Mainframe Storage

 View Only

What's New in IBM Copy Services Manager

By Randy Blea posted Thu June 29, 2023 01:00 AM


In June 2023 IBM GA'd a new version of IBM Copy Services Manager 

Copy Services Manager Download

IBM Copy Services Manager is a storage replication product that provides a single place to manage all the replication across your IBM storage environment.  With IBM Copy Services Manager customers can simplify the management of their replication solutions while providing disaster recovery and high availability to their applications. 

As always, we're very excited to provide the following key features being released in this new version.  We develop Copy Services Manager in an agile development cycle and as such have included a number of customer requested features!!!

IDEA CSM-I-130– New FlashCopy session options to better secure target data

  • Safeguarded Copy sessions provide added protection to prevent either modifying or deleting a point in time copy of your data.  However, Safeguarded Copy was never intended as a replacement for FlashCopy.  There are still a lot of various reasons to use FlashCopy or a combination of FlashCopy and Safeguarded Copy.
  • In the 6.3.7 release of CSM, a couple new options will now appear on DS8000 FlashCopy sessions that will help users continue to use FlashCopy but better protect the target data.

    • Inhibit Target writes - This option allows customers to take advantage of the already existing DS8000 FlashCopy setting which prevents a customer from mounting the target volume and issuing writes.  In essence, this option prevents the data from being manipulated after the point in time the FlashCopy was taken.

    • Minimum Time Frame per Flash (mins) - This option is similar to the option available on the Safeguarded Copy session.  A customer can set a time in minutes which indicates the acceptable time between Flash commands.  This helps prevent an accidental or malicious Flash over the data until the next scheduled Flash time.  NOTE:  This value ONLY prevents flashes through the CSM session and interfaces.  This does not prevent DSCLI issued commands to the FlashCopy relationships.

  • It's important to note that the above features do not prevent deletion or other forms of manipulation outside of the CSM FlashCopy session.  It is highly suggested that you ensure proper authority across all interfaces to secure actions against the relationships.  In addition, Dual Control support can be used to better lock down actions within the CSM interface itself. 


IDEA CSM-I-89– New Dual Control Mode for Safeguarded Copy operations

  • Dual Control mode has been available in CSM since Safeguarded Copy has been supported.  With Dual Control mode, two users must approve any action that could be malicious or cause issues on the server.  Some customers, however, have indicated that they would only like to protect the Safeguarded Copy backups with Dual Control, allowing them to manage other session types without needing two users for approval. 
  • In CSM 6.3.7, there are now two forms of Dual Control that can be enabled: Full Protection Mode and Safeguarded Copy Mode.
  • Full Protection Mode provides the same level of Dual Control support that exists today.  All actions across the server require two users to run.
  • Safeguarded Copy Mode provides Dual Control support only on actions related to manipulating Safeguarded Copy backups.  These actions include, manually expiring backups, recovering or restoring the session, modifying properties on the session and modifying Scheduled Tasks tied to the Safeguarded Copy session. 
    • NOTE: Creating backups does NOT require two people when Safeguarded Copy Dual Control is enabled.  There is a property on the session to set the minimum timeframe between backups.  This property can help prevent malicious intent when creating backups.
  • Dual Control status as well as enablement/disablement is no longer provided as buttons on the Administration panel.  At the top of the Administration panel as well as on top of the Dual Control Requests panel, you can now see what mode Dual Control is enabled in, or if it's not enabled.  The icon will also display differently depending on the mode.


IDEA CSM-I-74– Define Operator roles with more action granularity

  • CSM provides the ability to assign user roles to users that have access to the CSM server.  The Operator role gives the user access to certain sessions defined by the Administrator or User Administrator, without giving them overall admin level authority to the server.  In previous releases though, the Operator role had access to issue any command against that session. 
  • Starting in CSM 6.3.7, Operators can now be setup to only issue actions selected by the Administrator or User Administrator.  This provides a much more granular level of security allowing customers to configure the system to protect against malicious or accidental actions.
  • For example, an Operator could be assigned to a Safeguarded Copy session and given the authority to issue actions "Create Safeguarded Copy Backups" but NOT given the authority to "Expire Safeguarded Copy Backups".  This means that user can issue the Backup command but if they attempted to Expire a backup, the command would fail due to lack of authority. 
  • Available actions to select are categorized between Remote Copy, Point in Time Copy and Misc categories.  If unsure about which actions to select view the help for the View/Modify Access wizard.


