Import custom certificates from GUI for HTTPS connections

• When running CSM on a standalone server (non DS8000 HMC installs), customers could always setup the server with their own custom certificates for HTTPS communication with the GUI/CLI/etc.  This however, involved manually adding the truststore to the environment which most customers do not have experience with making it a difficult task.
• Starting in CSM 6.3.1, you can now import a truststore from the CSM GUI.  On the Advanced Tools panel in the CSM GUI, there is a new section entitled, "Import custom Truststore for HTTPS connections to the server".  If you click the Import Truststore button, this will bring up the Import dialog allowing you to easily import the customer certificate. 
• On the import dialog you can click on Choose a Truststore to Import which will allow you to select a P12/jks file located on the server you are running the browser from.  If the truststore requires a password to use, enter it in the option input box. 
• After the truststore is applied, it will take affect the next time the CSM server has been restarted.
• Note: Prior to modifying the truststore, CSM will create a backup of the server in the event that there are any issues with connectivity.  This can be used to restore the server to regain access.

Support Restore to Production to Remote Copy Secondary volumes for DS8000 Safeguarded Copy

• In the CSM 6.3.0 release along with DS8000 9.2, a new feature was added allowing customers to Restore a Safeguarded Copy backup back to the production volume, when the Safeguarded Copy backup is taken on the remote copy target.  In other words, if you replicating from H1 to H2 and taking a backup off of H2, the feature allows you to restore a backup back to the H1 volume without a full copy of the data.
• In the CSM 6.3.1 release along with DS8000 9.2.1, this solution was now extended to support restoring that backup to the remote copy target volume, when the Safeguarded Copy backup is taken off of the primary volume.  In other words, if you are replicating from H1 to H2 and taking a backup off of the H1 volume, the feature allows you to restore the backup to the H2 volume.  In this solution, in order to get that backup data back to the H1 production, you can reverse the direction of the replication after the restore to copy the changed data from H2 back to H1. 
• The solution supports MM and GM configurations as well as Multi-target configurations.  In GM configurations, it's important to note that you'll need to Recover the GM session BEFORE you do the Restore Backup to Production command or the GM recover could overwrite the backup data with the last consistency group that was formed.  Below shows sample steps for performing a restore in both an MM and GM environment.  The Safeguarded Copy Redbook will also be updated to reflect these and other solutions.

Support for installing on CSM on AIX 7.3 servers

Clear SCSI reservations on DS8000 FlashCopy establishes

• Sometimes reserves are left out on the hardware which may prevent CSM from issuing a FlashCopy to the target volume.  Starting with the CSM 6.3.1 release, a new option will appear in the session properties for DS8000 FlashCopy and practice sessions.  When the option "Reset target reserves (FB only)" is set on the session, on the next Flash command to the session, the option will be set on the command to the hardware that will reset the reserve and allow the Flash to complete without failure.

New Scheduled Task Action to check DS8000 Global Mirror RPO

• In the 6.3.1 release a new type of Action will be available when creating a Scheduled Task.  The Validate Data Exposure action allows a customer to have the task check the current data exposure (RPO) for a selected session and role pair, prior to continuing on to the next action in the task. 
• In the action the customer defines a value in seconds for data exposure.  If the session and role pair is below that data exposure time then the action will complete and the task will move to the next action.  If the session and role pair however is above the data exposure time specified, the action will continue to check the data exposure on the session until the timeout time specified in the Action has been reached.  If the timeout is reached then the entire task will fail sending out a notification. 
• This new action type may help prevent issues when your scheduled task needs to Suspend the GM session.  A suspend to a GM session will Pause the Master on the hardware with consistency.  However, a high data exposure may indicate that the hardware is having trouble forming consistency groups.  This means that the Pause issued to the hardware will get stuck because a consistency group cannot be formed.  By adding this action before a Suspend to a GM role pair in a session, you can fail the task before even attempting to issue the Suspend and allow support to help figure out why consistency groups are failing to form.

