SCA Book

WORK IN PROGRESS
This page is a draft. Treat the information on this page with caution as it may be incomplete.


Part I: Introduction

Imprint

Any form of reproduction, duplication or distribution of the contents, in part or in whole, is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, the information in SEP sesam user documentation is subject to change without notice due to continuous product development. SEP AG cannot guarantee the accuracy of the explanation and shall not be liable for the use of provided information and the product implementation.

SEP sesam and SEP-related modules are trademarks of SEP AG. All other trademarks used at this site are the property of their respective owners.

SEP sesam Release Versions

Release | Version | Release date | Release notes | Specific extension versions | End of support
4.4.3 Beefalo V2 | 4.4.3.84 SP2; 4.4.3.84 SP1; 4.4.3.79-.84 | December 16, 2020; October 14, 2020; May 11, 2020 - August 3, 2020 | Beefalo V2 Service Packs Releases (SP1 and SP2); Release Notes 4.4.3 Beefalo V2 | |
4.4.3 Beefalo | 4.4.3.70-.72 | July 25, 2019 | Release Notes 4.4.3 Beefalo | |
4.4.3 Grolar | 4.4.3.60-.64 | July 23, 2018 - October 29, 2018 | Release Notes 4.4.3 Grolar | | Upcoming: October 2021
4.4.3 Tigon V2 | 4.4.3.48 | December 5, 2017 | Release Notes 4.4.3 Tigon V2 | | December 2020
4.4.3 Tigon V1 | 4.4.3.42 | August 10, 2017 | Release Notes 4.4.3 Tigon | | September 2020
4.4.3 | 4.4.3.22-.29 | September 21, 2016 - April 4, 2017 | Release Notes 4.4.3 | | January 2020
4.4.2 | 4.4.2.66-.88 | August 6, 2015 - April 27, 2016 | Release Notes 4.4.2 | | January 2020
4.4.1 | 4.4.1.14-.48 | July 16, 2014 - March 11, 2015 | Release Notes 4.4.1 | | January 2020
4.2.2 | 4.2.2.1-.40 | June 25, 2013 - August 4, 2014 | Release Notes 4.2.2 | | September 2016
4.2.1 | 4.2.1.5-.41 | July 16, 2012 - January 18, 2013 | Release Notes 4.2.1 | | December 2014
4.0.5 | 4.0.5.26, 4.0.5.28 | February 24, 2012 | Release Notes 4.0.5 | | July 2013
4.0.3 | 4.0.3.30 | July 13, 2011 / September 29, 2011 | Release Notes 4.0.3 | | July 2013
4.0.2 | 4.0.2.13, 4.0.2.30 | June 2011 | Release Notes 4.0.2 | | July 2013
4.0.1 | 4.0.1.19 | November 2010 / May 2011 | Release Notes 4.0.1 | | July 2013
3.6 | 3.6.4.x | October 2009 / August 2010 | Release Notes 3.6 | | June 2012
3.4 | 3.4.1.x | August 2008 / October 2009 | Release Notes 3.4 | | December 2010
3.0 | 3.0.1.xx | 2006/2007 | Release Notes 3.0 | | December 2009

Part II: Architecture Overview

SEP sesam Requirements

For smooth installation of SEP sesam backup software in the network, name resolution must work properly. Specify a fully qualified name for each SEP sesam component, e.g., every server and client in the network.

When looking up a client, the operating system (Windows or Linux) first checks the hosts file for name resolution. Next, the configured DNS server is checked. If the DNS server is misconfigured or missing, the hosts file must be set up correctly to provide name resolution. You have to enter the names and addresses of all SEP sesam components: SEP sesam Server, backup clients and machines running the graphical user interface (GUI). You must not remove or modify any existing localhost entry in your hosts file. For details, see How to check DNS configuration.

A DNS server is preferred over entries in the hosts files of all devices. A DNS server allows a system-wide solution. All SEP sesam components must have their names and IP addresses (reverse lookup) added to the DNS server.

PostgreSQL/64-bit

On 64-bit Linux, FreeBSD and Solaris, PostgreSQL is used as the SEP sesam database. When SEP sesam is installed on MS Windows, an SQLite database is automatically installed. When SEP sesam is installed on a 64-bit Unix operating system, PostgreSQL has to be installed before the SEP sesam Server so that the DB instance can be set up for use.

.NET

On MS Windows, .NET Framework 4 is required for SEP sesam Server installation.

Antivirus software

Deactivate or remove the antivirus software before installing SEP sesam components on each computer. Failure to disable active antivirus software may result in a failed, corrupt or incomplete installation. If antivirus software is installed, it is strongly recommended to turn off any on-demand scanning while a backup is running. For more details, see What effect does an antivirus scanner have on SEP sesam.

Hardware Requirements

The following are the hardware requirements for the SEP sesam Server, RDS or SEP sesam Client. They are similar for both servers, SEP sesam Server and RDS, except for the required space on the file system for the SEP sesam database, which is not necessary for RDS.

The hardware requirements for the SEP sesam components represent the common requirements. Additional RAM/CPU may be required for larger Si3 data stores. For details, see Si3 Deduplication Hardware Requirements.

Requirements | SEP sesam Server Standard edition | SEP sesam Advanced Server edition | SEP sesam Premium Server edition | SEP sesam Enterprise Server | SEP sesam Client
Memory (without Si3 deduplication) | 8 GB RAM | Minimum 16 GB RAM | 32 GB RAM | Minimum 64 GB RAM | 2 GB (recommended 4 GB)
Memory (with Si3 deduplication) | Minimum 16 GB RAM | Minimum 32 GB RAM | 64 GB RAM | Minimum 128 GB RAM | Minimum 4 GB
Core (without Si3 deduplication) | 1x CPU with 4 cores (≥ 2,4 GHz) | 1x CPU with 8 cores (≥ 2,4 GHz) | Minimum 1x CPU with 8 cores (≥ 2,4 GHz) | Minimum 2x CPUs with 4 cores (≥ 2,4 GHz) | -
Core (with Si3 deduplication) | 1x CPU with 6 cores (≥ 2,6 GHz) | 2x CPUs with 8 cores (≥ 2,6 GHz) | 2x CPUs with minimum 8 cores (≥ 2,6 GHz) | Minimum 2x CPUs with 8 cores (≥ 2,6 GHz) | -
Minimum hard disk space for SEP sesam metadata | 100 GB | 300 GB | 500 GB | 500 GB | 4 GB (for all client data)
No. of backup clients | Up to 15 | Recommended up to 50 | Recommended up to 150 | Recommended for more than 150 | -

Si3 Deduplication Hardware Requirements

  • For the minimum Si3 hardware requirements that apply to SEP sesam Si3 deduplication server, see the above requirements list. Keep in mind that these requirements represent the demand for deduplication only. In addition, the amount of memory for the operating system and other services should be taken into account.
  • For details on the required Java version, see Java Compatibility Matrix. Si3 is not mandatory, therefore there is no dependency rule in the RPM/DEB packages for it.
  • When estimating the maximum size for a deduplication store, you have to ensure that there is enough space available for dedup trash or the deduplication store will run out of space. You should calculate the required disk space based on the representative sample of your full backup and add the amount of extra space equal to approx. 50% of the representative full backup.

Disk attachment and protocols

Si3 supports any kind of direct-attached disk storage, such as serial attached SCSI (SAS), Serial ATA (SATA), and Fibre Channel (FC)/LUN. Si3 is NOT supported for CIFS and NFS network protocols.

Restriction

To avoid issues arising from the combination of overly large Si3 deduplication stores and inefficient hardware, the maximum initial Si3 deduplication store size is restricted to 40 TB since Tigon V2 (4.4.3.46). This restriction applies when creating a new Si3 deduplication store in the GUI. Customers with special requirements for a larger Si3 deduplication store should contact SEP support to have the value increased to an optimum size for their specific environment.

Required additional amount of RAM and CPU cores

The following tables show the required additional amount of RAM and CPU cores for one Si3 data store. The TB value is the capacity of the Si3 data store.

Note
Running Si3 deduplication (SEP sesam Server or RDS) on a virtual machine is not recommended. If you do run it on a VM, for example for evaluation or testing, consider limiting the capacity of the Si3 data store to 100 GB to ensure normal VM operation. Keep in mind that deduplication consumes a lot of server resources for reading, processing, and writing deduplicated data, so be aware of this limitation when running Si3 on a VM.

Si3 data store capacity (check initial size restriction) | RAM
<20 TB | 16 GiB
20-40 TB | 32 GiB

To find out how much RAM is required by Si3 at which capacity, enter the command sm_dedup_interface propose jvmconfig <Si3-CAPACITY> at an admin command line (you must set sesam profile to run the command). The MaxDirectMemorySize output is the required RAM value.

The following table shows the amount of CPU cores required for one Si3 data store. The TB value is the amount of backed up data (before deduplication)!

Backed up data (before dedup) | CPU cores
10 TB | 4
20 TB | 4
40 TB | 8

Note
Keep in mind that the stated requirements represent the demand for deduplication only. In addition to these requirements, the amount of memory for the operating system and other services should be taken into account.


Java Compatibility Matrix

Java version | SEP sesam version
OpenJDK 11 LTS | 4.4.3 Beefalo Note1
Java 11 | 4.4.3 Beefalo Note1
Java 10 is not supported! | X
Java 9 is not supported! | X
Java 8 ≥ patch level 111 (both Windows and Linux) | 4.4.3 Grolar; 4.4.3 Beefalo Note1
Java 8 (at least patch level 111) ≥ JRE 1.8.0_111 (required for Linux) | v. ≥ 4.4.3 Tigon V2
Java 8 (required for Windows) | v. ≥ 4.4.3
Java 7 (all OS except Windows) | 4.4.3 Note2
Java 7 | 4.4.2
Java 6 | 4.2.1 & 4.2.2

Note1

Java 1.8 (≥ 1.8.0_111) is only accepted if it is already installed and the computer does not have a 4K display.

Note2

SEP sesam versions 4.4.3 until 4.4.3 Tigon V1 running on non-Windows platform require Java 7, however, SEP sesam uses JavaFX for its web dashboard and user-defined schedules features. If you want to have all the 4.4.3 features available, you need OpenJFX package or Oracle®'s Java 8 (already includes JavaFX) on your SEP sesam GUI client.

Directory layout

SEP sesam always creates two directory structures during installation – one for static data and one for variable data. Both structures can be either in the same main directory or in two different directories. On Unix, the installation directories are represented in the file /etc/sesam2000.ini.

SEP sesam directory aliases

Directory aliases are used to refer to the specified paths in the default SEP sesam directory structure.

<SESAM_BIN>
Refers to the part of the directory structure of a Linux package installation in which the unchangeable files (e.g., binaries) are stored. The path /opt/sesam is fixed and cannot be selected during installation.
<SESAM_VAR>
Refers to the part of the directory structure of a Linux package installation in which the variable files (e.g., configuration and log files) are stored. The path /var/opt/sesam/var is fixed and cannot be chosen freely during installation.
<SESAM_ROOT>
Refers to the install location of the SEP sesam file structure for a Linux tarball or a Windows installation. This means that both tarball and Windows installations show <SESAM_BIN> and <SESAM_VAR> on the same location in the file system (referred to as <SESAM_ROOT> here). The install directory must be specified during a tarball installation (default path is /opt/sesam) and also during Windows installation (default path is C:\Program Files\SEPsesam).

SESAM_BIN directory

This directory contains all unchangeable files, such as programs, templates, etc. The following directory structure is created during SEP sesam installation:

What | Where
Database components | SESAM_BIN/bin/db
GUI components | SESAM_BIN/bin/gui
Dedupe components | SESAM_BIN/bin/sds
Server components | SESAM_BIN/bin/sesam
Communication components | SESAM_BIN/bin/sms
Templates incl. raw versions for first installation | SESAM_BIN/skel
Templates for programmable interfaces | SESAM_BIN/skel/templates

SESAM_VAR directory

This directory contains all changeable data, such as SEP sesam database, protocols and log files. The following directory structure is created during setup:

What | Where
Database | SESAM_VAR/db[_pg]
SEP sesam database backup | SESAM_VAR/db[_pg]/backup
Configuration files | SESAM_VAR/ini
SSH keys for control communication | SESAM_VAR/ini/sm_ssh
SSL certificates for data transfer | SESAM_VAR/ini/ssl
Notification and metadata logs | SESAM_VAR/lis
Main directory for log files | SESAM_VAR/log
Logs of the Pre- and Post- jobs | SESAM_VAR/prepost
Status and daily logs | SESAM_VAR/prot
Media action logs | SESAM_VAR/prot/media
SEP sesam interface logs | SESAM_VAR/prot/notification
Restore logs | SESAM_VAR/prot/restore
Temporary files for transient storage | SESAM_VAR/tmp
Temporary files for longer storage | SESAM_VAR/work
Mountpoint for VMware and other single item restore tasks | SESAM_VAR/work/mnt

Example

 C:\Program Files\SEPsesam

Sample directory structure

The following is a common SEP sesam directory layout after an RPM or DEB installation on Linux. The programs are located in /opt/sesam, the variable files in /var/opt/sesam:

 barometrix:~ # find /opt/sesam/ /var/opt/sesam/ -type d
 /opt/sesam/
 /opt/sesam/bin
 /opt/sesam/bin/db
 /opt/sesam/bin/gui
 /opt/sesam/bin/gui/html
 /opt/sesam/bin/sesam
 /opt/sesam/bin/sms
 /opt/sesam/skel
 /opt/sesam/skel/db
 /opt/sesam/skel/templates
 ###
 /var/opt/sesam/
 /var/opt/sesam/var
 /var/opt/sesam/var/ini
 /var/opt/sesam/var/ini/root
 /var/opt/sesam/var/log
 /var/opt/sesam/var/log/db
 /var/opt/sesam/var/log/lgc
 /var/opt/sesam/var/log/sms
 /var/opt/sesam/var/tmp
 /var/opt/sesam/var/work
 /var/opt/sesam/var/work/smslis
 /var/opt/sesam/var/work/info
 /var/opt/sesam/var/work/ctl
 /var/opt/sesam/var/work/sem
 /var/opt/sesam/var/times
 /var/opt/sesam/var/lis
 /var/opt/sesam/var/not
 /var/opt/sesam/var/qm
 /var/opt/sesam/var/glbv
 /var/opt/sesam/var/prepost
 /var/opt/sesam/var/prot
 /var/opt/sesam/var/sel
 /var/opt/sesam/var/db
 barometrix:~ #                      
 /opt/sesam/bin
 /var/opt/sesam

The /var/ini directory contains the following initialization files:

sm.ini
sm_java.policy
sms.ini
odbc.ini
debug.ini
sm_lic.ini
stpd.ini

Part III: SEP sesam Installation and Configuration

Licensing

SEP provides a flexible approach to the licensing of hybrid SEP sesam backup solutions that simplifies procurement and meets the specific needs of various organisations.

SEP sesam licenses fall into one of the following broad categories:

Component-based licensing

SEP's component-based licensing model begins with the main Backup Server (SEP sesam Server), Remote Device Servers (media agents), clients and databases or groupware agents. Expansion modules are customised to suit the existing environment and the license can be adjusted when extensions are added or the data protection environment is restructured.

In complex environments (data zones) where the average amount of backup data per client is greater than 250 GB, the classic component-based licensing model will likely be the more economical solution.

The concept behind this model is to license only what the customer actually uses.

Capacity-based licensing

SEP also provides capacity-based licensing models that offer convenient and flexible licensing for continually changing environments.

SEP sesam's volume licensing model is primarily aimed at large and dynamic security environments in which numerous different database or groupware applications are used. Rental licenses are based on volume and provide maximum flexibility with minimal management effort at no additional cost. This license is ideal for large installations, without depreciation expense.

This model gives customers access to most features and functionality and the only relevant factor is the amount of data backed up. Customers are therefore able to customise their backup solutions to suit their specific financial blueprint and infrastructure.

SEP licensing models

For more information on SEP licensing models and available licenses, contact SEP support.

SEP volume perpetual licensing

The SEP volume licensing model is based on front side data volume size. In addition, a further delineation is set depending on the types and sophistication of databases in use (Level 2 and/or Level 3). The licenses are perpetual and maintenance is included within the first 12 months. After the subscription period, SEP sesam save sets can be further used for restores, however, backing up data is no longer possible.

Calculating front-side capacity

All SEP sesam capacity-based licenses are calculated by how much original, source-side data is protected (front-side TB). This equates roughly to the sum of all files, databases and hypervisor snapshots of the clients to be backed up. In practice, this means that the maximum volume of all backup jobs (normally the biggest FULL) is calculated, provided that it is stored on any SEP sesam media (retention policy). The original data is cumulated before deduplication or compression.

SEP subscription licensing

SEP sesam subscriptions are purchased per year, based on data volume per front-side terabyte and depend on the utilisation of SEP database agents. Maintenance is included in any subscription time frame. Subscriptions are licensed for a period of 12 months and include full maintenance.

After the subscription period, SEP sesam save sets can be further used for restores, however, backing up data is no longer possible.

SEP classic perpetual licensing

The SEP sesam classic model provides item-based, perpetual licenses that are individually tailored to a customer's needs. Licensing is modular and scalable, expansions of any license components such as database and groupware agents can be carried out at any time. Maintenance is included within the first 12 months.

SAP Business One Edition

SEP sesam SAP Hana Business One Edition is licensed per number of SAP Business One users. SAP Business One Edition basic license covers the backup of up to 10 SAP Hana Business One users. SAP Hana Business One Edition is recommended for companies with up to 25 SAP users. SEP classic licenses can be added at any time. The complete SAP portfolio can be licensed with a SEP sesam volume or classic license.

SEP maintenance

All SEP sesam Backup Server licenses for volume models, classic models and SAP Business One Edition include maintenance of 12 months. SEP maintenance consists of software updates (incl. the latest features, patches and bugfixes) or renewal services and technical support. Extensions (at first purchase or later) are always adopted to the runtime of an existing SEP sesam Backup Server environment and include a maximum maintenance validity of 12 months. Excluded are consulting services, such as analysis of the data to be backed up, infrastructure analysis, determination of the target state, creation of a solution concept, and installation service.

VM Essential Edition

The SEP sesam VM Essential Edition is licensed according to the installed sockets. A maximum of 6 sockets can be used in one license environment. VM Essential (Plus) Edition VMware and Essential (Plus) Edition Hyper-V can be mixed. Note that it is not possible to combine VM Essential and VM Essential Plus Editions.

It is also not possible to extend the functionality, however, a conversion into the volume license model is possible.

Managed Service Provider

The SEP MSP license model is suitable for managed service providers and data center operators who use SEP sesam for offering their customers Backup as a Service (BaaS). On the basis of long-term contracts with various service levels, you get a complete full-service package.

Licensing is based on TB data volume (front-side capacity), which is divided into service classes for database usage (level 2 and level 3).

Offers, order confirmations and invoices are made on a monthly basis.

The SEP sesam MSP maintenance consists of the software upgrade, update service and the SEP sesam 2nd and 3rd level support. Excluded are consulting services, such as analysis of the data to be backed up, analysis of the infrastructure, determination of the target state, creation of a solution concept, and the installation service. During the maintenance period, customers can download patches and bug fixes as well as the latest SEP sesam versions.

After the first qualified error analysis, SEP is available to the MSP for 2nd and 3rd level support via the SEP hotline (+49 (0) 700 737 787 767 8) from Monday to Sunday (0 a. m. - midnight). For details on current support information, see SEP support.

Also available are SEP CAPS (SEP Cloud App Protection Service) licenses for cloud-2-cloud backups and restores of SaaS applications such as Microsoft Office 365, Dynamics 365, G Suite, and Salesforce.

The data volume of the backed up items is limited to 1 TB per user (Exchange Online 50 GB) but can be divided among all users as desired. There are no costs for uploading/downloading data and also inactive users (excluded from the backup) are not billed.

License administration

Requirements

To create an application-specific license, you will need the following information about the SEP sesam backup server:

  • Host name
  • IP address
  • Delivery note number
  • Hardware platform (i386, x86, PPC, ia64, ...)

The SEP sesam Server name and IP address can be found in the SEP sesam GUI menu bar: Help -> License Info or by using the keyboard shortcut ALT + L.

Information about the delivery note number and the hardware platform can be accessed on the Linux console with the command:

uname -i 

or the Windows command line with the command:

set 

and on Windows 2003 also with

systeminfo

Send this information to sales@sep.de. If you have any questions during the 30 day installation support, please refer to support@sep.de.

Note
After installing SEP sesam, all functions are available without limitation for 30 days. Seven days before the end of the temporary license, you will be reminded of the upcoming license renewal. After the 30-day time limit has passed, the software’s backup functions are blocked. However, restores up to that point are still possible.

Entering a license

Licenses are usually sent as attachments by email. The attachment contains the license file, which you must enter into the SEP sesam Server.

  • Extract the file sm_lic.zip on the target machine.
  • Copy the file sm_lic.ini to <SESAM_ROOT>/var/ini.

To determine the correct host name and IP address for your SEP sesam license, follow these simple instructions:

  • In the SEP sesam GUI menu bar, select Help -> License Info.
  • UNIX command line:
 #> source <SESAM_ROOT>/var/ini/sesam2000.profile
 #> sm_info c
  • Windows command line:
 > <SESAM_ROOT>\var\ini\sm_prof
 > sm_info c

Note
Before entering a new license, make a backup copy of your existing license. If there are any problems with the new license, you can restore your working state with the original license at any time.

Changing an existing license

If the IP address or the server name of the backup server is changed, you have to transfer a SEP sesam Server license. This includes adjusting the existing server license to match the changed server name and/or new IP address.

Send the old and new license information to SEP AG (by email to sales@sep.de) to ensure that there were no errors during the transfer and to notify the contact person.

The transferred license is sent by email within the warranty's response time. New versions of the existing license and service documentation are created and the customer center is updated.

The license transfer is free of charge for customers with an existing SEP upgrade contract.

License and service documentation

In addition to the license file, which is sent digitally (usually by email), the customer also receives license certificates for the purchased modules and an upgrade/support card (if they opted for an upgrade or support contract).

The documentation contains a summary of all relevant information (IP address, server name, license details, run time and reaction times) and is sent by regular mail or as a PDF document by email.

Licensing FAQs

How do I order a new license?

To obtain a license, contact SEP sesam sales via the SEP contact page or at sales@sep.de and provide the following information:

  • host name of the SEP sesam Server
  • IP address of the SEP sesam Server

To determine which specific names are used by SEP sesam (for example, if more than one network card is installed on the server), go to Help -> License Info in the SEP sesam GUI menu bar and check the details. Licenses are available immediately after your purchase or renewal is completed and will be sent to you by email.

License Info displays all licensed components which are currently in use. It also shows you the number of clients and modules needed by your configuration if your SEP sesam Server is currently running in trial mode.

Note
Some features require a special license, for example, SEP sesam Exchange Recovery Pro and SEP sesam SharePoint Recovery Pro. SEP sesam licenses are issued on the basis of the size and requirements of your environment, so make sure that you are aware of feature/application specific licensing. For details on newly introduced licenses, see SEP sesam Exchange Recovery Pro license and SEP sesam SharePoint Recovery Pro license.

How do I activate a license?

You can activate licenses easily by importing the license in the SEP sesam GUI. Note that the SEP sesam Exchange Recovery Pro and SEP sesam SharePoint Recovery Pro extensions require special licenses and specific activation steps, as described in the section Activating special licenses.

Activating licenses in the SEP sesam GUI

After you have received your SEP sesam license by email, proceed as follows:

  1. From the SEP sesam GUI menu bar -> Help, select License Info. The SEP sesam License Info window appears.
  2. Click the button Import New License. A new window opens prompting you to paste a valid license file.
  3. Copy a valid license file sm_lic.ini and paste it from the clipboard or use the file manager to browse and select the required license as .ini or .zip file.
  4. Click Apply to enable the license.

Tip
The License Info also enables you to check the expiration date and to upgrade your license. All licensed components currently in use are displayed.

If the program displays any errors (for instance, in the host name or IP address), email the SEP sesam License Info to SEP sesam sales by clicking the Send as Mail button. Clicking the button opens an email with the license information loaded. Address the message to sales@sep.de and send it.

Activating special licenses

To activate the special licenses, such as SEP sesam Exchange Recovery Pro or SEP sesam SharePoint Recovery Pro, proceed as follows:

  1. Go to Start -> All Programs -> SEP sesam Exchange Recovery Pro or Start -> All Programs -> SEP sesam SharePoint Recovery Pro and open the extension. A License file not installed message appears.
  2. Click the License info button and import the license.ini file.

Both the SEP sesam Exchange Recovery Pro and SEP sesam SharePoint Recovery Pro extensions require specific installation and configuration. For details on these procedures, see SEP sesam Exchange Recovery Pro and SEP sesam SharePoint Recovery Pro.

How do I obtain the community version?

The SEP sesam community version is available to the general public for private use on Microsoft Windows and Linux. Please note that the software, manuals, licensing and terms from SEP AG and SEP Software Inc remain unchanged.

During the installation of a SEP sesam demo version (available at SEP Download Center), a community license file is created automatically. This file must be copied to the license file location after the 30-day trial period is over.

The file sm_lic.ini.com can be found at <SESAM_ROOT>/skel. Copy the file to <SESAM_ROOT>/var/ini and rename it to sm_lic.ini.

If you want to check the license status, go to Help -> License Info.

Technical support is not provided for the SEP sesam community version and it cannot be upgraded. Visit the SEP Forum or search SEP Wiki for help.
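The copy-into-place step described here and under Entering a license, including the advice to back up the existing license first, as an added shell example (not SEP sesam's own tooling). The function names, backup naming scheme and scratch paths are assumptions of this example; only the file name sm_lic.ini and the var/ini location come from the page.

```shell
#!/bin/sh
# install_license NEW_LICENSE INI_DIR
# Replaces INI_DIR/sm_lic.ini with NEW_LICENSE and keeps a timestamped backup
# of the license that was active before. Prints the backup path on stdout
# (an empty line if there was no previous license).
install_license() {
    new=$1
    ini_dir=$2
    target=$ini_dir/sm_lic.ini

    [ -s "$new" ] || { echo "new license missing or empty: $new" >&2; return 2; }
    [ -d "$ini_dir" ] || { echo "no such directory: $ini_dir" >&2; return 2; }

    backup=
    if [ -f "$target" ]; then
        backup=$target.bak.$(date +%Y%m%d%H%M%S)
        # Never overwrite an older backup taken within the same second.
        while [ -e "$backup" ]; do backup=$backup.x; done
        cp -p "$target" "$backup" || return 3
    fi

    # Copy next to the target, verify, then rename over it, so the active
    # license file is never left half-written.
    tmp=$target.new.$$
    if cp "$new" "$tmp" && cmp -s "$new" "$tmp" && mv -f "$tmp" "$target"; then
        echo "$backup"
        return 0
    fi
    rm -f "$tmp"
    echo "install failed, previous license left in place" >&2
    return 4
}

# restore_license BACKUP INI_DIR
# Rolls back to a backup written by install_license.
restore_license() {
    [ -f "$1" ] || return 2
    cp -p "$1" "$2/sm_lic.ini"
}

# Constructed demo in a scratch directory. The file contents are placeholders,
# not a real license format.
demo=$(mktemp -d)
mkdir -p "$demo/var/ini"
echo "placeholder: old license" > "$demo/var/ini/sm_lic.ini"
echo "placeholder: new license" > "$demo/sm_lic.ini"
saved=$(install_license "$demo/sm_lic.ini" "$demo/var/ini")
echo "previous license saved as: $saved"
rm -rf "$demo"
```

For the community license, the first argument would be the sm_lic.ini.com file from the skel directory; the function writes it under the name sm_lic.ini.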

Why does the W008-License TCPIP address not match the local address 127.0.0.2?

This problem usually occurs on SLES-based Linux systems. Check the file /etc/hosts and change the relevant entry for the loopback address "127.0.0.2" or remove it from the /etc/hosts file entirely.
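The hosts-file conditions behind this warning, together with those in the name-resolution requirements under SEP sesam Requirements (localhost entry intact, every component listed under a fully qualified name), can be checked mechanically because the hosts file is consulted before DNS. The following is an added example, not SEP sesam tooling; the host names, addresses and finding codes are constructed for illustration.

```shell
#!/bin/sh
# audit_hosts FILE NAME...
# Reads a hosts(5)-format file and prints one finding per line for the given
# SEP sesam component names; prints nothing if the file is clean.
#   LOCALHOST_MISSING  no "127.0.0.1 localhost" entry
#   NOT_FQDN           component name has no domain part
#   MISSING            component name has no entry in the file
#   LOOPBACK           component name resolves to a 127.x.x.x address
audit_hosts() {
    hosts_file=$1
    shift
    awk -v wanted="$*" '
    BEGIN { n = split(wanted, names, " ") }
    { sub(/#.*/, "") }                       # drop comments
    NF < 2 { next }                          # blank line or address without a name
    {
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            if (name == "localhost" && $1 == "127.0.0.1") lo4 = 1
            # Keep the first address seen for a name (assumed lookup order).
            if (!(name in addr)) addr[name] = $1
        }
    }
    END {
        if (!lo4) print "LOCALHOST_MISSING 127.0.0.1 localhost"
        for (i = 1; i <= n; i++) {
            name = tolower(names[i])
            if (index(name, ".") == 0) print "NOT_FQDN " name
            if (!(name in addr)) print "MISSING " name
            else if (addr[name] ~ /^127\./) print "LOOPBACK " name " -> " addr[name]
        }
    }' "$hosts_file"
}

# Constructed sample, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
127.0.0.2   backup01.example.com backup01   # loopback alias for the server name
192.0.2.20  client01.example.com client01
192.0.2.30  guihost
EOF
audit_hosts "$sample" backup01.example.com client01.example.com guihost rds01.example.com
rm -f "$sample"
```

On a real system the first argument would be /etc/hosts and the names those of the SEP sesam Server, clients and GUI machines.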

About Installation and Update

Overview

SEP sesam hybrid backup is the ideal data backup solution for heterogeneous IT infrastructures. It supports an extensive portfolio of virtualization platforms, operating systems, databases, and applications as well as provides protection for cloud environments; for details, see SEP sesam OS and Database Support Matrix. SEP sesam software and extensions are available at SEP Download Center. SEP sesam software requires a license.

Licensing

SEP sesam requires a paid license after the trial period expires. SEP sesam provides various licenses and editions that you can combine according to your needs to implement optimized backup. Some features require additional licenses. For details, see Licensing.

Essential modules

The essential modules of each SEP sesam environment are: SEP sesam Server, SEP sesam GUI, SEP sesam Remote Device Server (RDS), and SEP sesam Client(s). Each module is installed separately. The SEP sesam environment is managed centrally by the SEP sesam GUI.

Additional modules/extensions

SEP sesam also provides additional modules and functionality that enable consistent backup of databases (Oracle, MS SQL, IBM DB2, Informix SAP R/3, etc.), applications (such as SAP), groupware systems, virtualization environments, and cloud-to-cloud backup. Some of these extensions are already part of a Client package, and some require a separate license in order to function. Check the SEP sesam OS and Database Support Matrix to learn what is supported on each of the platforms. For a list of all supported extensions and their configuration, see Extensions.

Installation requirements and procedure

Once you have determined how you want to set up your SEP sesam environment, you can install the required components. Make sure that the hardware and software requirements are met before configuring SEP sesam environment. For details, see SEP sesam Requirements.

The installation procedure depends on the platform on which you are installing a SEP sesam package:

Note that when Si3 deduplication is used, Java is required on all systems that serve as SEP sesam Server, SEP sesam GUI client or SEP sesam Remote Device Server (RDS). For details, see Installing and Managing Java.

Component compatibility

SEP sesam Server and GUI client have to work with the same GUI. This means that whenever you update the SEP sesam Server, GUI update is required. SEP sesam prompts for GUI update when the server is updated.

Updates

After you have installed and configured your SEP sesam components according to your environment, SEP sesam provides free updates from previous to new versions and features of SEP sesam within the maintenance period. During this period, you can download bug fixes, patches, service packs, and the latest SEP sesam version(s) if you have a valid license.

  • Installing either Windows or Linux-specific distributions is pretty straightforward. For Linux systems, SEP provides special service pack executables that ease the installation of service packs and patches; see Applying Service Packs on Linux.
  • Updating SEP sesam extensions, e.g., BSR Pro for Windows, is done automatically during the SEP sesam update process.
Tip
SEP generally recommends upgrading the SEP sesam Server and Client components to the latest version during the regular upgrade process. For the complete list of releases, see SEP sesam release versions.

SEP may request that you install a particular update (i.e. fix, patch, or service pack) to resolve a specific problem. To get instantly notified about SEP sesam vulnerabilities and updates, click to subscribe to the SEP sesam RSS feed.

Updating methods and settings

There are a number of options available for updating SEP sesam software.

Install/Update options in GUI (available in newer versions of SEP sesam – v. ≥ 4.4.3 Beefalo)
You can set up your server to automatically check for, download and install updates, or decide to do it manually. You can update all clients within the location at once or update only OS-specific clients (Windows/Linux update), exclude a particular client from being updated, etc. For details, see Updating SEP sesam.
CLI command sm_update_client (available in newer versions of SEP sesam – v. ≥ 4.4.3 Beefalo)
You can perform all of the options mentioned above by using sm_update_client. The sm_update_client command implements all the features of the sm_update_client, as well as the previously used sm_remote_installer and sm_config_client commands that have been deprecated. For details, see Updating SEP sesam Using CLI.

Note: Updating SEP sesam is version-related; hence, some of the update options may not be available in earlier versions. If you are running a version ≤ 4.4.3 Grolar, see 4 4 3:Updating SEP sesam in earlier versions.

SEP sesam release cycle

The approximate release frequency of SEP sesam software is once a year for a major release, followed by a minor SEP sesam version which includes all preceding fixes and also introduces new features and functionality.

SEP sesam provides service pack executables that ease the installation of service packs and patches. Service packs are cumulative and contain all released bug fixes for the corresponding SEP sesam version. Downloading and installing service packs is straightforward on Windows and Linux; for Linux, see Applying Service Packs on Linux.

SEP sesam Quick Install Guide

The complete SEP sesam environment consists of different modules, which can be combined according to your needs to implement optimized backup. Modules interact with one another through SEP APIs, which are also used for interaction with other software.

The essential modules of each SEP sesam environment are: SEP sesam Server, SEP sesam GUI, SEP sesam Remote Device Server (RDS), and SEP sesam Client(s). Each module is installed separately. The SEP sesam environment is managed centrally by the SEP sesam GUI.

SEP sesam also provides additional modules and functionality that enable consistent backup of databases (Oracle, MS SQL, IBM DB2, Informix SAP R/3, etc.), applications (such as SAP), groupware systems, and virtualization environments. Some of these extensions are already part of a Client package, and some require a separate license in order to function. For details on licenses, see Licensing. Check the SEP sesam OS and Database Support Matrix to learn what is supported on each of the platforms. For a list of all supported extensions and their configuration, see Extensions.

Once you have determined how you want to set up your SEP sesam environment, you can install the required components. Note that the installation procedure depends on the platform on which you are installing a SEP sesam package and that Java is required on all systems that serve as SEP sesam Server, SEP sesam GUI client or SEP sesam Remote Device Server (RDS) when Si3 deduplication is used. For details, see Installing and Managing Java.

After you have installed and configured your SEP sesam components according to your environment, SEP sesam provides free updates from previous versions of SEP sesam to new versions and new features within the maintenance period. During this period, you can download patches and bug fixes as well as the latest SEP sesam versions, if you have a valid license. For details, see Updating SEP sesam.


Microsoft Windows installation

Prerequisites

  • Before starting the SEP sesam installation, make sure that you are logged in as a local administrator or domain administrator.
  • For remote access via remote desktop connection (RDC), the RDC administrator needs the same access rights as the local administrator.
  • To install any of the SEP sesam components (SEP sesam Server, RDS, Client or GUI), you will require an installation file, which can be downloaded from https://download.sep.de/windows/. Make sure to download the correct file for your processor type.
    Note: SEP sesam RDS does not have a dedicated installation package. To install RDS, use the SEP sesam Server package.
  • If you are planning to install a server (including the GUI) or the GUI, Java Runtime Environment (JRE) must be installed on the system, see Installing and Managing Java and check Java versions.
  • SEP sesam GUI requires a screen resolution of at least 1920x1080 (full HD).
  • The .Net Framework 4 is required for server installation and can be deselected for all other SEP sesam components during installation.
  • x86 operating systems with more than 3.25 GB RAM must either reduce the amount of RAM to below 3.25 GB or migrate to an x64 operating system. This is necessary because SEP sesam requires 64 KB blocks for LTO (Linear Tape Open) whereas an x86 system can only write 32 KB blocks to tape drive because the PAE (Physical Address Extension) is automatically activated. Also, the loader cannot be accessed properly by SEP sesam.
  • SEP sesam uses name resolution for server to client communication. Before installing, you should test the DNS name resolution by simply pinging (using both the long and the short name) from the server to the client and back. For details on DNS resolution check, see How to check DNS configuration.
  • Ensure that any used SCSI devices are recognized by the operating system to which you are installing SEP sesam. SEP sesam checks the SCSI bus attached storage devices during the installation and adds its data to the database. SEP sesam can only see devices recognized by the operating system.
  • Disabling the firewall is recommended to avoid problems during the SEP sesam installation. Once SEP sesam is installed, you can enable the firewall with exceptions made for the SEP sesam services.
  • For details on the SEP sesam default ports, see Which are the SEP sesam default TCPIP ports?

Installation

SEP sesam provides four installation packages: SEP sesam Client, SEP sesam GUI, SEP sesam RDS and SEP sesam Server (includes the Client and the GUI components). In the installation example below, we will use the SEP sesam Server installation package.

  1. Locate the download folder where you saved the SEP sesam installation package and double-click the sesam-srv-<Version_ID>-windows.x<SysType>.exe file to start the installation. Note that on Windows 7, you must explicitly execute the .exe file as administrator even if you are logged in as an administrator. Select your installation language and click Next.
  2. Agree to the license agreement and click Next again.
  3. Choose whether you want the SEP sesam services to run under the Standard system account or a Custom user account. It is recommended to give the SEP sesam Server services a Domain user account belonging to the Domain admins and the Local administrators groups. After choosing a user account, click Next.
  4. Select an installation directory for the program files (including the folders <SESAM_ROOT>\bin and <SESAM_ROOT>\skel) and the application data (including the folder <SESAM_ROOT>\var. This folder requires significant storage space if installing a server). Click Next.
  5. In the next window, select which of the four SEP sesam components you want to install (SEP sesam Server, SEP sesam Remote Device, SEP sesam GUI or SEP sesam Client). There is an additional option of installing a GUI with the SEP sesam Remote Device and a client with the SEP sesam GUI.
  6. After selecting a component, click Next.
    Note: The SEP sesam Server package already includes all other components. If you are installing a Remote Device Server (RDS), you can also include a GUI. If you are installing a GUI, you can also include the Client.
  7. Depending on which components you are installing, proceed accordingly:
    • If you are installing the SEP sesam Server, click Install and then Finish to complete the installation.
    • If you are installing the SEP sesam RDS, the SEP sesam GUI or the SEP sesam Client, type the name of the SEP sesam Server (for example, Informatix).
    Note: You must enter the hostname and not the IP address of the SEP sesam Server. The server name may not contain underscores.

  8. Click Next. The firewall information dialog is only intended for informative purposes. Take note of the information and click OK. Click Install to install the selected SEP sesam component and then click Finish to complete the installation.

If you have problems or questions regarding installation, also check FAQ: Installation and configuration.

Updates

SEP sesam provides free updates from previous to new versions and features of SEP sesam within the maintenance period. You can decide to either automatically or manually check for and install updates. See Updating SEP sesam. Installing an update on Windows is easy; simply download the executable file for your version of SEP sesam and install it. Make sure that you select the Update and Repair option.

Linux

SEP sesam provides RPM packages for the most common Linux distributions (for example, SuSE and RedHat) and DEB files for Debian Linux distributions. The latter run on most Debian-based distributions, such as Ubuntu. For details on SUSE- and RedHat-based distributions, see RPM Repository. For more information on Debian packages, see Debian Repository.

Tip: SEP sesam provides free updates from previous to new versions and features of SEP sesam within the maintenance period. You can decide to either automatically or manually check for and install updates. To install and update on Linux, you must make the service pack executable after downloading it. For details, see Applying Service Packs on Linux.

Prerequisites

  • Before starting the SEP sesam installation, make sure that you are logged in as the root user.
  • SEP sesam uses network resolution for server to client communication. Before installing, you should test the DNS name resolution by simply pinging (using both the long and the short name) from the server to the client and back. For details on the DNS resolution check, see How to check DNS configuration.
  • SEP sesam GUI requires a screen resolution of at least 1920x1080 (full HD).
  • Ensure that any used SCSI devices are recognized by the operating system to which you are installing SEP sesam. SEP sesam checks the SCSI bus attached storage devices during the installation and adds its data to the database. SEP sesam can only see devices recognized by the operating system.
  • Disabling the firewall is recommended to avoid problems during the SEP sesam installation. Once SEP sesam is installed, you can enable the firewall with exceptions made for the SEP sesam services.
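
The name rules above (the server is given as a hostname without underscores, not as an IP address, and both the long and the short name must resolve) can be checked with a script before installation. This is an added example, not part of SEP sesam; the function names are hypothetical, and getent hosts is assumed as a stand-in for the manual ping test.

```shell
#!/bin/sh
# Added example, not part of SEP sesam. Function names are hypothetical.
# Assumption: `getent hosts` stands in for the manual ping test.

# is_ip NAME -> 0 if NAME is written like an IPv4 or IPv6 address
is_ip() {
    case "$1" in
        *:*)           return 0 ;;   # IPv6 literal
        ''|*[!0-9.]*)  return 1 ;;   # empty, or more than digits and dots
        *.*.*.*)       return 0 ;;   # dotted quad
    esac
    return 1
}

# valid_server_name NAME -> 0 if NAME can be entered as the SEP sesam Server name
valid_server_name() {
    if is_ip "$1"; then return 1; fi      # the installer wants a hostname
    case "$1" in
        ''|*_*)            return 1 ;;    # underscores are not allowed
        *[!A-Za-z0-9.-]*)  return 1 ;;    # outside the DNS hostname alphabet
        -*|*-|.*|*.)       return 1 ;;    # bad first or last character
    esac
    return 0
}

# resolve NAME -> prints the first address the system resolver returns
resolve() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# check_pair SHORT LONG -> verdict on stdout; 0 only if both names
# resolve and point to the same address
check_pair() (
    short=$1; long=$2
    a_short=$(resolve "$short"); a_long=$(resolve "$long")
    if [ -z "$a_short" ] || [ -z "$a_long" ]; then
        echo "FAIL unresolved short=${a_short:-none} long=${a_long:-none}"
        exit 1
    fi
    if [ "$a_short" != "$a_long" ]; then
        echo "FAIL mismatch $short=$a_short $long=$a_long"
        exit 1
    fi
    echo "OK $long $a_long"
)

# Usage: sh preflight.sh <short_name> <long_name>
# Run it on the server for the client's names and on the client for the server's.
if [ $# -eq 2 ]; then
    valid_server_name "$2" || echo "WARN $2 is not an acceptable server name"
    check_pair "$1" "$2"
fi
```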

SEP sesam Server installation

SLES-based distributions

SLES includes the standard tool zypper which is common for package management. With this tool packages can be installed (and uninstalled) in the command line. Before you install any of the SEP sesam components (e.g., Server, Client or GUI), make sure that you have configured the RPM repository for SLES-based distributions properly. For details, see RPM Repository.

The SEP sesam Server package includes all dependencies that are needed for the standard SEP sesam Server installation. For details on the supported SLES versions, see SEP sesam OS and Database Support Matrix.

On SLES12, it is recommended to install required Java packages before installing the SEP sesam Server to avoid possible installation errors. Use the following command sequence:

zypper install java-11-openjdk

To install or update the SEP sesam Server, use the following command:

# zypper install sesam_srv<version.OS.system_type>

Tip: To perform a simple update without adjusting the dependencies of the installed SEP sesam version, e.g., on SLES11, you can use the command rpm -Uvh (only recommended for advanced administrators!). Alternatively, update the server by using the above zypper command.

RHEL/CentOS-based distributions

All RHEL- and CentOS-based distributions include the standard tool yum which is common for package management. With this tool, packages can be installed (and uninstalled) in the command line. Before you install any of the SEP sesam components (e.g., Server, Client or GUI), make sure that you have configured the RPM repository for RHEL-based distributions properly. For details, see RPM Repository.

The SEP sesam Server package includes all dependencies that are needed for standard SEP sesam Server installation. For details on the supported RHEL/CentOS-based versions, see SEP sesam OS and Database Support Matrix.

To install the SEP sesam Server, use the following command:

# yum install sesam_srv<version.OS.system_type>

Note: On RHEL, the SEP sesam installation changes the permissions of /var/run/postgresql to grant SEP sesam users PostgreSQL access privileges.

Debian-based distributions

The Debian-based distribution (Debian/Ubuntu/UCS) includes the standard tool apt-get which is common for package management. With this tool packages can be installed (and uninstalled) in the command line. Before you install any of the SEP sesam components (e.g., Server, Client or GUI), make sure that you have configured the Debian repository properly. For details, see Debian Repository.

The SEP sesam Server package includes all dependencies that are needed for the standard SEP sesam Server installation. For details on the supported Debian-based versions, see SEP sesam OS and Database Support Matrix.

To install the SEP sesam Server, use the following command:

root@hostname#: apt-get install sesam-srv

Use the following command to install *.deb files:

dpkg -i sesam-srv<version.system_type>.deb

Note: Installing SEP sesam on Debian and Ubuntu requires additional steps. For details, see Debian Repository.

SEP sesam Client installation

Note: Because the SEP sesam GUI already contains the client components, the SEP sesam Client package cannot be installed in addition to the GUI.
To install the SEP sesam Client, select the download folder where you have saved the SEP sesam Client installation package.

  • For SLES-based distributions, use the following command:
    # zypper install sesam_cli<version.OS.system_type>

  • For RHEL (Red Hat Enterprise Linux), use the following command:
    # yum install sesam_cli<version.OS.system_type>

  • For Debian-based distributions, use the following command:
    root@hostname#: apt-get install sesam-cli

    Use the following command to install *.deb files:

    dpkg -i sesam-cli<version.system_type>.deb

    Note: Installing SEP sesam on Debian and Ubuntu requires additional steps. For details, see Debian Repository.

Run the following command on the client to grant access rights to the SEP sesam Server and to allow it to contact and backup the client:

/opt/sesam/bin/sesam/sm_setup set_client <SEP sesam Server Name>

If you have problems or questions regarding installation, also check FAQ: Installation and configuration.

SEP sesam GUI installation

The SEP sesam GUI package is intended for the administration of the SEP sesam Server from another computer.
Note: Since the GUI component is already included in the SEP sesam Server package, it cannot be installed additionally on the SEP sesam Server.

To install the SEP sesam GUI, select the download folder where you have saved the SEP sesam GUI installation package.

  • For SLES-based distributions, use the following command:
    # zypper install sesam_gui<version.OS.system_type>

  • For RHEL (Red Hat Enterprise Linux), use the following command:
    # yum install sesam_gui<version.OS.system_type>

  • For Debian-based distributions, use the following command:
    root@hostname#: apt-get install sesam-gui

    Use the following command to install *.deb files:

    dpkg -i sesam-gui<version.system_type>.deb

    Note: Installing SEP sesam on Debian and Ubuntu requires additional steps. For details, see Debian Repository.

On KDE and Gnome, the installation generates a link on the root user desktop to start the GUI. This link must target the correct SEP sesam Server. Open the link properties and add the following parameter to the command line:

-S <SEP sesam Server Name>

If you have problems or questions regarding installation, also check FAQ: Installation and configuration.

Afterwards, to start the SEP sesam GUI, use the following command:

/opt/sesam/bin/gui/sesam_gui -S <hostname_backup_server>

AIX

To find out which AIX versions are supported and which components are available for AIX, check SEP sesam OS and Database Support Matrix.

Prerequisites

  • Before starting the SEP sesam installation, make sure that you are logged in as the root user.
  • Installing the SEP sesam component for AIX (depending on availability, either the SEP sesam Client or the Remote Tape Server can be installed) requires special RPM packages to be installed with the standard RPM package manager (part of the AIX default installation). You can download the SEP sesam RPM packages from https://download.sep.de/aix/7/ and the required prerequisites (openssl and readline) from ftp://www.oss4aix.org/latest, and copy them to /tmp/rpm-packages/ on the AIX system. Then install the packages via RPM:
    cd /tmp/rpm-packages/
    rpm -i *
  • The SEP sesam GUI requires Java Runtime Environment to be installed on the system. For details on the required Java version, see Java Compatibility Matrix.

SEP sesam Remote Tape Server or Client installation

  1. Download the relevant SEP sesam package from https://download.sep.de/aix/7/ and copy it to the /tmp directory on your AIX system. The following example shows the installation of the sesam_rts package. The procedure for installing the SEP sesam Client is slightly different; the name of the package is substituted with sesam_cli.
  2. Unzip the archive by using the following commands:
     gunzip sesam-rts-<version>-aix_powerpc.tgz
     tar -xvf sesam-rts-<version>-aix_powerpc.tar

    A new directory sesam_rts_<version> is created:

     # tar -xvf sesam-rts-4.4.2.58-aix_powerpc.tar 
     x sesam_rts_4.4.2.58
     x sesam_rts_4.4.2.58/aix_rts.4.4.2.58.tgz, 22440192 bytes, 43829 media blocks.
     x sesam_rts_4.4.2.58/sm_setup, 2168068 bytes, 4235 media blocks.
  3. Go to the unzipped directory
    cd sesam_rts_<version>
  4. Execute the setup executable sm_setup as the root user:
     # cd sesam_rts_<version>
     # ./sm_setup
  5. Follow the wizard and select the relevant components that you wish to install, tapeserver or client, respectively:
     # ./sm_setup
     Found 1 valid archive(s): 'aix_rts.4.4.2.58.tgz,'.
     What do you want to install? (tapeserver,client)
     tapeserver
  6. Set the installation directory; the recommended place to install sesam is /opt/sesam. Make sure that there is at least 10 GB of free disk space available. Optionally, choose another installation directory that has enough free space:
     In which directory do you want to install (If not existing it will be created): 
     /opt/sesam/
     In which directory do you want to install (Read-Write): 
     /opt/sesam/
  7. Specify the SEP sesam Server hostname in your environment; you must provide the DNS hostname of your backup server. The DNS Server must be correctly resolved on the AIX system. For details, see How to check DNS configuration.
     To which SEP sesam Server should be connected?
     backupserver.hostname

Once you specify all the required information, the SEP sesam software installation and configuration start. If you have problems starting the SEP sesam services, check the Troubleshooting Guide.

Mac OS X

Prerequisites

  • Before starting the SEP sesam installation, make sure that you are logged in as a local administrator or domain administrator.
  • If you are planning to install a GUI, Java Runtime Environment must be installed on the system. For details on the required Java version, see Java Compatibility Matrix.

Steps

SEP sesam does not provide a dedicated Mac OS package. You should download the latest SEP sesam Linux GUI package from https://download.sep.de/linux/repositories/debian/pool/main/s/sesam-gui/, copy it to your Mac system, and extract it with the command:

 ar x <sesam-gui_4.4.3-xx.lenny_i386.deb> && tar xfz data.tar.gz

and copy the extracted directory to your program files directory; then use the <SESAM_BIN>/gui directory:

/opt/sesam/bin/gui/sesam_gui -S <hostname_backup_server>

Or, in case your backup server is a Linux system, you can connect via the command line (X must be enabled) and start the GUI:

/opt/sesam/bin/gui/sesam_gui -S <hostname_backup_server>  

SEP sesam for Mac OS X supports standard file backups with ACLs. Disaster recovery is not supported!

If you have problems or questions regarding installation, also check FAQ: Installation and configuration.

Univention UCS

For the list of supported Univention UCS versions and available SEP sesam components for UCS, check SEP sesam OS and Database Support Matrix.

Prerequisites

  • Before installing, you should test the DNS name resolution by simply pinging (using both the long and the short name) from the server to the client and back. For details on the DNS resolution check, see How to check DNS configuration.
  • Disabling the firewall is recommended to avoid problems during the SEP sesam installation. Once SEP sesam is installed, you can enable the firewall with exceptions made for the SEP sesam services.

Installing SEP sesam on UCS

You can install SEP sesam on UCS by using any of the following options:

Option 1: Installing via the Univention App Center (only the SEP sesam Server and Client)
  1. Open the Univention Management Console in your browser.
  2. Go to Software -> App Center.
  3. Search for SEP sesam.
  4. Install either SEP sesam Server or SEP sesam Client.
Option 2: Installing via the SEP Debian Repository
  1. Open a terminal session as the root user.
  2. Enable Univention unmaintained repositories with the following command (this enables the UCS system to install the dependencies for SEP sesam):
    ucr set repository/online/unmaintained=yes
  3. Add the SEP Debian Repository as described in Debian Repository:
    • UCS 4.2 is based on Debian 8 Jessie.
    • UCS 4.3 is based on Debian 9 Stretch.
  4. Update the repositories by using:
    apt update
  5. Install the SEP sesam package via apt. For example, to install the SEP sesam Server package, use:
    apt install sesam-srv

    Other options are listed here: Debian Repository.

Option 3: Installing manually
  1. Open a terminal session as the root user.
  2. Enable Univention unmaintained repositories with the following command (this enables the UCS system to install the dependencies for SEP sesam):
    ucr set repository/online/unmaintained=yes
  3. Download the desired installation package from the SEP Download Center.
    • UCS 4.2 is based on Debian 8 Jessie.
    • UCS 4.3 is based on Debian 9 Stretch.
  4. Update the repositories by using:
    apt update
  5. Install SEP sesam package via apt:
    apt install /path/to/downloadedpackage

Configuring UCS firewall

By default, the Univention firewall is included in all UCS installations with all incoming ports blocked. You have to enable access to certain ports to allow SEP sesam to work.

Note: Installing a SEP sesam App Center package will automatically open the required ports for SEP sesam except for the Si3 Replication and REST API.

Disable UCS firewall

You may consider deactivating the UCS firewall completely by setting the Univention Configuration Registry variable security/packetfilter/disabled to true:

ucr set security/packetfilter/disabled=yes
service univention-firewall restart

Use SEP sesam with enabled UCS firewall

Check the list of required ports for SEP sesam: List of Ports Used by SEP sesam.

To open a port or a range of ports, use the following commands:

ucr set security/packetfilter/tcp/portnumber_or_portrange/all=ACCEPT
service univention-firewall restart

Client firewall settings

If you want to back up a client behind a firewall using STPD, you have to specify an open port range in the client's STPD Options as follows:
Open SEP sesam client Properties and switch to the Options tab. If you have installed a client from the App Center, the port range is 11002-11007.

For more information on client configuration, see Configuring Clients.
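
Instead of disabling the packet filter, the ports SEP sesam needs can be opened one by one with the ucr command shown above. This added example (not from SEP or Univention) validates a list of ports or ranges and prints the commands for review; the function names are hypothetical, and writing a range as START:END inside the UCR key is an assumption, since the page only gives the placeholder portnumber_or_portrange.

```shell
#!/bin/sh
# Added example, not from SEP or Univention. Function names are hypothetical.
# Assumption: a port range is written START:END inside the UCR key; the page
# only names the placeholder "portnumber_or_portrange".

# valid_port N -> 0 for an integer 1..65535 without leading zeros
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# ucr_key SPEC -> UCR variable name for "PORT" or "START-END"
ucr_key() (
    case "$1" in
        *-*)
            start=${1%%-*}; end=${1#*-}
            valid_port "$start" && valid_port "$end" \
                && [ "$start" -le "$end" ] || exit 1
            echo "security/packetfilter/tcp/$start:$end/all" ;;
        *)
            valid_port "$1" || exit 1
            echo "security/packetfilter/tcp/$1/all" ;;
    esac
)

# ucr_rules SPEC... -> prints the commands to run as root.
# Nothing is printed if any SPEC is invalid, so a typo cannot half-apply a list.
ucr_rules() (
    out=
    for spec in "$@"; do
        key=$(ucr_key "$spec") || { echo "invalid port spec: $spec" >&2; exit 1; }
        out="$out
ucr set $key=ACCEPT"
    done
    [ -n "$out" ] || exit 1
    printf '%s\n' "${out#?}" "service univention-firewall restart"
)

# Usage: sh open_ports.sh 11002-11007 [more ports or ranges]
# Review the printed commands, then run them as root.
[ $# -eq 0 ] || ucr_rules "$@"
```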

Remote Installation of Windows Clients

As of Beefalo V2, you can remotely install any SEP sesam package (Client, RDS, etc.) from your SEP sesam Windows Server to any Windows system by using the SEP sesam GUI (once your Windows clients are added to the SEP sesam environment). If you prefer to use the command line to install SEP sesam remotely, use the sm_update_client install command as described in Updating SEP sesam Using CLI; the previously used sm_remote_install command is now deprecated.

Step 1: Enable Update mode

After you have installed SEP sesam Windows Server, you can install any SEP sesam package on your Windows clients (Client, RDS, etc.) by using SEP sesam GUI Topology or Clients view. The displayed status details and the options available from the right-click menu in the Topology or Clients view depend on the selected Update mode option. The Install SEP sesam option is only available if your update mode is set up to enable the install/update feature.

By default, SEP sesam does not check, download and install updates. You can change your update mode in SEP sesam menu bar -> Configuration -> Defaults -> click the tab Install/Update and select one of the modes that enable the automatic check function. For details, see Setting preferred update mode.

Step 2: Install SEP sesam remotely

  1. Once you have set the update mode that allows SEP sesam to check for installation and update packages, from Main Selection -> Topology or Clients, right-click the selected Windows client to perform individual installation, then select Install SEP sesam.
  2. A new window opens where you have to specify the following:
    • User: Specify the name of the domain or local admin user account that has installation and backup rights; the latter are required when using the option Run SEP sesam service as given user (see below).
    • Password: Enter the password for the specified local or domain administrator account.
    • Sesam package: Choose the package that you want to install: SEP sesam Client, SEP sesam Remote Device (RDS), or SEP sesam GUI. For each package, you can select to install additional extensions or features by selecting the relevant check box below: install SEP sesam Client with BSR, SEP sesam RDS with BSR and/or GUI, and SEP sesam GUI with BSR and/or Client.
    • Run SEP sesam service as given user: If you are installing Exchange DB or Hyper-V cluster, select this option and run the service under the admin account that has the backup rights (see the first option).
    • Force installation: If you want the installation to be performed in any case, even if a previous version exists or the version is identical or some warnings are encountered during the process, select this option.

Hovering over a client displays information about the installation status.

Applying Service Packs on Linux

As of SEP sesam version ≥ 4.4.3.25, SEP offers special service pack executables for Linux systems that ease the installation of service packs and patches. A service pack is cumulative and contains all released fixes for the corresponding SEP sesam version.

As of version 4.4.3.61 Grolar, the service packs are available for the following components:

In previous versions only service packs for the SEP sesam Server were available.

Downloading SEP sesam service pack

All service packs are available at the download portal: https://download.sep.de/servicepacks/

To download the service pack for SEP sesam 4.4.3 for Linux, go to https://download.sep.de/servicepacks/4.4.3/<release_version_number>/linux/, for example, https://download.sep.de/servicepacks/4.4.3/4.4.3.61/linux/.

Within the version-specific directory you will find service packs for all supported Linux distributions. Service packs are provided as executable files, named in the following manner:

sesam_patch_srv-<version>_<distribution>_<architecture>-<sesam-version>.sh

The following example shows a SEP sesam service pack for Debian Jessie on x64:

root@system:~# wget "https://download.sep.de/servicepacks/4.4.3/4.4.3.61/linux/sesam_patch_srv-c325b58_jessie_amd64-4.4.3.61.sh"

Installing SEP sesam service pack

Note:
  • All commands have to be executed as root user or as an administrative user with the sudo command prefixed.
  • SEP sesam service pack installation will not check for running SEP sesam operations. Applying a patch while some SEP sesam operations are still running, for example backup or migration, will stop all running operations!

After downloading the relevant service pack for your operating system, you must make the downloaded service pack executable:

root@system: ~ # chmod +x sesam_patch_srv-b50baae_sles12_x86_64-4.4.3.25.sh

Then you can continue with the installation:

root@system: ~ # ./sesam_patch_srv-b50baae_sles12_x86_64-4.4.3.25.sh 
Verifying archive integrity... All good.
Uncompressing SEP sesam service pack    37% 
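
Because the service pack is a shell script that runs as root, it is worth checking the file name against the naming scheme above and against the host before making it executable. The following is an added example, not SEP's own tooling; the function names are hypothetical, and deriving the download directory from the first three version fields is an assumption based on the 4.4.3 URLs shown.

```shell
#!/bin/sh
# Added example, not SEP's tooling. Function names are hypothetical.
# Only the sesam_patch_srv-... naming scheme shown on the page is accepted.

# parse_sp_name FILE -> prints "BUILD DISTRO ARCH VERSION", fails on anything else
parse_sp_name() (
    name=${1##*/}                          # drop any directory part
    case "$name" in
        sesam_patch_srv-*_*_*-*.sh) ;;
        *) exit 1 ;;
    esac
    body=${name#sesam_patch_srv-}; body=${body%.sh}
    version=${body##*-}                    # text after the last '-'
    rest=${body%-*}                        # BUILD_DISTRO_ARCH
    build=${rest%%_*};  rest=${rest#*_}
    distro=${rest%%_*}; arch=${rest#*_}    # arch keeps an inner '_' (x86_64)
    for field in "$build" "$distro" "$arch" "$version"; do
        case "$field" in ''|*[!A-Za-z0-9._]*) exit 1 ;; esac
    done
    case "$version" in *[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    echo "$build $distro $arch $version"
)

# norm_arch ARCH -> canonical name, so that amd64 and x86_64 compare equal
norm_arch() {
    case "$1" in
        amd64|x86_64)   echo x86_64 ;;
        i386|i586|i686) echo x86 ;;
        *)              echo "$1" ;;
    esac
}

# sp_url FILE -> the HTTPS URL the file is expected to come from.
# Assumption: the first directory is the first three version fields
# (the page shows 4.4.3 only).
sp_url() (
    fields=$(parse_sp_name "$1") || exit 1
    version=${fields##* }
    major=$(echo "$version" | cut -d. -f1-3)
    echo "https://download.sep.de/servicepacks/$major/$version/linux/${1##*/}"
)

# check_sp FILE [HOST_ARCH] -> 0 if the name parses and the architecture fits the host
check_sp() (
    fields=$(parse_sp_name "$1") || {
        echo "REJECT name does not match the service pack scheme"; exit 1; }
    host=${2:-$(uname -m)}
    arch=$(echo "$fields" | cut -d' ' -f3)
    if [ "$(norm_arch "$arch")" != "$(norm_arch "$host")" ]; then
        echo "REJECT built for $arch, host is $host"; exit 1
    fi
    echo "OK $fields"
)

# Usage: sh check_sp.sh <downloaded_file>   (before chmod +x)
if [ $# -ge 1 ]; then
    check_sp "$1" && echo "expected source: $(sp_url "$1")"
fi
```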

Checking Access State

You can use the Check Access State option to make sure that you have access to your SEP sesam Client(s).

To determine whether the client is accessible, that is, to verify that the SEP sesam software is present on the client, the network connection works and hence the client is reachable from the SEP sesam Server, proceed as follows:

From the SEP sesam GUI

  1. In the SEP sesam GUI -> Main Selection -> Topology, right-click the target SEP sesam Client.
  2. Select Check Access State and click Yes.

Note that availability of the update/install options depends on your selected update mode. If the Update mode is set to Turn off (hide from all users) the option Check Access state is not visible.

In the background, the command for checking the access state (see the section below) is executed asynchronously.

From the SEP sesam Server command line

Execute the following command on SEP sesam Server console:

sm_update_client check_client -C r -c <client_name> -m SMSSH

where the option -C r means that remote access of the client should be checked and -m SMSSH means that ssh should be used to check the connection.

Checking the results in the SEP sesam GUI

You can check the results in Topology in the columns Access State, Last Access and Last sesam Message.

Tip: If the Topology columns are not visible, right-click a column header and select the option Column Visibility. Then simply select the relevant check boxes to set up which columns will be displayed.

Updating SEP sesam

Overview

Once you have set up your SEP sesam environment, SEP sesam provides free updates from previous to new versions and features of SEP sesam within the maintenance period. During this period, you can download bug fixes, patches, service packs, and the latest SEP sesam version(s) if you have a valid license.

Manual and auto update

SEP sesam software update feature provides an easy way to control your updates. It can be used to either automatically or manually check for and install updates. The following options are available for updating SEP sesam software.

  • You can set your preferred update mode in GUI Install/Update as explained in section Setting preferred update mode. Depending on your selected mode, the displayed status details and the options available from the right-click menu in the Topology or Clients view may vary, see below Checking update status.
  • Alternatively, you can use the CLI sm_update_client command, as described in Updating SEP sesam Using CLI.
  • You can also update your clients manually by copying the required package to the client and updating directly on the client.

Update process

SEP sesam software update functionality is designed to check the SEP sesam versions currently in use against the latest versions available from SEP and propose updates when a newer version is available. The process can handle everything needed to update SEP sesam environment, including installing service packs for SEP sesam Server, SEP sesam Server UI update and clients update. The process of auto updating SEP sesam consists of the following:

  1. First, the index.txt file is checked to get the list of all available packages at SEP sesam repository.
     The index.txt contains the list of all available packages. It is typically downloaded from SEP Download Center. If you would like to update your clients with the packages that are stored locally (for example, when your SEP sesam Server has no access to the internet), you have to provide the index.txt file to the update manager, as described in Use custom package source. In case more than one package in the index.txt matches a given client, the update routine will always take the last match in the file.
  2. Depending on the selected update mode, SEP sesam packages may be downloaded and installed automatically or manually later by the administrator. Software packages can be downloaded from SEP Download Center.

If you decide to stick to manual updates, you can download and install the relevant Windows- or Linux-specific distribution, as described in SEP sesam Quick Install Guide. For Linux systems, SEP provides special service pack (SP) executables that ease the installation of service packs and patches. Installing on Windows is easy; simply download the executable file for your version of SEP sesam and install it. On Linux, however, you must make the SP executable after downloading it. For details, see Applying Service Packs on Linux. SEP sesam software packages can be downloaded from SEP Download Center.

Setting preferred update mode

You can set your update mode in SEP sesam menu bar -> Configuration -> Defaults -> click the tab Install/Update. The displayed status details and the options available from the right-click menu in the Topology or Clients depend on the selected update mode. By default, SEP sesam does not check, download and install updates.

The following options are available:

  • Turn off (hide from all users): If selected, the install and update feature is not shown in the GUI. No install/update options are visible for any of the users, not even the administrator, until this mode is switched on.
  • Do not check or install automatically (default): If selected, updates are neither checked, downloaded nor installed when a new version is available.
  • Check automatically, but install manually: If selected, updates are checked by using index.txt to get the list of all available packages, but you have to download and install them manually.
    Tip
    To start the download and update process in the background, select Update client from the context menu (Topology -> client -> right-click -> Update client).
  • Check, download and install automatically: If selected, updates are automatically checked, downloaded and installed, based on SEP sesam NEWDAY when a new version is available in the SEP Download Center. This option may not be recommended, depending on the configuration of your SEP sesam environment and its activity.
    Note
    This option is only available in the Expert UI mode. So if you run the GUI in Basic or Advanced UI mode, you first have to change the mode to Expert, as described in Selecting UI mode.

Use custom SEP sesam package source

By selecting this option, you can update your SEP sesam Clients by using a SEP sesam custom package source, which may be stored locally, on a network drive, or at a specified URL. The advantage of using a custom package is that you have full control over the version that is getting installed.

For this, you have to browse for or specify the full path (a file system location) to the index.txt file for the specified custom package. How you specify the path depends on the file location and your OS, see examples below.

Generating index.txt

If index.txt does not yet exist in the selected folder, SEP sesam creates it automatically, considering only the files in the given directory (subdirectories are not considered). This only happens the first time you activate the custom package source.

If the index.txt already exists, you have to regenerate the file manually to get the list of relative paths of all available packages at your SEP sesam Server. You have to recreate the index.txt file each time you have downloaded a new package version to your custom source folder. To create the index.txt file, open the command prompt and navigate to the directory with your downloaded packages. Depending on your operating system and the package location, run the following command:

Windows

cd C:\temp\sesam_download
dir /B >index.txt

Linux/UNIX

cd /tmp/sesam_download
find . -name "*sesam*" -printf "%P %k %TY-%Tm-%Td %TH:%TM:%TM \n" >index.txt 

Specifying path to the index file

  • The package and index.txt are located in the local directory, e.g., in the directory <TEMP>/sesam_download/index.txt. On Windows, specify the path to the index file as:

    file:///C:\temp\sesam_download

    On Linux:

    file:////tmp/sesam_download

    Note
    You have to use the syntax file:, followed by /// or //// and the path to the index file. On Windows, these first 3 forward slashes are mandatory, then also a backslash is allowed. On Linux, specify the path with 4 forward slashes: ////!
  • The package and index.txt are on a network share, e.g., on Windows: <win_share>\users\admin\sesam\4.4.3

    file:\\<win_share>\users\admin\sesam\4.4.3

    On Linux: <linux_share>/users/admin/sesam/4.4.3_beta

    file://<linux_share>/users/admin/sesam/4.4.3

  • To load the SEP sesam packages from the custom URL, simply enter the URL. For example, to install SEP sesam beta packages enter the SEP sesam beta download repository where the file index.txt is located:

    http://beta.sep.de/

Tip
The latest index.txt file with all available packages can be retrieved from the SEP Download Center.

Checking update status

You can enable the automatic check for updates in the Defaults -> Install/Update menu or you can check the update status manually by using the right-click menu -> option Check Update State. The availability of the latter option depends on your selected update mode, see above Setting preferred update mode.

Topology and Clients view – right-click menu

Changed view with bigger icons

A message that a client is up to date is shown when there are no available updates. If an update is available, a yellow arrow appears on the client. For more details on status icons, see Client status icons.

Performing mass update

You can simultaneously update all clients in the same location or decide to update only the Linux or Windows clients that belong to the selected location. The mass update will update all existing clients in the selected location according to your selected option (all, all Linux or all Windows) except the SEP sesam Server itself. For details on how to update the server, see section SEP sesam Server update.

For example, you may have a location that contains both Windows and Linux clients and you only want to update the Linux clients. In this case, select your target location, right-click it and select Update all Linux Clients. The right-click update menu options are available in the Topology and Clients view if your update mode is not set to Turn off (hide from all users); for details, see above Setting preferred update mode.

Installing SEP sesam Service Pack

You can install SEP sesam service packs by using the Update Client context menu. In the update message window, you can select the option Install SEP sesam client service pack (if available) and the service pack will be installed in addition to the new packages.

  • If you check the update status and there is only a service pack available, the client is marked with New version available. Performing the update with service pack installation will install the service pack.
  • SEP sesam service packs are cumulative and contain all released bug fixes for the corresponding SEP sesam version. SEP sesam sends notifications via RSS feeds to alert administrators of important issues affecting your SEP sesam environment, such as the availability of a service pack, the notification of the error, or the announcement of a new release. These notifications can be accessed in the Notification Center in the upper right corner of the GUI and Web UI.

SEP sesam Server update

SEP sesam Server cannot be automatically updated. It can only be updated manually by copying/downloading the required package to your SEP sesam Server and then executing it manually.

However, there are two special update options available in the GUI exclusively for the SEP sesam Server: Install UI Server Service Pack (a GUI SP for server) and Install Service Pack.

  • SEP sesam service packs are cumulative and contain all released bug fixes for the corresponding SEP sesam version. SEP sesam sends notifications via RSS feeds to alert administrators of important issues affecting your SEP sesam environment, such as the availability of a service pack, the notification of the error, or the announcement of a new release. These notifications can be accessed in the Notification Center in the upper right corner of the GUI and Web UI.
Note
Whenever you update the server, you also have to update the GUI client because the GUI client and the SEP sesam Server have to work with the same GUI.

Verifying updates

You can easily check whether your update was successful by checking the log files or the client status in the Topology or Clients view, if you have enabled either of the following two modes: Check automatically, but install manually or Check, download and install automatically (see above Setting preferred update mode).

If you have selected the Turn off update mode and you want to check if the update was successful, proceed as follows:

  1. Check the connection between a GUI client and the SEP sesam Server. The connection should work.
  2. Open the SEP sesam GUI and from the menu bar select Help -> About SEP sesam. Both the SEP sesam GUI client and the SEP sesam GUI Server must have the same build versions.


How to check DNS configuration

Overview

Certain problems may occur when configuring new clients in SEP sesam if the DNS server is misconfigured or missing. SEP sesam needs a proper DNS to work and will not work with an IP address only. All DNS names must be correctly resolved (forward and reverse DNS lookup).

If the DNS server is missing, you will have to use the hosts file of the client and backup server to make systems available via a DNS name. The hosts file can be found in the following locations:

Linux: /etc/hosts
Windows: C:\Windows\system32\drivers\etc\hosts

Note
The hostname of the SEP sesam server may not include an underscore "_" sign. For hostname restrictions, see Restrictions on valid host names.

Tools to check DNS resolution

Several tools are available for checking the DNS resolution; however, SEP recommends that you use sm_setup check_resolution.

sm_setup check_resolution (recommended)

The SEP sesam sm_setup tool is part of the SEP sesam Client and Server installation and can be used from the command line to resolve DNS names. Before using this tool, you will have to set up a SEP sesam profile as described in the FAQ: What happens when I set a profile?

SEP recommends that you run this command on the backup server AND on the client with the same arguments. It is important that the client and the backup server each resolve themselves correctly.

Syntax
Client:~ # sm_setup check_resolution backupserver
Calling getaddrinfo with 'backupserver'

        Official name: backupserver.sep.de
        IPv4 Address #1: 172.16.1.146

Calling getnameinfo for IP Address #1 '172.16.1.146'

        Official name: backupserver.sep.de
        Alternate name: backupserver
Client:~ # sm_setup check_resolution client
Calling getaddrinfo with 'client'

        Official name: client.sep.de
        IPv4 Address #1: 172.16.1.145

Calling getnameinfo for IP Address #1 '172.16.1.145'

        Official name: client.sep.de
        Alternate name: client


Backupserver:~ # sm_setup check_resolution client
Calling getaddrinfo with 'client'

        Official name: client.sep.de
        IPv4 Address #1: 172.16.1.145

Calling getnameinfo for IP Address #1 '172.16.1.145'

        Official name: client.sep.de
        Alternate name: client

Backupserver:~ # sm_setup check_resolution backupserver
Calling getaddrinfo with 'backupserver'

        Official name: backupserver.sep.de
        IPv4 Address #1: 172.16.1.146

Calling getnameinfo for IP Address #1 '172.16.1.146'

        Official name: backupserver.sep.de
        Alternate name: backupserver


The returned addresses and hostnames must match. If the reverse resolve returns an official name that is different from the name specified on the command line, there will be problems with backing up the client (see Common error messages).
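
The forward/reverse comparison described above can also be scripted. The following Python sketch is an added example, not SEP code: it calls the same getaddrinfo and getnameinfo library functions (which honour the hosts file) and lists every disagreement. Accepting a short name as matching the first label of the official name, the forward-confirmation step and the SAMPLE_ tables (constructed from the addresses in the output above) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Forward/reverse name-resolution consistency check (added example, not SEP code)."""
import socket
import sys

# Constructed sample tables, built from the names and addresses in the output above.
SAMPLE_FORWARD = {
    "backupserver": ("backupserver.sep.de", ["172.16.1.146"]),
    "backupserver.sep.de": ("backupserver.sep.de", ["172.16.1.146"]),
    "client": ("client.sep.de", ["172.16.1.145"]),
    "client.sep.de": ("client.sep.de", ["172.16.1.145"]),
}
SAMPLE_REVERSE = {"172.16.1.146": "backupserver.sep.de",
                  "172.16.1.145": "client.sep.de"}


def system_forward(name):
    """Name -> (official name, IPv4 list) through the OS resolver."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET,
                               socket.SOCK_STREAM, 0, socket.AI_CANONNAME)
    official = infos[0][3] or name  # canonname is filled on the first entry only
    addresses = list(dict.fromkeys(info[4][0] for info in infos))
    return official, addresses


def system_reverse(ip):
    """IP -> official name; NI_NAMEREQD turns a missing reverse entry into an error."""
    return socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)[0]


def table_resolvers(forward_table, reverse_table):
    """Offline stand-ins for the two lookups, backed by plain dicts (for testing)."""
    def forward(name):
        try:
            return forward_table[name.lower()]
        except KeyError:
            raise socket.gaierror(socket.EAI_NONAME, "name not known: " + name) from None

    def reverse(ip):
        try:
            return reverse_table[ip]
        except KeyError:
            raise socket.gaierror(socket.EAI_NONAME, "no reverse entry: " + ip) from None
    return forward, reverse


def same_host(queried, official):
    """True if queried is the official name or its short (first-label) form."""
    q = queried.rstrip(".").lower()
    o = official.rstrip(".").lower()
    return q == o or ("." not in q and q == o.split(".", 1)[0])


def check_resolution(name, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means forward and reverse agree."""
    try:
        _official, addresses = forward(name)
    except OSError as exc:
        return ["forward lookup of %r failed: %s" % (name, exc)]
    problems = []
    for ip in addresses:
        try:
            back = reverse(ip)
        except OSError as exc:
            problems.append("reverse lookup of %s failed: %s" % (ip, exc))
            continue
        if not same_host(name, back):
            problems.append("%s reverse-resolves to %r, not %r" % (ip, back, name))
            continue
        # Forward-confirm: the reverse name must lead back to the same address.
        try:
            if ip not in forward(back)[1]:
                problems.append("%r does not resolve back to %s" % (back, ip))
        except OSError as exc:
            problems.append("forward lookup of %r failed: %s" % (back, exc))
    return problems


if __name__ == "__main__":
    # Usage: check_names.py backupserver client   (run on the server AND on the client)
    failed = False
    for host in sys.argv[1:]:
        found = check_resolution(host)
        print(host, "PROBLEM" if found else "OK")
        for entry in found:
            print("   ", entry)
        failed = failed or bool(found)
    sys.exit(1 if failed else 0)
```
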

nslookup (Windows and Linux)

The nslookup tool is a network administration command-line tool for querying the DNS to obtain a hostname or IP address.

It is useful for troubleshooting DNS issues but not for full hostname resolution as it ignores the hosts file. SEP sesam resolves its hostnames via a common library function and will first use the hostname specified in the hosts file of the system. By default, nslookup will translate a domain name to an IP address (or vice versa).

Use the nslookup command to check that forward name resolution (with and without the FQDN) and reverse resolution are correct. Check on the SEP sesam Server AND on the SEP sesam Client. If DNS is not used and verification relies on the etc/hosts file, use ping to verify individual clients.

Syntax
       nslookup {client}
       nslookup {IP-Address of client}                         # important reverse lookup
       nslookup {SEPsesam Server name}
       nslookup {IP-Address of SEPsesam Server}                # important reverse lookup

Example: check mysesam name resolution and reverse lookup:

     #>nslookup mysesam
     Server:   dns.domaine.de
     Address:  192.168.1.254
     Name:     mysesam.domaine.de
     Address:  192.168.1.1
     #>nslookup 192.168.1.1
     Server:   dns.domaine.de
     Address:  192.168.1.254
     Name:     mysesam.domaine.de
     Address:  192.168.1.1

host (Linux only)

The host command can also be used to resolve a hostname into an IP address and vice-versa. It defaults to the name server configured in /etc/resolv.conf but can also be used with a DNS server as an additional argument. It will query the DNS server of the system first.

Syntax
Client:~ # host backupserver
                     backupserver.sep.de has address 172.16.1.146

Client:~ # host 172.16.1.146
                     146.1.16.172.in-addr.arpa domain name pointer backupserver.sep.de

ping

ping is a network administration software utility used to test the reachability of a destination device on an IP network via ICMP echo request. It is not a proper tool for checking the DNS resolution and will not always be 100% correct. Although ping does resolve an IP address, it is not strictly a name server lookup tool and can return a potentially outdated cached result.

In addition, it is not possible to correctly reverse resolve the DNS names. For more details, see ping description on Wikipedia.

Common error messages

The following common error messages indicate that there is a problem with your name resolution:

CLIENT_HOSTNAME: Login to stpd from <CLIENT_HOSTNAME> to <SESAM_SERVER_HOSTNAME> incorrect.
Login incorrect. Client resolves his IP address [X.X.X.X] to [RANDOM_HOSTNAME], but server resolves it to [X.X.X.X]. Please adjust your name resolution.  (0)

In such a case, check your name resolution (DNS or etc/hosts file). The SEP sesam Server and SEP sesam Client must be reachable with or without FQDN and should be able to resolve each other and also themselves correctly, including the reverse lookup.

In case you have changed an entry in your DNS configuration, but Windows still reports a wrong hostname/IP, try to run ipconfig /flushdns as administrator.

Uninstalling SEP sesam

A complete SEP sesam environment consists of different components (SEP sesam Server, SEP sesam Client, etc.) or modules, which can be installed and combined according to your needs to implement optimized backup. If any SEP sesam component has to be removed from a system, for example, after a failed installation or if the current installation is corrupted, it is important to follow the correct uninstallation procedure. This procedure is operating system dependent.

Typically, uninstalling a SEP sesam package would remove all related files; however, in some scenarios, you may have to troubleshoot uninstallation issues or take extra steps, as described in Troubleshooting external components – BSR Pro.

Uninstalling SEP sesam on Windows

There are three different ways to uninstall SEP sesam components on Windows:

  1. Double-click the installed MSI or SEP sesam package, click Continue, select Remove and click Next to uninstall the SEP sesam from your system completely.
  2. Open Control Panel -> Add or remove programs or Programs and Features (depending on OS) and select the relevant SEP sesam component. Then click Uninstall.
    Tip
    After a successful and complete uninstall, the keys listed below (see registry entries) should no longer exist. If any of the listed keys is still present, it can be deleted manually as described in the next procedure.
  3. If the procedures above cannot be successfully applied, you have to manually remove the SEP sesam installation.
    Note
    The following steps describe how to modify the registry. If you modify the registry incorrectly, serious problems might occur. If you are not sure about what you are doing, we recommend that you contact SEP support at support@sep.de for assistance.
    1. In the Command Prompt, execute C:\Program Files\SEPsesam\bin\sesam\sm_main stop.
    2. Open the Task Manager and search for processes beginning with sm_ or with sm_main; if any running processes are found, terminate them.
    3. In the Start menu/Search box, type regedit and click Enter. The Windows Registry Editor window opens.
    4. Delete the registry entries:
      HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\7737007073521AA...
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7737007073521AA...
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F92326AFAEF5DA...
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sm_main
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SEP sesam BSR Pro

    5. Delete directories C:\Program Files\SEPsesam and C:\ProgramData\SEPsesam\....

Uninstalling SEP sesam on Linux

The uninstallation procedure on Linux depends on the installation type (RPM, DEB, etc.). For details on different installation types, see Linux Quick Install Guide.

Uninstalling tar archive (TGZ)

First, you have to make sure that your SEP sesam component was installed from a tar archive. Then uninstall SEP sesam with the command:

/opt/sesam/bin/sesam/sm_setup delete

Uninstalling RPM package

If you are uninstalling the Linux installation with RPM, use the following commands. The first command identifies the package name and the second command removes the SEP sesam Server from the system:

smsrv:~ # rpm -qa | grep sesam
sesam_srv-4.4.3-64.sles11
smsrv:~ #
smsrv:~ # rpm -e sesam_srv-4.4.3-64.sles11
smsrv:~ #
Note
You can use the same procedure for uninstalling other SEP sesam components.

Uninstalling Debian package

If uninstalling the Linux installation with dpkg, use the following commands. The first command identifies the package name and the second command removes the SEP sesam Server from the system:

smsrv:~ # dpkg -l | grep sesam 
ii  sesam-srv   4.4.3-64.stretch~pg   amd64   SEP sesam server for Linux
smsrv:~ #
smsrv:~ # dpkg -r sesam-srv
smsrv:~ #

Uninstalling SEP sesam manually

If the procedures described above are not possible, the following steps are required to manually remove the SEP sesam installation:

Warning
Incorrectly performing the following steps can result in database corruption and loss of data. If you are not sure about what you are doing, we recommend that you contact SEP support at support@sep.de for assistance.
  1. Stop all SEP sesam services with the command:
    systemctl stop sepsesam.service (Distributions with SYSTEMD start system)
    /etc/init.d/sesam stop (Distributions with INIT start system)
    /opt/sesam/bin/sesam/sm_main stop
    /opt/sesam/bin/sesam/sm_shutdown

  2. SEP sesam processes that are still running are identified with ps fax | grep sm_. If the output looks similar to the following, then the stop command was not successful. If just a few processes remain, only these are displayed.
    smsrv:~ # ps fax | grep sm_
    4433 ? S 0:00 /opt/sesam/bin/sesam/sm_qm_main
    4449 ? S 0:00 \_ /bin/sh /opt/sesam/bin/db/sm_db_main
    4464 ? S 0:00 \_ /opt/sesam/bin/sms/sm_passd
    4476 ? S 0:00 \_ /opt/sesam/bin/sms/sm_stpd_main
    4489 ? S 0:00 \_ /opt/sesam/bin/sesam/sm_ctrld_main
    4519 ? S 0:00 \_ /opt/sesam/bin/sesam/sm_sepuler -d
    4597 ? S 0:00 \_ /bin/sh /opt/sesam/bin/sesam/sm_rmi_main
    4760 ? Sl 0:01 | \_ java -classpath /opt/sesam/bin/gui//sm_rmigui.jar -
    Djava.rmi.server.hostname=smsrv -Djava.security.policy=/var/opt/sesam/var/ini//
    sm_java.policy de.sep.sesam.gui.server.GUIServer -c11401 -D11401 -rde
    5136 ? S 0:00 \_ /opt/sesam/bin/sms/sm_sms_main
    5138 ? S 0:00 | \_ sm_data_server 0 MAIN
    5141 ? S 0:00 | | \_ sm_data_server 0 ADMIN
    5142 ? S 0:00 | | \_ sm_data_server 0 KILLADMIN
    5143 ? S 0:00 | | \_ sm_data_server 0 DATA
    5144 ? S 0:00 | | \_ sm_data_server 0 DATA
    5145 ? S 0:00 | | \_ sm_data_server 0 DATA
    5162 ? S 0:00 | | \_ sm_data_server 0 DATA
    5163 ? S 0:00 | | \_ sm_data_server 0 DATA
    5164 ? S 0:00 | | \_ sm_data_server 0 DATA
    5165 ? S 0:00 | | \_ sm_data_server 0 DATA
    5166 ? S 0:00 | | \_ sm_data_server 0 DATA
    5187 ? S 0:00 | | \_ sm_data_server 0 DATA
    5188 ? S 0:00 | | \_ sm_data_server 0 TAPE
    ...

  3. Remove all running processes from the system. The following list shows how to shut down the SEP sesam main process at first. If this does not work, you have to terminate the remaining processes with kill <PID>. If this does not work either, then you have to use the hammer method to remove these processes from the system.
    • killall /opt/sesam/bin/sesam/sm_qm_main command tries to terminate all processes that depend on sm_qm_main.
    • kill 4433 command tries to terminate the process sm_qm_main (see a process list above).
    • kill -9 4433 command is the hammer method and removes the process out of the system.
  4. SEP sesam configuration files are removed from the etc directory:
    smsrv:~ # rm -v /etc/*sesam*
    removed ‘/etc/sesam2000.ini’
    removed ‘/etc/sesam_cmdusers.allow’

  5. Remove the start scripts from the Linux system:
    chkconfig -d sesam (INIT)
    rm /etc/init.d/sesam (INIT)
    systemctl disable sepsesam.service (SYSTEMD)
    rm /lib/systemd/system/sepsesam.service (SYSTEMD)

  6. Remove the SEP sesam directory:
    rm -rf /opt/sesam
    rm -rf /var/opt/sesam

  7. Remove a database entry from the package database:
    Suse and RedHat
    rpm -e --justdb sesam_srv-4.4.3-64.sles11

    Debian
    dpkg --purge sesam-srv


Troubleshooting external components – BSR Pro

Any incorrect uninstallation could leave invalid registry entries behind. In the case of SEP sesam, uninstallation may fail and leave behind external component files or packages, such as SEP sesam BSR Pro. As the uninstaller information is typically corrupted after a failed uninstallation, you have to get rid of any potentially harmful registry leftovers to ensure normal operation of SEP sesam. There are two possible ways to deal with failed uninstallation leftovers.

  1. The best way to uninstall these components is to use the installer; you should first reinstall BSR Pro in order to repair it, and only then uninstall it again.
    Tip
    After a successful and complete uninstall of the BSR Pro component, the keys listed below (see registry entries) should no longer exist. If any of the listed keys is still present, it can be deleted manually as described in the next procedure.
  2. If the procedure above cannot be successfully applied, you have to manually remove the BSR Pro installation.
    Note
    The following steps describe how to modify the registry. If you modify the registry incorrectly, serious problems might occur. If you are not sure about what you are doing, we recommend that you contact SEP support at support@sep.de for assistance.
    1. In the Start menu/Search box, type regedit and click Enter. The Windows Registry Editor window opens.
    2. Delete the registry entries:
      HKEY_LOCAL_MACHINE\SOFTWARE\O&O\O&O DiskImage
      HKEY_LOCAL_MACHINE\SOFTWARE\O&O\O&O LiveUpdate\SEP sesam BSR Pro



Part IV: SEP sesam Processes and Commands

SEP sesam Processes

Overview

The following list introduces SEP sesam processes that are required for uninterrupted operation of the SEP sesam Server. You can use different commands to check the functionality of the individual processes. For example, you can use the command sm_main status to see if all daemons are running. You can also check the status of the SEP sesam processes in the GUI (Main Selection -> Monitoring -> Processes).

Note that antivirus programs may disrupt network communication and cause SEP sesam processes, such as backup and replication, to fail. One program that is known to cause SEP sesam processes to terminate is Sophos Firewall with IPS (Intrusion Prevention System) enabled. Make sure that there are no antivirus, firewall, IDS or IPS programs preventing interaction with SEP sesam.

Daemon summary

Use the command sm_main status to quickly check if all relevant daemons are running on a computer where SEP sesam is installed or if one is missing. Additionally, you can see the general version of SEP sesam and when the individual sub processes were (re)started.

Windows
C:\Program Files\SEPsesam\bin\sesam>sm_main status
2019-04-30 19:01:34: $Id: 30e8e5a23e (HEAD -> v4_4_3_4, tag: v_4_4_3_64, tag: v4_4_3_4_build, origin/v4_4_3_4) 2018-10-22 10:30:29 +0200 $
2019-04-30 19:01:34: VERSION='server,4.4.3.64,20190319141846'
2019-04-30 19:01:34: sm_main[5588]
2019-04-30 19:01:34: Arguments: sm_main status
2019-04-30 19:01:34: Daemons: ['qm', 'passd', 'sms', 'stpd', 'ctrl', 'sshd', 'sepuler', 'rmi']
2019-04-30 19:01:34: qm         [  2884]: online
2019-04-30 19:01:34: Found job:   2    passd                 0      4076 2019-03-19 14:27:37
2019-04-30 19:01:34: passd      [  4076]: online
2019-04-30 19:01:34: Found job: 1788    sms                   0      7692 2019-04-30 08:00:18
2019-04-30 19:01:34: sms        [  7692]: online
2019-04-30 19:01:34: Found job:   4    stpd                  0      4016 2019-03-19 14:27:37
2019-04-30 19:01:34: stpd       [  4016]: online
2019-04-30 19:01:34: Found job:   5    ctrl                  0      2420 2019-03-19 14:27:38
2019-04-30 19:01:34: ctrl       [  2420]: online
2019-04-30 19:01:34: Found job:   6    sshd                  0      2260 2019-03-19 14:27:38
2019-04-30 19:01:34: sshd       [  2260]: online
2019-04-30 19:01:34: Found job:   7    sepuler               0      3676 2019-03-19 14:27:39
2019-04-30 19:01:34: sepuler    [  3676]: online
2019-04-30 19:01:34: Found job:   8    rmi                   0      7976 2019-03-19 14:27:39
2019-04-30 19:01:34: rmi        [  7976]: online
2019-04-30 19:01:34: Found job:  39    sds-11                0      6796 2019-04-30 11:42:17
2019-04-30 19:01:34: sds-11     [  6796]: online
STATUS=SUCCESS MSG=All daemons online

Linux/Unix
backupsrv:/opt/sesam/bin/sesam # ./sm_main status
2019-04-30 18:58:06: $Id: 30e8e5a (HEAD, tag: v_4_4_3_64, tag: v4_4_3_4_build, origin/v4_4_3_4, v4_4_3_4) 2018-10-22 10:30:29 +0200 rev:48355
2019-04-30 18:58:06: VERSION='server,4.4.3.64,20181024102619'
2019-04-30 18:58:06: sm_main[21443]
2019-04-30 18:58:06: Arguments: ./sm_main status
2019-04-30 18:58:06: Found SDS configuration file: "/var/opt/sesam/var/ini/stpd_conf/Si3-Store_2.ini"
2019-04-30 18:58:06: ATTENTION: Java options for SDS set in sm.ini to: -Xms10080M -Xmx10080M
2019-04-30 18:58:06: Daemons: ['qm', 'db', 'passd', 'sms', 'stpd', 'ctrl', 'sshd', 'sepuler', 'rmi', 'ui', 'sds-2']
2019-04-30 18:58:06: qm         [  4126]: online
2019-04-30 18:58:06: Found job:   2    db                    0      4137 2019-01-14 20:21:08
2019-04-30 18:58:06: Check DB service. Retry: 1
2019-04-30 18:58:06: db         [  4137]: online
2019-04-30 18:58:06: Found job:   3    passd                 0      4316 2019-01-14 20:21:15
2019-04-30 18:58:06: passd      [  4316]: online
2019-04-30 18:58:06: Found job:  15    sms                   0      6102 2019-01-14 20:21:37
2019-04-30 18:58:06: sms        [  6102]: online
2019-04-30 18:58:06: Found job:   5    stpd                  0      4332 2019-01-14 20:21:15
2019-04-30 18:58:06: stpd       [  4332]: online
2019-04-30 18:58:06: Found job:   6    ctrl                  0      4339 2019-01-14 20:21:16
2019-04-30 18:58:06: ctrl       [  4339]: online
2019-04-30 18:58:06: sshd               : unused
2019-04-30 18:58:07: Found job: 25068    sepuler               0      5849 2019-03-27 17:13:23
2019-04-30 18:58:07: sepuler    [  5849]: online
2019-04-30 18:58:07: Found job: 29267    rmi                   0     18503 2019-04-26 18:23:24
2019-04-30 18:58:07: rmi        [ 18503]: online
2019-04-30 18:58:07: ui                 : unused
2019-04-30 18:58:07: Found job: 29268    sds-2                 0     18618 2019-04-26 18:23:25
2019-04-30 18:58:07: sds-2      [ 18618]: online
STATUS=SUCCESS MSG=All daemons online
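
To evaluate the sm_main status output from a monitoring script, the following Python sketch (an added example, not part of SEP sesam) parses the line formats shown above and lists daemons from the Daemons list that are not reported as online or unused. The meaning given to the Found job columns and treating any other state as a problem are assumptions read off the sample output; SAMPLE_OK is shortened from the Linux output above and SAMPLE_BROKEN is constructed from it.

```python
#!/usr/bin/env python3
"""Parse `sm_main status` output and list daemons that need attention (added example)."""
import ast
import re
import sys

# "<timestamp>: <daemon> [ <pid>]: <state>"; the "[pid]" part is absent for unused daemons.
STATE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: ([\w-]+)\s*(?:\[\s*(\d+)\])?\s*: (\w+)$")
# "Found job: <job> <daemon> <n> <pid> <start time>" (column meaning is an assumption).
JOB_RE = re.compile(
    r"Found job:\s*\d+\s+([\w-]+)\s+\d+\s+\d+ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$")
VERSION_RE = re.compile(r"VERSION='([^']*)'")
FINAL_RE = re.compile(r"^STATUS=(\w+) MSG=(.*)$")
HEALTHY_STATES = {"online", "unused"}  # the only two states shown on the page

# Shortened copy of the Linux output shown above.
SAMPLE_OK = """\
2019-04-30 18:58:06: VERSION='server,4.4.3.64,20181024102619'
2019-04-30 18:58:06: Daemons: ['qm', 'db', 'passd', 'sms', 'stpd', 'ctrl', 'sshd', 'sepuler', 'rmi', 'ui', 'sds-2']
2019-04-30 18:58:06: qm         [  4126]: online
2019-04-30 18:58:06: Found job:   2    db                    0      4137 2019-01-14 20:21:08
2019-04-30 18:58:06: Check DB service. Retry: 1
2019-04-30 18:58:06: db         [  4137]: online
2019-04-30 18:58:06: passd      [  4316]: online
2019-04-30 18:58:06: sms        [  6102]: online
2019-04-30 18:58:06: Found job:   5    stpd                  0      4332 2019-01-14 20:21:15
2019-04-30 18:58:06: stpd       [  4332]: online
2019-04-30 18:58:06: ctrl       [  4339]: online
2019-04-30 18:58:06: sshd               : unused
2019-04-30 18:58:07: sepuler    [  5849]: online
2019-04-30 18:58:07: rmi        [ 18503]: online
2019-04-30 18:58:07: ui                 : unused
2019-04-30 18:58:07: sds-2      [ 18618]: online
STATUS=SUCCESS MSG=All daemons online
"""
# Constructed failure case: the stpd lines and the final STATUS line are missing.
SAMPLE_BROKEN = "\n".join(
    line for line in SAMPLE_OK.splitlines()
    if " stpd " not in line and not line.startswith("STATUS="))


def parse_status(text):
    """Turn the command output into a dict of version, daemon states and final status."""
    report = {"version": None, "expected": [], "daemons": {},
              "started": {}, "status": None, "msg": None}
    for raw in text.splitlines():
        line = raw.strip()
        state = STATE_RE.match(line)
        job = JOB_RE.search(line)
        version = VERSION_RE.search(line)
        final = FINAL_RE.match(line)
        if state:
            name, pid, value = state.groups()
            report["daemons"][name] = {"pid": int(pid) if pid else None, "state": value}
        elif job:
            report["started"][job.group(1)] = job.group(2)
        elif ": Daemons: " in line:
            # The list is printed as a Python literal; literal_eval never executes code.
            report["expected"] = ast.literal_eval(line.split(": Daemons: ", 1)[1])
        elif version:
            report["version"] = version.group(1)
        elif final:
            report["status"], report["msg"] = final.groups()
    return report


def find_problems(report):
    """Return one message per daemon that is missing or in an unexpected state."""
    problems = []
    names = list(report["expected"])
    names += [n for n in report["daemons"] if n not in names]  # e.g. extra sds-* entries
    for name in names:
        entry = report["daemons"].get(name)
        if entry is None:
            problems.append("%s: no status line" % name)
        elif entry["state"] not in HEALTHY_STATES:
            problems.append("%s: state %s" % (name, entry["state"]))
    if report["status"] != "SUCCESS":
        problems.append("overall status is %s, expected SUCCESS" % report["status"])
    return problems


if __name__ == "__main__":
    # Usage: sm_main status | python3 check_daemons.py
    found = find_problems(parse_status(sys.stdin.read()))
    print("\n".join(found) or "all daemons healthy")
    sys.exit(1 if found else 0)
```
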

Description of the SEP sesam processes

sm_qm_main

This is the main process of the SEP sesam process structure. All other SEP sesam processes derive from it. The queue manager follows all individual drive queues. This process has to run on SEP sesam Server, SEP sesam RDS and SEP sesam Client.

Windows

The sm_qm_main process is associated with the service SEP Sesam visible in the Windows services list.

On Windows, all processes can be found in the Task Manager or on the command line as a tree view.

C:\Program Files\SEPsesam\bin\sesam>sm_list -t | findstr sm_
    sm_qm_main.exe (2884)
      sm_passd.exe (4076)
      sm_stpd_main.exe (4016)
      sm_ctrld_main.exe (2420)
      sm_sshd.exe (2260)
      sm_sepuler.exe (3676)
      sm_java.exe (7976)
      sm_sms_watch.exe (4556)
      sm_sms_watch.exe (4740)
      sm_sms_watch.exe (5464)
      sm_sms_watch.exe (4408)
      sm_sms_watch.exe (7024)
      sm_sms_main.exe (7692)
        sm_data_server.exe (2432)
        sm_data_server.exe (1320)
  sm_javaw.exe (3700)
  sm_list.exe (3832)

C:\Program Files\SEPsesam\bin\sesam>sm_kill list | findstr sm_
 2884  (0x0B44)    "C:\Program Files\SEPsesam\bin\sesam\sm_qm_main.exe"
 4076  (0x0FEC)    "C:\Program Files\SEPsesam\bin\sms\sm_passd.exe" -D
 4016  (0x0FB0)    "C:\Program Files\SEPsesam\bin\sms\sm_stpd_main.exe" -D
 2420  (0x0974)    "C:\Program Files\SEPsesam\bin\sesam\sm_ctrld_main.exe" -D
 2260  (0x08D4)    "C:\Program Files\SEPsesam\bin\sesam\sm_sshd.exe" -D
 3676  (0x0E5C)    "C:\Program Files\SEPsesam\bin\sesam\sm_sepuler.exe" -D
 7976  (0x1F28)    "C:\Program Files\SEPsesam\bin\sesam\sm_java.exe" server -ren
 6140  (0x17FC)    "C:\Program Files\Java\jre1.8.0_111\bin\java" -classpath "C:\Program Files\SEPsesam\bin\gui\sm_ui.jar" -Djava.rmi.server.hostname=backupsrv -Dsep.sesam.config="C:\ProgramData\SEPsesam\var\ini\sm.ini" -Djava.security.policy="C:\ProgramData\SEPsesam\var\ini\sm_java.policy" de.sep.sesam.gui.server.GUIServer -ren
 4556  (0x11CC)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 0
 4740  (0x1284)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 4
 5464  (0x1558)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 11
 4408  (0x1138)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 13
 7024  (0x1B70)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 14
 3700  (0x0E74)    "C:\Program Files\SEPsesam\bin\sesam\sm_javaw.exe" client -uAdministrator -Sbackupsrv -lwindows -p11401 -P local -v2 -ren
 4832  (0x12E0)    "C:\Program Files\Java\jre1.8.0_111\bin\javaw.exe" -Djava.io.tmpdir="C:\Users\ADMINI~1\AppData\Local\Temp\2" "-splash:C:\Program Files\SEPsesam\bin\gui\splash\splash.png" -classpath "C:\Program Files\SEPsesam\bin\gui\sm_ui.jar" de.sep.sesam.gui.client.Frame -uAdministrator -Sbackupsrv -lwindows -p11401 -P local -v2 -ren
 7692  (0x1E0C)    "C:\Program Files\SEPsesam\bin\sms\sm_sms_main.exe" -D
 2432  (0x0980)    sm_data_server.exe 2
 1320  (0x0528)    sm_data_server.exe 3
 3776  (0x0EC0)    C:\Windows\system32\cmd.exe  /K "C:\ProgramData\SEPsesam\var\ini\sm_prof.bat"
 5624  (0x15F8)    sm_kill  list

Linux/Unix

On modern Linux, this process is associated with the systemd unit "sepsesam.service". On systems with SysV-style init, this process is called by the init script /etc/init.d/sesam.
Use the commands pstree and ps to search for its sub-processes.

backupsrv:/opt/sesam/bin/sesam # pstree | grep sm_
     |-sm_qm_main-+-java---98*[{java}]
     |            |-sm_ctrld_main
     |            |-sm_passd
     |            |-sm_postgres---su---postmaster---10*[postmaster]
     |            |-sm_restore
     |            |-sm_rmi_main---java---91*[{java}]
     |            |-sm_sepuler
     |            |-sm_sms_main
     |            |-4*[sm_sms_watch]
     |            `-sm_stpd_main-+-sm_stpd_utl_mai
     |                           `-4*[{sm_stpd_main}]
backupsrv:/opt/sesam/bin/sesam # ps -ef | grep sm_
root      4126     1  0 Jan14 ?        02:09:17 /opt/sesam/bin/sesam/sm_qm_main
root      4137  4126  0 Jan14 ?        00:00:00 /bin/sh /opt/sesam/bin/sesam/sm_postgres
root      4316  4126  0 Jan14 ?        00:00:00 /opt/sesam/bin/sms/sm_passd
root      4332  4126  0 Jan14 ?        17:22:30 /opt/sesam/bin/sms/sm_stpd_main
root      4339  4126  0 Jan14 ?        00:00:00 /opt/sesam/bin/sesam/sm_ctrld_main
root      4348  4332  0 Jan14 ?        00:05:51 /opt/sesam/bin/sms//sm_stpd_utl_main 0
root      4647  4126  0 Jan14 ?        00:06:00 /opt/sesam/bin/sesam/sm_sms_watch 0
root      5849  4126  0 Mar27 ?        00:21:02 /opt/sesam/bin/sesam/sm_sepuler -d
root      6102  4126  0 Jan14 ?        00:00:00 /opt/sesam/bin/sms/sm_sms_main
root      6253  4126  0 Jan14 ?        16:09:58 /opt/sesam/bin/sesam/sm_sms_watch 2
root      6404  4126  0 Jan14 ?        00:56:51 /opt/sesam/bin/sesam/sm_sms_watch 3
root     13106  4126  0 Jan18 ?        00:33:41 /opt/sesam/bin/sesam/sm_sms_watch 1
root     15092 22052  0 18:25 pts/0    00:00:00 grep --color=auto sm_
root     18503  4126  0 Apr26 ?        00:00:00 /bin/sh /opt/sesam/bin/sesam/sm_rmi_main
root     18618  4126 24 Apr26 ?        23:04:29 /opt/sesam/bin/sesam/java -Xmx5004M -XX:MaxDirectMemorySize=5204M -Xms10080M -Xmx10080M -classpath /opt/sesam/bin/sds/i2dedup-server.jar -Dlogback.configurationFile=/var/opt/sesam/var/ini/sm_sdslog.xml -Dgv_rw_stpd=/var/opt/sesam/var/log/sms -Ddrive_num=2 -Dconfig.inifile=/var/opt/sesam/var/ini/stpd_conf/Si3-Store_2.ini i2.dedup.streaming.BinaryProtocolServer start
root     18759 18503  8 Apr26 ?        07:46:53 java -classpath /opt/sesam/bin/gui//sm_ui.jar -Dsep.sesam.config=/var/opt/sesam/var/ini/sm.ini -Djava.rmi.server.hostname=backupsrv.sep.de -Dfile.encoding=UTF-8 -Djava.security.policy=/var/opt/sesam/var/ini//sm_java.policy de.sep.sesam.gui.server.GUIServer -p11401 -ren
root     29964  4126  5 17:06 ?        00:04:31 /opt/sesam/bin/sesam/sm_restore -I 20190430170610436@3Hc_4aCsINJ -r backupsrv_all-20190430_170610 -S backupsrv.sep.de -d 3

sm_ctrld_main

The control daemon makes it possible to execute SEP sesam commands on the SEP sesam Client. This daemon listens on TCP port 11301. For example, if the SEP sesam Server sends the command sm_ctrlc -l root <backup_client> sbc -b -s @/tmp/test.sav /etc, then a backup job of the /etc directory is started on the client. The backed-up data is saved in the file test.sav in the client's local /tmp directory. This process has to run on the SEP sesam RDS and SEP sesam Clients.

sm_sshd

SEP sesam provides an SSH tunnel for secure control communication. If a new backup client gets installed, the SM_SSH daemon will automatically listen on TCP port 11322. Over time, the encrypted SSH communication replaces the old unencrypted control communication. You can start a test backup on a Linux client with the following command:

sm_ssh <backup_client> sbc -b -s @/tmp/test.sav /etc

This process has to run on the SEP sesam RDS and SEP sesam Clients.

postmaster (Linux only)

This is a database server which administers the SEP sesam database. This process has to run on the SEP sesam Server.

sm_passd

This is an authentication daemon for the Sesam Transfer Protocol Daemon (STPD – a service that requests the backup data from the SMS Server and manages the data flow between the SEP sesam Server and a client) via name resolution. This process has to run on SEP sesam Server and RDS. If source-side deduplication is to be used, this process also has to run on the SEP sesam Client.

sm_rmi_main

This is the GUI server which is the interface between a GUI client and SEP sesam kernel module (like database, logfiles, etc.). It listens on TCP port 11401. This process has to run on the SEP sesam Server in order to access its database.

sm_sepuler

SEPuler is a permanently active background routine (daemon), constantly searching for events to be executed. When SEPuler finds a scheduled task or manually triggered event, the execution of the corresponding program is initiated. This process has to run on SEP sesam Server. For details, see SEPuler - an event calendar.

sm_sms_main

This is the main process of SMS (Sesam multiplex stream service) and it's the parent process for all sm_data_server processes. This process has to run on SEP sesam Server and RDS.

sm_data_server

The data server processes receive the individual data streams of the backup tasks and then transfer them multiplexed to the storage device (tape or disk). This process has to run on SEP sesam Server and RDS.

sm_stpd_main

The Sesam Transfer Protocol Daemon (STPD) waits for the data which is delivered via network from clients during a backup. It listens on TCP ports 11000 (HTTP), 11001 (FTP) and 11443 (HTTPS) for transfer of backup data. This process has to run on SEP sesam Server and RDS. If source-side deduplication is to be used, this process also has to run on the SEP sesam Client.

sds

This is the SEP sesam deduplication engine. It depends on Java for the execution.
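
The TCP ports named in the process descriptions above can be compared with the sockets a host is actually listening on. The following Python script is an added example, not part of SEP sesam or of the original page; it parses `ss -tln` output (a constructed sample is embedded) and treats HTTP and FTP as unencrypted purely because of the protocol names, which is an assumption.

```python
"""Audit listening sockets against the SEP sesam ports named above (added example)."""
import ipaddress

# Port -> (process, purpose, encrypted). Ports and processes come from the
# process descriptions above. "encrypted" is None where the page does not say;
# False for HTTP/FTP is an assumption based on the protocol names only.
SESAM_PORTS = {
    11000: ("sm_stpd_main", "backup data (HTTP)", False),
    11001: ("sm_stpd_main", "backup data (FTP)", False),
    11443: ("sm_stpd_main", "backup data (HTTPS)", True),
    11301: ("sm_ctrld_main", "control (old, unencrypted)", False),
    11322: ("sm_sshd", "control (SSH tunnel)", True),
    11401: ("sm_rmi_main", "GUI server", None),
}

# Constructed sample in the layout printed by `ss -tln` on Linux.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:11301       0.0.0.0:*
LISTEN  0       128              [::]:11322          [::]:*
LISTEN  0       50          127.0.0.1:11401       0.0.0.0:*
LISTEN  0       128                 *:11000             *:*
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       128      172.16.1.146:11443       0.0.0.0:*
"""


def is_loopback(address):
    """True if a bind address from ss is reachable from the local host only."""
    host = address.strip("[]").split("%")[0]   # drop brackets and %interface
    if host == "*":
        return False                            # wildcard: every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                            # unparsable: treat as exposed


def parse_listeners(ss_output):
    """Yield (bind_address, port) for every LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield address, int(port)


def audit(ss_output):
    """Return one finding per documented SEP sesam port that is listening."""
    findings = []
    for address, port in parse_listeners(ss_output):
        if port not in SESAM_PORTS:
            continue
        process, purpose, encrypted = SESAM_PORTS[port]
        findings.append({
            "port": port, "bind": address, "process": process,
            "purpose": purpose, "encrypted": encrypted,
            "exposed": not is_loopback(address),
        })
    return sorted(findings, key=lambda f: f["port"])


def needs_review(findings):
    """Ports reachable from the network and not known to be encrypted."""
    return [f["port"] for f in findings
            if f["exposed"] and f["encrypted"] is not True]


if __name__ == "__main__":
    results = audit(SAMPLE_SS)
    for finding in results:
        print(finding)
    print("review:", needs_review(results))
```

Ports returned by needs_review are candidates for firewall rules that restrict them to the backup server, RDS and clients that need them.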


How to start and stop SEP sesam

Overview

After the installation, the SEP sesam software will start automatically. You can use the command sm_main status to see if all processes are running. You can start and stop the SEP sesam services manually by using the commands below.

Start/stop SEP sesam on Windows

One central SEP sesam service is running on Windows systems. It is called SEP Sesam and is running under the system account of the Windows operating system. This service starts all other required services.

Start
  • using the Windows services control panel
  • in Windows Task Manager using the Services tab
  • on CMD or Powershell: net start sm_main
  • on CMD or Powershell: <SESAM_BIN>\bin\sesam\sm_main start
  • on CMD or Powershell: <SESAM_BIN>\bin\sesam\sm_startup -f
Stop
  • using the Windows services control panel
  • in Windows Task Manager using the Services tab
  • on CMD or Powershell: net stop sm_main
  • on CMD or Powershell: <SESAM_BIN>\bin\sesam\sm_main stop
  • on CMD or Powershell: <SESAM_BIN>\bin\sesam\sm_shutdown -f

Start/stop SEP sesam on Linux

One central SEP sesam service is running on Linux systems that controls all other SEP sesam services. SEP sesam services are always running under the Linux root user account. Depending on the Linux distribution, the following commands can be used:

Start
  • in the Linux shell: /etc/init.d/sesam start (distrib. with INIT start system)
  • in the Linux shell: systemctl start sepsesam.service (distrib. with SYSTEMD start system)
  • in the Linux shell: <SESAM_BIN>/bin/sesam/sm_main start
  • in the Linux shell: <SESAM_BIN>/bin/sesam/sm_startup
Stop
  • in the Linux shell: /etc/init.d/sesam stop (distrib. with INIT start system)
  • in the Linux shell: systemctl stop sepsesam.service (distrib. with SYSTEMD start system)
  • in the Linux shell: <SESAM_BIN>/bin/sesam/sm_main stop
  • in the Linux shell: <SESAM_BIN>/bin/sesam/sm_shutdown


How to check DNS configuration

Overview

Certain problems may occur when configuring new clients in SEP sesam if the DNS server is misconfigured or missing. SEP sesam needs a proper DNS to work and will not work with an IP address only. All DNS names must be correctly resolved (forward and reverse DNS lookup).

If the DNS server is missing, you will have to use the hosts file of the client and backup server to make systems available via a DNS name. The hosts file can be found in the following locations:

Linux
/etc/hosts
Windows
C:\Windows\system32\drivers\etc\hosts
Note
The hostname of the SEP sesam server may not include an underscore "_" sign. For hostname restrictions, see Restrictions on valid host names.

Tools to check DNS resolution

Several tools are available for checking the DNS resolution; however, SEP recommends that you use sm_setup check_resolution.

sm_setup check_resolution (recommended)

The SEP sesam sm_setup tool is part of the SEP sesam Client and Server installation and can be used from the command line to resolve DNS names. Before using this tool, you will have to set up a SEP sesam profile as described in the FAQ: What happens when I set a profile?

SEP recommends that you run this command on the backup server AND on the client with the same arguments. It is important that the client and the backup server each resolve themselves correctly.

Syntax
Client:~ # sm_setup check_resolution backupserver
Calling getaddrinfo with 'backupserver'

        Official name: backupserver.sep.de
        IPv4 Address #1: 172.16.1.146

Calling getnameinfo for IP Address #1 '172.16.1.146'

        Official name: backupserver.sep.de
        Alternate name: backupserver
Client:~ # sm_setup check_resolution client
Calling getaddrinfo with 'client'

        Official name: client.sep.de
        IPv4 Address #1: 172.16.1.145

Calling getnameinfo for IP Address #1 '172.16.1.145'

        Official name: client.sep.de
        Alternate name: client


Backupserver:~ # sm_setup check_resolution client
Calling getaddrinfo with 'client'

        Official name: client.sep.de
        IPv4 Address #1: 172.16.1.145

Calling getnameinfo for IP Address #1 '172.16.1.145'

        Official name: client.sep.de
        Alternate name: client

Backupserver:~ # sm_setup check_resolution backupserver
Calling getaddrinfo with 'backupserver'

        Official name: backupserver.sep.de
        IPv4 Address #1: 172.16.1.146

Calling getnameinfo for IP Address #1 '172.16.1.146'

        Official name: backupserver.sep.de
        Alternate name: backupserver


The returned addresses and hostnames must match. If the reverse resolve returns an official name that is different from the name specified on the command line, there will be problems with backing up the client (see Common error messages).

nslookup (Windows and Linux)

The nslookup tool is a network administration command-line tool for querying the DNS to obtain a hostname or IP address.

It is useful for troubleshooting DNS issues but not for full hostname resolution as it ignores the hosts file. SEP sesam resolves its hostnames via "common library function" and will first use the hostname specified in the hosts file of the system. By default, nslookup will translate a domain name to an IP address (or vice versa).

Use the nslookup command to check that forward name resolution (with and without FQDN) and reverse name resolution are correct. Check on the SEP sesam Server AND on the SEP sesam Client. If the DNS is not used and the verification is taking place over the etc/hosts file, use ping to verify individual clients.

Syntax
       nslookup {client}
       nslookup {IP-Address of client}                         # important reverse lookup
       nslookup {SEPsesam Server name}
       nslookup {IP-Address of SEPsesam Server}                # important reverse lookup

Example: check mysesam name resolution and reverse lookup:

     #>nslookup mysesam
     Server:   dns.domaine.de
     Address:  192.168.1.254
     Name:     mysesam.domaine.de
     Address:  192.168.1.1
     #>nslookup 192.168.1.1
     Server:   dns.domaine.de
     Address:  192.168.1.254
     Name:     mysesam.domaine.de
     Address:  192.168.1.1

host (Linux only)

The host command can also be used to resolve a hostname into an IP address and vice-versa. It defaults to the name server configured in /etc/resolv.conf but can also be used with a DNS server as an additional argument. It will query the DNS server of the system first.

Syntax
Client:~ # host backupserver
                     backupserver.sep.de has address 172.16.1.146

Client:~ # host 172.16.1.146
                     146.1.16.172.in-addr.arpa domain name pointer backupserver.sep.de

ping

ping is a network administration software utility used to test the reachability of a destination device on an IP network via ICMP echo request. It is not a proper tool for checking the DNS resolution and will not always be 100% correct. Although ping does resolve an IP address, it is not strictly a name server lookup tool and can return a potentially outdated cached result.

In addition, it is not possible to correctly reverse resolve the DNS names. For more details, see ping description on Wikipedia.

Common error messages

The following common error messages indicate that there is a problem with your name resolution:

CLIENT_HOSTNAME: Login to stpd from <CLIENT_HOSTNAME> to <SESAM_SERVER_HOSTNAME> incorrect.
Login incorrect. Client resolves his IP address [X.X.X.X] to [RANDOM_HOSTNAME], but server resolves it to [X.X.X.X]. Please adjust your name resolution.  (0)

In such a case, check your name resolution (DNS or etc/hosts file). The SEP sesam Server and SEP sesam Client must be reachable with or without FQDN and should be able to resolve each other and also themselves correctly, including the reverse lookup.

In case you have changed an entry in your DNS configuration, but Windows still reports a wrong hostname/IP, try to run ipconfig /flushdns as administrator.


Part V: Using Storage Devices

Configuring Loaders and Drives

Overview

A loader (also called tape library or autoloader) is a device that consists of drive(s), a magazine with slots for tape cartridges and a robotic mechanism that moves media between the slots and drives. In SEP sesam there is no dependency to use specific manufacturers' devices or device types; you can check the list of supported hardware at Supported Storage Hardware.

SEP sesam can detect and automatically configure storage hardware in your environment if the hardware is supported and recognized by the operating system (it must be listed in the OS device manager), where the SEP sesam Server or Remote Device Server is installed.

During SEP sesam Server installation, SEP sesam checks the SCSI API of the operating system for connected storage devices and puts accessible device files (SCSI address) into the SEP sesam database. This auto-detection works for most devices, but for certain types of loaders the connection between loader and drives cannot be recognized automatically. You have to manually verify and configure such devices. You also have to manually configure any backup device that is connected after SEP sesam installation. Note that the procedure differs depending on your operating system (Linux or Windows).

Automatically detected storage devices

SEP sesam displays automatically detected backup devices in GUI: Main selection -> Components -> Loaders. All detected loaders are displayed; you only need to select a loader to review its properties, and then click OK to confirm the loader configuration.

Tip
It is recommended that SEP sesam auto-configures backup devices, but even for the automatically configured backup devices you should enable persistent naming and check their configuration to configure them as required and avoid errors in SEP sesam operation. See sections Enabling persistent naming for tape devices and Using slu topology for detecting devices.

Preparing loaders and drives

Preparation of storage devices is based on the following general sequence. Note that this sequence might differ for specific devices and might require some additional steps.

  1. Connect a storage device to SEP sesam Server or SEP sesam Remote Device Server (RDS). Follow the configuration instructions specified by the device vendor or the operating system.
  2. Install the latest vendor driver for the tape drives, and also the latest driver for the loader. Note that during SEP sesam Server installation SEP sesam will check the SCSI API of the operating system for connected storage devices and enter working device files (SCSI address) into SEP sesam database automatically. Typically, this auto-detection will work for most devices, but there are some exceptions that need manual verification and configuration of the server operating system to allow device discovery.
  3. Restart the system to ensure that connected storage devices become known to the system.
  4. Check your device vendor documentation for any additional steps that may have to be performed.

Manually configuring loaders and drives

Checking hardware configuration on Windows

If your loader is detected by SEP sesam automatically, you can skip this step. If you have to add it manually to your Windows system, you must ensure that the hardware is recognized correctly by the operating system in the Windows Device Manager.

  1. Open Windows Device Manager and check that the selected hardware is present and recognized, as shown in the example below.
    [Screenshot: Device Manager Changer known]
    If it is not recognized, it will be shown with a status Unknown Medium Changer as in the following example.
    [Screenshot: Device Manager Changer]
    If it is shown as unknown, right-click it and select Update Driver Software to open the Update Driver Software-Unknown Medium Changer window. Then select or download and install the appropriate driver.

    Note
    A wrong driver (or no driver at all) is a common cause of errors. Identify the hardware manufacturer and download the correct driver from their support website to ensure proper configuration of your hardware device. For more information, check the documentation provided by the hardware manufacturer.
  2. In the Device Manager window, also check that the tape drives have a Tape Symbolic Name displayed.

Enabling persistent naming for tape devices

Persistent naming or binding is an option that enforces file names for loaders and tape drives, thus making them persist across reboots of the operating system. Without this feature the SCSI addresses may be changed during reboots, especially in environments with several tape libraries attached to a server, and the operating system might mix the SCSI addresses between different loaders and library tape drives. Consequently, SEP sesam may have problems accessing devices, such as unloading incorrect drives, read/open errors, volume errors, lost connections ...

Persistent naming means using symbolic names for loaders, tape drives in autoloaders and tape libraries, as well as for single tape drives. These names stay unique during server reboots, regardless of the order in which the operating system discovers the tape hardware. For example, while Tape0 is a logical name that could change during system restart, the persistent name Tape2147483644 is unique and will not change.

Configuration of persistent naming depends on the driver used. Once the OS is configured for persistent naming, update the SEP sesam configuration with the help of slu topology.

Note
Persistent naming is not part of SEP sesam as each hardware vendor handles it differently. If you need any assistance, consult your respective OS and hardware vendor support. The following information is only for reference and is not meant to replace the official vendor documentation.

Configuring persistent naming on Windows

To enable persistent bindings of symbolic tape and library names, you have to modify the registry key. Make sure that you have a valid SEP sesam and operating system backup before proceeding!

Standard Windows drivers
For standard Windows drivers, proceed as follows:
  1. Open Registry Editor: use Start and type regedit.
  2. Locate and select the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Tape

  3. From the Edit menu, select New and then DWORD Value.
  4. Type Persistence and then press ENTER.
  5. Right-click the Persistence registry entry, then click Modify.
  6. Type 1 in the Value data box, and then click OK.
  7. Close Registry Editor and restart the computer.

When you set the Persistence registry entry to 1, symbolic names become persistent. For example, if your tape drive has the name \\.\\tape1, this name is reserved for use by that device even after your server reboots.

IBM drivers
For IBM drivers, proceed as follows:
  1. Go to
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ibmtp2k<x>

    where the value <x> in ibmtp2k specifies the Windows Server version, for example, ibmtp2k8 for Windows Server 2008, ibmtp2k12 for Windows 2012, and ibmtp2k16 for Windows 2016, respectively.

  2. Add DWORD:PersistentNaming=1.
  3. Close Registry Editor and ensure that AutoRun is set to 0 for the driver prior to rebooting; for details, see official Microsoft documentation, e.g., Windows Server 2003 cannot perform backup jobs to tape devices on a storage area network or refer to the article Disable Autorun/Autoplay.
  4. Restart the computer.

For more details, see IBM article Configuring drives with persistent naming with IBM devices on Windows.

HP LTO drivers
For HP LTO drivers, follow the procedure as provided by data-protector.org:
  1. Make sure that you have installed the required HP tape drivers.
  2. Copy the following code and paste it into a text editor, then save the content as a .reg file.
    • Tape drives:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hplto]
    "AutoRun"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Tape]
    "Persistence"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
    "Start"=dword:00000004
    • Changer:

    If you have more than one medium changer include the following two lines as well:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MChgr]
    "Persistence"=dword:00000001
  3. Execute the .reg file and reboot the Windows system.

Configuring persistent naming on Linux

Device persistence on Linux is based on preconfigured udev rules. These rules create aliases in the device filesystem in /dev/tape.

Once the persistent naming is configured, you have to identify the WWN of the device and its name. This is because after each reboot on Linux, if you have, for example, two tape drives: /dev/nst0 (typically, the automatically assigned name for the first tape drive on Linux) and /dev/nst1 (the second tape drive), they may be switched around. The device name of a loader may also be changed after reboot. For example, a loader is currently recognized as /dev/sg9, but after reboot its name is changed to /dev/sg6. Changing the device name(s) after each reboot makes it impossible for SEP sesam to recognize the devices without adjustment, causing automated backup processing to fail.

To correctly identify the persistent names of devices on Linux, use the slu scan command and then list the contents of /dev/tape/by-id, as shown in the example below.

For example, the slu scan output is as follows:

ID=9:0:9:0    Tape:    STK      T10000B          0105 (/dev/nst4)
ID=9:0:10:0   Tape:    STK      T10000B          0105 (/dev/nst5)
ID=9:0:11:0   Tape:    STK      T10000B          0105 (/dev/nst6)
ID=9:0:12:0   Tape:    STK      T10000B          0105 (/dev/nst7)
ID=9:0:0:0    Loader:  STK      L700             0105 (/dev/sg17)
ID=9:0:8:0    Loader:  STK      L80              0105 (/dev/sg18) 

The output of ls -l /dev/tape/by-id/ shows the following:

total 0
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab000900 -> ../../st4
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab000900-nst -> ../../nst4
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab001000 -> ../../st5
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab001000-nst -> ../../nst5
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab001100 -> ../../st6
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab001100-nst -> ../../nst6
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab001200 -> ../../st7
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab001200-nst -> ../../nst7
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-SSTK_L700_XYZZY_A -> ../../sg17
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-SSTK_L80_XYZZY_B -> ../../sg18

In our example, by using /dev/tape/by-id/scsi-350223344ab000900-nst instead of /dev/nst4 for the particular drive, the device name will automatically use the correct nst device even after reboot. The same is true for loader names, for example, /dev/tape/by-id/scsi-SSTK_L80_XYZZY_B should be used instead of /dev/sg18.

Note
Make sure that you use the non-rewind device name nst, in the above example scsi-350223344ab000900-nst, and not the auto rewind version st. If you specify the auto rewind version st, a rewind command will be issued to the tape drive and the tape will be positioned at the beginning of the tape. When accessing a non-rewind tape device nst, a rewind command is not issued.

For more details, refer to your hardware manufacturer documentation; for example, IBM article Configuring drives with persistent naming for IBM devices on Linux.
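
The matching of slu scan device names to their /dev/tape/by-id aliases, including the nst/st distinction from the note above, can be automated. The following Python script is an added example, not part of SEP sesam; it parses the two outputs shown above (embedded as samples), and the function names and the classification labels are hypothetical.

```python
"""Map volatile device names from `slu scan` to /dev/tape/by-id aliases (added example)."""
import posixpath
import re

BY_ID = "/dev/tape/by-id"

# Both samples are the outputs shown in the text above.
SLU_SCAN = """\
ID=9:0:9:0    Tape:    STK      T10000B          0105 (/dev/nst4)
ID=9:0:10:0   Tape:    STK      T10000B          0105 (/dev/nst5)
ID=9:0:11:0   Tape:    STK      T10000B          0105 (/dev/nst6)
ID=9:0:12:0   Tape:    STK      T10000B          0105 (/dev/nst7)
ID=9:0:0:0    Loader:  STK      L700             0105 (/dev/sg17)
ID=9:0:8:0    Loader:  STK      L80              0105 (/dev/sg18)
"""
LS_BY_ID = """\
total 0
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab000900 -> ../../st4
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab000900-nst -> ../../nst4
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab001000 -> ../../st5
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab001000-nst -> ../../nst5
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab001100 -> ../../st6
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab001100-nst -> ../../nst6
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab001200 -> ../../st7
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab001200-nst -> ../../nst7
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-SSTK_L700_XYZZY_A -> ../../sg17
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-SSTK_L80_XYZZY_B -> ../../sg18
"""

SCAN_LINE = re.compile(
    r"^ID=(?P<scsi_id>\S+)\s+(?P<kind>Tape|Loader):\s+"
    r"(?P<model>.*?)\s+\((?P<device>/dev/[^)\s]+)\)")


def parse_slu_scan(text):
    """Return one dict per device line of `slu scan` output."""
    devices = []
    for line in text.splitlines():
        match = SCAN_LINE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["model"] = " ".join(entry["model"].split())
            devices.append(entry)
    return devices


def parse_by_id(text):
    """Return {alias: '/dev/<node>'} from `ls -l /dev/tape/by-id/` output."""
    links = {}
    for line in text.splitlines():
        if " -> " not in line:
            continue                      # "total 0" and non-symlink lines
        left, target = line.rsplit(" -> ", 1)
        links[left.split()[-1]] = "/dev/" + posixpath.basename(target.strip())
    return links


def persistent_names(scan_text, ls_text):
    """Map each scanned device to its by-id path, or None if it has no alias."""
    by_device = {}
    for alias, device in parse_by_id(ls_text).items():
        by_device.setdefault(device, []).append(alias)
    result = {}
    for entry in parse_slu_scan(scan_text):
        aliases = sorted(by_device.get(entry["device"], []))
        result[entry["device"]] = f"{BY_ID}/{aliases[0]}" if aliases else None
    return result


def classify(configured, links):
    """Label a configured device name: volatile, persistent, rewinding or unknown."""
    if not configured.startswith(BY_ID + "/"):
        return "volatile"                 # e.g. /dev/nst4 or /dev/sg18
    target = links.get(posixpath.basename(configured))
    if target is None:
        return "unknown"                  # alias not present in the listing
    if re.fullmatch(r"/dev/st\d+[alm]?", target):
        return "rewinding"                # st node: the tape is rewound on close
    return "persistent"


if __name__ == "__main__":
    for device, alias in persistent_names(SLU_SCAN, LS_BY_ID).items():
        print(f"{device:12} -> {alias}")
    print(classify(BY_ID + "/scsi-350223344ab000900", parse_by_id(LS_BY_ID)))
```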

Using slu topology for detecting devices

After persistent naming is configured, you have to identify the name of the loader(s) and tape drives and their connection to the SEP sesam internal number of the drive (this drive number is set automatically by SEP sesam) to properly configure devices on the SEP sesam Server.

slu topology is a SEP sesam SCSI loader utility that provides information about the loaders and drives connected to the system; it also shows their relation which is required to identify unique IDs of tape drives and configure them by using SEP sesam GUI.

  1. To be able to run the SEP sesam commands globally, you must set up a profile as described in FAQ: What happens when I set a profile?
  2. To list all attached SCSI devices, run slu topology:
    <SESAM_BIN>/sesam/slu topology

    If the devices are properly connected, you should get output similar to the one shown below.

    [Screenshot: slu topology output]

  3. By examining the output you are able to determine the correct names of loaders and tape drives; in the latter case, you can also determine the connection between the drive name and the drive number sequence. Each tape drive is listed in a separate line with its name (Tapexxx) and its relation to the pre-set drive number in the loader; this pre-set drive number is the last in the line and specifies the number of the tape drive in the loader as referenced by SEP sesam. SEP sesam assigns a number to each tape drive, starting with 0 (0: the first tape drive in the loader; 1: the second tape drive in the loader ...). The equivalent GUI field is named the Drive No. in loader.
  4. For example, from the above output you can read the following characteristics that are required for (re-)configuration of loaders and drives in GUI:

    Loader: HP      MSL6000 Series 3G3ALRT572VN (Changer0)
            Drive: HP      Ultrium 4-SCSI  HU18111L60 (Tape2147483644) (adr=480) 0
            Drive: HP      Ultrium 4-SCSI  HU18111L66 (Tape2147483643) (adr=481) 1
            Drive: HP      Ultrium 4-SCSI  HU18141PP1 (Tape2147483645) (adr=483) 3

    In our example, the tape drive with the persistent name Tape2147483644 relates to drive number 0 (the first tape drive in the loader). You enter the unique tape drive name, e.g., Tape2147483644, when (re)configuring your backup hardware in GUI.

  5. You can also check the number of slots in the loader. SEP sesam numbers the slots from 0 to the number of cartridges in the loader.
    [Screenshot: Loader setup]

    In our example, the loader has 56 slots (0–55) and a port slot which is not configured in SEP sesam.

Now you have all required information to manually (re-)configure your storage hardware.

(Re-)Configuring loaders and drives in SEP sesam GUI

These steps differ slightly if you are manually configuring a new device or re-configuring an already existing device. If you are re-configuring an existing device, select it from the list of Loaders and double-click to open the properties and review them, as described in the following steps. Then proceed with re-configuration of drives.

Manually configuring a new loader
  1. If you are configuring a new device, in SEP sesam GUI from the Main selection select Components then Loaders. Click New Loader.
  2. In the New Loader window, enter its properties which you can read from the output of:
    <SESAM_BIN>/sesam/slu topology

    [Screenshot: slu topology output, loader]
    Check the output to see if the devices are used correctly by SEP sesam and detect the available SCSI addresses. For details, see above section Using slu topology for detecting devices.

    • Device name: SCSI device filename of the loader. In our Windows example, this is Changer0. On Linux systems it would be, for example, /dev/sg2.
    • Device server: SEP sesam Server or Remote Device Server (RDS) to which the loader is connected. In small environments, the loader or disk array is usually installed directly on the SEP sesam Server. More complex backup environments use RDS instead.
    • Type: The device type, e.g., LTO4.
    • Ctrl: Make sure that DIR_SLU is selected. This is applicable for all loaders which are connected by SAS/iSCSI/FC to the SEP sesam Server or RDS, and provide a robotic control of tape media. (Other options are DIR_VIRT which defines a virtual loader, DIR_DISK which enables controlling a pool of several hard disks, and DIR_ACSLS which defines an ACSLS loader.)
    • Slots: Number of slots in the loader.
    • Ports: Number of mail slots in the loader.
    • Barcode: Depending on whether the loader has a barcode reader or not, select yes or no.
    • Auto unload function: Almost all autoloaders and tape libraries allow explicit commands to transport tapes to and from the loader mechanism. It is strongly recommended to disable Auto unload function by setting it to No and allow the manufacturer's drive settings to perform as designed.


Creating or re-configuring drives
  1. From the Components, select Drives. In SEP sesam, every drive has to be a member of a drive group. If you have not yet created a drive group, you have to create it now: click the New Drive Group button and enter the name of the new drive group, e.g., Tape_Drives.

    Tip
    It is recommended to group all drives that belong to the same loader in the same drive group.

  2. Select the drive group for which you want to (re-)configure the drives, e.g., Tape Drives, and create new drives by clicking New Drive, or select the existing drives for which you enforced persistent naming and which you have to reconfigure.
  3. In the New Drive window/Drive properties, the following fields are available:
    • Drive number: Number is automatically assigned by SEP sesam; you can change it if you are creating a new drive.
    • Drive name: Optionally, enter a description, e.g., logical identifier of a drive.
    • Drive type: Select the drive type from the drop-down list of existing drives (LTO, DLT, SLR, etc.)
    • Loader: If the drive belongs to the loader, select 1. If it is a single tape drive, select No loader option. (Number 0 defines the virtual loader.) As of 4.4.3 Beefalo V2, you can also select ACSLS, see Configuring ACSLS-Managed Libraries.
    • Drive no. in loader: Check the information you got by using slu topology. For example, for the Drive no. in loader with the value 0 you would enter the related persistent name of the drive into the field Device (non-rewinding).
    • Device server: The name of the server or RDS to which the drive is connected. The drop-down list displays all available hosts.
    • Drive group: Is already selected, based on your previous choice when starting with drive configuration.
    • Device (non-rewinding): Based on slu topology output, you have to match the drive's persistent name with the drive number. In our example, for the Drive no. in loader with the value 0 you would insert the persistent drive name Tape2147483644. For details on checking the output, see above section Using slu topology for detecting devices.
    • Device Block Size: As of v. 4.4.3 Beefalo V2, it is possible to change the default write density for tapes to achieve better tape performance by using the Device Block Size option. See Setting device block size.
    • Tape in drive: If a medium is loaded into the drive, SEP sesam label is displayed.
    • Information: If indicated, the messages from the drive hardware are displayed.
    • Max. channels: The number of simultaneous backups that can be operated through drives.
    • Encryption capable: For already configured drives, it shows whether they are encryption capable. The field is shaded for new drives. Note that SEP sesam provides native support for managing LTO-based encryption; the LTO encryption of tape drives can be enabled on a media pool level. For details, see LTO Encryption.
  4. Click OK to (re-)configure the drive.
  5. Repeat the procedure for each drive by entering its persistent name.
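
The matching described under Device (non-rewinding), as an added example that is not part of the SEP sesam documentation or tooling: it parses the Drive lines of slu topology output and compares them with the device names you plan to enter per Drive no. in loader. It assumes every drive line has the shape of the line shown earlier, with the trailing number being the drive number in the loader; in the sample, only the Tape2147483644/drive 0 pairing and the Tape2147483645 line come from the page, the other names and adr values are constructed.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of slu topology drive lines (see the assumptions above).
SAMPLE_TOPOLOGY = """\
    Drive: HP      Ultrium 4-SCSI  HU18141PP1 (Tape2147483644) (adr=480) 0
    Drive: HP      Ultrium 4-SCSI  HU18141PP1 (Tape2147483647) (adr=481) 1
    Drive: HP      Ultrium 4-SCSI  HU18141PP1 (Tape2147483646) (adr=482) 2
    Drive: HP      Ultrium 4-SCSI  HU18141PP1 (Tape2147483645) (adr=483) 3
"""

# Assumed line shape: Drive: <description> (<device>) (adr=<n>) <drive no.>
DRIVE_LINE = re.compile(
    r"^\s*Drive:\s+(?P<desc>.+?)\s+\((?P<device>[^()]+)\)"
    r"\s+\(adr=(?P<adr>\d+)\)\s+(?P<drive_no>\d+)\s*$"
)


class Drive(NamedTuple):
    drive_no: int      # value for "Drive no. in loader"
    device: str        # value for "Device (non-rewinding)"
    adr: int
    description: str


def parse_drives(topology_text: str) -> Dict[int, Drive]:
    """Return {drive number: Drive} for every drive line in the output."""
    drives: Dict[int, Drive] = {}
    for line in topology_text.splitlines():
        m = DRIVE_LINE.match(line)
        if not m:
            continue  # not a drive line
        drive = Drive(int(m["drive_no"]), m["device"], int(m["adr"]),
                      " ".join(m["desc"].split()))
        if drive.drive_no in drives:
            raise ValueError(f"drive number {drive.drive_no} listed twice")
        if any(d.device == drive.device for d in drives.values()):
            raise ValueError(f"device {drive.device} listed twice")
        drives[drive.drive_no] = drive
    return drives


def check_drive_config(drives: Dict[int, Drive],
                       configured: Dict[int, str]) -> List[str]:
    """Compare planned {drive no. in loader: device name} with the topology."""
    problems: List[str] = []
    first_use: Dict[str, int] = {}
    for drive_no, device in sorted(configured.items()):
        expected = drives.get(drive_no)
        if expected is None:
            problems.append(f"drive {drive_no}: not present in slu topology output")
        elif expected.device != device:
            problems.append(f"drive {drive_no}: configured {device}, "
                            f"topology reports {expected.device}")
        if device in first_use:
            problems.append(f"device {device}: used for drives "
                            f"{first_use[device]} and {drive_no}")
        first_use.setdefault(device, drive_no)
    for drive_no in sorted(set(drives) - set(configured)):
        problems.append(f"drive {drive_no}: in topology "
                        f"({drives[drive_no].device}) but not configured")
    return problems


if __name__ == "__main__":
    topology = parse_drives(SAMPLE_TOPOLOGY)
    # A plan that wrongly assumes device names ascend with the drive number.
    plan = {0: "Tape2147483644", 1: "Tape2147483645"}
    for problem in check_drive_config(topology, plan):
        print(problem)
```
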

Configuring a Data Store

Data store is a device type used for writing the savesets directly on one or several configured storage locations – into the file system. Data store configuration consists of specifying data store capacity and high watermark (HWM) (note that low watermark is obsolete as of v. 4.4.3 Beefalo). The default data store type is Path, also available are SEP Si3 deduplication store and (depending on version) NetApp Snap Store, HPE StoreOnce and HPE Cloud Bank Store. As of SEP sesam version 4.4.3, SEP EasyArchive data store and FDS deduplication store are no longer supported. For details on data store concept, see Data Store.

The SEP sesam data store feature has been enhanced in SEP sesam Beefalo with new data store types and a better overview of all data stores and their state. GUI has also been redesigned to be more user-friendly without significantly changing the interface logic, thus your display may vary slightly from what is shown here depending on your SEP sesam version.

You can also configure a data store for backing up to and from CIFS share. For details, see How to use CIFS share (NAS) as data store and how to back up data from CIFS share.

Procedure

  1. In the Main selection -> Components, click Data stores to display the data store contents frame.
  2. From the Data stores menu, select New data store. A New data store dialog appears.

    Segment Data Store

  3. Under the Data store properties in the Name field, enter a meaningful name for the data store.
  4. The following data store types are available:
    • Path data store
    • Si3 deduplication store
    • NetApp Snap Store (available as of v. ≥ 4.4.3 Grolar)
    • HPE StoreOnce (available as of v. ≥ 4.4.3 Beefalo)
    • HPE Cloud Bank Store (available as of v. ≥ 4.4.3 Beefalo V2)
    From the Store type drop-down list, select Path. Skip the Messages section, which is used by SEP sesam to display the last executed action.

    Note
    When configuring any other store type than Path, e.g., Si3 deduplication store, HPE StoreOnce or HPE Cloud Bank Store, you should be aware of the requirements and recommendations before you start using these special data store types. For details, see Configuring Si3 Deduplication Store, NetApp Snap Store, HPE StoreOnce, and HPE Cloud Bank Store, respectively.

    Segment Drive Parameter

  5. Make sure that the option Create drive for data store is checked under the Drive parameter properties. The predefined value for the drive is automatically added to the Drive number field.
  6. As of SEP sesam 4.4.3 Tigon, the option Create second drive is available.

    Tip
    It is recommended to use the option Create second drive for both data store types (Path and Si3). Without it, SEP sesam can only allocate a drive either for reading or writing, running one job at a time on the same drive. By using the additional dedicated drive for restore, you are able to run a backup on the first drive and restore your data from the second drive simultaneously. You can also add a third drive for migration.
    • Note that any additional drive dedicated for restore or migration must have the access mode set to read in the Drive properties.
    • When using additional drives, all backup jobs must be configured to use the drive dedicated for backup. You specify the drive number for a backup job as described in Creating a Backup Event.
    • In case you use the additional drive for migration, you have to specify the dedicated drive as described in Creating a Migration Task.
    • You can configure the number of streams per drive. This enables you, for example, to limit the number of parallel backups to 5, but use a higher number of concurrent streams for migration.
  7. From the Device server drop-down list, select the device server for your data store. Note that the standard device server is always the SEP sesam Server itself. Other available device servers included in the drop-down list are additional SEP sesam Remote Device Servers (RDS).
  8. In the Path field, enter the location for your data store or use the Browse button to select the relevant folder and click OK.
    When using the Browse button to select the folder, the New data store information window appears with predefined recommended values for your data store size. Click OK to confirm the selected location and the recommended size values. You can modify your data store size later under the Size properties (see step 12). For details on how the size is calculated, see How do I calculate the data store capacity.
  9. The option This drive uses data deduplication technology ... is only available for the default data store type Path. Select this check box only if deduplication is enabled on the selected drive. In this case, the projected amount of storage available for backups will also include the deduplication factor.
  10. Under the Drive group properties, select Create new drive group if you want to create a new group or Use existing drive group to add a drive to one of the configured groups, available in the drop-down list.
  11. The predefined number of channels is already displayed in the Max. channels drop-down list. The number of available channels depends on your SEP sesam Server package. The standard license supports 5 concurrent streams, enabling 5 backup processes to run simultaneously. For details on SEP sesam licenses, see Licensing.

    Segment Size

  12. Under the Size properties, the predefined recommended values for your data store size are already displayed. If not, enter the following values manually.
    • Capacity: The size (in GB/GiB) of the partition for backups.
    • High watermark: The value (in GB/GiB) for the high watermark (HWM). The HWM defines the upper value for used disk space. When this value is reached, a data store purge process is started for all EOL-free savesets, thus freeing up the capacity of the data store.
      Note
      In previous versions of SEP sesam (≤ 4.4.3.42 Tigon), if HWM was set and exceeded, backups could no longer be started while running backups were allowed to finish. Purging is done until the low watermark is reached (if set). This behaviour has changed with SEP sesam v. ≥ 4.4.3.48 Tigon V2; if HWM is set, exceeding it will only issue an information message but will no longer prevent backups from being started.
    • Low watermark (LWM): Obsolete as of v. 4.4.3 Beefalo, relevant only for previous versions of SEP sesam.
    For details on what should be considered when specifying the size, see How do I calculate the data store capacity.

    Segment (read-only) Disk Space Usage

    The Disk space usage properties are used by SEP sesam to report the following:

    • Used: Total used space (GiB/TiB) on the partition.
    • Total: Maximum available space (GiB/TiB) on the partition as reported by the operating system.
    • Free: Available disk space (GiB/TiB) for SEP sesam.
    • Deduplication rate: If applicable. The deduplication ratio is depicted as ratio:1.
  13. Click OK to configure your data store. You will be prompted to create a new media pool for it immediately. If you answer No, you have to create the media pool later and your configuration is finished. If you answer Yes, a new media pool dialog is displayed.

    Creating a media pool

  14. Enter a media pool name, select a drive group and set up the Retention time in days. Retention time is a media pool related parameter that specifies the number of days for which the media from the pool are protected from writing, thus preserving the backed up data and keeping it available for restore (see Managing EOL). Once the retention time expires, the media are writable again. For details on how to configure a media pool, see Configuring media pools for data stores.


Once you set up your backup strategy, you can back up your data to your new media pool. You can start a configured backup task immediately or schedule it to run after you have created a schedule and linked a backup event to it. For details, see Creating a Schedule and Creating a Backup Event.

If you want to start the backup task immediately, right-click the name of the backup task and click Immediate start. Note that you only need to select the appropriate media pool referring to your data store and click Start.

Configuring Si3 Deduplication Store

SEP sesam provides a target-based (Si3T) and source-based deduplication (Si3S). For details on deduplication concept and recommendations, see Deduplication.

Both Si3T and Si3S require a configured Si3 deduplication store. Only one Si3 deduplication store can be configured on a server. A valid licence is required for each Si3 deduplication store. Note that you can also configure an Si3 deduplication store by using a command line. For details, see Configuring and Administering Si3 Deduplication Store by using CLI.

You can download SEP Tachometer to analyse the structure of your data and calculate potential savings with SEP sesam Si3 deduplication. Check SEP Tachometer.

Prerequisites

For the minimum Si3 hardware requirements that apply to SEP sesam Si3 deduplication server, see Hardware requirements. Keep in mind that these requirements represent the demand for deduplication only. In addition, the amount of memory for the operating system and other services should be taken into account.

In addition, the following prerequisites must be met to configure an Si3 deduplication store.

Additional RAM / CPU requirements

  • For details on the required Java version, see Java Compatibility Matrix. Si3 is not mandatory, therefore there is no dependency rule in the RPM/DEB packages for it.
  • When estimating the maximum size for a deduplication store, you have to ensure that there is enough space available for dedup trash or the deduplication store will run out of space. You should calculate the required disk space based on the representative sample of your full backup and add the amount of extra space equal to approx. 50% of the representative full backup.

Disk attachment and protocols

Si3 supports any kind of direct-attached disk storage, such as serial attached SCSI (SAS), Serial ATA (SATA), and Fibre Channel (FC)/LUN. Si3 is NOT supported for CIFS and NFS network protocols.

Restriction

To avoid issues arising from the combination of too large Si3 deduplication stores and inefficient hardware, the maximum initial Si3 deduplication store size is restricted to 40 TB since Tigon V2 (4.4.3.46). This restriction is valid when creating a new Si3 deduplication store in the GUI. Note that customers with special requirements for a larger Si3 deduplication store should contact SEP support to be able to increase the value up to an optimum size for their specific environments.

Required additional amount of RAM and CPU cores

The following tables show the required additional amount of RAM and CPU cores for one Si3 data store. The TB value is the capacity of the Si3 data store.

Note
It is not recommended to run Si3 deduplication (SEP sesam Server or RDS) on a virtual machine. If you do, for example for evaluation or testing, consider limiting the capacity of the Si3 data store to 100 GB to ensure normal VM operation. Keep in mind that deduplication consumes a lot of server resources for reading, processing, and writing deduplicated data, so be aware of this limitation when running Si3 on a VM.

Si3 data store capacity (check initial size restriction) | RAM
<20 TB | 16 GiB
20-40 TB | 32 GiB

To find out how much RAM Si3 requires at a given capacity, enter the command sm_dedup_interface propose jvmconfig <Si3-CAPACITY> at an admin command line (you must set the sesam profile to run the command). The MaxDirectMemorySize output is the required RAM value.

The following table shows the amount of CPU cores required for one Si3 data store. The TB value is the amount of backed up data (before deduplication)!

Backed up data (before dedup) | CPU cores
10 TB | 4
20 TB | 4
40 TB | 8

Note
Keep in mind that the stated requirements represent the demand for deduplication only. In addition to these requirements, the amount of memory for the operating system and other services should be taken into account.


Steps

The SEP sesam data store is a disk based storage that enables savesets (backed up data) to be backed up directly to the configured storage locations. SEP Si3 target deduplication is easily configured and ready to use by selecting Si3 deduplication data store type.

  1. In the Main selection -> Components, click Data Stores to display the data store contents frame.
  2. From the Data Stores menu, select New Data Store. A New Data Store dialog appears.
  3. Under the Data store properties in the Name field, enter a meaningful name for the Si3 data store.
  4. From the Store type drop-down list, select SEP Si3 Deduplication Store.
  5. Make sure that the option Create drive is checked under the Drive parameter properties. The predefined value for the drive is automatically added to the Drive number field.
  6. It is also recommended that the option Create second drive is checked. Without it, SEP sesam can only allocate a drive either for reading or writing, running one job at a time on the same drive. By using the additional dedicated drive for restore, you are able to run a backup on the first drive and restore your data from the second drive simultaneously. You can also add a third drive for migration.
  7. Then select Create new drive group and enter the name for your Si3 deduplication store dedicated group.
  8. The predefined number of channels is already displayed in the Max. channels drop-down list. The number of available channels depends on your SEP sesam Server package. For details on licensing, see Licensing.
  9. From the Device server drop-down list, select the device server for your data store.
  10. In the Path field, enter the location for your data store or use the Browse button to select the relevant folder. Check the relevant folder and click OK.
    When using the Browse button to select the folder, the New Data Store information window appears with predefined recommended values for your Si3 deduplication store size. Click OK to confirm the selected location and the recommended size values. You can modify your data store size later under the Size properties (see the next step).
  11. Under the Size properties, specify or modify the following:
    • Capacity: Specify the size (in GiB) of the partition for backups.
    • High watermark: Specify the value (in GiB) for the high watermark (HWM). The HWM defines the upper value for the used disk space on the data store. When this value is reached, a purge process is triggered for all EOL-free (End-of-lifetime) savesets, thus freeing up the capacity of the data store. The oldest free savesets are deleted first.
      Note
      In previous versions of SEP sesam (≤ 4.4.3.42 Tigon), if HWM was set and exceeded, backups could no longer be started while running backups were allowed to finish. Purging is done until the low watermark is reached (if set). This behavior has changed with SEP sesam v. ≥ 4.4.3.48 Tigon V2; if HWM is set, exceeding it will only issue an information message but will no longer prevent backups from being started.
    • Si3 repair area: Specify the value (in GiB) for the Si3 repair area. The Si3 repair area (subdirectory trash) defines space for Si3 files (DDLs) that were identified by a garbage collection job and are no longer used. These files are still kept in the repair area to enable possible repair of Si3 if there are any structural problems (these may be caused by a file system error or by an operating system crash). The files in the repair area will be removed automatically after the specified amount of time (SEP sesam default: 4 days) or when the disk usage threshold is reached. Note that when the value is set to 0, the Si3 repair functionality is turned off.
      Note
      The Si3 repair area for managing disk space dedicated to Si3 files (DDLs) is only available in the Expert UI mode. So if you run the GUI in Basic or Advanced UI mode, you first have to change the mode to Expert, as described in Selecting UI mode.

    The Disk space usage properties are used by SEP sesam to report the following:

    • Used: Total used space (in GiB) on the partition.
    • Total: Maximum available space (in GiB) on the partition as reported by the operating system.
    • Free: Available disk space (in GiB) for SEP sesam.

You can view the properties of your Si3 deduplication store by double-clicking the relevant Si3 deduplication store.

  • You can modify existing and set additional drive options by double-clicking the first drive. In the Drive Properties window, you can browse the path for the data store. To configure Si3 data encryption, you have to create a deduplication security password file. For details, see Encrypting Si3 Deduplication Store.
    In v. ≥ 4.4.3 Beefalo, under the tab OS Access specify the credentials to access the respective systems. Use DOMAIN\USER format for domain accounts or HOST\USER for local accounts.
  • You can view the status of your Si3 deduplication by clicking the Si3 State tab. You can check the last deduplication message, status of active tasks, encryption status, number of stored objects, data size before/after deduplication, dedup ratio, saved storage space, etc.

Note
If fsck (file system consistency check) detects an irregularity in the Si3 file system, the affected pages and chunks are recorded in the recovery.log. The Si3 deduplication store in the GUI is marked red and the Si3 purge is no longer executed. The purge is stopped to prevent the files in the Si3 repair area from being deleted, as they may be required to repair Si3 in case of problems. Once the errors are fixed and the recovery.log is empty, the Si3 data store is no longer marked red and the Si3 purge is working again.

Configuring a Media Pool

Media pool is a group of media of the same type that you use for backups. How you configure a media pool depends on the type of the used storage device. With loaders, you set up a media pool that will be used for backing up directly to tapes. For backing up to disks (disk storage) you have to set up a data store first, but still have to create a dedicated media pool for it.

Once a media pool is configured, SEP sesam automatically labels each medium with a unique media label during initialization. Media labels are stored in the SEP sesam database. The labels consist of the pool name and a 5-digit number assigned by SEP sesam within the pool.

Media pools are the base for building a backup strategy. Each media pool stands for a set of media intended for a specific purpose. For example, media pools can be created and managed for work days, weekends, certain locations, certain types, databases, etc. You may have different kinds of media pools for different types of backup data, backup sources (e.g., file backup, DB backup) or drive types.

It is possible to configure special GFS media pools for storing data on tape according to the GFS (Grandfather-Father-Son) retention strategy. For details, see GFS Backup Retention Strategy.

Note that the Options tab for configuring a special set of options to allow sharing of media across media pools is only available when configuring the media pools for tape media.

Configuring media pools for tape media

After you configure your backup hardware and create a new drive group, you have to create a new media pool and assign it to the drive group which contains your newly created drives. With loaders, you can configure a media pool that will be used for backing up directly to tapes. The way you set up your backup strategy depends on the data that is being backed up. Typically, you would create at least three media pools. For details on how to set up loaders and drives, see Configuring Loaders and Drives.

Steps

  1. From Main Selection -> Media Pools, click New Media Pool. The New Media Pool window appears.
  2. In the Media Pool window, specify the required fields:
    • Name: Specify a name of a media pool, for example, MP_tape_day (for daily backups), MP_tape_week (for weekly backups), etc.
    • Description: Optionally, insert the description of the pool.
    • Drive group: From the drop-down list of all available drive groups, select the relevant drive group to which a media pool will be attached (e.g., Tape_Drives, RDS_LTO_Drives, etc.). For details on drive groups, see Drives.
    • Retention time [days]: Specify the retention time for the media pool. The retention time period starts with the date a saveset is written to the media and lasts for the period defined by the media pool's retention time (in days). The expiration date of the retention time is the EOL of the saveset. When savesets are stored on tape, every stored saveset has its own saveset EOL; however, the expiration date of the tape corresponds to the maximum retention time (the longest EOL) identified on it. For details, see tape media EOL.
    • Set media pool inactive: You can deactivate a media pool so that it is not available for use.
      Note
      In the case of a clone media pool, the option Set media pool inactive controls not only whether a media pool is available for use but consequently also whether the upload (synchronization with the S3 cloud) is performed. If you deactivate a clone media pool by selecting the option Set media pool inactive, the data will no longer be synchronized with the S3 cloud. For details, see Configuring replication to S3 cloud.
  3. Readability check is used to check the readability of data on tape and its structure, and to ensure that the backup sets on tape are recorded in the database and vice versa. Use the following options to specify the readability check settings:
    • Readability check limit [days]: By default, the value is 0 (zero) and the readability check is switched off. If you set a number > 0, a medium is checked after the specified number of days and marked by status Readability check needed. Note that readability check can only be applied if a medium EOL has not expired and is not applicable for EOL-free media. For details, see Managing EOL.
    • Expiration of read check overdue [days]: Specify the number of days when a readability test will be overdue. This calculation is based on the readability check limit [days] and the value of expiration overdue.
    • Repeat rate for readability check [times]: If you select Unlimited, the medium is checked according to the specified frequency. If you define Execute, the check is repeated as many times as specified.
    Note
    To perform the readability check, you have to set up a schedule and link a media event to it. When creating a media event you have to select readability check option and a media pool for your event. For details, see Configuring a Readability Check.
  4. In v. ≤ 4.4.3 Grolar, the Options tab is available when configuring a new media pool. As of v. 4.4.3 Beefalo, the Options tab is only available in the media pool properties (Main Selection -> Media Pools -> double-click a media pool). Under the Options tab, you can configure a special set of options (according to your strategy) to allow sharing of media across media pools. The following media management options may be useful if media from the respective pool are not available for backup. In this case, the system requires new media.
    • May use empty, foreign media: If you select this option, SEP sesam will use unknown or blank tapes for backup when no tapes are available in the respective pool.
    • May use EOL free media: If you select this option, you may use other EOL free media than the requested one in a single tape drive (without a loader).
    • May use SPARE media: This option can be used if you have configured media pool SPARE_ before (see the section below). By enabling the SPARE media option, SEP sesam automatically uses the media from the SPARE pool if there are no available tapes in the target media pool. For details, see Spare Pools.
    • May use media from another pool: This option enables SEP sesam to use available tapes of other media pools if there are no available tapes in the target media pool.
    • Another media pool may use media from this pool: If you select this option, you enable another media pool that runs out of its own tapes to use the available tapes from the respective media pool.
  5. Click OK.

Configuring spare pools

You configure a spare pool in the same way as any other media pool, except for the name of the pool: the name of a spare pool must follow the SPARE_ naming convention. This way, SEP sesam is able to identify this pool as a spare pool.

Configuring media pools for data stores

With data stores, you configure media pools to be used for backing up to disks (disk storage). First you have to configure a data store, and then you create a dedicated media pool for it. For details on how to configure a data store, see Configuring a Data Store.

Steps

  1. When you configure your data store, you are prompted to configure a media pool immediately. You can also configure a media pool later from the data store properties -> click Create Media Pool, or from Main Selection -> Media Pools, click New Media Pool. The New Media Pool window appears.
  2. As described above, enter a media pool name, select a drive group and set up the Retention time. Media pool retention time is specified in days and defines how long the backed up data on media remains protected after the data is written to the medium. The retention time period starts with the date a saveset is written to the medium. The expiration date of the retention time is the EOL of the saveset. After the protection has expired, the saveset is deleted while purge is running on the data store and the disk space is released. For details, see retention time of media pool.

    Note
    Before backing up to S3 cloud, you also have to create one clone media pool by selecting Clone as a media pool type. For details, see S3 Cloud Storage Backup.
  3. Click OK.

You can check which media pools are configured with a data store in the data store properties: from Main Selection -> Data Stores -> double-click the selected data store -> select the Media (previously Areas) tab. By clicking the media pool in the list, its properties are displayed.



Part VI: Authentication

About Authentication and Authorization

Overview

SEP sesam introduces a new authorization concept to grant and restrict access to the SEP sesam Server, specific clients and locations. Note that authentication is the first step of authorization. This means that first the identity of a user who is accessing a SEP sesam Server is authenticated by verifying the user's credentials (username and password).

After successful authentication, authorization starts: SEP sesam validates whether the authenticated user has appropriate permissions for accessing a specific resource or operation within the SEP sesam Server.

Authorization is implemented through the following elements:

  • Permissions based on user type
    Users can connect to SEP sesam Server only if they are granted appropriate permissions. Their user rights depend on the user type. SEP sesam user types are admin, operator and restore.
    • Admin is the only user role with full control over the SEP sesam.
    • The Operator monitors the SEP sesam Server backup status.
    • The Restore user is only allowed to start restores.

    Note that the displayed GUI components depend on the user type. For details on GUI elements, see SEP sesam GUI.

  • Access Control Lists (ACLs)
    An ACL specifies which users or groups are granted access to specific objects. As of SEP sesam version 4.4.3 Grolar, you can configure ACLs for locations and clients if you have admin rights. For details on ACL configuration, see Using Access Control Lists.

After the initial installation of SEP sesam, no users are configured except the administrator. Depending on version, SEP sesam provides different authentication methods that are mutually exclusive: database-based authentication (for v. ≥ 4.4.3 Tigon) which is simply called authentication, and policy-based authentication (for all SEP sesam versions). By default, policy-based authentication is active. Note that only one authentication method can be active at any time.

Note
In SEP sesam v. ≥ 4.4.3 Tigon, you can bypass authentication on the local server for all users by setting the parameter localFullAccess in the <SESAM_ROOT>/var/ini/sm.ini file to true, as described in the section below.

Database-based authentication

SEP sesam provides database-based authentication that allows administrators to configure users and grant them appropriate permissions to perform SEP sesam operations by setting individual passwords and assigning users to the relevant user group.

As of 4.4.3 Grolar, SEP sesam can be configured to use LDAP/AD authentication in combination with database-based authentication. This way SEP sesam can authenticate users against an external LDAP/AD directory. If LDAP/AD authentication is enabled in SEP sesam and the users are mapped correctly, they can log in to SEP sesam according to their entry in the LDAP/AD directory and the user mapping information. For details, see Configuring LDAP/AD Authentication.

The assigned user group (based on user type) determines the actions that the group members can perform. Database-based authentication can be enabled from the GUI by activating authentication under Configuration -> Permission Management. This is the only way to set the password for the Administrator.

If the DB-based authentication is activated via GUI, the authEnabled parameter is set to true in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server. For details on database-based permissions, see Configuring Database-Based Authentication.

Policy-based authentication

Policy-based authentication represents a traditional approach to managing user permissions with SEP sesam v. ≥ 4.4.3. The SEP sesam GUI is based on Java and uses the sm_java.policy file to grant the required permissions. The policy file is by default located at <SESAM_ROOT>/var/ini/sm_java.policy, where <SESAM_ROOT> is the pathname of the SEP sesam home directory.

With policy-based authentication, permissions are assigned to a user/host combination in the sm_java.policy file. You can also grant users the required permissions by using the GUI: Main Selection -> Configuration -> User Permissions. For details on policy-based permissions, see Configuring Policy-Based Authentication.

Configuring localFullAccess in sm.ini

localFullAccess defines whether a user who is logged in to the SEP sesam Server directly may use the SEP sesam CLI and GUI without any authentication. If set to true, authentication is not required. If set to false, authentication is mandatory for all users, and SEP sesam prompts for the username and password at login.

If database-based authentication is enabled, the localFullAccess flag is set to false automatically. A certificate is passed from the SEP sesam command line to the SEP sesam Server, where it is verified. The certificate file is stored in <SESAM_ROOT>/var/ini/ssl.

Note
  • On Unix, only the system root user can access this directory and use the command line without authentication.
  • On Windows, use Windows User Account Control (UAC) to limit access to the certificate file.

How to change the localFullAccess flag

  1. Locate the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server (where <SESAM_ROOT> is the pathname of the SEP sesam home directory). Open the sm.ini file using a text editor and set the flag for the localFullAccess parameter to true.
  2. Once you have changed the settings, save your changes and restart the SEP sesam Server for the changes to take effect. The sm.ini file is preserved when you upgrade your SEP sesam Server.
Note
For SEP sesam versions ≤ 4.4.3: It is strongly recommended to leave the localFullAccess flag set to true.

Configuring LDAP/AD Authentication

Overview

SEP sesam can be configured to use LDAP (Lightweight Directory Access Protocol) authentication in combination with database-based authentication. This way SEP sesam can authenticate users against an external LDAP directory (Active Directory, OpenLDAP, NetIQ eDirectory, etc.) in addition to its own database authentication. It provides integration of user and password management together with SEP sesam permissions or access rights granted according to assigned user types.

  • Note that the setup of LDAP/AD with SEP sesam requires profound knowledge of LDAP administration.
  • SEP sesam Active Directory authentication method is not compatible with Azure AD.

How it works

When LDAP authentication sources are configured, the login sequence to SEP sesam is as follows:

  • A user logs in to SEP sesam by entering the appropriate credentials (user name and password).
  • The user name and password are checked against the internal SEP sesam user database.
  • Then the user name and password are checked against the first source in the list. If the user name and password do not match any record, the second/third, etc. source is checked until the first match. Once the first match is found, a source directory is queried about the user group membership.
  • The groups returned by the directory are compared to the configured external groups in the SEP sesam database. If a user is a member of several groups, he/she can have the permissions of more than one group. In this case, the user is logged in as a member of the group with the highest privileges.
  • Access to SEP sesam is denied if the user is not found, if the user is found but the credentials do not match, or if a user is not a member of any configured authorization group.
Note
  • When SEP sesam authenticates against LDAP, it may result in slower SEP sesam login performance as the LDAP server requires time to make a network connection and retrieve the data.
  • The login process stops after the first match of the user name. If there are users with the same login names in different sources, only the first matching user will be able to log in.

You can enable an SSL connection to your LDAP/AD server to secure LDAP for authentication by importing the public certificate of the certification authority (CA) that signs your LDAP server certificate into the Java keystore on the SEP sesam Server. For details, see Securing LDAP connection by LDAPS.

Disabling LDAP/AD sources does not remove your existing LDAP settings. It only disables SEP sesam integration with this specific LDAP/AD source. You can reenable the LDAP/AD authentication at any time by selecting the check box Enable in front of the source definition.

Requirements

  • LDAP or AD user accounts that you intend to use for authentication must already exist within your corporate LDAP/AD prior to configuring authentication with SEP sesam. The LDAP/AD service must be running (for example, Active Directory, OpenLDAP, NetIQ eDirectory, etc.).
  • SEP sesam Server must have globally enabled authentication. You can set the relevant parameters in the sm.ini file, i.e.

    [UI]
    …………….
    authEnabled=true
    auth.db.enabled=true
    auth.ldap.enabled=true
    auth.ldap.autocreate=true
    auth.ad.enabled=true
    auth.ad.autocreate=true
    …………….

    and activate authentication in the SEP sesam GUI, see Configuring Database-Based Authentication.

  • For the LDAP directory, a user within the respective LDAP tree must have the rights to read the attributes of your LDAP groups.
Note
SEP sesam Active Directory authentication method is not compatible with Azure AD.
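
The sm.ini switches described on this page (localFullAccess, authEnabled, auth.ldap.enabled, auth.ad.enabled) can be checked together before and after a change. The following audit script is an added example, not SEP sesam code; the function names, the comment markers, the finding codes and the sample files (including the section in which localFullAccess is placed) are assumptions.

```python
"""Audit the authentication switches of a SEP sesam sm.ini (added example)."""

# Constructed sample files; only the key names come from the documentation.
SAMPLE_WEAK = """[UI]
authEnabled=false
auth.ldap.enabled=true
auth.ad.enabled=false
; constructed sample line
localFullAccess = TRUE
"""

SAMPLE_HARDENED = """[UI]
authEnabled=true
auth.db.enabled=true
auth.ldap.enabled=true
localFullAccess=false
"""


def parse_ini(text):
    """Map each key to (section, value); the last occurrence of a key wins.

    Parsed by hand so that keys before the first section header or lines
    without '=' (such as elision markers) do not abort the audit.
    """
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # assumed comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = (section, value.strip())
    return settings


def is_true(settings, key):
    """True only for an explicit key=true (value compared case-insensitively)."""
    return settings.get(key, (None, ""))[1].lower() == "true"


def audit_sm_ini(text):
    """Return a list of (code, message) findings for the auth switches."""
    s = parse_ini(text)
    findings = []
    auth = is_true(s, "authEnabled")

    if "localFullAccess" not in s:
        findings.append(("LOCAL_ACCESS_UNSET",
                         "localFullAccess is not set; confirm the effective "
                         "value for this version"))
    elif is_true(s, "localFullAccess"):
        findings.append(("LOCAL_BYPASS",
                         "users logged in on the server itself can use CLI "
                         "and GUI without authentication"))
        if auth:
            # Enabling DB-based authentication sets the flag to false, so a
            # true value here means it was changed back afterwards.
            findings.append(("BYPASS_WITH_DB_AUTH",
                             "authEnabled=true but localFullAccess was set "
                             "back to true"))

    if not auth:
        findings.append(("DB_AUTH_OFF",
                         "authEnabled is not true; database-based "
                         "authentication is not active"))
        for key in ("auth.ldap.enabled", "auth.ad.enabled"):
            if is_true(s, key):
                findings.append(("DIRECTORY_WITHOUT_AUTH",
                                 key + "=true has no effect without "
                                 "globally enabled authentication"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name)
        for code, message in audit_sm_ini(text) or [("OK", "no findings")]:
            print("  %-24s %s" % (code, message))
```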

Configuring LDAP authentication

By integrating LDAP and SEP sesam authentication, SEP sesam internal groups are mapped to groups in the LDAP service tree, providing the members of the LDAP groups with SEP sesam access rights depending on the user type (Admin, Operator or Restore). SEP sesam then authenticates the users against both its own database and the external LDAP directory.

Configuring LDAP authentication is a two-step process:

  1. Ask your LDAP administrator which LDAP attributes are used for the login name and member value in the LDAP groups or identify the values by yourself.
  2. In the SEP sesam GUI, configure an LDAP authentication source and add your LDAP groups to SEP sesam external groups.

OpenLDAP configuration

Step 1: Identify the LDAP parameters and values

  1. In the LDAP browser, enter the DNS name/IP address of your LDAP server, for example, sles11-nfs.jge.home.
  2. Create a (service) user within your LDAP tree or use an existing user with Read right to the member attribute of groups to ensure that the specified account can read the group memberships of all User accounts in the directory.
  3. Define one container (LDAP tree level) where your groups reside. For example, the base for groups is ou=group,dc=jge,dc=home.
  4. Specify the group names; you can use sepadmin, sepoperators and/or seprestore.
  5. Identify all LDAP containers with existing users that will be granted access to SEP sesam.
  6. Identify the unique identifier of your users, for example, ee, jge.

LDAP summary for OpenLDAP example

LDAP server: 					      sles11-nfs.jge.home
LDAP user with read rights of member attribute:       cn=Administrator,dc=jge,dc=home
LDAP group container/base:			      ou=group,dc=jge,dc=home
LDAP group which will be used:                        sepadmin, sepoperators, seprestore
LDAP user container(s)/base(s):		              ou=people,dc=jge,dc=home
LDAP unique identifier:			              uid

Step 2: Configure the LDAP authentication in the GUI

  1. Make sure that the database authentication is enabled, as described in Configuring Database-Based Authentication. Then from the SEP sesam GUI menu bar, select Configuration -> Permission Management.
  2. Switch to the Sources tab and click the + (plus) button to add a new authentication source.
  3. In the Authentication Configuration window, select LDAP as a Source Type and specify the values that you have already investigated for OpenLDAP:
    • URL: Specify the LDAP URL for the source directory server instance.
    • User Search Base: Set the pattern which will be used to supply a Distinguished Name (DN) for the user. The pattern name should be related to the root DN. The {0} placeholder will contain the user name.
    • Manager DN: Specify the Distinguished Name (DN) of the service user, which will be used to log in to and request data from the directory service.
    • Password: Define the password used for login to the directory service.
    • Group base and Group filter options are only available if the user interface (UI) mode is set to Expert. These fields are NOT visible if the UI mode is set to Basic or Advanced. For details on UI modes, see Selecting UI mode.

    You can also switch the source to a secure connection by changing the URL to ldaps://<ldap server name>:636/. For details on how to secure LDAP for authentication, see LDAP with eDirectory example.

    Click OK.

  4. Switch to the External Groups tab and click Create New for each external group you want to map to SEP sesam groups: select ADMIN, OPERATOR or RESTORE.
    Click OK to map your external LDAP groups to SEP sesam internal groups. Access to SEP sesam is denied if the LDAP user is not a member of any configured authorization group.

(Micro Focus) NetIQ eDirectory configuration

Step 1: Identify LDAP parameters and values

  1. Log in to iManager as administrator.
  2. Enter the DNS name/IP address of your eDirectory LDAP server, for example, oes15-srv1.sep.de.
  3. Create a (service) user within your eDirectory tree or use an existing user that has the permission to read users' group.
  4. Define the container where your groups will reside.
  5. Specify the group names; you can use sepadmingroup, sepoperatorgroup, seprestoregroup.
  6. Identify all eDirectory LDAP containers with existing users that will be granted access to SEP sesam.
  7. Identify the unique identifier of your users.

LDAP summary for eDirectory example:

LDAP server:					        oes15-srv1.sep.de
LDAP user with read rights of member attribute:	        cn=Admin,o=sep
LDAP group container/base:		                ou=groups,o=sep
LDAP group which will be used:			        sepadmingroup, sepoperatorgroup, seprestoregroup						
LDAP user container(s)/base(s):			        ou=users,o=sep; ou=it,o=sep; ou=gurus,ou=it,o=sep							
LDAP unique identifier:				        cn

Step 2: Configure the LDAP authentication in the GUI

  1. Make sure that the database authentication is enabled, as described in Configuring Database-Based Authentication. Then from the SEP sesam GUI menu bar, select Configuration -> Permission Management.
  2. Switch to the Sources tab and click the + (plus) button to add an authentication source.
  3. In the Authentication Configuration window, select LDAP as a Source Type and specify the values that you have already investigated for eDirectory:
    • URL: Specify the LDAP URL that will be used to connect to the directory service.
    • User Search Base: Set the pattern which will be used to supply a Distinguished Name (DN) for the user. The pattern name should be related to the root DN. The {0} placeholder will contain the user name.
    • Manager DN: Specify the Distinguished Name (DN) which will be used to log in to the directory service.
    • Password: Define the password used for login to the directory service.
    • Group base and Group filter options are only available if the user interface (UI) mode is set to Expert. These fields are NOT visible if the UI mode is set to Basic or Advanced. For details on UI modes, see Selecting UI mode.

    You can also switch the source to a secure connection by changing the URL to ldaps://<ldap server name>:636/. For details on how to secure LDAP for authentication, see LDAP with eDirectory example.

    Click OK.

    Create an authentication source for each LDAP container where your (SEP sesam) users exist. In our example, there are four different LDAP containers (eDirectory contexts) with users.

  4. Switch to the External Groups tab and click Create for each external group you want to map to SEP sesam groups: select ADMIN, OPERATOR or RESTORE.
    Click OK to map your external LDAP group to SEP sesam internal groups. Then repeat the procedure for each external group you want to map. You can configure any number of groups. Access to SEP sesam is denied if the LDAP user is not a member of any configured authorization group.

Univention UCS OpenLDAP configuration

Step 1: Identify the LDAP parameters and values

Use an LDAP browser and identify all required values. Univention UCS uses a non-standard port for LDAP.

In the following example, the attribute of the groups for members is uniqueMember.

LDAP summary for UCS OpenLDAP example:

LDAP server:			                           majestix.sep.de
LDAP port:	                                           7636
LDAP user with read rights of member attribute:            uid=ldapreader,cn=users,dc=sep,dc=de
LDAP group container/base:		                   cn=groups,dc=sep,dc=de
LDAP group which will be used:			           grp-technik
LDAP user container(s)/base(s):			           ou=2_1_2_consulting,ou=2_1_it,ou=2_user,ou=hk,dc=sep,dc=de							
LDAP unique identifier:				           uid
LDAP attribute for group members:                          uniqueMember 

Step 2: Configure the LDAP authentication in the GUI

The configuration procedure is the same as for OpenLDAP or eDirectory, described above.

For example, in the source configuration the LDAP connection is secured by LDAPS, as shown in the following screenshot:

[Screenshot: UCS new source filled en.png]

Configuring Active Directory (AD) authentication

Note
SEP sesam Active Directory authentication method is not compatible with Azure AD.

The integration of Active Directory with SEP sesam enables you to use user information from the Active Directory server for authentication on SEP sesam. Once the prerequisites are met, the actual configuration is simple: in the first step, you identify your Active Directory containers for user searches and the AD group names that will be used. Then you configure the AD authentication in the SEP sesam GUI by using these values.

The queries for users walk through the AD tree, starting from the defined level down to the bottom. That means that you can define the base DN on the highest level and the query will search for the user through the whole AD tree. This can be a time-consuming process that relies on the first-match policy; once a match is found, any other possible match is skipped.

SEP sesam then authenticates the users against both its own database and the external AD directory.

Step 1: Identify Active Directory parameters and values

  1. Create a new AD group on the domain controller or use an existing AD group. In our example, we will use the AD groups named SEPADMIN and SEPOPERATOR.
  2. Identify the container(s) where your users reside. In our example, all users exist in the OU=Users,OU=MyCompany,DC=ad16,DC=local and the OU=Admin-Users,OU=MyCompany,DC=ad16,DC=local. We want to set the search base DN so that only the users in these OUs get access to SEP sesam.
  3. Identify the domain extension of the User logon name used by a user to log in. This is especially important in multi-domain environments.

Example: LDAP summary for Active Directory:

LDAP server:					   ad16-1-dc.sep.de
AD User Domain extension:                          ad16.local
LDAP group container/base:                         cn=groups,dc=sep,dc=de
LDAP group which will be used:                     grp-technik 
LDAP user container(s)/base(s):                    ou=2_1_2_consulting,ou=2_1_it,ou=2_user,ou=hk,dc=sep,dc=de

Step 2: Configure the AD authentication in the GUI

  1. Make sure that the database authentication is enabled, as described in Configuring Database-Based Authentication. Then from the SEP sesam GUI menu bar, select Configuration -> Permission Management.
  2. Switch to the Sources tab and click the + (plus) button to add a new authentication source. In the Authentication Configuration window, select AD as a Source Type and specify the required values that you have configured before, i.e., URL, Domain and User Search Base DN values.
    Then repeat the procedure for each AD source you want to add. In our example, two AD sources have been added to SEP sesam.
  3. Switch to the External Groups tab and click Create new for each external AD group you want to map to SEP sesam groups: select ADMIN, OPERATOR or RESTORE.
  4. Click OK to map your external AD group to SEP sesam internal groups. You can configure any number of groups. Access to SEP sesam is denied if a user is not a member of any configured group.

Managing authentication

The following tips can help you configure and manage your LDAP/AD authentication in combination with SEP sesam:

  • It is possible to mix different authentication sources.
  • The first source is always a SEP sesam internal database.
  • The order of all following authentication sources is determined by the order in the SEP sesam GUI (Permission Management -> tab Sources).
  • You can change the order of authentication sources by selecting the source entry and moving the rows up and down with the arrows at the bottom of the panel.
  • You can enable or disable any individual source by checking the check box in the column Enabled.
  • Every user that has logged in is displayed in the SEP sesam GUI: Permission Management -> tab Users.
  • AD and LDAP users are greyed out as it is not possible to manipulate them; the displayed values are only of an informative nature.
  • AD/LDAP users cannot log in without a working LDAP/AD connection as these users are not valid user objects in the SEP sesam database.

Securing LDAP connection by LDAPS

SEP sesam uses a Java framework for authentication. As SEP sesam is only a user of the Java virtual machine, you have to make sure to secure the traffic and use a secure connection. This procedure is not part of SEP sesam configuration. Therefore, the steps provided in this section serve for reference only and are subject to change. Make sure to read your vendor documentation for the most up-to-date steps and more details.

  1. Ask your PKI/Root CA administrator for the public certificate of the Root CA used for signing the certificate of your LDAP server.
  2. Import the public certificate to the Java keystore of the Java VM used by the SEP sesam Server by using a Java keytool.
  3. Change the LDAP source protocol in the SEP sesam GUI (Permission Management -> tab Sources) from ldap to ldaps and add the relevant LDAP port.
  4. Restart the RMI service on the SEP sesam Server by using the following command:
     sm_main restart rmi

For detailed information on how to export the Root CA certificate, check the documentation of your Root CA, e.g., Microsoft Certificate Services, Micro Focus eDirectory CA, OpenLDAP, etc.

For importing a certificate to the Java keystore, use the Java keytool (part of every Java installation). Another way to manage this kind of certificate is by using a third party utility for Windows, such as KeyStore Explorer.

Example for securing LDAP with eDirectory

With SEP sesam it is possible to secure LDAP for authentication; however, SEP sesam has to trust the LDAP server certificate. You have to import the public certificate of the certification authority (CA) that signs your LDAP server certificate into the Java keystore. Note that eDirectory works with self-signed certificates (eDirectory tree CA).

The following example shows the SEP sesam Linux Server (SLES). To use a secure LDAP connection, the eDirectory Root CA certificate needs to be exported. Then you have to import it into the Java keystore of the SEP sesam Server.

Step 1: Exporting a public certificate from the Root CA

Note that the iManager must have the latest plugin for the Micro Focus certificate server and access to work properly.

  1. Launch and log in to iManager.
  2. Select eDirectory Administration -> Modify Object.
  3. Then select Modify object.
  4. Use the magnifying glass to browse to the container where the <Tree Name> CA object resides and select it. Click OK.
  5. Switch to the Certificates tab.
  6. Select the Self Signed Certificate check box and click Validate.
  7. Select the Self Signed Certificate check box again and click Export.
  8. Deselect the Export private key check box and click Next.
  9. Select Save the exported certificate. Note that you can select either File in binary DER format or File in Base64 format.
  10. Save the file and give your certificate a meaningful name that clearly identifies it, for example, SelfSignCert.der.
  11. Click Close and then OK to export your public certificate.

After the certificate is exported, copy it to the SEP sesam Server.

Step 2: Importing a public certificate to Java KeyStore

If you want to import your certificate to the Java KeyStore, you first have to identify (as root user) the keystore for your Java version by using the following command:

find / -iname 'cacerts'
/usr/java/jre1.8.0_144/lib/security/cacerts
/usr/java/jre1.7.0_40/lib/security/cacerts 

As shown in the example above, SEP sesam uses Java 1.8, therefore the relevant keystore for this version is /usr/java/jre1.8.0_144/lib/security/cacerts.

The following example shows how to import a public certificate on a Linux server. After the certificate has been exported, it has to be available on the Linux server. Copy the certificate to your SEP sesam Server.

Procedure:

  1. Open a terminal prompt and switch to the root user (hint command: su).
  2. In the terminal prompt, enter keytool and press Enter.
     Tip: This should just display a list of commands and options; it only checks whether the keytool application is in the path. If it is not, add the Java bin directory to the PATH variable to launch the keytool application.
  3. Import the public certificate (for example, SelfSignedCert.b64) into the Java CA KeyStore by using the following command:
     keytool -import -alias <ldap server dns name> -keystore <path to Java CA keystore> -file <certificate file>

     Example:

     keytool -import -alias ldap.allnet.com -keystore /etc/alternatives/java_sdk/jre/lib/security/cacerts -file /home/admin/SelfSignedCert.b64

     Note: You can find the Java CA KeyStore file, which is usually named cacerts, in the <java sdk/jdk>/jre/lib/security directory. It is possible that during a Java update the cacerts file is backed up and replaced with a new version which does not yet include the manually imported certificate. In this case, the LDAP authentication on the SEP sesam Server will stop working.
  4. When prompted for a password, enter changeit.
  5. Accept the certificate import by answering yes and close the terminal prompt.

The certificate has been imported into the keystore and the SEP sesam Server can use SSL for its LDAP authentication.
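
Importing a CA certificate makes every LDAP server certificate it signs trusted, so the exported file should be compared with a fingerprint obtained from the CA administrator before answering yes at the keytool trust prompt. The following check is an added example, not part of the SEP sesam documentation; it accepts both export formats mentioned above (binary DER and Base64), the function names are hypothetical, and the sample bytes are constructed and are not a real certificate.

```python
"""Compare an exported CA certificate with a known fingerprint (added example)."""
import base64
import binascii
import hashlib
import hmac
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for certificate bytes (an ASN.1 SEQUENCE with one INTEGER).
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def load_der(data):
    """Return the DER bytes of exactly one certificate from a DER or Base64 file."""
    blocks = PEM_BLOCK.findall(data)
    if len(blocks) > 1:
        # A bundle would hide which certificate is actually being trusted.
        raise ValueError("file holds more than one certificate")
    if blocks:
        body = blocks[0]
    elif data[:1] == b"\x30":            # DER starts with an ASN.1 SEQUENCE tag
        return data
    else:
        body = data                      # bare Base64 without PEM armour
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("neither DER nor Base64 certificate data") from exc
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not an ASN.1 SEQUENCE")
    return der


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form that keytool prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(cert_bytes, expected_fp):
    """True if the certificate's SHA-256 fingerprint equals expected_fp.

    Separators and letter case in expected_fp are ignored; anything that is
    not 64 hex digits (for example a SHA-1 fingerprint) is rejected.
    """
    expected = re.sub(r"[^0-9A-Fa-f]", "", expected_fp).upper()
    if len(expected) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    actual = fingerprint(load_der(cert_bytes)).replace(":", "")
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Usage: python check_fp.py <certificate file> <expected SHA-256 fingerprint>
    with open(sys.argv[1], "rb") as handle:
        ok = matches(handle.read(), sys.argv[2])
    print("fingerprint matches" if ok else "MISMATCH: do not import")
    sys.exit(0 if ok else 1)
```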

Command examples
  • Check in the keytool application whether the certificate has been properly imported by using -list command (keytool -list -keystore <keystore filename>).
/usr/java/jre1.8.0_144/bin/keytool -list -keystore /usr/java/jre1.8.0_144/lib/security/cacerts | grep oes15

When prompted for password, enter changeit.

Output example

Keystore-Kennwort eingeben:  
oes15tree, 07.05.2018, trustedCertEntry,
  • You can check access to the keystore.
/usr/java/jre1.8.0_144/bin/keytool -list -keystore /usr/java/jre1.8.0_144/lib/security/cacerts 

Output example

Keystore-Kennwort eingeben:  

 Keystore-Typ: JKS
 Keystore-Provider: SUN

 Keystore enthält 105 Einträge

 verisignclass2g2ca [jdk], 25.08.2016, trustedCertEntry, 
 Zertifikat-Fingerprint (SHA1): 
 B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
 digicertassuredidg3 [jdk], 25.08.2016, trustedCertEntry,
 Zertifikat-Fingerprint (SHA1): 
 F5:17:A2:4F:9A:48:C6:C9:F8:A2:00:26:9F:DC:0F:48:2C:AB:30:89
 ….............
  • You can import the CA public certificate (exported from eDirectory) from /tmp/, the file name is oes15tree_public_cert.der.
/usr/java/jre1.8.0_144/bin/keytool -import -alias oes15tree -keystore /usr/java/jre1.8.0_144/lib/security/cacerts -file /tmp/oes15tree_public_cert.der

Output example

Keystore-Kennwort eingeben:  
 Eigentümer: O=OES15TREE, OU=Organizational CA
 Aussteller: O=OES15TREE, OU=Organizational CA
 Seriennummer: 21c14e16e79e3e28b6e89a3fbda8091477857741cdbf48bc44d12f70a0a0202060dfa50
 Gültig von: Tue Dec 01 11:12:27 CET 2015 bis: Sun Nov 30 11:12:27 CET 2025
 Zertifikat-Fingerprints:
         MD5:  41:48:73:BD:1C:59:C3:C1:5E:00:6D:11:6B:F4:A2:C7
         SHA1: 49:CB:2B:D5:2C:0B:11:2B:31:00:66:08:0E:CC:F4:D4:9F:61:3E:27
         SHA256: 01:61:BA:80:A1:67:6D:C7:15:9C:01:E5:24:F6:5B:BB:20:90:64:6D:95:A8:56:B2:32:37:CA:23:EF:D5:E6:BB
         Signaturalgorithmusname: SHA1withRSA
         Version: 3

 Erweiterungen: 

 #1: ObjectId: 2.16.840.1.113719.1.9.4.1 Criticality=false


 #2: ObjectId: 2.5.29.35 Criticality=false
 AuthorityKeyIdentifier [
 KeyIdentifier [
 0000: D3 91 1B 7E 38 C8 A1 05   62 61 22 03 8E 38 AD 12  ....8...ba"..8..
 0010: 6F 43 00 B6                                        oC..
 ]
 ]

 #3: ObjectId: 2.5.29.19 Criticality=false
   CA:true
   PathLen:2147483647
 ]

 #4: ObjectId: 2.5.29.15 Criticality=false
 KeyUsage [
  Key_CertSign
  Crl_Sign
] 

 #5: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: D3 91 1B 7E 38 C8 A1 05   62 61 22 03 8E 38 AD 12  ....8...ba"..8..
 0010: 6F 43 00 B6                                        oC..
 ]
 ]

 Diesem Zertifikat vertrauen? [Nein]:  Ja
 Zertifikat wurde Keystore hinzugefügt

Checking if LDAP with eDirectory works properly

If you have problems with authentication, check if LDAP with eDirectory works properly.

  1. Open iManager and enable LDAP trace.
  2. On the shell or iMonitor use ndstrace, and enable only LDAP trace.
  3. Log in to SEP sesam GUI as a user from a mapped group with correct eDirectory password. In our example for eDirectory, a configured user is sepadmin from the ou=it,o=sep.
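
When several authentication sources are configured, the trace produced by this procedure contains one bind per source, so a failed bind is not necessarily a failed login. The following parser is an added example, not part of the SEP sesam or eDirectory tooling: it pairs each bind with its LDAP result code and groups the attempts by login name. The function names are hypothetical, the sample lines are trimmed from the ndstrace output format shown on this page, and the parser assumes that a "Bind name" line directly follows its "DoBind" line.

```python
"""Pair LDAP binds with their result codes in ndstrace output (added example)."""
import re

NEW_CONN = re.compile(r"^New TLS connection (0x[0-9a-f]+) from (\S+?),")
DO_BIND = re.compile(r"^DoBind on connection (0x[0-9a-f]+)")
BIND_NAME = re.compile(r"^Bind name:(.*), version:(\d+), authentication:(\w+)")
RESULT = re.compile(
    r'^Sending operation result (\d+):"[^"]*":"([^"]*)" to connection (0x[0-9a-f]+)')

# Sample lines trimmed from the output format shown in this section.
SAMPLE_TRACE = '''
New TLS connection 0x13ae5880 from 192.168.x.x:58610, monitor = 0xcc357700, index = 488
DoBind on connection 0x13ae5880
Bind name:cn=sepadmin,ou=users,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x13ae5880, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x13ae5880
Connection 0x13ae5880 closed
New TLS connection 0x13ae5880 from 192.168.x.x:58612, monitor = 0xcc357700, index = 488
DoBind on connection 0x13ae5880
Bind name:cn=sepadmin,ou=it,o=sep, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x13ae5880
DoSearch on connection 0x13ae5880
Sending operation result 0:"":"" to connection 0x13ae5880
DoUnbind on connection 0x13ae5880
Connection 0x13ae5880 closed
'''


def parse_binds(lines):
    """Return one dict per bind: client, dn, auth, LDAP result code, message."""
    clients, pending, attempts = {}, {}, []
    last_bind_conn = None
    for raw in lines:
        line = raw.strip()
        if m := NEW_CONN.match(line):
            conn, client = m.groups()
            clients[conn] = client
            pending.pop(conn, None)      # connection ids are reused: drop stale state
        elif m := DO_BIND.match(line):
            last_bind_conn = m.group(1)
        elif (m := BIND_NAME.match(line)) and last_bind_conn:
            dn, _version, auth = m.groups()
            pending[last_bind_conn] = (dn, auth)
            last_bind_conn = None
        elif m := RESULT.match(line):
            code, message, conn = m.groups()
            if conn in pending:          # first result after a bind is the bind result
                dn, auth = pending.pop(conn)
                attempts.append({"client": clients.get(conn), "dn": dn,
                                 "auth": auth, "code": int(code),
                                 "message": message})
    return attempts


def triage(attempts):
    """Group bind attempts by login name (value of the first RDN)."""
    report = {}
    for a in attempts:
        name = a["dn"].split(",", 1)[0].partition("=")[2].lower()
        entry = report.setdefault(name, {"ok": [], "failed": []})
        entry["ok" if a["code"] == 0 else "failed"].append(a["dn"])
    for entry in report.values():
        if not entry["ok"]:
            entry["status"] = "denied"
        elif set(entry["failed"]) - set(entry["ok"]):
            # Result 49 (invalidCredentials) in one container, success in another.
            entry["status"] = "ok after miss in another source"
        else:
            entry["status"] = "ok"
    return report


if __name__ == "__main__":
    for name, entry in triage(parse_binds(SAMPLE_TRACE.splitlines())).items():
        print(name, entry["status"], "ok:", entry["ok"], "failed:", entry["failed"])
```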

Output example for ndstrace (successful)

New TLS connection 0x13ae5880 from 192.168.x.x:58610, monitor = 0xcc357700, index = 488
Monitor 0xcc357700 initiating TLS handshake on connection 0x13ae5880
DoTLSHandshake on connection 0x13ae5880
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x13ae5880
DoBind on connection 0x13ae5880
Bind name:cn=sepadmin,ou=users,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x13ae5880, err = no such entry (-601)
Failed to authenticate full context on connection 0x13ae5880, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x13ae5880
Monitor 0xcc357700 found connection 0x13ae5880 ending TLS session
DoTLSShutdown on connection 0x13ae5880
Monitor 0xcc357700 found connection 0x13ae5880 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xcc357700 initiating close for connection 0x13ae5880
Server closing connection 0x13ae5880, socket error = -5871
Connection 0x13ae5880 closed
New TLS connection 0x13ae5880 from 192.168.x.x:58612, monitor = 0xcc357700, index = 488
Monitor 0xcc357700 initiating TLS handshake on connection 0x13ae5880
DoTLSHandshake on connection 0x13ae5880
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x13ae5880
DoBind on connection 0x13ae5880
Bind name:cn=sepadmin,ou=it,o=sep, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x13ae5880
DoSearch on connection 0x13ae5880
Search request:
        base: "cn=sepadmin,ou=it,o=sep"
        scope:0  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(objectClass=*)"
        no attributes
nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
Empty attribute list implies all user attributes
Sending search result entry "cn=sepadmin,ou=it,o=sep" to connection 0x13ae5880
Sending operation result 0:"":"" to connection 0x13ae5880
DoUnbind on connection 0x13ae5880
Connection 0x13ae5880 closed
New TLS connection 0x13ae5880 from 192.168.x.x:58613, monitor = 0xcc357700, index = 488
Monitor 0xcc357700 initiating TLS handshake on connection 0x13ae5880
DoTLSHandshake on connection 0x13ae5880
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x13ae5880
DoBind on connection 0x13ae5880
Bind name:cn=ldapuser,o=sep, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x13ae5880
DoSearch on connection 0x13ae5880
Search request:
        base: "ou=groups,o=sep"
        scope:2  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(member=cn=sepadmin,ou=it,o=sep)"
        attribute: "cn"
        attribute: "objectClass"
        attribute: "javaSerializedData"
        attribute: "javaClassName"
        attribute: "javaFactory"
        attribute: "javaCodeBase"
        attribute: "javaReferenceAddress"
        attribute: "javaClassNames"
        attribute: "javaRemoteLocation"
 nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
 Sending search result entry "cn=seprestoregroup,ou=groups,o=sep" to connection 0x13ae5880
 Sending search result entry "cn=sepoperatorgroup,ou=groups,o=sep" to connection 0x13ae5880
 Sending search result entry "cn=sepadmingroup,ou=groups,o=sep" to connection 0x13ae5880
 Sending operation result 0:"":"" to connection 0x13ae5880
 DoUnbind on connection 0x13ae5880
 Connection 0x13ae5880 closed

Output example for ndstrace (unsuccessful, wrong password)

New TLS connection 0x167e9180 from 192.168.1.11:59405, monitor = 0xcc357700, index = 485
Monitor 0xcc357700 initiating TLS handshake on connection 0x167e9180
DoTLSHandshake on connection 0x167e9180
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x167e9180
DoBind on connection 0x167e9180
Bind name:cn=sepadmin,ou=users,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x167e9180, err = no such entry (-601)
Failed to authenticate full context on connection 0x167e9180, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 ending TLS session
DoTLSShutdown on connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xcc357700 initiating close for connection 0x167e9180
Server closing connection 0x167e9180, socket error = -5871
Connection 0x167e9180 closed
New TLS connection 0x167e9180 from 192.168.1.11:59408, monitor = 0xcc357700, index = 485
Monitor 0xcc357700 initiating TLS handshake on connection 0x167e9180
DoTLSHandshake on connection 0x167e9180
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x167e9180
DoBind on connection 0x167e9180
Bind name:cn=sepadmin,ou=it,o=sep, version:3, authentication:simple
Failed to authenticate local on connection 0x167e9180, err = failed authentication (-669)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 ending TLS session
DoTLSShutdown on connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xcc357700 initiating close for connection 0x167e9180
Server closing connection 0x167e9180, socket error = -5871
Connection 0x167e9180 closed
New TLS connection 0x167e9180 from 192.168.1.11:59409, monitor = 0xcc357700, index = 485
Monitor 0xcc357700 initiating TLS handshake on connection 0x167e9180
DoTLSHandshake on connection 0x167e9180
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x167e9180
DoBind on connection 0x167e9180
Bind name:cn=sepadmin,ou=gurus,ou=it,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x167e9180, err = no such entry (-601)
Failed to authenticate full context on connection 0x167e9180, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 ending TLS session
DoTLSShutdown on connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xcc357700 initiating close for connection 0x167e9180
Server closing connection 0x167e9180, socket error = -5871
Connection 0x167e9180 closed
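The two traces above can be told apart mechanically. The following Python parser is an added example, not part of the SEP sesam or eDirectory tooling: it pairs each bind with the NDS errors logged for it and collapses the per-context attempts into one verdict per user. The function and class names are hypothetical, the sample lines are trimmed from the traces on this page, and it assumes the "Bind name" line belongs to the most recent DoBind.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

NEW_CONN = re.compile(r"New (?:\w+ )?connection (0x[0-9a-f]+) from ([^:\s]+):\d+")
DO_BIND = re.compile(r"DoBind on connection (0x[0-9a-f]+)")
BIND_NAME = re.compile(r"Bind name:(.*), version:\d+, authentication:\w+")
FAILED = re.compile(r"Failed to .+? on connection (0x[0-9a-f]+), err = .*\((-\d+)\)")
RESULT = re.compile(r'Sending operation result (\d+):"[^"]*":"[^"]*" to connection (0x[0-9a-f]+)')

# Sample input: lines trimmed from the ndstrace examples on this page.
SAMPLE_TRACE = '''\
New TLS connection 0x167e9180 from 192.168.1.11:59405, monitor = 0xcc357700, index = 485
DoBind on connection 0x167e9180
Bind name:cn=sepadmin,ou=users,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x167e9180, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
Connection 0x167e9180 closed
New TLS connection 0x167e9180 from 192.168.1.11:59408, monitor = 0xcc357700, index = 485
DoBind on connection 0x167e9180
Bind name:cn=sepadmin,ou=it,o=sep, version:3, authentication:simple
Failed to authenticate local on connection 0x167e9180, err = failed authentication (-669)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
Connection 0x167e9180 closed
New TLS connection 0x13ae5880 from 192.168.x.x:58613, monitor = 0xcc357700, index = 488
DoBind on connection 0x13ae5880
Bind name:cn=ldapuser,o=sep, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x13ae5880
DoSearch on connection 0x13ae5880
Sending operation result 0:"":"" to connection 0x13ae5880
'''


@dataclass
class Bind:
    peer: str
    dn: str = ""
    nds_errors: list = field(default_factory=list)
    ldap_result: int = -1            # set when the server sends the bind result

    @property
    def outcome(self):
        if self.ldap_result == 0:
            return "ok"
        if -601 in self.nds_errors:  # DN does not exist in the context that was tried
            return "unknown_dn"
        if -669 in self.nds_errors:  # DN exists, credentials were rejected
            return "bad_password"
        return "other_failure"


def parse_binds(lines):
    """Return one Bind per completed bind operation, in trace order."""
    peers, pending, done = {}, {}, []
    last_conn = None                 # "Bind name" lines carry no connection id
    for raw in lines:
        line = raw.strip()
        if m := NEW_CONN.match(line):
            peers[m[1]] = m[2]       # connection ids are reused, so overwrite
        elif m := DO_BIND.match(line):
            last_conn = m[1]
            pending[last_conn] = Bind(peer=peers.get(last_conn, "?"))
        elif (m := BIND_NAME.match(line)) and last_conn in pending:
            pending[last_conn].dn = m[1]
        elif (m := FAILED.match(line)) and m[1] in pending:
            pending[m[1]].nds_errors.append(int(m[2]))
        elif (m := RESULT.match(line)) and m[2] in pending:
            bind = pending.pop(m[2])  # first result after DoBind is the bind result
            bind.ldap_result = int(m[1])
            done.append(bind)
    return done


def diagnose(binds):
    """One verdict per (client address, first RDN) across all contexts that were tried."""
    seen = defaultdict(set)
    for b in binds:
        seen[(b.peer, b.dn.split(",")[0].lower())].add(b.outcome)
    verdicts = {}
    for key, outcomes in seen.items():
        if "ok" in outcomes:
            verdicts[key] = "authenticated"
        elif "bad_password" in outcomes:
            verdicts[key] = "wrong_password"
        elif outcomes == {"unknown_dn"}:
            verdicts[key] = "user_not_found"
        else:
            verdicts[key] = "other_failure"
    return verdicts


if __name__ == "__main__":
    for key, verdict in diagnose(parse_binds(SAMPLE_TRACE.splitlines())).items():
        print(key, verdict)
```

In both failing cases the client only receives LDAP result 49; the difference between -601 (no such entry in that context) and -669 from the local authentication step is visible only in the server-side trace.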


Configuring Database-Based Authentication

Overview

SEP sesam provides different authentication methods that are mutually exclusive: policy-based authentication and database-based authentication which can be combined with Lightweight Directory Access Protocol (LDAP) or/and Active Directory. Only one (policy-based or database-based authentication) can be active at any time. By default, policy-based authentication is active.

Activating database-based authentication has to be done via GUI to set the administrator password. Once SEP sesam GUI Server and Client are restarted, the administrator is able to configure default user access rights that are based on predefined user type. These are:

  • Admin: The only user role with full control over the SEP sesam.
  • Operator: Can monitor the whole environment.
  • Restore: Only allowed to start restores.

You can further configure authorization based on user roles, introduced in Grolar.

Note that the displayed GUI components depend on the user type. For details on GUI elements, see SEP sesam GUI.

Prerequisite

  • Make sure that the reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see How to check DNS configuration.

Activating database-based authentication in GUI

  1. In the GUI, from the menu bar select Configuration ‐> Permission Management.
  2. Click Activate Authentication. Set up the password for the Administrator user; note that this is the only way to set the administrator's password.
  3. After activating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.
  4. In v. ≤ 4.4.3 Grolar, you have to enable LDAP or/and Active Directory to authenticate users against an external LDAP directory. From v. 4.4.3 Beefalo, LDAP/AD authentication is enabled by default. For details on how to configure LDAP/AD authentication, see Configuring LDAP/AD Authentication.
  5. Log in as an administrator to configure the users and add them to the relevant group. By default, the following user types are available: Admin, Operator, Restore.
  6. You can create your own subgroups (e.g., SUB_ADMIN) to grant users more specific roles. Under the Groups tab, click Create New to configure a new subgroup. The Sub Group window opens.
  7. Specify a group name and from the drop-down list select the relevant role to be applied to the whole group: Administrator, Operator or Restore (in v. ≥ 4.4.3 Beefalo).
    Note
    If you want to combine LDAP/AD, you have to use the external groups. Add the group from LDAP/AD and select the Based on group option to map it to this particular SEP sesam group; see Configuring the LDAP authentication in the GUI.
  8. Under the Users tab, click Create New to configure a new user. The Create User window opens.
  9. Specify a name (e.g., mustermann) and password, and assign the user to the relevant group, for example, RESTORE.
  10. A user can be a member of one or more groups. Under the Groups tab, double-click the relevant group and select or deselect the users to assign them to the respective group or remove them from it.
  11. Now you can configure ACLs (access control lists) to specify which users or groups are granted access to a location (group of clients) or a specific client. For details, see Using Access Control Lists.
Note
When activating database-based authentication via GUI, parameter authEnabled is changed to true in the sm.ini file. Setting the flag to false enables policy-based authentication and deactivates database-based authentication.

Resetting user password

To reset the password of another user, you must have Admin privileges. Resetting a password is a two-step process: the administrator first resets the password on the command line by using the sm_cmd command, and then uses the newly generated password to change the password under Permission Management in the GUI.

Resetting password in the command line

To reset a user password, log in to SEP sesam Server console and enter the following command:

sm_cmd reset user <ID or name>

The output of the above command is shown in the example.

Example:
In this example, the user name is mustermann.

sm_cmd reset user mustermann
C:\Program Files\SEPsesam\bin\sesam>sm_cmd reset user mustermann
bouryper39

Changing password in the GUI

After resetting a user password by using sm_cmd reset user command, you can change the password for the respective user in the Permission Management in GUI by using the automatically generated password from the command output. Note that only an Admin user has enough privileges to use the Permission Management and configure users.

  1. From the menu bar select Configuration ‐> Permission Management. The Permission Management window opens.
  2. Select the user for which you want to reset the password and click Change. In our example, the user is named mustermann.
  3. In the Change User window, click Change Password.
  4. The Change Password window opens. Enter the password which you have obtained by resetting a password in the command line (in our example bouryper39), specify a new password and click OK.

Deactivating database-based authentication

  1. In the GUI, from the menu bar select Configuration ‐> Permission Management -> tab Activation.
  2. Click Deactivate Authentication.
  3. After deactivating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.
  4. Now policy-based authentication is enabled and the flag authEnabled is set to false in the sm.ini file.


Part VII: SEP sesam Backup

About Backup

Overview

SEP sesam backup is a process by which file system and application data specified by a backup task is copied and stored to savesets on backup media.

SEP sesam supports heterogeneous computing environments (Windows, UNIX, VMS or NetWare) and provides preset task types, such as ordinary file system backup (type Path), Exchange, MySQL, SAP HANA, etc., as well as task types for virtual environments enabling image-level backups and single-file restore.

Backed up data on savesets is preserved according to their retention time. Data can be migrated, deduplicated and replicated in order to provide fast and reliable restore. Note that standard backup does not prepare for disaster recovery. Such recovery requires special preparation and configuration with SEP sesam disaster recovery solutions: Bare Metal Recovery Linux, Bare Metal Recovery MS Windows and SEP sesam self-recovery.

Backup levels

SEP sesam provides four different backup levels: full, differential, incremental and copy. The backup level is specified when creating a backup event in the Main Selection -> Scheduling -> Schedules -> New Backup Event.

The following backup levels are available:

A FULL backup always copies all data specified by the backup task, regardless of whether it has been changed or not. A saveset created as FULL is the basic saveset for subsequent DIFF or INCR savesets. While the backup time of a full backup can be significant, restore is fast and simple since only one backup saveset is required. Information about the backup status is stored in the SEP sesam database. Note that the archive bits are not deleted on Windows systems. If you want to force a reset of the archive bits, you can enter the command -o clear_archive in the backup options.

A DIFF (differential) backup saves only data which was created or changed after the last FULL saveset had been created (of the same task). A differential backup is faster than a full backup, however, to restore the whole data source, first the saveset of the full backup has to be restored followed by restore of the DIFF saveset. For this, SEP sesam provides generation restore that enables browsing for and selecting for restore all generations of backed up files since the last full backup.

An INCR (incremental) backup saves only data which was created or changed after the last backup (FULL, DIFF or INCR) of the same task. This is the fastest backup method and requires the least storage space. Restoring from incremental backups is the slowest, because it requires all related savesets to be copied back – the saveset of the last full backup as well as all INCR backups. You should consider the advantages of time and resources when planning your backup strategy. A combination of FULL backups stored to tape drives, and DIFF or INCR backups stored to virtual disk media is a common method.

A COPY backup is a full backup that has no influence on following differential (DIFF) or incremental (INCR) backups. For the treatment of archive bits, see FULL backup above. COPY backup is usually used for additional full backups, e.g., monthly backups, or backups for archiving, i.e. removal from storage.

Note
In case no initial FULL backup exists, differential (DIFF) or incremental (INCR) backups are automatically performed as FULL backups.

Backup procedure

The standard backup procedure applies to file systems and application data and may differ from the backup procedures for SEP sesam extensions, which might involve additional tasks or include other options. As special methods are used to back up such data, make sure to use the backup procedure specific to the data you want to back up. For details on supported extensions, their features and backup procedures, see SEP sesam Extensions and the SEP sesam OS and Database Support Matrix.

The standard backup procedure involves the following steps:

  1. Creating a backup task by selecting the data to be backed up
  2. Creating a backup schedule by specifying when you want to back up your data
  3. Creating a backup event by selecting where to back up your data to and how

For details, see Standard Backup Procedure.

Automated backup

SEP sesam introduces a powerful scheduling service called SEPuler that constantly checks for backup, restore and other predefined tasks scheduled for execution. When such tasks are found, SEPuler initiates the execution of the event. To prevent possible task conflicts and efficiently manage tasks in the execution queue, SEP sesam uses event priorities.

Once the SEP sesam environment has been configured and backup tasks for clients have been created, backups can be scheduled to run automatically. The schedules are comprehensive and flexible and can be created for any kind of event. For example, a daily schedule can be created for a number of events or several schedules (e.g., weekly full, daily incremental) can be configured for the same data protection. Available schedules are daily, weekly, monthly, yearly and custom. A schedule must have at least one event assigned to it.

To create a schedule, see Creating a Schedule. See also Creating Custom Calendar.

Parallel Backups

SEP sesam supports parallel, i.e., simultaneous, backup of multiple data sources onto one drive. This is called Sesam Multiplex Stream (SMS). It offers up to 124 channels for a single drive. Each of the 124 channels can serve one backup source.

Data of the different streams is split into packets; each packet is given an identification mark and copied to the backup media. The data of a given stream is therefore not stored contiguously on the media, but is interleaved with packets of other streams. The identification mark of the packets enables SMS to reassemble the original stream when reading.

Furthermore, SMS is able to split savesets across several media that still have some free space left (specified by media properties parameter EOM – End of Media).

The maximum number of parallel streams that can be used during backup to the backup drive is specified under the Drive properties by parameter Max. channels. For details, see Drives. Note that the number of available data streams depends on the type of Server license, e.g., ONE provides 1 backup stream, Standard provides 5 backup streams etc. For details on licenses, see Licensing.

Encryption

SEP sesam provides data encryption types on different levels: backup-task encryption for savesets (explained below, set in the backup task), Si3 encryption for Si3 deduplication store (set in the Si3 deduplication store properties), and hardware-based LTO encryption for LTO tape drives (done on a media pool level). For details on the latter two, see LTO Encryption and Encrypting Si3 Deduplication Store.

SEP sesam encryption for savesets can be enabled in the backup task properties under the tab Encryption and compression for each backup task. For details, see Setting Encryption.

Backup with VSS on Windows

Microsoft Volume Shadow Copy Service (VSS) is a Windows service for backing up running applications. VSS coordinates with other VSS-aware applications and services, and creates a shadow copy or snapshot of data for backup purposes. VSS uses a copy-on-write snapshot, allocating a small temporary storage space for it. Once the snapshot is completed, the temporary storage space is freed up again.

Backup with VSS is enabled by default for file system task type Path. All other task types, for example System state, use the required VSS writer by default. For details on SEP sesam VSS, how to activate/deactivate VSS and exclude a VSS writer from backup manually, see SEP sesam Volume Shadow Copy Service (VSS) for Windows.

NDMP backup

Starting with version 4.4.3, SEP sesam enables you to protect and manage your storage file servers by providing support for Network Data Management Protocol. NDMP is a common protocol for backing up and restoring data on storage devices that do not support installation of a backup agent. It ensures interoperability between NAS file servers and SEP sesam, and is used as an interface that enables SEP sesam to back up various NAS appliances and copy this data to a SEP sesam Server or Remote Device Server. SEP sesam supports version 4 of the NDMP protocol.

For details, see NDMP Backup. For a list of supported NAS appliances, see the support matrix. For details on backing up the NetApp NFS volumes via NFS, see NetApp Volume Backup.

HSM-aware backup for Windows

Hierarchical Storage Management (HSM) is a method for reducing the costs of data storage and facilitating data management tasks. Starting with SEP sesam version 4.4.2, HSM-aware backup for Windows comes as an integral part of the SEP sesam package. It provides efficient backup of data on Windows systems that is managed by HSM. SEP sesam as an HSM-aware solution recognises the reparse tags in stub files and does not trigger a recall of the original files, but performs a backup of the placeholder files without retrieving their contents. For more details, see HSM-aware Backup for Windows.

Support for NTFS alternate data streams (ADS) for Windows

From SEP sesam version 4.4.3, ADS are backed up by default when backing up an NTFS file system, and they are automatically restored to any ADS-aware system. They can be excluded from backup by using a special option in the backup task properties.

Alternate data streams are a unique data-hiding feature of NTFS file systems. A file in NTFS consists of the unnamed data stream where the data is actually contained, and of alternate data streams that can store additional metadata. Applications may use ADS for storing file attributes. For details, see Support for NTFS alternate data streams (ADS) for Windows.

Configuring SESAM_BACKUP

To prepare for a possible breakdown of the SEP sesam Server, a self-backup of the SEP sesam installation must be performed. This means that you have to configure at least one backup task with the name SESAM_BACKUP. This will back up SEP sesam's var directory, including all listings, log files, database, and INI-files. This backup should be run daily, in either COPY or FULL mode. For details, see Preparation for Disaster Recovery below.

Additionally, a disaster interface must be properly configured to help carry out the disaster recovery process: sm_disaster (Linux) or sm_disaster.cmd/sm_disaster.ps1 (Windows). The disaster interface sends an email describing the recovery procedure in the event of disaster and an attachment containing the SEP sesam bootstrap database with all essential data for the disaster recovery. For details on how to activate this interface, see Preparation for Disaster Recovery below.

The self-backup procedure consists of the following:

  • When the SEP sesam self-backup starts (SESAM_BACKUP), the entire SEP sesam database is exported to the path <SESAM_ROOT>/var/<db>[_pg]/backup. Export files have names such as sesam_db_20121223-20121224060003.sql.gz and are backed up to a pre-defined media pool. It is recommended that you configure a SEP sesam DR-dedicated media pool for storing all your SEP disaster recovery savesets.
  • Every time SESAM_BACKUP is executed, a bootstrap file of the SEP sesam database (for example, sesam_bootstrap_db_[datetime].sql.gz) is exported to the <SESAM_ROOT>/var/db[_pg]/backup directory. This file contains the SEP sesam configuration and data history of SEP sesam self-backups for the last 30 days.
  • sm_disaster copies the contents of input arguments (DISASTER or SESAM_BACKUP) from the SEP sesam Server to predefined locations on another computer (emails, copies of files, etc.). Information about SEP sesam's last disaster backup is also stored.
  • Finally, an email with a short recovery description and the bootstrap file as an attachment are sent regularly to the email address you have configured. The bootstrap export is used exclusively for SEP sesam system recovery in the event of a disaster, therefore you should save every version of this file to a safe location.

To fully utilize disaster recovery's functionality and ensure that all disaster-related information is generated and sent, the following steps must be carried out:

  1. The backup task SESAM_BACKUP is ordinarily configured after the installation of a SEP sesam Server. Hence it should already be present. If it is not, you have to configure it:
    Open the GUI and from the Main selection -> Tasks -> By Clients -> select your SEP sesam Server -> New Backup Task. The name of the backup task must be SESAM_BACKUP. It typically encompasses the <SESAM_ROOT>/var and <SESAM_ROOT>/bin/sesam directories, and excludes the work and log directories. Click OK to save the task.
  2. Once your disaster recovery task is configured, set up a backup schedule (GUI -> Scheduling -> Schedules). The SEP sesam backup should run at a time when no other activities are running in the SEP sesam environment. It is recommended to run this task every day. For details on scheduling, see Creating a Schedule.
  3. Create an event to be linked to the schedule. Select the backup level COPY. It is recommended that you choose a disaster recovery dedicated media pool for storing all your disaster recovery savesets. For general information on creating a backup event, see Creating a Backup Event.
  4. Activate the sm_disaster interface: In the SEP sesam GUI menu, select Configuration -> Interfaces -> Disaster Interface. A window with the interface script is displayed.
  5. Click Save to confirm the dialog. The sm_disaster file is read and stored in the directory <SESAM_ROOT>/bin/sesam.
    Tip: After installing SEP sesam, the file sm_disaster (Linux) or sm_disaster.cmd/sm_disaster.ps1 (Windows) is located in the <SESAM_ROOT>/skel/templates/ directory. Alternatively, you can activate the disaster interface by copying sm_disaster from <SESAM_ROOT>/skel/templates to <SESAM_ROOT>/bin/sesam.
    Note
    The sm_disaster file has been completely redesigned for SEP sesam version 4.4.2. If your SEP sesam Server version is 4.4.2 or lower, you must replace the sm_disaster file after updating to SEP sesam Server 4.4.2:
    • Windows: The MSI Installer will ask you if the existing interface should be overwritten. Choose <yes> to overwrite the existing interface. Alternatively, copy <SESAM_BIN>/skel/templates/sm_disaster.ps1 to <SESAM_BIN>/bin/sesam/sm_disaster.ps1.
    • Linux: Copy <SESAM_BIN>/skel/templates/sm_disaster to <SESAM_BIN>/bin/sesam/sm_disaster to get the latest version of the disaster interface.
  6. Configure the SEP sesam email for the account sesam so that the interface sends messages after the self-backup: From the GUI menu, select Configuration -> Email Settings -> New. An Email Account window is displayed.
    • In the Account field, type the name sesam (it must be written in lowercase).
    • Optionally, enter the name in the Customer field.
    • Specify the name of the sender (the name of the respective SEP sesam Server).
    • In the SMTP server field, specify the name or the IP-address of the outgoing mail server.
    • In the SMTP user field, specify the user name for the SMTP server. If the SMTP user name is not specified, then the SMTP server presumably does not require authorization.
    • If the mail server requires authentication, enter the password in the Password field.
    • Optionally, specify the SMTP port.
    • In the Recipient field, enter the address of the recipient of the DR notification emails. Typically, this is the backup administrator's address.
    • Optionally, specify additional recipients in the CC and BCC field.

Creating Exclude List


Overview


For each backup, you can back up only selected files or files that match a specific pattern, and you can exclude specific files, file types or directories from the backup.

Some files are only temporary while others are permanently in use. These files should be either excluded from the ordinary backup or be backed up in a special way. For example, you may not want to back up any temporary (.tmp) files, read-only files, or files from specific directories (e.g., download directory). SEP sesam provides a number of ways for setting up exclusion:

Exclude list in GUI

When creating a backup task, you specify the source for your backup as well as define any files or patterns you want to exclude from the backup. Note that when the number of files to be excluded from backup exceeds the allowed length for the exclude list, you should set up exclusion as described in section Create a custom exclude list on client. Such a custom exclude list (e.g., -X C:/sesam/exclude_list.txt) takes precedence over any exclude list specified in GUI.

  1. From Main Selection -> Tasks -> By Clients, select your client and click New Backup Task. The New Backup Task window opens.
  2. Specify the Source. If you want to back up individual files, you can either browse for directories and files that you want to include in the backup or enter their names followed by a comma (C:/Program Files/SEPsesam/var/db,C:\Users\AA\Documents\references). If you want to back up the whole file system, set the source as all. If you want to back up only files that match a specific pattern, use the include list instead. Note that if you select the source by browsing, the task type and task name are set automatically. If you enter the source manually, you have to enter the task name and select relevant task type.
  3. In the Exclude list, specify the files or folders which you do not want to back up in one of the following ways:
    Exclude by using the browse button
    The simplest way to exclude the specific files or folders from the backup is by using the big browse button (next to the fields Source and Exclude list) and selecting your source for exclude in the Client File View window. In our example we have excluded logs and program files from the backup, as shown in the screenshot below.
    Add files, file types or regular expressions in the Exclude list editor
    In the Exclude list editor, specify the exclusions by using regular expressions. On Windows, you can also use the option Pattern exclude, however on Linux it is only possible to exclude by using regular expressions (RegExp exclude).
    Add the exclusion patterns one by one followed by a comma. For example, if you want to back up source /usr but skip *.tmp and old*.c files and all old* directories, add the following pattern to the editor: \.tmp$, /old.*\.c$, /old.*/$
    Click OK.

For more examples on excludes using regular expression patterns, see Examples for Excluding Matched Patterns.

Note
Exclude by using regular expressions is the default setting, but you can change it to use the file pattern (?,*) instead of regexp by modifying the configuration file <SESAM_VAR>/var/ini/sm.ini on the SEP sesam Client. In the config file sm.ini change the entry
EXCLUDE_MATCH= REGEXP to EXCLUDE_MATCH= PATTERN.

Create a custom exclude list on client

You can specify a custom exclude list of items to be skipped during backup by creating a special file on SEP sesam Client. Typically, you would create a separate exclude file when the number of files or directories to be excluded from backup exceeds the allowed length for the exclude list (max. 1024 characters in SEP sesam version ≥ 4.4.3; max. 255 characters in version ≤ 4.4.2). Such a custom exclude list takes precedence over any exclude list specified in GUI (the latter is ignored if both are specified).
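A GUI exclude list can be checked before it is saved, because a mistyped entry silently changes what ends up in the backup. The following Python sketch is an added example, not part of SEP sesam: it lints a comma-separated REGEXP-mode list against the length limits quoted above and dry-runs it over a list of paths. The function names and sample paths are constructed, and Python's re module stands in for SEP sesam's matcher, whose regular expression dialect this page does not specify.

```python
import re

# GUI exclude-list length limits quoted on this page.
MAX_LEN = {"4.4.3": 1024, "4.4.2": 255}

# Heuristic: '*' or '?' directly after a literal character looks like a
# file pattern (EXCLUDE_MATCH= PATTERN syntax) typed into a REGEXP-mode list.
GLOB_LIKE = re.compile(r"(?<!\\)\w[*?]")

# Constructed sample paths; directories are written with a trailing slash,
# as the page's /old.*/$ example implies.
SAMPLE_PATHS = [
    "/usr/lib/cache.tmp",
    "/usr/src/old_parser.c",
    "/usr/src/parser.c",
    "/usr/old_build/",
    "/usr/tmp_report.txt",
]


def split_entries(exclude_text):
    """Patterns are entered one by one, separated by commas."""
    return [e.strip() for e in exclude_text.split(",") if e.strip()]


def lint_exclude_list(exclude_text, limit=MAX_LEN["4.4.3"]):
    """Return (code, entry) findings; an empty list means nothing was flagged."""
    findings = []
    if len(exclude_text) > limit:
        # Too long for the GUI field: move the entries to a -X exclude file.
        findings.append(("too_long", None))
    for entry in split_entries(exclude_text):
        try:
            re.compile(entry)
        except re.error:
            findings.append(("invalid_regex", entry))
            continue
        if GLOB_LIKE.search(entry):
            findings.append(("glob_like", entry))
    return findings


def dry_run(exclude_text, paths):
    """Return the paths an unanchored regex search would exclude (assumed semantics)."""
    bad = [e for code, e in lint_exclude_list(exclude_text, limit=10**9)
           if code == "invalid_regex"]
    if bad:
        raise ValueError(f"entries do not compile as regular expressions: {bad}")
    rules = [re.compile(e) for e in split_entries(exclude_text)]
    return [p for p in paths if any(r.search(p) for r in rules)]


if __name__ == "__main__":
    page_example = r"\.tmp$, /old.*\.c$, /old.*/$"
    print(lint_exclude_list(page_example))
    print(dry_run(page_example, SAMPLE_PATHS))
    print(lint_exclude_list("*.tmp, old*.c"))
```

Under these assumptions the file pattern old*.c compiles as a regular expression but matches /usr/tools/colic and misses /usr/src/old_parser.c, which is why the linter flags it rather than accepting it.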

A custom exclude list must be a text file that is created on the SEP sesam Client on which the backup will be executed. The syntax for exclude entries is platform/OS dependent, see:

Once you have created the exclude file, for example exclude_list.txt, enter it in the backup task properties as follows:

Create or open the backup task, select the Options tab and under the Additional call arguments in the Backup options (previously Save options) field, enter the specified file in the form:

-X C:/sesam/exclude_list.txt 

Exclude list on Linux

Create the exclude file on the client in the directory /etc/sesam, for example /etc/sesam/exclude_list.txt. The following rules apply:

  • Each file or directory that you want to exclude from backup must be specified in a separate line (one entry per line).
  • Wildcards are not supported.
  • The exclude entries have to use regular expression syntax.

This is an example of the exclude_list.txt on Linux:

 \./tmp$
 \./home/John Doe/videos.zip$
 \./home/John Doe/Business Documents/YearEnd Closing for business year 2006$

Note
In SEP sesam versions < 4.4.3.45, the exclude list defined on Linux/UNIX in a Lotus Notes backup task does not work if specified with \.. For versions < 4.4.3.45, specify the exclude list for Notes without the preceding backslash and dot, e.g., use /srv/notesdata/help$ instead of \./srv/notesdata/help$.

Exclude list on Windows

Create the exclude file on the client in the directory C:\Program Files\SEPsesam\var\ini, for example exclude_list.txt. The following rules apply:

  • Use only / (slash) in the exclude file and NOT \ (backslash).
  • Each file or directory that you want to exclude from backup must be specified in a separate line (one entry per line). This also applies to paths that include spaces.


This is an example of the exclude_list.txt on Windows:

D:/DOWNLOAD
D:/PREKITS
D:/Dev
D:/kit_2_3_1_7
D:/kit_2_3_1_5
D:/knoppix
D:/ACHIM
D:/gui

Exclude list for Micro Focus OES (formerly Novell OES)

Create the exclude file on the client in the directory /etc/sesam, for example /etc/sesam/exclude_list.txt. The following rules apply:

  • Each file or directory that you want to exclude from backup must be specified in a separate line (one entry per line).
  • Use only the pattern format for exclude.
  • Wildcards are allowed in the file or directory entries.
  • An exclude folder must end with a / (slash).


This is an example of the exclude_list.txt:

/media/nss/VOL1/tmp/
/media/nss/VOL1/USR/*/Notes/Workspace/
/media/nss/VOL1/data/do_not_backup.txt

For example, /media/nss/VOL1 is entered as source in the backup task. This means that the complete VOL1 will be backed up, excluding the items in the exclude file that is specified by the following entry in the backup task properties -> Options tab -> Backup options (previously Save options) field:

 -X /etc/sesam/exclude_list.txt

SEP sesam will exclude all the files and directories from the backup that are listed in the file.
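
A mistyped exclude entry silently changes what ends up in the backup, so it is worth checking the file against the per-platform rules above before using it with -X. The following is an added example, not SEP sesam code: the function names and platform labels are assumptions, Python's re module stands in for the client's regular expression engine, and the sample entries are constructed.

```python
import re

# Exclude list field limits quoted on this page (characters).
GUI_LIMIT_443 = 1024   # SEP sesam >= 4.4.3
GUI_LIMIT_442 = 255    # SEP sesam <= 4.4.2

# '*' that is not escaped and does not follow '.', ']' or ')': in a regular
# expression it repeats the previous character, which is rarely what a
# shell-style entry such as /old*.c intends.
GLOB_STAR = re.compile(r"(?<![.\])\\])\*")
# A comma followed by something that starts like another entry.
PASTED_LIST = re.compile(r",\s*(\\\.|/|[A-Za-z]:/)")


def lint_regex_entry(entry):
    """Checks for one Linux (RegExp exclude) entry; returns a list of messages."""
    try:
        re.compile(entry)
    except re.error as exc:
        return [f"not a valid regular expression ({exc})"]
    messages = []
    if entry.startswith("./"):
        messages.append("leading '.' is unescaped and matches any character")
    if GLOB_STAR.search(entry):
        messages.append("'*' looks like a shell wildcard; use '.*' in a regular expression")
    if not entry.endswith("$"):
        messages.append("no trailing '$': longer paths with this prefix are excluded too")
    return messages


def lint_exclude_list(text, platform):
    """Return (line_number, message) findings for the text of an exclude file.

    platform: "linux", "windows" or "oes" (labels chosen for this example).
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        messages = []
        if PASTED_LIST.search(entry):
            messages.append("several entries on one line; put each on its own line")
        if platform == "linux":
            messages += lint_regex_entry(entry)
        elif platform == "windows" and "\\" in entry:
            messages.append("backslash in path; use / only")
        elif platform == "oes" and (entry.startswith("\\.") or entry.endswith("$")):
            messages.append("looks like a regular expression; OES uses the pattern format")
        findings += [(number, m) for m in messages]
    return findings


def first_match(patterns, path):
    """Return the first regular expression that would exclude path, or None.

    Assumes a pattern is searched anywhere in the path, which is what the
    page's example for skipping *.tmp files implies.
    """
    for pattern in patterns:
        if re.search(pattern, path):
            return pattern
    return None


def fits_gui_field(entries, limit=GUI_LIMIT_443):
    """True if the comma-joined entries fit the GUI exclude list field."""
    return len(", ".join(entries)) <= limit


# Constructed sample file with typical mistakes (not from a real system).
SAMPLE_LINUX = "\n".join([
    r"\./tmp$",
    r"./var/cache$",
    r"*.tmp",
    r"/old*.c$",
    r"\./home/John Doe",
])

if __name__ == "__main__":
    for number, message in lint_exclude_list(SAMPLE_LINUX, "linux"):
        print(f"line {number}: {message}")
    # An unanchored entry also drops a sibling directory from the backup.
    print(first_match([r"\./home/John Doe"], "./home/John Doe-archive/keys.kdbx"))
```

Run first_match against the paths you cannot afford to lose; any result other than None means that path would be skipped under the stated matching assumption.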

Creating a special file nosbc to permanently exclude a directory

You can permanently exclude a directory from all backups on the client by creating a special file in the directory itself. This file is named .nosbc on Unix or nosbc on Windows. If such a file exists in a directory, the directory is not backed up even though it might be included in the specified source.

The behavior can be switched off for a specific backup task by entering the -o noexcl switch under the backup task properties, tab Options -> Backup options (previously Save options).

Using sm.ini to completely exclude files from backups on the client

You can use the central SEP sesam config file sm.ini to specify the files on the client that should never be backed up. The advantage of using this method is that you can exclude files or directories from all backups performed on the respective client.

The default location of the sm.ini file is <SESAM_ROOT>\var\ini\sm.ini.

To define the excludes for the client, open the sm.ini file and under the parameter SBC_EXCLUDE enter one parameter per line.

  • On Linux, use regular expressions to define the excludes in sm.ini. For example, to exclude the directories /dev, /mnt and /media from the backup, specify the following:
    [SBC_EXCLUDE]
    ExcludePattern1=\./mnt$
    ExcludePattern2=\./dev$
    ExcludePattern3=\./media$

    Note
    As of 4.4.3 Beefalo V2, the ExcludePattern900 and higher exclude parameters are used for SEP sesam specific exclude patterns. In order to define your own exclude patterns, use parameters ExcludePattern1 to ExcludePattern899.
  • On Windows, use file patterns to define the excludes in sm.ini. You can use this to exclude files that match the specified names or paths (note that <file_name> can include wildcard characters, e.g., * and ?).

Enforcing Full Backup

SEP sesam provides different types of backup, called backup levels, to enable specifying the level of data that is copied from source to destination. There are four different backup levels in SEP sesam: full, differential, incremental, and copy. The backup level is specified when creating a backup event in the Main Selection -> Scheduling -> Schedules -> New Backup Event.

Incremental and differential backups are typically used to reduce storage space, as they save only data that was created or changed after the last FULL backup (DIFF backup) or after the last backup of the same task, regardless of whether that was a FULL, DIFF or INCR (INCR backup). A saveset created as FULL is the base saveset for all subsequent DIFF or INCR savesets; therefore you have to perform FULL backups regularly to ensure that you can revert to previous versions at any point.

For example, an INCR backup taken after the third INCR following the FULL requires the FULL and the first, second, and third INCR to provide complete restore capability. If any saveset in the backup chain is missing, you will not be able to recover your data to a specific point in time.

Regardless of the backup level specified in the backup event, a backup may run as FULL (or DIFF) when one of the following conditions – explicit (option Enforce FULL) or implicit (assure valid backup chain) – is triggered.

  1. By enabling the Enforce FULL option when creating INCR and DIFF backup events you can ensure that a FULL backup is run within the specified interval; see section Enabling Enforce FULL option in GUI.
  2. SEP sesam has a built-in mechanism to ensure that your chain of backup savesets always has the last full backup available. It automatically maintains control over dependencies among the individual backup savesets and provides dependency-based automated retention. For details, see section Conditions for performing a FULL backup instead of a DIFF/INCR.

Enabling Enforce FULL option in GUI

For details on how to create a backup event, see Creating a Backup Event. This section only provides information which is specific to the option Enforce FULL.

  1. From Main Selection -> Scheduling -> Schedules, right-click the schedule for which you want to create a new event then click New Backup Event. If you have already created a backup event, select the relevant schedule and then double-click the backup event to open its properties. The Parameter dialog opens automatically.
  2. Under Object from the drop-down list select the task for which you are creating this backup event.
  3. Under Parameter, specify the Backup level: select DIFF or INCR. You should consider the advantages of each backup level (regarding time and resources required to store and restore your data) when planning your backup strategy.
    Note
    In case no initial FULL backup exists, differential (DIFF) or incremental (INCR) backups are automatically performed as FULL backups.
  4. Once your backup level is set to DIFF or INCR, you can enable the Enforce FULL option. This option ensures that a FULL backup is run within the specified interval. For example, setting the number to 7 will enforce a full backup every seven days instead of an incremental or differential backup if the planned full backup fails. This ensures that a full backup is always performed within the specified time interval, in our example, once a week. You should consider the advantages and disadvantages of the enforced full backup frequency, as it is slower than other backup levels and has the highest storage space requirements.
    If the value is set to 0, the system checks whether the last FULL backup was successful or run with warning for each backup performed. If the last FULL backup was terminated or run with error, the DIFF/INCR backup to be started is automatically performed as FULL backup.

Conditions for performing a FULL backup instead of a DIFF/INCR

In addition to the option Enforce FULL which can be enabled manually in the GUI (see the section above), there are also specific circumstances that will trigger a full backup automatically. SEP sesam performs a FULL backup instead of a DIFF/INCR when the following happens:

  • copy_reformat_lis failed
    For example, if *.lis files cannot be transferred from RDS to SEP sesam Server. *.lis files contain information about the backup's unique files; once the backup is finished, these files have to be copied from RDS to the SEP sesam SESAM_VAR/lis directory as this data is needed for a selective restore.
  • The previous backup chain (FULL–DIFF–INCR) is not complete
    For example, if EOL of a saveset is gone or a saveset is missing, SEP sesam will enforce a FULL backup. For more details on retention behavior and different EOL parameters, see Managing EOL.
  • DIFF/INCR backup has failed, FULL may be enforced for some specific task types
    This behavior depends on the task type. Failed DIFF/INCR may enforce FULL for IBM Domino (LotusNotes), IMAP, Exchange, GroupWise, KOPANO, Citrix XEN, and Hyper-V, while failed INCR (transaction log backup) may enforce DIFF (cumulative) for MS SQL Server and SAP_ASE.
  • A subtype of a VMware backup task was changed after a FULL backup
    For example, if a VMware FULL backup used the Backup as Image option (enabled by default, subtype "_IMG"), it performed a FULL raw backup of VMDK without CBT. If the subtype has been manually altered, it may break the backup chain. Therefore SEP sesam enforces a full backup to create a new initial full backup saveset that is unchanged and can act as the base for consecutive differential and incremental backups. For details on available backup options, check VMware backup.
  • Exchange Server validating backup integrity by using CHKSGFILES
    CHKSGFILES is used to verify the data before performing a backup to ensure that the databases to be stored are not corrupted. If sm_reformat_lis failed for DIFF/INCR (*.lis files were not retrieved/read), the next run of a backup job will be FULL.
  • A backup task is renamed or copied
    SEP sesam must be able to recognize the renamed or copied backup task as a new backup task and not as a continuation of the previous renamed task, therefore such a newly created task will run as FULL automatically.
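
The chain dependency and the Enforce FULL rules described in this section can be modeled as a decision over a task's saveset history, which is also a quick way to audit whether every restore point still has all of its links. This is an added example, not SEP sesam code: the Saveset fields, status strings and function names are assumptions made for the example, and the history is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

OK_STATES = {"successful", "warning"}   # states that count as a usable backup


@dataclass
class Saveset:
    name: str
    level: str                   # "FULL", "DIFF" or "INCR"
    finished: datetime
    status: str = "successful"   # or "warning", "error", "terminated"
    available: bool = True       # False once the saveset is deleted or past EOL


def restore_chain(history, target):
    """Savesets needed to restore target, oldest first; None if a link is missing.

    history is ordered oldest to newest. DIFF builds on the last FULL, INCR on
    the last usable backup of any level, as described above.
    """
    usable = [s for s in history
              if s.status in OK_STATES and s.finished <= target.finished]
    if target not in usable:
        return None
    chain, current = [target], target
    while current.level != "FULL":
        earlier = usable[:usable.index(current)]
        if current.level == "DIFF":
            earlier = [s for s in earlier if s.level == "FULL"]
        if not earlier:
            return None                      # no base saveset at all
        current = earlier[-1]
        chain.append(current)
    chain.reverse()
    return chain if all(s.available for s in chain) else None


def effective_level(history, requested, now, enforce_full_days=None):
    """Level a backup event actually runs at, with the reason.

    enforce_full_days: None = option off, 0 = check the last FULL's state,
    N > 0 = a usable FULL must exist within the last N days.
    """
    if requested == "FULL":
        return "FULL", "requested"
    fulls = [s for s in history if s.level == "FULL"]
    usable = [s for s in history if s.status in OK_STATES]
    if not any(s.status in OK_STATES for s in fulls):
        return "FULL", "no initial FULL backup exists"
    if restore_chain(history, usable[-1]) is None:
        return "FULL", "previous backup chain is not complete"
    if enforce_full_days == 0 and fulls[-1].status not in OK_STATES:
        return "FULL", "last FULL was terminated or ran with error"
    if enforce_full_days:
        last_ok_full = [s for s in fulls if s.status in OK_STATES][-1]
        if now - last_ok_full.finished > timedelta(days=enforce_full_days):
            return "FULL", f"no usable FULL within {enforce_full_days} days"
    return requested, "chain is valid"


def day(n):
    """Constructed timestamps for the sample history."""
    return datetime(2021, 3, n, 20, 0)


# Constructed history: one FULL followed by three INCR savesets.
HISTORY = [
    Saveset("SF1", "FULL", day(1)),
    Saveset("SI1", "INCR", day(2)),
    Saveset("SI2", "INCR", day(3)),
    Saveset("SI3", "INCR", day(4)),
]

if __name__ == "__main__":
    print([s.name for s in restore_chain(HISTORY, HISTORY[3])])
    print(effective_level(HISTORY, "INCR", day(10), enforce_full_days=7))
```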

Backup on the Remote Device Server

Generally speaking, all data of the clients in the Chemnitz location (backed up onto media in the media pool PoolChemnitz) moves only within the network segment of that site. Therefore, no data is transported to the SEP sesam Server over the WAN.

To test this, set up a test backup task in the SEP sesam GUI (Main Selection -> Tasks -> By Clients -> New Backup Task) that will perform a quick self-backup of the SEP sesam RDS (directory /etc) to the storage mounted on RDS. For details, see Creating a Backup Task.
Once you have configured a test backup, start it:

  1. In the Main Selection -> Tasks -> By Clients, right-click the test backup task and select Immediate Start.
  2. In the Immediate Start:Backup window, select the Media pool referring to the data store you have previously configured on RDS, in our example, PoolChemnitz and click Start.
    Tip
    You can view the status of your backup jobs in the SEP sesam GUI -> Main Selection -> Last Backup State. As of 4.4.3 Beefalo V2, you can also check the details of your backups online by using the new Web UI. For details, see SEP sesam Web UI.

    You can also schedule your test backup. For details, see Creating a Schedule.

Now your RDS is configured and ready to use.

Note
Make sure that you follow the general recommendations and configure the required exclusions in your antivirus product, and ensure that antivirus scans are not scheduled during backup operations.


Part VIII: Scheduling

Creating a Custom Calendar

SEP sesam provides flexible scheduling features to customize how and when your events are processed. By using the User defined option of a schedule, you can create a calendar that is customized according to your country- or company-specific requirements.

For example, you can define a calendar with specific days on which you want to perform special job executions, such as backup and migration. It also lets you define specific dates on which scheduled jobs are prevented from running: you can set up a custom calendar of public holiday dates for each year and link events with the Blocking date option to it to stop scheduled jobs from running during holidays.


You can create as many custom calendars as you need. A custom calendar can be defined for a limited period of time, e.g., for one year if the holidays and other specific dates are entered only for the next year, for several years, or for an unlimited time.

When creating a calendar, you can change the month or year in a calendar by clicking the single arrow (at the top/right corner of the calendar) for selecting a month or the double arrow for selecting a year.

After entering a calendar name and saving a calendar, you can switch to a calendar table view by selecting the Table View option. This view provides an overview of all your events, i.e., event start/end date and whether the event is active or not. You can add a new event by clicking the Add Event button (below the Events table). You can also modify and delete an existing event by double-clicking it (or selecting it and clicking Change Event/Delete Event button).

Note that you can simply modify, import, export, and delete your custom calendar, as described in the section Managing custom calendars.

Setting up a custom calendar

To create a custom calendar with dates on which you want to run additional jobs or prevent scheduled jobs from running, proceed as follows:

  1. From Main Selection -> Scheduling -> Schedules, click New schedule. The New Schedule window appears.
  2. The Execution is enabled by default. If you select the Execution off option, all events that are linked to this schedule will be deactivated.
  3. Specify the start time for the schedule in the Start field. By default, the current date is already entered. In the next field, specify the start time, e.g., 18.30. The schedule will be activated after the specified date and time. If you want your schedule to be valid only for a limited period of time, use the Expiration date option.
  4. In the table providing selection of different time parameters tabs (Once, Daily, Weekly, Monthly, Yearly, User Defined), click the User Defined tab and then click the New button below the Calendar name field. The New Calendar dialog is displayed.
  5. In the Name field, enter the name for your custom calendar. You can either add calendar events by single-clicking the days you want to include in your calendar or by double-clicking the desired date to open the Change event dialog. In the Change event dialog you can write a description in the Event field, expand the date range to several days, and choose the start and end time of the event. Deselecting the Active check box will deactivate the calendar event. Click OK to add the calendar event to the calendar.
  6. After adding all calendar events needed for the calendar, save your custom calendar by clicking the Create Calendar button.
  7. Under Advanced settings you can further refine your schedule.
    • To define the maximum allowed startup time (the amount of time an event can be in the queue), specify the startup time in days and/or hours in the Start time frame field. The actual event startup depends on the processor load of the system. At the starting time of the event, every event is forwarded into the queue, where it might wait until jobs with a higher priority are finished. For jobs with the same priority, the FIFO rule (first in, first out) applies. If the event cannot be executed within this specified time frame, it will not be executed at all.
    • You can also specify the time frame for the event to be repeated. Select the Repeat task check box and then specify the repetition cycle to repeat the event every n hours or minutes. Use the For a duration of field to specify the duration of the repeated event in days and/or hours.
    • To specify the time frame after which the scheduled event will be cancelled, select the check box in front of the option Stop task if runs longer than and set the amount of time (days and/or hours) after the event's scheduled start time at which the event will be cancelled.
    • Select the Expiration date check box if you want your schedule to be valid only for a limited period of time, e.g., until the end of the year. Then specify the date of schedule suspension. The schedule will be deleted after the Expiration date criterion is met. By default, this option is disabled and the schedule will be repeated in perpetuity.
  8. Click OK to save the schedule.

You can access all your configured schedules and events under Scheduling in the Main selection pane. Depending on the purpose of creating an event for a custom calendar, select one of the following procedures:

> Create an event for running additional jobs on specified dates

> Create an event to prevent scheduled jobs from running on specified dates

For general details on how to create the SEP sesam events, see Schedules Overview.

Create an event for running additional jobs on specified dates

You have to create the event(s) you want to run on the dates set by your newly created schedule:

  1. Select the schedule and right-click it. Then select the event type you want to add, for example backup, and click New Backup Event.
  2. Under Sequence control, set up the Priority of your event. SEPuler always executes the schedules with the highest priority first. The default priority level is 1, which is the lowest priority (the highest priority is 99). The only exceptions are schedules with priority 0, which override all other priorities and are always executed. For details, see event priorities.
  3. Under Object, select the task or task group to which you want to link this event. Then click OK to save the event.

Create an event to prevent scheduled jobs from running on specified dates

You have to create the event(s) you want to prevent from running on the dates set by your newly created schedule:

  1. Select the schedule and right-click it. Then select the event type you want to add, for example backup, and click New Backup Event.
  2. Under Sequence control, set up the Priority of your exclude event. SEPuler always executes the schedules with the highest priority first. The default priority level is 1, which is the lowest priority (the highest priority is 99). The only exceptions are schedules with priority 0, which override all other priorities and are always executed. For details, see event priorities. Then select the Blocking date check box. Make sure that this option is used together with a high priority that prevails over the priority of the event you want to block.
    Note
    The Blocking date option is used to prevent the activation of certain events on specific days (e.g., end of year, holidays) or to prevent the execution of other jobs related to the same object only within the specified hours. For details on the latter, see Special Schedules.
  3. Under Object, select the task or task group to which you want to link this event. Then click OK to save the event.

Managing custom calendars

You can modify, import, export, and delete your SEP sesam calendar(s). You can only manage one calendar at a time.

  1. From Main Selection -> Scheduling -> Schedules, double-click the calendar-related schedule, e.g., bank_holidays.
  2. In the table providing selection of different time parameters tabs (Once, Daily, etc.), click the User Defined tab.
  3. From the Calendar Name drop-down list, select the target calendar. Depending on what you want to do with it, select one of the following options:
    • Change: Enables you to modify an existing calendar or change its specific events. The procedure is the same as when you create a new calendar, see above section Setting up a custom calendar.
    • Delete: Delete the calendar. If the calendar is still being used by another schedule, you will receive a message.
    • Import: Enables you to add an existing online calendar (iCalendar) to your SEP sesam custom calendars by importing it. This way you can easily add a country's or region's holidays (that are already defined in some other online calendar) to your list of calendars without having to manually create each holiday/event. To import the calendar, in the file browser select the .ics calendar file that contains the events you want to import and click Open. Note that it may take some time to load the imported calendar.
    • Export: Enables you to use the SEP sesam calendar in other applications, such as Google and Apple Calendar. To export the calendar, in the file browser select the directory where you want to save your exported calendar. Optionally, change the name of your exported file. By default, a calendar is exported as an .ics file. You can also copy all events from one SEP sesam calendar to another by exporting and then importing a calendar.


Special Schedules

SEP sesam establishes schedules as a frame, to which you link different events, such as backup, migration, replication etc. A schedule defines the recurrence of an event and may be executed in minutes, hours, days, months or years. All schedules and related jobs are configured and run in the time zone of the SEP sesam Server. For more details on scheduling concepts, see SEPuler – an event calendar.

SEP sesam also provides options to prevent activation of individual events on specific days, such as holidays, and on certain hours:

  1. From v. 4.4.3 onwards, SEP sesam scheduling includes the new User defined option, which enables you to quickly and simply create a customized calendar and set the dates on which you would like to run additional jobs or prevent specific jobs from running. For details, see Creating Custom Calendar.
  2. When your custom calendar is set, create the desired event for it. Use the option Blocking date in the Event properties to prevent a job from being run. Such an event is called a blocking event: any type of event with a higher priority that obstructs another event of the same type and prevents it from being activated. It can be specified to prevent activation of a specified event on specific days or hours. The latter example is given below. For general details on how to configure a schedule and link an event to it, see Standard Backup Procedure, step 2 and 3.

Configuring a blocking event only for the specified hours

A blocking event is created during configuration of an event or later in the event properties. It is used to prevent the activation of certain events on specific days (e.g., end of year, holidays). It may also be configured to prevent the execution of other jobs related to the same object only within the specified hours.

Note
  • By default, a blocking event suppresses any job with the same task name on the respective SEP sesam backup day, regardless of whether it is scheduled to run before, during or after the blocking event.

If you want to set the blocking event to be applied only within the specified hours, you must perform some specific steps. If you are configuring a blocking event that is valid for a whole SEP sesam backup day (default), see Creating an Event.

To enable the blocking event within the specified hours, the SEP sesam database table defaults must contain an entry suppress_with_timerange with value yes. Without this entry the blocking event prevents related jobs from being activated for the whole SEP sesam day!

  1. Set a SEP sesam profile as described in FAQ: What happens when I set a profile.
  2. Once you set the profile, use the command line to insert the following into the SEP sesam database:
    sm_db "INSERT INTO defaults (key,user_name,value) VALUES ('suppress_with_timerange','sesam','yes');"
  3. The following scenario presumes that you have already defined an hourly-scheduled backup for ORACLE with command event Oracle all and event priority 1 (default). Now you want to disallow execution from noon till 2 p.m. Therefore you need to create another schedule, e.g., block_ORACLE_1200-1400. For details, see Creating a Schedule. In this schedule, you specify recurrence as:
    • weekly execution, from Monday till Friday
    • starting time 12:00 o'clock, duration 2 hours
  4. You must connect your newly created schedule, in our example block_ORACLE_1200-1400, to the same command event as mentioned above, e.g., Oracle_all (right-click the schedule and select New Command Event). Browse for the existing event (e.g., Oracle_all) and set the priority to a higher value. Note that this event's priority must be higher than the priority of the linked event. Then enable the Blocking date option.


If you want to use this function with a regular backup job, keep in mind that the blocking event has to reference the same task name as the backup event does.


Part IX: SEP sesam Operation in the Network

Backup over an alternate network

Your license must first be modified to match the new server name and/or IP address. Send the original license, the new server name, and the IP address to info@sep.de.

When you receive the new license information, you can change the SEP sesam Server name using sm_setup.

  1. Set the SEP sesam profile and enter the following command:
    sm_setup change_servername <mynewserver>
  2. After executing the command, check the interfaces of the renamed SEP sesam Server: Main selection -> Components -> Clients -> double-click the server (Client) to open its properties. In the Interfaces field, manually remove the old interfaces and enter the new interfaces for http and https.

Configuring SSL Secured Communication for SEP sesam Backup Network

As of 4.4.3 Tigon, SEP sesam uses the SSL (Secure Sockets Layer) protocol to authenticate identities and to encrypt and securely transfer data. SSL requires certificates to authenticate clients and establish a secure and trusted communication channel between SBC (sesam backup client) and STPD (sesam Transfer Protocol Server), thus preventing unauthorized access from clients to STPD. The SEP sesam backup environment is protected with self-signed certificates, based on OpenSSL. SEP sesam does not provide certificates by default; they have to be created by an administrator and copied to clients and RDSs in the backup network.

  1. Create self-signed root Certificate Authority (CA) on the SEP sesam Server
  2. Create server and client certificates on the SEP sesam Server and copy them to server and clients
  3. Generate and copy server certificate for each RDS
  4. Edit configuration file on each client and server or RDS
  5. In case a client certificate cannot be trusted anymore, revoke the certificate.
  6. Call a function on SEP sesam Server to get authorization.

Directory structure for the SSL certificates

The following directory structure is used for storing the SSL certificates and related parameters:

What                                                              Where
SEP sesam configuration files: sm.ini and stpd.ini                /var/opt/sesam/var/ini
Root SSL certificate and master key: rootCA.pem and rootCA.key    /var/opt/sesam/var/ini/ca
Generated client certificate and key: client.pem and client.key   /var/opt/sesam/var/ini/x.509
Generated server certificate and key: server.pem and server.key   /var/opt/sesam/var/ini/ssl

Steps

Creating self-signed root Certificate Authority (CA) on the SEP sesam Server

  1. On the SEP sesam Server, remove any old self-generated SSL keys from
    /var/opt/sesam/var/ini/ssl
  2. Then create directories /ca and /x.509 to store your keys and certificates.
    /var/opt/sesam/var/ini/ca
    /var/opt/sesam/var/ini/x.509
  3. To create the root certificate, run the sm_ssl_cert ca command line utility as shown:
    /opt/sesam/bin/sms/sm_ssl_cert ca
    

In the folder /var/opt/sesam/var/ini/ca, the process creates two files:

  • A master key, also known as rootCA.key; keep this key private as it is needed for generation of new server and client certificates and is the basis of trust for all your certificates.
    Note
    After generating server and client keys, you should remove the rootCA.key from the server and keep it in a safe place.
  • A root SSL certificate rootCA.pem; it is used to verify existing server and client certificates. Make sure that the root CA has a long expiry date. Once it is expired, all certificates signed by it become invalid. This certificate must be present on all clients connecting to servers signed with the CA certificate.

Once you have created the CA certificate and key, you can create and sign certificates.

Creating server and client certificates on the SEP sesam Server

  1. First, you have to create the server certificate on the SEP sesam Server:
    /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<hostname>

    where <hostname> must be the same as the name specified in the interface settings in GUI (Main Selection -> Components -> Topology -> Clients, <server_name> -> field Interfaces).

    You can also use the IP address for <hostname> or use an * (asterisk) in the hostname, e.g., *.serverdomain.com or 192.168.1.*. Multiple server or domain names must be separated by a comma, e.g.:

    /opt/sesam/bin/sms/sm_ssl_cert server --common-name=myserver,myserver.domain.com

    Once done, there are two new files in the folder /var/opt/sesam/var/ini/ssl:

    server.pem
    server.key

  2. For each server, copy the files as follows:
    • copy rootCA.pem to /var/opt/sesam/var/ini/ca
    • copy client.pem to /var/opt/sesam/var/ini/x.509
    • copy client.key to /var/opt/sesam/var/ini/x.509
  3. Then, create the client certificate on the SEP sesam Server:
    /opt/sesam/bin/sms/sm_ssl_cert client

    Optionally, you can create client.pem/client.key with a unique subject field by using:

    /opt/sesam/bin/sms/sm_ssl_cert client --oid={options}

    {options}: comma-separated list of

       C:{country_name}             - country name
      CN:{common_name}              - common name
      DQ:{dn_qualifier}             - dn qualifier
      GN:{given_name}               - given name
      GQ:{generation_qualifier}     - generation qualifier
       I:{initials}                 - initials of some or all of an individual's names, but not the surname(s)
       L:{locality_name}            - locality name
       N:{name}                     - name
       O:{organization_name}:       - organization name
      OU:{organizational_unit_name} - organization unit name
       P:{pseudonym}                - pseudonym
      PC:{postalcode}               - postalcode
       S:{surname}                  - surname
       T:{title}                    - title

    Once done, there are two new files in the folder /var/opt/sesam/var/ini/x.509:

    client.pem
    client.key

  4. For each client, copy the files to it as follows:
    • copy rootCA.pem to /var/opt/sesam/var/ini/ca
    • copy client.pem to /var/opt/sesam/var/ini/x.509
    • copy client.key to /var/opt/sesam/var/ini/x.509

Generating and copying server certificates for each RDS

If you want each RDS to have its own server certificate, you have to generate a server certificate for each RDS. In this case, the SEP sesam Server and every RDS each have their own server certificate signed with the same self-signed root CA. This configuration allows you to back up a client either to the SEP sesam Server or to any RDS.

  1. To generate a server certificate for each RDS, run the following command:

    /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<RDS_hostname> --path=<RDS_server_certificate_path>

  2. Copy the generated server.pem and server.key files from <RDS_server_certificate_path> to each RDS into the folder /var/opt/sesam/var/ini/ssl.
  3. Copy rootCA.pem to each RDS into the folder /var/opt/sesam/var/ini/ca.
Note
All generation is performed only on the server.

Edit configuration file on each client and server or RDS

On SEP sesam Client
  1. Locate the /var/opt/sesam/var/ini/sm.ini file on the SEP sesam Client. Open the sm.ini file using a text editor and set the following:

    [SBC_SSL]
    SBC_CLIENT_SSL_AUTH=1   #For client-side verification
    SBC_SSL_SERVER_VERIFY=1 #For server-side verification

  2. Once you have changed the settings, save your changes and restart the client for the changes to take effect.
On SEP sesam Server or RDS
  1. Locate the /var/opt/sesam/var/ini/stpd.ini file on the SEP sesam Server. Open the stpd.ini file using a text editor and set the following:

    [STPD_Server]
    STPD_HTTPS_USE_CLIENT_CERT=2 #Possible values: 0: Do not validate
                                 #                 1: Validate but show warning
                                 #                 2: Validate and show error

  2. Once you have changed the settings, save your changes and restart the server for the changes to take effect.
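
To confirm that a client/server pair actually enforces the settings above, the following added example (not SEP sesam code) reads the text of sm.ini and stpd.ini and reports which verification directions are switched on. The minimal parser, the function names and the sample file contents are assumptions; only the section and key names come from this page.

```python
import re

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_SETTING = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*([^#]*)")


def read_settings(ini_text):
    """Return {section: {key: value}} with inline '#' comments removed.

    Assumption: a minimal reader written for this example, not the parser
    SEP sesam uses. Lines that are not 'KEY=value' (blank lines, comment
    lines, comment continuation lines) are ignored; a repeated key keeps
    its last value.
    """
    settings, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        header = _SECTION.match(line)
        if header:
            section = header.group(1)
            settings.setdefault(section, {})
            continue
        setting = _SETTING.match(line)
        if setting and section is not None:
            settings[section][setting.group(1)] = setting.group(2).strip()
    return settings


def audit(sm_ini_text, stpd_ini_text):
    """Return (mode, findings) for one client sm.ini and one server stpd.ini.

    mode uses the labels of this page's test matrix: 'double', 'client',
    'server' or 'none'. findings lists every setting that keeps the pair
    from enforcing verification in both directions.
    """
    sbc = read_settings(sm_ini_text).get("SBC_SSL", {})
    stpd = read_settings(stpd_ini_text).get("STPD_Server", {})
    client_auth = sbc.get("SBC_CLIENT_SSL_AUTH") == "1"
    server_verify = sbc.get("SBC_SSL_SERVER_VERIFY") == "1"
    findings = []
    if not client_auth:
        findings.append("sm.ini: SBC_CLIENT_SSL_AUTH is not 1 "
                        "(SSL client authentication is disabled)")
    if not server_verify:
        findings.append("sm.ini: SBC_SSL_SERVER_VERIFY is not 1 "
                        "(SSL integrity check disabled)")
    value = stpd.get("STPD_HTTPS_USE_CLIENT_CERT")
    if value is None:
        findings.append("stpd.ini: STPD_HTTPS_USE_CLIENT_CERT is not set")
    elif value == "0":
        findings.append("stpd.ini: STPD_HTTPS_USE_CLIENT_CERT=0 (do not validate)")
    elif value == "1":
        findings.append("stpd.ini: STPD_HTTPS_USE_CLIENT_CERT=1 (validate but show warning)")
    elif value != "2":
        findings.append("stpd.ini: STPD_HTTPS_USE_CLIENT_CERT=%r is not a documented value" % value)
    mode = {(True, True): "double", (True, False): "client",
            (False, True): "server", (False, False): "none"}[(client_auth, server_verify)]
    return mode, findings


# Constructed sample files. HARDENED_* repeat the settings shown above;
# WEAK_* are variations made up for this example.
HARDENED_SM = """\
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1   #For client-side verification
SBC_SSL_SERVER_VERIFY=1 #For server-side verification
"""
HARDENED_STPD = """\
[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2 #Possible values: 0: Do not validate
                             #                 1: Validate but show warning
                             #                 2: Validate and show error
"""
WEAK_SM = """\
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
#SBC_SSL_SERVER_VERIFY=1
SBC_SSL_SERVER_VERIFY=0
"""
WEAK_STPD = """\
[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT = 1
"""

if __name__ == "__main__":
    for name, sm, stpd in (("hardened", HARDENED_SM, HARDENED_STPD),
                           ("weak", WEAK_SM, WEAK_STPD)):
        mode, findings = audit(sm, stpd)
        print(name, "->", mode)
        for finding in findings:
            print("  ", finding)
```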

Revoking client certificate

If a client certificate can no longer be trusted (e.g., it was leaked), it is important to invalidate it. If the certificate was leaked and malicious clients are using it, the server needs a way to identify the invalid certificate and refuse connections from clients that present it. One option is to use Certificate Revocation Lists (CRLs). A CRL is a list of all invalid certificates.

To add a client certificate (client.pem) to the CRL, proceed as follows:

  1. Create the directory:

    /var/opt/sesam/var/ini/revoked

  2. Create the Certificate Revocation List (CRL) on the server:

    /opt/sesam/bin/sms/sm_ssl_cert revoke --certificate="/var/opt/sesam/var/ini/x.509/client.pem"

    Note
    CRL creation works only on Linux. The problem on Windows appears to be an old (probably custom-built or custom-configured) version of the GnuTLS library. To create a CRL file on Windows, you have to download GnuTLS from the GnuTLS FTP server.

    Two files will be created in /var/opt/sesam/var/ini/revoked:

    crt
    certs.pem

  3. In case of an RDS configuration, also copy the following to the RDS:

    crt ==> /var/opt/sesam/var/ini/revoked

Example

If a client with a revoked certificate tries to connect to a server:

2016-08-30 18:05:01: sbc-3536: Info:     # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-30 18:05:01: sbc-3500: Info:     Verify SSL Server Cert: 1
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: URL: https://SEP-RDSWin10:11443
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL integrity check enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL client authentication is enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: BSACreateObject: Error:  GNUTLS_CERT_REVOKED
20160830 18:05:01.709 [3428] ConnectionHandlerCb:: new connection
20160830 18:05:01.709 [3428] ConnectionHandlerCb:: Call connection callback
20160830 18:05:01.710 [3428] SSLConnectionCb:: Starting SSL connection
20160830 18:05:01.710 [3428] SSL mode. Checking for client certificate
20160830 18:05:01.731 [3428] SSL error: Error:  GNUTLS_CERT_REVOKED

At the same time, another client with a different client.pem/client.key tries to connect to the server:

2016-08-30 18:06:33: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  URL: https://SEP-RDSWin10:11443
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-30 18:06:33: sbc-3007: Info:    Operation successful.

Useful commands

curl -X "PUT" -F file=@c:\windows\system32\drivers\etc\hosts -H "XBSA-USER:SESAM_SECURE_AUTHENTICATION" -H  "XBSA-PASS:" \
-H "XBSA-TYPE:I" -H "XBSA-CWD:." -H "XBSA-STOR:TestBak.bak" -H "XBSA-QUIT" https://aoseredchuk-PC:11443 \
--key "c:\Program Files\SEPsesam\var\ini\x.509\client.key" --cacert "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" \
--cert "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" --ipv4 --tlsv1.0 --verbose

openssl s_client -connect aoseredchuk-PC:11443 -CAfile "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" \
-cert "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" -key "c:\Program Files\SEPsesam\var\ini\x.509\client.key"

openssl x509 -in "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" -noout -text

openssl x509 -in "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" -noout -text

Certificate testing

Test with correct certificates

Client authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:00:45: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:00:46: sbc-3007: Info:    Operation successful.
Server authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:34:50: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
...
2016-08-29 15:34:52: sbc-3007: Info:    Operation successful.
Double authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:13: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:01:13: sbc-3007: Info:    Operation successful.

Test with wrong client.key/pem certificates

Client authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:59: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:59: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:01:59: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:59: sbc-3005: Info:    Closing saveset.
2016-08-29 15:01:59: sbc-3310: Info:    Checksum (adler32): 1. (test)
2016-08-29 15:01:59: sbc-3052: Info:    Items processed correctly: [0]. Not processed or incorrectly processed items: [0]. (test)
2016-08-29 15:01:59: sbc-1156: Error:   Operation failed!
20160829 15:01:59.878 [16340] ConnectionHandlerCb:: new connection
20160829 15:01:59.878 [16340] ConnectionHandlerCb:: Call connection callback
20160829 15:01:59.879 [16340] SSLConnectionCb:: Starting SSL connection
20160829 15:01:59.879 [16340] SSL mode. Checking for client certificate
20160829 15:01:59.880 [16340] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
Server authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:33:05: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
...
2016-08-29 15:33:07: sbc-3007: Info:    Operation successful.
Double authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:46: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:01:47: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:47: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:01:47: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:47: sbc-3005: Info:    Closing saveset.
2016-08-29 15:01:47: sbc-3310: Info:    Checksum (adler32): 1. (test)
2016-08-29 15:01:47: sbc-3052: Info:    Items processed correctly: [0]. Not processed or incorrectly processed items: [0]. (test)
2016-08-29 15:01:47: sbc-1156: Error:   Operation failed!
20160829 15:01:46.987 [18740] ConnectionHandlerCb:: new connection
20160829 15:01:46.987 [18740] ConnectionHandlerCb:: Call connection callback
20160829 15:01:46.987 [18740] SSLConnectionCb:: Starting SSL connection
20160829 15:01:46.988 [18740] SSL mode. Checking for client certificate
20160829 15:01:46.989 [18740] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND

Test with wrong rootCA.pem certificates

Client authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:28:21: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:28:26: sbc-3007: Info:    Operation successful.
Server authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:48:54: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
2016-08-29 15:48:57: sbc-3502: Info:    XBSA:  BSACreateObject: Client SSL certificate is missing or invalid
2016-08-29 15:48:57: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:48:57: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Client SSL certificate is missing or invalid
20160829 15:48:54.800 [2808] ConnectionHandlerCb:: new connection
20160829 15:48:54.800 [2808] ConnectionHandlerCb:: Call connection callback
20160829 15:48:54.801 [2808] SSLConnectionCb:: Starting SSL connection
20160829 15:48:56.218 [2808] SSL mode. Checking for client certificate
20160829 15:48:57.028 [2808] SSL error: Client SSL certificate is missing or invalid
Double authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:49:56: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:50:03: sbc-3007: Info:    Operation successful.

Test with wrong rootCA.pem and client.key/pem certificates

Client authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:44:50: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:44:53: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
20160829 15:44:50.877 [18796] ConnectionHandlerCb:: new connection
20160829 15:44:50.878 [18796] ConnectionHandlerCb:: Call connection callback
20160829 15:44:50.878 [18796] SSLConnectionCb:: Starting SSL connection
20160829 15:44:52.451 [18796] SSL mode. Checking for client certificate
20160829 15:44:53.158 [18796] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
Server authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:42:36: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
2016-08-29 15:42:39: sbc-3502: Info:    XBSA:  BSACreateObject: Client SSL certificate is missing or invalid
2016-08-29 15:42:39: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:42:39: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Client SSL certificate is missing or invalid
20160829 15:42:37.051 [11924] ConnectionHandlerCb:: new connection
20160829 15:42:37.052 [11924] ConnectionHandlerCb:: Call connection callback
20160829 15:42:37.052 [11924] SSLConnectionCb:: Starting SSL connection
20160829 15:42:38.363 [11924] SSL mode. Checking for client certificate
20160829 15:42:39.072 [11924] SSL error: Client SSL certificate is missing or invalid
Double authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:41:39: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:41:42: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:41:42: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:41:42: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
20160829 15:41:39.831 [0728] ConnectionHandlerCb:: new connection
20160829 15:41:39.831 [0728] ConnectionHandlerCb:: Call connection callback
20160829 15:41:39.832 [0728] SSLConnectionCb:: Starting SSL connection
20160829 15:41:41.218 [0728] SSL mode. Checking for client certificate
20160829 15:41:41.927 [0728] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
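
The test logs above all end in one of a few verdict lines. The following added example (not SEP sesam code) classifies a client (sbc) or server (STPD) log excerpt by those lines and attaches a follow-up hint per status flag. The function name, the NO_CLIENT_CERT label and the hint texts are assumptions; the sample log lines are copied from this page.

```python
import re

# Line formats seen in this page's samples: client (sbc) and server (STPD).
CLIENT_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: sbc-\d+: \w+:\s+(.*)$")
SERVER_LINE = re.compile(r"^\d{8} \d{2}:\d{2}:\d{2}\.\d{3} \[\d+\] (.*)$")
GNUTLS_FLAG = re.compile(r"GNUTLS_CERT_[A-Z_]+")
NO_CLIENT_CERT = "Client SSL certificate is missing or invalid"

# Assumption: follow-up hints written for this example from the paths and
# test cases on this page; they are not SEP sesam messages.
HINTS = {
    "GNUTLS_CERT_REVOKED":
        "certificate is on the CRL; see /var/opt/sesam/var/ini/revoked",
    "GNUTLS_CERT_SIGNER_NOT_FOUND":
        "issuer is not the rootCA.pem in /var/opt/sesam/var/ini/ca of the verifying host",
    "GNUTLS_CERT_INVALID":
        "verification failed; the accompanying flags give the reason",
    "NO_CLIENT_CERT":
        "no acceptable client certificate; check SBC_CLIENT_SSL_AUTH and /var/opt/sesam/var/ini/x.509",
}


def triage(log_text):
    """Summarise one connection attempt from sbc and/or STPD log lines."""
    result = {"verdict": "unknown", "flags": [], "client_auth": None,
              "server_verify": None, "url": None, "sources": set(), "hints": []}
    flags, finished = set(), None
    for raw in log_text.splitlines():
        line = raw.strip()
        for source, pattern in (("sbc", CLIENT_LINE), ("stpd", SERVER_LINE)):
            match = pattern.match(line)
            if match:
                break
        else:
            continue  # elided "..." lines and anything unrecognised
        result["sources"].add(source)
        msg = match.group(1)
        flags.update(GNUTLS_FLAG.findall(msg))
        if NO_CLIENT_CERT in msg:
            flags.add("NO_CLIENT_CERT")
        if "SSL client authentication is" in msg:
            result["client_auth"] = msg.endswith(" enabled")
        elif "SSL integrity check" in msg:
            result["server_verify"] = msg.endswith(" enabled")
        elif "URL: " in msg:
            result["url"] = msg.split("URL: ", 1)[1]
        elif msg.startswith("Operation successful"):
            finished = True
        elif msg.startswith("Operation failed"):
            finished = False
    if flags or finished is False:
        result["verdict"] = "rejected"
    elif finished:
        result["verdict"] = "ok"
    result["flags"] = sorted(flags)
    result["hints"] = [HINTS[flag] for flag in result["flags"] if flag in HINTS]
    return result


# Excerpts copied from the samples on this page.
REVOKED = """\
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: URL: https://SEP-RDSWin10:11443
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL integrity check enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL client authentication is enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: BSACreateObject: Error:  GNUTLS_CERT_REVOKED
20160830 18:05:01.710 [3428] SSL mode. Checking for client certificate
20160830 18:05:01.731 [3428] SSL error: Error:  GNUTLS_CERT_REVOKED
"""
SIGNER = """\
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:59: sbc-1156: Error:   Operation failed!
"""
SUCCESS = """\
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:01:13: sbc-3007: Info:    Operation successful.
"""

if __name__ == "__main__":
    for name, text in (("revoked", REVOKED), ("signer", SIGNER), ("success", SUCCESS)):
        summary = triage(text)
        print(name, summary["verdict"], summary["flags"], summary["hints"])
```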

List of Ports Used by SEP sesam

SEP sesam client-server communication requires certain TCP ports to be open to enable SEP sesam components to communicate with each other through a firewall. Daemons are specific to the SEP sesam Client/SEP sesam Server/RDS installation and use different port numbers.

The ports required may be SEP sesam version-specific. As of version ≥ 4.4.3 Beefalo, SEP sesam uses fewer ports by default than in the previous versions.

Ensure that all required ports are available on the system for SEP sesam daemons and that they are not blocked by a firewall; these ports may not be assigned to another service. If the required ports are not available, SEP sesam will not function correctly.

Additionally, you might need to open relevant network ports to ensure communication between SEP sesam Server or SEP sesam data mover and additional modules, e.g., VMware vSphere, NDMP, etc. For the list of module-related ports, see the section Module-related ports below.

Used default ports in version ≥ 4.4.3 Beefalo

If a firewall is used, then only the following TCP ports must be allowed for SEP sesam backup in versions ≥ 4.4.3 Beefalo. SEP recommends SMSSH for secure control communication between SEP sesam Server and SEP sesam Clients/RDS and the HTTP protocol for data transfer from SEP sesam Client to the SEP sesam device server. SMSSH and HTTP are the default protocols if no other protocol is specified in the client configuration and in the different events (backup/restore/migration etc.).

Component/Description | Direction | Source port | Destination port | Protocol | Configuration in GUI
SEP sesam Server
SMSSH: Encrypted communication to the client | outbound | random | 11322 | TCP/SSH | Client properties -> Access Mode -> select SMSSH
Backup data over HTTP | inbound | random | 11000 | TCP/HTTP | Client properties -> Interfaces -> enter <http://hostname:11000>
SEP sesam Client
SMSSH: Encrypted communication to the client | inbound | random | 11322 | TCP/SSH | Client properties -> Access Mode -> select SMSSH
Backup data over HTTP | outbound | random | 11000 | TCP/HTTP | Client properties -> Interfaces -> enter <http://hostname:11000>
SEP sesam Remote Device Server
SMSSH: Encrypted communication to the client | inbound | random | 11322 | TCP/SSH | Client properties -> Access Mode -> select SMSSH
Backup data over HTTP | inbound | random | 11000 | TCP/HTTP | Client properties -> Interfaces -> enter <http://hostname:11000>

SEP sesam full ports list

The following is the full list of ports used by SEP sesam. You only need to open those ports in your firewall that you are actually using. If you decide to configure all control communications over SMSSH, you don't have to open the CTRL port 11301 in the firewall.

Port numbers for SEP sesam Server

Port number | Description | Configuration in GUI/Example
11301 | CTRL: Unencrypted communication to the client | Client properties -> Access Mode -> select CTRL
11322 | SMSSH: Encrypted communication to the client | Client properties -> Access Mode -> select SMSSH
11001 | Data over FTP | Client properties -> Interfaces -> enter <hostname> or <ftp://<hostname>:11001>
11000 | Data over HTTP | Client properties -> Interfaces -> enter <http://hostname:11000>
11443 | Data over HTTPS | Client properties -> Interfaces -> enter <https://hostname:11443>
11002-11007 | Port range for 3 parallel data transfers via FTP | Client properties -> Options tab -> Firewall Settings -> enter port range in STPD options
11701+drive number | Replication and source-side deduplication (SDS) port | For example:
  • If you replicate from dedup drive 2 (source) to the RDS drive 5 (target), the port is 11703 (daemon on the machine with drive 2).
  • If you replicate from dedup drive 5 (source) to the RDS drive 2 (target), the port is 11706 (daemon on the machine with drive 5).
11401 | GUI/WEB UI (RMI) listen port |
Note
For external backups (BSR, SAP, Informix, MaxDB ...), the client must always be able to reach the SEP sesam Server via ports 11000 (for HTTP backups), 11443 (for HTTPS backups) and 11001 (for FTP backups), and not only the RDS. This must be taken into account in the firewall rules.

Port numbers for SEP sesam Remote Device Server

Port number | Description | Configuration in GUI/Example
11301 | CTRL: Unencrypted communication to the client | Client properties -> Access Mode -> select CTRL
11322 | SMSSH: Encrypted communication to the client | Client properties -> Access Mode -> select SMSSH
11001 | Data over FTP | Client properties -> Interfaces -> enter <hostname> or <ftp://hostname:11001>
11000 | Data over HTTP | Client properties -> Interfaces -> enter <http://hostname:11000>
11443 | Data over HTTPS | Client properties -> Interfaces -> enter <https://hostname:11443>
11002-11007 | Port range for 3 parallel data transfers via FTP | Client properties -> Options tab -> Firewall Settings -> enter port range in STPD options
11701+drive number | Replication and source-side deduplication (SDS) port | For example:
  • If you replicate from dedup drive 2 (source) to the RDS drive 5 (target), the port is 11703 (daemon on the machine with drive 2).
  • If you replicate from dedup drive 5 (source) to the RDS drive 2 (target), the port is 11706 (daemon on the machine with drive 5).
Additional ports for SEP sesam Remote Device Server with GUI
- no incoming ports for GUI on RDS

Port numbers for SEP sesam Client

Port number | Description | Configuration in GUI/Example
11301 | CTRL: Unencrypted communication to the client | Client properties -> Access Mode -> select CTRL
11322 | SMSSH: Encrypted communication to the client | Client properties -> Access Mode -> select SMSSH
11002-11007 | Port range for 3 parallel data transfers via FTP | Client properties -> Options tab -> Firewall Settings -> enter port range in STPD options

Port numbers for SEP sesam GUI PC (not SEP sesam Server)

Port number | Description | Configuration in GUI/Example
- no incoming ports to GUI PC
Additional ports for SEP sesam GUI PC with installed SEP sesam Client
11301 | CTRL: Unencrypted communication to the client | Client properties -> Access Mode -> select CTRL
11322 | SMSSH: Encrypted communication to the client | Client properties -> Access Mode -> select SMSSH
11002-11007 | Port range for 3 parallel data transfers via FTP | Client properties -> Options tab -> Firewall Settings -> enter port range in STPD options

Module-related ports

The following tables show the required network ports used for communication (connection or data transfer) between SEP sesam Server or SEP sesam data mover and extra modules.

Port numbers for VMware vSphere

From | To | Description | Port number | Protocol
SEP sesam Server | vSphere (vCenter/ESXi) | Connection to vCenter Server or ESXi server | 443 | HTTPS/TCP
SEP sesam data mover | vSphere (vCenter/ESXi) | Connection to vCenter Server or ESXi server | 443 | HTTPS/TCP
SEP sesam data mover | ESXi server | Data transfer to ESXi host | 902 | TCP

Port numbers for Citrix XenServer

From | To | Description | Port number | Protocol
SEP sesam data mover | Citrix XenServer | Connection to Citrix XenServer | 443 | HTTPS/TCP
SEP sesam data mover | Citrix XenServer | Required for backups with CBT | 10809 | HTTPS/TCP

Port numbers for NDMP

From | To | Description | Port number | Protocol
SEP sesam data mover | NDMP server | Data transfer between components | 1000 | NDMP

Port numbers for HPE StoreOnce

From | To | Description | Port number | Protocol
SEP sesam Server | HPE StoreOnce | Default command port; for communication with HPE StoreOnce | 9387 | TCP
SEP sesam Server | HPE StoreOnce | Default data port; for communication with HPE StoreOnce | 9388 | TCP


Configuring clients in the firewall environment

If your client is behind a firewall, you have to configure the communication ports. By default, SEP sesam uses random ports which are specified by the operating system. However, if you want to back up a client which is behind a firewall, you must manually define the ports. Switch to the Options tab. The available options depend on the client type.

  • In the Access Options field, enter the port over which the client is reachable by using the command -p <port_no> (e.g., -p 17301). The default listen port for the CTRL daemon on the clients is 11301, and for SMSSH 11322.
  • Use STPD Options to set up the communication port for transferring data from backup client to the SEP sesam Server. Note that each backup running simultaneously on a client requires two ports; e.g., three simultaneous backups on the backup client use ports 11002-11007. When the HTTP protocol is used for data transfer (SEP sesam Server interface is http://<SEP sesam server>:11000), the TCP port 11000 is used.
  • Listen Port is the initial STPD port for device servers (SEP sesam Server, RDS). It is 11001 by default. If you need to alter the default port, insert a new port number.
  • The Use WOL (Wake-on-LAN) function requires the command sm_wol to exist as a binary or script in the directory <SESAM_BIN>/bin/sesam of the SEP sesam Server. If the option Use WOL is enabled, this command is called before a backup is executed and the client is started. For details, see Wake-on-LAN.

Part X: SEP sesam Events

Newday Event

SEP sesam Newday is a predefined SEP sesam daily event that resets the backup event calendar and is managed by SEPuler. It is accessible under schedules: Main Selection -> Scheduling -> Schedules. A Newday event is used by SEP sesam to reorder its database and enable uninterrupted activity of SEP sesam processes, therefore it must never be completely deactivated or it will cause SEP sesam to stop working properly. See Newday event roles. Newday is used to define a new backup day. All SEP sesam protocol and log files are created with the date of the backup day.

If a Newday event is set for 08:00 (SEP sesam default), the backup day is defined from 8 a.m. of the current day to 8 a.m. of the next day. Backups that run after midnight – the actual date change – are 'time-stamped' with the previous day's date in order to avoid the creation of two backups for the same data (one saveset for day 1 and another for day 2).

With SEP sesam Newday, all media backed up from one sesam day, e.g., from Monday 8 a.m. to Tuesday 7.59 a.m., have the same date. SEP sesam Newday gives system administrators flexibility to extend backup routines to run after midnight and retain the backup date of the prior day. This is very useful when the computers requiring backups exceed the time allotment between the end of day and midnight.

When you check, for example, backups by state in the SEP sesam GUI, the selected/displayed date always refers to the sesam backup day, with the time span defined by Newday. In the above example of a defined backup day (from 8 a.m. of the current day to 8 a.m. of the next day), the 13th of November defines the backup day from Monday, 13.11., 8 a.m. to Tuesday, 14.11., 7.59 a.m. Keep in mind that by default the backup day does not correspond to the calendar day.

Note

To ensure error-free execution of the SEP sesam backup environment, SEP sesam Newday should never be completely deactivated. Switching Newday off prevents SEP sesam from reordering its database. SEP sesam will then no longer be able to delete old log files, which will cause the system to exceed the storage available on the system disk drive.

Besides resetting the event calendar and setting a new backup day, Newday also performs the following:

  • Deletes files and database entries for savesets which no longer exist.
  • Finalizes the SEP sesam status and daily log files.
  • Reorganizes SEP sesam database.
  • Advances the event calendar (SEPuler) by one day.
  • Restarts the SMS- and STPD-processes.

Preventing Newday from cancelling running activities

You can set a Newday behaviour to allow for uninterrupted running of SEP sesam operations. If you do not want to abort any active tasks during the Newday event, go to Schedules -> Newday event properties -> tab Parameter, and then select the check box All Events next to Do not cancel these activities.

If Newday is configured as explained above, it won't interrupt any running backup upon its start, therefore Newday can be set to be active at all times.


Creating a Backup Event

By creating a backup event, you select the backup level, set event priority and specify where to back up your data to. You can create an event for a specific task or for a task group. The latter enables you to trigger all the tasks in the task group with a single event.

  1. From Main Selection -> Scheduling -> Schedules, right-click the schedule for which you want to create a new event, then click New Backup Event.
  2. Under the Sequence control, set up the Priority of your backup event. SEPuler always executes the schedules with the highest priority first. The default priority level is 1, which is the lowest priority (the highest priority is 99). The only exception is schedules with priority 0, which override all other priorities and are always executed. For details, see Setting Event Priorities. You can also enable Blocking date. This option should be used together with high priority for special events. If checked, events of the same type but of a lower priority will be blocked, ensuring that the backup will be processed even if other backups are scheduled for the same time.
  3. Under the Object, select the task or task group to which you want to link this event. In our example, you would link the newly created event to the task diagnostix_C.
  4. Under the Parameter, specify the Backup level:
    A FULL backup always copies all data specified by the backup task, regardless of whether it has been changed or not. A saveset created as FULL is the basic saveset for subsequent DIFF or INC savesets. While the backup time of a full backup can be significant, restore is fast and simple since only one backup saveset is required. Information about the backup status is stored in the SEP sesam database. Note that the archive bits are not deleted on Windows systems. If you want to force a reset of the archive bits, you can enter the command -o clear_archive in the backup options.
    A DIFF (differential) backup saves only data which was created or changed after the last FULL saveset had been created (of the same task). A differential backup is faster than a full backup, however, to restore the whole data source, first the saveset of the full backup has to be restored followed by restore of the DIFF saveset. For this, SEP sesam provides generation restore that enables browsing for and selecting for restore all generations of backed up files since the last full backup.
    An INC (incremental) backup saves only data which was created or changed after the last backup (FULL, DIFF or INC) of the same task. This is the fastest backup method and requires the least storage space. Restoring from incremental backups is the slowest, because it requires all related savesets to be copied back – the saveset of the last full backup as well as all INC backups. You should consider the advantages of time and resources when planning your backup strategy. A combination of FULL backups stored to tape drives, and DIFF or INC backups stored to virtual disk media is a common method.
    A COPY backup is a full backup that has no influence on following differential (DIFF) or incremental (INC) backups. For the treatment of archive bits, see FULL backup above. COPY backup is usually used for additional full backups, e.g., monthly backups, or backups for archiving, i.e. removal from storage.
    Note
    In case no initial FULL backup exists, differential (DIFF) or incremental (INC) backups are automatically performed as FULL backups.
    For DIFF and INC backups, you can also set the Enforce FULL option. This option ensures that a FULL backup is run within the specified interval. For example, setting the number to 7 will enforce a full backup every seven days instead of an incremental or differential backup if the planned full backup fails. This ensures that a full backup is always performed within the specified time interval, in our example, once a week. If the value is 0, the system checks whether the last FULL backup was successful or run with warning for each backup performed. If the last FULL backup was terminated or run with error, the INC/DIFF backup to be started is automatically performed as FULL backup. However, once you have decided on your backup schedule, you should consider the advantages and disadvantages of the enforced full backup frequency, as it is slower than other backup levels and has the highest storage space requirements. For details, see Enforcing Full Backup.
  5. From the Hot/Cold backup drop-down list, select the execution parameter (hot or cold backup).
  6. From the Media pool drop-down list, select the target media pool to which the data will be backed up. If you want to enable source-side deduplication, you have to select the media pool which is combined with an Si3 deduplication store backend.
    • Optionally, specify the drive number of the drive that will be used to write the data. Typically, you use this if you have configured additional drives and you want to assign a dedicated drive exclusively for backup. For details, see option Create second drive (introduced in SEP sesam 4.4.3 Tigon) in Configuring a Data Store.
    • You can also define the Interface: from the drop-down list, select another configured TCP/IP-name of the client. You can use this option to direct the data flow over a particular network connection to enable smooth execution of backups without blocking other network activities.
  7. Optionally, enable SEP Si3 source-side deduplication (introduced in v. 4.4.3). This check box is only available if you have a configured Si3 deduplication store and you have previously selected the Si3-related media pool.
  8. In the Follow up field (introduced in v. 4.4.3) you can configure events that are triggered on the SEP sesam Server once the initial event has completed. You can set up a migration, a saveset verify and other actions to be triggered immediately after a backup or other event is completed. For details, see Follow-up events.
    Tip
    In v. ≥ 4.4.3 Grolar, you can use the Migration task option in the New Backup Event window or in the task event properties to choose a follow-up migration task.

You can view the status of your backup jobs by selecting Monitoring -> Last Backup State in the Main selection window. The backup status overview provides detailed information on the last run of backup jobs, including the task name, start and stop time of the last backup, backup level, data size, throughput, assigned media pool, etc.

As of 4.4.3 Beefalo V2, you can check the status and details of your backup jobs online by using the new Web UI. For details, see SEP sesam Web UI.

Creating a Media Event

A media event can be a user-defined event or an internal event created by SEP sesam. For example, if the specified media are unavailable at the start of a backup or if the end of media (EOM) is reached during data transfer, SEP sesam creates an internal media event which determines the next media for the backup. If no other media events are configured in the schedule, only internal media events are executed.

A user-defined media event is configured by using the GUI and is automatically activated by SEPuler. The following media events can be configured:

initializing
A process of preparing backup media for use with SEP sesam. If a medium meets the requirements (e.g., its EOL has expired and it is not write-protected – locked), it can be initialized, deleting all data contained on it and preparing it for use again. During initializing, SEP sesam assigns a new tape label for formatted media and deletes all existing content on these media. At the same time, it deletes all information about old backups from the SEP sesam system.
readability check
A process that checks the backup data readability. During the check the data on medium is read in blocks, and the structure of tape is checked and recorded. It also checks whether all determined backup sets on the tape are recorded in the database and vice versa. For details, see Configuring a Readability Check.
close tape
A process that marks the tape as full by defining EOM and closing the tape, regardless of whether the tape is really full or not. Such a tape can no longer be used for storing data.
archive adjustment
A process that scans media in selected loader to update SEP sesam information about the media in the loader. It is required if the media in the loader have changed, for example if new media are added. For details, see Setting up Archive Adjustment.

Steps

  1. In the Main Selection -> Scheduling -> Schedules, select the schedule to which you want to link the event, right-click it or select New and then New Media Event. A schedule is opened with a new tab Parameter.
  2. Under the Sequence control, set up the Priority of your media event. SEPuler always executes the schedules with higher priority first. The default priority level is 1, which is the lowest priority (the highest is 99). The only exceptions are schedules with priority 0, which override all other priorities and are always executed. For details, see Setting Event Priorities. You can also enable the Blocking date. This option should be used together with high priority for special events. If checked, the blocking event will block events of the same type with a lower priority, ensuring that the backup is processed even if other backups are scheduled at the same time. For details, see Blocking Events.
  3. Under the Media action, select the type of event you want to create. You can select among the following: Initialize, Readability check, Archive adjustment and Close tape.
  4. Depending on previously chosen media event, some or all of the following options may be available.
    For options Initialize, Readability check, Close tape:
    • Media pool: Select the media pool for your event.
    • Drive: Optionally, select a drive.
    • Media: Optionally, select media for the event.
    For option Archive adjustment:
    • Media pool: Select the media pool where you want to perform the archive adjustment. Note that all media are shown regardless of the pool selected.
    • Drive: Optionally, select a drive.
    • Loader: Select the loader (tape library) for which you want to synchronize its contents with the SEP sesam database.
    • First slot and Last slot: You can limit synchronization to the specified loader parts by entering the number of the first and last slot.
    • Automatic introduction: Optionally, you can select that any unknown media (without SEP sesam label) found in the tape library is automatically added to the specified media pool. If selected, specify also the Tape type option by choosing the media type for automatic new media entry from the drop-down list.
      • If you have selected Automatic introduction, under the Handling of unknown SEP sesam media, select one of the following options:
        Overwrite option will overwrite all media entered to the target media pool that are not recognized by the SEP sesam Server and assign a new media pool label to them.
        Accept without initialization enables SEP sesam to enter other SEP sesam media, e.g., from another SEP sesam Server, into the target media pool.
    • Check label on tape: Optionally, enable this if you want to scan the tape labels; every tape label is re-read and verified, while the barcode information is ignored.
    • Adjustment by barcode only: Optionally, select this if you want SEP sesam to check the barcodes of all tapes which are not in drives. This enables you to adjust the archive while the drives are in use. SEP sesam scans only the tapes which are in slots, while the tapes in the drives are not scanned.

Creating a Migration Event

Migration event represents the last step in a migration job configuration. Creating a migration event consists of reviewing migration task parameters and (optionally) setting event priority.

Steps

  1. In the Main Selection -> Scheduling -> Schedules, select the schedule for which you want to create a new migration event, click New (or right-click the selected schedule) and click New Migration Event.
  2. From the Task name drop-down list, select the name of the already configured migration task for which you want to create a migration job.
  3. In the Priority box, set up the Priority of your migration event. SEPuler always executes the schedules with higher priority first. The default priority level is 1, which is the lowest priority (the highest is 99). The only exceptions are schedules with priority 0, which override all other priorities and are always executed. For details, see event priorities. You can also enable the Blocking date. This option should be used together with high priority for special events. If checked, the blocking event will block events of the same type with a lower priority, ensuring that the backup is processed even if other backups are scheduled at the same time. For details, see Blocking Events.
  4. The settings under the Media pool, Destination, Backup date, Backup state, Backup level, Object, and Special filter (previously Parameter and Filter) were defined when you created the selected migration task. If required, you can modify these settings. The changes will only be applied to the current migration event and will not affect the original values set in the migration task. All values that differ from the settings in the migration task are displayed in blue when the event is re-opened. The check box Delete after successful migration sets the saveset EOL to the actual date and time of the successful migration. The source saveset is purgeable immediately after the migration. The saveset EOL has no effect for savesets stored on tape media.
  5. Click OK to save your migration event.

To check the status of your migration job, go to the Main Selection -> Job State -> Migrations and Replications. Migration tasks are listed by name together with details on completion status, start and end time, and media pools used for the task.

As of 4.4.3 Beefalo V2, you can check the status and details of your migration jobs online by using the new Web UI. For details, see SEP sesam Web UI.

Tip
As of version 4.4.3 Grolar, you can use the Migration task option in the backup task and event properties to choose a follow-up migration task.

Creating a Command Event

A command event allows the execution of an arbitrary program on a SEP sesam Client. As of SEP sesam version 4.4.2, new command events can be scheduled to run automatically.

Steps

  1. In the Main Selection -> Scheduling -> Schedules, select the schedule to which you would like to add a command event. Right-click it and select New Command Event. The New Command Event window is displayed.
    Note that if you have not configured a schedule yet, you have to configure it first by clicking the New Schedule button in the Schedules window. For details, see Creating a Schedule.
  2. Under the Parameter tab, specify the following settings:
    • Priority: Optionally, define a priority for the command event. SEPuler always executes schedules with higher priority first. The default priority level is 1, which is the lowest priority (the highest is 99). The only exceptions are schedules with priority 0, which override all other priorities and are always executed. For details, see Event Priority.
    • Blocking date: This should be used together with high priority for special events. If checked, it will block events of the same type of a lower priority, ensuring that the command event is processed when other command events are also scheduled at the same time. See Blocking Events.
    • Name: Enter a name for the new event or search for and select an already existing command event. Searching for command by clicking the Choose button opens a new window, where you can add a new command event, copy an already existing command event, select which existing command event you want to use again by clicking the Select button, and change or delete an existing command event.
    • Client: Select a client on which the command will be executed.
    • User: Enter the user name of a user with sufficient access to execute the command on the client.
    • Retention time: Specify for how long (in days) the command event results and logs will be kept.
    • Command: Enter the complete command. In v. < 4.4.3 Beefalo, you can also add here the additional parameters to command, if required.
    • Add to command (available in v. ≥ 4.4.3 Beefalo): Optionally, add additional parameters to command, e.g., sm_sho.
  3. Click OK to add your command event to a schedule. You can review your schedules and assigned events, trigger immediate start of events or delete them by right-clicking the selected schedule/event.
Tip

You can also access the configured commands from the Menu bar -> Configuration -> Command.

Setting permission to execute commands

Not every user on a specific client is authorized to execute all commands. Without additional entries authorizing selected users to run specific commands, the commands can only be run from the <SESAM_ROOT>/bin/sesam system directory. If a command should be started from another directory before the regular backup starts, this must be entered/permitted at the target client.

UNIX

Copy the file sesam_cmdusers.allow from the <SESAM_ROOT>/skel directory to /etc on the client and modify the file. You will now be able to enter a line for the user and command using the {user} {command} format. If you use a wildcard (*), all commands will be executed.

No explicit permissions are required to execute SEP sesam commands such as sm_loader.

Windows

To set access rights for the user and command, use the following key: \\HKLM\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\<user>\<command>

Additionally on the client computer the entry CTRLD_Path=ID/bin/sesam;ID/bin/sms in the file ID/var/ini/sm.ini in section [CTRLD_Server] must be extended with the directories where the desired programs reside.

  1. Open the Regedit editor.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\. If the key CommandEvents does not already exist there, right-click and select New Key to create it.
  3. Enter <user> and then <command> with the full path information as the key.

The available commands are:

Command | Execution
* | all instructions
cmd /c | all DOS commands (dir, etc.)
DOS command (e.g., dir) | only specific DOS command (e.g., dir)
specific command (e.g., ping) | only specific command (e.g., ping)

If there are any other commands present, the last command will be executed. If you use a wildcard (*), all commands will be executed.

Below is an example of a registry file (*.reg) that allows all command events for the administrator and sesam user:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\sesam\*]
[HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\Administrator\*]

Note

The most common errors when setting up the desired user permissions and allowed commands are:

  • The necessary entries are not entered in the target client directories, not entered on the server or are entered incorrectly.
  • Instead of entering a command as a key, it is entered as a character string.
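
The two permission stores described above (sesam_cmdusers.allow on UNIX, the CommandEvents registry keys on Windows) can be reviewed with a short script. The following is an added example, not SEP sesam code: it reports wildcard and cmd /c grants, malformed allow-file lines, and commands entered as registry values instead of keys. The function names, the sample entries and the treatment of lines starting with # as comments are assumptions of the example.

```python
from typing import NamedTuple

# Registry location of command-event permissions, as given on this page.
PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents"

class Grant(NamedTuple):
    source: str   # "unix" (sesam_cmdusers.allow) or "windows" (registry)
    user: str
    command: str
    scope: str    # "all", "all-dos" or "specific"

def classify(source, command):
    """Map an entry to the scope listed in the page's command table."""
    if command == "*":
        return "all"                  # wildcard: every command
    if source == "windows" and command.lower() == "cmd /c":
        return "all-dos"              # every DOS command
    return "specific"

def parse_allow(text):
    """Parse sesam_cmdusers.allow: one '{user} {command}' entry per line.

    Assumption: blank lines and lines starting with '#' are not entries.
    Returns (grants, malformed); malformed holds (line_no, raw_line).
    """
    grants, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)   # user, then the rest as the command
        if len(parts) != 2:
            malformed.append((line_no, raw))
            continue
        user, command = parts
        grants.append(Grant("unix", user, command, classify("unix", command)))
    return grants, malformed

def parse_reg(text):
    """Parse a regedit export (*.reg) covering the CommandEvents subtree.

    Returns (grants, values); values holds (line_no, line) for registry
    values under CommandEvents, i.e. entries typed as a character string
    instead of a key (a setup error the page names).
    """
    grants, values = [], []
    in_subtree = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            rest = key[len(PREFIX):]
            in_subtree = (key.lower().startswith(PREFIX.lower())
                          and rest[:1] in ("", "\\"))
            if in_subtree:
                user, _, command = rest.lstrip("\\").partition("\\")
                if user and command:  # key has the <user>\<command> shape
                    grants.append(Grant("windows", user, command,
                                        classify("windows", command)))
        elif in_subtree and line.startswith(('"', "@=")):
            values.append((line_no, line))
    return grants, values

def broad_grants(grants):
    """Grants that allow more than one specific command."""
    return [g for g in grants if g.scope != "specific"]

# Constructed sample inputs for illustration (not from a real client).
SAMPLE_ALLOW = """\
# user command
root /opt/scripts/pre_backup.sh
backup *
oracle
"""

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents]
[HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\sesam]
[HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\sesam\*]
[HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\Administrator\cmd /c]
[HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\svc_backup]
"ping"=""
'''

if __name__ == "__main__":
    unix, malformed = parse_allow(SAMPLE_ALLOW)
    win, values = parse_reg(SAMPLE_REG)
    for g in broad_grants(unix + win):
        print(f"BROAD     {g.source:8} {g.user:14} {g.command!r} -> {g.scope}")
    for n, raw in malformed:
        print(f"MALFORMED allow-file line {n}: {raw!r}")
    for n, line in values:
        print(f"VALUE     .reg line {n}: {line} (a permission must be a key)")
```

Entries reported as "all" or "all-dos" are the ones to compare against the list of accounts that actually need to run command events on that client.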

Scheduling Restore

SEP sesam enables you to configure a restore task in the GUI restore wizard or via the web Restore Assistant interface. The latter cannot be used for scheduling restore, as scheduling is only supported in the GUI mode. So a restore task can be started immediately from the GUI or web Restore Assistant, but it can only be scheduled by using the GUI Scheduling.

For example, a selective restore can be scheduled to run at the completion of the daily backup routine, e.g., the last backed up file can be restored to a new directory to check and control the data integrity. For details on creating a restore task, see Standard Restore Procedure.

Adding a restore task to a schedule

Once you have created and saved your restore task, you can edit it in the Main Selection -> Tasks -> By clients, or add it to an already existing schedule.

  1. In the Main Selection -> Scheduling -> Schedules, select the schedule to which you would like to add a restore task. Right-click it and select New restore event. If you have not configured a schedule yet, you have to configure it first by clicking the New schedule button in the Schedules window. For details, see Creating a Schedule.
  2. The New restore event window is displayed. You can review the selected schedule parameters by clicking the Schedule tab.
  3. Switch to the Parameter tab. From the Restore task drop-down list, select the name of the restore task you want to schedule.
  4. Select the As defined in task option if you want to run the restore exactly as defined by the task parameters using the same backup saveset. If you want to adjust the restore task, for example to use the most recent backup saveset, select the Custom option. In the latter case, you can define the following settings:
    • Relative backup day defines the time range for the savesets that are considered for restore. Negative numbers specify days in the past, while positive numbers specify days in the future. For example, a range of -7 to 0 defines that a backup saveset to restore is less than a week old.
    • From the State drop-down list you can select the condition of the backup that will be used for restore:
      • Successfully or with warnings: The backup has completed successfully or with warnings.
      • Only successful: Only a backup that completed successfully without warnings will be considered for restore.
      • Only with warnings: Only a backup that completed with warnings will be considered for restore.
      • Partially restorable: A backup that failed but is listed as partially restorable in the main log.
    • Backup level allows you to specify which backup level of saveset will be used for restore: C (copy backup), F (full backup), D (differential backup), I (incremental backup).
    • Selection drop-down list provides the following options for the specific backup saveset to be restored:
      • Youngest: The most recent backup in the range of the relative backup day will be used for restore.
      • Oldest: The oldest backup in the range of the relative backup day will be used for restore.
    • Pool restriction allows you to define that a saveset must come from the specified media pool.
  5. Under the Sequence control, you can set the restore job priority and the blocking date.
    • Priority: You can define a priority for your restore event. SEPuler always executes the schedules with higher priority first. The default priority level is 1, which is the lowest priority (the highest is 99). The only exceptions are schedules with priority 0, which override all other priorities and are always executed. For details, see Setting event priorities.
    • Blocking date: This should be used together with high priority for special events. If checked, the blocking event will block events of the same type with a lower priority, ensuring that the restore is processed even if other restores are scheduled at the same time. See Blocking events.
  6. Under the Destination parameter, you can specify the target drive that will be used for restore.
  7. Click OK to add your restore task to a schedule.

You can review your schedules and assigned events, trigger immediate start of events or delete them by right-clicking the selected schedule.

Follow-up Events

Overview

As of SEP sesam version 4.4.3, you can configure follow-up events that are triggered on the SEP sesam Server once the initial event is completed. You can set up migration, saveset verify and other actions to be triggered immediately after a backup or other event is completed.

Key features

Follow-up events allow you to start actions based on events happening on the backup server.

The following event chains can be combined:

  • Start migration after the backup or task group is successfully completed.
  • Start single backup task or task group after the backup, task group or migration is successfully completed.
  • Start saveset verify after the backup or task group is successfully completed.

Activating follow-up events

To activate the follow-up events, enter the following commands in the shell/cmd.

On Windows:

"c:\program files\sepsesam\var\ini\sm_prof.bat"
sm_glbv w gv_use_follow_up 1
sm_db "update defaults set value='1' where key ='enable_gui_follow_up'"

On Linux:

source /var/opt/sesam/var/ini/sesam2000.profile
sm_glbv w gv_use_follow_up 1
sm_db "update defaults set value='1' where key ='enable_gui_follow_up'"

Event-based actions are logged within:

SESAM_INSTALL_DIR/var/log/lgc/sm_event_<date>.log
Note
If you need troubleshooting assistance, send this log file with a description of your issue to SEP sesam support.

Configuring follow-up events

A follow-up event can be configured in the backup event properties: Main Selection -> Scheduling -> Schedules -> New Backup Event. For details, see Creating a Backup Event.

In the Follow up field you can configure events that are started on the SEP sesam Server once the initial event is completed.

As of version 4.4.3 Grolar, you can use the Migration task option to choose a follow-up migration task.

Note
A follow-up event is always configured for the schedule that should trigger the event.

Testing events on the command line

Backup events can be tested on the command line before configuration. The command line tool sm_cmd is used for the initial start of a backup.

The notation of the command has a special syntax:

sm_cmd <cmd_command> -@ "<event_definition>"

The following example shows an sm_cmd command which then automatically starts a follow-up event to back up a task group:

sm_cmd backup -m MEDIAPOOL -j TEST_BACKUP -@ "sm_event backup task SESAM_BACKUP - -m MEDIAPOOL -"

See SEP sesam Command Line Interface for details.

Follow-up examples

In the following examples the elements within the angle brackets < > indicate that the enclosed element is mandatory and must be appropriately replaced by parameter or actual name. Do not type the angle brackets in the command line. Every follow-up command also requires the ending hyphen -. All specified tasks and migration tasks have to be configured in the GUI before the follow-up event is started. For example, first you configure a migration task and then you set up the event migrate saveset after the backup.

Verify saveset after the backup

Note
Verifying savesets is currently only available for Path task type.

To verify the backup, use the following command:

sm_event verify saveset -

After the backup is finished, a restore is started and the data is verified. No data is written to the target system. To view the status of your verification job, go to the Main Selection -> Job state -> Restores and check the verification status.

Migrate or replicate saveset after the backup

First, create a migration task or a replication task. Once the required task is created, you can set it up as a follow-up event after the backup has completed.

The following command will start the respective migration after each completed backup task:

sm_event migrate saveset <migration_task> -

Replace <migration_task> with the actual name of the migration (or replication) task, as it is displayed in Tasks -> Migration Tasks or alternatively in Tasks -> Replication Tasks (previously Si3 Replications).

Tip
As of version 4.4.3 Grolar, you can use the Migration task option in the task event properties to choose a follow-up migration task.

Migrate savesets after all backups in the group completed

First, create a migration task and then set it up as a follow-up event to start the migration for backup-group related savesets.

The following command will start the respective migration after all backups that are part of the group are completed:

sm_event migrate group <migration_task> - 

Replace <migration_task> with the actual name of the migration task (or replication), as it is displayed in Tasks -> Migration Tasks or alternatively in Tasks -> Replication Tasks (previously Si3 Replications).

Migrate saveset after the backup and delete it after successful migration

First, create a migration task. Once the required task is created, you can set it up as a follow-up event after the backup is completed by entering the following command:

sm_event migrate saveset <migration_task> - -r 1 -

The additional option "-r 1" will be passed to the migration task and the saveset will be deleted after successful migration.

Replace <migration_task> with the actual name of the migration task, as it is displayed in Tasks -> Migration Tasks.

Note
This follow-up event can only be used for migration, not for replication.

Start a single backup task after the backup

To start another backup task after the scheduled backup is finished, specify the following:

sm_event backup task <task_name> - -m <target_pool> -

Replace <task_name> with the name of the backup task and <target_pool> with the target media pool the data should be saved to.

Start a single backup task after all backups of a task group

To start another backup task after all backups of a scheduled task group are finished, specify the following:

sm_cmd backup -G <task_group> -m <target_pool> -@ "sm_event backup taskgroup <task_name> - -m <target_pool> -"

Replace <task_group> with the name of your task group, <target_pool> with the target media pool the data should be saved to, and <task_name> with the name of your backup task which should be started.

Note
The notation sm_event backup taskgroup ensures that all backups of the previous running task group have been completed.

For example, the name of the task group is MY_GROUP, the name of the target pool is MY_MEDIAPOOL, and the task name is SESAM_BACKUP:

sm_cmd backup -G MY_GROUP -m MY_MEDIAPOOL -@ "sm_event backup taskgroup SESAM_BACKUP - -m MY_MEDIAPOOL -"

Start task group after the backup

Sometimes you need to start a task group after the backup is finished:

sm_event backup group <task_group> - -m <target_pool> -l BACKUP-LEVEL -

Replace <task_group> with the name of the task group and <target_pool> with the target media pool the data should be saved to. Replace BACKUP-LEVEL with the backup level: F, C, D or I.

Start event on special drive

To start the target event on a different drive, specify the option -d:

sm_event backup task <task_name> - -m <target_pool> -d <drive_num> -

Send notification after the backup, migration or restore

You can trigger a notification after the backup, migration or restore event is finished.

sm_event notify result <username> -

In the example below, the notification will be sent to the username configured as backup within Configuration -> Email Settings.

sm_event notify result backup -

For more information on e-mail configuration, see Email Settings. For details on how to send a SEP sesam daily protocol to an email account, check FAQ.
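
The rules from the follow-up examples above (a definition starts with sm_event, ends with a hyphen, contains no unreplaced <placeholder>, and uses F/C/D/I for the backup level) can be checked before a definition is entered in the Follow up field. The following is an added example, not part of SEP sesam: the function names are hypothetical, and the table of accepted forms covers only the variants shown on this page.

```python
import shlex

# (action, object) forms shown in the follow-up examples on this page, with
# the number of names (task, group or user) expected before the first hyphen.
KNOWN_FORMS = {
    ("verify", "saveset"): 0,
    ("migrate", "saveset"): 1,
    ("migrate", "group"): 1,
    ("backup", "task"): 1,
    ("backup", "group"): 1,
    ("backup", "taskgroup"): 1,
    ("notify", "result"): 1,
}
BACKUP_LEVELS = {"F", "C", "D", "I"}

def lint_follow_up(definition):
    """Return a list of problems found in one follow-up event definition."""
    tokens = definition.split()
    if not tokens or tokens[0] != "sm_event":
        return ["definition does not start with sm_event"]
    problems = []
    if tokens[-1] != "-":
        problems.append("missing ending hyphen")
    for tok in tokens:
        if tok.startswith("<") and tok.endswith(">"):
            problems.append(f"placeholder {tok} not replaced")
    form = tuple(tokens[1:3])
    if form not in KNOWN_FORMS:
        problems.append(f"form {' '.join(form)!r} is not one of the page's examples")
        return problems
    names = KNOWN_FORMS[form]
    head = tokens[3:3 + names]
    if len(head) < names or "-" in head:
        problems.append("missing task, group or user name")
    elif tokens[3 + names:4 + names] != ["-"]:
        problems.append("expected '-' after the name")
    # -l must be followed by one of the backup levels F, C, D or I.
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-l" and tokens[i + 1] not in BACKUP_LEVELS:
            problems.append(f"backup level {tokens[i + 1]!r} is not F, C, D or I")
    return problems

def follow_up_of(sm_cmd_line):
    """Return the quoted event definition passed to sm_cmd with -@, or None."""
    args = shlex.split(sm_cmd_line)
    if "-@" in args[:-1]:
        return args[args.index("-@") + 1]
    return None

if __name__ == "__main__":
    # The sm_cmd test command from this page, then three constructed bad cases.
    page_cmd = ('sm_cmd backup -G MY_GROUP -m MY_MEDIAPOOL -@ '
                '"sm_event backup taskgroup SESAM_BACKUP - -m MY_MEDIAPOOL -"')
    samples = [
        follow_up_of(page_cmd),
        "sm_event backup task SESAM_BACKUP - -m MEDIAPOOL",
        "sm_event migrate saveset <migration_task> -",
        "sm_event backup group MY_GROUP - -m MY_MEDIAPOOL -l BACKUP-LEVEL -",
    ]
    for s in samples:
        print(s, "->", lint_follow_up(s) or "ok")
```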


Part XI: SEP sesam Log Files

How to interpret SEP sesam's backup module's error messages?

SEP sesam backup modules are designed to produce extended error messages which may return information from 5 layers: SBC – XBSA – FTP – SMS – operating system. SEP sesam scans the protocol files for warnings and errors after backup and restore. In the event of a warning or an error, the first identified message is printed in the summary at the end of the protocol.

Every backup module uses the X/Open Backup Services API (XBSA) standard. SEP sesam XBSA is based on FTP implementation. The backup module connects to SEP sesam's FTPD daemon implementation – Sesam Transfer Protocol Daemon (STPD). STPD is a service that requests and delivers the backup data from or to the SMS Server and manages the data flow between the SEP sesam Server and a client. During a restore STPD receives the data from the SMS Server and sends it to the client, which then restores the data to the target system. Sesam Multiplex Stream (SMS) is a service that receives the backup data from STPD and writes the data to the backup media. During a restore, it reads the data from the backup media and sends it to STPD. Additionally, the SEP sesam backup client (SBC) module executes backup, migration and restore tasks. SBC collects and consolidates backup data on the client system and delivers it to STPD. A list of all SBC messages (C header file) can be found at SBC Messages.

An error message is composed of the messages from the triggering layer up to the upper layers. If an operating system returns an error, the error code and the operating system message are added to the SEP sesam error message. Because of this, error messages can also help troubleshoot problems that are not caused by SEP sesam (for example, OS problems).

Typical backup protocol

The following example shows a typical backup protocol. It is composed of 4 sections: about module, operational parameters, processing, and a summary.

2009-06-26 10:28:16: sbc-3036: Info:    # SESAM BACKUP CLIENT FOR Windows NT FILE SYSTEMS, VERSION: 3.2A17 Build
Revision: 1.257 (x64), Released: Jun 25 2009 #
2009-06-26 10:28:16: sbc-3063: Info:    -------------------- Operation Parameters --------------------
2009-06-26 10:28:16: sbc-3019: Info:    OS info:          Microsoft Windows Server 2008, Build: 6001 Service Pack 1 (x64)
2009-06-26 10:28:16: sbc-3100: Info:    Program PID:      42900
2009-06-26 10:28:16: sbc-3030: Info:    Operation:        BACKUP, Level: COPY
2009-06-26 10:28:16: sbc-3031: Info:    Storage Host:     qsbox3:11001,0-0:SESAM_SECURE_AUTHENTICATION:****
2009-06-26 10:28:16: sbc-3032: Info:    Control Host:     qsbox3:11001:SESAM_SECURE_AUTHENTICATION:*
2009-06-26 10:28:16: sbc-3040: Info:    Device:           SMS:disk1:SHARE:64
2009-06-26 10:28:16: sbc-3064: Info:    --------------------- Operation Messages ---------------------
2009-06-26 10:28:16: sbc-3002: Info:    Building file list from: [C:\SEPsesam\var\ini]
2009-06-26 10:28:16: sbc-3022: Info:    Command line ["sbc" "-b" "-C" "qsbox3:11001" "-S" "qsbox3:11001" "-l" "copy" "-s"
"SF20090626102812" "-d" "SMS:disk1" "-t" "weekly00001:1" "-j" "TEST_BACKUP" "-i" "job=TEST_BACKUP,nod=qsbox3,cmd=sbc,src=C/ /SEPsesam
/var/ini,ptf=WNT,typ=Path,exc=" "C:/SEPsesam/var/ini" ]
2009-06-26 10:28:16: sbc-3003: Info:    Opening saveset: SF20090626102812
2009-06-26 10:28:18: sbc-3104: Info:    Saveset info: [SEGMENT=3]
2009-06-26 10:28:18: sbc-3004: Info:    Begin writing to saveset...
2009-06-26 10:28:18: sbc-3074: Info:    Backup start time [20090626102818]
2009-06-26 10:28:18: sbc-3143: Info:    Starting with drive C:
2009-06-26 10:28:18: sbc-3006: Info:    Saveset size: 98304 bytes. Throughput: 189.820 MB/Hour.
2009-06-26 10:28:18: sbc-3005: Info:    Closing saveset.
2009-06-26 10:28:18: sbc-3052: Info:    Items processed correctly: [25]. Not processed or incorrectly processed items: [0].
2009-06-26 10:28:18: sbc-3007: Info:    Operation successful.
2009-06-26 10:28:19: sbc-3001: Info:    Exiting.

Backup error summary

The error message summary is prefixed by a short information string. The full error message is composed as follows:

{status}/{amount}/{saveset ID}/{SBCstart}/{message}

The components of this string have the following meanings:

{status}:
    0 - successful
    1 - warning
    2 - empty LIS
    3 - broken during backup
    C - broken before data transfer
    X - failed
{amount}: Amount of data stored on media
{saveset ID}: Automatically generated saveset ID
{SBCstart}: Starting time on the client
{message}: Message about the error

The following example shows a backup error summary with all 5 layers prefixed by a short information string.

X/0/SF20060629233007/20060629232907/Error: XBSA Call BSAEndData (closing saveset) failed:
System detected error, operation aborted. TRANSIENT or PERMANENT NEGATIVE reply:
553 STOR Failed. 1037: Writing data block on tape failed (23): Data error (cyclic redundancy check).
1039: Writing of Saveset Trailer failed.

The amount of detail provided for a backup or restore is defined by the log level.
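The summary string and the protocol layout described above can be parsed mechanically. The following Python code is an added example, not SEP sesam code: it splits a summary into its five fields and returns the first warning or error record of a protocol. It assumes that warnings and errors carry Warning: or Error: in the position where the sample protocol shows Info:; the sbc-9998 and sbc-9999 lines are constructed.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Status codes exactly as listed in the component table above.
STATUS_MEANING = {
    "0": "successful", "1": "warning", "2": "empty LIS",
    "3": "broken during backup", "C": "broken before data transfer",
    "X": "failed",
}

class Summary(NamedTuple):
    status: str
    meaning: str
    amount: str          # kept as text: the page does not state the unit
    saveset_id: str
    sbc_start: datetime
    message: str

class Record(NamedTuple):
    timestamp: datetime
    module: str
    code: int
    severity: str
    message: str

# "<date> <time>: <module>-<number>: <severity>: <text>", as in the typical protocol.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): ([A-Za-z]+)-(\d+): (\w+):\s*(.*)$"
)

def parse_summary(text: str) -> Summary:
    """Parse {status}/{amount}/{saveset ID}/{SBCstart}/{message}."""
    # Split on the first four slashes only: the message itself may contain "/".
    parts = text.strip().split("/", 4)
    if len(parts) != 5:
        raise ValueError("expected five '/'-separated fields")
    status, amount, saveset_id, start, message = parts
    if status not in STATUS_MEANING:
        raise ValueError(f"unknown status {status!r}")
    return Summary(
        status, STATUS_MEANING[status], amount, saveset_id,
        datetime.strptime(start, "%Y%m%d%H%M%S"),
        " ".join(message.split()),   # re-join a message wrapped over several lines
    )

def parse_protocol(text: str) -> List[Record]:
    """Turn protocol text into records, folding wrapped lines into their message."""
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, module, code, severity, msg = m.groups()
            records.append(Record(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                  module, int(code), severity, msg.strip()))
        elif line.strip() and records:
            # No timestamp: continuation of the previous (wrapped) message.
            prev = records[-1]
            records[-1] = prev._replace(message=prev.message + " " + line.strip())
    return records

def first_problem(records: List[Record]) -> Optional[Record]:
    """Return the first warning or error, the message the summary is built from."""
    for rec in records:
        if rec.severity.lower() in ("warning", "error"):  # assumed severity labels
            return rec
    return None

# Error summary quoted from the page.
PAGE_SUMMARY = """X/0/SF20060629233007/20060629232907/Error: XBSA Call BSAEndData (closing saveset) failed:
System detected error, operation aborted. TRANSIENT or PERMANENT NEGATIVE reply:
553 STOR Failed. 1037: Writing data block on tape failed (23): Data error (cyclic redundancy check).
1039: Writing of Saveset Trailer failed."""

# Info lines are taken from the page's protocol; the Warning and Error lines are constructed.
SAMPLE_PROTOCOL = """2009-06-26 10:28:16: sbc-3036: Info:    # SESAM BACKUP CLIENT FOR Windows NT FILE SYSTEMS, VERSION: 3.2A17 Build
Revision: 1.257 (x64), Released: Jun 25 2009 #
2009-06-26 10:28:16: sbc-3003: Info:    Opening saveset: SF20090626102812
2009-06-26 10:28:18: sbc-9998: Warning: constructed sample warning
2009-06-26 10:28:18: sbc-9999: Error:   constructed sample error
2009-06-26 10:28:19: sbc-3001: Info:    Exiting."""

if __name__ == "__main__":
    summary = parse_summary(PAGE_SUMMARY)
    print(summary.status, summary.meaning, summary.saveset_id, summary.sbc_start)
    print(first_problem(parse_protocol(SAMPLE_PROTOCOL)))
```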

Analyzing SEP sesam Log Files

Analyzing SEP sesam log files is very useful for detecting operations that caused errors or malfunctions, for example, in case of a failed backup.

SEP sesam creates two protocols or log files for each backup day: the status file and the day log. The error log is a subset of the entire day log, in which only error messages are recorded. Log files can be printed or sent by email. The default location (main directory) for the log files is SESAM_VAR/log. You can check backup logs (state, day or error) in the GUI (Main Selection -> Logging -> State/Day/Error Log).

As of 4.4.3 Beefalo V2, you can also check your system logs online by using the new Web UI. For details, see SEP sesam Web UI.

Log files creation order during a backup

When a scheduled backup is performed, the log files are generated in a certain order. Note that if you are analyzing a problem and you see that the corresponding log files are missing from a certain point in the past, the cause of the problem most likely lies just before that point. An example of the order in which the log files are generated is given below.

  1. The SEPuler creates the log file sm_sepul_event_xxx.log, for example sm_sepul_event_20181004.log.
  2. The queue manager writes the sm_qm_main_xxx.log, for example sm_qm_main_20180913.log.
  3. If the backup was able to start, a bck_*.log is created.
  4. When the backup starts, a backup .not log (notification) is created in the SEP sesam SESAM_VAR/lis directory, e.g., smhg00_all- 20181004_001_SF20131004090011986@YlyxvqJCsHm.not.
  5. In case of optional media init, a sm_init_X_20180915.log is created. The X stands for the SEP sesam drive number.
  6. The information for monitoring drives and performance data is written in the sms log (sm_sms_watch_X_20181004.log).
  7. The files which are backed up are first written to a *.lis file (list of the backed up files and directories) and to an sgm file (segment file of the segment markers used on the tapes) on the device server in the SESAM_VAR/work/smslis directory. Once the backup is finished, these files are copied from the device server to the SEP sesam SESAM_VAR/lis directory. This data is needed for a selective restore.

Course of action for log file analysis

The recommended course of action depends on the failure. For example, if a scheduled backup did not run or has failed, proceed as follows.

Check the backup log in the GUI/Web UI

From Main Selection -> Backups, double-click the relevant Failed backup and open the Main Log tab to check the backup log.

As of 4.4.3 Beefalo V2, you can also check your failed backups online by using the new Web UI. For details, see SEP sesam Web UI.

Check if a medium init error happened

If a medium init error occurred (bck_*.log), it is the cause of the failed backup.

Check if a backup does not have a log or has failed

If the backup does not have a log yet or has failed:

  1. Check the status and daily logs in the SESAM_VAR/prot directory for events and errors at that particular time.
  2. Check if a .not log exists in the SESAM_VAR/lis directory. If not, then the possible causes for the error are as follows:
    • Client is not accessible (DNS, ping).
    • There is no media available.
    • The backup did not start yet.
  3. The process logs are stored in the SESAM_VAR/log/lgc directory. The logs should be listed chronologically in the terminal (e.g., on Linux with ls -lart).
    • The bck_*.log is created by the program sm_backup; name convention: bck_<job_name>_<save_set_ID>_<sesam_day>.log. Note that unlike most other logs, the bck_*.log must be read from the beginning to find the first error message that may reveal the cause of the failure.
      • Check the license.
      • Set time range: Check if the backup is within the starting time frame.
      • Alive test: Check if the client is active and reachable.
      • CHECK_MEDIUM: Check the availability of the media.
        • iGET_PREPARED_MEDIA: Check the media pool. If msg=0 appears, there is no media available.
        • GET_BACKUP_MEDIUM: The sm_sms_interface is doing something on the tape (getlabel, init, etc.). For tasks started simultaneously, search for the largest backup file which contains the log files of the executed media init.
        • In case of tape media, the following Options may be set as described in Configuring a Media Pool. They help you control which media will be used for a backup. For example, for devices which load media in sequential order, or if you do not want an unattended backup to fail because the specified media are not available, you may choose to use empty media policy.
          • empty: If this option is selected and there is no EOL-free media available in the requested media pool, SEP sesam uses any suitable media for backup – empty media and media that are unrecognized by SEP sesam.
          • spare: If this option is selected and there is no EOL-free media available in the requested media pool, then media from the SPARE_ pool are used for backup.
          • other: If this option is selected and there is no EOL-free media available in the requested media pool, then any EOL-free media from other media pools are used.
        • Note: The EOL defines how long the backed up data on media remains protected after the data is written to the medium (see Managing EOL). When the protection expires, SEP sesam can re-use the media for backups again. You can check the life cycle of a tape in the daily log; for details on media initialization, check the *.sms log files in the <SESAM_VAR>/log/sms directory.
      • sm_notify is delivered.
      • With the search pattern "Cmd= sbc" you jump directly to the command given in the log which calls up the backup.
      • If the backup has been started successfully, then the .not log is created in the SESAM_VAR/lis directory.
      • During an active backup, all log information is appended to the .not log.
    • If there are any problems with the media init, the errors will be recorded in the sm_init_<drive>_<sesam_day>.log. If a log includes error: all media with eol restriction, then no media in the requested pool is available. There may be further attempts to get a backup media according to the media pool options you have specified (see Options above).
    • If there are any problems with the subsequent tapes after writing backup data until the End Of Media (EOM) is reached, they will be written in the sm_sms_watch_<drive>_<sesam_day>.log. If this log includes error: all media with eol restriction, then no media in the requested pool is available.
    • To check the communication between the client and the SEP sesam Server either over SMSSH (default, via port 11322) or over CTRL (via port 11301), look for sm_sshd_<sesam_day>.log or sm_ctrld_<PID>.lgc in the <SESAM_VAR>/log/lgc directory on the client. The logs on the client are generated when the SEP sesam Server performs a task on the client, for example:
      • Execution of a backup.
      • Execution of a command.
      • Browsing the GUI file wizard (when creating a task).
    • Whenever the SEPuler finds a task that has to be executed, the operation is recorded in (sm_sepul_event_<schedule_identifier>_<sesam_day>.log). With QUE_SUBMIT a job is put into a queue; sm_backup shows that the backup is being put into the queue.
    • On a SEP sesam Server, search the log sm_sms_watch_<drive>_<sesam_day>.log from bottom upwards to check the drive information. This includes:
      • Monitoring of a drive. This log is generated only on a SEP sesam Server (also for the drives on RDS, the corresponding watch logs are located on the SEP sesam Server).
      • Data throughput of a drive.
      • The search string "+++ EOM" shows media changes related to end of media (tape is full). The sm_sms_interface init command:
        • STATUS=SUCCESS: Successful media initialization.
        • STATUS=IO-ERROR: There is a problem with media or a drive. If necessary, check the <SESAM_VAR>/log/messages on Linux or the event log on Windows for any hardware problems. To confirm that there is a hardware problem, check the sms log in the <SESAM_VAR>/log/sms directory.
    • The log sm_sms_watch_0_<sesam_day>.log regularly displays the process status of the sm_main processes and the processes in the sm_qm_main queues, in addition to regular check of available space GET_FREE_SPACE_OF_DIR.

Tips for Backup Troubleshooting

In the case of an unsuccessful backup, you should follow these tips:

  • Find out when the problem occurred using the day log (.prt) and the status log (.status). The day log shows the causal progression of all SEP sesam activities of the backup day. The files with a file extension ending in .prt.err contain just the error messages from the day log.
  • Display the directory files chronologically (with ls -lart on Linux).
  • Log files should be read backward from the end of file. If a backup has failed, the indication of errors and their causes may usually be found at the end of the respective log file.
  • Compare non-working and working backups:
    • Check when the last successful backup of this task was.
    • Detect the differences between not and bck logs by comparing two different backups.
    • Find out if there were any changes in the network or on the client.
  • The values of database calls in DB_ACCESS have the following explanations:
    1. result = 1: The database access is OK.
    2. msg > 0: Amount of the result > 0.
  • If the data throughput is very low and a backup is not running, it may be possible that the communication between hardware and RDS has stopped. Use netstat to check if the connection over the STP ports (11001, 11002, etc.) still exists and check if RDS is still reachable.
  • If a process attempts to write to the hardware device and hangs, using the command kill -9 on Linux will not help because the process is waiting for I/O and the kernel won't be able to stop it. The only solution is to restart the server. These processes usually take only split seconds; however, they hang if there are any hardware problems.
  • SEP sesam does not use kernel functions nor does it access the kernel while processing. All calls are only done via GLIBC (GNU C Library). The command that goes the deepest into the system is slu (SCSI Loader Utility). It accesses the SCSI interface directly. Only loader and tape mover commands are affected by this. If a backup is running, there is no direct access to the kernel or the hardware with SEP sesam. For details on the command, see Using slu topology for detecting devices.


Part XII: SEP sesam Interfaces

Using Pre and Post Scripts

Overview

SEP sesam enables system administrators to perform additional actions before and/or after a backup or restore by using pre or post scripts.

Pre backup scripts are executed before a backup job starts to perform a specific operation. Typically, they are used to create commands that will stop or start the selected programs, for example, to stop a database or an antivirus service before the backup. Similarly, pre restore scripts are executed before a restore starts.

Post backup scripts are executed when the backup session stops to perform specific tasks, such as starting a database or shutting down a computer after the backup. Similarly, post restore scripts are executed after the restore is done, for example, to start a database.

Pre and post scripts are one type of SEP sesam interface. These are configurable programs which can be programmed by using any text editor. Pre and post scripts are not provided by SEP sesam; you must create your own scripts to perform the desired actions.

Unlike other SEP sesam interfaces, the pre/post interfaces relate to a specific client only; they are created for each client individually and are only executed on the selected client.

Note
Configuring pre and/or post scripts is optional. The pre/post interface might affect backup or restore execution; when creating a script, keep in mind that a pre/post script should not take a long time to complete as it can delay a backup or restore.

To use the pre/post script, you have to activate the relevant interface first and then create your own script.

Configuring pre and post scripts

SEP sesam provides several interface templates. They are located in the SEP sesam directory <SESAM_ROOT>/skel/templates. You can activate them automatically via GUI (recommended) or manually by copying them.

Activating interfaces via SEP sesam GUI

  1. From Configuration -> Interfaces, select the relevant interface type (Pre or Post) that you want to activate.
  2. The Edit Pre/Post Interface window opens: Select Backup or Restore interface and the client on which you want to run the script. Click OK.
  3. A new window with the Edit <name> interface script opens, allowing you to configure (insert) a specific action at the end of the script.
    Note
    • Before the end of the procedure, either STATUS:OK or STATUS:ERROR {text} must be written to standard output.
    • If you want to change a backup source, the STATUS: message has to include the keyword BACKUP_SRC=, for example, STATUS:OK BACKUP_SRC=C:,F:/DATA. In this case, the backup will use this source instead of the source defined in the backup task.

    • For example, you may want to shut down a specific computer after the backup is finished. To configure this action, you have to select Post backup interface for a relevant client and add the following lines at the end of the sbc_post script:
      • For Windows:
        #=== Please insert your specific actions here =====================================
        echo "shutdown -s -t 120"
        shutdown -s -t 120
        rem echo STATUS:ERROR {message}
        echo STATUS:OK
        exit

      • For Linux:
        echo "shutdown -h +2"
        shutdown -h +2

  4. This action invokes a shutdown of the computer two minutes after the backup has finished.
    • The first line shutdown ... is the message which is written in the Post log file during the backup.
    • If the post process ends with an error, the backup will complete with status Warning.
  5. After configuring a relevant pre or post action, click Save to activate the interface on a specific client.

Upon saving, the template script is read and copied to the <SESAM_ROOT>/bin/sesam directory. Now you have to add a pre/post script to backup or restore tasks.

For more examples on how to use pre and post scripts, see Configuring ownCloud restore.

Activating interfaces manually

Alternatively, you can activate the interfaces by copying the existing templates from the SEP sesam directory <SESAM_ROOT>/skel/templates under the names:

sbc_pre
sbc_post

to the directory <SESAM_ROOT>/bin/sesam.

Selecting a pre/post script for backup or restore

After configuring the desired pre/post actions, specify whether any pre or post script should be applied on a specific client by adding the script to a backup or restore task.

Selecting a pre/post script for backup

You can select to run a pre/post script when creating a backup task or apply it to an already configured task. For details on how to create a new backup task, see Creating a Backup Task.

  1. From Main Selection -> Tasks -> By Clients, select your client and double-click it or click New Backup Task. The Properties or New Backup Task window opens. Switch to the Options tab.
  2. Depending on the desired action, select either Execute pre or Execute post backup and/or restore option(s):
    • Execute pre: Enable it if you want to run the pre script for this backup task.
    • Execute post: Enable it if you want to run the post script for this backup task.
    • Ignore pre error: Enable it to force the backup to start even if the pre script was not properly executed.
    • Ignore backup error: Enable it to execute the post script even after a faulty backup.
  3. Click OK to activate the pre/post script execution for the selected task.

Selecting a pre/post script for restore

You can select to run a pre/post script when creating a restore task or apply it to an already configured task (Main Selection -> Job State -> Restores -> open Properties). For details on how to create a new restore task, see Standard Restore Procedure. In both cases, you can select to run a pre/post script under the Expert Options.

Note
As of v. 4.4.3. Beefalo, the Expert Options button for specifying advanced restore options is only available in the Expert UI mode. It is not available for users that run the GUI in Basic or Advanced mode. In the latter case, if you want to access the Expert Options you first have to change the Basic/Advanced UI mode to Expert, as described in Selecting UI mode.
  1. In the Target Settings (previously Save and Start) dialog, click Expert Options and then select the tab Pre/Post.
  2. Depending on the desired action, select either Execute pre or Execute post restore option(s):
    • Execute pre: Enable it if you want to run the pre script for this restore task.
    • Execute post: Enable it if you want to run the post script for this restore task.
    • Start restore in spite of pre error: Enable it to force the restore to start even if the pre script was not properly executed.
    • Start post in spite of restore error: Enable it to execute the post script even after a faulty restore.
  3. Click OK to activate the pre/post script execution for the selected task.

How to Configure Mail Notification

SEP sesam email notification is based on interface scripts that have to be activated first. You can activate them via GUI or manually by copying the templates that are available in the SEP sesam directory <SESAM_ROOT>/skel/templates.

SEP sesam interfaces require a configured email account that is used for sending the selected notifications by email.

The following interfaces exist:

  • sm_notify: Notify is executed on the SEP sesam Server. It can be used for reporting on successfully finished events, such as backup, restore, migration, media initialization, and start/finish of a NEWDAY event.
  • sm_alarm: Alarm is executed on the SEP sesam Server to warn the system administrator when a fatal error occurs or in case of a license violation.
  • sm_disaster: This interface must be properly configured to help carry out the disaster recovery process. For details on how to prepare, see SEP sesam Server Disaster Recovery. The disaster interface sends an email describing the recovery procedure in the event of a disaster and an attachment containing the SEP sesam bootstrap database with all essential data for the disaster recovery. sm_disaster is always called after the task SESAM_BACKUP is finished.

Configuring interfaces

The interface templates are located in the SEP sesam directory <SESAM_ROOT>/skel/templates. You can activate them automatically via GUI or manually by copying them.

Activating interfaces via SEP sesam GUI

  1. From Configuration -> Interfaces, select the relevant interface type (Alarm, Disaster or Notify), depending on which information you want to receive.
    Note
    The Disaster interface should always be configured to help carry out the disaster recovery process in case of a SEP sesam Server breakdown. This means that you have to configure at least one backup task with the name SESAM_BACKUP. For details, see SEP sesam Server Disaster Recovery.
  2. A window with the interface script opens. Click Save to activate the interface.

Upon saving, the template script is read and copied to the <SESAM_ROOT>/bin/sesam directory. You can customize the script according to your needs. Now you have to configure an email account to enable sending the selected notifications by email.

Activating interfaces manually

Alternatively, you can activate the interfaces by copying the existing templates from the SEP sesam directory <SESAM_ROOT>/skel/templates to the directory <SESAM_ROOT>/bin/sesam. You can customize the script according to your needs.

By default, the interfaces are located in the SEP sesam <SESAM_ROOT>/skel/templates under the names:

sm_notify
sm_alarm
sm_disaster

Note that on Windows, all interfaces/commands have the ending .cmd, or .ps1 when using PowerShell. To activate the interfaces, copy the selected interfaces manually to <SESAM_ROOT>/bin/sesam.

Note
The Disaster interface should always be configured to help carry out the disaster recovery process in case of a SEP sesam Server breakdown. This means that you have to configure at least one backup task with the name SESAM_BACKUP. For details, see SEP sesam Server Disaster Recovery.

Now you have to configure an email account to enable sending the selected notifications by email.

Configuring email account and recipients

  1. From Configuration -> Email Settings, select the Use SEP sesam mail program option and click New.
  2. The Email Account window opens. Use the account name sesam (the default email account) and enter the email addresses of the recipients. For details, see Email settings.
  3. Click Send Test Email to check if your email account is configured properly, and then click OK.


Part XIII: Managing Media

Managing EOL

Overview

When configuring a SEP sesam environment, you set up media pools and define the retention time. Media pool retention time is specified in days and defines how long the backed up data on media remains protected after the data is written to the medium. The retention time period starts with the date a saveset is written to the medium (at the end time of the first backup) and thus defines the expiration date of the saveset (saveset EOL). When the protection expires, SEP sesam can re-use the media for backups again. This is the basic principle and the simplest scenario.

However, to ensure restorability of the complete backup chain and to protect from data loss, SEP sesam provides a dependency-based retention strategy performed by automated EOL adjustment.

What is dependency-based retention

For example, INCR backups require all previous savesets (FULL, DIFF and INCR) to be available for a successful restore. If the retention time is viewed only from the perspective of an individual backup, it can ensure restorability of data for this particular backup only. But to enable the complete restoration of data that was backed up in the backup chain, all dependent backup savesets must be tracked and their retention time must be managed according to their dependencies.

For example, an INCR backup that was taken as the third INCR after the FULL requires the FULL, the first, the second, and the third INCR to provide complete restore capability. If some saveset in the backup chain is missing, you will not be able to recover your data to a specific point in time. For this reason, SEP sesam maintains control over dependencies among the individual backup savesets and provides dependency-based automated retention.

SEP sesam also allows you to manually adjust EOL. You can adjust:

saveset EOL
You can change the expiration date of any individual saveset that is stored in the data store, see saveset EOL.
backup EOL
You can change the expiration date for all backup-related savesets. Unlike saveset EOL, which is applied individually to each selected saveset, changing the backup EOL always affects all dependent backup versions that are part of the same backup, see backup EOL.
tape media EOL
Some special rules apply to tape media since the expiration date of the tape corresponds to the maximum retention time (the longest EOL) identified on the tape, see tape media EOL.

Retention behavior and different EOL parameters

Typically, you specify a media pool retention time (in days) when creating a media pool. This retention time serves as a basis to determine EOL for backed up data. The retention time period starts with the creation date a saveset is written to the medium and defines the expiration date (EOL) after which the saveset may be deleted. For example, a media pool retention time is 30 days and the data is backed up to the medium on the 1st of January, therefore the saveset EOL is 31st of January. Note that in previous versions (v. ≤ Beefalo) this retention time parameter was called media pool EOL. As the use of this term was misleading, it was removed in Beefalo V2 and replaced with retention time.

Note
EOL refers only to backups and related migrated and replicated savesets. SEP sesam logs, readability check logs, calendar sheet entries and restore tasks have separate retention parameters. For details, see retention periods.

The EOL property can be managed for three object types:

Saveset EOL

This is the expiration date for each saveset. If a saveset is a part of a backup chain, its EOL follows the rules of dependency-based retention; EOL of a previous saveset in the chain must be the same or longer to enable the complete restoration of data.

For example, you specify a media pool retention parameter to 30 days and run a FULL backup. This FULL saveset will initially be kept for 30 days, for example, to the 31st of January. If any following INCR or DIFF saveset in the chain has longer EOL, for example, its expiration date is the 3rd of February, the EOL of all preceding savesets, including the FULL, will be adjusted to the longer expiration date. For details on dependency-based automated retention, see automated EOL adjustment. For details on manually adjusting EOL, see manual EOL adjustment.

Backup EOL

This is the expiration date for all data that belongs to the same backup. Backup EOL is determined based on the longest EOL of all savesets that belong to the same backup, including migrated and replicated savesets. For example, adjusting backup EOL of a particular saveset from the 3rd of February to the 3rd of March results in changed EOL for all related backup data, i.e., original backup, migrated backup, replicated backup, as well as for all backups in a backup chain, if a saveset with adjusted backup EOL is a part of it. For details on dependency-based automated retention, see automated EOL adjustment. For details on manually adjusting EOL, see manual EOL adjustment.

Note
How SEP sesam manages failed backups depends on its version. In v. ≥ 4.4.3 Beefalo V2, SEP sesam keeps the failed backup according to media pool retention time together with the last successful backup or migration saveset. This is the default backup retention behavior and can be changed by modifying EOL-related keys, as shown in section Customizing retention policy. These keys may not be supported in earlier versions, where failed backups were automatically deleted after 3 days.

Tape media EOL

When a saveset is stored on tape, each stored saveset has its own saveset EOL, but this does not represent the actual expiration date of the tape. Its expiration date corresponds to the maximum retention time (the longest EOL) identified on tape. Only when all savesets on tape have expired and the tape is not locked (write-protected) is the entire tape eligible for re-use. For details on how manually extending EOL affects EOL of the tape media, see Manually extending EOL.

What happens when EOL is reached

Once a saveset's end of life is reached, its protection expires. The storage space of an expired saveset is not used immediately; SEP sesam uses the GET_OLDEST policy to preserve the data on the media for the longest possible time. The expired saveset can be re-used if the following conditions are met:

  • As a rule, there must be no other savesets that depend on this saveset. For details, see how SEP sesam handles EOL-related backup chain dependencies. You can override this condition by explicitly allowing the expiration date (EOL) of the whole backup chain to expire, thus deleting the backup data on all related savesets.
  • If a saveset is stored on tape, the EOL of all stored savesets must have expired.
  • SEP sesam Server automatically assigns the medium with the oldest EOL for re-use. The oldest medium is the medium with the oldest locked until date (backup day + retention time) in the media pool.

Note
If the saveset resides on tape media, the tape will not be re-used until all savesets on it have expired. Tape media EOL always corresponds to the maximum retention time (the longest EOL) identified on the tape. More precisely, a tape media EOL is the maximum EOL of all savesets stored on the tape. Only when the retention time of all savesets on tape has expired and the tape is no longer locked (write-protected) can the tape be re-used. Note that the tape media EOL may also depend on savesets that are not stored on this tape. This is when the tape contains savesets that refer to FULL/DIFF/INCR savesets stored on other media or even data stores.
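The saveset EOL and tape media EOL rules described above can be followed with the page's own dates (30 days retention, FULL written on the 1st of January, a later INCR expiring on the 3rd of February). The following Python code is an added example that models those rules as stated on this page; it is not SEP sesam code, and the saveset IDs, media labels and the year 2021 are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Saveset:
    saveset_id: str              # constructed ID, not a real saveset name
    level: str                   # FULL, DIFF or INCR
    written: date                # date the saveset was written to the medium
    retention_days: int          # retention time of the media pool used
    medium: str                  # constructed media label
    eol: Optional[date] = None

    def __post_init__(self):
        if self.eol is None:
            # Saveset EOL = write date + media pool retention time.
            self.eol = self.written + timedelta(days=self.retention_days)

def adjust_chain_eol(chain: List[Saveset]) -> List[Tuple[str, date, date]]:
    """Raise the EOL of preceding savesets to the longest EOL that follows them.

    'chain' is ordered oldest first (FULL, then DIFF/INCR). Returns
    (saveset_id, old_eol, new_eol) for every saveset that was extended.
    """
    changes = []
    longest = date.min
    for saveset in reversed(chain):
        if saveset.eol < longest:
            changes.append((saveset.saveset_id, saveset.eol, longest))
            saveset.eol = longest
        else:
            longest = saveset.eol
    changes.reverse()
    return changes

def tape_media_eol(savesets: List[Saveset], medium: str) -> Optional[date]:
    """Tape media EOL is the longest EOL of all savesets stored on that tape."""
    eols = [s.eol for s in savesets if s.medium == medium]
    return max(eols) if eols else None

def tape_reusable(savesets: List[Saveset], medium: str, today: date,
                  locked: bool = False) -> bool:
    """A tape is eligible for re-use only if every saveset on it has expired
    and the tape is not locked (write-protected)."""
    eol = tape_media_eol(savesets, medium)
    # Assumption: a saveset counts as expired once 'today' is past its EOL date.
    return eol is not None and not locked and today > eol

def sample_chain() -> List[Saveset]:
    # Constructed chain: FULL and first INCR on one tape, second INCR on another.
    return [
        Saveset("FULL-1", "FULL", date(2021, 1, 1), 30, "TAPE01"),
        Saveset("INCR-1", "INCR", date(2021, 1, 2), 30, "TAPE01"),
        Saveset("INCR-2", "INCR", date(2021, 1, 4), 30, "TAPE02"),
    ]

if __name__ == "__main__":
    chain = sample_chain()
    print("TAPE01 EOL before adjustment:", tape_media_eol(chain, "TAPE01"))
    for saveset_id, old, new in adjust_chain_eol(chain):
        print(f"{saveset_id}: EOL {old} -> {new}")
    print("TAPE01 EOL after adjustment: ", tape_media_eol(chain, "TAPE01"))
```

After the adjustment, TAPE01 is protected until the EOL of a saveset that is stored on TAPE02, which is the cross-media dependency the note above describes.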

Automated EOL adjustment

In some cases, SEP sesam automatically adjusts EOL to keep the backed-up data consistent and to ensure a successful restore. Every time EOL is modified, the corresponding information is shown in the main log.

Managing EOL-related backup chain dependencies

When a new INCR or DIFF backup is run or an INCR or DIFF backup is migrated, SEP sesam automatically adjusts the EOL of all related savesets in order to retain the backup data and keep the backup chain readily available for restore. In some special cases, SEP sesam also automatically increases the EOL of the whole FDI backup chain, thus preventing the backup chains from being orphaned. See the sections below for details.

Increased EOL of a DIFF or INCR saveset

If the EOL parameter of a DIFF or INCR saveset is increased, SEP sesam will increase EOL of all dependent backups (FULL and other DIFF and INCR). This way SEP sesam ensures that EOL for the FULL backup and other related DIFF and INCR is not shorter than the potentially modified DIFF or INCR saveset's EOL.

Decreased EOL of a DIFF or INCR saveset

If EOL of a DIFF or INCR saveset is decreased, SEP sesam will decrease EOL of all dependent backups (FULL and other DIFF and INCR). If you use the Expire function to delete the unneeded saveset(s) or backup set(s), SEP sesam will issue a warning message, prompting you to confirm your decision to expire the entire backup chain.

Warning
Expiring the DIFF or INCR saveset(s) results in purging and overwriting the complete backup chain!

Too short EOL of DIFF/INCR savesets

If a DIFF/INCR backup detects that a saveset belonging to an FDI chain has a too short EOL, then any consecutive DIFF/INCR backup that is running on a pool with a longer retention time will increase the EOL of the saveset from the respective pool.

Note
If the EOL of a saveset belonging to an FDI chain has already expired, it will not be extended. In this case, the DIFF/INCR backup will be executed as a FULL backup.

Example
The backup chain has the following retention specified: FULL on pool MONTH (retention time: 32), DIFF on pool WEEK (retention time: 15) and INCR on pool DAY (retention time: 7). The EOL of such an FDI chain is sufficient, therefore the EOL is not modified.

Allow extending retention time of another media pool for migrated savesets

Typically, a chain of backup savesets is migrated to one target media pool. You may want to migrate savesets of one backup chain (FULL/DIFF/INCR) to different media pools. There are two ways to change the retention time of migration savesets.

  • You can enable extended retention time for migration by using a specific GLBV: 'gv_adjust_eol_migration_increases_eol_on_other_pool'.
  • You can enable migration to increase EOL of the referenced savesets on other media pools (not only on the target media pool) by adding (or modifying) the following key in global settings in GUI:
    1. In the menu bar, click Configuration -> Defaults -> Settings.
    2. Click [+] to add the following key to global settings (or modify the key value, if it already exists): eol_adjust_migration_on_other_pool|1|sesam
      where value=1 means that the key is active and sesam is the user name. For more details about EOL-related keys, see section Customizing retention policy.


Last successful backup or migration is automatically retained

SEP sesam automatically retains the last successful backup or migration saveset when the next backup/migration fails. By extending the EOL of the previous successful backup/migration, SEP sesam ensures that at least one successful backup is retained. This behavior is enabled by default and can be changed by setting the values of the respective keys, eol_adjust_failed_backup and eol_adjust_failed_migration, to 0, as shown in section Customizing retention policy.

COPY backup fails

If a COPY backup fails, the EOL of the last COPY backup that completed successfully or with warnings is increased to the currently calculated EOL (creation date of the failed backup + media pool retention time).

Example
COPY backup in pool MONTH (retention time: 32) fails. SEP sesam checks for a previous successful COPY backup in the same pool and increases its EOL, unless the backup EOL is not sufficient, e.g., a migrated saveset exists in the pool YEAR (retention time: 375).

FULL backup fails

If a FULL backup fails, the EOL of the last FULL/DIFF/INCR backup that completed successfully or with warnings is increased to the currently calculated EOL (creation date of the failed backup + media pool retention time).

Example
FULL backup in the pool MONTH (retention time: 32) fails. SEP sesam checks for a previous FDI backup chain in the same pool that completed successfully or with warnings and increases the EOL of the entire chain (FULL/DIFF/INCR backups), unless the backup EOL is not sufficient, e.g., a migrated FULL saveset already exists in the pool YEAR (retention time: 375).

Manual EOL adjustment

It is not recommended to manually adjust EOL. Doing so overrides the EOL that was defined by the retention time (in days) in the media pool configuration and that started counting on the date the saveset was written to the media. The following options should be used for special cases and exceptions, for example, to allow premature deletion of an individual saveset or to increase the retention time of a particular backup chain that is to be stored longer than specified by the current EOL.

  • You can modify saveset EOL for each individual saveset that is stored in a data store or on tape media. The saveset EOL parameter is available under several views in GUI, e.g., whenever a task with the savesets is displayed (Job State -> Backups -> double-click a backup task -> Properties -> Saveset EOL, right-click to extend or expire), and under all media-related views, e.g., in the Media, Media Pools and Data Stores properties -> Saveset tab -> Saveset EOL. You can extend or shorten the saveset's retention time by setting the exact expiration date (saveset EOL) in the GUI calendar or directly expire (as of ≥ 4.4.3 Beefalo V2) the saveset by clicking the Expire -> Saveset EOL button. If the adjusted saveset is part of a backup chain, the whole chain might be affected.
  • Additionally, there is also the backup EOL parameter. This is the expiration date for all data belonging to the same backup, including migrated and replicated savesets. You can check and modify the backup EOL parameter by setting the exact expiration date for it by using the calendar function or directly expire (as of ≥ 4.4.3 Beefalo V2) the backup by clicking the Expire -> Backup EOL button. Expiring a backup affects all data belonging to the same backup (entire backup chain), including migrated and replicated savesets.

For details, see the section how SEP sesam handles EOL-related backup chain dependencies.
Backup EOL can be found in the Savesets properties that are available under several views in GUI, e.g., whenever a task with the savesets is displayed (Job State -> Backups -> double-click a backup task -> Properties -> Backup EOL) and under all media-related views, e.g., in the Media, Media Pools and Data Stores properties -> Saveset tab -> Backup EOL.

Tip
As of ≥ 4.4.3 Beefalo V2, you can simply right-click the selected saveset for which you want to modify EOL, for example, in all Media-related views, and then select to either extend EOL or to expire the saveset (individual EOL) or backup (EOL of the entire backup set). But be careful with the expire function as the expired backups are irrevocably lost!


Manually reducing EOL

Note that reducing EOL may result in potential data loss due to the inability to restore from a backup.

  • If you are reducing backup EOL, it is adjusted only for the savesets with EOL longer than the newly given EOL, while the savesets with shorter EOL are not affected (their EOL remains unchanged). As of ≥ 4.4.3 Beefalo V2, you cannot set the expiration date to a time in the past (the minimum allowed date is the current date). However, you can expire backup sets that you no longer need by using the right-click Expire function in any of the views showing the Savesets tab/properties -> Backup EOL -> Expire. Expiring backup EOL terminates the selected backup and all related savesets based on the same backup, including migrated and replicated savesets. This means that all dependent saveset versions that are part of the expired backup are deleted during the next purge.
  • If you are reducing saveset EOL, the new expiration date is set immediately for the selected individual saveset. As of ≥ 4.4.3 Beefalo V2, you cannot set the expiration date to a time in the past (the minimum allowed date is the current date). However, you can expire any individual saveset(s) you no longer need by using the right-click Expire function in any of the views showing the Savesets tab/properties -> Saveset EOL -> Expire. In contrast to the backup EOL approach, expiring saveset EOL only terminates the selected saveset(s) (that is/are deleted with the next purge) unless the saveset(s) is/are part of a backup chain; in the latter case, the entire backup chain is affected as described in Managing EOL-related backup chain dependencies.

Manually extending EOL

Extending EOL can be used for special cases, such as increasing the retention time of a particular backup data that has also been migrated and is stored on different media pools. How SEP sesam manages extending EOL depends on its version.

  • If you are extending the backup EOL (expiration date), the EOL is adjusted only for the saveset that already has the longest EOL, while EOL of other backups is not affected. This behavior has changed compared to the previous versions, where extended backup EOL resulted in extended EOL for all savesets based on the same backup, i.e., original backup, migrated backup, replicated backup, as well as for all backups in a backup chain, if a saveset with adjusted backup EOL was part of it. For details, see Manually extending EOL in versions 4.4.3-4.4.3 Grolar.
  • If you are extending the saveset EOL (expiration date) and one of the savesets is part of an FDI backup chain, then the EOL of the previous savesets in the chain will also be increased.
Note
  • Extending backup EOL of savesets stored on tape media may extend EOL of the tape media! For savesets stored on tape media, a specific retention time that would only apply to one of the stored savesets cannot be set. Each saveset that is stored on tape has its own EOL, but this does not represent the actual expiration date of the tape. Tape media EOL is the maximum EOL of all savesets stored on the same tape. Note that the tape media EOL may also depend on savesets that are not stored on this tape. This is when the tape contains savesets that refer to FULL/DIFF/INCR savesets stored on other media or even data stores.
  • To reduce or increase the tape media EOL (shown as Locked until in the tape properties), you can adjust the media EOL (identified by tape label). Manually adjusted EOL applies to all savesets on tape.
  • If the tape media EOL date has been reached, but the tape should not be re-used, you can also lock the tape (by using write protection). This option overrides media EOL.
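
The following added example is a simplified model written for this page, not SEP sesam code. It shows how extending the EOL of one saveset raises the EOL of the previous savesets in its FDI chain, and how that in turn moves the EOL of a tape, which is the maximum EOL of the savesets stored on it. The saveset IDs, media labels, dates and the `base` link between savesets are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Saveset:
    sid: str                    # constructed saveset ID
    level: str                  # F (FULL), D (DIFF) or I (INCR)
    eol: date                   # saveset EOL
    medium: str                 # label of the medium holding the saveset
    base: Optional[str] = None  # assumption: previous saveset in the FDI chain


def extend_saveset_eol(savesets: Dict[str, Saveset], sid: str, new_eol: date) -> List[str]:
    """Extend one saveset's EOL and raise every previous saveset in its chain
    so that none of them expires earlier. Returns the IDs that were changed."""
    if new_eol <= savesets[sid].eol:
        raise ValueError("not an extension; reducing EOL follows different rules")
    changed: List[str] = []
    seen = set()
    cur: Optional[Saveset] = savesets[sid]
    while cur is not None and cur.sid not in seen:
        seen.add(cur.sid)  # guard against a corrupted, cyclic chain
        if cur.eol < new_eol:
            cur.eol = new_eol
            changed.append(cur.sid)
        cur = savesets.get(cur.base) if cur.base else None
    return changed


def media_eol(savesets: Dict[str, Saveset], medium: str) -> Optional[date]:
    """Media EOL is the longest EOL of all savesets stored on the medium."""
    eols = [s.eol for s in savesets.values() if s.medium == medium]
    return max(eols) if eols else None


def tape_reusable(savesets: Dict[str, Saveset], medium: str, today: date,
                  write_protected: bool = False) -> bool:
    """A tape is eligible for re-use only when every saveset on it has
    reached its EOL and the tape is not locked (write-protected)."""
    if write_protected:
        return False
    eol = media_eol(savesets, medium)
    return eol is None or eol <= today


def build_sample() -> Dict[str, Saveset]:
    """Constructed chain: FULL on a MONTH tape, DIFF and INCR on other media."""
    items = [
        Saveset("SF1", "F", date(2021, 2, 1), "MONTH00009"),
        Saveset("SC9", "F", date(2021, 1, 20), "MONTH00009"),  # unrelated saveset, same tape
        Saveset("SD1", "D", date(2021, 1, 15), "WEEK00003", base="SF1"),
        Saveset("SI1", "I", date(2021, 1, 7), "DAY00004", base="SD1"),
    ]
    return {s.sid: s for s in items}


if __name__ == "__main__":
    sets = build_sample()
    today = date(2021, 2, 10)
    print("before:", media_eol(sets, "MONTH00009"), tape_reusable(sets, "MONTH00009", today))
    print("changed:", extend_saveset_eol(sets, "SI1", date(2021, 3, 15)))
    print("after: ", media_eol(sets, "MONTH00009"), tape_reusable(sets, "MONTH00009", today))
```

Extending the INCR stored on DAY00004 locks MONTH00009 for longer although nothing on that tape was edited directly, which is the case the note above describes for savesets that refer to savesets on other media.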

Customizing retention policy

The default backup retention behavior can be changed by inserting or modifying EOL-related keys in the global settings in the GUI: in the SEP sesam menu bar, click Configuration -> Defaults -> Settings. These keys may not be supported in earlier SEP sesam versions; for details, check Managing EOL in versions 4.4.3-4.4.3 Grolar.

To change the retention policy, you can add or modify the following options.

eol_adjust_migration_on_other_pool
Value: 1 (allow), 0 (disable)
Description: Allow extending retention time of another media pool for migrated savesets
Available from version: 4.4.3 Beefalo

eol_adjust_failed_backup
Value: 1 (enable), 0 (disable)
Description: Automatic retention of the last successful backup saveset
Available from version: 4.4.3.47 Tigon V2

eol_adjust_failed_migration
Value: 1 (enable), 0 (disable)
Description: Automatic retention of the last successful migration saveset
Available from version: 4.4.3.47 Tigon V2

eol_for_failed_backups
Value: 0 (use media pool retention time), > 0 (specify the retention time in days, e.g., 3)
Description: Adjust the retention time (in days) for failed backups
Available from version: 4.4.3 Beefalo V2
Note: By default, the backup retention policy (retention time of media pool) is applied equally to successful and failed backups. A failed backup is retained for the number of days specified by the retention time of media pool. If you want to free up space on the storage repository and shorten the number of days for retaining failed backups, specify the desired length of the retention for failed backups in days. For example, 3 means that SEP sesam will automatically delete all failed backups after 3 days. 0 (default) means that all failed backups are retained according to the media pool retention time.

eol_for_failed_not_file_system_backups
Value: 0 (use media pool retention time), > 0 (specify the retention time in days, e.g., 3)
Description: Adjust the retention time (in days) for all non-filesystem (non-Path) type backups, e.g., SAP Hana, Exchange Server, VMware vSphere etc.
Available from version: 4.4.3 Beefalo V2
Note: The only difference with the previous parameter (eol_for_failed_backups, see above) is that you can specify the desired length of the retention specifically for all non-filesystem (non-Path) type backups. For example, 3 means that SEP sesam will automatically delete all failed non-filesystem backups after 3 days. 0 (default) means that all failed non-filesystem backups are retained according to the eol_for_failed_backups parameter if set to > 0, or according to media pool retention time if none of the eol_for_failed... parameters is set (value 0).
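
As an added illustration (not SEP sesam code), the functions below resolve how long a failed backup is kept under the two eol_for_failed... keys, including the fallback from the non-filesystem key to eol_for_failed_backups and then to the media pool retention time, and flag keys that switch off the automatic retention of the last successful backup or migration. Settings are read in the key|value|user form shown earlier on this page; the function names and the sample lines are constructed.

```python
from typing import Dict, Iterable, List

FAILED_ALL = "eol_for_failed_backups"
FAILED_NON_FS = "eol_for_failed_not_file_system_backups"

# Constructed sample in the key|value|user form used for global settings.
SAMPLE_SETTINGS = [
    "eol_for_failed_backups|3|sesam",
    "eol_for_failed_not_file_system_backups|0|sesam",
    "eol_adjust_failed_backup|0|sesam",
]


def parse_settings(lines: Iterable[str]) -> Dict[str, int]:
    """Parse 'key|value|user' lines into {key: integer value}."""
    settings: Dict[str, int] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"expected key|value|user, got {line!r}")
        key, value, _user = parts
        if not (value.isascii() and value.isdigit()):
            raise ValueError(f"value of {key!r} must be a non-negative integer")
        settings[key] = int(value)
    return settings


def failed_backup_retention_days(settings: Dict[str, int], pool_retention_days: int,
                                 is_file_system_backup: bool) -> int:
    """Number of days a failed backup is retained.

    Non-filesystem backups use their own key when it is > 0; otherwise they
    fall back to eol_for_failed_backups, and finally to the media pool
    retention time. A value of 0 always means 'not set'."""
    if not is_file_system_backup:
        specific = settings.get(FAILED_NON_FS, 0)
        if specific > 0:
            return specific
    general = settings.get(FAILED_ALL, 0)
    if general > 0:
        return general
    return pool_retention_days


def audit_settings(settings: Dict[str, int]) -> List[str]:
    """Return the keys whose value 0 disables a protection that is enabled
    by default (automatic retention of the last successful saveset)."""
    protective = ("eol_adjust_failed_backup", "eol_adjust_failed_migration")
    return [key for key in protective if settings.get(key, 1) == 0]


if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_SETTINGS)
    print("failed Path backup kept for", failed_backup_retention_days(cfg, 32, True), "days")
    print("failed non-Path backup kept for", failed_backup_retention_days(cfg, 32, False), "days")
    print("protections disabled:", audit_settings(cfg))
```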

The screenshot shows the Defaults -> Settings table with the EOL-related parameters.

Checking backup chain dependencies

You can use the saveset tree view in GUI to determine dependencies and EOL of an FDI backup chain. You should use this overview before you manually change the EOL parameter to avoid breaking the backup chain.

Tip
Checking the saveset tree summary will provide instant information about the location and status of the available savesets for restore. By checking the summary, e.g., availability 5, you can search for savesets that are not readily available, and then migrate them to enable mount and selective restore.

The saveset tree displays details about a saveset together with potential dependent savesets that belong to the same backup chain. The saveset details are read-only. By providing an overview of the backup chain, you gain insight into the recoverability of backups.

You can open the saveset tree view by double-clicking the selected backup in the backup list:

  1. From Main Selection -> Job State -> Backups or from Main Selection -> Monitoring -> Last Backup State, double-click the selected backup.
  2. In the backup task properties window, open the tab Savesets.


The saveset tree displays all savesets that belong to the same backup chain with the following details:

saveset
SEP sesam unique identification assigned to a saveset.
starttime
The time when the backup was started.
level
The backup level used for the saveset: F (FULL), D (DIFF), I (INCR) or C (COPY).

More detailed information displayed for each saveset:

pool
The media pool to which the saveset belongs.
EOL
The time when the saveset's protection expires. For details, see section EOL-related backup chain dependencies.
avail
The priority number, based on the location of the savesets. It is useful for identifying savesets that are readily available for restore. For example, a saveset in the media pool DAY (data store) is migrated to another pool DeDup and then migrated to tape. The tape will have the lowest avail/priority because it is not readily available for restore. Check also the Availability in the Status at the end of the tree view, which is calculated from the avail of all displayed savesets. See below Availability for details.
reason
Explains the above avail – availability of individual savesets for restore. The following information shows the relation between the location and avail/prio. Priority is assigned numerically, where 1 is the lowest priority and 6 (or 7 if called with a specific pool) is the highest.
TAPE_SINGLE = 0
TAPE_NOT_IN_LOADER = 1
DISK_OFFLINE = 2
TAPE_ONLINE = 3
DISK_HARD = 4
DISK_STORE_CLONE = 5 
DISK_STORE = 6 
REQUESTED_POOL = 7 (shown if called with a specific pool, e.g., all savesets on the pool DAY and the saveset_tree was called with the target pool DAY)
drivegroup
Displays the name of the drive group related to the saveset's media pool.
drives
The number of the drive that was used for backup.
labels
Displays an internal identification of a saveset (a media pool name and a 5-digit number), a potential barcode, prio (numerical representation of availability, see above item), and comment.
status
Displays the summary of the savesets' availability – status, availability message and a numeric representation. For example, as soon as 1 saveset is migrated to another pool and deleted from the original pool, availability is lowered.

Checking and Labeling Tape Media

Each medium, whether a tape cartridge or a virtual tape in a VTL, is given a unique label for identification. The label is written to the beginning of a medium during the initialization. The medium label consists of the pool name (e.g., DAY, WEEK, MONTH) and a five-digit number that is automatically assigned to the respective media of the selected pool by SEP sesam. For example, a tape in the media pool DAY is labelled as DAY00001.

Manually identifying and relabeling tapes

You can check a tape label using the sm_drive info <drive_no.> command or the SEP sesam GUI.

  1. To check the label using the CLI, set the SEP sesam command environment and enter the command:

    sm_drive info <drive_no.>

    In our example, check drive 1:

    sm_drive info 1

    Alternatively, you can also use the sm_sms_interface getlabel command, which displays more information about the label (such as the creation date); for details, see FAQ: How can I determine whether a tape is a SEP sesam tape or not?

    Or, you can check the tape label using the GUI. Depending on your SEP sesam version, proceed as follows:

    • In v. ≥ 4.4.3 Beefalo, click on Components -> Loaders -> select the drive within the loader -> Drive Action -> Identify label -> Start.
    • In v. < 4.4.3 Beefalo, click on Components -> Drives -> select the drive -> Drive action -> Identify label -> Start.

  2. Then start the initialization and relabeling. This step must be done using the CLI. If you have not set the SEP sesam profile yet, you have to create it now so that SEP sesam commands can be executed globally. For details, see What happens when I set a profile?
  3. In the command line, execute the sm_drive init command. Attention: The tape will be overwritten without warning!

    sm_drive init <drive_no.> <label>

    In our example, insert the media in drive 1 with label DAY00001. Attention: The number must contain 5 digits!

    sm_drive init 1 DAY00001

    For an alternative way of manually writing a label to tape, see FAQ: How can I manually write a label on a tape?

Usage scenario

In the standalone tape drive environment it might happen that multiple tapes are incorrectly marked with the same label. This happens because SEP sesam uses the get_oldest strategy to preserve the data on the tapes for the longest possible time. It automatically detects the oldest EOL-free medium and designates the label of the tape which is to be re-used next, e.g., DAY00004. When an alternate EOL-free tape is already inserted in a single tape drive, SEP sesam checks its label and detects a label mismatch. If the EOL of the inserted tape is not expired, SEP sesam will not use the tape. However, if the tape is EOL-free, SEP sesam will initialize it with the original (requested) label even though it may belong to another media pool and has its own label, e.g., MONTH00009. In such a case, a tape from another media pool may be accidentally overwritten if it is already EOL-free. This problem occurred in SEP sesam version 4.4.3.25 and was resolved by a service pack. For details, see Release Notes 4.4.3 – Known issues and limitations.

Resolving label conflicts

To resolve conflicts with duplicate media labels and avoid problems with potential data loss, you have to manually identify the tape with the original label that was duplicated, insert it in the stand-alone drive and relabel it with the original label of the second tape. Then you have to manually change the stick-on label or slide-in label (paper or card) on the front of both tapes. This way you will ensure that the newly written backup data will not be overwritten.

Example: Label MONTH00009 was overwritten with label DAY00004.

  1. Insert the tape that was originally labeled DAY00004 and relabel it to MONTH00009. For details, see the procedure above.
  2. Remove the label DAY00004 from the tape and stick the mismatched label MONTH00009 to it. Then put the label DAY00004 onto the newly written tape (formerly MONTH00009).
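
A pre-flight check for the relabeling step, as an added example that is not part of SEP sesam: because sm_drive init overwrites the tape without warning, the function validates the label format (pool name plus five digits) and refuses to build the command when the tape in the drive already carries a different label, unless the operator confirms the relabel as in the conflict-resolution procedure above. The function names, the list of known pools and the way the current label is obtained (for example, read by the operator from the label identification) are assumptions.

```python
from typing import List, Optional, Sequence, Tuple


class LabelConflict(Exception):
    """The tape in the drive already carries a different label."""

    def __init__(self, current: str, requested: str, cross_pool: bool):
        kind = "another media pool" if cross_pool else "the same media pool"
        super().__init__(
            f"tape is labelled {current!r} ({kind}), requested label is {requested!r}"
        )
        self.cross_pool = cross_pool


def split_label(label: str, known_pools: Sequence[str]) -> Tuple[str, int]:
    """Split a media label into (pool name, number).

    A label is the pool name followed by exactly five digits, e.g. DAY00001."""
    pool, number = label[:-5], label[-5:]
    if len(number) != 5 or not (number.isascii() and number.isdigit()):
        raise ValueError(f"label {label!r} must end in a five-digit number")
    if pool not in known_pools:
        raise ValueError(f"label {label!r} does not start with a known media pool")
    return pool, int(number)


def plan_init(drive_no: int, requested: str, current: Optional[str],
              known_pools: Sequence[str], confirm_relabel: bool = False) -> List[str]:
    """Return the argument list for 'sm_drive init <drive_no.> <label>'.

    current is the label found on the inserted tape, or None for an
    unlabelled tape. Any mismatch raises LabelConflict unless the operator
    passes confirm_relabel=True."""
    req_pool, _ = split_label(requested, known_pools)
    if current is not None and current != requested:
        try:
            cur_pool: Optional[str] = split_label(current, known_pools)[0]
        except ValueError:
            cur_pool = None  # unreadable or foreign label: treat as another pool
        if not confirm_relabel:
            raise LabelConflict(current, requested, cross_pool=(cur_pool != req_pool))
    return ["sm_drive", "init", str(drive_no), requested]


if __name__ == "__main__":
    pools = ["DAY", "WEEK", "MONTH"]
    print(plan_init(1, "DAY00001", None, pools))
    try:
        # The usage scenario above: DAY00004 is requested, MONTH00009 is inserted.
        plan_init(1, "DAY00004", "MONTH00009", pools)
    except LabelConflict as exc:
        print("refused:", exc)
    # Conflict resolution: the relabel back to MONTH00009 is a deliberate action.
    print(plan_init(1, "MONTH00009", "DAY00004", pools, confirm_relabel=True))
```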

Configuring Removable Media

SEP sesam allows you to configure different removable media, such as RDX drives and USB drives, as your storage device. RDX is disk-based removable storage intended as a replacement for tape storage. An RDX storage system offers reliable storage for backup, archive, data interchange and disaster recovery. It is based on removable hard disk drives as well as solid state drives for storing large amounts of backup data.

RDX uses SATA (a hardware interface for connecting drives to the computer) to connect the removable media in the drive; the connection to the computer is made through the USB port for an external drive or through SATA for an internal drive. Note that WORM (Write Once Read Many) media are also available.

To configure the RDX or USB drives, proceed as follows:

  1. Create a new RDX or USB drive group.
  2. Configure and add a new RDX or USB drive.
  3. Create a new media pool for the RDX or USB drive.
  4. If required, create a new media type.
  5. Add media to a media pool.

Creating a new RDX or USB drive group

You have to create a new drive group for the removable drives (RDX or USB). From the Components -> Drives, click the New Drive Group button and create a new drive group, for example, RDX or USB.


Configuring and adding new RDX or USB drive

Depending on your operating system, proceed to the relevant section below.

Linux

To enable SEP sesam to access the removable device, ensure that you have sufficient privileges with read and write access to the device file for the RDX or USB drive. By default, such access is granted only to the root user.

The procedure is slightly different, depending on which drive you want to configure, RDX or USB.

  • USB:
    Before you can configure the USB drive on Linux, you have to create a mountpoint in the Linux system:

    mkdir /media/usbdisk

    Then you have to connect the USB drive to the system.

  • RDX:
    Before you can configure the RDX drive on Linux, you have to check which device name is used for the RDX drive. If you attach the RDX drive to the Linux system, most distributions will automatically mount it (e.g., in /media).
    • If this is not the case, use the dmesg command to check which device is used for the RDX drive (usually /dev/sdXY).
    • It is important that each time you change the RDX drive, it is detected with the same device name. You can ensure this with a udev rule. For details, see About udev rules.
    • It is also recommended to format the inserted RDX tapes with a common Linux file system (ext3/reiserfs/xfs).

After you have created the drive group and connected your drive to the server, add it to the drive group as follows.

  1. From the Components -> Drives, select the RDX or USB drive group and click the New Drive button. The New Drive window opens. Specify a drive name, type, and path for removable media – see device name of your drive above.
  2. Under the Drive tab, specify the following options:
    • Drive number: will be automatically assigned
    • Drive name: Optionally, enter a drive name, for example, Drive_7.
    • Drive type: From the drop-down list, select DISK_CHNG.
    • Loader: From the drop-down list, select No loader.
    • Device server: Select your backup server or the system to which the drive is attached.
    • Drive group: Select the relevant drive group which you have configured before (RDX or USB).
    • Path for removable media: Enter the volume name of the DISK_CHNG media with the directory.
      In our example, for the RDX drive enter /media/rdx-mountpoint
      or
      for the USB drive enter /media/usbdisk.

  3. Switch to the Options tab and proceed as follows:
    • Device path: Mount point where the media will be mounted.
    • Auto unload: Yes
    • Mount command: mount
    • Umount command: umount
    • Eject command: eject
    Note
      Skip this step if the dynamic mount function should not be used for the USB drive.

  4. Click OK to add a new drive.

Windows

After you have created the drive group and connected your drive to the server, add it to the drive group as follows.

  1. From the Components -> Drives, select the RDX or USB drive group and click the New Drive button. The New drive window opens.
  2. Under the Drive tab, specify the following options:
    • Drive number: will be automatically assigned
    • Drive name: Optionally, enter a drive name, for example, Drive_50.
    • Drive type: From the drop-down list, select DISK_CHNG.
    • Loader: From the drop-down list, select No Loader.
    • Device server: Select your backup server or the system to which the drive is attached.
    • Drive group: Select the relevant drive group which you have configured before (RDX or USB).
    • Path for removable media: Enter the volume name of the DISK_CHNG media with the directory. In our example, enter E:/SESAM-DISK for the RDX or USB drive.

  3. Switch to the Options tab. Specify the drive letter for the Device path and sm_eject_media for the Eject command, as shown in the screenshot.
  4. Click OK to add a new drive.

Creating a new media pool for the RDX or USB drive

After you have successfully created a drive, create a new media pool.

From the Components -> Media Pools, click the New Media Pool button. In the New Media Pool window specify the name of the pool (e.g., RDX_pool or USB_pool), select the relevant RDX or USB drive group and specify the retention time. For details, see Managing EOL.

Create a new media type (if required)

Under the Configuration -> Media Types, check whether a media type with enough capacity for your DISK_CHNG drive type exists (for example, DISK-RESERVE_1GB, DISK_5000, DISK_100000, etc.), as shown in the screenshot. Negative capacity values (e.g., DISK-RESERVE_1GB with the value -1.0) mean that the entire storage area of the medium, minus the specified size, is used.
If it does not exist, create it by clicking New in the New Media Type window and specify the options, as shown in the screenshot.

Adding media to a media pool

Add your first RDX or USB media to the RDX or USB media pool. You have to repeat this step for all removable media.

Note

On Windows, the directory which is specified as a Path for removable media has to exist on media before adding it to the media pool.

From the Components -> Media Pools, right-click previously created media pool (RDX_pool or USB_pool) and click the New Media button. In the Adding a New Media window specify the relevant Media Pool, Drive, Type, etc., as shown in the screenshot for the RDX drive. Note that in case of the USB disks, you have to select the Overwrite option.

Note
If you are unable to add new media, check the day protocol under Logging -> Day Log on the SEP sesam Server for possible errors, see Day Log. As of 4.4.3 Beefalo V2, you can also check your system logs online by using the new Web UI. For details, see SEP sesam Web UI.

LTO Encryption

LTO generation 4 and higher includes the ability for data to be encrypted by the tape drive hardware. SEP sesam provides native support for managing LTO hardware-based encryption by enabling the LTO encryption of tape drives on a media pool level.

During the LTO encryption process the data files are taken from the server and pass through the SCSI interface to the tape drive. The tape drive then encrypts and compresses the data before it writes it (or decrypts it if reading data) to or from the tape cartridge.

Supported drive types

Drive type | LTO generation | Supported since SEP sesam version
LTO Ultrium 7 (M8), LTO Ultrium 8 (L8) | LTO 8 (see Note) | 4.4.3.64 + SP 2019-1
* This drive type supports encryption, however it has not yet been certified with SEP sesam. | LTO 7 | 4.4.3.42
* This drive type supports encryption, however it has not yet been certified with SEP sesam. | LTO 6 | 4.4.3
HP Ultrium 5-SCSI X64D (SCSI, single tape drive) | LTO 5 | 4.4.2.53
Tandberg HH Z519 (SCSI, single tape drive) | LTO 5 | 4.4.2.53
HP Ultrium 4-SCSI B63W (Fiber Channel, loader) | LTO 4 | 4.4.2.53
IBM Ultrium-HH4 (SCSI, loader) | LTO 4 | 4.4.2.53
IBM Ultrium-TD4 BBH4 (Fiber Channel, loader/single tape drive) | LTO 4 | 4.4.2.53

Note

Hardware encryption for LTO 8 is not supported for SEP sesam ≤ 4.4.3.64. However, it is possible to use the LTO encryption by installing the current service pack of January 2019 which contains a newer version of the required slu executable for your operating system, available at https://download.sep.de/servicepacks/4.4.3/4.4.3.64/ .

Setting up the LTO encryption

Setting up LTO encryption consists of 4 main steps: create a drive group, assign to it one or more drives that are all encryption capable (LTO generation 4 or higher), create a dedicated media pool, and finally initialize the media. Only then is the LTO tape encryption ready.

Creating a new LTO (generation 4 or higher) drive group

Usually large auto loaders may have several internal drives, which are loaded from one magazine. All drives have to be organized into a group. Make sure to create a discrete drive group for the LTO drives of generation 4 or higher. Note that encryption will only be available if there are no older LTO drives (e.g. of generation 3) in the same group; however such a group can contain mixed LTO drives of generation 4 and higher.

  1. In the Main Selection -> Components, click Drives. The Drives contents frame is displayed.
  2. Click New Group to create a new drive group for the LTO 4 (or higher) and enter a meaningful name for it. Click OK.

Creating a drive for the new LTO (4 or higher) drive group

  1. Right-click the newly created LTO 4 (or higher) drive group and click New Drive to assign a drive to it. SEP sesam follows the automatic drive enumeration and assigns the drive number automatically.
  2. In the Drive name field enter a meaningful name for the drive.
  3. From the Drive type drop-down list, select LTO.
  4. From the Loader drop-down list, select the relevant loader from the list of configured loaders or leave it empty in case of a single device.
  5. From the Device server drop-down list, select the client to which you want to connect the drive. The list shows all clients configured in SEP sesam.
  6. From the Drive group drop-down list, select the newly created LTO drive group.
  7. In the Device (non-rewinding) field, enter the name of the relevant device. Non-rewinding means that the tape will not be rewound after backup.
    Tip
    You can get the name of the device by running the command: <SESAM_BIN>/sesam/slu topology
    (e.g. Tape0 on Windows or /dev/nst0 on Unix/Linux).

    Sample output on Linux

    ID=0000 other:   ATA      ST380013AS 
    ID=1000 other:   TOSHIBA  ODD-DVD SD-M1802
    ID=7040 Tape:    Quantum  DLT4000          D67E (/dev/nst0)
    ID=7050 Tape:    Quantum  DLT4000          D67E (/dev/nst1)
    ID=7060 Loader:  HP       C1194F           1.04 (/dev/sg4)
    STATUS=SUCCESS MSG="OK"
    
  8. Click OK to create the new drive. Once an LTO (4 or higher) drive group has drives assigned, it becomes encryption capable. To check whether your LTO drive group is encryption capable, double click it or right-click it and click Properties. If the LTO drive group is configured correctly, the message "This drive group is encryption capable" is displayed.
    Note
    Encryption for a drive group will only be available if there are no older LTO drives (e.g. generation 3) in the same group; however, a group can contain mixed LTO drives of generation 4 and higher.


Note
If the drive does not show the encryption capability, make sure that application encryption is enabled on the drive. This may require a special license or can be enabled by using the drive or library management interface. Also make sure that the encryption functionality of your LTO generation is already supported by SEP sesam.
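
The following added example (not SEP sesam code) parses slu topology output to list the tape device names for the Device (non-rewinding) field and applies the drive group rule described above. The parser assumes only the line layout of the sample output on this page; the LTO generation of each drive is supplied by the operator, and treating a drive of unknown generation as blocking encryption is this example's own conservative assumption.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Sample taken from the "Sample output on Linux" shown above.
SAMPLE_TOPOLOGY = """\
ID=0000 other:   ATA      ST380013AS
ID=1000 other:   TOSHIBA  ODD-DVD SD-M1802
ID=7040 Tape:    Quantum  DLT4000          D67E (/dev/nst0)
ID=7050 Tape:    Quantum  DLT4000          D67E (/dev/nst1)
ID=7060 Loader:  HP       C1194F           1.04 (/dev/sg4)
STATUS=SUCCESS MSG="OK"
"""


class Device(NamedTuple):
    dev_id: str              # value of the ID= field
    kind: str                # "Tape", "Loader", "other"
    vendor: str
    description: str         # remaining model/revision text, whitespace-normalized
    device: Optional[str]    # OS device name in parentheses, if any


# ID=<id> <kind>: <vendor> <free text> [(<device>)]
DEVICE_RE = re.compile(
    r"^ID=(?P<id>\w+)\s+(?P<kind>\w+):\s+(?P<vendor>\S+)\s+"
    r"(?P<rest>.*?)\s*(?:\((?P<dev>[^)]+)\))?\s*$"
)
STATUS_RE = re.compile(r'^STATUS=(?P<status>\w+)\s+MSG="(?P<msg>.*)"\s*$')


def parse_topology(text: str) -> List[Device]:
    """Return the devices listed by slu topology.

    Raises ValueError when the trailing STATUS line is missing or is not
    SUCCESS, so a truncated or failed scan is never used for configuration.
    """
    devices: List[Device] = []
    status: Optional[str] = None
    msg = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            status, msg = m.group("status"), m.group("msg")
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(Device(
                m.group("id"), m.group("kind"), m.group("vendor"),
                " ".join(m.group("rest").split()), m.group("dev"),
            ))
    if status is None:
        raise ValueError("no STATUS line: output is truncated or not from slu topology")
    if status != "SUCCESS":
        raise ValueError(f"slu topology reported STATUS={status} MSG={msg!r}")
    return devices


def tape_devices(devices: List[Device]) -> List[str]:
    """Device names of all tape drives, e.g. /dev/nst0 or Tape0."""
    return [d.device for d in devices if d.kind == "Tape" and d.device]


def group_encryption_capable(lto_generation: Dict[str, Optional[int]]) -> bool:
    """Apply the drive group rule from this page.

    lto_generation maps each drive in the planned group to its LTO generation
    (operator-supplied; None for a non-LTO or unknown drive). The group is
    encryption capable only if it has drives and all are generation 4 or higher.
    """
    if not lto_generation:
        return False
    return all(gen is not None and gen >= 4 for gen in lto_generation.values())


if __name__ == "__main__":
    for path in tape_devices(parse_topology(SAMPLE_TOPOLOGY)):
        print("candidate for Device (non-rewinding):", path)
    # Hypothetical group: the generations below are constructed values.
    print(group_encryption_capable({"/dev/nst0": 5, "/dev/nst1": 3}))
```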

Creating a media pool for the new LTO (4 or higher) drive group

After you have assigned one or more drives which are all encryption capable (LTO generation 4 or higher) to the drive group, you need to create a dedicated media pool and enable encryption.

In v. ≤ 4.4.3 Grolar, the Encryption tab where you can enable encryption is available when creating a new media pool. As of v. 4.4.3 Beefalo, you first have to create a new media pool and then enable encryption in the media pool properties.

  1. In the Main Selection -> Components, click Media Pools. The Media Pools contents frame is displayed.
  2. Click New Media Pool to define a media pool for the LTO (4 or higher) drive group. The New Media Pool window is displayed.
  3. In the Name field enter a meaningful name for the media pool.
  4. From the Drive group drop-down list, select the name of your LTO (4 or higher) drive group. In v. ≤ 4.4.3 Grolar, as soon as you select the LTO drive group, a tab Encryption becomes available. From v. 4.4.3 Beefalo, a tab Encryption is available after creating a media pool in the media pool properties.
  5. In the Retention time field set the time period for which the media are locked after the initialization or the last backup, thus preserving the savesets and keeping them available for restore. The retention time is defined in days.
  6. To enable encryption, depending on your SEP sesam version, proceed as follows:
    • In v. ≥ 4.4.3 Beefalo, click OK to create a media pool. Then double-click this media pool to open its properties. Switch to the Encryption tab and click Enable encryption.
    • In v. ≤ 4.4.3 Grolar, switch to the Encryption tab, and then click Enable encryption.
  7. Set the password for your tape encryption and re-enter it.
    Attention
    • Make sure to remember the password, otherwise you won't be able to change the encryption properties again or access data on tape unless the data is read directly by SEP sesam. The encryption key is stored in the SEP sesam database and is read automatically during restore. But if the tape is removed from the drive, the encryption is cleared. Such tape can still be used for backups, but the stored data can only be accessed by SEP sesam.
    • If you change the password, the updated password will take effect only after the tapes are initialized. Until then the old password is still valid.
    • The password is also required to disable encryption.

Initializing media from single LTO drive

To enable the LTO encryption, you have to initialize the LTO tapes that belong to the LTO media pool. Only after the initialization are the LTO tapes ready for encryption. LTO tapes that were loaded before the encryption was set will be encrypted after their EOL expires. While their EOL is still valid, these LTO tapes are not writable; their data will be encrypted once they become EOL-free and are initialized again.

To initialize media, go to Activities -> Immediate Start -> Media Action. Choose Media action init, select the Media Pool and the Media you want to initialize. Click OK to start the initialization of the medium. For details, see Initializing media.

How to verify if encryption is enabled

There are two ways to check whether encryption is enabled. You can either check each individual medium's properties or search the day log for encryption-related messages.

Checking media properties

In the Main Selection -> Components -> Media, look for the Encrypted column in the table. Yes means that the medium is encrypted, No means that it is not encrypted. Or, you can double-click a medium in the table to open the Properties dialog. The Encrypted field states whether the medium is encrypted or not (Yes/No).


Checking day log

For each data protection operation, SEP sesam checks the drive to see if encryption is enabled. You can confirm this by checking the Day log file. For details, see Logging.

  1. In the Main Selection -> Logging, click Day Log. The Day Log contents frame is displayed.
  2. In the Search field type encrypt and press Enter. If the LTO encryption is enabled, you will see all related messages displayed. Use Next and Previous buttons to browse through all search results.


Note
As of 4.4.3 Beefalo V2, you can also check your logs online by using the new Web UI (System logs -> Day log). For details, see SEP sesam Web UI.

If the LTO encryption is enabled, the data is encrypted before the backup starts. Note that the tape header is never encrypted, while the data itself is encrypted before it is written to the LTO tape.


Part XIV: Monitoring & Reporting

Monitoring, logging, reporting and notifications

SEP sesam enables you to easily monitor your entire SEP sesam environment by using its Web UI or SEP sesam GUI. Various monitoring features and real-time monitoring capabilities provide the complete oversight of your environment as well as valuable insights into KPIs of the backup and restore process to help effectively manage, control, monitor and restore backups.

By using reports, you can not only check the details of all events but also get an overview of all active jobs, next events, and different states, e.g., data store status, backups, migrations, etc. You can send these reports and log files in the form of email notifications.

Monitoring SEP sesam environment

You can monitor your SEP sesam environment through SEP sesam GUI or by using Web UI.

Note that all monitoring, reporting and notifications functionality accessible in the SEP sesam GUI is also accessible in Web UI with the advantages of being user-friendly and visually attractive, providing immediate access to the Web UI from mobile browsers and being easily available to anyone you authorize.

Web UI Dashboard and Monitoring

The Web UI displays all key information for your environment on a standard dashboard for easy visualization of job completion status, errors, storage usage and more, based on metrics updated in real time.

  • You can monitor your backup infrastructure on a daily/weekly/monthly basis.
  • You can check the status of backup, migration, replication, restore, and media action jobs, data store status, backup and restore data size, data store utilization, upcoming events, etc.
  • You can expand the charts for better readability, generate reports, and filter the data.
  • For more details on Web UI and its various report widgets, see SEP sesam Web UI.

Web UI access

When running the SEP sesam GUI as an administrator, the Web UI landing page opens by default with a link to the Web UI (and links to documentation, etc.). You can also access the online dashboard from the GUI by clicking the first icon (dashboard) in the toolbar or by selecting Dashboard in Main Selection -> Monitoring. Alternatively, enter one of the following addresses in the browser address bar: http://[servername]:11401/sep/ui or https://[servername]:11401/sep/ui.

Monitoring in GUI

SEP sesam GUI provides monitoring capabilities for data protection activities, performance, and resource usage. The Main Selection navigation pane (located on the left side of the GUI window) is used to navigate through the components of the SEP sesam system. These include Clients, Data Stores, Loaders, Drives, Media Pools, Tasks and Scheduling, and provide the following dedicated views for monitoring SEP sesam environment.

Monitoring

SEP sesam GUI Monitoring feature allows you to check the last backup status, the status of SEP sesam processes, monitor drives, access the online dashboard, and check notifications (see section Notification Center). You can search and/or filter and export the data for reporting and analysis.

Job State

In addition, you can monitor the status of SEP sesam jobs, such as backups, restores, and migrations, by expanding the GUI item Job State and selecting All results to show details on all jobs, such as job ID, event type (backup, command, migration, restore, etc.), job status (successful or not), object (what was processed), task (its name, job's duration, start and end time), and other details.

Clicking the sub-item (Backups, Restores, Migrations and Replications, or Media Actions) provides detailed information on the selected job. For example, Backups provides detailed information on all backup jobs, including the task name, date of the last full backup, backup level, data size, throughput, assigned media pool, etc.

You can filter each status view to include only the tasks, status, clients, etc., that match certain criteria.

Tip
You can easily print or export different reports, as described in section SEP sesam reports.

Logging

The Logging view in GUI and System logs in Web UI are the central place to find information about what is occurring in your SEP sesam environment. SEP sesam creates the following protocols or log files for each backup day: the status file – State (<date of day>.status), the Day Log (<date of day>.prt), and the Error Log (<date of day>).

State
This detailed status log has one line written for each backup in chronological order.
Day Log
All SEP sesam modules write timestamped messages for each backup day. Each message contains a unique code consisting of the message type (I=information, W=warning, E=error), a number, and the originating module. You can filter the day log by time selection (the from and to date) and by search.
Error Log
Contains a record of critical errors that occurred during the backup day. This log is a subset of the entire day log where only error messages are recorded.

SEP sesam log files are used to detect operations that caused errors or malfunctions, for example, in case of a failed backup. For details, see Analyzing SEP sesam Log Files and Tips for Backup Troubleshooting. Log files are stored on the backup server in <SESAM ROOT>/var/prot. They can be printed or sent by email.

When you want to get more information about specific events or modules or when asked by support in the course of diagnosing your specific problem, you can run SEP sesam with a higher log level than default (0 for backup and restore). Note that increasing the log level increases the amount of information being logged and may negatively affect the performance of SEP sesam. For details, see Setting Log Level.

Note
You can also generate audit logs to record each action that was triggered by a user in the SEP sesam GUI and Web UI (e.g., triggering a restore or deletion of a data store). Audit logs ensure data integrity by providing a complete track record of the data-related operations, and help increase security and compliance. For details, see Audit Logging.

It is recommended that you configure the interfaces (Alarm, Disaster and/or Notify) to automate sending email reports of errors and license violations, log files, and to help carry out the disaster recovery process in case of a SEP sesam Server breakdown. See section Email notifications.

You can check the log information of the SEP sesam Server interfaces by selecting the target interface (Alarm, Disaster or Notify) in GUI under Main Selection -> Interfaces or in Web UI under System logs.

Email notifications

SEP sesam allows you to send the logging messages (daily protocol, events and errors) to an email account. This feature is based on interface scripts that have to be activated via GUI or manually by copying the templates that are available in the SEP sesam directory <SESAM_ROOT>/skel/templates. For details, see Configuring interfaces.

SEP sesam interfaces require a configured email account to be able to send the selected notifications via email. To configure it, go to the menu bar -> Configuration -> E-mail Settings, select the Use Sesam mail program option, click New and then configure the account with the account name sesam (the default email account; lowercase). For details, see Configuring email account and recipients.

It is recommended to configure the following interfaces to receive a daily log and notifications when certain events happen in SEP sesam environment.

  • sm_notify: Notify is executed on the SEP sesam Server. It can be used for reporting on successfully finished and erroneous events, such as backup, restore, migration, media initialization, and start/finish of a NEWDAY event.
  • sm_alarm: Alarm is executed on the SEP sesam Server to warn the system administrator when a fatal error occurs or in case of a license violation.
  • sm_disaster: This interface must be properly configured to help carry out the disaster recovery process. For details on how to prepare for it, see SEP sesam Server Disaster Recovery. The disaster interface sends an email describing the recovery procedure in the event of a disaster and an attachment containing the SEP sesam bootstrap database with all essential data for the disaster recovery.

For details on how to configure the interface scripts, see Configuring interfaces.

SEP sesam reports

SEP sesam reports provide various information on your backup environment. For example, you can check the status of the last backup, check which clients in your network are not configured for backup, the data storage usage and more.

Web UI reports

SEP sesam Web UI provides various reports. To access them, click Reports on the left navigation menu of the Web UI (browser: https://[servername]:11401/sep/ui/#/server-report).

The following reports are available as a drop-down list at the top left corner: Available Media Report, Backup Storage Report, Clients Report, Failed Jobs Report, Jobs Overview Report, Readcheck Report, Used Media Report, License Report (MSP Unit or Volume Frontside).


The reports can be filtered by using the date range picker or selector or by sesam_date, start_time, stop_time. You can send the reports in the form of email notifications, as described in Email notifications.

GUI reports

Depending on what you want to check, you can define the criteria and generate various types of reports using the SEP sesam GUI, including:

  • Location reports
  • License reports
  • Client reports
  • All results list
  • Backups list
  • Restores list
  • Migrations and Replications list
  • Media Actions list

You can manage the GUI reports in the following ways.

  • By generating a report for each client or location: Main Selection -> Topology -> Location/Clients, right-click the client/location and then select the Client/Location Report.
  • By printing or exporting reports: Use the Print or Export button at the top-right corner of the content pane. You can export reports in Excel or CSV format.
  • By sending email notifications, as described in Email notifications.

Tip
You can change the level of reported messages for a backup or restore session by changing the log level. For details, see Setting Log Level.

Additionally, you can use SEP sesam logs to check the recorded events and troubleshoot possible problems, as described above in Logging.

Notification Center

Notification Center is used to dynamically send different types of messages (notifications) from SEP sesam Server to all open GUIs. These messages inform the user about license violations, unconfigured interfaces, etc., and contain other important information, such as the announcement of a new release or an error notification. Notifications are sent via RSS feeds. You can subscribe to a SEP sesam RSS feed via your email application or web browser, see Subscribing to SEP sesam RSS feeds.

Notifications can be accessed in Web UI and in SEP sesam GUI at the upper right corner by clicking the flag. (In GUI, it is also available under Monitoring -> Notification Center or from the menu bar -> Window -> Show Notification Center.) For more details, see Notification Center.


Part XV: Web Interface

Restore Assistant

There are two ways to restore your data in SEP sesam: by using GUI restore or through the web interface Restore Assistant. Even though most of the options are the same in both restore interfaces, the web Restore Assistant interface is designed to be more intuitive, offers additional advanced options, and makes it easy to restore your data.

You can use the web Restore Assistant to restore data from regular Path backups, NDMP and NSS file system Path backups, emails from Kopano backups, and virtual machines (Hyper-V, KVM/QEMU, Open Nebula, VMware vSphere, Citrix Hypervisor (XenServer), and Red Hat Virtualization (RHV)) to which you have been granted access.

Authentication required

Only authenticated users that have been granted the appropriate permissions are able to access the Restore Assistant and restore their data. These permissions are defined according to the user type. For details, see Configuring Database-Based Authentication.

Restoring encrypted backups

You can also perform an online restore of data from encrypted backups that are protected with a password. When restoring encrypted data with a password stored in the SEP sesam database, the password is automatically used for decryption during restore. However, if a password is not stored by SEP sesam, you will be prompted to enter it online. In the latter case, if you do not know the password, you won't be able to restore an encrypted backup and it will remain locked.

Basic and advanced web restore

With 4.4.3 Beefalo V2, the Restore Assistant provides basic and advanced features for online restore. You can switch between the basic and advanced mode via the Settings menu (-> UI mode), see Setting UI mode.

Restore features

Restore Assistant provides the following features:

  • As of 4.4.3 Beefalo V2, along with restoring data from regular Path backups, NDMP and NSS file system Path backups, emails from Kopano backups, and virtual machines, you can now also restore KVM/QEMU VMs.
  • The newly introduced VMware Sandbox restore feature allows you to use a copy of the production environment for troubleshooting, testing and to verify the integrity of the VMs. For details, see VMware Sandbox Restore.
  • You can restore your data to the original or alternative location.
  • The flexibility to switch between basic and advanced restore mode allows more experienced users to fine-tune their restore.

Accessing Restore Assistant

You can access the Restore Assistant from the SEP sesam GUI (Activities -> Restore Assistant), from SEP sesam Web UI (left menu -> Restore Assistant) or by entering the following in the browser address bar:

http://[sesamserver]:11401/sep/ui/restore/

Note
If you cannot access the online Restore Assistant, check if you have been granted the appropriate permissions for online restore. For details, see About Authentication and Authorization.

Setting UI mode

As of 4.4.3 Beefalo V2, you can set your preferred UI mode by clicking the Settings icon located in the upper right corner and selecting Basic or Advanced UI mode. The basic restore mode is enabled by default.

The Settings menu also allows you to change the display language (German or English).


Tip
The Monitoring, Dashboard, Help and Account icons (located in the upper right corner) enable you to quickly check the status of all restore jobs (Monitoring -> Restores), access SEP sesam Dashboard and online help, and log in/log out from the Restore Assistant.

Online restore in basic UI mode

The basic restore options cover the most frequent restore cases and are the recommended method of performing a restore. The basic restore procedure involves selecting the savesets which you want to restore, the restore target, etc., and provides the step by step restore wizard depending on the type of data you want to restore.

Two different procedures can be used for restore according to the data type:

Restoring files, directories and emails

  1. Open the Restore Assistant in the browser.
  2. From the Start window, select the restore type: Restore files and directories or Groupware Applications -> Restore Kopano Mail. Click Next.
  3. In the Source window, select your client. You can filter the clients by name, location or operating system. Click Next.
  4. In the Backup window, under the Task selection select your backup task. A backup task defines the source data which was backed up from the client.
  5. Then under the Backup selection select the exact backup version you want to restore. You can use the calendar function found in the upper right corner to filter a date range for the displayed backups. Click Next.
    Tip
    You can search for a file or a directory by entering your search term in the Search for files or directories in all backups.
  6. In the Files window, select the files, directories or emails you want to restore. Click Next.
  7. The options in the Target window differ slightly depending on whether you want to restore from path or mail backups.

    Restore from path backups

    1. Check the target client for restore.
    2. The option Restore to original target path is enabled by default. Skip this option to restore the files to the original location. Deselect it if you want to restore your data to a new restore target and specify the new target path; you can enter or browse the path where you want to restore your data.
    3. Under the Execution options you can set additional restore options:
      • Do not restore existing items: Files will be restored only if they are not already present on the target system.
      • Create new version: Restore files under a new name.
      • Overwrite existing items: If the data exists on the target server, it will be replaced by the restored version.
    4. Decide how you want your data to be restored (maintain the original tree structure or flat):
      • Keep original tree structure: When restoring to original location, the option Keep original tree structure is selected by default. The directory structure of the restored files is the same as the original directory structure of the backed up data.
      • Restore all items flat in selected target directory: The backup is simply restored to a file without recreating the directory structure.
      Click Next.
    5. In the Finish window, review your restore task (restore type, client, backup level, restore options) and click Start restore.

    Kopano mail restore

    1. Check the target client for restore.
    2. Under the Target mail folder and user, enter a new mail user (the option Change user to) and/or folder (Change folder to option) if you want to restore mail(s) to a different user mailbox or folder. Skip this step to restore the mails to the original location (default).
    3. Under the Execution options you can set additional restore options:
      • Do not restore existing folders and mails: Folders and mails will be restored only if they are not already present on the target system.
      • Overwrite existing folders and mails: If the data exists on the target server, it will be replaced by the restored version.
      Click Next.

  8. In the Finish window, review your restore task (restore type, client, backup level, restore options) and click Start restore.

For additional restore options in the advanced UI mode, see Restoring files, directories and emails in advanced UI mode.

Restoring virtual machines

When you choose to restore a virtual machine (VM), you can select from a list of VM types what you want to restore. The basic restore procedure is almost the same for all VM types, except that some additional options are available for some VM types. The procedure differs slightly for the VMware instant recovery and VMware sandbox restore. For the latter, see VMware Sandbox Restore.

  1. Open the Restore Assistant in the browser.
  2. In the Start window, select your target restore type: VMware vSphere, Microsoft Hyper-V, Citrix Hypervisor, KVM/QEMU, Proxmox VE, Red Hat Virtualization (RHV), or Open Nebula. Click Next.
  3. In the Source window, under Selection of the server select your target server.
  4. Then, under Selection of the virtual machine select the VM you want to restore. Click Next.
  5. In the Backup window, under the Task selection select your source task. A backup task defines the source data which was backed up from the client.
  6. Then under the Backup selection select the exact backup version you want to restore. You can use the calendar function found in the upper right corner to filter a date range for the displayed backups. Click Next.
  7. In the Backup window, under the Virtual machine from backup review, check or uncheck the target saveset you want to restore. Click Next.
  8. In the Target window, under the Target selection select your target environment for restore. You can use the drop-down list to select or filter VMs by name.
  9. Set additional restore options under the Execution options:
    • Do not restore an existing virtual machine: VM will be restored only if it is not already present on the target system.
    • Restore an existing virtual machine with a new name: VM will be restored under a new name. In case of Proxmox and OpenNebula restore the target VM name will be automatically created.
    • Overwrite an existing virtual machine: If the VM exists on the target server, it will be replaced by the restored version. You can also select to shut down the running VM automatically.
    Click Next.
  10. In the Options window, select the data mover and then under the Recovery options select if you want to start VM after restore or not.
    Note
    As of v. 4.4.3 Beefalo V2, in case of VMware restore you can also select the desired transport mode from the list of available transport modes (HOTADD, SAN, NBD, or NBDSSL); click the displayed transport mode and rearrange the modes according to your preferences.
  11. Click the option Target options of the virtual machine to set additional target options, e.g., target server, data store, network interface(s), folder, and Resource pool/vApp. Click Next.
  12. In the last step, review your restore task and click Start restore.

There are some additional restore options available in the advanced UI mode, see Restoring VMs in advanced UI mode.

Online restore in advanced UI mode

For more experienced users, some additional restore options are available in the advanced UI mode (v. ≥ Beefalo V2). For example, in the Start window you can restore backups and VMs to the file system or write your backups and VMs into dump files. If you are restoring VMs, you can select among more specific VM restore types.


As with the basic options, the advanced options also differ depending on the type of restore:

Restoring files, directories and emails in advanced UI mode

The following additional restore options are available when restoring files, directories or emails in the advanced UI mode:

  • In the Start window, you can restore backups to the file system or write backups into dump files. Although the restore procedure in such cases is similar, some options may not be available (e.g., the Source windows).
  • If you want to write your backups into dump files, you have to specify a restore target path in the Target window (by browsing or entering the path). Optionally, you can modify a name of the dump file. If the dump file name is not specified, it will be generated automatically.

    Restore assistant dump file.jpg

  • In the Backup window, you can select whether you want to perform a Generation, Selective or Complete restore.
  • Restore assistant select bck Beefalo V2.jpg

  • In the Options window (step 5 in the advanced mode of the restore dialog) you can set the following options:
  • Under the Optional data source selection, you can set your preferred media pool, drive, used media|barcode, and interface from the drop-down lists.

    Advanced options optional data.jpg
    Under the Advanced restore options, you can further fine-tune your restore:

    • Use the Include/Exclude Filter tab to specify which files or directories you want to include or exclude from restoring, e.g., enter *.docx to the relevant filter to include or exclude all MS Word *.docx files from restore.
    • Advanced options filter.jpg

    • Use the EOL, Generation, Pre/Post tab if you want to specify the EOL parameter for restore (how long (in days) the restore task will be kept), enable/disable a generation restore, and specify whether any pre- or post script should be applied for the restore task, see Pre/Post options.
    • Advanced options EOL.jpg

    • Use the Log, Special Options tab to change the log level for your particular restore, see Setting Log Level. You can specify additional commands for restore, which can be helpful for special options of the sbc command. For details on commands, see SBC CLI.

Restoring virtual machines in advanced UI mode

If you turn on the advanced UI mode, you can set additional restore options. It is recommended that the advanced mode is only used by expert users as the basic options are sufficient to address most restore use cases. The following additional options are provided by using the Advanced UI mode.

  • In the Start window, you can restore virtual machines to a file system, or write virtual machines into dump files:
    • If you want to restore VMs to a file system, the restore procedure is the same as the restore procedure for files, directories and emails, as described in the above section Restoring files, directories and emails. You only have to select a server and VM as a source instead of a client.
    • If you want to write VMs into dump files, the procedure differs from the usual VM restore only in that you have to specify a restore target path in the Target window and optionally modify a name of the dump file (see the related section above).
  • In the Options window, you can modify the Recovery options: By clicking the Edit button (located in the upper right corner), you can activate/deactivate different recovery actions: conf, remove, start, etc., and perform VM-related checks: VM power state, VM guest tools state and VM network IP address.
    To add your custom action or your custom check, select the template from the Actions or Checks drop-down lists or enter your action/check commands manually. To activate your custom action/check, click Save. You can simply remove any action/check by clicking the recycle bin icon.


  • Under the Optional data source selection, you can select your preferred media pool, drive, used media|barcode, and interface from the drop-down lists.

  • An additional set of options is available under the Options for restore: You can specify the EOL parameter for restore (how long (in days) the restore task will be kept), enable/disable a generation restore, and decide whether any pre- or post script should be applied for the restore task, see Pre/Post options.
    In case of a VMware restore, you can also set the transport hierarchy (if you have not modified the transport mode before under the Virtualization restore options); for details, see Selecting the best VMware transport mode for your environment.

You can view the status of your restore jobs by using SEP sesam Web UI (Monitoring -> Restores) or SEP sesam GUI (Main Selection -> Job State -> Restores). For details, see Monitoring and Reporting.


Part XVI: SEP sesam Command Line Interface

SEP sesam CLI

Overview

The SEP sesam command line interface (CLI) is a utility that provides an alternate way of executing SEP sesam commands in UNIX and Windows environments. SEP sesam command line interface provides two CLI components: administration utility SEP sesam CLI and client utility SBC CLI. The latter is used to back up and restore data locally on the host.

SEP sesam CLI administration utility provides all of the functions available via SEP sesam graphical management interface and also additional CLI commands that are not available in the GUI. Note that different commands can be available depending on your SEP sesam license.

SEP sesam CLI commands can be used to install and configure a SEP sesam environment automatically without a GUI. They enable administrators to access SEP sesam database and manage the whole SEP sesam environment, for example, to install, configure and manage SEP sesam Servers and Clients centrally without a GUI. Every CLI command (except a native SQL statement) checks and follows the internal structure and dependencies of the SEP sesam database.

Features

  • Automatic configuration of SEP sesam environments after installation (e.g., on implementation)
  • Change the SEP sesam configuration without using the SEP sesam GUI
  • Script-based mass installation and configuration (e.g., provider environment)
  • Operate tests for installation and configuration in SEP sesam environments
  • Get SEP sesam status, log and version information
  • Determine SEP sesam object information for further use in other programs

Running CLI commands

You must have SEP sesam administrator privileges to run SEP sesam CLI commands and use the command prompt as an administrator. All commands are run from the <SESAM_ROOT>/bin/sesam/ directory. If you want to execute SEP sesam commands globally (and not from the actual run directory), set the SEP sesam profile as described in What happens when I set a profile?.

Understanding the command structure

The SEP sesam general syntax for a CLI command is:

sm_cmd <command> [-option] [<object>] [[-<parameter>] <value>]

where the following information is provided for each command:

  • sm_cmd: A command line tool that invokes the command line interface.
  • Usage: The actual syntax of the command, including the arguments.
  • Description: A brief summary of what the command does.
  • Arguments: The definition of options used in the command.
  • Example: Example of the command usage of the specified command and its options.

Command conventions

The parameters for a command are order-dependent and might include required and optional values or keyword choices, depending on how the information is bracketed. Required parameters are marked with an asterisk (*). An example is provided below.

| vertical bar
Separates the choices between two or more options or arguments.
[ ] square brackets
Indicate optional values.
< > angle brackets
Indicate that the enclosed element is mandatory.
Example:
sm_cmd <get|list|add|modify|backup|remove|restart> taskevent [OPTIONS...]

One of the actions bracketed with < > symbols, in this case <get|list|add|modify|backup|remove|restart>, is required, while the [OPTIONS...] are enclosed with [ ] symbols, therefore the information requested is optional. The following options are available for our sample taskevent command.

OPTIONS:
    -@ [param]     follow up (command to be run after the event completes)
    -G [ID]        task group
    -S [ID]        name of the interface
    -Z [number]    stop task if it runs longer than (e.g. 8:00 means that the task is automatically stopped after 8 hours)
    -d [ID]        drive number
    -j [ID]        backup task
    -l [param]     backup level (C = Copy, F = Full, D = Differential, I = Incremental)
    -m [ID]        media pool
    -s [0|1]       source-side deduplication

Let's say that we want to run a backup event for a backup task named win-cli_c_drive and use the target media pool (to which the data will be backed up) MP_disk_week. The command would look like this:

sm_cmd backup taskevent -j win-cli_c_drive -m MP_disk_week

Getting help

To list all available options, use the main help sm_cmd help. To show help for specific object, use sm_cmd help <object>, for example, sm_cmd help client.

Common action commands

The action command is used to perform an action or retrieve information/status about the resource. Most SEP sesam CLI resources have the following action commands:

get
The get command retrieves information about the resource or the operation that is currently defined.
list
The list command returns a list of objects for the specified resource. If the optional <object_name_or_id> is also specified, then the results are filtered by that value.
add
The add command creates a new object or event. If the optional <object_name_or_id> is also specified, then the objects are created according to the specified value.
modify
The modify command changes an existing resource based on the specified object options.
remove
The remove command deletes the specified object.

Before you begin

SEP sesam CLI is a very powerful command-line tool. You should be aware of its implications on your entire environment before you start using it.

Recommendations for using the SEP sesam CLI

  • SEP sesam's optional command line commands change the SEP sesam database directly. Therefore all command line entries should be checked and verified!
  • SEP sesam executes a command as soon as the <Enter>/<Return> key is pressed, so entries cannot be corrected afterwards as they can in the SEP sesam GUI. It is extremely important that you are familiar with the CLI and use it cautiously in order not to cause a system failure of the backup environment. Note that an erroneous entry can lead to complete data loss or other damage to the database. Such mistakes can void the warranty of your SEP sesam licensing agreement.
Note
Before you start scripting with the SEP sesam CLI, you should familiarize yourself with the SEP sesam environment. Read the SEP sesam documentation carefully and work on the SEP sesam installation and configuration to understand how the SEP sesam objects work together.

SEP sesam CLI usage

Command Description
sm_cmd <get|list|add|modify|remove|send> account Create and administer email accounts.
sm_cmd <get|list|remove|check> acl List or delete access control list (ACL).
sm_cmd list allevent List all SEP sesam events.
sm_cmd list allresult List all results within the specified time period.
sm_cmd backup Start the backup task or the backups of the task group.
sm_cmd clear cache Clear the entire server cache.
sm_cmd <get|list|add|modify|remove> calendar Create and administer calendars.
sm_cmd <get|list|add|modify|remove> calendarevent Create and administer calendar events.
sm_cmd <download|show> calendarsheet Display or download calendar information.
sm_cmd <get|list|add|modify|remove|dir> client Create and administer clients.
sm_cmd <get|list|add|modify|start|remove> command Create and administer commands.
sm_cmd <get|list|add|modify|remove> commandevent Create and administer command events.
sm_cmd <get|list|add|modify|enable|disable|link|unlink|remove> credential Configure and administer credentials.
sm_cmd <download|show> current Display or download the current drive information.
sm_cmd <get|list|add|modify|remove> datastore Create and administer data stores.
sm_cmd <get|list|add|modify|remove> default Configure and administer default keys.
sm_cmd dir <argument> List all specified clients, elements, VMs, etc.
sm_cmd <get|list|add|modify|remove|start|mount|dismount|unload> drive Create and administer drives.
sm_cmd <get|list|add|modify|remove> drivegroup Create and administer drive groups.
sm_cmd <get|list|add|modify|remove> group Create and administer user groups.
sm_cmd <get|list|add|remove> interface Create and administer interfaces.
sm_cmd start inventory Start archive adjustment.
sm_cmd <show|update|report> license Check the SEP sesam license information and update the license.
sm_cmd <get|list|add|modify|remove|load|unload|import|export> loader Create and administer loaders.
sm_cmd <get|list|add|modify|remove> loaderdevice Create and administer loader devices.
sm_cmd <get|list|add|modify|remove> location Create and administer locations.
sm_cmd <download|show|list> log Monitor and download log files from the server.
sm_cmd <get|list|add|modify|remove> media Create and administer storage media.
sm_cmd <get|list|add|modify|remove> mediapool Create and administer media pools.
sm_cmd <get|list|add|modify|start|init|remove> mediapoolevent Create and administer media events.
sm_cmd migrate Start a migration immediately.
sm_cmd <get|list|add|modify|remove|start> migration Create and administer migration events.
sm_cmd <get|list|add|modify|remove> migrationtask Create and administer migration tasks.
sm_cmd <get|list|add|modify|start|remove> newdayevent Create and administer NEWDAY events.
sm_cmd <get|list|add|modify> notification Create and modify notifications.
sm_cmd <get|list> opersystem List a specific OS or all operating systems.
sm_cmd render Renders the specified template.
sm_cmd <list|restart> Check and restart backups/migrations.
sm_cmd <get|list|add|modify|restore|start|remove> restoreevent Create and administer restore events.
sm_cmd <get|list|add|modify|start|remove> restoretask Create and administer restore tasks.
sm_cmd <get|list> result Monitor the results according to set filters (e.g., clients, tasks).
sm_cmd <dir> saveset Browse a saveset.
sm_cmd <get|list|add|modify|rename|remove|start> schedule Configure and administer schedules.
sm_cmd <download|show> services Monitor and download different files or logs.
sm_cmd list session List all active sessions.
sm_cmd start <task|restore|migration|command> Start an event.
sm_cmd start report Create a customized report.
sm_cmd <get|list|add|modify|start|remove> task Create and administer tasks.
sm_cmd <get|list|add|modify|backup|remove|restart> taskevent Create and administer task events.
sm_cmd add taskgen Generate tasks according to the specified task type.
sm_cmd <get|list|add|modify|start|remove> taskgroup Create and administer task groups.
sm_cmd <get|list|add|modify|remove> taskgrouprelation Create and administer task group relations.
sm_cmd <download|list> update Monitor and download JAR (.jar) updates.
sm_cmd <get|list|add|modify|remove|reset> user Create and administer users.
sm_cmd show version Display SEP sesam Server and Client package version.
sm_cmd <resetcbt|check|generate|list> vsphere Reset CBT, monitor vSphere environment and generate vSphere task group.
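
Because every command runs the moment it is entered, a script of sm_cmd calls can be checked against the usage table above before anything is executed. The following is an added example, not SEP sesam code: preflight() and review() are hypothetical helper names, the host name old-host is constructed, and treating only get, list, show, dir and help as read-only is a conservative assumption made here.

```python
import shlex

# Objects and their permitted actions, transcribed from the usage table on this
# page. The row "sm_cmd <list|restart>" has no object name there and is left out.
USAGE = """
get|list|add|modify|remove: calendar calendarevent commandevent datastore default
get|list|add|modify|remove: drivegroup group loaderdevice location media mediapool
get|list|add|modify|remove: migrationtask taskgrouprelation
get|list|add|modify|remove|send: account
get|list|remove|check: acl
list: allevent allresult session
clear: cache
download|show: calendarsheet current services
get|list|add|modify|remove|dir: client
get|list|add|modify|start|remove: command newdayevent restoretask task taskgroup
get|list|add|modify|enable|disable|link|unlink|remove: credential
get|list|add|modify|remove|start|mount|dismount|unload: drive
get|list|add|remove: interface
start: inventory report restore
show|update|report: license
get|list|add|modify|remove|load|unload|import|export: loader
download|show|list: log
get|list|add|modify|start|init|remove: mediapoolevent
get|list|add|modify|remove|start: migration
get|list|add|modify: notification
get|list: opersystem result
get|list|add|modify|restore|start|remove: restoreevent
dir: saveset
get|list|add|modify|rename|remove|start: schedule
get|list|add|modify|backup|remove|restart: taskevent
add: taskgen
download|list: update
get|list|add|modify|remove|reset: user
show: version
resetcbt|check|generate|list: vsphere
"""

# Assumption: only these actions are treated as not changing the database.
READ_ONLY = {"get", "list", "show", "dir", "help"}
# Commands the table lists without an object.
OBJECTLESS = {"backup", "migrate", "render"}


def load_usage(text):
    """Build {object: set(actions)} from the rows above."""
    table = {}
    for row in text.strip().splitlines():
        actions, objects = row.split(":")
        for obj in objects.split():
            table.setdefault(obj, set()).update(actions.strip().split("|"))
    return table


ALLOWED = load_usage(USAGE)


def preflight(command_line):
    """Classify one command line as 'read-only', 'confirm' or 'reject'."""
    try:
        argv = shlex.split(command_line)
    except ValueError as exc:
        return "reject", f"cannot parse quoting: {exc}"
    if len(argv) < 2 or argv[0] != "sm_cmd":
        return "reject", "not an sm_cmd invocation"
    action = argv[1]
    if action == "help":
        return "read-only", "help output only"
    # Assumption: the object is the first word after the action that is not an option.
    obj = next((a for a in argv[2:] if not a.startswith("-")), None)
    if action == "dir" and obj is not None:
        return "read-only", f"dir {obj}"
    if obj in ALLOWED and action in ALLOWED[obj]:
        verdict = "read-only" if action in READ_ONLY else "confirm"
        return verdict, f"{action} {obj}"
    if action in OBJECTLESS:
        return "confirm", f"{action} (no object)"
    if obj in ALLOWED:
        return "reject", f"'{action}' is not listed for '{obj}'"
    return "reject", f"unknown object '{obj}'"


def review(script):
    """Return (line_no, verdict, reason) for every line that must not run unattended."""
    report = []
    for no, line in enumerate(script.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict, reason = preflight(line)
        if verdict != "read-only":
            report.append((no, verdict, reason))
    return report


# Constructed sample script; task and pool names are the ones used on this page.
SAMPLE = """\
sm_cmd list session
sm_cmd backup taskevent -j win-cli_c_drive -m MP_disk_week
sm_cmd remove version
sm_cmd delete client old-host
"""

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Lines reported as confirm are valid but state-changing and should be released by an operator; lines reported as reject do not match the usage table and should be corrected before the script is run.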


SBC CLI

Overview

SEP sesam provides both GUI and CLI interfaces to manage the SEP sesam environment (CLI) or an individual client (SBC). SEP sesam command line interface provides two CLI components: administration utility SEP sesam CLI and client utility SBC CLI.

  • SEP sesam CLI provides an alternate way of managing SEP sesam environment. CLI commands enable administrators to access SEP sesam database and manage the whole SEP sesam environment, for example, to install, configure and manage SEP sesam servers and clients centrally without a GUI. For details, see SEP sesam CLI.
  • SBC CLI is used to back up and restore data locally on the host. SEP sesam SBC (sesam backup client) is a component that collects and consolidates the backup data on the client system, and delivers it to STPD. During a restore, SBC receives the required data and restores it to the target system. SBC CLI enables users to control, backup and restore the SEP sesam client (SBC module) directly and independently from other SEP sesam modules.

Command conventions

The parameters for a command are order-dependent and might include mandatory and optional values, or keyword choices.

| vertical bar
Separates the choices between two or more options or arguments.
[ ] square brackets
Indicate optional values.
< > angle brackets
Indicate that the enclosed element is mandatory.

SBC CLI usage

sbc -b|r|g|p|k|h [-a <DB_options>][-C <control_host>] [-d <device>]
                [-f <list_source>] [-F <data_format>] [-i <saveset_info>]
                [-j <job_name>] [-l <level>] [-L <control_target>]
                [-n <segment>[:<offset>:<size>]] [-o {options}]
                [-O <STOR/RETR_direct>] [-P <PID>] [-R <restore_target>]
                [-s <saveset_spec>] [-S <storage_node>] [-t <tape_spec>]
                [-T <since_time>] [-x <exclude_regexp>] [-X <exclude_list>]
                [-v 0|1|2|3|4|5|6]

Commands

There are six main commands that define what action can be performed by SBC. Another set of options can be used to further define the way the command is performed. The main commands are:

sbc -b|r|g|p|k|h

-b (backup)

Backup uses space delimited arguments to specify what will be backed up. These arguments may contain full item names or file patterns.

-b <backup_source1> [<backup_source2> ...] |

-r (restore)

Restore uses space delimited arguments to specify what will be restored. These arguments may contain full item names or file patterns. See also Restore from tape via SBC without a valid SEP sesam database.

-r <restore_source1> [<restore_source2> ...] |

-g (get)

The get operation switch transfers the specified file from the SEP sesam Server work directory to a local directory. The file is received as is, without any formatting. If the local file is not specified, the remote file name is used.

-g <remote_file> [<local_file>] |

-p (put)

The put operation switch transfers the specified file to the SEP sesam Server work directory. The file is sent as is, without any formatting. If the remote file is not specified, the local file name is used.

-p <local_file> [<remote_file>] |

-k (kill)

The kill operation switch sends a signal to the SBC process (including all child processes).

-k [-l 1|2|9] -s <saveset_spec>

-h (help)

Displays abbreviated usage syntax and a list of options you can use with the sbc command.

-h

Options

-a (backup type argument)

Backup type specific argument that may be passed to the underlying library. The -a <DB_options> are forwarded to the related database module, e.g., to Lotus Notes.

-a <DB_options>

-C (control host)

Specifies control host - SEP sesam Server.

-C <control_host>

-d (device)

Specifies the target/source device or directory for the operation.

-d <device>

-f (files)

Specifies the list of items to be backed up. Typically, this option is used when the number of files or directories to be included for backup exceeds allowed length for task source (SEP sesam version ≥ 4.4.3: max. 1024 characters; ≤ 4.4.2: max. 255 characters).

-f <list_source>

It is recommended to create a separate file that contains a list of selected files and directories to be backed up, one entry per line. Note that wildcards are not supported.
For example, the file C:/sesam/backup_file_list.txt includes the following entries:
/lib
/usr/share
/usr/bin/a2ps
/var/opt/sesam/var/ini

The option -f requires a fully qualified file list or directory name, e.g., C:/sesam/backup_file_list.txt on Windows or -f etc/sesam/backup_file_list.txt on Linux, or the list must be located in the SESAM_BIN/bin/sesam. To enter the file in the backup task properties, create or open the backup task, select the Options tab and under the Additional call arguments in the Backup options (previously Save options) field, enter the specified file in the form: -f C:/sesam/backup_file_list.txt.

Note
The option -f behaves differently on different platforms:
  • On Windows, the -f <list_source> option overrides the backup source specified in the backup task. For example, creating a backup task with source g:\x and specifying an SBC option -f C:/sesam/backup_file_list.txt will back up only the data from the backup_file_list.txt while ignoring the directory g:\x, which was specified as a backup source.
  • On Unix/Linux, both the source and the data from the backup_file_list.txt are considered for backup. It is therefore recommended that the <list_source> file is specified as a source in the Source field (to be included in the backup set, for example, etc/sesam/backup_file_list.txt) and entered again with a -f switch in the Save options field: -f etc/sesam/backup_file_list.txt.
See also How do I include or exclude a large number of files for backup.

-F (format)

Data stream format (valid for backup and restore operations) can be: default mtf for Windows SBC, default cpio for UNIX SBC, or sidf or none for Novell sbc_smdr.

-F <data_format>

-i (info)

If specified, the descriptive additional information for the given save set is saved together with data during backup. Relevant only for backup, not considered for restore.

-i <saveset_info>

-j (job)

Specifies backup task name.

 -j <job_name>

-l (level)

Specifies backup or restore level type.

-l <level>

For backup, the available backup level types are: FULL, DIFF, INCR and COPY.

 "c[opy]" | "f[ull]" | "i[ncr]" | "d[iff]"

For restore, the available restore types are complete (full) restore, selective restore or list. The "l[ist]" parameter only lists the names of the incoming items in the log file.

"f[ull]" | "s[elective]" | "l[ist]"

-n (number)

Optionally, this number can be used for restore with optional <offset> and <size> arguments to start a restore at specified offset and end when reaching the specified size (restored data size).

-n <segment_number> | -n <segment_number>[:<offset>:<size>]

-o (options)

Specifies additional options for backup and restore. You can set SBC options in the backup task properties: Click the Options tab and under the Additional call arguments (Expert options) in the Save options field, specify the required options. The available SBC options depend on the selected operation, backup type, OS and platform.

SBC Windows:

{options}: comma separated list of
   compress                         # with compression
   exclude_match=pattern|regexp     # exclude matching, default: pattern
   encrypt={encrypted_passwd}       # en/decrypt with encrypted passwd
   encrypt_plain={passwd}           # en/decrypt with passwd
   locale={locale like bgr_BGR}     # set locale for backup/restore_sources
   skip_acl                         # process only data (no ACL)
   skip_adat                        # skip alternate data streams
   skip_data                        # process only ACL
   skip_reparse                     # skip reparse point streams
only for backup:
   add_archive_ready                # add files with archive bit
   clear_archive                    # clear archive bit after backup
   [no_]hardlink_data_single        # handling of hardlink's data
   [no_]sparse                      # handling of sparse file data
   excl                             # exclude folders with 'nosbc' (default)
   noexcl                           # ignore 'nosbc'
   follow                           # follow reparse points
   ignore_vss_access_denied         # item not accessible: end with warnings
   skip_sbc_exclude                 # skip sm.ini [SBC_EXCLUDE] ExcludePattern#
   verify                           # verify data after backup
only for restore:
   break_on_error                   # abort after 1st error
   next                             # start from subsequent media
   overwrite                        # overwrite if file exists
   over=new, over=old               # overwrites newer/older files
   plain                            # restore plain in target dir
   tree                             # restore with subdirectories
   rename                           # rename if file exists
   show_not_processed               # log not processed item in level -v 0


SBC Linux/UNIX:

 {options}: comma separated list of
                    compress, encrypt[_plain]=[{aes}|{bf}]<passwd>
                    noacl                 # process without ACL (Trustees)
only for backup:    
                    verify                # verify data after backup
                    plain                 # do not descend into subdirectories
                    hard=defer            # defer hardlinks
                    hard=sort             # expect i-node sorted input
                    ignore_finderr        # ignore errors from sbc_find
only for restore:   
                    rename, overwrite     # rename/overwrite if file exists
                    over=new, over=old    # overwrites newer/older files
                    plain, tree           # restore plain/tree in target dir
                    next                  # start from subsequent tape

The following list provides some of the most used options. Note that some of the options might be platform/OS dependent and thus not available on all clients.

 -o <acl|noacl>

Specifies whether the ACLs will be backed up and restored.

-o over | -o over=newer|older

Specifies that existing files are overwritten during restore. Additional arguments can limit overwriting to the cases where the files from the save set are older or newer than the files on disk. See also Restore from tape via SBC without a valid SEP sesam database.

-o skip_adat

Specifies to exclude ADS from backup or restore. For details, see Support for NTFS alternate data streams (ADS) for Windows.

-P (process)

Specifies a process ID number for the kill command. If this switch is provided, the process with the specified PID will be terminated.

-P <PID>

-R (restore target)

Specifies the restore target directory when restoring to a new location (relocation).

 -R <restore_target>

-s (saveset)

Specifies the used save set for backup (with -b switch), restore (with -r switch) or for terminating the operation with the specified save set's name by kill operation (with -k switch).

 -s <saveset_name>

-S (storage host)

Specifies SEP sesam storage host (SEP sesam Server or RDS). See also -C.

-S <storage_node>

-t (tape)

Specifies the tape to be used for the respective operation on remote SEP sesam storage node. It is required when SESAM media server is involved. See also -d.

-t <tape_spec>

-T (time)

Specifies time: By using this switch only files created or modified after the specified time will be processed. Time format is “YYYYMMDDHHMMSS”. The -T switch has higher priority than "-l <level>" switch, therefore the backup "COPY" level type is applied to all files matching the specified time.
If specified with kill functionality, it will be used as timeout specified in seconds.

-T <time>

-x (exclude regex)

Specifies regular expression exclusions for backup. For details, see Exclude with Regular Expressions.

 -x <exclude_regexp> 

-X (exclude list)

Specifies the list of items to be excluded from backup.

-X <exclude_list>

Typically, this option is used when the number of files or directories to be excluded from backup exceeds the allowed length for the exclude list (max. 1024 characters). It is recommended to create a separate file containing a list of regular expressions, one entry per line. Note that wildcards are not supported. The option -X requires a fully qualified exclude list or directory name, e.g., C:/sesam/exclude_list.txt.

To enter the exclude file in the backup task properties, create or open the backup task, select the Options tab and under the Additional call arguments in the Backup options (previously Save options) field, enter the specified file in the form: -X C:/sesam/exclude_list.txt. For details and other exclude methods, see Creating exclude list. See also How can I set the SBC so that the exclude list always uses the file pattern (?,*) instead of using regular expressions?
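
Several of the switches described above change what a backup covers or how its password is stored, so the Additional call arguments of a task are worth auditing. The following is an added example, not SEP sesam code: audit_call_arguments() and the severity labels are hypothetical, the sample argument string and list contents are constructed, and matching -l values case-insensitively is an assumption.

```python
import re
import shlex
from datetime import datetime

VALUE_SWITCHES = {"-f", "-l", "-o", "-T", "-x", "-X"}
BACKUP_LEVELS = {"c", "copy", "f", "full", "i", "incr", "d", "diff"}
# -o items from the option lists on this page that reduce what is processed.
REDUCED_COVERAGE = {
    "skip_acl": "ACLs are not processed (Windows SBC)",
    "noacl": "ACLs are not processed (Linux/UNIX SBC)",
    "skip_data": "only ACLs are processed, no file data",
    "skip_adat": "alternate data streams are skipped",
    "skip_reparse": "reparse point streams are skipped",
    "ignore_vss_access_denied": "inaccessible items end with warnings only",
    "ignore_finderr": "errors from sbc_find are ignored",
}


def parse_switches(arguments):
    """Collect the values given for each value-taking switch."""
    argv = shlex.split(arguments)
    found, i = {}, 0
    while i < len(argv):
        if argv[i] in VALUE_SWITCHES and i + 1 < len(argv):
            found.setdefault(argv[i], []).append(argv[i + 1])
            i += 2
        else:
            i += 1
    return found


def valid_timestamp(value):
    """True if value is a real date and time in YYYYMMDDHHMMSS form."""
    if not re.fullmatch(r"\d{14}", value):
        return False
    try:
        datetime.strptime(value, "%Y%m%d%H%M%S")
    except ValueError:
        return False
    return True


def audit_call_arguments(arguments, platform, lists=None):
    """Return (severity, message) findings for one task's call arguments.

    platform is 'windows' or 'unix'; lists maps a -f path to the text of
    that list file so the entries can be checked without touching disk.
    """
    sw = parse_switches(arguments)
    findings = []
    for value in sw.get("-o", []):
        for item in value.split(","):
            name = item.split("=", 1)[0]
            if name == "encrypt_plain":  # the password itself is never echoed
                findings.append(("high", "encrypt_plain keeps the password as clear text in the call arguments"))
            elif name in REDUCED_COVERAGE:
                findings.append(("medium", f"{name}: {REDUCED_COVERAGE[name]}"))
    for value in sw.get("-l", []):
        if value.lower() not in BACKUP_LEVELS:
            findings.append(("error", f"-l {value}: not one of c[opy], f[ull], i[ncr], d[iff]"))
    for value in sw.get("-T", []):
        if not valid_timestamp(value):
            findings.append(("error", f"-T {value}: expected YYYYMMDDHHMMSS"))
        elif "-l" in sw:
            findings.append(("info", "-T has priority over -l: COPY level is applied to the matching files"))
    for path in sw.get("-f", []):
        if platform == "windows":
            findings.append(("medium", f"-f {path} overrides the backup source of the task on Windows"))
        else:
            findings.append(("info", f"-f {path} is backed up together with the task source on Unix/Linux"))
        for no, entry in enumerate((lists or {}).get(path, "").splitlines(), 1):
            if re.search(r"[*?]", entry):
                findings.append(("error", f"{path} line {no}: wildcards are not supported in a -f list"))
    return findings


# Constructed sample: a Windows task with a plaintext password, skipped ACLs,
# a truncated -T value and a list file that contains a wildcard entry.
SAMPLE_ARGS = ("-o compress,encrypt_plain=EXAMPLE-ONLY,skip_acl "
               "-f C:/sesam/backup_file_list.txt -T 2020121609 -l full")
SAMPLE_LISTS = {"C:/sesam/backup_file_list.txt": "C:/data\nD:/projects/*.docx\n"}

if __name__ == "__main__":
    for severity, message in audit_call_arguments(SAMPLE_ARGS, "windows", SAMPLE_LISTS):
        print(f"{severity:6} {message}")
```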

Part XVII: Appendix

SEP sesam Matrices

Cross-Platform Recovery File System Layer

Overview

Cross-platform recovery file system layer (XPRFS) is a special implementation of a virtual file system layer. It is an advanced restore feature that allows for mount and restore onto different operating systems and hardware platforms (Windows – MTF <–> Linux/Unix – cpio).

For example, data backed up from a Linux system (cpio saveset) can be mounted on Windows RDS, and data backed up from a Windows system (MTF saveset) can be mounted on Linux/Unix RDS; note that the operating system of the restore target must be the same as the operating system of the used Remote Device Server (RDS) (for details, see Restrictions below).

XPRFS employs direct access to backed up data and allows you to access individual backed up files through a file browser, thus enabling single file restore. However, the original ownership and access settings for restored objects are not preserved when the backup is mounted; the user under which the SEP sesam service is running is effectively the owner of the restored files. For details, see Restrictions below.

XPRFS (Mount saveset option) is available for the following task types:

Task type SEP sesam version
Path (file system backup) v. ≥ 4.4.3 Beefalo V2
MS SQL v. ≥ 4.4.3 Beefalo V2
NDMP v. ≥ 4.4.3 Beefalo V2
Kopano v. ≥ 4.4.3 Beefalo V2
RHV/OLVM v. ≥ 4.4.3 Beefalo V2
OpenNebula v. ≥ 4.4.3 Beefalo V2
Citrix XenServer v. ≥ 4.4.3 Beefalo
KVM/QEMU v. ≥ 4.4.3 Beefalo
Hyper-V v. ≥ 4.4.3 Grolar
VMware v. ≥ 4.4.3
Exchange v. ≥ 4.4.3
SharePoint v. ≥ 4.4.2
NetApp v. ≥ 4.4.2

XPRFS advantages

One of the XPRFS main advantages is that it is no longer required to perform a complete restore of backed up data. By selecting the Mount saveset option in the restore wizard, the target saveset is mounted to the SEP sesam home directory var\tmp\mnt, e.g., C:\Program Files\SEPsesam\var\tmp\mnt\save_set_ID. The mounted saveset is instantly accessible for browsing and searching (some limitations apply, see Restrictions below).

It is recommended to use the XPRFS for restoring specific data, such as Exchange, Hyper-V and vSphere backups with the following major advantages:

  • Instant access to your data, such as single mailboxes.
  • Faster restore time and performance.
  • Reduced free space requirement on restore target.
  • Protection of mounted data – all data is mounted read-only, allowing you to query the saveset and preventing you from altering or damaging the data content.

XPRFS restrictions

The following restrictions apply for mounting and cross-platform recovery:

  • Note that mounting does not preserve the original ownership and permissions for restored objects. The owner of the mounted backup/restored data is determined by the user under which the SEP sesam service runs. Typically, on Unix/Linux this is root, while on Windows the sesam service is typically running under the LocalService account (NT AUTHORITY\LocalService; system user). Note, however, that some SEP sesam extensions (such as Exchange Recovery Pro or SharePoint Recovery Pro) require that the SEP sesam service is configured with a user account with domain administrator privileges.
  • You can mount a Windows backup to a Linux system or a Linux backup to a Windows system, but the operating system of the Remote Device Server (RDS) used for mounting and that of the destination restore target must be the same. For example, you can mount a Windows backup on a Linux device server, but this backup can then be restored to a Linux host only, and vice versa: you can mount a Linux backup on a Windows device server, but this backup can then be restored to a Windows host only.
  • When performing cross-platform restore, you should be aware of the data characteristics related to different platforms. For example, if you are restoring Windows data with access control list (ACL) (or alternate data streams (ADS)) to Linux, you have to be aware that ACL (and ADS) will not be preserved. Be aware that certain limitations apply whenever data is restored to another environment.

Enabling XPRFS

Prerequisites

XPRFS requires the following:

  • A SEP sesam data store Path, SEP sesam Si3 deduplication store or HPE StoreOnce is required for instant single item recovery.

To enable XPRFS, from the SEP sesam GUI menu bar select Activities -> Restore -> select saveset -> select task -> under Single file restore select Mount saveset. For details, see Standard Restore Procedure.

Note
As of v. 4.4.3. Beefalo, the Mount saveset option is only available in the Expert UI mode. If you run the GUI in Basic or Advanced UI mode, first change the mode to Expert, as described in Selecting UI mode.


Using SEP sesam REST API