IDEA CSM-I-120– Support for z/OS PassTickets on CSM to z/OS Host Connection

  • CSM supports the ability to connect the CSM server to a z/OS system in order to manage features on sessions such as HyperSwap or Hardened Freeze.  This however requires a userid and password/passphrase to be entered in order to properly authenticate with the z/OS HyperSwap address space on the zSystem.  Customers often have security guidelines now that require users to change their passwords after x number of days.  When the password change occurs for the user used in the IP to z/OS connection, a customer has to remember to also change in on the CSM server.  
  • Starting in CSM 6.3.7, CSM will now support the IP to z/OS connection via z/OS PassTickets.  With PassTickets, a PassTicket key is generated for a user and applied to RACF.  Instead of entering a password or passphrase for the CSM to z/OS connection, a customer can. now provide the PassTicket key.  Every time the CSM server then attempts to connect to the z/OS system, CSM will generate a PassTicket using the provided key, which is then used for authentication on the z/OS side.  With this mechanism, there is no need to ever change the value on the CSM side for the connection,  because in essence a new ticket is created each and every time authentication is necessary.


IDEA CSM-I-125– New console message when FlashCopy background copy has completed

  • FlashCopy technology on IBM storage, provides a means to create a point in time copy of a set of volumes which becomes immediately available on the target volumes, before the data has even hardened to those target volumes.  This means as soon as the Flash command completes, you can mount the target volumes and access the data while in the background the data is physically copied to those volumes. 
  • CSM provides progress and a status message on the session indicating that a background copy is still running, however, there was never a message issued in CSM when we determine that background copy completed. 
  • In CSM 6.3.7, message IWNR2772I will now be issued to the console when CSM determines that there are no longer any out of sync tracks for the volumes in the session.  Customers can view the console or setup a remote syslog to catch the message and provide automation when the copy is complete. 
    • NOTE: CSM does not constantly query for FlashCopy progress and does so on an interval as to not cause too many commands down the the hardware.  As such, the time of the IWNR2772I is not an exact time for when the background copy completed, just an indication that it has. 

Active/Standby server improvements

  • CSM supports the ability to setup an active and standby server so that in the event that you lose access to the active server, you can issue a takeover command on the standby server and manage your replication from there.  In previous releases, the standby server would only receive the information pertaining to session configurations and storage system or z/OS host connection information.  If you setup basic or LDAP users on the active server or you changed server properties, this type of setup was not transferred to the standby and had to be done prior to setting up the active and standby connections. 
  • Starting with CSM 6.3.7, when the active and standby server are running on a Distributed Operating system or on a DS8000 HMC, CSM will transfer all necessary data to the standby server so that setup on the standby server will no longer be required.  All user information will be transferred and all properties files including csv files such as the port pairing csv file, will be transferred to the standby to ensure that after a takeover all data on the standby remained the same as on the active.


DS8000 Safeguarded Copy improvements

  • Two new options have been added to the Properties for DS8000 Safeguarded Copy sessions. 
  • Allow Backups to be Manually Expired
    • This option will change existing behavior of the session when you upgraded to 6.3.7.  By default the value will be "unchecked" and any Expire Backup command issued against the session will fail indicating that the command is not allowed.  Expiring backups should only be done in cases where there are capacity issues or other concerns where you need to manually remove the backups instead of waiting for retention to expire them automatically. 
  • Minimum Number of Backups Retention Should Always Maintain
    • This property allows a customer to define a number of backups they always want to maintain, even if there are backups that are older than the retention time set for the session.  For example, if for some reason backups stop forming on the regular schedule, retention today might kick in and expire backups leaving less backups than what is defined by the customer's Service Level Agreements.  With this value set, even if a backup is older than the retention period, if expiring the backup would cause the number of backups to drop below the set value, the backup will not be expired. 


Add z/TPF connections to CSM for faster FlashCopy/SGC support

  • In November 2021 CSM and the IOS team on z/OS released a feature that was documented in the following Hot Topic. 
    This solution provides a way for z/OS customers to create FlashCopies or Safeguarded Copy backups with less application impact than with the CSM HMC communication.  Starting with the 6.3.7 release, CSM now supports the feature for zTPF systems as well. 
  • Customers running production on DS8000 volumes with zTPF systems can connect the CSM server via an IP connection to the zTPF system similar to how CSM allows z/OS connections today.  Once set, customers can then define the system name in the SGC of FlashCopy session properties and CSM will call zTPF to issue the Flash or to take the Safeguarded Copy backup.  


CSM What’s New Video

Idea/RFE support for Copy Services Manager

If you wish to open a new IDEA (formally called a Request for Enhancement) on IBM Copy Services Manager, you can now do so through the following link.