following a failover in an environment that uses HyperSwap LUN-level switching.
BRMS, the IBM utility that’s a key part of most customers’ DR strategies, also gets several enhancements with this release. For starters, customers using virtual devices, like virtual tape libraries (VTLs), will benefit from better management of tape images in the catalog. “When BRMS uses a virtual device for a backup,” IBM says, “the device will be unloaded from the image catalog and varied off to free up any resources that were used by the BRMS backup process.”
Improvements were also made in BRMS for customers who do cumulative incremental backups, specifically the lifting of the restriction on *ALLUSR backups. IBM also modified the “change control group attributes” API to allow a program to specify the control group attributes for the devices and media policies to use for the backup. An improved volume selection process in BRMS should help reduce the chance of “volume selection collisions” from occurring on busy BRMS networks. Improvements to the backup omit processing hierarchy should also smooth out backup operations, while a new backup control group exit program should give customers the ability to run the at the end of a control group, according to IBM.
On the security front, IBM has made two important improvements to IBM i’s cryptography environment with 7.3 TR7 and 7.4 TR1.
For starters, IBM has added support for new crypto libraries to ensure that IBM i shops sending sensitive data over the wire are encrypting the data in the manner that their partners expect. To that end, it has added support for emerging TLS version 1.2 and 1.3 standards, including elliptic curve Diffie-Hellman key exchange using Curve25519 (x25519) and Curve448 (x448) in TLS 1.2 and 1.3; ChaCha20-Poly1305 cipher suites in TLS 1.2; Online Certificate Status Protocol (OCSP) stapling in TLS 1.2 and 1.3; and the RSASSA-PSS certificate type in TLS 1.3.
IBM also bolstered the IBM i Digital Certificate Manager with these TRs. “With the Digital Certificate Manager, now we have a full complement of APIs now,” Rowe says. “And this fall we’re upgrading and creating a whole new user experience for DCM. So now we have a nice modern UI for our admins to manage their certificates.”