
SDP2 – Best Practices Network and Details

VOP 2.1
Version 2.1 document
Nov 2013
Table of Contents

- Introduction
- SDP2/VOP Overview
- VOP Installation Options and Requirements
- Security
- Networking
- Ports
- Appendix

Introduction

This document describes general best practices for VOP/SDP2 2.1. VOP is the core
application for remote tape customer support in SDP2, and it is also the onsite tape
maintenance application for customers and Oracle Support. For details of the functionality
and features of the VOP/SDP2 system, see the other documentation, such as the user guide
and the installation guide.

SDP2/VOP Overview

 
Figure 1: VOP Connections and components

VOP/SDP2, described from a general perspective:

• SDP2/VOP includes a server and a client interface to manage library and drive status,
perform log collection, install drive firmware, run health alerts, and perform system
monitoring.
• The server is located onsite and uses remote client connections to service
networked tape equipment. The server connects directly to libraries, drives and VSM using
various protocols.
• The server manages automated fault detection, SR creation and log transfer. (Note:
there is also a manual method to do this.)
• The server connects to My Oracle Support through the DTS protocol, creates SRs and
sends fault logs for immediate analysis.
• The client connects to the server and manages VOP functions through a GUI. Both
manual maintenance functions and manual DTS connections for SR creation and log
transfer are performed through this GUI.

Functional details of VOP components:

VOP consists of stand-alone and server components.

• VOP Client – The same VOP as in the previous version, with some additional functionality
and interfaces to connect to and control the server. VOP can be used in stand-alone mode (direct
to the devices) or in client mode (connected to a server). The same GUI interface is
present in both. In client mode the system communicates directly with the server, not with the
devices, so all functionality goes through the server and then from the server to the product.

• VOP Server – This is the main component, running on a central system. The GUI
connects to it to access the data. The server handles automated call home for SDP-type
events. The server handles all collection of events coming from a product, which in
turn can be used for ASR creation. Events are received in the form of SNMP,
Telnet, Vshell and others. Logs record what is being saved for use by others.

VOP Installation Options and Requirements

SDP2/VOP has a server component that can be installed. This provides the automatic call home
routines for the different products. The stand-alone/client provides access to the server.

Installing the server makes all of the following stand-alone/client functions accessible.
The server allows for monitoring and then connecting to all stand-alone/client versions as
required.

There are three variations of stand-alone/client VOP to consider at installation. These are
installed on the local system, not on the server. Each one can access the server.

Available to customers:
• MDVOP System Admin - The customer system administrator version (full functionality).
• MDVOP Operator - The customer operator version (limited functionality).

Available to Oracle internal field engineers:

• MDVOP CSE - The Multi Drive VOP CSE version (internal support functionality).

Please reference the user guide for details and installation requirements.

Security

Because the intended environment for VOP is a secure data center, the security
model for VOP is minimal and depends on the computer and network being physically secured.
Authentication, access control and accounting are provided by the host system.

Data pulled by VOP is never customer data. VOP is designed to monitor and
pull machine-level error information for analysis and break-fix. The data sent is exactly the same
as would be requested by a support representative. This is telemetry-only data.

VOP uses DTS, which employs one-way outbound communication on port 443. VOP sends
data to the ASR backend and then monitors for a change in status (confirmation that the message
was received). There is also a daily heartbeat that is used to confirm that the system is still up
and running.

Since this is a software-based solution, the customer can harden the systems running this
application according to their own policies as needed. The only requirements are that the
specified ports are allowed to be open, and that the application components included in VOP and the
operating system are maintained at supported levels.

VOP applications run as a separate non-root user for both the server and stand-alone installations.

Because the products that VOP monitors and maintains are internal (not Internet-facing),
specific ports are required to be open. Since these are internal, it is recommended that the
protocols reside on a private, service-based network. These products might or might not
have secured communication. The ports that may be used are covered in the Ports section (additional ones are used for
application control).

Service personnel (FEs) require access to these devices over the Ethernet port when replacing
parts or troubleshooting specific events. This requires the field personnel to be able to plug in directly,
access the switch that the devices are attached to, or access the central SDP2 server to
perform these functions.

At no point should a tape library, tape drive or virtual storage product be placed outside of the firewall and
on the Internet. Figure 2 shows the two communication paths from SDP2.

Networking
The stand-alone/client VOP is hosted on a single system. The VOP/SDP2 server runs on a
central system and gives systems using the client access to the devices.

Service Network
A service network, as designed, is built for maintaining and updating tape-related products.
SDP2/VOP leverages this model and the knowledge gained from using this type of network
architecture. In this model, product access is on a separate network from the
production or customer network.

VOP is designed to operate on the service network configured as a private LAN. It uses the
service network Ethernet port for communications. This port can also be used by other
applications, such as Oracle Key Manager (OKM), formerly Key Management System (KMS),
used for secure encryption of tape drives.

The private LAN recommendation protects against unauthorized access.

Through the service network, multiple libraries, drives and VSMs can be discovered and maintained
through VOP. VLANs are requested on the switch.

 
Figure 2: Basic SDP2/VOP Diagram

 
Figure 3: Network topology using a single Layer 2 switch.

The simplest topology through a private network is often the best because it:
• Offers maximum throughput
• Provides minimum resource contention
• Lends itself to higher security for library communication
• Is the least expensive alternative
• Provides quick identification of any problems within the network

The following are recommended:

• Connect the tape drive Ethernet port to a private network.
• Use static IP addresses, not dynamic addresses.
• Use Layer 2 switches to isolate each library (highly recommended).
• Ensure that the latest firmware is loaded on all tape drives.
• The IP address for a new tape drive defaults to 10.0.0.1. When you configure the
network and tape drives, be sure to configure one tape drive at a time as you add them
to the network.
• VOP configuration requires a unique IP address to be assigned to each tape drive.

Ports

This section defines the ports needed for communication between the VOP components (both
the stand-alone and server components) and the various devices. These ports need to be
opened for VOP communication. They are static ports, with the possibility of variation for the ones
that can be changed.

VOP uses the ASR/DTS protocol that goes externally to Oracle Support. This component is
designed to be secure. VOP communicates through DTS (for transferring information and
updates) to the ASR backend; this is the only Internet-facing port, and it is the only protocol used
outside of the internal network. The following port is used:

• HTTPS (443) - This is the main communication channel to the ASR backend.

The URL is https://transport.oracle.com/v1

Note that there can be a web proxy in place. This port can be changed to suit local
conditions. The use of web proxies is partially supported, with future enhancements planned.

VOP also has internal protocols that connect to current or legacy devices. These components
are based upon what each product supports at this time. Best practices for internal use (private
networks, etc.) should be applied as required.
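The egress model described in this section and in the Security section reduces to two checkable statements: the VOP host needs outbound HTTPS (443) to the ASR backend (or to the web proxy that fronts it), and no tape library, drive or VSM on the service LAN may be reachable from the Internet. The following Python audit is an added example, not part of this document or of VOP; the rule format, the VOP host address and the ASR backend address (203.0.113.10, a documentation placeholder standing in for whatever transport.oracle.com resolves to at your site) are all constructed.

```python
"""Audit a simple firewall rule list against the VOP egress model.

Added example (not VOP code). The rule format is constructed for illustration:
each Rule is (src CIDR, dst CIDR, destination TCP port, action), with "any"
meaning 0.0.0.0/0 and port 0 meaning any port. The presence check for the
ASR allow rule uses first-match semantics; the exposure checks are
conservative and flag any allow rule that would grant the access, ignoring order.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR or "any"
    dst: str      # destination CIDR or "any"
    port: int     # destination TCP port, 0 = any port
    action: str   # "allow" or "deny"


def _net(cidr):
    return ANY if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def audit_egress(rules, vop_host, service_lan, asr_backend_ip, asr_port=443):
    """Return a list of finding strings; an empty list means the policy matches the model.

    vop_host:       address of the VOP server
    service_lan:    CIDR of the private service LAN holding libraries, drives and VSM
    asr_backend_ip: address the DTS traffic goes to (the ASR backend, or the web proxy if one is used)
    asr_port:       443 by default; the proxy port if a proxy is in place
    """
    vop = ipaddress.ip_address(vop_host)
    lan = ipaddress.ip_network(service_lan)
    asr = ipaddress.ip_address(asr_backend_ip)
    findings = []

    # 1. The DTS/ASR path must be allowed by the first rule that matches it.
    allowed = False
    for r in rules:
        if vop in _net(r.src) and asr in _net(r.dst) and r.port in (0, asr_port):
            allowed = (r.action == "allow")
            break
    if not allowed:
        findings.append(f"no allow rule for {vop_host} -> {asr_backend_ip}:{asr_port} "
                        "(DTS call home and heartbeat will fail)")

    # 2. The VOP host should not have broader Internet egress than the ASR path needs.
    for r in rules:
        if r.action == "allow" and vop in _net(r.src) and _net(r.dst) == ANY and r.port != asr_port:
            findings.append(f"VOP host allowed outbound to any host on port {r.port or 'any'}; "
                            f"only {asr_port} to the ASR backend is required")

    # 3. Nothing on the service LAN may be reachable from an unrestricted source.
    for r in rules:
        if r.action == "allow" and _net(r.src) == ANY and _net(r.dst).overlaps(lan):
            findings.append(f"service LAN {service_lan} reachable from any source on port "
                            f"{r.port or 'any'}; tape products must never be Internet-facing")
    return findings


# Constructed sample policies.
GOOD_RULES = [
    Rule("10.0.0.5/32", "203.0.113.10/32", 443, "allow"),  # VOP server -> ASR backend (placeholder IP)
    Rule("any", "any", 0, "deny"),
]
BAD_RULES = [
    Rule("10.0.0.5/32", "203.0.113.10/32", 443, "allow"),
    Rule("10.0.0.5/32", "any", 80, "allow"),              # unnecessary HTTP egress from the VOP host
    Rule("any", "10.0.0.0/24", 23, "allow"),              # Telnet to the drives from anywhere
    Rule("any", "any", 0, "deny"),
]

if __name__ == "__main__":
    for f in audit_egress(BAD_RULES, "10.0.0.5", "10.0.0.0/24", "203.0.113.10"):
        print("FINDING:", f)
```

When a web proxy is in place, pass the proxy address and port as `asr_backend_ip` and `asr_port`; the rest of the audit is unchanged, since the service LAN exposure rule does not depend on how the outbound path is built.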

 
Figure 4: Active ports to maintain product and back-end communications.

Please reference the Port matrix for active ports.