Support user defined consistency group name on Multi-target MM-MM sessions and Multi-target MM-MM with 4 site replication sessions

• When CSM loads a HyperSwap or Hardened Freeze configuration to z/OS, it will use the session name and shorten it to fit into the allotted number of characters defined on the z/OS session.  However, customers can specify a user defined consistency group name on DS8000 MM role pairs.  When specified this is used instead of the shortened session name.  Prior to this release however, this was not supported for MT MM-MM configurations as both legs of the MM session are loaded for HyperSwap or Hardened Freeze. 
• There were however customers that experienced conflicts when the naming convention they used for their MT MM-MM session caused the different sessions to resolve to the same shortened name after a system IPL.  Starting in CSM 6.3.1 a customer can now specify a user defined consistency group name on these sessions.  By doing so, a different naming convention can be used to provide a unique name across the sessions that will be the same across system IPLs preventing the issue from occurring.

Enable consistent suspend across  DS8000 Global Mirror sessions sharing the same hardware master session

• CSM allows customers to manage up to 250 different GM session on the same DS8000 storage system, even though the hardware cannot manage that many separate sessions.  By specifying the same two-digit hex user defined consistency group name on a DS8000 GM role pair for a session, CSM will use the same Master session ID when setting up the relationships on the hardware.  Because each of these session appear as separate session in CSM, despite using the same underlying Master session, a suspend command issued to one of the sessions by default will Pause the Master but then proceed to restart all the shared sessions that the suspend command was not issued to.  This allows the customer to suspend one session without affecting the others. 
• There was a request however to allow an option to suspend all shared sessions consistently.  When a suspend command is issued to one of the shared sessions, all sessions that share that same consistency group name should remain suspended.  This can be accomplished starting in 6.3.1 by adding the following property to the Server Properties.  When set to true all sessions will remain suspended after the Suspend command is issued.

Allow programmatic server backup and log package creation with download

• Customer today can use the REST of CSM CLI to create a backup of the CSM server or a log package.  However, once created the customer has to manually go to the server or to the GUI panel to download the file. 
• There are cases though where you may want to automate not only the creation but the download of the file created.  For example, you may want to create a programmatic backup of the CSM server every 24 hours and offload it to a secure server.  Or you may want to create an external action that will open an internal ticket and collect a CSM log package to download from the CSM server and then upload for support.
• In CSM 6.3.1, the -dir parameter on the mkbackup and mklogpkg commands can be used to specify which directory to place the created file on the server where the CSMCLI is running. 
• On the REST API two new APIs are now available /system/backupserver/download and /system/logpackages/synchronous/download to not only invoke the file creation but perform the download. 
• NOTE: These commands are synchronous and will not complete until the file is created on the server and the download has completed.

New automation user role for easier automation in Dual Control environments

• In the CSM 6.3.1 release a new user role will be introduced called the "Automation" user.  An automation user can be used by customers to perform external automation such as running CSMCLI scripts or making REST API calls.  By using a specify user with automation authority, customers can use the audit records to better tell when commands were issued by automation versus manually by users. 
• By default an automation user can always invoke REST commands.  Administrators however can choose whether the automation user should have CLI or GUI access.  By preventing CLI/GUI access this may help provide a little extra security when the automation user is used.
• An automation user can manage all sessions which includes being able to do actions like creating copy sets, removing copy sets, starting/stopping sessions, etc.  Automation users however cannot manage other users. 
• If customers want to lock down what an automation user can do further, they can optionally select the "Only run Scheduled Tasks" check box.  When this is selected, the automation user can only run scheduled tasks and cannot issue any commands directly to a session.  An Administrator will need to create the scheduled task but the automation user will be able to invoke the run action against the task. 
• NOTE: When the "Only run Scheduled Tasks" check box is checked for an Automation user, you will not be able to grant the user GUI access.  GUI access is automation disabled.