SCA Book


WORK IN PROGRESS
This page is a draft. Treat the information on this page with caution as it may be incomplete.

Part I: Introduction

Imprint

Any form of reproduction, duplication or distribution of the contents, in part or in whole, is allowed only with the express written permission of SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to provide accurate and correct information. However, the information in the SEP sesam user documentation is subject to change without notice due to continuous product development. SEP AG cannot guarantee the accuracy of the explanation and shall not be liable for the use of the provided information and product implementation.

SEP sesam and SEP-related modules are trademarks of SEP AG. All other trademarks used at this site are the property of their respective owners.

SEP sesam Release Versions

| Release | Version | Release date | Release notes | Specific extension versions | End of support |
|---|---|---|---|---|---|
| 5.0.0.9 Jaglion V2, SP1 | 5.0.0.9, 5.0.0.9 SP1 | June 30, 2022 | Release Notes 5.0.0 Jaglion V2 & SP1 | | |
| 5.0.0 Jaglion | 5.0.0.4 SP1; 5.0.0.4; 5.0.0.3 | March 28, 2022; February 28, 2022; December 29, 2021 | Release Notes 5.0.0 Jaglion | | |
| 4.4.3 Beefalo V2 | 4.4.3.86; 4.4.3.84 SP2; 4.4.3.84 SP1; 4.4.3.79-.84 | July 5, 2021; December 16, 2020; October 14, 2020; May 11, 2020 - August 3, 2020 | 4.4.3.86 Beefalo V2 Release; Beefalo V2 Service Packs Releases (SP1 and SP2); Release Notes 4.4.3 Beefalo V2 | | |
| 4.4.3 Beefalo | 4.4.3.70-.72 | July 25, 2019 | Release Notes 4.4.3 Beefalo | | |
| 4.4.3 Grolar | 4.4.3.60-.64 | July 23, 2018 - October 29, 2018 | Release Notes 4.4.3 Grolar | | October 2021 |
| 4.4.3 Tigon V2 | 4.4.3.48 | December 5, 2017 | Release Notes 4.4.3 Tigon V2 | | December 2020 |
| 4.4.3 Tigon V1 | 4.4.3.42 | August 10, 2017 | Release Notes 4.4.3 Tigon | | September 2020 |
| 4.4.3 | 4.4.3.22-.29 | September 21, 2016 - April 4, 2017 | Release Notes 4.4.3 | | January 2020 |
| 4.4.2 | 4.4.2.66-.88 | August 6, 2015 - April 27, 2016 | Release Notes 4.4.2 | | January 2020 |
| 4.4.1 | 4.4.1.14-.48 | July 16, 2014 - March 11, 2015 | Release Notes 4.4.1 | | January 2020 |
| 4.2.2 | 4.2.2.1-.40 | June 25, 2013 - August 4, 2014 | Release Notes 4.2.2 | | September 2016 |
| 4.2.1 | 4.2.1.5-.41 | July 16, 2012 - January 18, 2013 | Release Notes 4.2.1 | | December 2014 |
| 4.0.5 | 4.0.5.26, 4.0.5.28 | February 24, 2012 | Release Notes 4.0.5 | | July 2013 |
| 4.0.3 | 4.0.3.30 | July 13, 2011 / September 29, 2011 | Release Notes 4.0.3 | | July 2013 |
| 4.0.2 | 4.0.2.13, 4.0.2.30 | June 2011 | Release Notes 4.0.2 | | July 2013 |
| 4.0.1 | 4.0.1.19 | November 2010 / May 2011 | Release Notes 4.0.1 | | July 2013 |
| 3.6 | 3.6.4.x | October 2009 / August 2010 | Release Notes 3.6 | | June 2012 |
| 3.4 | 3.4.1.x | August 2008 / October 2009 | Release Notes 3.4 | | December 2010 |
| 3.0 | 3.0.1.xx | 2006/2007 | Release Notes 3.0 | | December 2009 |

Part II: Architecture Overview

SEP sesam Requirements

For smooth installation of SEP sesam backup software in the network, name resolution must work properly. Specify a fully qualified name for each SEP sesam component, e.g., every server and client in the network.

When finding a client, the operating system (Windows or Linux) first checks the hosts file for name resolution. Next, the configured DNS server is checked. If the DNS server is misconfigured or missing, the hosts file must be set up correctly to provide name resolution. You have to enter the names and addresses of all SEP sesam components: SEP sesam Server, backup clients and machines running the graphical user interface (GUI). You must not remove or modify any existing entry of localhost in your hosts file. For details, see How to check DNS configuration.

A DNS server is preferred over entries in the hosts files of all devices. A DNS server allows a system-wide solution. All SEP sesam components must have their names and IP addresses (reverse lookup) added to the DNS server.

PostgreSQL/64-bit

  • On 64-bit Linux, FreeBSD and Solaris, PostgreSQL is used as the SEP sesam database.
  • When SEP sesam is installed on MS Windows, the SQLite database was automatically installed up to version 4.4.3 Beefalo V2. As of version 5.0.0 Jaglion, you can choose to install a PostgreSQL database that is included in the SEP sesam installer (or use the SQLite database that does not require a server to be set up and is used with SEP sesam by default). For details, see Installation on Microsoft Windows.
  • When SEP sesam is installed on a 64-bit Unix operating system, PostgreSQL has to be installed before the SEP sesam Server to enable the DB instance to be set up for use.

.NET

On MS Windows, .NET Framework 4 is required for SEP sesam Server installation.

Antivirus software

Deactivate or remove the antivirus software before installing SEP sesam components on each computer. Failure to disable active antivirus software may result in a failed, corrupt or incomplete installation. If antivirus software is installed, it is strongly recommended to turn off any on-demand scanning while a backup is running. For more details, see What effect does an antivirus scanner have on SEP sesam.

Hardware Requirements

The following are the hardware requirements for the SEP sesam Server, RDS or SEP sesam Client. They are similar for both servers, SEP sesam Server and RDS, except for the required space on the file system for the SEP sesam database, which is not necessary for RDS.

  • The hardware requirements for the SEP sesam components represent the common requirements. Additional amount of RAM/CPU may be required for bigger Si3 data stores. For details, see Si3 Deduplication Hardware Requirements.
  • (Windows only) Make sure that you are using CPUs with supported AVX versions (AVX, AVX2, or AVX-512) and FMA3 (Fused Multiply-Add 3-operand Form) or FMA4 (Fused Multiply-Add 4-operand Form) to prevent the Sesam Transfer Protocol Server (STPD) from automatically disabling the HTTPS port. This happens when the CPU instructions are missing due to unsupported AVX. Consequently, the TLS key and certificate cannot be created. For a list of supported AVX versions, see Advanced Vector Extensions.

| Requirements | SEP sesam Server Standard edition | SEP sesam Advanced Server edition | SEP sesam Premium Server edition | SEP sesam Enterprise Server | SEP sesam Client |
|---|---|---|---|---|---|
| Memory (without Si3 deduplication) | 8 GB RAM | Minimum 16 GB RAM | 32 GB RAM | Minimum 64 GB RAM | 2 GB (recommended 4 GB) |
| Memory (with Si3 deduplication) | Minimum 16 GB RAM | Minimum 32 GB RAM | 64 GB RAM | Minimum 128 GB RAM | Minimum 4 GB |
| Core (without Si3 deduplication) | 1x CPU with 4 cores (≥ 2,4 GHz) | 1x CPU with 8 cores (≥ 2,4 GHz) | Minimum 1x CPU with 8 cores (≥ 2,4 GHz) | Minimum 2x CPUs with 4 cores (≥ 2,4 GHz) | - |
| Core (with Si3 deduplication) | 1x CPU with 6 cores (≥ 2,6 GHz) | 2x CPUs with 8 cores (≥ 2,6 GHz) | 2x CPUs with minimum 8 cores (≥ 2,6 GHz) | Minimum 2x CPUs with 8 cores (≥ 2,6 GHz) | - |
| Minimum hard disk space for SEP sesam metadata | 100 GB | 300 GB | 500 GB | 500 GB | 4 GB (for all client data) |
| No. of backup clients | Up to 15 | Recommended up to 50 | Recommended up to 150 | Recommended for more than 150 | - |

Si3 Deduplication Hardware Requirements

  • For the minimum Si3 hardware requirements that apply to the SEP sesam Si3 deduplication server, see the above requirements list. Keep in mind that these requirements represent the demand for deduplication only. In addition, the amount of memory for the operating system and other services should be taken into account.
  • For details on the required Java version, see Java Compatibility Matrix. Si3/Si3-NG is not mandatory, so there is no dependency rule for it in the RPM/DEB packages.
  • When estimating the maximum size of a deduplication store, you have to ensure that there is enough space available for dedup trash, otherwise the deduplication store will run out of space. You should calculate the required disk space based on a representative sample of your full backup and add the additional storage space equal to approximately 50% of the representative full backup.

Disk attachment and protocols

Si3/Si3-NG supports all types of direct-attached disk storage, such as serial attached SCSI (SAS), Serial ATA (SATA), and Fibre Channel (FC)/LUN.

Performance tip

Applies to Windows only: SEP AG recommends using the High performance power plan to increase the performance of your backup. Note that Windows sets all computers to the Balanced power plan by default and you must manually switch to the High Performance power plan. This way, your Windows computer will use more power, but the systems with Si3 will always operate at the highest performance level.

  • From the Start menu, go to Control Panel -> System and Security -> Power Options and change the setting to High performance.

Restriction

To avoid problems resulting from the combination of excessively large Si3 deduplication stores and inefficient hardware, the maximum initial Si3/Si3-NG deduplication store size is limited to 40 TB. If you need to increase this limit, contact SEP support.

This limitation applies to the creation of a new Si3/Si3-NG deduplication store in the GUI.

Note
It is recommended to run Si3 deduplication (SEP sesam Server or RDS) on the physical host. It is also possible to run it on a virtual machine. In this case, take into account that deduplication consumes a lot of server resources for reading, processing and writing the deduplicated data, as well as for some other deduplication tasks such as housekeeping and various checks. These tasks require a large amount of IO and a large amount of memory. Si3 performance can be affected by other virtual machines running on the same host. Therefore, if you are running Si3 on a VM, you should be aware of possible bottlenecks and shortcomings.

Required additional amount of RAM and CPU cores

Memory requirements are dependent on the number of concurrent streams and expected workload. The following tables show the recommended minimum additional amount of RAM and CPU cores for a Si3/Si3-NG data store to ensure good performance. The TB value corresponds to the capacity of the Si3/Si3-NG data store.

Note
These requirements relate solely to the need for deduplication. In addition, you should consider the amount of memory for the operating system and other services.

| Si3/Si3-NG data store capacity (check initial size limit) | RAM |
|---|---|
| <20 TB | at least 16 GiB |
| 20-40 TB | at least 32 GiB |

The following table shows the number of CPU cores required for a Si3/Si3-NG data store. The TB value is the amount of data backed up (before deduplication)!

| Backed up data (before dedup) | CPU cores |
|---|---|
| 10 TB | 4 |
| 20 TB | 4 |
| 40 TB | 8 |

Note: This is the minimum amount to ensure good performance. Depending on the number of concurrent streams, more cores may be needed.


Java Compatibility Matrix

| Java version | SEP sesam version |
|---|---|
| Java 17 | 5.0.0.9 Jaglion V2 |
| OpenJDK 11 LTS | 4.4.3 Beefalo, 5.0.0 Jaglion (see Note1) |
| Java 11 | 4.4.3 Beefalo, 5.0.0 Jaglion (see Note1) |
| Java 10 is not supported! | X |
| Java 9 is not supported! | X |
| Java 8 ≥ patch level 111 (both Windows and Linux) | 4.4.3 Grolar; 4.4.3 Beefalo, 5.0.0 Jaglion (see Note1) |
| Java 8 (at least patch level 111) ≥ JRE 1.8.0_111 (required for Linux) | v. ≥ 4.4.3 Tigon V2 |
| Java 8 (required for Windows) | v. ≥ 4.4.3 |
| Java 7 (all OS except Windows) | 4.4.3 (see Note2) |
| Java 7 | 4.4.2 |
| Java 6 | 4.2.1 & 4.2.2 |

Note1
  • Java 1.8 (≥ 1.8.0_111) is only accepted if it is already installed and the computer does not have a 4K display.
  • 5.0.0.9 Jaglion V2 is the last version of SEP sesam that supports Java 1.8.

Note2

SEP sesam versions 4.4.3 until 4.4.3 Tigon V1 running on non-Windows platforms require Java 7. However, SEP sesam uses JavaFX for its web dashboard and user-defined schedules features. If you want to have all the 4.4.3 features available, you need the OpenJFX package or Oracle®'s Java 8 (which already includes JavaFX) on your SEP sesam GUI client.

Directory layout

SEP sesam always creates two directory structures during installation – one for static data and one for variable data. Both structures can be either in the same main directory or in two different directories. On Unix, the installation directories are represented in the file /etc/sesam2000.ini.

SEP sesam directory aliases

Directory aliases are used to refer to the specified paths in the default SEP sesam directory structure.

<SESAM_BIN>
Refers to the part of the directory structure of a Linux package installation in which the unchangeable files (e.g., binaries) are stored. The path /opt/sesam cannot be selected during installation.
<SESAM_VAR>
Refers to the part of the directory structure of a Linux package installation in which the variable files (e.g., configuration and log files) are stored. The path /var/opt/sesam/var cannot be chosen freely during installation.
<SESAM_ROOT>
Refers to the install location of the SEP sesam file structure for a Linux tarball or a Windows installation. This means that both tarball and Windows installations show <SESAM_BIN> and <SESAM_VAR> on the same location in the file system (referred to as <SESAM_ROOT> here). The install directory must be specified during a tarball installation (default path is /opt/sesam) and also during Windows installation (default path is C:\Program Files\SEPsesam).

SESAM_BIN directory

This directory contains all unchanged files, such as programs, templates, etc. The following directory structure is created during SEP sesam installation:

| What | Where |
|---|---|
| Database components | SESAM_BIN/bin/db |
| GUI components | SESAM_BIN/bin/gui |
| Dedupe components | SESAM_BIN/bin/sds |
| Server components | SESAM_BIN/bin/sesam |
| Communication components | SESAM_BIN/bin/sms |
| Templates incl. raw versions for first installation | SESAM_BIN/skel |
| Templates for programmable interfaces | SESAM_BIN/skel/templates |

SESAM_VAR directory

This directory contains all changeable data, such as SEP sesam database, protocols and log files. The following directory structure is created during setup:

| What | Where |
|---|---|
| Database | SESAM_VAR/db[_pg] |
| SEP sesam database backup | SESAM_VAR/db[_pg]/backup |
| Configuration files | SESAM_VAR/ini |
| SSH keys for control communication | SESAM_VAR/ini/sm_ssh |
| SSL certificates for data transfer | SESAM_VAR/ini/ssl |
| Notification and metadata logs | SESAM_VAR/lis |
| Main directory for log files | SESAM_VAR/log |
| Logs of the Pre- and Post- jobs | SESAM_VAR/prepost |
| Status and daily logs | SESAM_VAR/prot |
| Media action logs | SESAM_VAR/prot/media |
| SEP sesam interface logs | SESAM_VAR/prot/notification |
| Restore logs | SESAM_VAR/prot/restore |
| Temporary files for transient storage | SESAM_VAR/tmp |
| Temporary files for longer storage | SESAM_VAR/work |
| Mountpoint for VMware and other single item restore tasks | SESAM_VAR/work/mnt |

Example

 C:\Program Files\SEPsesam

Sample directory structure

The following is a common SEP sesam directory layout after an RPM or DEB installation on Linux. The programs are located in /opt/sesam, the files are in /var/opt/sesam:

 barometrix:~ # find /opt/sesam/ /var/opt/sesam/ -type d
 /opt/sesam/
 /opt/sesam/bin
 /opt/sesam/bin/db
 /opt/sesam/bin/gui
 /opt/sesam/bin/gui/html
 /opt/sesam/bin/sesam
 /opt/sesam/bin/sms
 /opt/sesam/skel
 /opt/sesam/skel/db
 /opt/sesam/skel/templates
 ###
 /var/opt/sesam/
 /var/opt/sesam/var
 /var/opt/sesam/var/ini
 /var/opt/sesam/var/ini/root
 /var/opt/sesam/var/log
 /var/opt/sesam/var/log/db
 /var/opt/sesam/var/log/lgc
 /var/opt/sesam/var/log/sms
 /var/opt/sesam/var/tmp
 /var/opt/sesam/var/work
 /var/opt/sesam/var/work/smslis
 /var/opt/sesam/var/work/info
 /var/opt/sesam/var/work/ctl
 /var/opt/sesam/var/work/sem
 /var/opt/sesam/var/times
 /var/opt/sesam/var/lis
 /var/opt/sesam/var/not
 /var/opt/sesam/var/qm
 /var/opt/sesam/var/glbv
 /var/opt/sesam/var/prepost
 /var/opt/sesam/var/prot
 /var/opt/sesam/var/sel
 /var/opt/sesam/var/db
 barometrix:~ #                      
 /opt/sesam/bin
 /var/opt/sesam

The /var/ini directory contains the following initialization files:

sm.ini
sm_java.policy
sms.ini
odbc.ini
debug.ini
sm_lic.ini
stpd.ini

Part III: SEP sesam Installation and Configuration

Licensing

SEP provides a flexible approach to the licensing of hybrid SEP sesam backup solutions that simplifies procurement and meets the specific needs of various organisations.

SEP sesam licenses fall into one of the following broad categories:

Component-based licensing

SEP's component-based licensing model begins with the main Backup Server (SEP sesam Server), Remote Device Servers (media agents), clients and databases or groupware agents. Expansion modules are customised to suit the existing environment and the license can be adjusted when extensions are added or the data protection environment is restructured.

In complex environments (data zones) where the average amount of backup data per client is greater than 250 GB, the classic component-based licensing model will likely be the more economical solution.

The concept behind this model is to license only what the customer actually uses.

Capacity-based licensing

SEP also provides capacity-based licensing models that offer convenient and flexible licensing for continually changing environments.

SEP sesam's volume licensing model is primarily aimed at large and dynamic security environments in which numerous different database or groupware applications are used. Rental licenses are based on volume and provide maximum flexibility with minimal management effort at no additional cost. This license is ideal for large installations, without depreciation expense.

This model gives customers access to most features and functionality and the only relevant factor is the amount of data backed up. Customers are therefore able to customise their backup solutions to suit their specific financial blueprint and infrastructure.

SEP licensing models

For more information on SEP licensing models and available licenses, contact SEP sesam sales.

SEP volume perpetual licensing

The SEP volume licensing model is based on front side data volume size. In addition, a further delineation is set depending on the types and sophistication of databases in use (Level 2 and/or Level 3). The licenses are perpetual and maintenance is included within the first 12 months. After the subscription period, SEP sesam save sets can be further used for restores, however, backing up data is no longer possible.

Calculating front-side capacity

All SEP sesam capacity-based licenses are calculated by how much original, source-side data is protected (front-side TB). This equates roughly to the sum of all files, databases and hypervisor snapshots of the clients to be backed up. In practice, this means that the maximum volume of all backup jobs (normally the biggest FULL) is calculated, provided that it is stored on any SEP sesam media (retention policy). The original data is cumulated before deduplication or compression.

SEP subscription licensing

SEP sesam subscriptions are purchased per year, based on data volume per front-side terabyte and depend on the utilisation of SEP database agents. Maintenance is included in any subscription time frame. Subscriptions are licensed for a period of 12 months and include full maintenance.

After the subscription period, SEP sesam save sets can be further used for restores, however, backing up data is no longer possible.

SEP classic perpetual licensing

The SEP sesam classic model provides item-based, perpetual licenses that are individually tailored to a customer's needs. Licensing is modular and scalable, expansions of any license components such as database and groupware agents can be carried out at any time. Maintenance is included within the first 12 months.

SAP Business One Edition

SEP sesam SAP Hana Business One Edition is licensed per number of SAP Business One users. SAP Business One Edition basic license covers the backup of up to 10 SAP Hana Business One users. SAP Hana Business One Edition is recommended for companies with up to 25 SAP users. SEP classic licenses can be added at any time. The complete SAP portfolio can be licensed with a SEP sesam volume or classic license.

SEP maintenance

All SEP sesam Backup Server licenses for volume models, classic models and SAP Business One Edition include maintenance of 12 months. SEP maintenance consists of software updates (incl. the latest features, patches and bugfixes) or renewal services and technical support. Extensions (at first purchase or later) are always adapted to the runtime of an existing SEP sesam Backup Server environment and include a maximum maintenance validity of 12 months. Excluded are consulting services, such as analysis of the data to be backed up, infrastructure analysis, determination of the target state, creation of a solution concept, and installation service.

VM Essential Edition

The SEP sesam VM Essential Edition is licensed according to the installed sockets. A maximum of 6 sockets can be used in one license environment. VM Essential (Plus) Edition VMware and Essential (Plus) Edition Hyper-V can be mixed. Note that it is not possible to combine VM Essential and VM Essential Plus Editions.

It is also not possible to extend the functionality, however, a conversion into the volume license model is possible.

Managed Service Provider

The SEP MSP license model is suitable for managed service providers and data center operators who use SEP sesam for offering their customers Backup as a Service (BaaS). On the basis of long-term contracts with various service levels, you get a complete full-service package.

Licensing is based on TB data volume (front-side capacity), which is divided into service classes for database usage (level 2 and level 3).

Offers, order confirmations and invoices are made on a monthly basis.

The SEP sesam MSP maintenance consists of the software upgrade, update service and the SEP sesam 2nd and 3rd level support. Excluded are consulting services, such as analysis of the data to be backed up, analysis of the infrastructure, determination of the target state, creation of a solution concept, and the installation service. During the maintenance period, customers can download patches and bug fixes as well as the latest SEP sesam versions.

After the first qualified error analysis, SEP is available to the MSP for 2nd and 3rd level support via the SEP hotline (+49 (0) 700 737 787 767 8) from Monday to Sunday (0 a. m. - midnight). For details on current support information, contact SEP sesam sales: sales@sep.de.

Also available are SEP CAPS (SEP Cloud App Protection Service) licenses for cloud-2-cloud backups and restores of SaaS applications such as Microsoft Office 365, Dynamics 365, G Suite, and Salesforce.

The data volume of the backed up items is limited to 1 TB per user (Exchange Online 50 GB) but can be divided among all users as desired. There are no costs for uploading/downloading data and also inactive users (excluded from the backup) are not billed.

License administration

Requirements

To create an application-specific license, you will need the following information about the SEP sesam backup server:

  • Host name
  • IP address
  • Delivery note number
  • Hardware platform (i386, x86, PPC, ia64, ...)

The SEP sesam Server name and IP address can be found in the SEP sesam GUI menu bar: Help -> License Info or by using the keyboard shortcut ALT + L.

Information about the delivery note number and the hardware platform can be accessed on the Linux console with the command:

uname -i 

or the Windows command line with the command:

set 

and on Windows 2003 also with

systeminfo

Send this information to sales@sep.de. If you have any questions during the 30 day installation support, please refer to SEP sesam sales.

Note
After installing SEP sesam, all functions are available without limitation for 30 days. Seven days before the end of the temporary license, you will be reminded of the upcoming license renewal. After the 30-day time limit has passed, the software’s backup functions are blocked. However, restores up to that point are still possible.

Entering a license

Licenses are usually sent as attachments by email. The attachment contains the license file, which you must enter into the SEP sesam Server.

  • Extract the file sm_lic.zip on the target machine.
  • Copy the file sm_lic.ini to <SESAM_ROOT>/var/ini.

To determine the correct host name and IP address for your SEP sesam license, follow these simple instructions:

  • In the SEP sesam GUI menu bar, select Help -> License Info.
  • UNIX command line:
 #> source <SESAM_ROOT>/var/ini/sesam2000.profile
 #> sm_info c
  • Windows command line:
 > <SESAM_ROOT>\var\ini\sm_prof
 > sm_info c

Note
Before entering a new license, make a backup copy of your existing license. If there are any problems with the new license, you can restore your working state with the original license at any time.

Changing an existing license

If the IP address or the server name of the backup server is changed, you have to transfer a SEP sesam Server license. This includes adjusting the existing server license to match the changed server name and/or new IP address.

Send the old and new license information to SEP AG (by email to sales@sep.de) to ensure that there were no errors during the transfer and to notify the contact person.

The transferred license is sent by email within the warranty's response time. New versions of the existing license and service documentation are created and the customer center is updated.

The license transfer is free of charge for customers with an existing SEP upgrade contract.

License and service documentation

In addition to the license file, which is sent digitally (usually by email), the customer also receives license certificates for the purchased modules and an upgrade/support card (if they opted for an upgrade or support contract).

The documentation contains a summary of all relevant information (IP address, server name, license details, run time and reaction times) and is sent by regular mail or as a PDF document by email.

Licensing FAQs

How do I order a new license?

To obtain a license, contact SEP sesam sales at SEP contact page or sales@sep.de and provide the following information:

  • host name of the SEP sesam Server
  • IP address of the SEP sesam Server

To determine which specific names are used by SEP sesam (for example, if more than one network card is installed on the server), go to Help -> License Info in the SEP sesam GUI menu bar and check the details. Licenses are available immediately after your purchase or renewal is completed and will be sent to you by email.

License Info displays all licensed components which are currently in use. It also shows you the number of clients and modules needed by your configuration if your SEP sesam Server is currently running in trial mode.

Note
Some features require a special license, for example, SEP sesam Exchange Recovery Pro and SEP sesam SharePoint Recovery Pro. SEP sesam licenses are issued on the basis of the size and requirements of your environment, so make sure that you are aware of feature/application specific licensing. For details on newly introduced licenses, see SEP sesam Exchange Recovery Pro license and SEP sesam SharePoint Recovery Pro license.


How do I activate a license?

You can activate licenses easily by importing the license in the SEP sesam GUI. Note that the SEP sesam Exchange Recovery Pro and SEP sesam SharePoint Recovery Pro extensions require special licenses and specific activation steps, as described in the section Activating special licenses.

Activating licenses in the SEP sesam GUI

After you have received your SEP sesam license by email, proceed as follows:

  1. From the SEP sesam GUI menu bar -> Help, select License Info. The SEP sesam License Info window appears.
  2. Click the button Import New License. A new window opens prompting you to paste a valid license file.
  3. Copy a valid license file sm_lic.ini and paste it from the clipboard or use the file manager to browse and select the required license as .ini or .zip file.
  4. Click Apply to enable the license.

Tip
The License Info also enables you to check the expiration date and to upgrade your license. All licensed components currently in use are displayed.

If the program displays any errors (for instance, in the host name or IP address), email the SEP sesam License Info to SEP sesam sales by clicking the Send as Mail button. Clicking the button opens an email with the license information loaded. Address the message to sales@sep.de and send it.

Activating special licenses

To activate the special licenses, such as SEP sesam Exchange Recovery Pro or SEP sesam SharePoint Recovery Pro, proceed as follows:

  1. Go to Start -> All Programs -> SEP sesam Exchange Recovery Pro or Start -> All Programs -> SEP sesam SharePoint Recovery Pro and open the extension. A License file not installed message appears.
  2. Click the License info button and import the license.ini file.

Both the SEP sesam Exchange Recovery Pro and SEP sesam SharePoint Recovery Pro extensions require specific installation and configuration. For details on these procedures, see SEP sesam Exchange Recovery Pro and SEP sesam SharePoint Recovery Pro.

How do I obtain the community version?

The SEP sesam community version is available to the general public for private use on Microsoft Windows and Linux. Please note that the software, manuals, licensing and terms from SEP AG and SEP Software Inc remain unchanged.

During the installation of a SEP sesam demo version (available at SEP Download Center), a community license file is created automatically. This file must be copied to the license file location after the 30-day trial period is over.

The file sm_lic.ini.com can be found at <SESAM_ROOT>/skel. Copy the file to <SESAM_ROOT>/var/ini and rename it to sm_lic.ini.

If you want to check the license status, go to Help -> License Info.

Technical support is not provided for the SEP sesam community version and it cannot be upgraded. Visit the SEP Forum or search SEP Wiki for help.

Why does the W008-License TCPIP address not match the local address 127.0.0.2?

This problem usually occurs on SLES-based Linux systems. Check the file /etc/hosts and change the relevant entry for the loopback address "127.0.0.2" or remove it from the /etc/hosts file entirely.
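
The name-resolution rules from SEP sesam Requirements and the 127.0.0.2 case above can be checked against a hosts file before installing or requesting a license. The following is an added example, not SEP code: the sample hosts file, host names, addresses and function names are constructed, and it assumes the resolver uses the first matching hosts line.

```python
import ipaddress

# Constructed sample hosts file; names and addresses (documentation ranges)
# are illustrative, not taken from a real SEP sesam installation.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.2   backup01.example.com backup01   # SLES-style loopback alias
::1         localhost ip6-localhost
192.0.2.10  backup01.example.com backup01
192.0.2.21  client01 client01.example.com   # short name listed first
192.0.2.22  client02                        # no fully qualified name
"""


def parse_hosts(text):
    """Return [(ip_address, [names])] in file order, skipping comments and junk."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        entries.append((ip, [name.lower() for name in fields[1:]]))
    return entries


def audit_hosts(text, components):
    """Check each component FQDN against a hosts file; return [(name, issue)]."""
    entries = parse_hosts(text)
    findings = []
    # The existing localhost entry must stay in place.
    if not any(ip.is_loopback and "localhost" in names for ip, names in entries):
        findings.append(("localhost", "missing localhost entry"))
    for fqdn in (c.lower() for c in components):
        if "." not in fqdn:
            findings.append((fqdn, "not fully qualified"))
        matches = [(ip, names) for ip, names in entries if fqdn in names]
        if not matches:
            findings.append((fqdn, "no hosts entry"))
            continue
        # Assumption: the resolver returns the first matching line.
        ip, names = matches[0]
        if ip.is_loopback:
            # This is the situation behind the W008 license address mismatch.
            findings.append((fqdn, f"resolves to loopback {ip}"))
            continue
        # A reverse lookup from a hosts file yields the first name on the line.
        if names[0] != fqdn:
            findings.append((fqdn, f"reverse lookup of {ip} returns {names[0]}"))
    return findings


if __name__ == "__main__":
    hosts = ["backup01.example.com", "client01.example.com", "client02.example.com"]
    for name, issue in audit_hosts(SAMPLE_HOSTS, hosts):
        print(f"{name}: {issue}")
```

An empty result means every listed component has a fully qualified, non-loopback entry whose reverse name matches; DNS records still need the same forward and reverse check on the DNS server itself.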

About Installation and Update

Overview

SEP sesam hybrid backup is the ideal data backup solution for heterogeneous IT infrastructures. It supports an extensive portfolio of virtualization platforms, operating systems, databases, and applications as well as provides protection for cloud environments; for details, see SEP sesam OS and Database Support Matrix. SEP sesam software and extensions are available at SEP Download Center. SEP sesam software requires a license.

Licensing

SEP sesam requires a paid license after the trial period expires. SEP sesam provides various licenses and editions that you can combine according to your needs to implement optimized backup. Some features require additional licenses. For details, see Licensing.

Essential modules

The essential modules of each SEP sesam environment are: SEP sesam Server, SEP sesam GUI, SEP sesam Remote Device Server (RDS), and SEP sesam Client(s). Each module is installed separately. The SEP sesam environment is managed centrally by the SEP sesam GUI.

Additional modules/extensions

SEP sesam also provides additional modules and functionality that enable consistent backup of databases (Oracle, MS SQL, IBM DB2, Informix, SAP R/3, etc.), applications (such as SAP), groupware systems, virtualization environments, and cloud-to-cloud backup. Some of these extensions are already part of a Client package, and some require a separate license in order to function. Check the SEP sesam OS and Database Support Matrix to learn what is supported on each of the platforms. For a list of all supported extensions and their configuration, see Extensions.

Installation requirements and procedure

Once you have determined how you want to set up your SEP sesam environment, you can install the required components. Make sure that the hardware and software requirements are met before configuring the SEP sesam environment. For details, see SEP sesam Requirements.

The installation procedure depends on the platform on which you are installing a SEP sesam package:

Note that when Si3 deduplication is used, Java is required on all systems that serve as SEP sesam Server, SEP sesam GUI client or SEP sesam Remote Device Server (RDS). For details, see Installing and Managing Java.

Component compatibility

SEP sesam Server and GUI client have to work with the same GUI. This means that whenever you update the SEP sesam Server, GUI update is required. SEP sesam prompts for GUI update when the server is updated.

Updates

After you have installed and configured your SEP sesam components according to your environment, SEP sesam provides free updates from previous to new versions and features of SEP sesam within the maintenance period. During this period, you can download bug fixes, patches, service packs, and the latest SEP sesam version(s) if you have a valid license.

  • Installing either Windows or Linux-specific distributions is pretty straightforward. For Linux systems, SEP provides special service pack executables that ease the installation of service packs and patches; see Applying Service Packs on Linux.
  • Updating SEP sesam extensions, e.g., BSR Pro for Windows, is done automatically during the SEP sesam update process.
Tip
SEP generally recommends upgrading the SEP sesam Server and Client components to the latest version during the regular upgrade process. For the complete list of releases, see SEP sesam release versions.

SEP may request that you install a particular update (i.e. fix, patch, or service pack) to resolve a specific problem. To get instantly notified about SEP sesam vulnerabilities and updates, click to subscribe to the SEP sesam RSS feed.

Updating methods and settings

There are a number of options available for updating SEP sesam software.

Install/Update options in GUI (available in newer versions of SEP sesam – v. ≥ 4.4.3 Beefalo)
You can set up your server to automatically check, download and install updates, or decide to do it manually. You can update all clients within the location at once or update only OS-specific clients (Windows/Linux update), exclude a particular client from being updated, etc. For details, see Updating SEP sesam.
CLI command sm_update_client (available in newer versions of SEP sesam – v. ≥ 4.4.3 Beefalo)
You can perform all of the options mentioned above by using sm_update_client. The sm_update_client command also covers the functionality of the previously used sm_remote_installer and sm_config_client commands, which have been deprecated. For details, see Updating SEP sesam Using CLI.
Note
Updating SEP sesam is version-related, so some of the update options may not be available in earlier versions. If you are running a version ≤ 4.4.3 Grolar, see 4.4.3: Updating SEP sesam in earlier versions.

SEP sesam release cycle

Approximate release frequency of SEP sesam software is once a year for a major release, followed by a minor SEP sesam version which includes all preceding fixes and also introduces new features and functionality.

SEP sesam provides service pack executables that ease the installation of service packs and patches. Service packs are cumulative and contain all released bug fixes for the corresponding SEP sesam version. Download and installation of service packs are pretty straightforward on Windows and Linux; for the latter, SEP provides special service pack executables that ease the installation of service packs and patches, see Applying Service Packs on Linux.

SEP sesam Quick Install Guide

The complete SEP sesam environment consists of different modules, which can be combined as needed to implement an optimized backup. The modules interact with each other via SEP APIs, which are also used for interaction with other software.

Essential modules

The essential modules of any SEP sesam environment are: SEP sesam Server, SEP sesam GUI, SEP sesam Remote Device Server (RDS), and SEP sesam Client(s). Each module is installed separately. The SEP sesam environment is managed centrally by the SEP sesam GUI.

Additional modules

SEP sesam also provides additional modules and functionality that enable consistent backup of databases (Oracle, MS SQL, IBM DB2, Informix SAP R/3, etc.), applications (such as SAP), groupware systems, and virtualization environments. Some of these extensions are already part of a Client package, others require a separate license to work. For details on licenses, see Licensing.

General requirements

Use the following checklist before installing SEP sesam to ensure a successful installation.

  • Check the latest Release Notes and look for important installation information.
  • Ensure that the target computer is running a supported version of Windows or Linux with the latest updates. Check the SEP sesam OS and Database Support Matrix for details. For a list of all supported extensions and their configuration, see Extensions.
  • The SEP sesam GUI requires a screen resolution of at least 1920x1080 (full HD). In order to adjust SEP sesam for HiDPI displays, make sure that you use the relevant Java version. To adjust your SEP sesam for high-resolution display, refer to HiDPI Display Support.
  • SEP sesam uses name resolution for communication between server and client. You should test the DNS name resolution by simply sending a ping (with long and short name) from the server to the client and back. For details on DNS resolution check, see How to check DNS configuration.
  • Make sure that all SCSI devices used are recognised by the operating system on which you install SEP sesam. SEP sesam checks the storage devices connected to the SCSI bus during installation and adds their data to the database. SEP sesam can only see devices that are recognised by the operating system.
  • It is recommended to disable the firewall to avoid problems during the SEP sesam installation. Once SEP sesam is installed, you can enable the firewall with exceptions for the SEP sesam services.
  • For details on the SEP sesam default ports, see List of Ports Used by SEP sesam.
  • Check the Windows or Linux specific requirements.
Note
Once you have determined how you want to set up your SEP sesam environment, you can install the necessary components. Note that the installation procedure depends on the platform on which you are installing a SEP sesam package and that Java is required on all systems that serve as SEP sesam Server, SEP sesam GUI Client or SEP sesam Remote Device Server (RDS) when Si3 deduplication is used. For details, see Installing and Managing Java.

After you have installed and configured your SEP sesam components according to your environment, SEP sesam provides free updates from previous versions of SEP sesam to new versions and new features within the maintenance period. During this period you can download patches and bug fixes as well as the latest SEP sesam versions, provided you have a valid license. For details, see Updating SEP sesam.


Microsoft Windows installation

Prerequisites

  • Before you start with SEP sesam installation, check the general requirements above.
  • Make sure you are logged in as the local administrator or domain administrator.
  • For remote access via remote desktop connection (RDC), the RDC administrator needs the same access rights as the local administrator.
  • To install any of the SEP sesam components (SEP sesam Server, RDS, Client or GUI), you need an installation file, which you can download from https://download.sep.de/windows/. Make sure you download the correct file for your processor type.
    • The .NET Framework 4 is required for the SEP sesam Server installation and can be deselected for all other SEP sesam components during installation.
  • A SEP sesam Server (including the GUI) and the GUI installation require a Java Runtime Environment (JRE) installed on the system, see Installing and Managing Java and check Java versions.
Note
SEP sesam RDS does not have its own installation package. To install RDS, use the SEP sesam Server package.

Installation

SEP sesam provides four installation packages: SEP sesam Client, SEP sesam GUI, SEP sesam RDS and SEP sesam Server (contains the Client and GUI components). In the following installation example, we use the SEP sesam Server installation package.

  1. Locate the download folder where you saved the SEP sesam installation package and double-click the sesam-srv-<Version_ID>-windows.x<SysType>.exe file to start the installation. Select your installation language and click Next.
  2. Agree to the license agreement and click Next again.
  3. Choose whether you want the SEP sesam services to run under the Standard system account or a Custom user account. It is recommended to give the SEP sesam Server services a Domain user account belonging to the Domain admins and Local administrators groups. After you have selected a user account, click Next.
  4. Select an installation directory for the program files (including the folders <SESAM_ROOT>\bin and <SESAM_ROOT>\skel) and the application data (including the folder <SESAM_ROOT>\var; this folder requires considerable storage space if you are installing a server). Click Next.
  5. In the next window, select which of the four SEP sesam components you want to install (SEP sesam Server, SEP sesam Remote Device, SEP sesam GUI or SEP sesam Client). You can also select additional features, such as SEP sesam BSR Pro or PostgreSQL.
    Note
    • SEP sesam recommends using PostgreSQL for complex enterprise environments with many tasks, high performance expectations (due to PostgreSQL's ability to support multiple concurrent writers and read/write at fast speeds), and security and authentication requirements.
    • Upgrading from SQLite to PostgreSQL is currently not supported, except with the help of SEP support.

    Tip
    The SEP sesam Server package already includes all other components. If you install a Remote Device Server (RDS), you can also include a GUI. If you install a GUI, you can also include the Client.
  6. After you have selected a component, click Next.
  7. Depending on which components you install, proceed accordingly:
    • If you are installing the SEP sesam Server, click Install and then Finish to complete the installation.
    • If you are installing the SEP sesam RDS, the SEP sesam GUI or the SEP sesam Client, enter the name of the SEP sesam Server (in this example, the name of the server is Informatix).
    Note
    You must enter the hostname and not the IP address of the SEP sesam Server. The server name may not contain underscores.

  8. Click Next. The firewall information dialog is for informational purposes only. Take note of the information and click OK. Click Install to install the selected SEP sesam component and then click Finish to complete the installation.

If you have problems or questions about the installation, also see FAQ: Installation and configuration.

Linux

SEP sesam provides RPM packages for the most common Linux distributions (for example, SuSE and RedHat) and DEB files for Debian Linux distributions. The latter run on most Debian-based distributions, such as Ubuntu. For details on SUSE- and RedHat-based distributions, see RPM Repository. For more information on Debian packages, see Debian Repository.

Prerequisites

SEP sesam Server installation

SLES-based distributions

SLES includes the standard tool zypper, which is common for package management. With this tool packages can be installed (and uninstalled) via the command line. Before you install any of the SEP sesam components (e.g., Server, Client or GUI), make sure you have properly configured the RPM repository for SLES-based distributions. For details, see RPM Repository.

The SEP sesam Server package includes all dependencies needed for the standard SEP sesam Server installation. For details on the supported SLES versions, see SEP sesam OS and Database Support Matrix.

On SLES12 it is recommended to install the required Java packages before installing SEP sesam Server to avoid possible installation errors. Use the following command sequence:

zypper install java-11-openjdk

To install or update the SEP sesam Server, use the following command:

# zypper install sesam_srv<version.OS.system_type>
Tip
To perform a simple update without adjusting the dependencies of the installed SEP sesam version, e.g., on SLES11, you can use the command rpm -Uvh (only recommended for advanced administrators!). Alternatively, update the server with the above zypper command.

RHEL/CentOS-based distributions

All RHEL- and CentOS-based distributions include the standard yum tool, which is common for package management. This tool can be used to install (and uninstall) packages from the command line. Before you install any of the SEP sesam components (e.g., Server, Client or GUI), make sure you have properly configured the RPM repository for RHEL-based distributions. For details, see RPM Repository.

The SEP sesam Server package includes all dependencies needed for the standard SEP sesam Server installation. For details on the supported RHEL/CentOS-based versions, see SEP sesam OS and Database Support Matrix.

To install the SEP sesam Server, use the following command:

# yum install sesam_srv<version.OS.system_type>
Note
On RHEL, the SEP sesam installation changes the permissions of /var/run/postgresql to grant PostgreSQL access rights to SEP sesam users.

Debian-based distributions

The Debian-based distribution (Debian/Ubuntu/UCS) includes the standard tool apt-get which is common for package management. With this tool packages can be installed (and uninstalled) via the command line. Before you install any of the SEP sesam components (e.g., Server, Client or GUI), make sure that you have properly configured the Debian repository. For details, see Debian Repository.

The SEP sesam Server package includes all dependencies needed for the standard SEP sesam Server installation. For details on the supported Debian-based versions, see SEP sesam OS and Database Support Matrix.

To install the SEP sesam Server, use the following command:

root@hostname#: apt-get install sesam-srv

Use the following command to install *.deb files:

dpkg -i sesam-srv<version.system_type>.deb
Note
Installing SEP sesam on Debian and Ubuntu requires additional steps. For details, see Debian Repository.

SEP sesam Client installation

Note
As the SEP sesam GUI already contains the client components, the SEP sesam Client package cannot be installed in addition to the GUI.

To install the SEP sesam Client, select the download folder where you have saved the SEP sesam Client installation package.

  • For SLES-based distributions, use the following command:
    # zypper install sesam_cli<version.OS.system_type>

  • For RHEL (Red Hat Enterprise Linux), use the following command:
    # yum install sesam_cli<version.OS.system_type>

  • For Debian-based distributions, use the following command:
    root@hostname#: apt-get install sesam-cli

    Use the following command to install *.deb files:

    dpkg -i sesam-cli<version.system_type>.deb

    Note
    Installing SEP sesam on Debian and Ubuntu requires additional steps. For details, see Debian Repository.

Run the following command on the SEP sesam Client to grant access rights to the SEP sesam Server and allow it to contact and back up the client:

/opt/sesam/bin/sesam/sm_setup set_client <SEP sesam Server Name>

If you have problems or questions about the installation, see FAQ: Installation and configuration.

SEP sesam GUI installation

The SEP sesam GUI package is intended for managing the SEP sesam Server from another computer.
Note: As the GUI component is already included in the SEP sesam Server package, it cannot be installed additionally on the SEP sesam Server.

To install the SEP sesam GUI, select the download folder where you have saved the SEP sesam GUI installation package.

  • For SLES-based distributions, use the following command:
    # zypper install sesam_gui<version.OS.system_type>

  • For RHEL (Red Hat Enterprise Linux), use the following command:
    # yum install sesam_gui<version.OS.system_type>

  • For Debian-based distributions, use the following command:
    root@hostname#: apt-get install sesam-gui

    Use the following command to install *.deb files:

    dpkg -i sesam-gui<version.system_type>.deb

    Note
    Installing SEP sesam on Debian and Ubuntu requires additional steps. For details, see Debian Repository.

On KDE and Gnome, the installation creates a link on the root user's desktop to start the GUI. This link must point to the correct SEP sesam Server. Open the link properties and add the following parameter to the command line:

-S <SEP sesam Server Name>

If you have problems or questions about the installation, see FAQ: Installation and configuration.

To start the SEP sesam GUI, use the following command:

/opt/sesam/bin/gui/sesam_gui -S <hostname_backup_server>

AIX

For information on supported AIX versions and AIX-related available components, see SEP sesam OS and Database Support Matrix.

Prerequisites

  • Before you start with SEP sesam installation, check the general requirements above.
  • Make sure you are logged in as the root user.
  • The installation of the SEP sesam component for AIX (either the SEP sesam Client or the Remote Tape Server can be installed, depending on availability) requires special RPM packages to be installed using the standard RPM package manager (part of the AIX standard installation). You can download the SEP sesam RPM packages from https://download.sep.de/aix/7/ and the required prerequisites from: http://www.oss4aix.org/download/ (openssl and readline) and copy them to the AIX system to /tmp/rpm-packages/. Then install the package via RPM:
    cd /tmp/rpm-packages/
    rpm -i *

    Note
    For AIX version 7.02, the following folder must be created for sm_ssh to work:
    mkdir -p /opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/4.8.3/

  • The SEP sesam GUI requires Java Runtime Environment to be installed on the system. For details on the required Java version, see the Java Compatibility Matrix.

SEP sesam Remote Tape Server or Client installation

  1. Download the relevant SEP sesam package from https://download.sep.de/aix/7/ and copy it to the /tmp directory on your AIX system. The following example shows the installation of the sesam_rts package. The procedure for installing the SEP sesam Client is slightly different; the name of the package is substituted with sesam_cli.
  2. Unzip the archive by using the following commands:
     gunzip sesam-rts-<version>-aix_powerpc.tgz
     tar -xvf sesam-rts-<version>-aix_powerpc.tar

    A new directory sesam_rts_<version> is created:

     # tar -xvf sesam-rts-4.4.2.58-aix_powerpc.tar 
     x sesam_rts_4.4.2.58
     x sesam_rts_4.4.2.58/aix_rts.4.4.2.58.tgz, 22440192 bytes, 43829 media blocks.
     x sesam_rts_4.4.2.58/sm_setup, 2168068 bytes, 4235 media blocks.
  3. Change to the unzipped directory
    cd sesam_rts_<version>
  4. Execute the setup executable sm_setup as root user:
     # cd sesam_rts_<version>
     # ./sm_setup
  5. Follow the wizard and select the relevant components you want to install, tapeserver or client, respectively:
     # ./sm_setup
     Found 1 valid archive(s): 'aix_rts.4.4.2.58.tgz,'.
     What do you want to install? (tapeserver,client)
     tapeserver
  6. Set the installation directory; the recommended location for installing sesam is /opt/sesam. Make sure that there is at least 10 GB of free disk space available. Optionally, choose another installation directory that has enough free space:
     In which directory do you want to install (If not existing it will be created): 
     /opt/sesam/
     In which directory do you want to install (Read-Write): 
     /opt/sesam/
  7. Specify the SEP sesam Server hostname in your environment; you must provide the DNS hostname of your backup server. The DNS Server must be correctly resolved on the AIX system. For details, see How to check DNS configuration.
     To which SEP sesam Server should be connected?
     backupserver.hostname

Once you specify all the required information, the SEP sesam software installation and configuration start. If you have problems starting the SEP sesam services, check the Troubleshooting Guide.

Mac OS X

Prerequisites

  • Make sure you are logged in as a local administrator or domain administrator.
  • If you want to install a GUI, the Java Runtime Environment must be installed on the system. For details on the required Java version, see the Java Compatibility Matrix.

Steps

SEP sesam does not provide a dedicated Mac OS package. You should download the latest SEP sesam Linux GUI package from https://download.sep.de/linux/repositories/debian/pool/main/s/sesam-gui/, copy it to your Mac system and extract it with the command:

 ar x <sesam-gui_4.4.3-xx.lenny_i386.deb> && tar xfz data.tar.gz

Copy the extracted directory to your program files directory; then use the <SESAM_BIN>/gui directory:

/opt/sesam/bin/gui/sesam_gui -S <hostname_backup_server>

Or, if your backup server is a Linux system, you can connect via the command line (X must be enabled) and start the GUI:

/opt/sesam/bin/gui/sesam_gui -S <hostname_backup_server>  

SEP sesam for Mac OS X supports standard file backups with ACLs. Disaster recovery is not supported! If you have problems or questions about the installation, see FAQ: Installation and configuration.

Univention UCS

For the list of supported Univention UCS versions and available SEP sesam components for UCS, check SEP sesam OS and Database Support Matrix.

Prerequisites

Installing SEP sesam on UCS

You can install SEP sesam on UCS by using any of the following options:

Option 1: Installing via the Univention App Center (only the SEP sesam Server and Client)
  1. Open the Univention Management Console in your browser.
  2. Go to Software -> App Center.
  3. Search for SEP sesam.
  4. Install either SEP sesam Server or SEP sesam Client.
Option 2: Installing via the SEP Debian Repository
  1. Open a terminal session as root user.
  2. Enable Univention unmaintained repositories with the following command (this enables the UCS system to install the dependencies for SEP sesam):
    ucr set repository/online/unmaintained=yes
  3. Add the SEP Debian Repository as described in Debian Repository:
    • UCS 4.2 is based on Debian 8 Jessie.
    • UCS 4.3 is based on Debian 9 Stretch.
  4. Update the repositories by using:
    apt update
  5. Install the SEP sesam package via apt. For example, to install the SEP sesam Server package, use:
    apt install sesam-srv

    Other options are listed here: Debian Repository.

Option 3: Installing manually
  1. Open a terminal session as root user.
  2. Enable Univention unmaintained repositories with the following command (this enables the UCS system to install the dependencies for SEP sesam):
    ucr set repository/online/unmaintained=yes
  3. Download the desired installation package from the SEP Download Center.
    • UCS 4.2 is based on Debian 8 Jessie.
    • UCS 4.3 is based on Debian 9 Stretch.
  4. Update the repositories by using:
    apt update
  5. Install the SEP sesam package via apt:
    apt install /path/to/downloadedpackage

Configuring UCS firewall

By default, the Univention firewall is included in all UCS installations, with all incoming ports blocked. You have to enable access to certain ports for SEP sesam to work.

Note
Installing a SEP sesam App Center package automatically opens the required ports for SEP sesam, except for Si3 Replication and REST API.

Disable UCS firewall

You may consider disabling the UCS firewall completely by setting the Univention Configuration Registry variable security/packetfilter/disabled to true:

ucr set security/packetfilter/disabled=yes
service univention-firewall restart

Use SEP sesam with enabled UCS firewall

Check the list of required ports for SEP sesam: List of Ports Used by SEP sesam.

To open a port or a range of ports, use the following commands:

ucr set security/packetfilter/tcp/portnumber_or_portrange/all=ACCEPT
service univention-firewall restart

Client firewall settings

If you want to back up a client behind a firewall using STPD, you have to specify an open port range in the client's STPD Options as follows:

  • Open SEP sesam client Properties and switch to the Options tab. If you have installed a client from the App Center, the port range is 11002-11007.

For more information on client configuration, see Configuring Clients.

Updates

After you have installed and configured your SEP sesam components according to your environment, SEP sesam provides free updates from previous to new versions and features of SEP sesam within the maintenance period. During this period, you can download bug fixes, patches, service packs, and the latest SEP sesam version(s) if you have a valid license.

  • Installing either Windows or Linux-specific distributions is pretty straightforward. For Linux systems, SEP provides special service pack executables that ease the installation of service packs and patches; see Applying Service Packs on Linux.
  • Updating SEP sesam extensions, e.g., BSR Pro for Windows, is done automatically during the SEP sesam update process.
Tip
SEP generally recommends upgrading the SEP sesam Server and Client components to the latest version during the regular upgrade process. For the complete list of releases, see SEP sesam release versions.

SEP may ask you to install a specific update (i.e. fix, patch or service pack) to address a specific issue. To get instantly notified about SEP sesam vulnerabilities and updates, click to subscribe to the SEP sesam RSS feed.

Updating methods and settings

There are a number of options available for updating SEP sesam software.

Install/Update options in GUI
You can set up your server to automatically check, download and install updates, or decide to do it manually. You can update all clients within the location at once or update only OS-specific clients (Windows/Linux update), exclude a particular client from being updated, etc. For details, see Updating SEP sesam.
CLI command sm_update_client
You can perform all of the options mentioned above by using sm_update_client. The sm_update_client command also covers the functionality of the previously used sm_remote_installer and sm_config_client commands, which have been deprecated. For details, see Updating SEP sesam Using CLI.

SEP sesam release cycle

Approximate release frequency of the SEP sesam software is once a year for a major release, followed by a minor SEP sesam release which includes all preceding fixes and also introduces new features and functionality.

SEP sesam provides executable service packs that ease the installation of service packs and patches. Service packs are cumulative and contain all released bug fixes for the corresponding SEP sesam version. Download and installation of service packs are pretty straightforward on Windows and Linux; for the latter, SEP provides special service pack executables that ease the installation of service packs and patches, see Applying Service Packs on Linux.

Remote Installation of Windows Clients

As of Beefalo V2, you can remotely install any SEP sesam package (Client, RDS, etc.) from your SEP sesam Windows Server to any Windows system by using SEP sesam GUI (once your Windows clients are added to SEP sesam environment). You may prefer to use a command line to install SEP sesam remotely. In this case, use the sm_update_client install command as described in Updating SEP sesam Using CLI as the previously used sm_remote_install command is now deprecated.

Step 1: Enable Update mode

After you have installed SEP sesam Windows Server, you can install any SEP sesam package on your Windows clients (Client, RDS, etc.) by using SEP sesam GUI Topology or Clients view. The displayed status details and the options available from the right-click menu in the Topology or Clients view depend on the selected Update mode option. The Install SEP sesam option is only available if your update mode is set up to enable the install/update feature.

By default, SEP sesam does not check, download and install updates. You can change your update mode in SEP sesam menu bar -> Configuration -> Defaults -> click the tab Install/Update and select one of the modes that enable the automatic check function. For details, see Setting preferred update mode.

Step 2: Install SEP sesam remotely

  1. Once you have set the update mode that allows SEP sesam to check for installation and update packages, from Main Selection -> Topology or Clients, right-click the selected Windows client to perform individual installation, then select Install SEP sesam.
  2. A new window opens where you have to specify the following:
    • User: Specify the name of the domain or local admin user account that has installation and backup rights; the latter are required when using the option Run SEP sesam service as given user (see below).
    • Password: Enter the password for the specified local or domain administrator account.
    • Sesam package: Choose the package that you want to install: SEP sesam Client, SEP sesam Remote Device (RDS), or SEP sesam GUI. For each package, you can select to install additional extensions or features by selecting the relevant check box below: install SEP sesam Client with BSR, SEP sesam RDS with BSR and/or GUI, and SEP sesam GUI with BSR and/or Client.
    • Run SEP sesam service as given user: If you are installing Exchange DB or Hyper-V cluster, select this option and run the service under the admin account that has the backup rights (see the first option).
    • Force installation: If you want the installation to be performed in any case, even if a previous version exists or the version is identical or some warnings are encountered during the process, select this option.

Hovering over a client displays information about the installation status.

Applying Service Packs on Linux

SEP sesam provides special service pack executables for Linux systems that ease the installation of service packs and patches. A service pack is cumulative and contains all released fixes for the corresponding SEP sesam version.

The service packs are available for the following components:

Downloading SEP sesam service pack

All service packs are available at the download portal: https://download.sep.de/servicepacks/

To download the service pack for a specific SEP sesam version for Linux, go to https://download.sep.de/servicepacks/<version>/<release_version_number>/linux/, for example, https://download.sep.de/servicepacks/4.4.3/4.4.3.84/linux/.

In the version-specific directory you will find service packs for all supported Linux distributions. The service packs are provided as executable files, named in the following manner:

sesam_patch_srv-<version>_<distribution>_<architecture>-<sesam-version>.sh

The following example shows a SEP sesam service pack for Debian Jessie on x64:

root@system:~# wget "https://download.sep.de/servicepacks/4.4.3/4.4.3.61/linux/sesam_patch_srv-c325b58_jessie_amd64-4.4.3.61.sh"

Installing SEP sesam service pack

Note
  • All commands have to be executed as root user or as an administrative user with the sudo command prefixed.
  • SEP sesam service pack installation will not check for running SEP sesam operations. Applying a patch while some SEP sesam operations are still running, for example backup or migration, will stop all running operations!

After downloading the relevant service pack for your operating system, you must make the downloaded service pack executable:

root@system: ~ # chmod +x sesam_patch_srv-b50baae_sles12_x86_64-4.4.3.25.sh

Then you can continue with the installation:

root@system: ~ # ./sesam_patch_srv-b50baae_sles12_x86_64-4.4.3.25.sh 
Verifying archive integrity... All good.
Uncompressing SEP sesam service pack    37% 

Checking Access State

You can use the Check Access State option to make sure that you have access to your SEP sesam Client(s).

To determine whether the client is accessible, that is, to verify that the SEP sesam software is present on the client, the network connection works and hence the client is reachable from the SEP sesam Server, proceed as follows:

From the SEP sesam GUI

  1. In the SEP sesam GUI -> Main Selection -> Topology, right-click the target SEP sesam Client.
  2. Select Check Access State and click Yes.

Note that the availability of the update/install options depends on your selected update mode. If the update mode is set to Turn off (hide from all users), the option Check Access State is not visible.

In the background, the command for checking the access state (see the section below) is executed asynchronously.

From the SEP sesam Server command line

Execute the following command on SEP sesam Server console:

sm_update_client check_client -C r -c <client_name> -m SMSSH

where the option -C r means that remote access of the client should be checked and -m SMSSH means that ssh should be used to check the connection.

Checking the results in the SEP sesam GUI

You can check the results in Topology in the column Access State, Last Access and Last sesam Message.

Tip
If the Topology columns are not visible, right-click a column header and select the option Column Visibility. Then simply select the relevant check boxes to set up which columns will be displayed.

Updating SEP sesam

Overview

Once you have set up your SEP sesam environment, SEP sesam provides free updates from previous to new versions and features of SEP sesam within the maintenance period. During this period, you can download bug fixes, patches, service packs, and the latest SEP sesam version(s) if you have a valid license. You always have to update the SEP sesam Server first before updating the client software.

Manual and auto update

The SEP sesam software update feature provides an easy way to control your updates. It can be used to either automatically or manually check for and install updates. The following options are available for updating the SEP sesam software.

  • You can set your preferred update mode in GUI Install/Update as explained in the section Setting the preferred update mode. Depending on your selected mode, the displayed status details and the options available from the right-click menu in the Topology or Clients view may vary, see below Checking the update status.
  • Alternatively, you can use the CLI sm_update_client command, as described in Updating SEP sesam Using CLI.
  • You can also update your clients manually by copying the required package to the client and updating directly on the client.

Update process

The SEP sesam software update functionality is designed to check the SEP sesam versions currently in use against the latest versions available from SEP and propose updates when a newer version is available. The process can handle everything needed to update the SEP sesam environment, including installing service packs for SEP sesam Server, SEP sesam Server UI update and clients update. Make sure that you always update the SEP sesam Server first and then the client machines.

The process of auto updating SEP sesam consists of the following:

  1. First, the index.txt file is checked to get the list of all available packages at SEP sesam repository.

    The file index.txt contains the list of all available packages. It is normally downloaded from the SEP Download Center. If you want to update your clients with the locally stored packages (e.g. if your SEP sesam Server has no access to the internet), you have to provide the index.txt file to the update manager manually, as described in Use custom package source. In case more than one package in the index.txt matches a given client, the update routine will always take the last match in the file.

  2. Depending on the selected update mode, SEP sesam packages may be downloaded and installed automatically or manually later by the administrator. Software packages can be downloaded from SEP Download Center.

Note
The automatic creation of the index file takes place only once. The file is created when you enable a local folder as package source (you normally do this only once). Then all packages in this folder are added to the index file (and only the files that are present in the folder).

If you decide to stick to manual updates, you can download and install the relevant Windows- or Linux-specific distribution, as described in SEP sesam Quick Install Guide. For Linux systems, SEP provides special service pack (SP) executables that ease the installation of service packs and patches. Installing on Windows is easy; simply download the executable file for your version of SEP sesam and install it. On Linux, however, you must make the SP executable after downloading it. For details, see Applying Service Packs on Linux. SEP sesam software packages can be downloaded from SEP Download Center.

Setting preferred update mode

You can set your update mode in SEP sesam menu bar -> Configuration -> Defaults -> click the tab Install/Update. The displayed status details and the options available from the right-click menu in the Topology or Clients view depend on the selected update mode. By default, SEP sesam does not check, download and install updates.

Defaults install BeefaloV2.jpg

The following options are available:

  • Turn off (hide from all users): If selected, the install and update feature is not shown in the GUI. No install/update options are visible for any of the users, not even the administrator until this mode is switched on.
  • Do not check or install automatically (default): If selected, updates are not checked, downloaded or installed when a new version is available.
  • Check automatically, but install manually: If selected, updates are checked by using index.txt to get the list of all available packages, but you have to download and install them manually.

    Tip
    To start the download and update process in the background, select Update client from the context menu (Topology -> client -> right-click -> Update client).
  • Check, download and install automatically: If selected, updates are automatically checked, downloaded and installed, based on SEP sesam NEWDAY when a new version is available from the SEP Download Center. This option may not be recommended depending on the configuration of your SEP sesam environment and its activity.

    Note
    This option is available only in advanced UI mode (formerly expert GUI mode). To use the option Check, download and install automatically, make sure your UI mode is set to advanced. For details, see Selecting UI mode.

Use custom SEP sesam package source

By selecting this option, you can update your SEP sesam Clients by using a SEP sesam custom package source, which may be stored locally, on a network drive, or be available at a specified URL. The advantage of using a custom package is that you have full control over the version that is getting installed.

For this, you have to browse for or specify the full path (a file system location) to the index.txt file for the specified custom package. How you specify the path depends on the file location and your OS, see examples below.

Generating index.txt

If the index.txt does not yet exist in the selected folder, it will be created automatically by SEP sesam, taking into account only the files in the specified directory (without subdirectories). This only happens when you activate the custom package source for the first time.

If the index.txt already exists, you have to recreate the file manually to get the list of relative paths of all available packages on your SEP sesam Server. You have to recreate the index.txt file each time you have downloaded a new package version to your custom source folder. To create the index.txt file, open the command prompt and navigate to the directory with your downloaded packages. Depending on your operating system and the location of the packages, run the following command:

Windows

cd C:\temp\sesam_download
dir /B >index.txt

Linux/UNIX

cd /tmp/sesam_download
find . -name "*sesam*" -printf "%P %k %TY-%Tm-%Td %TH:%TM:%TM \n" >index.txt 
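
Because index.txt has to be recreated after every download, a stale index is easy to miss. The following Python check is an added example, not part of SEP sesam: it compares index.txt with the packages actually present in the folder. It assumes that the first whitespace-separated field of each index line is the relative package path, as both commands above produce; the package file names in the demo are constructed.

```python
import os
import sys
import tempfile


def indexed_paths(index_file):
    """Relative package paths listed in index.txt, in file order."""
    paths = []
    with open(index_file, encoding="utf-8") as fh:
        for line in fh:
            fields = line.split()
            if not fields:
                continue
            # 'dir /B' writes the name only, find -printf writes %P first,
            # so the path is always the first field (assumption: no spaces).
            path = fields[0].replace("\\", "/")
            # 'dir /B' also lists index.txt itself; keep package names only.
            if "sesam" in path.rsplit("/", 1)[-1]:
                paths.append(path)
    return paths


def packages_on_disk(folder):
    """Relative paths of files whose name contains 'sesam', like the find call."""
    found = set()
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if "sesam" in name:
                rel = os.path.relpath(os.path.join(root, name), folder)
                found.add(rel.replace(os.sep, "/"))
    return found


def compare_index(folder):
    """Return (not_indexed, dangling) for the index.txt in folder.

    not_indexed: packages on disk that index.txt does not list.
    dangling:    index.txt entries whose file no longer exists.
    """
    listed = set(indexed_paths(os.path.join(folder, "index.txt")))
    on_disk = packages_on_disk(folder)
    return sorted(on_disk - listed), sorted(listed - on_disk)


def demo():
    """Constructed folder: the index predates one package and lists a deleted one."""
    with tempfile.TemporaryDirectory() as folder:
        for name in ("sesam-cli-example-1.rpm", "sesam-cli-example-2.rpm"):
            open(os.path.join(folder, name), "w").close()
        with open(os.path.join(folder, "index.txt"), "w", encoding="utf-8") as fh:
            fh.write("sesam-cli-example-0.rpm 100 2022-01-01 10:00:00 \n")
            fh.write("sesam-cli-example-1.rpm 120 2022-02-01 10:00:00 \n")
        return compare_index(folder)


if __name__ == "__main__":
    # With a folder argument the real package source is checked,
    # without one the constructed demo folder is used.
    not_indexed, dangling = compare_index(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path in not_indexed:
        print("on disk but not in index.txt:", path)
    for path in dangling:
        print("in index.txt but missing on disk:", path)
    sys.exit(1 if not_indexed or dangling else 0)
```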

Specifying path to the index file

  • The package and index.txt are located in the local directory, e.g., in the directory <TEMP>/sesam_download/index.txt. On Windows, specify the path to the index file as:

    file:///C:\temp\sesam_download

    On Linux:

    file:////tmp/sesam_download

    Note
    You have to use the syntax file:, followed by /// or //// and the path to the index file. On Windows, the first 3 forward slashes are mandatory; after them, a backslash is also allowed. On Linux, specify the path with 4 forward slashes (////).
  • The package and index.txt are on a network share, e.g., on Windows: <win_share>\users\admin\sesam\4.4.3

    file:\\<win_share>\users\admin\sesam\4.4.3

    On Linux: <linux_share>/users/admin/sesam/4.4.3_beta

    file://<linux_share>/users/admin/sesam/4.4.3

  • To load the SEP sesam packages from the custom URL, simply enter the URL. For example, to install SEP sesam beta packages enter the SEP sesam beta download repository where the file index.txt is located:

    http://beta.sep.de/

Tip
The latest index.txt file with all available packages can be retrieved from the SEP Download Center.

Checking update status

You can enable the automatic check for updates in the Defaults -> Install/Update menu or you can check the update status manually by using the right-click menu -> option Check Update State. The availability of the latter option depends on your selected update mode, see above Setting preferred update mode.

Topology and Clients view – right-click menu

Topology-right click menu Beefalo V2.jpg

Changed view with bigger icons

Clients view-hover over Beefalo V2.jpg

A message that a client is up to date is shown when there are no available updates (shown below in green frame). If an update is available, a yellow arrow will appear on the client (shown below in yellow frame). For more details on status icons, see Client status icons.

Client state-update.jpg

Performing mass update

You can simultaneously update all clients in the same location or update only the Linux or Windows clients that belong to the selected location. The mass update will update all existing clients in the selected location according to your selected option (all, all Linux or all Windows) except for the SEP sesam Server.

Note
You always have to update the SEP sesam Server first before updating the client software. For details on how to update the server, see the section SEP sesam Server update.

For example, you may have a location that contains both Windows and Linux clients and you only want to update the Linux clients. In this case, select your target location, right-click it and select Update all Linux Clients. The right-click update menu options are available in the Topology and Clients view if your update mode is not set to Turn off (hide from all users); for details, see Setting preferred update mode above.

Client update-all.jpg

Installing SEP sesam Service Pack

You can install SEP sesam service packs by using the Update Client context menu. In the update message window, you can select the option Install SEP sesam client service pack (if available) and the service pack will be installed in addition to the new packages.

  • If you check the update status and there is only a service pack available, the client is marked with New version available. Performing the update with service pack installation will install the service pack.
  • SEP sesam service packs are cumulative and contain all released bug fixes for the corresponding SEP sesam version. SEP sesam sends notifications via RSS feeds to alert administrators of important issues affecting your SEP sesam environment, such as the availability of a service pack, the notification of the error, or the announcement of a new release. These notifications can be accessed in the Notification Center in the upper right corner of the GUI and Web UI.

SP install en.png

SEP sesam Server update

SEP sesam Server cannot be automatically updated. It can only be updated manually by copying/downloading the required package to your SEP sesam Server and then executing it manually.

However, there are two special update options available in the GUI exclusively for the SEP sesam Server: Install UI Server Service Pack (a GUI SP for server) and Install Service Pack.

  • SEP sesam service packs are cumulative and contain all released bug fixes for the corresponding SEP sesam version. SEP sesam sends notifications via RSS feeds to alert administrators of important issues affecting your SEP sesam environment, such as the availability of a service pack, the notification of the error, or the announcement of a new release. These notifications can be accessed in the Notification Center in the upper right corner of the GUI and Web UI.
Note
Whenever you update the server, you also have to update the GUI client because the GUI client and the SEP sesam Server have to work with the same GUI.

Client server-update.jpeg

Verifying updates

You can easily check whether your update was successful by checking the log files or the client status in the Topology or Clients view, if you have enabled either of the following two modes: Check automatically, but install manually or Check, download and install automatically (see above Setting preferred update mode).

If you have selected the Turn off update mode and you want to check if the update was successful, proceed as follows:

  1. Check the connection between a GUI client and the SEP sesam Server. The connection should work.
  2. Open the SEP sesam GUI and from the menu bar select Help -> About SEP sesam. Both the SEP sesam GUI client and the SEP sesam GUI Server must have the same build version.


How to check DNS configuration

Overview

Certain problems can occur when configuring new clients in SEP sesam if the DNS server is incorrectly configured or missing. SEP sesam needs a correct DNS to work and will not work with just an IP address. All DNS names must be correctly resolved (forward and reverse DNS lookup).

If the DNS server is missing, you will have to use the hosts file of the client and backup server to make systems available via a DNS name. The hosts file can be found in the following locations:

Linux
/etc/hosts
Windows
C:\Windows\system32\drivers\etc\hosts
Note
The hostname of the SEP sesam server may not include an underscore "_" sign. For hostname restrictions, see Restrictions on valid host names.

Tools for checking DNS resolution

Several tools are available to check DNS resolution. However, SEP recommends the use of sm_setup check_resolution.

sm_setup check_resolution (recommended)

The SEP sesam sm_setup tool is part of the SEP sesam Client and Server installation and can be used from the command line to resolve DNS names. Before using this tool, you need to set up a SEP sesam profile as described in FAQ: What happens when I set up a profile?

SEP recommends that you run this command on the backup server AND on the client with the same arguments. It is important that the client and the backup server are resolved correctly.

Syntax
Client:~ # sm_setup check_resolution backupserver
Calling getaddrinfo with 'backupserver'

        Official name: backupserver.sep.de
        IPv4 Address #1: 172.16.1.146

Calling getnameinfo for IP Address #1 '172.16.1.146'

        Official name: backupserver.sep.de
        Alternate name: backupserver
Client:~ # sm_setup check_resolution client
Calling getaddrinfo with 'client'

        Official name: client.sep.de
        IPv4 Address #1: 172.16.1.145

Calling getnameinfo for IP Address #1 '172.16.1.145'

        Official name: client.sep.de
        Alternate name: client


Backupserver:~ # sm_setup check_resolution client
Calling getaddrinfo with 'client'

        Official name: client.sep.de
        IPv4 Address #1: 172.16.1.145

Calling getnameinfo for IP Address #1 '172.16.1.145'

        Official name: client.sep.de
        Alternate name: client

Backupserver:~ # sm_setup check_resolution backupserver
Calling getaddrinfo with 'backupserver'

        Official name: backupserver.sep.de
        IPv4 Address #1: 172.16.1.146

Calling getnameinfo for IP Address #1 '172.16.1.146'

        Official name: backupserver.sep.de
        Alternate name: backupserver


The returned addresses and hostnames must match. If the reverse resolve returns an official name that is different from the name specified on the command line, problems will occur when backing up the client (see Common error messages).
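
The forward-then-reverse comparison that sm_setup check_resolution prints can also be scripted for a list of host names. The following Python code is an added example, not SEP code: it uses the system resolver, so hosts file entries are honoured, and it treats a name as consistent when the reverse lookup returns the official name of the forward lookup and the queried name is that name or its short form, which is an interpretation of the sample output above. The client2 entry and its addresses are constructed.

```python
import socket
import sys


def norm(name):
    """Lower-case a host name and drop a trailing dot so names compare cleanly."""
    return name.rstrip(".").lower()


def system_forward(name):
    """Forward lookup via getaddrinfo: returns (official_name, [IPv4, ...])."""
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM,
                               flags=socket.AI_CANONNAME)
    official = infos[0][3] or name      # canonical name is set on the first entry
    return official, sorted({info[4][0] for info in infos})


def system_reverse(ip):
    """Reverse lookup via getnameinfo; NI_NAMEREQD makes a missing name an error."""
    return socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)[0]


def check_resolution(name, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means forward and reverse agree."""
    try:
        official, addresses = forward(name)
    except socket.gaierror as exc:
        return [f"{name}: forward lookup failed ({exc})"]
    problems = []
    # The queried name must be the official name or its short form.
    if norm(name) not in (norm(official), norm(official).split(".")[0]):
        problems.append(f"{name}: forward lookup returned unrelated name {official}")
    for ip in addresses:
        try:
            back = reverse(ip)
        except socket.gaierror as exc:
            problems.append(f"{ip}: reverse lookup failed ({exc})")
            continue
        if norm(back) != norm(official):
            problems.append(f"{ip}: reverse lookup returned {back}, "
                            f"forward lookup returned {official}")
    return problems


# Constructed resolver tables for an offline run. The first two entries mirror
# the sample output above; client2 is a made-up host with a stale reverse entry.
DEMO_FORWARD = {
    "backupserver": ("backupserver.sep.de", ["172.16.1.146"]),
    "client": ("client.sep.de", ["172.16.1.145"]),
    "client2": ("client2.sep.de", ["172.16.1.147"]),
}
DEMO_REVERSE = {
    "172.16.1.146": "backupserver.sep.de",
    "172.16.1.145": "client.sep.de",
    "172.16.1.147": "oldhost.sep.de",
}


def demo_forward(name):
    if name not in DEMO_FORWARD:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return DEMO_FORWARD[name]


def demo_reverse(ip):
    if ip not in DEMO_REVERSE:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return DEMO_REVERSE[ip]


if __name__ == "__main__":
    names = sys.argv[1:]
    if names:       # real lookups against the system resolver
        results = {n: check_resolution(n) for n in names}
    else:           # offline run on the constructed tables
        results = {n: check_resolution(n, demo_forward, demo_reverse)
                   for n in DEMO_FORWARD}
    for n, found in results.items():
        print(n, "OK" if not found else "; ".join(found))
    sys.exit(1 if any(results.values()) else 0)
```

Run it with the same host names on the backup server and on the client, as recommended for sm_setup, and compare the two results.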

nslookup (Windows and Linux)

The nslookup tool is a network administration command-line tool for querying the DNS to obtain a hostname or IP address.

It is useful for troubleshooting DNS issues, but not for full hostname resolution as it ignores the hosts file. SEP sesam resolves its hostnames via the "common library function" and first uses the hostname specified in the hosts file of the system. By default, nslookup translates a domain name to an IP address (or vice versa).

Use the nslookup command to check that the name resolution is correct: forward with and without FQDN as well as reverse. Check on the SEP sesam Server AND on the SEP sesam Client. If DNS is not used and the verification is done via the etc/hosts file, use ping to check individual clients.

Syntax
       nslookup {client}
       nslookup {IP-Address of client}                         # important reverse lookup
       nslookup {SEPsesam Server name}
       nslookup {IP-Address of SEPsesam Server}                # important reverse lookup

Example: check mysesam name resolution and reverse lookup:

     #>nslookup mysesam
     Server:   dns.domaine.de
     Address:  192.168.1.254
     Name:     mysesam.domaine.de
     Address:  192.168.1.1
     #>nslookup 192.168.1.1
     Server:   dns.domaine.de
     Address:  192.168.1.254
     Name:     mysesam.domaine.de
     Address:  192.168.1.1

host (Linux only)

The host command can also be used to resolve a hostname into an IP address and vice versa. It defaults to the name server configured in /etc/resolv.conf but can also be used with a DNS server as an additional argument. It will query the DNS server of the system first.

Syntax
Client:~ # host backupserver
                     backupserver.sep.de has address 172.16.1.146

Client:~ # host 172.16.1.146
                     146.1.16.172.in-addr.arpa domain name pointer backupserver.sep.de

ping

ping is a network administration software utility used to test the reachability of a destination device on an IP network via ICMP echo request. It is not a suitable tool for checking DNS resolution and will not always be 100% correct. Although ping resolves an IP address, it is not strictly a name server lookup tool and may return a potentially outdated cached result.

In addition, ping cannot correctly reverse-resolve DNS names. For more details, see the ping description on Wikipedia.

Common error messages

The following common error messages indicate that there is a problem with your name resolution:

CLIENT_HOSTNAME: Login to stpd from <CLIENT_HOSTNAME> to <SESAM_SERVER_HOSTNAME> incorrect.
Login incorrect. Client resolves his IP address [X.X.X.X] to [RANDOM_HOSTNAME], but server resolves it to [X.X.X.X]. Please adjust your name resolution.  (0)

In this case, check your name resolution (DNS or etc/hosts file). The SEP sesam Server and the SEP sesam Client must be reachable with or without FQDN and should be able to resolve each other and also themselves correctly, including reverse lookup.

If you have changed an entry in your DNS configuration, but Windows still reports a wrong hostname/IP, try running ipconfig /flushdns as administrator.

Uninstalling SEP sesam

A complete SEP sesam environment consists of different components (SEP sesam Server, SEP sesam Client, etc.) or modules, which can be installed and combined according to your needs to implement optimized backup. If any SEP sesam component has to be removed from a system, for example, after a failed installation or if the current installation is corrupted, it is important to follow the correct uninstallation procedure. This procedure is operating system dependent.

Typically, uninstalling a SEP sesam package removes all related files. However, in some scenarios, you may have to troubleshoot uninstallation issues or take extra steps, as described in Troubleshooting external components – BSR Pro.

Uninstalling SEP sesam on Windows

There are three different ways to uninstall SEP sesam components on Windows:

  1. Double-click the installed MSI or SEP sesam package, click Continue, select Remove and click Next to uninstall SEP sesam from your system completely.
  2. Open Control Panel -> Add or remove programs or Programs and Features (depending on OS) and select the relevant SEP sesam component. Then click Uninstall.

    Tip
    After a successful and complete uninstall, the keys listed below (see registry entries) should no longer exist. If any of the listed keys is still present, it can be deleted manually as described in the next procedure.
  3. If the procedures above cannot be successfully applied, you have to manually remove the SEP sesam installation.

    Note
    The following steps describe how to modify the registry. If you modify the registry incorrectly, serious problems might occur. If you are not sure about what you are doing, we recommend that you contact SEP support at support@sep.de for assistance.
    1. In the Command Prompt, execute "C:\Program Files\SEPsesam\bin\sesam\sm_main" stop.
    2. Open the Task Manager and search for processes beginning with sm_ or with sm_main; if any running processes are found, terminate them.
    3. In the Start menu/Search box, type regedit and press Enter. The Windows Registry Editor window opens.
    4. Delete the registry entries:

      HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\7737007073521AA...
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7737007073521AA...
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F92326AFAEF5DA...
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sm_main
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SEP sesam BSR Pro

    5. Delete directories C:\Program Files\SEPsesam and C:\ProgramData\SEPsesam\....

Uninstalling SEP sesam on Linux

The uninstallation procedure on Linux depends on the installation type (RPM, DEB, etc.). For details on different installation types, see Linux Quick Install Guide.

Uninstalling tar archive (TGZ)

First, you have to make sure that your SEP sesam component was installed from a tar archive. Then uninstall SEP sesam with the command:

/opt/sesam/bin/sesam/sm_setup delete

Uninstalling RPM package

If you are uninstalling the Linux installation with RPM, use the following commands. The first command identifies the package name and the second command removes the SEP sesam Server from the system:

smsrv:~ # rpm -qa | grep sesam
sesam_srv-4.4.3-64.sles11
smsrv:~ #
smsrv:~ # rpm -e sesam_srv-4.4.3-64.sles11
smsrv:~ #
Note
You can use the same procedure for uninstalling other SEP sesam components.

Uninstalling Debian package

If uninstalling the Linux installation with dpkg, use the following commands. The first command identifies the package name and the second command removes the SEP sesam Server from the system:

smsrv:~ # dpkg -l | grep sesam 
ii  sesam-srv   4.4.3-64.stretch~pg   amd64   SEP sesam server for Linux
smsrv:~ #
smsrv:~ # dpkg -r sesam-srv
smsrv:~ #

Uninstalling SEP sesam manually

If the procedures described above are not possible, the following steps are required to manually remove the SEP sesam installation:

Warning
Incorrectly performing the following steps can result in database corruption and loss of data. If you are not sure about what you are doing, we recommend that you contact SEP support at support@sep.de for assistance.
  1. Stop all SEP sesam services with the command:

    systemctl stop sepsesam.service    # distributions with SYSTEMD start system
    /etc/init.d/sesam stop             # distributions with INIT start system
    /opt/sesam/bin/sesam/sm_main stop
    /opt/sesam/bin/sesam/sm_shutdown

  2. SEP sesam processes that are still running are identified with ps fax | grep sm_. If the output looks similar to the following, then the stop command was not successful. If just a few processes remain, only these are displayed.

    smsrv:~ # ps fax | grep sm_
    4433 ? S 0:00 /opt/sesam/bin/sesam/sm_qm_main
    4449 ? S 0:00 \_ /bin/sh /opt/sesam/bin/db/sm_db_main
    4464 ? S 0:00 \_ /opt/sesam/bin/sms/sm_passd
    4476 ? S 0:00 \_ /opt/sesam/bin/sms/sm_stpd_main
    4489 ? S 0:00 \_ /opt/sesam/bin/sesam/sm_ctrld_main
    4519 ? S 0:00 \_ /opt/sesam/bin/sesam/sm_sepuler -d
    4597 ? S 0:00 \_ /bin/sh /opt/sesam/bin/sesam/sm_rmi_main
    4760 ? Sl 0:01 | \_ java -classpath /opt/sesam/bin/gui//sm_rmigui.jar -
    Djava.rmi.server.hostname=smsrv -Djava.security.policy=/var/opt/sesam/var/ini//
    sm_java.policy de.sep.sesam.gui.server.GUIServer -c11401 -D11401 -rde
    5136 ? S 0:00 \_ /opt/sesam/bin/sms/sm_sms_main
    5138 ? S 0:00 | \_ sm_data_server 0 MAIN
    5141 ? S 0:00 | | \_ sm_data_server 0 ADMIN
    5142 ? S 0:00 | | \_ sm_data_server 0 KILLADMIN
    5143 ? S 0:00 | | \_ sm_data_server 0 DATA
    5144 ? S 0:00 | | \_ sm_data_server 0 DATA
    5145 ? S 0:00 | | \_ sm_data_server 0 DATA
    5162 ? S 0:00 | | \_ sm_data_server 0 DATA
    5163 ? S 0:00 | | \_ sm_data_server 0 DATA
    5164 ? S 0:00 | | \_ sm_data_server 0 DATA
    5165 ? S 0:00 | | \_ sm_data_server 0 DATA
    5166 ? S 0:00 | | \_ sm_data_server 0 DATA
    5187 ? S 0:00 | | \_ sm_data_server 0 DATA
    5188 ? S 0:00 | | \_ sm_data_server 0 TAPE
    ...

  3. Remove all running processes from the system. The following list shows how to shut down the SEP sesam main process first. If this does not work, you have to terminate the remaining processes with kill <PID>. If this does not work either, then you have to use the hammer method to remove these processes from the system.
    • killall /opt/sesam/bin/sesam/sm_qm_main command tries to terminate all processes that depend on sm_qm_main.
    • kill 4433 command tries to terminate the process sm_qm_main (see the process list above).
    • kill -9 4433 command is the hammer method and removes the process from the system.
  4. Remove the SEP sesam configuration files from the etc directory:

    smsrv:~ # rm -v /etc/*sesam*
    removed ‘/etc/sesam2000.ini’
    removed ‘/etc/sesam_cmdusers.allow’

  5. Remove the start scripts from the Linux system:

    chkconfig -d sesam                         # INIT
    rm /etc/init.d/sesam                       # INIT
    systemctl disable sepsesam.service         # SYSTEMD
    rm /lib/systemd/system/sepsesam.service    # SYSTEMD

  6. Remove the SEP sesam directory:

    rm -rf /opt/sesam
    rm -rf /var/opt/sesam

  7. Remove the database entry from the package database:

    SUSE and Red Hat
    rpm -e --justdb sesam_srv-4.4.3-64.sles11

    Debian
    dpkg --purge sesam-srv

    

Troubleshooting external components – BSR Pro

Any incorrect uninstallation could leave invalid registry entries behind. In the case of SEP sesam, uninstallation may fail and leave behind external component files or packages, such as SEP sesam BSR Pro. As the uninstaller information is typically corrupted after a failed uninstallation, you have to get rid of any potentially harmful registry leftovers to ensure normal operation of SEP sesam. There are two possible ways to deal with failed uninstallation leftovers.

  1. The best way to uninstall these components is to use the installer; you should first reinstall BSR Pro in order to repair it, and only then uninstall it again.

    Tip
    After a successful and complete uninstall of the BSR Pro component, the keys listed below (see registry entries) should no longer exist. If any of the listed keys is still present, it can be deleted manually as described in the next procedure.
  2. If the procedure above cannot be successfully applied, you have to manually remove the BSR Pro installation.

    Note
    The following steps describe how to modify the registry. If you modify the registry incorrectly, serious problems might occur. If you are not sure about what you are doing, we recommend that you contact SEP support at support@sep.de for assistance.
    1. In the Start menu/Search box, type regedit and press Enter. The Windows Registry Editor window opens.
    2. Delete the registry entries:

      HKEY_LOCAL_MACHINE\SOFTWARE\O&O\O&O DiskImage
      HKEY_LOCAL_MACHINE\SOFTWARE\O&O\O&O LiveUpdate\SEP sesam BSR Pro



Part IV: SEP sesam Processes and Commands

SEP sesam Processes

Overview

The following list introduces SEP sesam processes that are required for uninterrupted operation of the SEP sesam Server. You can use different commands to check the functionality of the individual processes. For example, you can use the command sm_main status to see if all daemons are running. You can also check the status of the SEP sesam processes in the GUI (Main Selection -> Monitoring -> Processes).

Note that antivirus programs may disrupt network communication and cause SEP sesam processes, such as backup and replication, to fail. One program that is known to cause SEP sesam processes to terminate is Sophos Firewall with IPS (Intrusion Prevention System) enabled. Make sure that there are no antivirus, firewall, IDS or IPS programs preventing interaction with SEP sesam.

Daemon summary

Use the command sm_main status to quickly check whether all relevant daemons are running on a computer where SEP sesam is installed or whether one is missing. As additional information, you can see the general version of SEP sesam and when the individual sub processes were (re)started.

Windows
C:\Program Files\SEPsesam\bin\sesam>sm_main status
2019-04-30 19:01:34: $Id: 30e8e5a23e (HEAD -> v4_4_3_4, tag: v_4_4_3_64, tag: v4_4_3_4_build, origin/v4_4_3_4) 2018-10-22 10:30:29 +0200 $
2019-04-30 19:01:34: VERSION='server,4.4.3.64,20190319141846'
2019-04-30 19:01:34: sm_main[5588]
2019-04-30 19:01:34: Arguments: sm_main status
2019-04-30 19:01:34: Daemons: ['qm', 'passd', 'sms', 'stpd', 'ctrl', 'sshd', 'sepuler', 'rmi']
2019-04-30 19:01:34: qm         [  2884]: online
2019-04-30 19:01:34: Found job:   2    passd                 0      4076 2019-03-19 14:27:37
2019-04-30 19:01:34: passd      [  4076]: online
2019-04-30 19:01:34: Found job: 1788    sms                   0      7692 2019-04-30 08:00:18
2019-04-30 19:01:34: sms        [  7692]: online
2019-04-30 19:01:34: Found job:   4    stpd                  0      4016 2019-03-19 14:27:37
2019-04-30 19:01:34: stpd       [  4016]: online
2019-04-30 19:01:34: Found job:   5    ctrl                  0      2420 2019-03-19 14:27:38
2019-04-30 19:01:34: ctrl       [  2420]: online
2019-04-30 19:01:34: Found job:   6    sshd                  0      2260 2019-03-19 14:27:38
2019-04-30 19:01:34: sshd       [  2260]: online
2019-04-30 19:01:34: Found job:   7    sepuler               0      3676 2019-03-19 14:27:39
2019-04-30 19:01:34: sepuler    [  3676]: online
2019-04-30 19:01:34: Found job:   8    rmi                   0      7976 2019-03-19 14:27:39
2019-04-30 19:01:34: rmi        [  7976]: online
2019-04-30 19:01:34: Found job:  39    sds-11                0      6796 2019-04-30 11:42:17
2019-04-30 19:01:34: sds-11     [  6796]: online
STATUS=SUCCESS MSG=All daemons online

Linux/Unix
backupsrv:/opt/sesam/bin/sesam # ./sm_main status
2019-04-30 18:58:06: $Id: 30e8e5a (HEAD, tag: v_4_4_3_64, tag: v4_4_3_4_build, origin/v4_4_3_4, v4_4_3_4) 2018-10-22 10:30:29 +0200 rev:48355
2019-04-30 18:58:06: VERSION='server,4.4.3.64,20181024102619'
2019-04-30 18:58:06: sm_main[21443]
2019-04-30 18:58:06: Arguments: ./sm_main status
2019-04-30 18:58:06: Found SDS configuration file: "/var/opt/sesam/var/ini/stpd_conf/Si3-Store_2.ini"
2019-04-30 18:58:06: ATTENTION: Java options for SDS set in sm.ini to: -Xms10080M -Xmx10080M
2019-04-30 18:58:06: Daemons: ['qm', 'db', 'passd', 'sms', 'stpd', 'ctrl', 'sshd', 'sepuler', 'rmi', 'ui', 'sds-2']
2019-04-30 18:58:06: qm         [  4126]: online
2019-04-30 18:58:06: Found job:   2    db                    0      4137 2019-01-14 20:21:08
2019-04-30 18:58:06: Check DB service. Retry: 1
2019-04-30 18:58:06: db         [  4137]: online
2019-04-30 18:58:06: Found job:   3    passd                 0      4316 2019-01-14 20:21:15
2019-04-30 18:58:06: passd      [  4316]: online
2019-04-30 18:58:06: Found job:  15    sms                   0      6102 2019-01-14 20:21:37
2019-04-30 18:58:06: sms        [  6102]: online
2019-04-30 18:58:06: Found job:   5    stpd                  0      4332 2019-01-14 20:21:15
2019-04-30 18:58:06: stpd       [  4332]: online
2019-04-30 18:58:06: Found job:   6    ctrl                  0      4339 2019-01-14 20:21:16
2019-04-30 18:58:06: ctrl       [  4339]: online
2019-04-30 18:58:06: sshd               : unused
2019-04-30 18:58:07: Found job: 25068    sepuler               0      5849 2019-03-27 17:13:23
2019-04-30 18:58:07: sepuler    [  5849]: online
2019-04-30 18:58:07: Found job: 29267    rmi                   0     18503 2019-04-26 18:23:24
2019-04-30 18:58:07: rmi        [ 18503]: online
2019-04-30 18:58:07: ui                 : unused
2019-04-30 18:58:07: Found job: 29268    sds-2                 0     18618 2019-04-26 18:23:25
2019-04-30 18:58:07: sds-2      [ 18618]: online
STATUS=SUCCESS MSG=All daemons online
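
The daemon check above can be automated. The following Python sketch is an added example, not part of SEP sesam or its documentation: it parses sm_main status output in the format shown above and reports daemons that are listed but have no status line, or whose state is neither online nor unused. The sample text, the state name "offline" and the failing STATUS line are constructed assumptions, since this page only shows healthy output.

```python
import re

# Constructed sample in the format of the Linux output above: the stpd status
# line is removed, sms is given the assumed state "offline", and the final
# STATUS line is an assumed failure form (the page only shows SUCCESS).
SAMPLE = """\
2019-04-30 18:58:06: Arguments: ./sm_main status
2019-04-30 18:58:06: Daemons: ['qm', 'db', 'passd', 'sms', 'stpd', 'sshd']
2019-04-30 18:58:06: qm         [  4126]: online
2019-04-30 18:58:06: Found job:   2    db                    0      4137 2019-01-14 20:21:08
2019-04-30 18:58:06: Check DB service. Retry: 1
2019-04-30 18:58:06: db         [  4137]: online
2019-04-30 18:58:06: Found job:   3    passd                 0      4316 2019-01-14 20:21:15
2019-04-30 18:58:06: passd      [  4316]: online
2019-04-30 18:58:06: sms        [  6102]: offline
2019-04-30 18:58:06: sshd               : unused
STATUS=ERROR MSG=constructed
"""

TS = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: "
# "Daemons: ['qm', 'db', ...]" - the daemons sm_main expects on this host
DAEMON_LIST = re.compile(TS + r"Daemons: \[(.*)\]\s*$")
# "qm         [  4126]: online"  or  "sshd               : unused"
DAEMON_LINE = re.compile(TS + r"([\w-]+)\s+(?:\[\s*(\d+)\])?\s*:\s*(\w+)\s*$")
# Final summary line, e.g. "STATUS=SUCCESS MSG=All daemons online"
FINAL = re.compile(r"^STATUS=(\w+)\s+MSG=(.*)$")


def parse_status(text):
    """Return (expected daemon names, {name: (pid or None, state)}, final status)."""
    expected, states, final = [], {}, None
    for line in text.splitlines():
        m = DAEMON_LIST.match(line)
        if m:
            expected = re.findall(r"'([^']+)'", m.group(1))
            continue
        m = DAEMON_LINE.match(line)
        if m:
            name, pid, state = m.groups()
            states[name] = (int(pid) if pid else None, state)
            continue
        m = FINAL.match(line)
        if m:
            final = m.group(1)
    return expected, states, final


def find_problems(text, ok_states=("online", "unused")):
    """List (daemon, reason) pairs that need attention; empty list means healthy."""
    expected, states, final = parse_status(text)
    problems = []
    # Daemons such as sds-11 can report a state without being in the list,
    # so check those as well.
    extras = [name for name in states if name not in expected]
    for name in expected + extras:
        if name not in states:
            problems.append((name, "no status line"))
        elif states[name][1] not in ok_states:
            problems.append((name, states[name][1]))
    if final != "SUCCESS":
        problems.append(("STATUS", final or "missing"))
    return problems


if __name__ == "__main__":
    for daemon, reason in find_problems(SAMPLE):
        print(f"{daemon}: {reason}")
```

Pass ok_states=("online",) to have the script also report daemons that sm_main shows as unused, for example sshd on a host where the encrypted control channel is expected.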

Description of the SEP sesam processes

sm_qm_main

This is the main process of the SEP sesam process structure. All other SEP sesam processes derive from it. The queue manager follows all individual drive queues. This process has to run on SEP sesam Server, SEP sesam RDS and SEP sesam Client.

Windows

The sm_qm_main process is associated with the service SEP Sesam visible in the Windows services list.

On Windows, all processes can be found in the Task Manager or on the command line as a tree view.

C:\Program Files\SEPsesam\bin\sesam>sm_list -t | findstr sm_
    sm_qm_main.exe (2884)
      sm_passd.exe (4076)
      sm_stpd_main.exe (4016)
      sm_ctrld_main.exe (2420)
      sm_sshd.exe (2260)
      sm_sepuler.exe (3676)
      sm_java.exe (7976)
      sm_sms_watch.exe (4556)
      sm_sms_watch.exe (4740)
      sm_sms_watch.exe (5464)
      sm_sms_watch.exe (4408)
      sm_sms_watch.exe (7024)
      sm_sms_main.exe (7692)
        sm_data_server.exe (2432)
        sm_data_server.exe (1320)
  sm_javaw.exe (3700)
  sm_list.exe (3832)

C:\Program Files\SEPsesam\bin\sesam>sm_kill list | findstr sm_
 2884  (0x0B44)    "C:\Program Files\SEPsesam\bin\sesam\sm_qm_main.exe"
 4076  (0x0FEC)    "C:\Program Files\SEPsesam\bin\sms\sm_passd.exe" -D
 4016  (0x0FB0)    "C:\Program Files\SEPsesam\bin\sms\sm_stpd_main.exe" -D
 2420  (0x0974)    "C:\Program Files\SEPsesam\bin\sesam\sm_ctrld_main.exe" -D
 2260  (0x08D4)    "C:\Program Files\SEPsesam\bin\sesam\sm_sshd.exe" -D
 3676  (0x0E5C)    "C:\Program Files\SEPsesam\bin\sesam\sm_sepuler.exe" -D
 7976  (0x1F28)    "C:\Program Files\SEPsesam\bin\sesam\sm_java.exe" server -ren
 6140  (0x17FC)    "C:\Program Files\Java\jre1.8.0_111\bin\java" -classpath "C:\Program Files\SEPsesam\bin\gui\sm_ui.jar" -Djava.rmi.server.hostname=backupsrv -Dsep.sesam.config="C:\ProgramData\SEPsesam\var\ini\sm.ini" -Djava.security.policy="C:\ProgramData\SEPsesam\var\ini\sm_java.policy" de.sep.sesam.gui.server.GUIServer -ren
 4556  (0x11CC)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 0
 4740  (0x1284)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 4
 5464  (0x1558)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 11
 4408  (0x1138)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 13
 7024  (0x1B70)    "C:\Program Files\SEPsesam\bin\sesam\sm_sms_watch.exe" 14
 3700  (0x0E74)    "C:\Program Files\SEPsesam\bin\sesam\sm_javaw.exe" client -uAdministrator -Sbackupsrv -lwindows -p11401 -P local -v2 -ren
 4832  (0x12E0)    "C:\Program Files\Java\jre1.8.0_111\bin\javaw.exe" -Djava.io.tmpdir="C:\Users\ADMINI~1\AppData\Local\Temp\2" "-splash:C:\Program Files\SEPsesam\bin\gui\splash\splash.png" -classpath "C:\Program Files\SEPsesam\bin\gui\sm_ui.jar" de.sep.sesam.gui.client.Frame -uAdministrator -Sbackupsrv -lwindows -p11401 -P local -v2 -ren
 7692  (0x1E0C)    "C:\Program Files\SEPsesam\bin\sms\sm_sms_main.exe" -D
 2432  (0x0980)    sm_data_server.exe 2
 1320  (0x0528)    sm_data_server.exe 3
 3776  (0x0EC0)    C:\Windows\system32\cmd.exe  /K "C:\ProgramData\SEPsesam\var\ini\sm_prof.bat"
 5624  (0x15F8)    sm_kill  list

Linux/Unix

On modern Linux this process is associated with the systemd unit "sepsesam.service". On systems with SysV-style init this process is called by the init script /etc/init.d/sesam.
Use the commands pstree and ps to search for its sub-processes.

backupsrv:/opt/sesam/bin/sesam # pstree | grep sm_
     |-sm_qm_main-+-java---98*[{java}]
     |            |-sm_ctrld_main
     |            |-sm_passd
     |            |-sm_postgres---su---postmaster---10*[postmaster]
     |            |-sm_restore
     |            |-sm_rmi_main---java---91*[{java}]
     |            |-sm_sepuler
     |            |-sm_sms_main
     |            |-4*[sm_sms_watch]
     |            `-sm_stpd_main-+-sm_stpd_utl_mai
     |                           `-4*[{sm_stpd_main}]
backupsrv:/opt/sesam/bin/sesam # ps -ef | grep sm_
root      4126     1  0 Jan14 ?        02:09:17 /opt/sesam/bin/sesam/sm_qm_main
root      4137  4126  0 Jan14 ?        00:00:00 /bin/sh /opt/sesam/bin/sesam/sm_postgres
root      4316  4126  0 Jan14 ?        00:00:00 /opt/sesam/bin/sms/sm_passd
root      4332  4126  0 Jan14 ?        17:22:30 /opt/sesam/bin/sms/sm_stpd_main
root      4339  4126  0 Jan14 ?        00:00:00 /opt/sesam/bin/sesam/sm_ctrld_main
root      4348  4332  0 Jan14 ?        00:05:51 /opt/sesam/bin/sms//sm_stpd_utl_main 0
root      4647  4126  0 Jan14 ?        00:06:00 /opt/sesam/bin/sesam/sm_sms_watch 0
root      5849  4126  0 Mar27 ?        00:21:02 /opt/sesam/bin/sesam/sm_sepuler -d
root      6102  4126  0 Jan14 ?        00:00:00 /opt/sesam/bin/sms/sm_sms_main
root      6253  4126  0 Jan14 ?        16:09:58 /opt/sesam/bin/sesam/sm_sms_watch 2
root      6404  4126  0 Jan14 ?        00:56:51 /opt/sesam/bin/sesam/sm_sms_watch 3
root     13106  4126  0 Jan18 ?        00:33:41 /opt/sesam/bin/sesam/sm_sms_watch 1
root     15092 22052  0 18:25 pts/0    00:00:00 grep --color=auto sm_
root     18503  4126  0 Apr26 ?        00:00:00 /bin/sh /opt/sesam/bin/sesam/sm_rmi_main
root     18618  4126 24 Apr26 ?        23:04:29 /opt/sesam/bin/sesam/java -Xmx5004M -XX:MaxDirectMemorySize=5204M -Xms10080M -Xmx10080M -classpath /opt/sesam/bin/sds/i2dedup-server.jar -Dlogback.configurationFile=/var/opt/sesam/var/ini/sm_sdslog.xml -Dgv_rw_stpd=/var/opt/sesam/var/log/sms -Ddrive_num=2 -Dconfig.inifile=/var/opt/sesam/var/ini/stpd_conf/Si3-Store_2.ini i2.dedup.streaming.BinaryProtocolServer start
root     18759 18503  8 Apr26 ?        07:46:53 java -classpath /opt/sesam/bin/gui//sm_ui.jar -Dsep.sesam.config=/var/opt/sesam/var/ini/sm.ini -Djava.rmi.server.hostname=backupsrv.sep.de -Dfile.encoding=UTF-8 -Djava.security.policy=/var/opt/sesam/var/ini//sm_java.policy de.sep.sesam.gui.server.GUIServer -p11401 -ren
root     29964  4126  5 17:06 ?        00:04:31 /opt/sesam/bin/sesam/sm_restore -I 20190430170610436@3Hc_4aCsINJ -r backupsrv_all-20190430_170610 -S backupsrv.sep.de -d 3

sm_ctrld_main

The control daemon makes it possible to execute SEP sesam commands on the SEP sesam Client. This daemon listens on TCP port 11301. For example, if the SEP sesam Server sends the command sm_ctrlc -l root <backup_client> sbc -b -s @/tmp/test.sav /etc, then a backup job of the /etc directory is started on the client. Backed up data is saved in the file test.sav in the client's local /tmp directory. This process has to run on the SEP sesam RDS and SEP sesam Clients.

sm_sshd

SEP sesam provides an SSH tunnel for secure control communication. When a new backup client is installed, the SM_SSH daemon automatically listens on TCP port 11322. Over time, the encrypted SSH communication replaces the old unencrypted control communication. You can start a test backup on a Linux client with the following command:

sm_ssh <backup_client> sbc -b -s @/tmp/test.sav /etc

This process has to run on the SEP sesam RDS and SEP sesam Clients.

postmaster (Linux only)

This is a database server which administers the SEP sesam database. This process has to run on SEP sesam Server.

sm_passd

This is an authentication daemon for the Sesam Transfer Protocol Daemon (STPD – a service that requests the backup data from the SMS Server and manages the data flow between the SEP sesam Server and a client) via name resolution. This process has to run on SEP sesam Server and RDS. If source-side deduplication is to be used, this process also has to run on SEP sesam Client.

sm_rmi_main

This is the GUI server which is the interface between a GUI client and SEP sesam kernel module (like database, logfiles, etc.). It listens on TCP port 11401. This process has to run on the SEP sesam Server in order to access its database.

sm_sepuler

SEPuler is a permanently active background routine (daemon), constantly searching for events to be executed. When SEPuler finds a scheduled task or manually triggered event, the execution of the corresponding program is initiated. This process has to run on SEP sesam Server. For details, see SEPuler - an event calendar.

sm_sms_main

This is the main process of SMS (Sesam multiplex stream service) and it's the parent process for all sm_data_server processes. This process has to run on SEP sesam Server and RDS.

sm_data_server

The data server processes receive the individual data streams of the backup tasks and then transfer them multiplexed to the storage device (tape or disk). This process has to run on SEP sesam Server and RDS.

sm_stpd_main

The Sesam Transfer Protocol Daemon (STPD) waits for the data which is delivered via network from clients during a backup. It listens on TCP ports 11000 (HTTP), 11001 (FTP) and 11443 (HTTPS) for transfer of backup data. This process has to run on SEP sesam Server and RDS. If source-side deduplication is to be used, this process also has to run on SEP sesam Client.

sds

This is the SEP sesam deduplication engine. It depends on Java for the execution.


How to start and stop SEP sesam

Overview

After the installation, the SEP sesam software will start automatically. You can use the command sm_main status to see if all processes are running. You can start and stop the SEP sesam services manually by using the commands below.

Start/stop SEP sesam on Windows

One central SEP sesam service is running on Windows systems. It is called SEP Sesam and is running under the system account of the Windows operating system. This service starts all other required services.

Start
  • using the Windows services control panel
  • in Windows Task Manager using the Services tab
  • on CMD or PowerShell: net start sm_main
  • on CMD or PowerShell: <SESAM_BIN>\bin\sesam\sm_main start
  • on CMD or PowerShell: <SESAM_BIN>\bin\sesam\sm_startup -f
Stop
  • using the Windows services control panel
  • in Windows Task Manager using the Services tab
  • on CMD or PowerShell: net stop sm_main
  • on CMD or PowerShell: <SESAM_BIN>\bin\sesam\sm_main stop
  • on CMD or PowerShell: <SESAM_BIN>\bin\sesam\sm_shutdown -f

Start/stop SEP sesam on Linux

One central SEP sesam service is running on Linux systems that controls all other SEP sesam services. SEP sesam services are always running under the Linux root user account. Depending on the Linux distribution, the following commands can be used:

Start
  • in the Linux shell: /etc/init.d/sesam start (distrib. with INIT start system)
  • in the Linux shell: systemctl start sepsesam.service (distrib. with SYSTEMD start system)
  • in the Linux shell: <SESAM_BIN>/bin/sesam/sm_main start
  • in the Linux shell: <SESAM_BIN>/bin/sesam/sm_startup
Stop
  • in the Linux shell: /etc/init.d/sesam stop (distrib. with INIT start system)
  • in the Linux shell: systemctl stop sepsesam.service (distrib. with SYSTEMD start system)
  • in the Linux shell: <SESAM_BIN>/bin/sesam/sm_main stop
  • in the Linux shell: <SESAM_BIN>/bin/sesam/sm_shutdown


How to check DNS configuration

Overview

Certain problems can occur when configuring new clients in SEP sesam if the DNS server is incorrectly configured or missing. SEP sesam needs a correct DNS to work and will not work with just an IP address. All DNS names must be correctly resolved (forward and reverse DNS lookup).

If the DNS server is missing, you will have to use the hosts file of the client and backup server to make systems available via a DNS name. The hosts file can be found in the following locations:

Linux
/etc/hosts
Windows
C:\Windows\system32\drivers\etc\hosts

Note
The hostname of the SEP sesam server must not include an underscore "_" sign. For hostname restrictions, see Restrictions on valid host names.

Tools for checking DNS resolution

Several tools are available to check DNS resolution. However, SEP recommends the use of sm_setup check_resolution.

sm_setup check_resolution (recommended)

The SEP sesam sm_setup tool is part of the SEP sesam Client and Server installation and can be used from the command line to resolve DNS names. Before using this tool, you need to set up a SEP sesam profile as described in FAQ: What happens when I set up a profile?

SEP recommends that you run this command on the backup server AND on the client with the same arguments. It is important that the client and the backup server are resolved correctly.

Syntax
Client:~ # sm_setup check_resolution backupserver
Calling getaddrinfo with 'backupserver'

        Official name: backupserver.sep.de
        IPv4 Address #1: 172.16.1.146

Calling getnameinfo for IP Address #1 '172.16.1.146'

        Official name: backupserver.sep.de
        Alternate name: backupserver
Client:~ # sm_setup check_resolution client
Calling getaddrinfo with 'client'

        Official name: client.sep.de
        IPv4 Address #1: 172.16.1.145

Calling getnameinfo for IP Address #1 '172.16.1.145'

        Official name: client.sep.de
        Alternate name: client


Backupserver:~ # sm_setup check_resolution client
Calling getaddrinfo with 'client'

        Official name: client.sep.de
        IPv4 Address #1: 172.16.1.145

Calling getnameinfo for IP Address #1 '172.16.1.145'

        Official name: client.sep.de
        Alternate name: client

Backupserver:~ # sm_setup check_resolution backupserver
Calling getaddrinfo with 'backupserver'

        Official name: backupserver.sep.de
        IPv4 Address #1: 172.16.1.146

Calling getnameinfo for IP Address #1 '172.16.1.146'

        Official name: backupserver.sep.de
        Alternate name: backupserver


The returned addresses and hostnames must match. If the reverse resolve returns an official name that is different from the name specified on the command line, problems will occur when backing up the client (see Common error messages).
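
The forward and reverse comparison that sm_setup check_resolution prints can also be scripted for many hosts. The following Python sketch is an added example, not SEP sesam code: it uses the same system calls (getaddrinfo and getnameinfo, which honour the hosts file) and reports a finding when the reverse name differs from the forward official name. The function names and the exact matching rule (the queried name must be the official name or its first label) are assumptions of this example.

```python
import socket


def system_forward(name):
    """Forward lookup via getaddrinfo; returns (official name, IPv4 addresses)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM,
                               0, socket.AI_CANONNAME)
    official = infos[0][3] or name      # canonical name is set on the first entry
    addresses = sorted({info[4][0] for info in infos})
    return official, addresses


def system_reverse(ip):
    """Reverse lookup via getnameinfo; raises if the address has no name."""
    host, _port = socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)
    return host


def _norm(name):
    # Compare names case-insensitively and without a trailing root dot.
    return name.rstrip(".").lower()


def check_resolution(name, forward=system_forward, reverse=system_reverse):
    """Return a list of findings; an empty list means forward and reverse agree."""
    findings = []
    if "_" in name:
        findings.append(f"{name!r} contains an underscore")
    try:
        official, addresses = forward(name)
    except OSError as exc:              # socket.gaierror is a subclass of OSError
        findings.append(f"forward lookup of {name!r} failed: {exc}")
        return findings
    short = _norm(official).split(".")[0]
    if _norm(name) not in (_norm(official), short):
        findings.append(f"{name!r} resolves to a different official name {official!r}")
    for ip in addresses:
        try:
            back = reverse(ip)
        except OSError as exc:
            findings.append(f"reverse lookup of {ip} failed: {exc}")
            continue
        if _norm(back) != _norm(official):
            findings.append(f"{ip} resolves back to {back!r}, expected {official!r}")
    return findings


if __name__ == "__main__":
    import sys
    # Run with the same arguments on the backup server AND on the client.
    for host in sys.argv[1:]:
        problems = check_resolution(host)
        print(host, "OK" if not problems else problems)
```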

nslookup (Windows and Linux)

The nslookup tool is a network administration command-line tool for querying the DNS to obtain a hostname or IP address.

It is useful for troubleshooting DNS issues, but not for full hostname resolution as it ignores the hosts file. SEP sesam resolves its hostnames via the "common library function" and first uses the hostname specified in the hosts file of the system. By default, nslookup translates a domain name to an IP address (or vice versa).

Use the nslookup command to check that the name resolution is correct: forward with and without FQDN as well as reverse. Check on the SEP sesam Server AND on the SEP sesam Client. If DNS is not used and verification is done via the etc/hosts file, use ping to check individual clients.

Syntax
       nslookup {client}
       nslookup {IP-Address of client}                         # important reverse lookup
       nslookup {SEPsesam Server name}
       nslookup {IP-Address of SEPsesam Server}                # important reverse lookup

Example: check mysesam name resolution and reverse lookup:

     #>nslookup mysesam
     Server:   dns.domaine.de
     Address:  192.168.1.254
     Name:     mysesam.domaine.de
     Address:  192.168.1.1
     #>nslookup 192.168.1.1
     Server:   dns.domaine.de
     Address:  192.168.1.254
     Name:     mysesam.domaine.de
     Address:  192.168.1.1

host (Linux only)

The host command can also be used to resolve a hostname into an IP address and vice versa. It defaults to the name server configured in /etc/resolv.conf but can also be used with a DNS server as an additional argument. It will query the DNS server of the system first.

Syntax
Client:~ # host backupserver
                     backupserver.sep.de has address 172.16.1.146

Client:~ # host 172.16.1.146
                     146.1.16.172.in-addr.arpa domain name pointer backupserver.sep.de

ping

ping is a network administration software utility used to test the reachability of a destination device on an IP network via ICMP echo request. It is not a suitable tool for checking DNS resolution and will not always be 100% correct. Although ping resolves an IP address, it is not strictly a name server lookup tool and may return a potentially outdated cached result.

In addition, ping cannot correctly reverse-resolve DNS names. For more details, see the ping description on Wikipedia.

Common error messages

The following common error messages indicate that there is a problem with your name resolution:

CLIENT_HOSTNAME: Login to stpd from <CLIENT_HOSTNAME> to <SESAM_SERVER_HOSTNAME> incorrect.
Login incorrect. Client resolves his IP address [X.X.X.X] to [RANDOM_HOSTNAME], but server resolves it to [X.X.X.X]. Please adjust your name resolution.  (0)

In this case, check your name resolution (DNS or etc/hosts file). The SEP sesam Server and the SEP sesam Client must be reachable with or without FQDN and should be able to resolve each other and also themselves correctly, including reverse lookup.

If you have changed an entry in your DNS configuration, but Windows still reports a wrong hostname/IP, try running ipconfig /flushdns as administrator.


Part V: Using Storage Devices

Configuring Loaders and Drives

Overview

A loader (also called tape library or autoloader) is a device that consists of drive(s), a magazine with slots for tape cartridges and a robotic mechanism that moves media between the slots and drives. In SEP sesam there is no dependency to use specific manufacturers' devices or device types; you can check the list of supported hardware at Supported Storage Hardware.

SEP sesam can detect and automatically configure storage hardware in your environment if the hardware is supported and recognized by the operating system (it must be listed in the OS device manager), where the SEP sesam Server or Remote Device Server is installed.

During SEP sesam Server installation, SEP sesam checks the SCSI API of the operating system for connected storage devices and puts accessible device files (SCSI address) into the SEP sesam database. This auto-detection works for most devices, but for certain types of loaders the connection between loader and drives cannot be recognized automatically. You have to manually verify and configure such devices. You also have to manually configure any backup device that is connected after SEP sesam installation. Note that the procedure differs depending on your operating system (Linux or Windows).

Automatically detected storage devices

SEP sesam displays automatically detected backup devices in GUI: Main selection -> Components -> Loaders. All detected loaders are displayed; you only need to select a loader to review its properties, and then click OK to confirm the loader configuration.

Tip
It is recommended that SEP sesam auto-configures backup devices, but even for the automatically configured backup devices you should enable persistent naming and check their configuration to configure them as required and avoid errors in SEP sesam operation. See sections Enabling persistent naming for tape devices and Using slu topology for detecting devices.

Preparing loaders and drives

Preparation of storage devices is based on the following general sequence. Note that this sequence might differ for specific devices and might require some additional steps.

  1. Connect a storage device to SEP sesam Server or SEP sesam Remote Device Server (RDS). Follow the configuration instructions specified by the device vendor or the operating system.
  2. Install the latest vendor driver for the tape drives, and also the latest driver for the loader. Note that during SEP sesam Server installation SEP sesam will check the SCSI API of the operating system for connected storage devices and enter working device files (SCSI address) into SEP sesam database automatically. Typically, this auto-detection will work for most devices, but there are some exceptions that need manual verification and configuration of the server operating system to allow device discovery.
  3. Restart the system to ensure that connected storage devices become known to the system.
  4. Check your device vendor documentation for any additional steps that may have to be performed.

Manually configuring loaders and drives

Checking hardware configuration on Windows

If your loader is detected by SEP sesam automatically, you can skip this step. If you have to add it manually to your Windows system, you must ensure that the hardware is recognized correctly by the operating system in the Windows Device Manager.

  1. Open Windows Device Manager and check that the selected hardware is present and recognized, as shown in the example below.
    [Image: Device Manager Changer known]
    If it is not recognized, it will be shown with a status Unknown Medium Changer as in the following example.
    [Image: Device Manager Changer]
    If it is shown as unknown, right-click it and select Update Driver Software to open the Update Driver Software-Unknown Medium Changer window. Then select or download and install the appropriate driver.

    Note
    A wrong driver (or no driver at all) is a common cause of errors. Identify the hardware manufacturer and download the correct driver from their support website to ensure proper configuration of your hardware device. For more information, check the documentation provided by the hardware manufacturer.
  2. In the Device Manager window, also check that the tape drives have a Tape Symbolic Name displayed.

Enabling persistent naming for tape devices

Persistent naming or binding is an option that enforces file names for loaders and tape drives, thus making them persist across reboots of the operating system. Without this feature the SCSI addresses may be changed during reboots, especially in environments with several tape libraries attached to a server, and the operating system might mix the SCSI addresses between different loaders and library tape drives. Consequently, SEP sesam may have problems accessing devices, such as unloading incorrect drives, read/open errors, volume errors, lost connections ...

Persistent naming means using symbolic names for loaders, tape drives in autoloaders and tape libraries, as well as for single tape drives. These names stay unique during server reboots, regardless of the order in which the operating system discovers the tape hardware. For example, while Tape0 is a logical name that could change during system restart, the persistent name Tape2147483644 is unique and will not change.

Configuration of persistent naming depends on the driver used. Once the OS is configured for persistent naming, update the SEP sesam configuration with the help of slu topology.

Note
Persistent naming is not part of SEP sesam as each hardware vendor handles it differently. If you need any assistance, consult your respective OS and hardware vendor support. The following information is only for reference and is not meant to replace the official vendor documentation.

Configuring persistent naming on Windows

To enable persistent bindings of symbolic tape and library names, you have to modify the registry key. Make sure that you have a valid SEP sesam and operating system backup before proceeding!

Standard Windows drivers
For standard Windows drivers, proceed as follows:
  1. Open Registry Editor: use Start and type regedit.
  2. Locate and select the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Tape
  3. From the Edit menu, select New and then DWORD Value.
  4. Type Persistence and then press ENTER.
  5. Right-click the Persistence registry entry, then click Modify.
  6. Type 1 in the Value data box, and then click OK.
  7. Close Registry Editor and restart the computer.

When you set the Persistence registry entry to 1, symbolic names become persistent. For example, if your tape drive has the name \\.\\tape1, this name is reserved for use by that device even after your server reboots.

IBM drivers
For IBM drivers, proceed as follows:
  1. Go to
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ibmtp2k<x>

    where the value <x> in ibmtp2k specifies the Windows Server version, for example, ibmtp2k8 for Windows Server 2008, ibmtp2k12 for Windows 2012, and ibmtp2k16 for Windows 2016, respectively.

  2. Add DWORD:PersistentNaming=1.
  3. Close Registry Editor and ensure that AutoRun is set to 0 for the driver prior to rebooting; for details, see official Microsoft documentation, e.g., Windows Server 2003 cannot perform backup jobs to tape devices on a storage area network or refer to the article Disable Autorun/Autoplay.
  4. Restart the computer.

For more details, see IBM article Configuring drives with persistent naming with IBM devices on Windows.

HP LTO drivers
For HP LTO drivers, follow the procedure as provided by data-protector.org:
  1. Make sure that you have installed the required HP tape drivers.
  2. Copy the following code and insert it into a text editor, then save the content as a .reg file.
    • Tape drives:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hplto]
    "AutoRun"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Tape]
    "Persistence"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
    "Start"=dword:00000004
    • Changer:

    If you have more than one medium changer include the following two lines as well:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MChgr]
    "Persistence"=dword:00000001
  3. Execute the .reg file and reboot the Windows system.

Configuring persistent naming on Linux

Device persistence on Linux is based on preconfigured udev rules. These rules create aliases in the device filesystem in /dev/tape.

Once the persistent naming is configured, you have to identify the WWN of the device and its name. This is because after each reboot on Linux, if you have, for example, two tape drives: /dev/nst0 (typically, the automatically assigned name for the first tape drive on Linux) and /dev/nst1 (the second tape drive), they may be switched around. The device name of a loader may also be changed after reboot. For example, a loader is currently recognized as /dev/sg9, but after reboot its name is changed to /dev/sg6. Changing the device name(s) after each reboot makes it impossible for SEP sesam to recognize the devices without adjustment, causing automated backup processing to fail.

To correctly identify the persistent names of devices on Linux, use the slu scan command and then list the /dev/tape/by-id directory, as shown in the example below.

For example, the slu scan output is as follows:

ID=9:0:9:0    Tape:    STK      T10000B          0105 (/dev/nst4)
ID=9:0:10:0   Tape:    STK      T10000B          0105 (/dev/nst5)
ID=9:0:11:0   Tape:    STK      T10000B          0105 (/dev/nst6)
ID=9:0:12:0   Tape:    STK      T10000B          0105 (/dev/nst7)
ID=9:0:0:0    Loader:  STK      L700             0105 (/dev/sg17)
ID=9:0:8:0    Loader:  STK      L80              0105 (/dev/sg18) 

The output of ls -l /dev/tape/by-id/ shows the following:

total 0
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab000900 -> ../../st4
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab000900-nst -> ../../nst4
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab001000 -> ../../st5
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab001000-nst -> ../../nst5
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab001100 -> ../../st6
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab001100-nst -> ../../nst6
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab001200 -> ../../st7
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab001200-nst -> ../../nst7
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-SSTK_L700_XYZZY_A -> ../../sg17
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-SSTK_L80_XYZZY_B -> ../../sg18

In our example, by using /dev/tape/by-id/scsi-350223344ab000900-nst instead of /dev/nst4 for the particular drive, the device name will automatically use the correct nst device even after reboot. The same is true for loader names, for example, /dev/tape/by-id/scsi-SSTK_L80_XYZZY_B should be used instead of /dev/sg18.

Note
Make sure that you use the non-rewind device name nst, in the above example scsi-350223344ab000900-nst, and not the auto rewind version st. If you specify the auto rewind version st, a rewind command will be issued to the tape drive and the tape will be positioned at the beginning of the tape. When accessing a non-rewind tape device nst, a rewind command is not issued.

For more details, refer to your hardware manufacturer documentation; for example, IBM article Configuring drives with persistent naming for IBM devices on Linux.
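
The matching of slu scan device nodes to their /dev/tape/by-id aliases, described above, can be done mechanically. The following Python sketch is an added example, not part of SEP sesam: it parses the two text outputs in the formats shown on this page, picks only the non-rewind (-nst) alias for tape drives, and returns None for a device that has no alias. The sample input is the page's example, shortened, with the alias for /dev/nst5 removed to show the missing case; the function name is hypothetical.

```python
import posixpath
import re

# Shortened from the slu scan example on this page.
SLU_SCAN = """\
ID=9:0:9:0    Tape:    STK      T10000B          0105 (/dev/nst4)
ID=9:0:10:0   Tape:    STK      T10000B          0105 (/dev/nst5)
ID=9:0:8:0    Loader:  STK      L80              0105 (/dev/sg18)
"""

# Shortened from the ls -l /dev/tape/by-id/ example on this page; the entries
# for st5/nst5 are left out on purpose (constructed gap).
LS_BY_ID = """\
total 0
lrwxrwxrwx 1 root root  9 Dec 14 11:17 scsi-350223344ab000900 -> ../../st4
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-350223344ab000900-nst -> ../../nst4
lrwxrwxrwx 1 root root 10 Dec 14 11:17 scsi-SSTK_L80_XYZZY_B -> ../../sg18
"""

SLU_LINE = re.compile(r"^ID=(\S+)\s+(Tape|Loader):\s+(.*?)\s+\((/dev/\S+)\)$")
LINK_LINE = re.compile(r"(\S+) -> (\S+)\s*$")


def persistent_names(slu_scan, ls_by_id, by_id_dir="/dev/tape/by-id"):
    """Map each device from slu scan to its persistent by-id path (or None)."""
    # Resolve every symlink target to an absolute device node, e.g.
    # /dev/tape/by-id/../../nst4 -> /dev/nst4
    aliases = {}
    for line in ls_by_id.splitlines():
        m = LINK_LINE.search(line)
        if m:
            node = posixpath.normpath(posixpath.join(by_id_dir, m.group(2)))
            aliases.setdefault(node, []).append(m.group(1))

    devices = []
    for line in slu_scan.splitlines():
        m = SLU_LINE.match(line.strip())
        if not m:
            continue
        scsi_id, kind, model, node = m.groups()
        names = sorted(aliases.get(node, []))
        if kind == "Tape":
            # Only the non-rewind alias is acceptable for tape drives.
            names = [n for n in names if n.endswith("-nst")]
        devices.append({
            "scsi_id": scsi_id,
            "kind": kind,
            "model": " ".join(model.split()),
            "node": node,
            "persistent": posixpath.join(by_id_dir, names[0]) if names else None,
        })
    return devices


if __name__ == "__main__":
    for dev in persistent_names(SLU_SCAN, LS_BY_ID):
        target = dev["persistent"] or "NO PERSISTENT NAME (check udev rules)"
        print(f'{dev["kind"]:6} {dev["node"]:10} -> {target}')
```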

Using slu topology for detecting devices

After persistent naming is configured, you have to identify the name of the loader(s) and tape drives and their connection to the SEP sesam internal number of the drive (this drive number is set automatically by SEP sesam) to properly configure devices on the SEP sesam Server.

slu topology is a SEP sesam SCSI loader utility that provides information about the loaders and drives connected to the system; it also shows their relation which is required to identify unique IDs of tape drives and configure them by using SEP sesam GUI.

  1. To be able to run the SEP sesam commands globally, you must set up a profile as described in FAQ: What happens when I set a profile?
  2. To list all attached SCSI devices, run slu topology:

    <SESAM_BIN>/sesam/slu topology

    If the devices are properly connected, you should get the output similar to the one shown below.

    Slu topology output.png

  3. By examining the output you are able to determine the correct names of loaders and tape drives; in the latter case, you can also determine the connection between the drive name and the drive number sequence. Each tape drive is listed in a separate line with its name (Tapexxx) and its relation to the pre-set drive number in the loader; this pre-set drive number is the last in the line and specifies the number of the tape drive in the loader as referenced by SEP sesam. SEP sesam assigns a number to each tape drive, starting with 0 (0: the first tape drive in the loader; 1: the second tape drive in the loader ...). The equivalent GUI field is named the Drive No. in loader.
  4. For example, from the above output you can read the following characteristics that are required for (re-)configuration of loaders and drives in GUI:

    Loader: HP 	 MSL6000 Series 3G3ALRT572VN (Changer0)
            Drive: HP      Ultrium 4-SCSI  HU18111L60 (Tape2147483644) (adr=480) 0
            Drive: HP      Ultrium 4-SCSI  HU18111L66 (Tape2147483643) (adr=481) 1
            Drive: HP      Ultrium 4-SCSI  HU18141PP1 (Tape2147483645) (adr=483) 3

    In our example, the tape drive with the persistent name Tape2147483644 relates to drive number 0 (the first tape drive in the loader). You enter the unique tape drive name, e.g., Tape2147483644, when (re)configuring your backup hardware in GUI.

  5. You can also check the number of slots in the loader. SEP sesam numbers the slots from 0 to the number of cartridges in the loader.

    Loader setup 04en.JPG

    In our example, the loader has 56 slots (0–55) and a port slot which is not configured in SEP sesam.

Now you have all required information to manually (re-)configure your storage hardware.
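As an added example (not SEP sesam code), the script below reads Loader: and Drive: lines in the shape of the excerpt above and takes each drive number from the last field rather than from line order; in the excerpt the third Drive line is drive 3, not 2. The function names are hypothetical, and it assumes that slu topology output always follows the layout of that excerpt.

```bash
#!/usr/bin/env bash
# Added example (not SEP sesam code): build the "Drive no. in loader" ->
# device name mapping from slu topology output. Function names are
# hypothetical; the line layout is assumed to match the page's excerpt.

# Excerpt copied from the page's example output (whitespace normalised).
SAMPLE_TOPOLOGY='Loader: HP MSL6000 Series 3G3ALRT572VN (Changer0)
        Drive: HP      Ultrium 4-SCSI  HU18111L60 (Tape2147483644) (adr=480) 0
        Drive: HP      Ultrium 4-SCSI  HU18111L66 (Tape2147483643) (adr=481) 1
        Drive: HP      Ultrium 4-SCSI  HU18141PP1 (Tape2147483645) (adr=483) 3'

# Print the loader device name, i.e. the parenthesised token that ends a
# "Loader:" line (Changer0 in the excerpt).
loader_name() {
  awk '$1 == "Loader:" && $NF ~ /^\(.+\)$/ {
         print substr($NF, 2, length($NF) - 2)
       }'
}

# Print "<drive no> <device name> <adr>" for each Drive line, sorted by drive
# number. The drive number is the LAST field of the line.
drive_table() {
  awk '$1 == "Drive:" && $NF ~ /^[0-9]+$/ {
         name = ""; adr = ""
         for (i = 2; i < NF; i++) {
           if ($i ~ /^\(adr=[0-9]+\)$/)  adr  = substr($i, 6, length($i) - 6)
           else if ($i ~ /^\(.+\)$/)     name = substr($i, 2, length($i) - 2)
         }
         if (name != "") print $NF, name, adr
       }' | sort -n
}

# device_for_drive_no N < topology
# Print the device name to enter for "Drive no. in loader" N.
# Returns non-zero if the output has no Drive line with that number.
device_for_drive_no() {
  drive_table | awk -v n="$1" '
    $1 == n { print $2; found = 1 }
    END { exit !found }'
}

# Print the drive numbers between 0 and the highest one seen that have no
# Drive line, space separated. Prints nothing if the sequence is complete.
missing_drive_numbers() {
  drive_table | awk '
    { seen[$1] = 1; if ($1 + 0 > max) max = $1 + 0 }
    END {
      if (NR == 0) exit
      for (i = 0; i <= max; i++)
        if (!(i in seen)) out = out (out == "" ? "" : " ") i
      if (out != "") print out
    }'
}

# Demo on the excerpt. On a live host, pipe in the output of
# <SESAM_BIN>/sesam/slu topology instead.
printf 'Loader device name: %s\n' \
  "$(printf '%s\n' "$SAMPLE_TOPOLOGY" | loader_name)"
printf '%s\n' "$SAMPLE_TOPOLOGY" | drive_table |
  while read -r no name adr; do
    printf 'Drive no. in loader %s -> Device (non-rewinding) %s (adr=%s)\n' \
      "$no" "$name" "$adr"
  done
printf 'Drive numbers without a Drive line: %s\n' \
  "$(printf '%s\n' "$SAMPLE_TOPOLOGY" | missing_drive_numbers)"
```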

(Re-)Configuring loaders and drives in SEP sesam GUI

These steps differ slightly if you are manually configuring a new device or re-configuring an already existing device. If you are re-configuring an existing device, select it from the list of Loaders and double-click to open the properties and review them, as described in the following steps. Then proceed with re-configuration of drives.

Manually configuring a new loader
  1. If you are configuring a new device, in SEP sesam GUI from the Main selection select Components then Loaders. Click New Loader.
  2. In the New Loader window, enter its properties which you can read from the output of:

    <SESAM_BIN>/sesam/slu topology

    Slu topology output-loader.png
    Check the output to see if the devices are used correctly by SEP sesam and detect the available SCSI addresses. For details, see above section Using slu topology for detecting devices.

    • Device name: SCSI device filename of the loader. In our Windows example, this is Changer0. On Linux systems it would be, for example, /dev/sg2.
    • Device server: SEP sesam Server or Remote Device Server (RDS) to which the loader is connected. In small environments, the loader or disk array is usually installed directly on the SEP sesam Server. More complex backup environments use RDS instead.
    • Type: The device type, e.g., LTO4.
    • Ctrl: Make sure that DIR_SLU is selected. This is applicable for all loaders which are connected by SAS/iSCSI/FC to the SEP sesam Server or RDS, and provide a robotic control of tape media. (Other options are DIR_VIRT which defines a virtual loader, DIR_DISK which enables controlling a pool of several hard disks, and DIR_ACSLS which defines an ACSLS loader.)
    • Slots: Number of slots in the loader.
    • Ports: Number of mail slots in the loader.
    • Barcode: Depending on whether the loader has a barcode reader or not, select yes or no.
    • Auto unload function: Almost all autoloaders and tape libraries allow explicit commands to transport tapes to and from the loader mechanism. It is strongly recommended to disable Auto unload function by setting it to No and allow the manufacturer's drive settings to perform as designed.

    Example of a configured loader

    Loaders Beefalo V2.jpg

Creating or re-configuring drives
  1. From the Components, select Drives. In SEP sesam, every drive has to be a member of a drive group. If you have not yet created a drive group, you have to create it now: click the New Drive Group button and enter the name of the new drive group, e.g., Tape_Drives.

    Tip
    It is recommended to group all drives that belong to the same loader in the same drive group.

  2. Select the drive group for which you want to (re-)configure the drives, e.g., Tape Drives, and create new drives by clicking New Drive or select the existing drives for which you enforced persistent naming and which you have to reconfigure.
  3. In the New Drive window/Drive properties, the following fields are available:
    • Drive number: Number is automatically assigned by SEP sesam; you can change it if you are creating a new drive.
    • Drive name: Optionally, enter a description, e.g., logical identifier of a drive.
    • Drive type: Select the drive type from the drop-down list of existing drives (LTO, DLT, SLR, etc.)
    • Loader: If the drive belongs to the loader, select 1. If it is a single tape drive, select No loader option. (Number 0 defines the virtual loader.) As of 4.4.3 Beefalo V2, you can also select ACSLS, see Configuring ACSLS-Managed Libraries.
    • Drive no. in loader: Check the information you got by using slu topology. For example, for the Drive no. in loader with the value 0 you would enter the related persistent name of the drive into the field Device (non-rewinding).
    • Device server: The name of the server or RDS to which the drive is connected. The drop-down list displays all available hosts.
    • Drive group: Is already selected, based on your previous choice when starting with drive configuration.
    • Device (non-rewinding): Based on slu topology output, you have to match the drive's persistent name with the drive number. In our example, for the Drive no. in loader with the value 0 you would insert the persistent drive name Tape2147483644. For details on checking the output, see above section Using slu topology for detecting devices.

      Configure drives-persistent name Beefalo V2.jpg

    • Device Block Size: As of v. 4.4.3 Beefalo V2, it is possible to change the default write density for tapes to achieve better tape performance by using the Device Block Size option. See Setting device block size.
    • Tape in drive: If a medium is loaded into the drive, SEP sesam label is displayed.
    • Information: If indicated, the messages from the drive hardware are displayed.
    • Max. channels: The number of simultaneous backups that can be operated through drives.
    • Encryption capable: For already configured drives, it shows whether they are encryption capable. The field is shaded for new drives. Note that SEP sesam provides native support for managing LTO-based encryption; the LTO encryption of tape drives can be enabled on a media pool level. For details, see LTO Encryption.
  4. Click OK to (re-)configure the drive.
  5. Repeat the procedure for each drive by entering its persistent name.

Configuring a Data Store

Note that the procedures introduced in this article only apply to the configuration of the Path data store. For the configuration of other data store types, refer to the relevant documentation (see links under Data store types below).

What is a data store

A data store is a device type used to write savesets directly to one or more configured storage locations – into the file system. SEP sesam uses a data store instead of a conventional media pool to define the storage repository. Data is still primarily backed up to a media pool, however, a data store is used underneath to save data to dynamically managed data areas, including disk backups.

SEP sesam can contain multiple data stores of different types and sizes depending on the type of data being backed up, the backup technique, and on the storage location (a local disk, virtualized storage device, storage appliances, etc.).

Data store types

The following data store types are supported:

You can also configure a data store to back up to and from CIFS share. For details, see How to use CIFS share (NAS) as a data store and how to back up data from a CIFS share.

Configuration procedure

Note that the procedures introduced in this article only apply to configuration of the Path data store. For the configuration of other data store types, refer to the relevant documentation (see links in the section Data store types).

  1. In the Main selection -> Components, click Data stores to display the data store contents frame.
  2. From the Data stores menu, select New data store. A New data store dialog is displayed.

    Data store new create Beefalo.jpg

    Segment Data Store

  3. Under the Data store properties in the Name field, enter a meaningful name for the data store.
  4. From the Store type drop-down list, select Path. Skip the Messages section, which is used by SEP sesam to display the last executed action.

    Note
    When configuring any store type other than Path, e.g., Si3 deduplication store, HPE StoreOnce or HPE Cloud Bank Store, you should be aware of the requirements and recommendations before you start using these special data store types. For details, see Configuring Si3 Deduplication Store, Configuring Si3 NG Deduplication Store, NetApp Snap Store, HPE StoreOnce, and HPE Cloud Bank Store, respectively.

    Segment Drive Parameter

  5. Make sure that the option Create drive for data store is checked under the Drive parameter properties. The predefined value for the drive is automatically added to the Drive number field.
  6. Enable the option Create second drive.

    Tip
    It is recommended to use the option Create second drive. Without this option, SEP sesam can only allocate one drive for either reading or writing, running one job at a time on the same drive. If you use the additional drive for restore, you can perform a backup on the first drive and restore your data from the second drive at the same time. You can also add a third drive for migration.
    • Note that for each additional drive intended for restore or migration, the access mode must be set to read in the Drive properties.
    • If you use additional drives, all backup jobs must be configured to use the drive designated for backup. You specify the drive number for a backup job as described in Creating a Backup Event.
    • If you use the additional drive for migration, you have to specify the dedicated drive as described in Creating a Migration Task.
    • You can configure the number of streams per drive. For example, you can limit the number of parallel backups to 5, but use a higher number of concurrent streams for migration.
  7. From the Device server drop-down list, select the device server for your data store. Note that the default device server is always the SEP sesam Server itself. Other available device servers in the drop-down list are additional SEP sesam Remote Device Servers (RDS).
  8. In the Path field, enter the location of your data store or use the Browse button to select the relevant folder and click OK.

    Data store new path Beefalo.jpg
    When using the Browse button to select the folder, the New data store information window appears with predefined recommended values for your data store size. Click OK to confirm the selected location and recommended size values. You can modify your data store size later under the Size properties (see step 12). For details on calculating the size, see How do I calculate the data store capacity.

    Recommended values data store Beefalo.jpg

  9. The option This drive uses data deduplication technology ... is only available for the default data store type Path. Select this check box only if deduplication is enabled on the selected drive. In this case, the projected amount of storage available for backups will also include the deduplication factor.
  10. Under Drive group properties, select Create new drive group if you want to create a new group or Use existing drive group to add a drive to one of the configured groups available in the drop-down list.
  11. The predefined number of channels is already displayed in the Max. channels drop-down list. The number of available channels depends on your SEP sesam Server package. For example, if a license supports 5 concurrent streams, 5 backup processes can run simultaneously. For details on SEP sesam licenses, see Licensing.

    Segment Size

  12. Under the Size properties, the predefined recommended values for your data store size are already displayed. If not, enter the following values manually.
    • Capacity: The size (in GB/GiB) of the partition for backups.
    • High watermark: The value (in GB/GiB) for the high watermark (HWM). This is the upper value for the used disk space on the data store. When this value is reached, the status of a datastore changes from OK to Warning, but backups continue to be performed.
    For details on what to consider when specifying the size, see How do I calculate the data store capacity.

    Segment (read-only) Disk Space Usage

    The Disk space usage properties are used by SEP sesam to report the following:

    • Used: Total used space (GiB/TiB) on the partition.
    • Total: Maximum available space (GiB/TiB) on the partition as reported by the operating system.
    • Free: Available disk space (GiB/TiB) for SEP sesam.
    • Deduplication rate: If applicable. The deduplication ratio is depicted as ratio:1. For more details, see Space reduction ratio and percent.
  13. Click OK to configure your data store. You will be prompted to create a new media pool for it immediately. If you answer No, you have to create the media pool later and your configuration is complete. If you answer Yes, a new media pool dialog is displayed.

    Creating a media pool

  14. Enter a name for the media pool, select a drive group and set the Retention time in days. The retention time is a media pool related parameter that specifies the number of days for which the media from the pool are protected from writing, thus preserving the backed up data and keeping it available for restore (see Automatic Retention (EOL) Management). Once the retention period has expired, the media are writable again. For details on configuring a media pool, see Configuring media pools for data stores.

    Data store new media pool Beefalo.jpg


Once you have set up your backup strategy, you can back up your data to your new media pool. You can start a configured backup task immediately or schedule it to run after you create a schedule and link a backup event with it. For details, see Creating a Schedule and Creating a Backup Event.

If you want to start the backup task immediately, right-click the name of the backup task and click Immediate start. Note that you only need to select the appropriate media pool that relates to your data store and click Start.

Monitoring data store status

You can view the status of your data store in the GUI by double-clicking the data store. You can also check the status in SEP sesam Web UI. The data store status overview provides detailed information about consistency, utilization, sanity status, size, disk space usage as well as related media pools, media and drives, dependencies, data size before/after deduplication (if applicable), etc.

If the size of the actually used (filled) storage space is larger than the configured capacity on the data store (data store size overflow), the utilization color changes to red.

Web UI data store Jaglion.jpg

Clicking the name of a data store displays its properties. Use the tabs Media Pools, Media, Drives (configured media pools/media), Dependencies, Savesets (overview of savesets), Actions (media-related events), Detailed Status and Storage Utilization (data store utilization) for more useful details.

Tip
Click the Dependencies tab to see the diagram of all dependencies of the datastore and Drives - RDS (first tab) or the datastore and Media Pools - Drive Groups - Drives - RDS (second tab). Hovering the cursor over the diagram shows a tooltip with details for each object.

Web UI data store dependencies Jaglion.jpg

Configuring Si3 Deduplication Store

SEP sesam v. 5.0.0 Jaglion has introduced a new generation Si3 data store: Si3 NG. It offers significantly increased performance for backup, restore and migration, as well as direct backup to S3, resulting in improved performance, scaling and resource savings.

  • The new Si3 NG can detect duplicate data fragments, optimizing the recovery process.
  • When configuring deduplication, you should consider the performance factors of deduplication. These include infrastructure (storage types), network speed, storage disk set up, achievable deduplication ratio, etc. For details, see Deduplication.
  • The new immutable storage feature (introduced in Jaglion V2) is also based on Si3 NG store (set up on a dedicated Linux server). SiS is SEP Immutable Storage, based on the File Protection Service (FPS), which scans the file system and sets the immutable bit for all new objects. This means that all data stored in SiS is marked immutable at the time of storage. Even with full admin access to the SEP sesam backup server, attackers cannot delete, modify, or encrypt data stored on SiS. For details, see SEP Immutable Storage – SiS.

Seeding Si3 deduplication store is currently not supported (see the Si3 and Si3 NG comparison section below).

How to upgrade from the old Si3 to the new Si3 NG?

SEP sesam does not support a direct upgrade from the old Si3 to Si3 NG. However, to use the new Si3 NG you can:

  • Back up all data again to the newly configured Si3 NG deduplication store.
  • You can create a replication job to replicate from the Si3 to the Si3 NG store. Replication reads all data from the source-side store on the source-side RDS and sends it to the target store using the source-side deduplication function. For details, see the section Replicating from Si3 to Si3 NG.
Tip
You can also configure a new Si3 NG and an old Si3 in parallel on the same host by enabling the key enable_gui_allow_multi_dedup.

Deduplication types

SEP sesam provides target-based (Si3T) and source-based deduplication (Si3S). For details on the deduplication concept and recommendations, see Deduplication.

  • Both Si3T and Si3S require a configured Si3 deduplication store.
  • In general, only one Si3 or Si3 NG deduplication store can be configured on a server. There is only one exception to this rule: You can use the enable_gui_allow_multi_dedup key to configure both Si3 deduplication store types on the same backup server or RDS to perform a smooth upgrade from Si3 to Si3 NG.
  • A valid licence is required for each Si3 NG deduplication store.
  • You can also configure an Si3 NG deduplication store via a command line. For details, see Configuring and Administering Si3 Deduplication Store with CLI.

SEP sesam support for S3-compatible cloud and Blob storage

With SEP sesam Si3 NG, you can back up your data directly to the S3 cloud and to Azure Blob storage (≥ Jaglion V2). As S3 is an open API standard and AWS Simple Storage Service is a sample implementation of the standard, SEP sesam Si3 NG can also be used with other S3-compatible cloud implementations. The configuration and management of Si3 NG in an S3-compatible cloud implementation is similar to the example shown in Backup to S3 Cloud Storage and must follow the same process and rules provided for using Si3 NG with S3. For more details, see Backup to S3 Cloud Storage. For the list of supported object storage, see the support matrix.

Updating Si3 NG on S3 from 5.0.0.4 to the new version

If you use Si3 NG on S3 and update from 5.0.0.4 to the new version, the structure of the existing stores will change as the structure of Si3 NG on S3 is automatically recreated (this includes recreating the index after the renaming). Example:

  • The S3 bucket is called seps3, the Si3 NG deduplication store name is newNG. The S3 structure with version 5.0.0.4 of NG is: seps3/pages; seps3/pages-trash; seps3/objects-trash.
  • When updating to the next version of NG, the structure changes to: seps3/newNG/pages; seps3/newNG/pages-trash; seps3/newNG/objects-trash. During this renaming, the Si3 NG service is not available.

Prerequisites

  • For the minimum Si3 hardware requirements that apply to SEP sesam Si3 deduplication server, see Hardware requirements.
  • For details on the required Java version, see Java Compatibility Matrix. Si3 NG is not mandatory, so there is no dependency rule for it in the RPM/DEB packages.
  • When estimating the maximum size of a deduplication store, you have to ensure that there is enough space available for dedup trash, otherwise the deduplication store will run out of space. You should calculate the required disk space based on a representative sample of your full backup and add the additional storage space equal to approximately 50% of the representative full backup.

Required additional amount of RAM

The following table shows the required additional amount of RAM for the Si3-NG data store. The TB value corresponds to the capacity of the Si3-NG data store.

Note
These requirements relate solely to the need for deduplication. In addition to these requirements, the amount of memory for the operating system and other services should be taken into account.

Si3-NG data store capacity (check initial size limit) | RAM
<20 TB | 16 GiB
20-40 TB | 32 GiB

You can use the following command (from the admin command line) to find out how much RAM is needed at what capacity of Si3 NG. Note that you need to set the sesam profile to run the command:

    sm_dedup_interface -T dedup2 propose jvmconfig <Si3-CAPACITY>

Required additional amount of CPU cores

The following table shows the number of CPU cores required for a Si3 NG data store. The TB value is the amount of data backed up (before deduplication)!

Backed up data (before dedup) | CPU cores
10 TB | 4
20 TB | 4
40 TB | 8

Performance tip

Applies to Windows only: SEP AG recommends using the High performance power plan to increase the performance of your backup. Note that Windows sets all computers to the Balanced power plan by default and you must manually switch to the High Performance power plan. This way, your Windows computer will use more power, but the systems with Si3 NG will always operate at the highest performance level.

  • From the Start menu, go to Control Panel -> System and Security -> Power Options and change the setting to High performance.

Restriction

To avoid problems resulting from the combination of excessively large Si3 deduplication stores and inefficient hardware, the maximum initial Si3/Si3-NG deduplication store size is currently limited to 40 TB. Please contact SEP sesam support if your specific requirements are different.

This limitation applies to the creation of a new Si3 NG deduplication store in the GUI.

Note
It is recommended to run Si3 deduplication (SEP sesam Server or RDS) on the physical host. It is also possible to run it on a virtual machine. In this case, take into account that deduplication consumes a lot of server resources for reading, processing and writing the deduplicated data, as well as for some other deduplication tasks such as housekeeping and various checks. These tasks require a large amount of IO and a large amount of memory. Si3 performance can be affected by other VMs running on the same host. Therefore, if you are running Si3 on a VM, you should be aware of possible bottlenecks and shortcomings.

Configuration procedure

The SEP sesam data store is a disk-based storage that allows savesets (backed-up data) to be backed up directly to configured storage locations, including S3 cloud storage and Azure. Note that the configuration procedure for the latter differs from the one described below. For details, see Backup to S3 Cloud Storage and Backup to Azure Storage.

Enable Si3 NG setup on the same host

To make the upgrade from Si3 to Si3 NG smoother, you can configure a new Si3 NG and an old Si3 on the same backup server or RDS by using the enable_gui_allow_multi_dedup key.

  1. Open the global settings in the GUI: In the menu bar, click Configuration -> Defaults -> Settings.
  2. Set the key value of enable_gui_allow_multi_dedup to 1.

    Si3 key.jpg


Configure Si3 NG

SEP Si3 target deduplication is easy to configure and ready to use by selecting the Si3 NG deduplication data store type.

Note
Si3 NG store can also be used to back up your data directly to S3 cloud or Azure. In this case, the configuration is slightly different depending on the type of storage cloud. For more information, see Backup to S3 Cloud Storage and Backup to Azure Storage.
  1. In the Main selection -> Components, click Data Stores to display the data store contents frame.
  2. From the Data Stores menu, select New Data Store. A New Data Store dialog appears.
  3. Under Data store properties, enter a meaningful name for the Si3 NG deduplication store in the Name field. Entering the name also creates the name of the drive group for your Si3 deduplication store in the Create new drive group field.
  4. From the Store type drop-down list, select SEP Si3 NG Deduplication Store.

    Si3 NG Jaglion 01.jpg

  5. Ensure that the Create drive option is enabled under the Drive parameter properties. The predefined value for the drive is automatically entered in the Drive number field.
  6. It is recommended to also activate the option Create second drive. Without this option, SEP sesam can only assign one drive for either reading or writing, with one job on the same drive at a time. If you use the additional dedicated drive for restore, you can perform a backup on the first drive and restore your data from the second drive simultaneously. You can also add a third drive for migration. (See section Drive access mode.)
  7. The name in the Create new drive group is already created. You can change it by simply entering a new name.
  8. The predefined number of channels is already available in the Max. channels drop-down list. The number of available channels depends on your SEP sesam Server package. For details on licensing, see Licensing.
  9. From the Device server drop-down list, select the device server for your data store.
  10. In the Path field, enter the location of your data store or use the Browse button to select it. Click OK.
    If you use the Browse button, the New Data Store information window appears with predefined recommended values for the size of your Si3 NG deduplication store. Click OK to confirm the selected location and recommended size values. You can change the size of your Si3 NG deduplication store later under Size properties (see section Size properties).

    Si3 NG Jaglion 02.jpg

After configuring the Si3 deduplication store, configure the media pools first then set up your backup strategy. Make sure to test your newly created Si3 NG store by running a test backup on it.

Run a test backup on Si3 NG

  1. Create a new backup task: In the Main Selection -> Tasks -> By clients, select your RDS client and then click New Backup Task. Configure your backup task and save it. For details, see Creating a Backup Task.
  2. Test the backup on the newly created Si3 NG store: From the menu bar, select Activities -> Immediate start -> Backup. In the Immediate start: Backup dialog, select the previously created media pool for Si3 NG as the target media pool for the backup. Click Start and check if your backup was successful by viewing the status of your backup job in the GUI (Monitoring -> Last Backup State or Job State -> Backups) or SEP sesam Web UI – Last backup state.

Now you can create different backup tasks to apply deduplication and enable the best possible scenarios for efficient backup in different environments. For details on how to select your deduplication method, see Deduplication. For details on how to configure a backup job, see Standard Backup Procedure.

Replicating from Si3 to Si3 NG

As SEP sesam does not support a direct upgrade from the old Si3 to the new Si3 NG, you can create a replication task to replicate from Si3 to the Si3 NG store. Replication reads all data from the source-side store on the source-side RDS and sends it to the target store using the source-side deduplication function. Once your new Si3 NG is set up, you should configure regular replication from one NG to another NG.

Configure a replication task

To configure a replication from Si3 to Si3 NG, proceed as follows.

  1. Create a replication task: In the Main selection -> Tasks -> Replication Tasks, click New Replication Task. The New Replication Task window is displayed.
  2. In the Name field, enter a name for the replication task, e.g., Si3-2-Si3NG.
  3. Enter the following information under Parameters:
    • Media pool
      • Pool: Select the name of the source media pool of the Si3 deduplication store from which the data will be replicated.
      • Drive: Select the drive number of the drive to be used to read the data.
      • Interface: Optionally, specify the network interface of the RDS to be used for data transfer.
    • Destination
      • Pool: Select the name of the target media pool you previously created for the new Si3 NG and to which the data will be replicated.
      • Drive: Select the drive number of the drive that will be used to write the data.
      • Interface: Optionally, enter the network interface of the RDS to be used for data transfer, e.g., the name of the RDS.
    • Leave the Relative backup date (From) set to -99,999 and To set to 0.
    • In the drop-down list based on, the Sesam days option is selected by default.

    Replication task-si3ng.jpg


  4. Click Save to save your replication task.

After you have configured a replication task, start replication as follows.

Start replication

Note that any initial replication requires a large amount of CPU, network bandwidth and time to complete successfully.

Start replication manually as follows:

  1. In the GUI menu, select Activities -> Immediate start -> Replication.
  2. In the Immediate Start: Replication window, from the Task name drop-down list select the replication task you created earlier, e.g., Si3-2-Si3NG, and click Start.

To ensure that the replication is successful, check its status:

  • Via the GUI: Go to the Main Selection -> Job state -> and look for your replication task in the first column Migration Task.
  • Via the Web UI: Open Web UI and from the left menu select Replications. For details, see SEP sesam Web UI.

Checking the properties and modifying your Si3 NG deduplication store

You can view the properties of your Si3 deduplication store by double-clicking the corresponding Si3 NG deduplication store.

Drive options

You can modify existing and set additional drive options by double-clicking the first drive. In the Drive Properties window, you can browse the path for the data store and set the access mode for data store drives.

Drive access mode
  • read/write (default): Allows you to perform read operations (e.g., restore or use a drive as the source of a migration) and write operations (e.g., backup or using a drive as the target of a migration). As the write operations can occupy the drive for a while, consider using certain drives for write operations only and setting up the other drive(s) for read operations only.
  • read: Only read operations, e.g., for restore or as the source of a migration, are allowed. It is recommended to set up additional drives in read mode to allow uninterrupted processing of tasks, such as restore.
  • write: Only write operations, e.g., for backup or as the target of a migration, are allowed. The use of drives in write mode is recommended when these drives are used in combination with additional drives that are only used in read mode.

The first drive in the list has an additional OS Access tab where you can specify the credentials (user name and password) required to access the configured drive path. Use DOMAIN\USER format for domain accounts or HOST\USER for local accounts.

Si3 NG data encryption

To configure Si3 NG data encryption, you have to create a security password file for deduplication:
Main selection -> Components -> click Data Stores -> select your Si3 NG deduplication store and double-click it, then double-click the first drive of your Si3 NG deduplication store.
In the Encryption password field, specify the encryption password and repeat it.

For details, see Encrypting Si3 NG Deduplication Store.

Si3 NG deduplication store size properties

To change data store size properties, go to Main selection -> Components -> click Data Stores -> select your Si3 NG deduplication store and double-click it. Then under Size properties specify or modify the following:

  • Capacity: Specify the size (in GiB) of the partition for backups.
  • High watermark: Specify the value (in GiB) for the high watermark (HWM). The HWM defines the upper value for the used storage space. When this value is reached, the status of a datastore changes from OK to Warning, but backups continue to be performed. Make sure that you provide enough storage space for your backed up data.
  • Si3 repair area: Specify the value (in GiB) for the Si3 repair area. The Si3 repair area (subdirectory trash) defines the space for Si3 files that were identified by a garbage collection job and are no longer used. These files are still kept in the repair area to allow for a possible repair of Si3 in case of structural problems (which may be caused by a file system error or an operating system crash). The files in the repair area are automatically removed after the specified period of time (SEP sesam default: 4 days) or when the disk usage threshold is reached. The Si3 repair function is disabled when the value is set to 0.
    Note
    The Si3 repair area for managing the disk space allocated for Si3 files is available only in advanced UI mode (formerly expert GUI mode). To see the Si3 repair area field, make sure your UI mode is set to advanced. For details, see Selecting UI mode.

The Disk space usage properties are used by SEP sesam to report the following:

  • Used: Total used space (in GiB) on the partition.
  • Total: Maximum available space (in GiB) on the partition as reported by the operating system.
  • Free: Available disk space (in GiB) for SEP sesam.
  • Deduplication rate: Deduplication takes place as soon as the backup process has started. SEP sesam analyses blocks of data and determines whether the data is unique or has already been copied to the Si3 NG data store. Only single instances of unique data are sent to the data store, and each deduplicated file is replaced with a stub file. The deduplication ratio indicates the extent of data reduction achieved by Si3 deduplication, i.e. the ratio between the protected capacity and the actual physical capacity stored. A ratio of 10:1 means that 10 times more data is protected than the physical capacity needed to store it. The deduplication ratio depends greatly on the deduplication method used (Si3T or Si3S), the type of data, the backup level used (the deduplication ratio is higher when there are copy and full backups and when there is a larger amount of data), etc. For details, see Deduplication.

Monitoring deduplication status

You can view the status of your Si3 deduplication in the GUI (Si3 deduplication store properties -> Si3 State tab) or SEP sesam Web UI. The data store status overview provides detailed information about consistency, utilization, sanity status, size, disk space usage as well as related media pools, media and drives, dependencies, data size before/after deduplication, etc.

Note
If fsck (file system consistency check) detects an irregularity in the Si3 file system, the affected pages and chunks are recorded in the recovery.log. The Si3 deduplication store is marked red in the GUI and Web UI and the Si3 purge is no longer executed. The purge is stopped to prevent the files in the Si3 repair area from being deleted, as they may be required to repair Si3 in case of problems. Once the errors are fixed and the recovery.log is empty, the Si3 NG data store is no longer marked red and the Si3 purge works again.

Comparison of Si3 and Si3 NG

SEP sesam v. 5.0.0 Jaglion introduced a new generation Si3 deduplication store: Si3 NG. Si3 NG offers significantly higher performance for backup, restore and migration, as well as backup to S3 cloud, backup to Azure and the new immutable storage feature SiS, resulting in improved performance, scaling, and resource savings.

| Function | Si3 | Si3 NG |
|---|---|---|
| Si3 backup | Yes | Yes |
| Si3 deduplication (source-side and target-side) | Yes | Yes |
| Si3 replication: local to remote store (Note a) | Yes (Si3 to Si3) | Yes (Si3 to Si3 NG; Si3 NG to Si3 NG) |
| Si3 replication: to S3 cloud | Yes | Yes (provides more powerful features for backing up directly to the cloud, see the next two lines) |
| Backup to S3 Cloud Storage | Yes | Yes |
| Backup to Azure Storage | Yes | Yes (as of Jaglion V2) |
| SiS (SEP Immutable Storage) | Yes | Yes (as of Jaglion V2) |
| Si3 restore | Yes | Yes |
| Si3 encryption | Yes | Yes (as of Jaglion V2) |
| Seeding Si3 deduplication store (Note b) | Yes | Yes |
| Usage of tachometer | Yes | Yes |

Note a

SEP sesam does not support a direct upgrade from the old Si3 to Si3 NG. However, to use the new Si3 NG you can:

  • Back up all data again to the newly configured Si3 NG deduplication store.
  • After configuring a new Si3 NG, you can also create a replication job to replicate from the Si3 to the Si3 NG store. Replication reads all the data from the source-side store on the source-side RDS and sends it to the target store using the source-side deduplication function. For details, see Replicating from Si3 to Si3 NG.
  • You can also configure a new Si3 NG and an old Si3 in parallel on the same host by enabling the key enable_gui_allow_multi_dedup.

Note b

The Initial Seed feature does not work in v. 5.0.0 Jaglion, but you can use it in earlier SEP sesam versions.

Configuring a Media Pool

A media pool is a group of media of the same type that you use for backups. How you configure a media pool depends on the type of the used storage device. With loaders, you set up a media pool to be used for backups directly to tapes. For backing up to disks (disk storage), you have to set up a data store first and then create one or more dedicated media pools for it.

Once a media pool is configured, SEP sesam automatically labels each medium with a unique media label during initialization. The media labels are stored in the SEP sesam database. The labels consist of the pool name and a 5-digit number assigned by SEP sesam within the pool.

Media pools are the basis for building a backup strategy. Each media pool represents a set of media intended for a specific purpose. For example, media pools can be created and managed for workdays, weekends, specific locations, specific types, databases, etc. You can have different types of media pools for different types of backup data, backup sources (e.g., file backup, DB backup) or drive types.

It is possible to configure special GFS media pools for storing data on tape according to the GFS (Grandfather-Father-Son) retention strategy. For details, see GFS Backup Retention Strategy.

Note that the Options tab for configuring a special set of options to allow sharing of media across media pools is only available when configuring media pools for tape media, as described in the following section.

Configuring media pools for tape media

After you configure your backup hardware and create a new drive group, you have to create a new media pool and assign it to the drive group that contains your newly created drives. With loaders, you can configure a media pool that will be used for backing up directly to tapes. How you set up your backup strategy depends on the data that is being backed up. Typically, you would create at least three media pools. For details on setting up loaders and drives, see Configuring Loaders and Drives.

Steps

  1. From Main Selection -> Media Pools, click New Media Pool. The New Media Pool window appears.
  2. In the Media Pool window, specify the required fields:

    • Name: Enter the name of a media pool, for example, MP_tape_day (for daily backups), MP_tape_week (for weekly backups), etc.
    • Description: Optionally, add the description of the pool.
    • Drive group: From the drop-down list of all available drive groups, select the relevant drive group to which a media pool will be attached (e.g., Tape_Drives, RDS_LTO_Dives, etc.). For details on the drive groups, see Drives.
    • Retention time [days]: Specify the retention time for the media pool. The retention time starts with the date a saveset is written to the media and lasts for the period defined by the media pool retention time (in days). The expiry date of the retention time is the EOL of the saveset. When a saveset is stored on a tape, every stored saveset has its own saveset EOL. However, the expiry date of the tape corresponds to the maximum retention time (the longest EOL) identified on it. For details, see tape media EOL.
    • Set media pool inactive: You can deactivate a media pool so that it is no longer available.
      Note
      In the case of a clone media pool, the option Set media pool inactive controls not only whether a media pool is available for use, but consequently whether the upload (synchronization with the S3 Cloud) is performed. If you deactivate a clone media pool by selecting the option Set media pool inactive, the data is no longer synchronized with the S3 Cloud. For details, see Configuring replication to S3 Cloud.
  3. The readability check allows you to check the readability of the data on the tape and its structure and to ensure that the backup sets on the tape are recorded in the database and vice versa. Click the Readability Check tab and use the following options to specify the settings:

    • Readability check limit [days]: By default, the value is 0 (zero) and the readability check is switched off. If you set a number > 0, a tape is checked after the specified number of days and marked with the status Readability check needed. Note that the readability check can only be applied if the media EOL has not yet expired. It is not applicable to EOL-free media. For details, see Configuring a Readability Check.
    • Expiration of read check overdue [days]: Specify the number of days after which a readability check is overdue. This calculation is based on the readability check limit [days] and the value of expiration overdue.
    • Repeat rate for readability check [times]: If you select Unlimited, the media is checked according to the specified frequency. If you set Execute, the check is repeated as many times as specified.
    Note
    To perform the readability check, you have to set up a schedule and link a media event to it. When creating a media event, you have to select the readability check option and a media pool for your event. For details, see Configuring a Readability Check.
  4. Click OK.
Tab Options

Once you have created a media pool, you can set additional options. The Options tab is available in the media pool properties (Main Selection -> Media Pools -> double-click a media pool) and allows you to set up a media strategy and configure the sharing of media between media pools. This is useful when media from the target pool are not available for backup and another set of media can be used.

  • May use empty, foreign media: SEP sesam will use unknown or blank tapes for the backup if no tapes are available in the respective pool.
  • May use EOL free media: SEP sesam may use EOL-free media other than the requested one in a single tape drive (without loader).
  • May use SPARE media: You have to configure a SPARE_ media pool (see the following section) and then you can enable the SPARE media option. This way, SEP sesam automatically uses the media from the SPARE pool if no tapes are available in the target media pool. For details, see Spare Pools.
  • May use media from another pool: SEP sesam uses available tapes from other media pools if no tapes are available in the target media pool.
  • Another media pool may use media from this pool: A media pool that runs out of its own tapes can use the available tapes from this media pool.

If the data on the tapes is no longer needed, the metadata on the tape media in the media pools can be removed:

  • Delete all metadata from tape media when the tape becomes EOL free: Data on tapes can only be deleted when their EOL has expired. If you activate this option, the metadata of tapes that are no longer write-protected will be deleted.
  • Delete all metadata and re-initialize tape: If you activate this option, all metadata of the tape media is deleted and the tape is initialized (provided the tape is available to SEP sesam) by loading the tape into a drive and physically erasing it, thus removing access to all existing data on the tape.

For more details on tape-related operations, see Tape Management.

Configuring spare pools

You configure a spare pool in the same way as any other media pool, except for its name: the name of the spare pool must follow the SPARE_ naming convention. This way, SEP sesam is able to identify this pool as a spare pool.

Once your spare media pool is created, open its properties: Main Selection -> Media Pools -> double-click the spare media pool you created, switch to the Options tab and check the option Another media pool may use media from this pool. This means that any media pool that runs out of its own tapes can use the available tapes from this media pool.

Configuring media pools for data stores

With data stores, you configure media pools that are used for backing up to disks (disk storage). You must first configure a data store and then create a dedicated media pool for it. For details on how to configure a data store, see Configuring a Data Store.

Steps

  1. When you configure your data store, you are prompted to configure a media pool immediately. You can also configure a media pool later from the data store properties -> click Create Media Pool, or from Main Selection -> Media Pools, click New Media Pool. The New Media Pool window is displayed.
  2. Name: Enter the name of a media pool, e.g. DS_day (for daily backups), DS_week (for weekly backups), etc.
  3. Description: Optionally, add the description of the pool.
  4. Drive group: From the drop-down list of all available drive groups, select the relevant drive group to which a media pool will be attached (e.g., dg_datastore01). For details on the drive groups, see Drives.
  5. Retention time [days]: Specify the retention time for the media pool. The retention time for the media pool is specified in days and defines how long the data on the media remains protected. The retention time starts on the date a saveset is written to the media and lasts for the period defined by the media pool retention time (in days). The expiry date of the retention time is the EOL of the saveset. After the protection expires, the saveset is deleted while purge is running on the data store and the memory space is released. For details, see EOL (retention) types.
    Note
    If you are using SEP Si3 deduplication store (does not apply to a new generation SEP Si3 NG deduplication store!) and want to replicate to S3 Cloud, you have to create an additional clone media pool by selecting Clone as the media pool type. For details, see S3 Cloud Replication.
  6. Click OK.

Monitoring data stores and configured media pools

You can check which media pools are configured with a data store in the GUI or via SEP sesam Web UI.

Data store properties in the Web UI

You can access the Web UI in one of the following ways:

  • via the GUI: by clicking the Dashboard icon in the toolbar or via the menu bar -> Activities -> Dashboard or via Main Selection -> Monitoring -> Dashboard
  • by entering the following address in the browser bar:

http://[sesamserver]:11401/sep/ui
or
https://[sesamserver]:11401/sep/ui.

  1. In the left menu, select Data stores and then click the name of the data store to display its properties.
  2. Click the tab Media Pools, Media, Drives to check the configured media pools/media.
  3. Use the Dependencies tab to view the diagram of all dependencies of the datastore and Drives - RDS (first tab) or the datastore and Media Pools - Drive Groups - Drives - RDS (second tab). Hovering the cursor over the diagram shows a tooltip with details for each object.


Data store properties in the GUI

Open the data store properties: from Main Selection -> Data Stores -> double-click the selected data store -> select the Media tab. Click the media pool in the list to display its properties.


Part VI: Authentication

About Authentication and Authorization

Overview

SEP sesam operations, such as backup and restore, can only be performed by users who have the appropriate permissions. The authentication concept in SEP sesam v. 5.0.0, which is used to grant and restrict access to SEP sesam Server(s) and specific objects, has changed. Now only a user with Superuser privileges can configure authentication and attach permissions (ACLs) to created users.

Authentication is a two-step process. First, the identity of a user accessing a SEP sesam Server is authenticated by verifying the user credentials (username and password). After successful authentication SEP sesam checks if the authenticated user has the appropriate permissions to access a specific resource or operation within the SEP sesam Server.

Authorization is implemented through permissions based on the user type that defines the connection to the SEP sesam Server and the available GUI objects. Additionally, a user with Superuser privileges can set custom user roles by configuring ACLs.

Authentication methods

After the initial installation of SEP sesam, no users are configured except the Superuser. SEP sesam provides several authentication methods that are mutually exclusive (and may be version dependent): database-based authentication, which is simply called authentication, and policy-based authentication. By default, policy-based authentication is active. Note that only one authentication method can be active at a time.

Note
You can bypass authentication on the local server for all users by setting the parameter localFullAccess in the <SESAM_ROOT>/var/ini/sm.ini file to true, as described in the section below.

Database-based authentication

Database-based authentication allows Superusers to configure users and grant them appropriate permissions to perform SEP sesam operations by setting individual passwords and assigning users to the appropriate user group.

You can use LDAP/AD authentication in combination with database-based authentication. This way SEP sesam can authenticate users against an external LDAP/AD directory. If LDAP/AD authentication is enabled in SEP sesam and users are correctly mapped, they can log in to SEP sesam according to their entry in the LDAP/AD directory and user mapping information. For details, see Configuring LDAP/AD Authentication.

If database-based authentication is enabled, users can also authenticate with a signed certificate by simply selecting a (signed) certificate at login instead of entering a password. Note that a signed certificate can only be used for internal groups, while users from external authentication sources (LDAP/AD) can only be authenticated with a password. For details, see Configuring Certificate-Based Authentication.

The assigned user group (based on user type) determines the actions that the group members can perform. Database-based authentication can be enabled from the GUI by activating authentication under Configuration -> Permission Management. This is the only way to set the password for the Superuser (Administrator).

When database-based authentication is enabled, the authEnabled parameter in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server is set to true. For details on database-based permissions, see Configuring Database-Based Authentication.

Policy-based authentication

Policy-based authentication represents a traditional approach to managing user privileges. The SEP sesam GUI is based on Java and uses the sm_java.policy file to grant the required permissions. The policy file is located at <SESAM_ROOT>/var/ini/sm_java.policy, where <SESAM_ROOT> is the pathname of the SEP sesam home directory.

For policy-based authentication, the permissions are assigned to the user/host combination in the sm_java.policy file. You can also grant users the required permissions by using the GUI: Main Selection -> Configuration -> User Permissions. For details on policy-based permissions, see Configuring Policy-Based Authentication.

Configuring localFullAccess in sm.ini

localFullAccess determines whether a user logged in to the SEP sesam Server is allowed to use the SEP sesam CLI and GUI without any authentication. If set to true, authentication is not required. If set to false, authentication is mandatory for all users and SEP sesam prompts for the username and password to log in.

If database-based authentication is enabled, the flag localFullAccess is automatically set to false. A certificate is passed from the SEP sesam command line to the SEP sesam Server, where it is verified. The certificate file is stored in <SESAM_ROOT>/var/ini/ssl.

Note
  • On Unix, only the system root user can access this directory and use the command line without authentication.
  • On Windows, use Windows User Account Control (UAC) to restrict access to the certificate file.

How to change the localFullAccess flag

  1. Locate the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server (where <SESAM_ROOT> is the pathname of the SEP sesam home directory). Open the sm.ini file using a text editor and set the flag for the localFullAccess parameter to true.
  2. Once you have changed the settings, save your changes and restart the SEP sesam Server for the changes to take effect. The sm.ini file is preserved when you upgrade your SEP sesam Server.

Implementing authentication and authorization

After enabling the appropriate authentication method (database-based or policy-based authentication as described above), perform the following steps to manage users and implement authentication and authorization:

  1. Create new users.
  2. Add users to groups.
  3. Assign user types (roles) to the new users.
  4. In addition to user roles (and permissions based on the user type), there are several user permissions (ACLs) that you can set (assign to a role) to control access to specific resources or operations.

Managing users

Once authentication is enabled, you can create new users and add them to groups (Superuser, Admin, Backup, Restore, or Operator). The selected user type (role) represents a specific role in SEP sesam with associated permissions (e.g. Superuser has full control over SEP sesam). The permissions based on the selected user type (default permissions) control access to SEP sesam Server, a specific resource, operation, and available UI options.

Note that the procedure for managing users differs depending on the authentication method selected, so you must ensure that you follow the appropriate procedure:

Attaching user permissions

In addition to the default permissions (described above) based on the selected user type, you can also set custom user roles by configuring ACLs if you have Superuser privileges. For more details on permissions, see User Roles and Permissions.

ACLs allow you to configure permissions for each user or group with fine-grained access rights for locations, clients, backup tasks (or groups), media pools, and schedules. For example, if you assign the Restore user permission to a specific backup task, that user can start the task-specific backup. For more information, see Using Access Control Lists.

Troubleshooting

If you have problems logging in after updating to 5.0.0, see Troubleshooting Authentication.

Configuring LDAP/AD Authentication

Overview

SEP sesam can be configured to use LDAP (Lightweight Directory Access Protocol) authentication in combination with database-based authentication. This allows SEP sesam to authenticate users against an external LDAP directory (Active Directory, OpenLDAP, NetIQ eDirectory, etc.) in addition to its own database authentication. It provides integration of user and password management together with SEP sesam permissions or access rights granted according to the assigned user types.

  • Note that setting up LDAP/AD with SEP sesam requires in-depth knowledge of LDAP administration.
  • SEP sesam Active Directory authentication method is not compatible with Azure AD.

How it works

When LDAP authentication sources are configured, the login sequence to SEP sesam is as follows:

  • A user logs in to SEP sesam by entering the appropriate credentials (user name and password).
  • The user name and password are checked against the internal SEP sesam user database.
  • Then the user name and password are checked against the first source in the list. If the user name and password do not match any record, the second/third, etc. source is checked until the first match is found. Then a source directory is queried for user group membership.
  • The groups returned by the directory are compared with the configured external groups in the SEP sesam database. If a user is a member of several groups, he/she can have the permissions of more than one group. In this case, the user is logged in as a member of the group with the highest privileges.
  • Access to SEP sesam is denied if the user is not found, if the user is found but the credentials do not match, or if a user is not a member of a configured authorization group.
Note
  • When SEP sesam authenticates against LDAP, this may result in slower SEP sesam login performance as the LDAP server requires time to establish a network connection and retrieve the data.
  • The login process stops after the first user name match. If there are users with the same login name in different sources, only the first matching user can log in.
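
The login sequence above can be modelled to see which account a login name resolves to and which role it receives. This is an added example, not SEP sesam code: the directory contents, passwords and source names are constructed, the role ranking is an assumption (the page does not rank the user types), and it assumes that a name match with a wrong password ends the login, as the note above states.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass

# Assumption: privilege ranking, highest first. The page names these user
# types but does not rank them, so confirm the order for your installation.
ROLE_RANK = ["ADMIN", "OPERATOR", "BACKUP", "RESTORE"]


@dataclass
class Source:
    """One LDAP/AD authentication source, in the order of the Sources tab."""
    name: str
    users: dict[str, str]        # login name -> password (constructed data)
    groups: dict[str, set[str]]  # directory group -> member login names
    enabled: bool = True


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of two secrets."""
    return hmac.compare_digest(a.encode(), b.encode())


def login(user, password, internal, sources, group_map):
    """Return (granted, role, decided_by) following the documented order."""
    # Step 1: the internal SEP sesam user database is checked first.
    if user in internal:
        stored, role = internal[user]
        if _same(stored, password):
            return True, role, "internal database"
        return False, None, "internal database: credentials do not match"
    # Step 2: enabled sources in list order; the first name match decides.
    for src in sources:
        if not src.enabled or user not in src.users:
            continue
        if not _same(src.users[user], password):
            return False, None, f"{src.name}: credentials do not match"
        # Step 3: compare directory groups with the configured external groups.
        roles = {group_map[g] for g, members in src.groups.items()
                 if user in members and g in group_map}
        if not roles:
            return False, None, f"{src.name}: not in a configured authorization group"
        # Step 4: member of several groups -> the highest-ranked role applies.
        return True, min(roles, key=ROLE_RANK.index), src.name
    return False, None, "user not found"


def shadowed_logins(internal, sources):
    """Login names defined in more than one place: {name: [winner, shadowed, ...]}."""
    seen = {name: ["internal database"] for name in internal}
    for src in sources:
        if src.enabled:
            for name in src.users:
                seen.setdefault(name, []).append(src.name)
    return {name: places for name, places in seen.items() if len(places) > 1}


# Constructed sample data; group names follow the OpenLDAP example on this page.
INTERNAL = {"localadmin": ("pw-local", "ADMIN")}
GROUP_MAP = {"sepadmin": "ADMIN", "sepoperators": "OPERATOR", "seprestore": "RESTORE"}
SOURCES = [
    Source("openldap",
           users={"ee": "pw-ee", "jge": "pw-jge"},
           groups={"sepadmin": {"jge"}, "seprestore": {"jge", "ee"}, "staff": {"ee"}}),
    Source("edirectory",
           users={"jge": "pw-other", "kim": "pw-kim"},
           groups={"sepadmin": {"jge"}, "staff": {"kim"}}),
]

if __name__ == "__main__":
    for name, pw in [("jge", "pw-jge"), ("jge", "pw-other"), ("ee", "pw-ee"),
                     ("kim", "pw-kim"), ("nobody", "x")]:
        print(name, login(name, pw, INTERNAL, SOURCES, GROUP_MAP))
    print("shadowed:", shadowed_logins(INTERNAL, SOURCES))
```

Running shadowed_logins against an export of your own sources lists the login names for which the source order decides who can log in.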

You can enable an SSL connection to your LDAP/AD server to secure LDAP for authentication by importing a public certificate from certificate authorities (CAs) that sign your LDAP server certificate to the Java KeyStore on the SEP sesam Server. For details, see Securing the LDAP connection with LDAPS.

Disabling LDAP/AD sources does not remove your existing LDAP settings. It only disables the SEP sesam integration with that particular LDAP/AD source. You can reenable LDAP/AD authentication at any time by selecting the Enable check box in front of the source definition.

Requirements

  • LDAP or AD user accounts that you intend to use for authentication must already exist within your corporate LDAP/AD before you configure authentication with SEP sesam. The LDAP/AD service must be running (for example, Active Directory, OpenLDAP, NetIQ eDirectory, etc.).
  • SEP sesam Server must have globally enabled authentication. You can set the relevant parameters in the sm.ini file, i.e.

    [UI]
    …………….
    authEnabled=true
    auth.db.enabled=true
    auth.ldap.enabled=true
    auth.ldap.autocreate=true
    auth.ad.enabled=true
    auth.ad.autocreate=true
    …………….

    and activate authentication in the SEP sesam GUI, see Configuring Database-Based Authentication.

  • For the LDAP directory, a user within the respective LDAP tree must have the rights to read the attributes of your LDAP groups.
Note
The SEP sesam Active Directory authentication method is not compatible with Azure AD.
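
The authentication switches in sm.ini described on this page (localFullAccess in the section on bypassing authentication, and authEnabled and the auth.* keys in the [UI] excerpt above) can be reviewed in one pass. The following script is an added example, not SEP sesam code; the sample file is constructed, and placing localFullAccess under [UI], the accepted spellings of true and the worst-case handling of repeated keys are assumptions.

```python
from __future__ import annotations

import sys

# Constructed sample, modelled on the [UI] excerpt on this page. Putting
# localFullAccess under [UI] is an assumption of the sample only; the audit
# looks each key up in every section.
SAMPLE_SM_INI = """\
[UI]
authEnabled=true
auth.db.enabled=true
auth.ldap.enabled=true
auth.ldap.autocreate=true
auth.ad.enabled=false
localFullAccess=true
"""

TRUTHY = {"true", "1", "yes", "on"}  # assumed spellings; the page shows true/false


def parse_ini(text: str) -> dict[str, list[tuple[str, str, int]]]:
    """Map each key to every (section, value, line number) where it is set."""
    settings: dict[str, list[tuple[str, str, int]]] = {}
    section = ""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:
            continue  # filler or elided lines carry no setting
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append((section, value.strip(), line_no))
    return settings


def any_true(settings, key: str) -> bool:
    """True if at least one definition of key is truthy (worst case for a bypass)."""
    return any(value.lower() in TRUTHY for _, value, _ in settings.get(key, []))


def all_true(settings, key: str) -> bool:
    """True only if key is present and every definition of it is truthy."""
    entries = settings.get(key, [])
    return bool(entries) and all(value.lower() in TRUTHY for _, value, _ in entries)


def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, key, message) findings for the authentication switches."""
    settings = parse_ini(text)
    findings = []
    for key, entries in settings.items():
        if len(entries) > 1:
            lines = ", ".join(str(n) for _, _, n in entries)
            findings.append(("WARN", key, f"defined more than once (lines {lines}); "
                                          "the worst case is assumed"))
    db_auth = all_true(settings, "authEnabled")
    if any_true(settings, "localFullAccess"):
        findings.append(("HIGH", "localFullAccess",
                         "users logged in to the server use GUI and CLI without authentication"))
        if db_auth:
            # Per the page, enabling database-based authentication sets the flag to false.
            findings.append(("HIGH", "localFullAccess",
                             "true although authEnabled=true; check whether it was edited by hand"))
    if not db_auth:
        findings.append(("INFO", "authEnabled", "database-based authentication is not enabled"))
        for key in ("auth.ldap.enabled", "auth.ad.enabled"):
            if any_true(settings, key):
                findings.append(("WARN", key,
                                 "LDAP/AD source enabled without authEnabled=true, "
                                 "which the page lists as a requirement"))
    return findings


def main(argv: list[str]) -> int:
    """Audit the file given as first argument, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_SM_INI
    for severity, key, message in audit(text):
        print(f"{severity:5} {key}: {message}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the path to <SESAM_ROOT>/var/ini/sm.ini as the first argument to audit a real file; the script only reads it.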

Configuring LDAP authentication

By integrating LDAP and SEP sesam authentication, SEP sesam internal groups are mapped to groups in the LDAP service tree. Members of the LDAP groups are assigned SEP sesam access rights depending on the user type (Admin, Operator, Backup (v. ≥ 5.0.0 Jaglion) or Restore, for details see User Roles and Permissions). SEP sesam then authenticates the users against both its own database and the external LDAP directory.

Configuring LDAP authentication is a two-step process:

  1. Ask your LDAP administrator which LDAP attributes are used for the login name and member value in the LDAP groups or identify the values yourself.
  2. In the SEP sesam GUI, configure an LDAP authentication source and add your LDAP groups to SEP sesam external groups.

OpenLDAP configuration

Step 1: Identify the LDAP parameters and values

  1. In the LDAP browser, enter the DNS name/IP address of your LDAP server, for example, sles11-nfs.jge.home.
  2. Create a (service) user within your LDAP tree or use an existing user with Read permission to the member attribute of groups to ensure that the specified account can read the group memberships of all user accounts in the directory.
  3. Define a container (LDAP tree level) where your groups reside. For example, the base for groups is ou=group,dc=jge,dc=home.
  4. Specify the group names; you can use sepadmin, sepoperators and/or seprestore.
  5. Identify all LDAP containers with existing users that will be granted access to SEP sesam.
  6. Identify the unique identifier of your users, for example, ee, jge.

LDAP summary for OpenLDAP example

LDAP server:                                          sles11-nfs.jge.home
LDAP user with read rights of the member attribute:   cn=Administrator,dc=jge,dc=home
LDAP group container/base:                            ou=group,dc=jge,dc=home
LDAP group to be used:                                sepadmin, sepoperators, seprestore
LDAP user container(s)/base(s):                       ou=people,dc=jge,dc=home
LDAP unique identifier:                               uid

Step 2: Configure the LDAP authentication in the GUI

  1. Make sure that database authentication is enabled, as described in Configuring Database-Based Authentication. Then from the SEP sesam GUI menu bar, select Configuration -> Permission Management.
  2. Switch to the Sources tab and click the + (plus) button to add a new authentication source.
  3. In the Authentication Configuration window, select LDAP as a Source Type and specify the values that you have already investigated for OpenLDAP:
    • URL: Specify the LDAP URL for the source directory server instance.
    • User Search Base: Set the pattern which will be used to supply a Distinguished Name (DN) for the user. The pattern name should be related to the root DN. The {0} placeholder will contain the user name.
    • Manager DN: Specify the Distinguished Name (DN) of the service user, which will be used to log in to and request data from the directory service.
    • Password: Define the password used for login to the directory service.
    • The Group base and Group filter options are available only in advanced UI mode (formerly expert GUI mode). To use these options, make sure your UI mode is set to advanced, as described in Selecting UI mode.

    You can also change the SEP sesam permission configuration by changing the URL to ldaps://<ldap server name>:636/. For details on how to secure LDAP for authentication, see LDAP with eDirectory example.

    Click OK.

  4. Switch to the External Groups tab and click Create New for each external group you want to map to SEP sesam groups: select ADMIN, OPERATOR, BACKUP (v. ≥ 5.0.0 Jaglion) or RESTORE.
    Click OK to map your external LDAP groups to the SEP sesam internal groups. Access to SEP sesam is denied if the LDAP user is not a member of one of the configured authorization groups.

(Micro Focus) NetIQ eDirectory configuration

Step 1: Identify LDAP parameters and values

  1. Log in to iManager as an administrator.
  2. Enter the DNS name/IP address of your eDirectory LDAP server, for example, oes15-srv1.sep.de.
  3. Create a (service) user within your eDirectory tree or use an existing user that has permission to read users' group memberships.
  4. Define the container where your groups will reside.
  5. Specify the group names; you can use sepadmingroup, sepoperatorgroup, sepbackupgroup (v. ≥ 5.0.0 Jaglion), seprestoregroup.
  6. Identify all eDirectory LDAP containers with existing users who will have access to SEP sesam.
  7. Identify the unique identifier of your users.

LDAP summary for eDirectory example:

LDAP server:                                           oes15-srv1.sep.de
LDAP user with read rights of the member attribute:    cn=Admin,o=sep
LDAP group container/base:                             ou=groups,o=sep
LDAP group to be used:                                 sepadmingroup, sepoperatorgroup, seprestoregroup
LDAP user container(s)/base(s):                        ou=users,o=sep; ou=it,o=sep; ou=gurus,ou=it,o=sep
LDAP unique identifier:                                cn

Step 2: Configure the LDAP authentication in the GUI

  1. Make sure that database authentication is enabled, as described in Configuring Database-Based Authentication. Then from the SEP sesam GUI menu bar, select Configuration ‐> Permission Management.
  2. Switch to the Sources tab and click the + (plus) button to add an authentication source.
  3. In the Authentication Configuration window, select LDAP as the Source Type and specify the values you have already investigated for eDirectory:
    • URL: Specify the LDAP URL that will be used to connect to the directory service.
    • User Search Base: Set the pattern to be used to provide a Distinguished Name (DN) for the user. The pattern name should be related to the root DN. The {0} placeholder will contain the user name.
    • Manager DN: Specify the Distinguished Name (DN) which will be used to log in to the directory service.
    • Password: Define the password used for login to the directory service.
    • The Group base and Group filter options are available only in advanced UI mode (formerly expert GUI mode). To use these options, make sure your UI mode is set to advanced, as described in Selecting UI mode.

    You can also switch to a secured connection (LDAPS) by changing the URL in the SEP sesam permission configuration to ldaps://<ldap server name>:636/. For details on how to secure LDAP for authentication, see LDAP with eDirectory example.

    Click OK.

    Create an authentication source for each LDAP container where your (SEP sesam) users exist. In our example, there are four different LDAP containers (eDirectory contexts) with users.

  4. Switch to the External Groups tab and click Create for each external group you want to map to SEP sesam groups: select ADMIN, OPERATOR, BACKUP (v. ≥ 5.0.0 Jaglion) or RESTORE.
    Click OK to map your external LDAP group to the SEP sesam internal groups. Then repeat the process for each external group you want to map. You can configure any number of groups. Access to SEP sesam is denied if the LDAP user is not a member of one of the configured authorization groups.

Univention UCS OpenLDAP configuration

Step 1: Identify the LDAP parameters and values

Use an LDAP browser and identify all required values. Univention UCS uses a non-standard port for LDAP.

In the following example, the attribute of the groups for members is uniqueMember.

LDAP summary for UCS OpenLDAP example:

LDAP server:                                           majestix.sep.de
LDAP port:                                             7636
LDAP user with read rights of the member attribute:    uid=ldapreader,cn=users,dc=sep,dc=de
LDAP group container/base:                             cn=groups,dc=sep,dc=de
LDAP group to be used:                                 grp-technik
LDAP user container(s)/base(s):                        ou=2_1_2_consulting,ou=2_1_it,ou=2_user,ou=hk,dc=sep,dc=de
LDAP unique identifier:                                uid
LDAP attribute for group members:                      uniqueMember

Step 2: Configure LDAP authentication in the GUI

The configuration procedure is the same as for OpenLDAP or eDirectory, described above.

For example, in the source configuration the LDAP connection is secured by LDAPS, as shown in the following screenshot:

UCS new source filled en.png

Configuring Active Directory (AD) authentication

Note
The SEP sesam Active Directory authentication method is not compatible with Azure AD.

The integration of Active Directory with SEP sesam allows you to use user information from the Active Directory server for authentication on SEP sesam. Once the prerequisites are met, the actual configuration is simple: the first step is to identify your Active Directory containers for user lookup and the AD group names to use. Then configure the AD authentication in the SEP sesam GUI using these values.

The queries for the users go through the AD tree, starting from the defined level down. This means that you can define the base DN at the highest level and the query will search for the user throughout the AD tree. This can be a time-consuming process. The search follows a first-match policy: once a match is found, any other possible match is skipped.

SEP sesam then authenticates users against both its own database and the external AD directory.

Step 1: Identify Active Directory parameters and values

  1. Create a new AD group on the domain controller or use an existing AD group. In our example, we use the AD groups named SEPADMIN and SEPOPERATOR.
  2. Identify the container(s) where your users reside. In our example, all users exist in OU=Users,OU=MyCompany,DC=ad16,DC=local and in OU=Admin-Users,OU=MyCompany,DC=ad16,DC=local. We want to set the search base DN so that only the users in these OUs have access to SEP sesam.
  3. Identify the domain extension of the User logon name that a user logs on with. This is especially important in multi-domain environments.

Example: LDAP summary for Active Directory:

LDAP server:                       ad16-1-dc.sep.de
AD User Domain extension:          ad16.local
LDAP group container/base:         cn=groups,dc=sep,dc=de
LDAP group to be used:             grp-technik
LDAP user container(s)/base(s):    ou=2_1_2_consulting,ou=2_1_it,ou=2_user,ou=hk,dc=sep,dc=de

Step 2: Configure AD authentication in the GUI

  1. Make sure that database authentication is enabled, as described in Configuring Database-Based Authentication. Then from the SEP sesam GUI menu bar, select Configuration ‐> Permission Management.
  2. Switch to the Sources tab and click the + (plus) button to add a new authentication source. In the Authentication Configuration window, select AD as the Source Type and specify the required values that you configured earlier, i.e., URL, Domain and User Search Base DN values.
    Then repeat the process for each AD source you want to add. In our example, two AD sources were added to SEP sesam.

  3. Switch to the External Groups tab and click Create new for each external AD group you want to map to SEP sesam groups: select ADMIN, OPERATOR, BACKUP (v. ≥ 5.0.0 Jaglion) or RESTORE.
  4. Click OK to map your external AD group to the SEP sesam internal groups. You can configure any number of groups. Access to SEP sesam is denied if a user is not a member of one of the configured groups.

Managing authentication

The following tips can help you configure and manage your LDAP/AD authentication in combination with SEP sesam:

  • It is possible to mix different authentication sources.
  • The first source is always a SEP sesam internal database.
  • The order of all following authentication sources is determined by the order in the SEP sesam GUI (Permission Management -> tab Sources).
  • You can change the order of the authentication sources by selecting the source entry and moving the rows up and down with the arrows at the bottom of the panel.
  • You can enable or disable each source by checking the check box in the column Enabled.
  • Every user that has logged in is displayed in the SEP sesam GUI: Permission Management -> tab Users.
  • AD and LDAP users are greyed out as it is not possible to manipulate them; the values displayed are for information only.
  • AD/LDAP users cannot log in without a working LDAP/AD connection as these users are not valid user objects in the SEP sesam database.

Securing the LDAP connection with LDAPS

SEP sesam uses a Java framework for authentication. As SEP sesam is only a user of the Java virtual machine, you must ensure that the data traffic is secured and that a secure connection is used. This procedure is not part of the SEP sesam configuration. Therefore, the provided steps in this section serve for reference only and are subject to change. Make sure to read your vendor documentation for the most up-to-date steps and further details.

  1. Ask your PKI/Root CA administrator for the public certificate of the Root CA, which is used to sign the certificate of your LDAP server.
  2. Import the public certificate to the Java KeyStore of the Java VM used by the SEP sesam Server by using a Java keytool.
  3. Change the LDAP source protocol in the SEP sesam GUI (Permission Management -> tab Sources) from ldap to ldaps and add the relevant LDAP port.
  4. Restart the RMI service on the SEP sesam Server by using the following command:
    sm_main restart rmi

For detailed information on how to export the Root CA certificate, check the documentation of your Root CA, e.g., Microsoft Certificate Services, Micro Focus eDirectory CA, OpenLDAP, etc.

To import a certificate into the Java KeyStore, use the Java keytool (part of every Java installation). Another way to manage this type of certificate is to use a third party utility for Windows, such as KeyStore Explorer.

Example of securing LDAP with eDirectory

With SEP sesam it is possible to secure LDAP for authentication; however, SEP sesam has to trust the certificate of the LDAP server. You have to import the public certificate of the certification authority (CA) that signs your LDAP server certificate into the Java KeyStore. Note that eDirectory works with self-signed certificates (eDirectory tree CA).

The following example shows the SEP sesam Linux Server (SLES). To use a secure LDAP connection, you need to export the eDirectory Root CA certificate. Then you have to import it into the Java KeyStore of the SEP sesam Server.

Note
After exporting and importing the public certificate, you may need to restart the SEP sesam Server to get it working properly again.

Step 1: Exporting a public certificate from the Root CA

Note that iManager must have the latest Micro Focus certificate server plugin and access to work properly.

  1. Launch and log in to iManager.
  2. Select eDirectory Administration -> Modify Object.
  3. Then select Modify object.
  4. Use the magnifying glass to navigate to the container where the <Tree Name> CA object resides and select it. Click OK.
  5. Switch to the Certificates tab.
  6. Select the Self Signed Certificate check box and click Validate.
  7. Select the Self Signed Certificate check box again and click Export.
  8. Clear the Export private key check box and click Next.
  9. Select Save the exported certificate. Note that you can select either File in binary DER format or File in Base64 format.
  10. Save the file and give your certificate a meaningful name that uniquely identifies it, for example, SelfSignCert.der.
  11. Click Close and then OK to export your public certificate.

After the certificate is exported, copy it to the SEP sesam Server.

Step 2: Importing a public certificate into Java KeyStore

If you want to import your certificate into the Java KeyStore, you first have to identify (as the root user) the keystore for your Java version by using the following command:

find / -iname 'cacerts'
/usr/java/jre1.8.0_144/lib/security/cacerts
/usr/java/jre1.7.0_40/lib/security/cacerts 

As shown in the example above, SEP sesam uses Java 1.8, so the corresponding keystore for this version is /usr/java/jre1.8.0_144/lib/security/cacerts.

The following example shows how to import a public certificate on a Linux server. After the certificate has been exported, it must be available on the Linux server, so copy it to your SEP sesam Server.

Procedure:

  1. Open a terminal prompt and switch to the root user (hint command: su).
  2. In the terminal prompt, enter keytool and press Enter.
    Tip
    This should only show a list of commands and options. It only serves to check whether the keytool application is in the path. If not, you should add the Java bin directory to the PATH variable to start the keytool application.
  3. Import the public certificate (for example, SelfSignedCert.b64) into the Java CA KeyStore by using the following command:
    keytool -import -alias <ldap server dns name> -keystore <path to Java CA keystore> -file <certificate file>

    Example:

    keytool -import -alias ldap.allnet.com -keystore /etc/alternatives/java_sdk/jre/lib/security/cacerts -file /home/admin/SelfSignedCert.b64

    Note
    You will find the Java CA KeyStore file, normally called cacerts, in the <java sdk/jdk>/jre/lib/security directory. When Java is updated, the cacerts file may be backed up and replaced by a new version that does not yet contain the manually imported certificate. In this case, LDAP authentication on the SEP sesam Server no longer works.
  4. When prompted for a password, enter changeit.
  5. Accept the certificate import by answering yes and close the terminal prompt.

The certificate has been imported into the keystore and the SEP sesam Server can use SSL for its LDAP authentication.

Command examples
  • In the keytool application, check that the certificate has been properly imported by using the -list command (keytool -list -keystore <keystore filename>).
/usr/java/jre1.8.0_144/bin/keytool -list -keystore /usr/java/jre1.8.0_144/lib/security/cacerts | grep oes15

When prompted for the password, enter changeit.

Output example

Keystore-Kennwort eingeben:  
oes15tree, 07.05.2018, trustedCertEntry,
  • You can check access to the keystore.
/usr/java/jre1.8.0_144/bin/keytool -list -keystore /usr/java/jre1.8.0_144/lib/security/cacerts 

Output example

Keystore-Kennwort eingeben:  

 Keystore-Typ: JKS
 Keystore-Provider: SUN

 Keystore enthält 105 Einträge

 verisignclass2g2ca [jdk], 25.08.2016, trustedCertEntry, 
 Zertifikat-Fingerprint (SHA1): 
 B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
 digicertassuredidg3 [jdk], 25.08.2016, trustedCertEntry,
 Zertifikat-Fingerprint (SHA1): 
 F5:17:A2:4F:9A:48:C6:C9:F8:A2:00:26:9F:DC:0F:48:2C:AB:30:89
 ….............
  • You can import the CA public certificate (exported from eDirectory) from /tmp/, the file name is oes15tree_public_cert.der.
/usr/java/jre1.8.0_144/bin/keytool -import -alias oes15tree -keystore /usr/java/jre1.8.0_144/lib/security/cacerts -file /tmp/oes15tree_public_cert.der

Output example

Keystore-Kennwort eingeben:  
 Eigentümer: O=OES15TREE, OU=Organizational CA
 Aussteller: O=OES15TREE, OU=Organizational CA
 Seriennummer: 21c14e16e79e3e28b6e89a3fbda8091477857741cdbf48bc44d12f70a0a0202060dfa50
 Gültig von: Tue Dec 01 11:12:27 CET 2015 bis: Sun Nov 30 11:12:27 CET 2025
 Zertifikat-Fingerprints:
         MD5:  41:48:73:BD:1C:59:C3:C1:5E:00:6D:11:6B:F4:A2:C7
         SHA1: 49:CB:2B:D5:2C:0B:11:2B:31:00:66:08:0E:CC:F4:D4:9F:61:3E:27
         SHA256: 01:61:BA:80:A1:67:6D:C7:15:9C:01:E5:24:F6:5B:BB:20:90:64:6D:95:A8:56:B2:32:37:CA:23:EF:D5:E6:BB
         Signaturalgorithmusname: SHA1withRSA
         Version: 3

 Erweiterungen: 

 #1: ObjectId: 2.16.840.1.113719.1.9.4.1 Criticality=false


 #2: ObjectId: 2.5.29.35 Criticality=false
 AuthorityKeyIdentifier [
 KeyIdentifier [
 0000: D3 91 1B 7E 38 C8 A1 05   62 61 22 03 8E 38 AD 12  ....8...ba"..8..
 0010: 6F 43 00 B6                                        oC..
 ]
 ]

 #3: ObjectId: 2.5.29.19 Criticality=false
   CA:true
   PathLen:2147483647
 ]

 #4: ObjectId: 2.5.29.15 Criticality=false
 KeyUsage [
  Key_CertSign
  Crl_Sign
] 

 #5: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: D3 91 1B 7E 38 C8 A1 05   62 61 22 03 8E 38 AD 12  ....8...ba"..8..
 0010: 6F 43 00 B6                                        oC..
 ]
 ]

 Diesem Zertifikat vertrauen? [Nein]:  Ja
 Zertifikat wurde Keystore hinzugefügt
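
The note in the import procedure warns that a Java update can replace cacerts and drop the manually imported CA certificate. The following added example (not part of the SEP sesam documentation or of keytool) parses keytool -list output and checks that a pinned alias is still present with the expected fingerprint. The function names, the pin dictionary and the constructed sample listings are assumptions of this example; it relies on the trustedCertEntry token staying untranslated, as in the German output above.

```python
import re

# One entry line of `keytool -list`: "<alias>, <date>, <entry type>,".
# The date is localized and may contain commas ("May 7, 2018"); the entry
# type token is not translated (see the German output above).
ENTRY = re.compile(r"^\s*(?P<alias>[^,]+), .+, (?P<type>\w+Entry),\s*$")
# Colon-separated hex fingerprint of at least 16 bytes (SHA1 is 20 bytes).
FINGERPRINT = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}\b")


def trusted_entries(listing):
    """Return {alias: fingerprint or None} for every trustedCertEntry.

    The fingerprint may follow its label on the same line or, when the
    output is wrapped as in the example above, on the next line.
    """
    entries, alias = {}, None
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            alias = m["alias"].strip().lower() if m["type"] == "trustedCertEntry" else None
            if alias:
                entries[alias] = None
            continue
        fp = FINGERPRINT.search(line)
        if fp and alias and entries[alias] is None:
            entries[alias] = fp.group(0).upper()
    return entries


def check_pins(listing, pinned):
    """Compare a listing with {alias: expected fingerprint}.

    Result per alias: "ok", "missing" (for example after cacerts was
    replaced by an update) or "fingerprint-mismatch" (the alias now
    points to a different certificate). Aliases compare case-insensitively.
    """
    present = trusted_entries(listing)
    report = {}
    for alias, expected in pinned.items():
        found = present.get(alias.lower())
        if alias.lower() not in present:
            report[alias] = "missing"
        elif found != expected.upper():
            report[alias] = "fingerprint-mismatch"
        else:
            report[alias] = "ok"
    return report


# Constructed listings in the format of the output above. The oes15tree SHA1
# fingerprint is the one printed by the import example on this page.
PINNED = {"oes15tree": "49:CB:2B:D5:2C:0B:11:2B:31:00:66:08:0E:CC:F4:D4:9F:61:3E:27"}

BEFORE_UPDATE = """\
Keystore-Typ: JKS
Keystore-Provider: SUN

verisignclass2g2ca [jdk], 25.08.2016, trustedCertEntry,
Zertifikat-Fingerprint (SHA1):
B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
oes15tree, 07.05.2018, trustedCertEntry,
Zertifikat-Fingerprint (SHA1): 49:CB:2B:D5:2C:0B:11:2B:31:00:66:08:0E:CC:F4:D4:9F:61:3E:27
"""

# After an update replaced cacerts: the imported alias is gone.
AFTER_UPDATE = """\
verisignclass2g2ca [jdk], 25.08.2016, trustedCertEntry,
Zertifikat-Fingerprint (SHA1):
B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
"""

# English-locale output with a different (constructed) certificate under the alias.
REPLACED = """\
oes15tree, May 7, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

if __name__ == "__main__":
    for name, text in [("before", BEFORE_UPDATE), ("after", AFTER_UPDATE), ("replaced", REPLACED)]:
        print(name, check_pins(text, PINNED))
```

Feed the functions the output of keytool -list -keystore <keystore filename>; the pinned fingerprint must use the same hash algorithm that your keytool version prints.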

Checking if LDAP with eDirectory works properly

If you have problems with authentication, check that LDAP is working properly with eDirectory.

  1. Open iManager and enable LDAP trace.
  2. On the shell or in iMonitor, use ndstrace and enable only LDAP trace.
  3. Log in to SEP sesam GUI as a user from a mapped group with the correct eDirectory password. In our example for eDirectory, a configured user is sepadmin from the group ou=it,o=sep.

Output example for ndstrace (successful)

New TLS connection 0x13ae5880 from 192.168.x.x:58610, monitor = 0xcc357700, index = 488
Monitor 0xcc357700 initiating TLS handshake on connection 0x13ae5880
DoTLSHandshake on connection 0x13ae5880
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x13ae5880
DoBind on connection 0x13ae5880
Bind name:cn=sepadmin,ou=users,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x13ae5880, err = no such entry (-601)
Failed to authenticate full context on connection 0x13ae5880, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x13ae5880
Monitor 0xcc357700 found connection 0x13ae5880 ending TLS session
DoTLSShutdown on connection 0x13ae5880
Monitor 0xcc357700 found connection 0x13ae5880 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xcc357700 initiating close for connection 0x13ae5880
Server closing connection 0x13ae5880, socket error = -5871
Connection 0x13ae5880 closed
New TLS connection 0x13ae5880 from 192.168.x.x:58612, monitor = 0xcc357700, index = 488
Monitor 0xcc357700 initiating TLS handshake on connection 0x13ae5880
DoTLSHandshake on connection 0x13ae5880
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x13ae5880
DoBind on connection 0x13ae5880
Bind name:cn=sepadmin,ou=it,o=sep, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x13ae5880
DoSearch on connection 0x13ae5880
Search request:
        base: "cn=sepadmin,ou=it,o=sep"
        scope:0  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(objectClass=*)"
        no attributes
nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
Empty attribute list implies all user attributes
Sending search result entry "cn=sepadmin,ou=it,o=sep" to connection 0x13ae5880
Sending operation result 0:"":"" to connection 0x13ae5880
DoUnbind on connection 0x13ae5880
Connection 0x13ae5880 closed
New TLS connection 0x13ae5880 from 192.168.x.x:58613, monitor = 0xcc357700, index = 488
Monitor 0xcc357700 initiating TLS handshake on connection 0x13ae5880
DoTLSHandshake on connection 0x13ae5880
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x13ae5880
DoBind on connection 0x13ae5880
Bind name:cn=ldapuser,o=sep, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x13ae5880
DoSearch on connection 0x13ae5880
Search request:
        base: "ou=groups,o=sep"
        scope:2  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(member=cn=sepadmin,ou=it,o=sep)"
        attribute: "cn"
        attribute: "objectClass"
        attribute: "javaSerializedData"
        attribute: "javaClassName"
        attribute: "javaFactory"
        attribute: "javaCodeBase"
        attribute: "javaReferenceAddress"
        attribute: "javaClassNames"
        attribute: "javaRemoteLocation"
 nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
 Sending search result entry "cn=seprestoregroup,ou=groups,o=sep" to connection 0x13ae5880
 Sending search result entry "cn=sepoperatorgroup,ou=groups,o=sep" to connection 0x13ae5880
 Sending search result entry "cn=sepadmingroup,ou=groups,o=sep" to connection 0x13ae5880
 Sending operation result 0:"":"" to connection 0x13ae5880
 DoUnbind on connection 0x13ae5880
 Connection 0x13ae5880 closed

Output example for ndstrace (unsuccessful, wrong password)

New TLS connection 0x167e9180 from 192.168.1.11:59405, monitor = 0xcc357700, index = 485
Monitor 0xcc357700 initiating TLS handshake on connection 0x167e9180
DoTLSHandshake on connection 0x167e9180
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x167e9180
DoBind on connection 0x167e9180
Bind name:cn=sepadmin,ou=users,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x167e9180, err = no such entry (-601)
Failed to authenticate full context on connection 0x167e9180, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 ending TLS session
DoTLSShutdown on connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xcc357700 initiating close for connection 0x167e9180
Server closing connection 0x167e9180, socket error = -5871
Connection 0x167e9180 closed
New TLS connection 0x167e9180 from 192.168.1.11:59408, monitor = 0xcc357700, index = 485
Monitor 0xcc357700 initiating TLS handshake on connection 0x167e9180
DoTLSHandshake on connection 0x167e9180
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x167e9180
DoBind on connection 0x167e9180
Bind name:cn=sepadmin,ou=it,o=sep, version:3, authentication:simple
Failed to authenticate local on connection 0x167e9180, err = failed authentication (-669)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 ending TLS session
DoTLSShutdown on connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xcc357700 initiating close for connection 0x167e9180
Server closing connection 0x167e9180, socket error = -5871
Connection 0x167e9180 closed
New TLS connection 0x167e9180 from 192.168.1.11:59409, monitor = 0xcc357700, index = 485
Monitor 0xcc357700 initiating TLS handshake on connection 0x167e9180
DoTLSHandshake on connection 0x167e9180
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x167e9180
DoBind on connection 0x167e9180
Bind name:cn=sepadmin,ou=gurus,ou=it,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x167e9180, err = no such entry (-601)
Failed to authenticate full context on connection 0x167e9180, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 ending TLS session
DoTLSShutdown on connection 0x167e9180
Monitor 0xcc357700 found connection 0x167e9180 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xcc357700 initiating close for connection 0x167e9180
Server closing connection 0x167e9180, socket error = -5871
Connection 0x167e9180 closed
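
In both traces every failed bind is answered with the same LDAP result 49, so the client cannot tell a wrong password from a user who simply does not exist in one of the configured containers; only the -601 and -669 codes in the trace separate the two. The following added example (not SEP sesam or eDirectory code) classifies each bind in an ndstrace capture and lists the groups returned by the member search. The function names are assumptions of this example, and the sample traces are condensed from the output above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Line patterns taken from the ndstrace output shown above.
BIND = re.compile(r"Bind name:(?P<dn>.+), version:\d+, authentication:\w+")
NDS_ERR = re.compile(r"Failed to .+ on connection \S+, err = .+ \((?P<code>-\d+)\)")
LDAP_RESULT = re.compile(r"Sending operation result (?P<code>\d+):")
MEMBER_FILTER = re.compile(r'filter: "\(member=(?P<dn>.+)\)"')
ENTRY = re.compile(r'Sending search result entry "(?P<dn>.+)" to connection')


@dataclass
class Bind:
    dn: str
    ldap_result: Optional[int] = None  # LDAP result code sent to the client
    nds_error: Optional[int] = None    # first eDirectory error logged for the bind

    @property
    def outcome(self):
        if self.ldap_result == 0:
            return "ok"
        if self.nds_error == -601:     # DN does not exist in this container
            return "no-such-entry"
        if self.nds_error == -669:     # DN exists, password rejected
            return "wrong-password"
        return "failed"


def parse(trace):
    """Return (binds, groups): the bind attempts in order and, per member DN,
    the group DNs returned by a (member=<dn>) search.
    Assumes connections are not interleaved, as in the traces above."""
    binds, groups = [], {}
    current = member = None
    for line in map(str.strip, trace.splitlines()):
        if (m := BIND.match(line)):
            current, member = Bind(m["dn"]), None
            binds.append(current)
        elif current is None:
            continue
        elif (m := NDS_ERR.match(line)):
            if current.nds_error is None:
                current.nds_error = int(m["code"])
        elif (m := LDAP_RESULT.match(line)):
            if current.ldap_result is None:  # the first result answers the bind
                current.ldap_result = int(m["code"])
        elif (m := MEMBER_FILTER.match(line)):
            member = m["dn"]
            groups.setdefault(member, [])
        elif (m := ENTRY.match(line)) and member is not None:
            groups[member].append(m["dn"])
    return binds, groups


def diagnose(trace, login, id_attr="cn"):
    """Explain one login; id_attr is the source's 'LDAP unique identifier'."""
    binds, groups = parse(trace)
    prefix = f"{id_attr}={login},".lower()
    mine = [b for b in binds if b.dn.lower().startswith(prefix)]
    tried = [(b.dn, b.outcome) for b in mine]
    ok = next((b for b in mine if b.outcome == "ok"), None)
    if ok:
        found = groups.get(ok.dn, [])
        verdict = "authenticated" if found else "authenticated-no-group"
        return {"verdict": verdict, "dn": ok.dn, "groups": found, "tried": tried}
    bad = next((b for b in mine if b.outcome == "wrong-password"), None)
    verdict = "wrong-password" if bad else "user-not-found"
    return {"verdict": verdict, "dn": bad.dn if bad else None, "groups": [], "tried": tried}


# Sample traces condensed from the output above (handshake, unbind and
# close lines omitted); constructed for this example.
SUCCESS_TRACE = '''\
Bind name:cn=sepadmin,ou=users,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x13ae5880, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x13ae5880
Bind name:cn=sepadmin,ou=it,o=sep, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x13ae5880
        filter: "(objectClass=*)"
Sending search result entry "cn=sepadmin,ou=it,o=sep" to connection 0x13ae5880
Bind name:cn=ldapuser,o=sep, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x13ae5880
        filter: "(member=cn=sepadmin,ou=it,o=sep)"
Sending search result entry "cn=seprestoregroup,ou=groups,o=sep" to connection 0x13ae5880
Sending search result entry "cn=sepoperatorgroup,ou=groups,o=sep" to connection 0x13ae5880
Sending search result entry "cn=sepadmingroup,ou=groups,o=sep" to connection 0x13ae5880
'''
WRONG_PASSWORD_TRACE = '''\
Bind name:cn=sepadmin,ou=users,o=sep, version:3, authentication:simple
Failed to resolve full context on connection 0x167e9180, err = no such entry (-601)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
Bind name:cn=sepadmin,ou=it,o=sep, version:3, authentication:simple
Failed to authenticate local on connection 0x167e9180, err = failed authentication (-669)
Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x167e9180
'''
```

A "no-such-entry" result for one container is expected whenever several authentication sources are configured and tried in order; only "wrong-password" or "user-not-found" for the login as a whole points to a real problem.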


Configuring Database-Based Authentication

Overview

SEP sesam provides different authentication methods that are mutually exclusive: policy-based authentication and database-based authentication, which can be combined with Lightweight Directory Access Protocol (LDAP) and/or Active Directory. Only one method (policy-based or database-based authentication) can be active at a time. By default, policy-based authentication is active.

Activating database-based authentication has to be done via the GUI to set the superuser/admin password. Note that superuser has replaced the former admin role with SEP sesam version 5.0.0 Jaglion.
After restarting SEP sesam GUI Server and Client, the superuser/admin (depending on the version) can configure default user access rights that are based on predefined user type.

SEP sesam currently provides 5 user types. The following list shows the available user types and their corresponding rights.

  • Superuser (≥ Jaglion): The only user type with full control over the SEP sesam environment (previously Admin). This user type with superuser rights is automatically assigned exclusively to the Administrator user when database-based authentication is activated. If policy-based authentication is enabled, this user type with superuser rights is assigned to the Administrator, root and sesam users.
  • Administrator: Administrators can administer the SEP sesam system and access the GUI objects (except permission management) if not restricted by ACLs.
  • Operator: Operators can monitor the whole environment.
  • Backup (≥ Jaglion): Backup users can access the GUI objects granted by ACLs. They are also allowed to start backups and restores.
  • Restore: Restore users can access the GUI objects granted by ACLs. They are only allowed to start standard restores.

Which GUI components are displayed depends on the user type. For details, see Available interface options according to user type.

As of v. 5.0.0 Jaglion, it is also possible to authenticate users with a signed certificate instead of a user password if database-based authentication is enabled. For step-by-step procedure, see Configuring Certificate-Based Authentication.

Prerequisite

  • Make sure that reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see How to check DNS configuration.

Activating database-based authentication in the GUI

  1. In the GUI, from the menu bar select Configuration ‐> Permission Management.
  2. Click Activate Authentication. Set up the password for the Administrator user; note that this is the only way to set the administrator's password.
  3. Authentication activate Beefalo V2.jpg

  4. After activating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.
  5. Authentication restart Beefalo V2.jpg

  6. LDAP/AD authentication is enabled by default. For details on how to configure LDAP/AD authentication, see Configuring LDAP/AD Authentication.
  7. You have to log in to configure users and add them to the selected group. The way you need to log in depends on the version. In v. ≥ 5.0.0 Jaglion log in as Administrator with the user type superuser. In earlier versions, log in with the administrator user type. The following user types are available: Administrators, Operators, Backup users (≥ 5.0.0 Jaglion), Restore users.
  8. You can create your own subgroups (e.g., SUB_ADMIN) to grant users more specific roles. Under the Groups tab, click Create New to configure a new subgroup. The Sub Group window opens.
  9. Specify a group name and from the drop-down list select the relevant role to be applied to the whole group: Administrator, Operator, Backup (in v. ≥ 5.0.0 Jaglion), or Restore. For more details, see User Roles and Permissions.
  10. Authentication sub group Jaglion.jpg

    Information sign.png Note
    If you want to combine LDAP/AD, you have to use the external groups. Add the group from LDAP/AD and select the Based on group option to map to this particular SEP sesam group; see Configuring LDAP authentication in the GUI.
  11. Under the Users tab, click Create New to configure a new user. The Create User window opens.
  12. Enter a name (e.g., mustermann) and a password and assign the user to the relevant group, for example, RESTORE.
  13. Authentication create user Jaglion.jpg

  14. A user can be a member of one or more groups. Under the Groups tab, double-click the relevant group and (de)select the users to assign them to or remove them from the respective group.
  15. Permission management groups Beefalo V2.jpg

  16. Now you can configure ACLs (access control lists) to specify which users or groups are granted access to location (group of clients) or a specific client. As of v. 5.0.0 Jaglion, you can also configure ACLs for backup tasks, media pools and schedules. For details, see Using Access Control Lists.
Note
When activating database-based authentication via GUI, parameter authEnabled is changed to true in the sm.ini file. Setting the flag to false enables policy-based authentication and deactivates database-based authentication.

Resetting user password

To reset the password of another user, you must have superuser/admin privileges. Resetting a password is a two-step process: the superuser/admin first resets the password on the command line with the sm_cmd command and then uses the newly generated password to change the password in the Permission Management in the GUI.

Resetting the password in the command line

To reset a user password, log in to SEP sesam Server console and enter the following command:

sm_cmd reset user <ID or name>

The output of the above command is shown in the example.

Example:
In this example, the user name is mustermann.

sm_cmd reset user mustermann
C:\Program Files\SEPsesam\bin\sesam>sm_cmd reset user mustermann
bouryper39

Changing password in the GUI

After resetting a user password with the sm_cmd reset user command, you can change the password for the respective user in the Permission Management in the GUI by using the automatically generated password from the command output. Note that only a superuser/admin user has sufficient permissions to use the Permission Management and configure users.

  1. From the menu bar select Configuration -> Permission Management. The Permission Management window opens.
  2. Select the user for which you want to reset the password and click Change. In our example, the user is named mustermann.
  3. In the Change User window, click Change Password.
  4. The Change Password window opens. Enter the password you obtained by resetting a password in the command line (in our example bouryper39), enter a new password and click OK.

Deactivating database-based authentication

  1. In the GUI, from the menu bar select Configuration -> Permission Management -> tab Activation.
  2. Click Deactivate Authentication.
  3. After deactivating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.
  4. Now policy-based authentication is enabled and the flag authEnabled is set to false in the sm.ini file.


Part VII: SEP sesam Backup

About Backup

Overview

SEP sesam is a highly efficient enterprise backup solution for heterogeneous environments that enables reliable backup and restore of various operating systems, applications and emails, databases and virtual platforms.

SEP sesam backup is a process whereby file system and application data specified by a backup task is copied and stored in a highly secure manner from primary storage to secondary storage that can be located virtually anywhere, i.e. onsite/offsite, on disc or tape, at a physical location, at a remote location or in a cloud.

Protection of heterogeneous environments

SEP sesam is designed for heterogeneous environments and provides backup and restore of various applications, databases and VMs.

  • Multi-hypervisor support: Citrix (XCP-ng/XenServer), Hyper-V, KVM/QEMU, OpenNebula, RHV, OLVM, VMware, Proxmox VE, Nutanix AHV
  • Databases: Oracle, SAP, MS SQL, IBM DB2, Informix, SAP ERP with MaxDB, MySQL/MariaDB, PostgreSQL
  • Support for Novell Netware, VMS etc.
  • Systems also for dissimilar hardware
  • SEP CAPS (Cloud App Protection Service): Microsoft 365, G Suite, Salesforce, Dynamics 365, ownCloud
Supported task types

SEP sesam supports heterogeneous computing environments (Windows, UNIX, VMS or NetWare) and provides preset task types, such as common file system backup (type Path), Exchange, MySQL, SAP HANA, etc., as well as task types for virtual environments that enable image-level backups and single-file restore (SFR).

Backup features
  • SEP sesam operations, such as backup and restore, can only be performed by users who have the appropriate permissions. Only a user with Superuser privileges can configure authentication.
  • Backup to tape, disk and cloud storage to implement the best possible backup strategy for your environment.
  • To simplify backup of multiple VMs, you can automate the backup process by automatically generating tasks for VMs and creating clients for VMs.

Backup levels

SEP sesam provides four different backup levels: full, differential, incremental and copy. The backup level is specified when creating a backup event in the Main Selection -> Scheduling -> Schedules -> New Backup Event.

The following backup levels are available:

A FULL backup always copies all data specified by the backup task, regardless of whether it has been changed or not. A saveset created as FULL is the basic saveset for subsequent DIFF or INCR savesets. While the backup time of a full backup can be significant, restore is fast and simple since only one backup saveset is required. Information about the backup status is stored in the SEP sesam database. Note that the archive bits are not deleted on Windows systems. If you want to force a reset of the archive bits, you can enter the command -o clear_archive in the backup options.

A DIFF (differential) backup saves only data which was created or changed after the last FULL saveset of the same task had been created. A differential backup is faster than a full backup; however, to restore the whole data source, the saveset of the full backup has to be restored first, followed by the DIFF saveset. For this, SEP sesam provides generation restore that enables browsing for and selecting for restore all generations of backed up files since the last full backup.

An INCR (incremental) backup saves only data which was created or changed after the last backup (FULL, DIFF or INCR) of the same task. This is the fastest backup method and requires the least storage space. Restoring from incremental backups is the slowest, because it requires all related savesets to be copied back – the saveset of the last full backup as well as all INCR backups. You should consider the advantages of time and resources when planning your backup strategy. A combination of FULL backups stored to tape drives, and DIFF or INCR backups stored to virtual disk media is a common method.

A COPY backup is a full backup that has no influence on following differential (DIFF) or incremental (INCR) backups. For the treatment of archive bits, see FULL backup above. COPY backup is usually used for additional full backups, e.g., monthly backups, or backups for archiving, i.e. removal from storage.

Note
In case no initial FULL backup exists, differential (DIFF) or incremental (INCR) backups are automatically performed as FULL backups.

Backup procedure

The standard backup procedure applies to file systems and application data and may differ from the backup procedures for SEP sesam extensions, which might involve additional tasks or include other options. As special methods are used to back up such data, make sure to use the backup procedure specific to the data you want to back up. For details on the supported extensions, their features and backup procedures, see SEP sesam Extensions and the SEP sesam OS and Database Support Matrix.

The standard backup procedure involves the following steps:

  1. Creating a backup task by selecting the data to be backed up
  2. Creating a backup schedule by specifying when you want to back up your data
  3. Creating a backup event by selecting where and how to back up your data

For details, see Standard Backup Procedure.

Automated backup

SEP sesam introduces a powerful scheduling service called SEPuler that constantly checks for backup, restore and other predefined tasks scheduled for execution. When such tasks are found, SEPuler initiates the execution of the event. To prevent possible task conflicts and efficiently manage the tasks in the execution queue, SEP sesam uses event priorities.

Backups can be scheduled for automatic execution or started manually. For more information, see Creating a Schedule and Creating a Custom Calendar.

Backing up multiple VMs can be simplified by automating the backup process. This means that tasks can be created automatically for VMs associated to the same host. It is also possible to automatically create clients for VMs to which the generated tasks and ACLs can be assigned. For more information, see Automating the Backup Process.

Parallel backups

The SEP sesam multi-streaming technology enables extremely fast, simultaneous backups from multiple data sources on one drive. This is called Sesam Multiplex Stream (SMS).

The data from the different streams is split into packets, each packet is given an identifier and copied to the backup media. The data of a certain stream is not contiguously positioned on the media, but interrupted by packets of other streams. The identification marker of the packets enables SMS to restore the initial stream during reading.

SMS is able to split savesets across several media that still have some free space left (indicated by the media properties parameter EOM – End of Media).

The maximum number of parallel streams that can be used during the backup to the backup drive is set in the Drive properties by the parameter Max. channels (see Drives). The number of available data streams depends on the type of Server license, e.g., ONE provides 1 backup stream, etc. See Licensing for more details.

Encryption

SEP sesam provides data encryption types on different levels:

Backup with VSS on Windows

Microsoft Volume Shadow Copy Service (VSS) is a Windows service for backing up running applications. VSS coordinates with other VSS-aware applications and services to create a shadow copy or snapshot of data for backup purposes. VSS uses a copy-on-write snapshot and allocates a small amount of temporary space to it. Once the snapshot is completed, the temporary storage space is released.

Backup with VSS is enabled by default for the file system task type Path. All other task types, e.g., System state, already use the required VSS Writer by default. However, a specific Writer can be manually excluded from the backup if it is not needed for the current backup task (e.g., exclude a Hyper-V Writer because there is another task dedicated to backing up a Hyper-V system). For more details on SEP sesam VSS, see SEP sesam Volume Shadow Copy Service (VSS) for Windows.

NDMP backup

SEP sesam enables you to protect and manage your storage file servers by providing support for Network Data Management Protocol. NDMP is a common protocol for backing up and restoring data on storage devices that do not support the installation of a backup agent. It ensures interoperability between NAS file servers and SEP sesam, and is used as an interface that enables SEP sesam to back up different NAS appliances and copy this data to a SEP sesam Server or Remote Device Server (RDS). SEP sesam supports version 4 of the NDMP protocol.

For details, see NDMP Backup. For a list of supported NAS appliances, see the support matrix. For details on backing up NetApp NFS volumes via NFS, see NetApp Volume Backup.

HSM-aware backup for Windows

Hierarchical Storage Management (HSM) is a method for reducing data storage costs and facilitating data management tasks. HSM-aware backup for Windows is an integral part of the SEP sesam package. It provides efficient backup of data on Windows systems that is managed by HSM. SEP sesam as an HSM-aware solution recognises the reparse tags in stub files and does not trigger a recall of the original files, but performs a backup of the placeholder files without retrieving their contents. For more details, see HSM-aware Backup for Windows.

Support for NTFS Alternate Data Streams (ADS) for Windows

Alternate Data Streams (ADS) are backed up by default when backing up an NTFS file system and are automatically restored to any ADS-aware system. They can be excluded from the backup via a special option in the backup task properties.

ADS are a unique data-hiding feature of NTFS file systems. A file in NTFS consists of the unnamed data stream where the data is actually contained and of alternate data streams that can store additional metadata. Applications may use ADS to store file attributes. For details, see Support for NTFS alternate data streams (ADS) for Windows.

Support for Linux sparse files

SEP sesam provides support for Linux sparse files to prevent running out of disk space during restore. For details on how SEP sesam handles sparse files and what options are available, see Support for Sparse Files.

SEP sesam Logical Volume Manager (LVM) for Linux

SEP sesam uses LVM (Logical Volume Manager) snapshots to perform consistent backups of open files on Linux distributions. LVM snapshots allow a frozen copy of the file system to be backed up without taking the "live" volume offline during the backup.

LVM snapshots only work with partitions created with LVM. For more details, see SEP sesam LVM for Linux.

Configuring SESAM_BACKUP

To prepare for a possible breakdown of the SEP sesam Server, you need to perform a self-backup of the SEP sesam installation. This means that you have to configure at least one backup task named SESAM_BACKUP. This backs up the configuration files of SEP sesam, the var directory including all listings, the log files, the database and the INI-files. See Configuration Files.

To ensure consistent configuration after restoring from backup, this backup should be run daily, either in COPY or FULL mode. For details, see the section Preparing for Disaster Recovery.

Also, a disaster interface must be properly configured to support the disaster recovery process: sm_disaster (Linux) or sm_disaster.cmd/sm_disaster.ps1 (Windows). The disaster interface sends an email with a description of the disaster recovery process and an attachment that contains the SEP sesam bootstrap database with all the important data for disaster recovery. For details on how to activate this interface, see the section Preparing for Disaster Recovery.

The self-backup procedure consists of the following:

  • When the SEP sesam self-backup starts (SESAM_BACKUP), the entire SEP sesam database is exported to the path <SESAM_ROOT>/var/<db>[_pg]/backup. The export files have names like sesam_db_20121223-20121224060003.sql.gz and are backed up to a predefined media pool. It is recommended that you configure a SEP sesam DR-dedicated media pool for storing all your SEP disaster recovery savesets.
  • Each time SESAM_BACKUP is run, a bootstrap file of the SEP sesam database (for example, sesam_bootstrap_db_[datetime].sql.gz) is exported to the <SESAM_ROOT>/var/db[_pg]/backup directory. This file contains the SEP sesam configuration and the data history of the SEP sesam self-backups of the last 30 days.
  • sm_disaster copies the content of input arguments (DISASTER or SESAM_BACKUP) from the SEP sesam Server to predefined locations on another computer (emails, copies of files, etc.). Information about the last disaster backup from SEP sesam is also stored.
  • Finally, an email with a brief description of the recovery and the bootstrap file as an attachment is sent regularly to the email address you configured. The bootstrap export is used exclusively for SEP sesam disaster recovery, so you should save any version of this file in a safe place.

To fully utilize the disaster recovery functionality and ensure that all disaster-relevant information is generated and sent, the following steps must be performed:

  1. The backup task SESAM_BACKUP is normally configured after the installation of a SEP sesam Server. So it should already exist. If this is not the case, you have to configure it:
    Open the GUI and select in the Main selection -> Tasks -> By Clients -> your SEP sesam Server -> New Backup Task. The name of the backup task must be SESAM_BACKUP. It normally includes the directories <SESAM_ROOT>/var and <SESAM_ROOT>/bin/sesam and excludes the directories work and log. Click OK to save the task.
    Tip
    Disaster recovery is performed with log level 0. If required, you can set a higher log level for the restore in the properties of the backup task SESAM_BACKUP -> Options tab -> Restore options field. For details, see Setting log level on a per-task basis in GUI.
  2. Once your disaster recovery task is configured, set up a backup schedule (GUI -> Scheduling -> Schedules). The SEP sesam backup should run at a time when no other activities are running in the SEP sesam environment. It is recommended to run this task every day. For details on scheduling, see Creating a Schedule.
  3. Create an event to associate with the schedule. Select the backup level COPY. It is recommended that you select a disaster recovery dedicated media pool for storing all your disaster recovery savesets. For general information about creating a backup event, see Creating a Backup Event.
  4. Activate the interface sm_disaster: From the SEP sesam GUI menu, select Configuration -> Interfaces -> Disaster Interface. A window with the interface script is displayed.
  5. Click Save to confirm the dialog. The file sm_disaster is read and stored in the directory <SESAM_ROOT>/bin/sesam.
    Tip: After installing SEP sesam, the file sm_disaster (Linux) or sm_disaster.cmd/sm_disaster.ps1 (Windows) is located in the directory <SESAM_ROOT>/skel/templates/. Alternatively, you can activate the disaster interface by copying sm_disaster from <SESAM_ROOT>/skel/templates to <SESAM_ROOT>/bin/sesam.
    Note
    The sm_disaster file has been completely redesigned for SEP sesam version 4.4.2. If your SEP sesam Server version is 4.4.2 or lower, you must replace the sm_disaster file after updating to SEP sesam Server 4.4.2:
    • Windows: The MSI Installer will ask you if you want to overwrite the existing interface. Choose <yes> to overwrite the existing interface. Alternatively, copy <SESAM_BIN>/skel/templates/sm_disaster.ps1 to <SESAM_BIN>/bin/sesam/sm_disaster.ps1.
    • Linux: Copy <SESAM_BIN>/skel/templates/sm_disaster to <SESAM_BIN>/bin/sesam/sm_disaster to get the latest version of the disaster interface.
  6. Configure the SEP sesam email for the sesam account so that the interface sends messages after self-backup: From the GUI menu, select Configuration -> Email Settings -> New. An Email Account window is displayed.
    • In the Account field, type the name sesam (it must be lowercase).
    • Optionally, enter the name in the Customer field.
    • Enter the name of the sender (the name of the respective SEP sesam Server).
    • Enter the name or IP address of the outgoing mail server in the SMTP server field.
    • In the SMTP user field, enter the user name for the SMTP server. If the SMTP user name is not specified, the SMTP server probably does not require authorization.
    • If the mail server requires authentication, enter the password in the Password field.
    • Optionally, specify the SMTP port.
    • In the Recipient field, enter the address of the recipient of the DR notification emails. This is usually the address of the backup administrator.
    • Optionally, you can specify additional recipients in the CC and BCC fields.

Creating Exclude List

For each backup, you can back up only selected files, files that match a specific pattern, and exclude specific files, file types or directories from backups.

Some files are only temporary, while others are permanently in use. These files should either be excluded from the normal backup or backed up in a special way. For example, you may not want to back up temporary (.tmp) files, read-only files, or files from specific directories (e.g., the download directory). SEP sesam provides a number of ways to set exclusions:

Exclude list in the GUI

When creating a backup task, you specify the source for your backup and define any files or patterns you want to exclude from the backup. Note that if the number of files to be excluded from the backup exceeds the allowed length for the exclude list, you should set up the exclusion as described in the section Create a custom exclude list on the client. Such a custom exclude list (e.g., -X C:/sesam/exclude_list.txt) takes precedence over any exclude list set in the GUI.

  1. From Main Selection -> Tasks -> By Clients, select your client and click New Backup Task. The New Backup Task window opens.
  2. Specify the Source. If you want to back up individual files, you can either browse for directories and files to include in the backup or enter their names followed by a comma (C:/Program Files/SEPsesam/var/db,C:\Users\AA\Documents\references). If you want to back up the entire file system, enter all as the source. If you only want to back up files that match a specific pattern, use the include list instead. Note that if you select the source by browsing, the task type and task name are set automatically. If you enter the source manually, you have to enter the task name and select relevant task type.
  3. In the Exclude list, specify the files or folders you do not want to back up in one of the following ways:
    Exclude using the browse button
    The easiest way to exclude specific files or folders from the backup is to use the large browse button (next to the fields Source and Exclude list) and select the source for the exclusion in the Client File View window. In our example, we have excluded logs and program files from the backup.
    Add files, file types or regular expressions in the Exclude list editor
    In the Exclude list editor, you can specify exclusions using regular expressions. On Windows, you can also use the option Pattern exclude, but on Linux it is only possible to exclude using regular expressions (RegExp exclude).
    Add the exclusion patterns one after the other, followed by a comma. For example, if you want to back up the source /usr but skip the *.tmp and old*.c files and all old* directories, add the following pattern in the editor: \.tmp$, /old.*\.c$, /old.*/$
    Note
    When creating exclude lists with regex, pay attention to which SEP sesam version you are using. As of Jaglion V2 SP1, it is possible to use separate excludes for files and directories, which can help in creating more selective excludes.
    • If an exclude ends with a trailing slash "/$" (e.g. .tmp/$), it is recognized as a regex for directory exclusion.
    • If there is no trailing slash "/" (e.g. .tmp) at the end, it is recognized as a regex for file exclusion.



    Click OK.

For more examples of exclusions using regular expression patterns, see Examples for Excluding Matched Patterns.

Note
Exclude using regular expressions is the default setting, but you can change it to use the file pattern (?,*) instead of regexp by modifying the configuration file <SESAM_VAR>/var/ini/sm.ini on the SEP sesam Client. In the config file sm.ini change the entry
EXCLUDE_MATCH= REGEXP to EXCLUDE_MATCH= PATTERN.

Create a custom exclude list on the client

You can specify a custom exclude list of items to be skipped during backup by creating a special file on SEP sesam Client. Typically, you would create a separate exclude file if the number of files or directories to be excluded for backup exceeds the allowed length for the exclude list (max. 1024 characters). Such a user-defined exclusion list takes precedence over an exclude list specified in the GUI (the latter is ignored if both are specified).

A custom exclude list must be a text file that is created on the SEP sesam Client on which the backup will be executed. The syntax for exclude entries is platform/OS dependent, see:

Once you have created the exclude file, for example exclude_list.txt, enter it in the backup task properties as follows:

Create or open the backup task, select the Options tab and under the Additional call arguments in the Backup options (previously Save options) field, enter the specified file in the form:

-X C:/sesam/exclude_list.txt 

Exclude list on Linux

Create the exclude file on the client in the directory /etc/sesam, for example /etc/sesam/exclude_list.txt. The following rules apply:

  • Each file or directory you want to exclude from the backup must be specified on a separate line (one entry per line).
  • Wildcards are not supported.
  • The exclusion entries have to be set up using regular expression syntax.

This is an example of the exclude_list.txt on Linux:

 \./tmp$
 \./home/John Doe/videos.zip$
 \./home/John Doe/Business Documents/YearEnd Closing for business year 2006$

Exclude list on Windows

Create the exclude file on the client in the directory C:\Program Files\SEPsesam\var\ini, for example exclude_list.txt. The following rules apply:

  • Use only / (slash) in the exclude file and NOT \ (backslash).
  • Each file or directory you want to exclude from the backup must be specified in a separate line (one entry per line). This also applies to paths that contain spaces.


This is an example of the exclude_list.txt file on Windows:

D:/DOWNLOAD
D:/PREKITS
D:/Dev
D:/kit_2_3_1_7
D:/kit_2_3_1_5
D:/knoppix
D:/ACHIM
D:/gui

Exclude list for Micro Focus OES (formerly Novell OES)

Create the exclude file on the client in the directory /etc/sesam, for example /etc/sesam/exclude_list.txt. The following rules apply:

  • Each file or directory you want to exclude from the backup must be specified in a separate line (one entry per line).
  • Use only the pattern format for exclude.
  • Wildcards are allowed in the file or directory entries.
  • A folder to be excluded must end with a / (slash).


This is an example of the exclude_list.txt file:

/media/nss/VOL1/tmp/
/media/nss/VOL1/USR/*/Notes/Workspace/
/media/nss/VOL1/data/do_not_backup.txt

For example, /media/nss/VOL1 is set as the source in the backup task. This means that all of VOL1 will be backed up, except for the items in the exclusion file specified by the following entry in the backup task properties -> Options tab -> Backup options (previously Save options) field:

 -X /etc/sesam/exclude_list.txt

SEP sesam will exclude all files and directories from the backup that are listed in the file.

Creating a special file nosbc to permanently exclude a directory

You can permanently exclude a directory from all backups on the client by creating a special file in the directory itself – this file is called .nosbc on Unix or nosbc on Windows. By creating such a file in the directory, the directory will not be backed up, even if it is included in the specified source.

This behavior can be switched off for a specific backup task by entering the -o noexcl switch in the backup task properties, tab Options -> Backup options.

Using sm.ini to completely exclude files from backups on the client

You can use the central SEP sesam config file sm.ini to specify the files on the client that should never be backed up. The advantage of this method is that you can exclude files or directories from all backups performed on the respective client.

The default location of the sm.ini file is <SESAM_ROOT>\var\ini\sm.ini.

To define the exclusions for the client, open the sm.ini file and, under the [SBC_EXCLUDE] section, enter one parameter per line.

  • On Linux, use regular expressions to define the exclusions in sm.ini. Note that as of Jaglion V2 SP1, it is possible to use separate excludes for files and directories.
    • If an exclude ends with a trailing slash "/$" (e.g. .tmp/$), it is recognized as a directory exclude regex.
    • If there is no trailing slash "/" (e.g. .tmp) at the end, it is recognized as a file exclude regex.
    The following example shows the pattern for excluding the directories /dev, /mnt and /media from backup for versions ≤ Jaglion V2. For versions newer than Jaglion V2, a directory to be excluded must end with a / (trailing slash).
    [SBC_EXCLUDE]
    ExcludePattern1=\./mnt$
    ExcludePattern2=\./dev$
    ExcludePattern3=\./media$

    Note
    The ExcludePattern900 and higher exclude parameters are used for SEP sesam specific exclusion patterns. To define your own exclusion patterns, use the parameters ExcludePattern1 to ExcludePattern899.
  • On Windows, use file patterns to define the exclusions in sm.ini. This allows you to exclude files that match the specified names or paths (note that <file_name> can also contain wildcard characters, e.g., * and ?).
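The rules above for Linux exclude regexes (no wildcards, trailing "/$" for directories, ExcludePattern1 to ExcludePattern899 for your own entries) can be checked before a pattern silently drops data from a backup. The following is an added example, not SEP sesam code; the same checks apply to the lines of a Linux exclude_list.txt. It assumes Python's re syntax, search-style matching and "./"-prefixed paths with directories ending in "/", and that an excluded directory also excludes its contents; the sm.ini fragment and the paths are constructed.

```python
import configparser
import re

USER_RANGE = range(1, 900)  # ExcludePattern1..899 are for your own patterns

# Constructed sm.ini fragment and constructed client paths (directories end in "/").
SM_INI = r"""
[SBC_EXCLUDE]
ExcludePattern1=\./mnt$
ExcludePattern2=\./media/$
ExcludePattern3=*.tmp
ExcludePattern4=.tmp
ExcludePattern950=\./scratch/$
"""
SAMPLE_PATHS = [
    "./mnt/", "./media/", "./media/usb/photo.jpg",
    "./var/cache/a.tmp", "./home/jo/stmp_notes.txt", "./scratch/",
]


def load_patterns(ini_text):
    """Return [(number, pattern)] from the [SBC_EXCLUDE] section, sorted by number."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep the key's original case
    cp.read_string(ini_text)
    found = []
    for key, value in cp["SBC_EXCLUDE"].items():
        m = re.fullmatch(r"ExcludePattern(\d+)", key)
        if m:
            found.append((int(m.group(1)), value.strip()))
    return sorted(found)


def dirs_of(path):
    """Directories that contain `path`, plus `path` itself if it is a directory."""
    parts = path.rstrip("/").split("/")
    stop = len(parts) + 1 if path.endswith("/") else len(parts)
    return ["/".join(parts[:i]) + "/" for i in range(2, stop)]


def excluded_by(compiled, path):
    """Numbers of the patterns that would exclude `path` under the assumed matching."""
    hits = []
    for num, kind, rx in compiled:
        if kind == "dir":
            if any(rx.search(d) for d in dirs_of(path)):
                hits.append(num)
        elif not path.endswith("/") and rx.search(path):
            hits.append(num)
    return hits


def audit(ini_text, paths):
    """Return (findings per pattern number, patterns hitting each sample path)."""
    findings, compiled = {}, []
    for num, pat in load_patterns(ini_text):
        notes = findings.setdefault(num, [])
        if num not in USER_RANGE:
            notes.append("number 900+ is reserved for SEP sesam's own patterns")
        try:
            rx = re.compile(pat)
        except re.error as exc:
            notes.append(f"not a regular expression ({exc.msg}); wildcards are not supported")
            continue
        # Jaglion V2 SP1 rule from the page: trailing "/$" = directory, otherwise file.
        compiled.append((num, "dir" if pat.endswith("/$") else "file", rx))
    coverage = {p: excluded_by(compiled, p) for p in paths}
    for num, kind, _ in compiled:
        if not any(num in hits for hits in coverage.values()):
            hint = " (a directory exclude must end in /$)" if kind == "file" else ""
            findings[num].append("matches no sample path" + hint)
    return findings, coverage


if __name__ == "__main__":
    findings, coverage = audit(SM_INI, SAMPLE_PATHS)
    for num, notes in findings.items():
        for note in notes:
            print(f"ExcludePattern{num}: {note}")
    for path, hits in coverage.items():
        print(f"{path:28} excluded by {hits or 'nothing'}")
```

In the sample, the pre-SP1 style entry \./mnt$ no longer excludes the /mnt directory, while the unanchored .tmp also drops stmp_notes.txt from the backup.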

Enforcing Full Backup

SEP sesam offers different types of backup, called backup levels, which allow you to define the level of data that is copied from the source to the destination. There are four different backup levels in SEP sesam: full, differential, incremental, and copy. The backup level is specified when creating a backup event in the Main Selection -> Scheduling -> Schedules -> New Backup Event.

Incremental and differential backups are typically used to reduce storage space as they only save the data created or changed after the last FULL backup (DIFF backup) or after the last backup (INCR backup) – whether FULL, DIFF or INCR – of the same task. A saveset created as FULL is the base saveset for all subsequent DIFF or INCR savesets, therefore you have to perform FULL backups regularly to ensure that you can at any point revert to the previous versions.

For example, an INCR backup that was taken after the third INCR after FULL requires the FULL, the first, the second, and the third INCR to allow a full restore. If a saveset is missing from the backup chain, you will not be able to recover your data to a specific point in time.

Regardless of the backup level specified in the backup event, a backup may run as FULL (or DIFF) if one of the following conditions – explicit (option Enforce FULL) or implicit (ensure a valid backup chain) – is triggered.

  1. By enabling the Enforce FULL option when creating INCR and DIFF backup events, you can ensure that a FULL backup is run within the specified interval; see section Enabling the Enforce FULL option in the GUI.
  2. SEP sesam has a built-in mechanism to ensure that your chain of backup savesets always has the last full backup available. It automatically maintains control over the dependencies between savesets and provides dependency-based automatic retention. For details, see the section Conditions for performing a FULL backup instead of a DIFF/INCR.

Enabling the Enforce FULL option in the GUI

For details on creating a backup event, see Creating a Backup Event. This section only provides information related to the option Enforce FULL.

  1. From Main Selection -> Scheduling -> Schedules, right-click the schedule for which you want to create a new event, then click New Backup Event. If you have already created a backup event, select the relevant schedule and then double-click the backup event to open its properties. The Parameter dialog opens automatically.
  2. Under Object, select the task for which you are creating this backup event from the drop-down list.
  3. Under Parameter, set the Backup level: select DIFF or INCR. You should consider the advantages of each backup level (regarding time and resources required to store and restore your data) when planning your backup strategy.
    Note
    If no initial FULL backup exists, differential (DIFF) or incremental (INCR) backups are automatically performed as FULL backups.
  4. Once your backup level is set to DIFF or INCR, you can enable the Enforce FULL option. This option ensures that a FULL backup is performed within the specified interval. For example, setting the number to 7 will enforce a full backup every seven days instead of an incremental or differential backup if the scheduled full backup fails. This ensures that a full backup is always performed within the specified time interval, in our example, once a week. You should consider the advantages and disadvantages of enforced full backup frequency, as it is slower than other backup levels and requires the most storage space.
    If the value is set to 0, the system checks each time a backup is performed whether the last FULL backup was successful or ran with a warning. If the last FULL backup was terminated or ran with an error, the DIFF/INCR backup to be started is automatically executed as a FULL backup.

Conditions for performing a FULL backup instead of a DIFF/INCR

In addition to the option Enforce FULL, which can be activated manually in the GUI (see section above), there are also specific circumstances that will automatically trigger a full backup. SEP sesam performs a FULL backup instead of a DIFF/INCR when the following happens:

  • copy_reformat_lis failed
    For example, if *.lis files cannot be transferred from RDS to SEP sesam Server. *.lis files contain information about the backup's unique files; once the backup is finished, these files have to be copied from RDS to the SEP sesam SESAM_VAR/lis directory as this data is needed for a selective restore.
  • The previous backup chain (FULL–DIFF–INCR) is not complete
    For example, if the EOL of a saveset is gone or a saveset is missing, SEP sesam will enforce a FULL backup. For more details on retention behavior and the different EOL parameters, see Automatic Retention (EOL) Management.
  • DIFF/INCR backup has failed, FULL may be enforced for some specific task types
    This behavior depends on the task type. A failed DIFF/INCR may enforce FULL for IBM Domino (LotusNotes), IMAP, Exchange, GroupWise, KOPANO, Citrix XEN, and Hyper-V, while a failed INCR (transaction log backup) may enforce DIFF (cumulative) for MS SQL Server and SAP_ASE.
  • A subtype of a VMware backup task was changed after a FULL backup
    For example, if a VMware FULL backup used the Backup as Image option (enabled by default, subtype "_IMG"), it performed a FULL raw backup of VMDK without CBT. If the subtype was changed manually, this may break the backup chain. Therefore SEP sesam enforces a full backup to create a new initial full backup saveset that is unchanged and can act as the base for subsequent differential and incremental backups. For details on the available backup options, check VMware backup.
  • Exchange Server validating backup integrity by using CHKSGFILES
    CHKSGFILES is used to verify the data before performing a backup to ensure that the databases to be backed up are not corrupted. If sm_reformat_lis fails for DIFF/INCR (*.lis files were not retrieved/read), the next run of a backup job is FULL.
  • A backup task is renamed or copied
    SEP sesam must be able to recognize the renamed or copied backup task as a new backup task and not as a continuation of the previously renamed task. Therefore such a newly created task is automatically executed as FULL.

Backup on the Remote Device Server

Generally speaking, all data of the clients in the Chemnitz location (backed up onto media in the media pool PoolChemnitz) is only moving on the net segment of that particular site. Therefore, no data is transported to the SEP sesam Server over WAN.

To test this, set up a test backup task in the SEP sesam GUI (Main Selection -> Tasks -> By Clients -> New Backup Task) that will perform a quick self-backup of the SEP sesam RDS (directory /etc) to the storage mounted on RDS. For details, see Creating a Backup Task.

Once you have configured a test backup, start it:

  1. In the Main Selection -> Tasks -> By Clients, right-click the test backup task and select Immediate Start.
  2. In the Immediate Start:Backup window, select the Media pool referring to the data store you have previously configured on RDS, in our example, PoolChemnitz and click Start.
    Tip: You can view the status of your backup jobs in the SEP sesam GUI -> Main Selection -> Last Backup State. As of 4.4.3 Beefalo V2, you can also check the details of your backups online by using the new Web UI. For details, see SEP sesam Web UI.

    You can also schedule your test backup. For details, see Creating a Schedule.

Now your RDS is configured and ready to use.

Note: Make sure that you follow the general recommendations and configure the required exclusions in your antivirus product, and ensure that antivirus scans are not scheduled during backup operations.


Part VIII: Scheduling

Creating a Custom Calendar

SEP sesam provides flexible scheduling features to customize how and when your events are processed. By using the User defined option of a schedule, you can create a calendar that is customized according to your country- or company-specific requirements.

For example, you can define a calendar with specific days on which you want to perform special job executions, such as backup and migration. You can also define specific dates on which scheduled jobs are prevented from running: set up a custom calendar of public holiday dates for each year and link events with the Blocking date option to it to stop scheduled jobs from running during holidays.

You can create as many custom calendars as you need. A custom calendar can be defined for a limited period of time, e.g., for one year if the holidays and other specific dates are entered only for the next year, for several years, or for an unlimited time.

When creating a calendar, you can change the month or year in a calendar by clicking the single arrow (at the top/right corner of the calendar) for selecting a month or the double arrow for selecting a year.

After entering a calendar name and saving a calendar, you can switch to a calendar table view by selecting the Table View option. This view provides an overview of all your events, i.e., event start/end date and whether the event is active or not. You can add a new event by clicking the Add Event button (below the Events table). You can also modify and delete an existing event by double-clicking it (or selecting it and clicking Change Event/Delete Event button).

Note that you can simply modify, import, export, and delete your custom calendar, as described in the section Managing custom calendars.

Setting up a custom calendar

To create a custom calendar with dates on which you want to run additional jobs or prevent scheduled jobs from running, proceed as follows:

  1. From Main Selection -> Scheduling -> Schedules, click New schedule. The New Schedule window appears.
  2. The Execution is enabled by default. If you select the Execution off option, all events that are linked to this schedule will be deactivated.
  3. Specify the start time for the schedule in the Start field. By default, the current date is already entered. In the next field, specify the start time, e.g., 18.30. The schedule will be activated after the specified date and time. If you want your schedule to be valid only for a limited period of time, use the Expiration date option.
  4. In the table with the tabs for the different time parameters (Once, Daily, Weekly, Monthly, Yearly, User Defined), click the User Defined tab and then click the New button below the Calendar name field. The New Calendar dialog is displayed.
  5. In the Name field, enter the name for your custom calendar. You can add calendar events either by single-clicking the days you want to include in your calendar or by double-clicking the desired date to open the Change event dialog. In the Change event dialog you can write a description in the Event field, expand the date range to several days, and choose the start and end time of the event. Deselecting the Active check box will deactivate the calendar event. Click OK to add the calendar event to the calendar.
  6. After adding all calendar events needed for the calendar, save your custom calendar by clicking the Create Calendar button.
  7. Under Advanced settings you can further refine your schedule.
    • To define the maximum allowed startup time (the amount of time an event can be in the queue), specify the startup time in days and/or hours in the Start time frame field. The actual event startup depends on the processor load of the system. At the starting time of the event, every event is forwarded into the queue, where it might wait until jobs with a higher priority are finished. For jobs with the same priority, the FIFO rule (first in, first out) applies. If the event cannot be executed within this specified time frame, it will not be executed at all.
    • You can also specify the time frame for the event to be repeated. Select the Repeat task check box and then specify the repetition cycle to repeat the event every n hours or minutes. Use the For a duration of field to specify the duration of the repeated event in days and/or hours.
    • To specify the time frame after which the scheduled event will be cancelled, select the check box in front of the option Stop task if runs longer than and set the amount of time (days and/or hours) after the event's scheduled start time at which the event will be cancelled.
    • Select the Expiration date check box if you want your schedule to be valid only for a limited period of time, e.g., until the end of the year. Then specify the date of schedule suspension. The schedule will be deleted after the Expiration date criterion is met. By default, this option is disabled and the schedule will be repeated in perpetuity.
  8. Click OK to save the schedule.

You can access all your configured schedules and events under Scheduling in the Main selection pane. Depending on the purpose of creating an event for a custom calendar, select one of the following procedures:

  • Create an event for running additional jobs on specified dates
  • Create an event to prevent scheduled jobs from running on specified dates

For general details on how to create the SEP sesam events, see Schedules Overview.

Create an event for running additional jobs on specified dates

You have to create the event(s) you want to run on the dates set by your newly created schedule:

  1. Select the schedule and right-click it. Then select the event type you want to add, for example backup, and click New Backup Event.
  2. Under Sequence control, set up the Priority of your event. SEPuler always executes the schedules with the highest priority first. The default priority level is 1, which is the lowest priority (the highest priority is 99). The only exception is schedules with priority 0, which override all other priorities and are always executed. For details, see event priorities.
  3. Under Object, select the task or task group to which you want to link this event. Then click OK to save the event.

Create an event to prevent scheduled jobs from running on specified dates

You have to create the event(s) you want to prevent from running on the dates set by your newly created schedule:

  1. Select the schedule and right-click it. Then select the event type you want to add, for example backup, and click New Backup Event.
  2. Under Sequence control, set up the Priority of your exclude event. SEPuler always executes the schedules with the highest priority first. The default priority level is 1, which is the lowest priority (the highest priority is 99). The only exception is schedules with priority 0, which override all other priorities and are always executed. For details, see event priorities. Then select the Blocking date check box. Make sure that this option is used together with a high priority that prevails over the priority of the event you want to block.
    Note: The Blocking date option is used to prevent the activation of certain events on specific days (e.g., end of year, holidays) or to prevent the execution of other jobs related to the same object only within the specified hours. For details on the latter, see Special Schedules.
  3. Under Object, select the task or task group to which you want to link this event. Then click OK to save the event.

Managing custom calendars

You can modify, import, export, and delete your SEP sesam calendar(s). You can only manage one calendar at a time.

  1. From Main Selection -> Scheduling -> Schedules, double-click the calendar-related schedule, e.g., bank_holidays.
  2. In the table providing selection of different time parameters tabs (Once, Daily, etc.), click the User Defined tab.
  3. From the Calendar Name drop-down list, select the target calendar. Depending on what you want to do with it, select one of the following options:
    • Change: Enables you to modify an existing calendar or change its specific events. The procedure is the same as when you create a new calendar, see above section Setting up a custom calendar.
    • Delete: Delete the calendar. If the calendar is still being used by another schedule, you will receive a message.
    • Import: Enables you to add an existing online calendar (iCalendar) to your SEP sesam custom calendars by importing it. This way you can easily add a country's or region's holidays (that are already defined in some other online calendar) to your list of calendars without having to manually create each holiday/event. To import the calendar, in the file browser select the .ics calendar file that contains the events you want to import and click Open. Note that it may take some time to load the imported calendar.
    • Export: Enables you to use the SEP sesam calendar in other applications, such as Google and Apple Calendar. To export the calendar, in the file browser select the directory where you want to save your exported calendar. Optionally, change the name of your exported file. By default, a calendar is exported as an .ics file. You can also copy all events from one SEP sesam calendar to another by exporting and then importing a calendar.


Special Schedules

SEP sesam establishes schedules as a framework to which you link different events, such as backup, migration, replication, etc. A schedule defines the recurrence of an event and can be executed in minutes, hours, days, months or years. All schedules and related jobs are configured and run in the time zone of the SEP sesam Server. For more details on scheduling concepts, see SEPuler – an event calendar.

SEP sesam also provides options to prevent activation of individual events on certain days, such as holidays, and at certain hours:

  1. SEP sesam scheduling includes the User defined option, which allows you to quickly and easily create a custom calendar where you can specify the dates on which you want to run additional jobs or prevent certain jobs from running. For details, see Creating a Custom Calendar.
  2. Once your custom calendar is set up, create the desired event for it. Use the option Blocking date in the Event properties to prevent a job from being run. Such an event is called a blocking event: any type of event with a higher priority that obstructs another event of the same type and prevents it from being activated. It can be specified to prevent the activation of a certain event on certain days or hours. The latter example is shown below. For general information on configuring a schedule and linking an event to it, see Standard Backup Procedure, steps 2 and 3.

Configuring a blocking event only for the specified hours

A blocking event is created during the configuration of an event or later in the event properties. It is used to prevent the activation of certain events on specific days (e.g., end of year, holidays). It can also be configured to prevent the execution of other jobs related to the same object only within the specified hours.

Note: By default, a blocking event suppresses any job with the same task name on the relevant day (SEP sesam backup day), regardless of whether it is scheduled to be run before, during or after the blocking event.

If you want to set the blocking event to apply only within the specified hours, you must perform some special steps. If you are configuring a blocking event that applies to an entire SEP sesam backup day (default), see Creating an Event.

To enable the blocking event within the specified hours, the SEP sesam database table defaults must contain an entry suppress_with_timerange with the value yes. Without this entry the blocking event prevents related jobs from being activated for the entire sesam day!

  1. Set a SEP sesam profile as described in FAQ: What happens when I set a profile.
  2. Once you set the profile, add the following to the SEP sesam database via the command line:

    sm_db "INSERT INTO defaults (key,user_name,value) VALUES ('suppress_with_timerange','sesam','yes');"

  3. The following scenario assumes that you have already defined an hourly-scheduled backup for ORACLE with the command event Oracle_all and event priority 1 (default). Now you want to disallow execution from noon till 2 pm. To do this, you need to create another schedule, e.g., block_ORACLE_1200-1400. For details, see Creating a Schedule. In this schedule you set the recurrence as:
    • weekly execution, from Monday to Friday
    • starting time 12:00, duration 2 hours
  4. You need to link your newly created schedule, in our example block_ORACLE_1200-1400, to the same command event as mentioned above, e.g., Oracle_all (right-click the schedule and select New Command Event). Browse for the existing event (e.g., Oracle_all) and set the priority to a higher value. Note that this event's priority must be higher than the priority of the linked event. Then enable the Blocking date option.


If you want to use this function with a regular backup job, keep in mind that the blocking event must refer to the same task name as the backup event.


Part IX: SEP sesam Operation in the Network

Backup over an alternate network

Your license must first be modified to match the new server name and/or IP address. Send the original license, the new server name, and the IP address to info@sep.de.

When you receive the new license information, you can change the SEP sesam Server name using sm_setup.

  1. Set the SEP sesam profile and enter the following command:

    sm_setup change_servername <mynewserver>

  2. After executing the command, check the interfaces of the renamed SEP sesam Server: Main selection -> Components -> Clients -> double-click the server (Client) to open its properties. In the Interfaces field, manually remove the old interfaces and enter the new interfaces for http and https.

Configuring SSL Secured Communication for SEP sesam Backup Network

SEP sesam uses the SSL (Secure Sockets Layer) protocol to authenticate identities and to encrypt and securely transfer data. SSL requires certificates to authenticate clients and establish a secure and trusted communication channel between SBC (sesam backup client) and STPD (sesam Transfer Protocol Server), thus preventing unauthorized access from clients to STPD. The SEP sesam backup environment is protected with self-signed certificates, based on OpenSSL. SEP sesam does not provide certificates by default; they have to be created by an administrator and copied to the clients and RDSs in the backup network.

  1. Create self-signed root Certificate Authority (CA) on the SEP sesam Server
  2. Create server and client certificates on the SEP sesam Server and copy them to server and clients
  3. Generate and copy server certificate for each RDS
  4. Edit configuration file on each client and server or RDS
  5. In case a client certificate cannot be trusted anymore, revoke the certificate.
  6. Call a function on SEP sesam Server to get authorization.

Directory structure for the SSL certificates

The following directory structure is used for storing the SSL certificates and related parameters:

What | Where
--- | ---
SEP sesam configuration files: sm.ini and stpd.ini | /var/opt/sesam/var/ini
Root SSL certificate and master key: rootCA.pem and rootCA.key | /var/opt/sesam/var/ini/ca
Generated client certificate and key: client.pem and client.key | /var/opt/sesam/var/ini/x.509
Generated server certificate and key: server.pem and server.key | /var/opt/sesam/var/ini/ssl

Steps

Creating self-signed root Certificate Authority (CA) on the SEP sesam Server

  1. On the SEP sesam Server, remove any old self-generated SSL keys from

    /var/opt/sesam/var/ini/ssl

  2. Then create directories /ca and /x.509 to store your keys and certificates:

    /var/opt/sesam/var/ini/ca
    /var/opt/sesam/var/ini/x.509

  3. To create the root certificate, run the sm_ssl_cert ca command line utility as shown:

    /opt/sesam/bin/sms/sm_ssl_cert ca
    

In the folder /var/opt/sesam/var/ini/ca, the process creates two files:

  • A master key, also known as rootCA.key; keep this key private as it is needed for generation of new server and client certificates and is the basis of trust for all your certificates.
    Note: After generating server and client keys, you should remove the rootCA.key from the server and keep it in a safe place.
  • A root SSL certificate rootCA.pem; it is used to verify existing server and client certificates. Make sure that the root CA has a long expiry date. Once it is expired, all certificates signed by it become invalid. This certificate must be present on all clients connecting to servers signed with the CA certificate.

Once you have created the CA certificate and key, you can create and sign certificates.

Creating server and client certificates on the SEP sesam Server

  1. First, you have to create the server certificate on the SEP sesam Server:

    /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<hostname>

    where <hostname> must be the same as the name specified in the interface settings in GUI (Main Selection -> Components -> Topology -> Clients, <server_name> -> field Interfaces).

    You can also use the IP address for <hostname> or use an * (asterisk) in the hostname, e.g., *.serverdomain.com or 192.168.1.*. Multiple server or domain names must be separated by a comma, e.g.:

    /opt/sesam/bin/sms/sm_ssl_cert server --common-name=myserver,myserver.domain.com

    Once done, there are two new files in the folder /var/opt/sesam/var/ini/ssl:

    server.pem
    server.key

  2. For each server, copy the files as follows:
    • copy rootCA.pem to /var/opt/sesam/var/ini/ca
    • copy client.pem to /var/opt/sesam/var/ini/x.509
    • copy client.key to /var/opt/sesam/var/ini/x.509
  3. Then, create the client certificate on the SEP sesam Server:

    /opt/sesam/bin/sms/sm_ssl_cert client

    Optionally, you can create client.pem/client.key with a unique subject field by using:

    /opt/sesam/bin/sms/sm_ssl_cert client --oid={options}

    {options}: comma separated list of

       C:{country_name}             - country name
      CN:{common_name}              - common name
      DQ:{dn_qualifier}             - dn qualifier
      GN:{given_name}               - given name
      GQ:{generation_qualifier}     - generation qualifier
       I:{initials}                 - initials of some or all of an individual's names, but not the surname(s)
       L:{locality_name}            - locality name
       N:{name}                     - name
       O:{organization_name}:       - organization name
      OU:{organizational_unit_name} - organization unit name
       P:{pseudonym}                - pseudonym
      PC:{postalcode}               - postalcode
       S:{surname}                  - surname
       T:{title}                    - title

    Once done, there are two new files in the folder /var/opt/sesam/var/ini/x.509:

    client.pem
    client.key

  4. For each client, copy the files to it as follows:
    • copy rootCA.pem to /var/opt/sesam/var/ini/ca
    • copy client.pem to /var/opt/sesam/var/ini/x.509
    • copy client.key to /var/opt/sesam/var/ini/x.509

Generating and copying server certificates for each RDS

If you want each RDS to have its own server certificate, you have to generate a server certificate for each RDS. In this case, the SEP sesam Server and every RDS have their own server certificate signed with the same self-signed root CA. This configuration allows you to back up a client either to the SEP sesam Server or to any RDS.

  1. To generate a server certificate for each RDS, run the following command:

    /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<RDS_hostname> --path=<RDS_server_certificate_path>

  2. Copy the generated server.pem and server.key files from <RDS_server_certificate_path> to each RDS into the folder /var/opt/sesam/var/ini/ssl.
  3. Copy rootCA.pem to each RDS into the folder /var/opt/sesam/var/ini/ca.

Note: All generation is performed only on the server.

Edit configuration file on each client and server or RDS

On SEP sesam Client
  1. Locate the /var/opt/sesam/var/ini/sm.ini file on the SEP sesam Client. Open the sm.ini file using a text editor and set the following:

    [SBC_SSL]
    SBC_CLIENT_SSL_AUTH=1   #For client-side verification
    SBC_SSL_SERVER_VERIFY=1 #For server-side verification

  2. Once you have changed the settings, save your changes and restart the client for the changes to take effect.

On SEP sesam Server or RDS
  1. Locate the /var/opt/sesam/var/ini/stpd.ini file on the SEP sesam Server. Open the stpd.ini file using a text editor and set the following:

    [STPD_Server]
    STPD_HTTPS_USE_CLIENT_CERT=2 #Possible values: 0: Do not validate
                                 #                 1: Validate but show warning
                                 #                 2: Validate and show error

  2. Once you have changed the settings, save your changes and restart the server for the changes to take effect.

Revoking client certificate

If a client certificate cannot be trusted anymore (e.g., it was leaked), it is important to invalidate it. If the certificate was leaked and malicious clients are using it, the server needs a way to identify the invalid certificate and prohibit clients from connecting with it. One option is to use Certificate Revocation Lists (CRLs). A CRL is a list of all invalid certificates.

To add a client certificate (client.pem) to the CRL, proceed as follows:

  1. Create the directory:

    /var/opt/sesam/var/ini/revoked

  2. Create the Certificate Revocation List (CRL) on the server:

    /opt/sesam/bin/sms/sm_ssl_cert revoke --certificate="/var/opt/sesam/var/ini/x.509/client.pem"

    Note: Certificate Revocation List creation works only on Linux. On Windows, the problem appears to be an old (probably custom-built/configured) version of the GnuTLS library. To create a CRL file on Windows, you have to download GnuTLS from the GnuTLS FTP server.

    Two files will be created in /var/opt/sesam/var/ini/revoked:

    crt
    certs.pem

  3. In case of RDS configuration, also copy the following to the RDS PC:

    crt ==> /var/opt/sesam/var/ini/revoked
    
Example

If a client with revoked certificate tries to connect to a server:

2016-08-30 18:05:01: sbc-3536: Info:     # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-30 18:05:01: sbc-3500: Info:     Verify SSL Server Cert: 1
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: URL: https://SEP-RDSWin10:11443
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL integrity check enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL client authentication is enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: BSACreateObject: Error:  GNUTLS_CERT_REVOKED
20160830 18:05:01.709 [3428] ConnectionHandlerCb:: new connection
20160830 18:05:01.709 [3428] ConnectionHandlerCb:: Call connection callback
20160830 18:05:01.710 [3428] SSLConnectionCb:: Starting SSL connection
20160830 18:05:01.710 [3428] SSL mode. Checking for client certificate
20160830 18:05:01.731 [3428] SSL error: Error:  GNUTLS_CERT_REVOKED

At the same time, another client with a different client.pem/client.key tries to connect to the server:

2016-08-30 18:06:33: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  URL: https://SEP-RDSWin10:11443
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-30 18:06:33: sbc-3007: Info:    Operation successful.
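
Log lines like the ones above can be triaged automatically. The following Python example is added here and is not SEP sesam code: it groups client (sbc) lines into sessions, reads the logged SSL settings and GnuTLS status flags, labels each session, and lists the server-side (stpd) rejections. The sample log is constructed from the format shown on this page, backup.example is a placeholder host, and the verdict names are this example's own.

```python
import re

# Client (sbc) and server (stpd) line layouts as they appear in the logs on this page.
SBC_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): sbc-(\d+): (\w+):\s+(.*)$")
STPD_LINE = re.compile(r"^(\d{8} \d\d:\d\d:\d\d\.\d{3}) \[(\d+)\] (.*)$")
GNUTLS_FLAG = re.compile(r"GNUTLS_CERT_[A-Z_]+")

# Constructed sample: four client sessions plus the matching server-side lines.
SAMPLE_LOG = """\
2016-08-30 18:05:01: sbc-3536: Info:     # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: URL: https://backup.example:11443
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL integrity check enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL client authentication is enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: BSACreateObject: Error:  GNUTLS_CERT_REVOKED
20160830 18:05:01.710 [3428] SSL mode. Checking for client certificate
20160830 18:05:01.731 [3428] SSL error: Error:  GNUTLS_CERT_REVOKED
2016-08-30 18:06:33: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  URL: https://backup.example:11443
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-30 18:06:33: sbc-3007: Info:    Operation successful.
2016-08-30 18:07:10: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:07:10: sbc-3502: Info:    XBSA:  URL: https://backup.example:11443
2016-08-30 18:07:10: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-30 18:07:10: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-30 18:07:10: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-30 18:07:10: sbc-1156: Error:   Operation failed!
20160830 18:07:10.880 [3428] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-30 18:08:00: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:08:00: sbc-3502: Info:    XBSA:  URL: https://backup.example:11443
2016-08-30 18:08:00: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-30 18:08:00: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-30 18:08:00: sbc-3007: Info:    Operation successful.
"""


def parse_client_sessions(text):
    """Group sbc lines into sessions; the XBSA banner (sbc-3536) opens a new one."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SBC_LINE.match(line)
        if not m:
            continue  # stpd lines, '...' elisions and blank lines
        ts, code, _level, msg = m.groups()
        if code == "3536" or cur is None:
            cur = {"start": ts, "url": None, "server_verify": None,
                   "client_auth": None, "flags": set(), "success": False}
            sessions.append(cur)
        if "URL:" in msg:
            cur["url"] = msg.split("URL:", 1)[1].strip()
        elif "SSL integrity check" in msg:
            # In the page's test runs, "disabled" appears with SBC_SSL_SERVER_VERIFY=0.
            cur["server_verify"] = msg.split()[-1] == "enabled"
        elif "SSL client authentication is" in msg:
            cur["client_auth"] = msg.split()[-1] == "enabled"
        elif msg.strip() == "Operation successful.":
            cur["success"] = True
        cur["flags"].update(GNUTLS_FLAG.findall(msg))
    return sessions


def verdict(session):
    """Label one session; the label names are specific to this example."""
    flags = session["flags"]
    if "GNUTLS_CERT_REVOKED" in flags:
        return "revoked-certificate"   # a certificate on the CRL was presented
    if "GNUTLS_CERT_SIGNER_NOT_FOUND" in flags:
        return "untrusted-signer"      # not signed by the expected root CA
    if flags:
        return "certificate-invalid"
    if session["success"]:
        one_sided = session["server_verify"] is False or session["client_auth"] is False
        return "ok-one-sided" if one_sided else "ok"
    return "incomplete"


def parse_server_rejections(text):
    """Return (timestamp, pid, flags) for every stpd 'SSL error' line."""
    rejected = []
    for line in text.splitlines():
        m = STPD_LINE.match(line)
        if m and "SSL error" in m.group(3):
            rejected.append((m.group(1), int(m.group(2)),
                             sorted(GNUTLS_FLAG.findall(m.group(3)))))
    return rejected


def triage(text):
    return [(s["start"], s["url"], verdict(s)) for s in parse_client_sessions(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
    for ts, pid, flags in parse_server_rejections(SAMPLE_LOG):
        print("stpd", ts, pid, ",".join(flags))
```

A revoked-certificate verdict means a certificate already on the CRL is still being presented, so the client that produced it is worth identifying; ok-one-sided marks sessions that succeeded while one direction of verification was switched off.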

Useful commands

curl -X "PUT" -F file=@c:\windows\system32\drivers\etc\hosts -H "XBSA-USER:SESAM_SECURE_AUTHENTICATION" -H  "XBSA-PASS:" \
-H "XBSA-TYPE:I" -H "XBSA-CWD:." -H "XBSA-STOR:TestBak.bak" -H "XBSA-QUIT" https://aoseredchuk-PC:11443 \
--key "c:\Program Files\SEPsesam\var\ini\x.509\client.key" --cacert "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" \
--cert "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" --ipv4 --tlsv1.0 --verbose

openssl s_client -connect aoseredchuk-PC:11443 -CAfile "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" \
-cert "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" -key "c:\Program Files\SEPsesam\var\ini\x.509\client.key"

openssl x509 -in "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" -noout -text

openssl x509 -in "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" -noout -text

Certificate testing

Test with correct certificates

Clients authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:00:45: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:00:46: sbc-3007: Info:    Operation successful.

Server authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:34:50: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
...
2016-08-29 15:34:52: sbc-3007: Info:    Operation successful.

Double authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:13: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:01:13: sbc-3007: Info:    Operation successful.

Test with wrong client.key/pem certificates

Clients authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:59: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:59: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:01:59: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:59: sbc-3005: Info:    Closing saveset.
2016-08-29 15:01:59: sbc-3310: Info:    Checksum (adler32): 1. (test)
2016-08-29 15:01:59: sbc-3052: Info:    Items processed correctly: [0]. Not processed or incorrectly processed items: [0]. (test)
2016-08-29 15:01:59: sbc-1156: Error:   Operation failed!
20160829 15:01:59.878 [16340] ConnectionHandlerCb:: new connection
20160829 15:01:59.878 [16340] ConnectionHandlerCb:: Call connection callback
20160829 15:01:59.879 [16340] SSLConnectionCb:: Starting SSL connection
20160829 15:01:59.879 [16340] SSL mode. Checking for client certificate
20160829 15:01:59.880 [16340] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
Server authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:33:05: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
...
2016-08-29 15:33:07: sbc-3007: Info:    Operation successful.
Double authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:46: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:01:47: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:47: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:01:47: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:47: sbc-3005: Info:    Closing saveset.
2016-08-29 15:01:47: sbc-3310: Info:    Checksum (adler32): 1. (test)
2016-08-29 15:01:47: sbc-3052: Info:    Items processed correctly: [0]. Not processed or incorrectly processed items: [0]. (test)
2016-08-29 15:01:47: sbc-1156: Error:   Operation failed!
20160829 15:01:46.987 [18740] ConnectionHandlerCb:: new connection
20160829 15:01:46.987 [18740] ConnectionHandlerCb:: Call connection callback
20160829 15:01:46.987 [18740] SSLConnectionCb:: Starting SSL connection
20160829 15:01:46.988 [18740] SSL mode. Checking for client certificate
20160829 15:01:46.989 [18740] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND

Test with wrong rootCA.pem certificates

Clients authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:28:21: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:28:26: sbc-3007: Info:    Operation successful.
Server authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:48:54: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
2016-08-29 15:48:57: sbc-3502: Info:    XBSA:  BSACreateObject: Client SSL certificate is missing or invalid
2016-08-29 15:48:57: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:48:57: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Client SSL certificate is missing or invalid
20160829 15:48:54.800 [2808] ConnectionHandlerCb:: new connection
20160829 15:48:54.800 [2808] ConnectionHandlerCb:: Call connection callback
20160829 15:48:54.801 [2808] SSLConnectionCb:: Starting SSL connection
20160829 15:48:56.218 [2808] SSL mode. Checking for client certificate
20160829 15:48:57.028 [2808] SSL error: Client SSL certificate is missing or invalid
Double authentication: [successful]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:49:56: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:50:03: sbc-3007: Info:    Operation successful.

Test with wrong rootCA.pem and client.key/pem certificates

Clients authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:44:50: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:44:53: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
20160829 15:44:50.877 [18796] ConnectionHandlerCb:: new connection
20160829 15:44:50.878 [18796] ConnectionHandlerCb:: Call connection callback
20160829 15:44:50.878 [18796] SSLConnectionCb:: Starting SSL connection
20160829 15:44:52.451 [18796] SSL mode. Checking for client certificate
20160829 15:44:53.158 [18796] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
Server authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:42:36: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
2016-08-29 15:42:39: sbc-3502: Info:    XBSA:  BSACreateObject: Client SSL certificate is missing or invalid
2016-08-29 15:42:39: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:42:39: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Client SSL certificate is missing or invalid
20160829 15:42:37.051 [11924] ConnectionHandlerCb:: new connection
20160829 15:42:37.052 [11924] ConnectionHandlerCb:: Call connection callback
20160829 15:42:37.052 [11924] SSLConnectionCb:: Starting SSL connection
20160829 15:42:38.363 [11924] SSL mode. Checking for client certificate
20160829 15:42:39.072 [11924] SSL error: Client SSL certificate is missing or invalid
Double authentication: [failed]
[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:41:39: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:41:42: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:41:42: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:41:42: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
20160829 15:41:39.831 [0728] ConnectionHandlerCb:: new connection
20160829 15:41:39.831 [0728] ConnectionHandlerCb:: Call connection callback
20160829 15:41:39.832 [0728] SSLConnectionCb:: Starting SSL connection
20160829 15:41:41.218 [0728] SSL mode. Checking for client certificate
20160829 15:41:41.927 [0728] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
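
In the test matrix above, a run with SBC_SSL_SERVER_VERIFY=0 still ends with "Operation successful" although the rootCA.pem is wrong. The following added example (not part of SEP sesam; the names Run, parse_runs and findings are chosen here) parses the client-side sbc log lines in the format shown above and flags runs that transferred data without verifying the server certificate or that ended in a certificate rejection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Client-side sbc lines copied from four of the test runs above (shortened).
SAMPLE_LOG = """\
2016-08-29 15:01:13: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:01:13: sbc-3007: Info:    Operation successful.
2016-08-29 15:28:21: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:28:26: sbc-3007: Info:    Operation successful.
2016-08-29 15:44:50: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:44:53: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:48:54: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
2016-08-29 15:48:57: sbc-3502: Info:    XBSA:  BSACreateObject: Client SSL certificate is missing or invalid
2016-08-29 15:48:57: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Client SSL certificate is missing or invalid
"""

# timestamp: message code: level: message text
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (sbc-\d+): (\w+):\s+(.*)$")
# The two certificate error texts that occur in the logs above.
TLS_ERR_RE = re.compile(
    r"GNUTLS_[A-Z_]+(?: GNUTLS_[A-Z_]+)*"
    r"|Client SSL certificate is missing or invalid")


@dataclass
class Run:
    started: str
    url: Optional[str] = None
    server_verify: Optional[bool] = None  # "SSL integrity check enabled/disabled"
    client_auth: Optional[bool] = None    # "SSL client authentication is ..."
    outcome: str = "unknown"              # successful / failed / unknown
    tls_error: Optional[str] = None


def parse_runs(text: str) -> List[Run]:
    """Split a client log into runs; each sbc-3536 banner starts a new run."""
    runs: List[Run] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # "..." elisions and lines in other formats
        ts, code, level, msg = m.groups()
        if code == "sbc-3536":
            runs.append(Run(started=ts))
            continue
        if not runs:
            continue
        run = runs[-1]
        if "URL:" in msg:
            run.url = msg.split("URL:", 1)[1].strip()
        elif "SSL integrity check" in msg:
            run.server_verify = msg.endswith("enabled")
        elif "SSL client authentication is" in msg:
            run.client_auth = msg.endswith("enabled")
        err = TLS_ERR_RE.search(msg)
        if err:
            run.tls_error = err.group(0)
        if err or level == "Error":
            run.outcome = "failed"  # a failure is never overwritten
        elif code == "sbc-3007" and run.outcome == "unknown":
            run.outcome = "successful"
    return runs


def findings(run: Run) -> List[str]:
    """Return the security-relevant observations for one run."""
    notes: List[str] = []
    if run.server_verify is False:
        if run.outcome == "successful":
            notes.append(
                "transfer succeeded without verifying the server certificate")
        else:
            notes.append("server certificate verification disabled")
    if run.tls_error:
        notes.append("certificate rejected: " + run.tls_error)
    return notes


if __name__ == "__main__":
    for r in parse_runs(SAMPLE_LOG):
        print(r.started, r.outcome, findings(r) or "ok")
```

The 15:28:21 run is the one to alert on: it is the only run that completes while the integrity check is disabled.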

List of Ports Used by SEP sesam

SEP sesam client-server communication requires certain TCP ports to be open so that SEP sesam components can communicate with each other through a firewall. Daemons are specific to the SEP sesam Client/SEP sesam Server/RDS installation and use different port numbers.

The required ports may be SEP sesam version-specific. As of version 4.4.3 Beefalo, SEP sesam uses fewer ports by default than in previous versions.

Ensure that all required ports are available on the system for SEP sesam daemons and are not blocked by a firewall; these ports must not be assigned to another service. If the required ports are not available, SEP sesam will not function correctly.

Additionally, you might need to open relevant network ports to ensure communication between SEP sesam Server or SEP sesam data mover and additional modules, e.g., VMware vSphere, NDMP, etc. A list of module-related ports can be found below in the section Module-related ports.

Used default ports

If a firewall is used, only the following TCP ports must be allowed for SEP sesam backup. SEP recommends SMSSH for secure control communication between SEP sesam Server and SEP sesam Clients/RDS and the HTTP protocol for data transfer from SEP sesam Client to SEP sesam device server. SMSSH and HTTP are the default protocols if no other protocol is specified in the client configuration and in the various events (backup/restore/migration etc.).

| Component/Description | Direction | Source port | Destination port | Protocol | Configuration in the GUI |
|---|---|---|---|---|---|
| SEP sesam Server | | | | | |
| SMSSH: Encrypted communication to the client | outbound | random | 11322 | TCP/SSH | Client properties -> Access Mode -> select SMSSH |
| Backup data over HTTP | inbound | random | 11000 | TCP/HTTP | Client properties -> Interfaces -> enter <http://hostname:11000> |
| SEP sesam Client | | | | | |
| SMSSH: Encrypted communication to the client | inbound | random | 11322 | TCP/SSH | Client properties -> Access Mode -> select SMSSH |
| Backup data over HTTP | outbound | random | 11000 | TCP/HTTP | Client properties -> Interfaces -> enter <http://hostname:11000> |
| SEP sesam Remote Device Server | | | | | |
| SMSSH: Encrypted communication to the client | inbound | random | 11322 | TCP/SSH | Client properties -> Access Mode -> select SMSSH |
| Backup data over HTTP | inbound | random | 11000 | TCP/HTTP | Client properties -> Interfaces -> enter <http://hostname:11000> |

SEP sesam complete ports list

The following is the complete list of ports used by SEP sesam. You only need to open the ports in your firewall that you use. If you decide to configure all control communication via SMSSH, you do not need to open CTRL port 11301 in the firewall.

Port numbers for SEP sesam Server

| Port number | Description | Configuration in the GUI/Example |
|---|---|---|
| 11301 | CTRL: Unencrypted communication to client | Client properties -> Access Mode -> select CTRL |
| 11322 | SMSSH: Encrypted communication to the client | Client properties -> Access Mode -> select SMSSH |
| 11001 | Data over FTP | Client properties -> Interfaces -> enter <hostname> or <ftp://<hostname>:11001> |
| 11000 | Data over HTTP | Client properties -> Interfaces -> enter <http://hostname:11000> |
| 11443 | Data over HTTPS | Client properties -> Interfaces -> enter <https://hostname:11443> |
| 11002-11007 | Port range for 3 parallel data transfers via FTP | Client properties -> Options tab -> Firewall Settings -> enter the port range in the STPD options |
| 11701+drive number | Replication and source-side deduplication (SDS) port | For example: if you replicate from dedup drive 2 (source) to RDS drive 5 (target), the port is 11703 (daemon on machine with drive 2); if you replicate from dedup drive 5 (source) to RDS drive 2 (target), the port is 11706 (daemon on machine with drive 5). |
| 11401 | GUI/WEB UI (RMI) listen port | |

Note
For external backups (BSR, SAP, Informix, MaxDB ...) the client must always be able to reach the SEP sesam Server via ports 11000 (for HTTP backups), 11443 (for HTTPS backups) and 11001 (for FTP backups), and not only the RDS. This must be taken into account in the firewall rules.

Port numbers for SEP sesam Remote Device Server

| Port number | Description | Configuration in the GUI/Example |
|---|---|---|
| 11301 | CTRL: Unencrypted communication to client | Client properties -> Access Mode -> select CTRL |
| 11322 | SMSSH: Encrypted communication to the client | Client properties -> Access Mode -> select SMSSH |
| 11001 | Data over FTP | Client properties -> Interfaces -> enter <hostname> or <ftp://hostname:11001> |
| 11000 | Data over HTTP | Client properties -> Interfaces -> enter <http://hostname:11000> |
| 11443 | Data over HTTPS | Client properties -> Interfaces -> enter <https://hostname:11443> |
| 11002-11007 | Port range for 3 parallel data transfers via FTP | Client properties -> Options tab -> Firewall Settings -> enter the port range in the STPD options |
| 11701+drive number | Replication and source-side deduplication (SDS) port | For example: if you replicate from dedup drive 2 (source) to RDS drive 5 (target), the port is 11703 (daemon on machine with drive 2); if you replicate from dedup drive 5 (source) to RDS drive 2 (target), the port is 11706 (daemon on machine with drive 5). |
| Additional ports for SEP sesam Remote Device Server with GUI | | |
| - | no incoming ports for GUI on RDS | |

Port numbers for SEP sesam Client

| Port number | Description | Configuration in the GUI/Example |
|---|---|---|
| 11301 | CTRL: Unencrypted communication to client | Client properties -> Access Mode -> select CTRL |
| 11322 | SMSSH: Encrypted communication to client | Client properties -> Access Mode -> select SMSSH |
| 11002-11007 | Port range for 3 parallel data transfers via FTP | Client properties -> Options tab -> Firewall Settings -> enter the port range in the STPD options |

Port numbers for SEP sesam GUI PC (not SEP sesam Server)

| Port number | Description | Configuration in the GUI/Example |
|---|---|---|
| - | no incoming ports to GUI PC | |
| Additional ports for SEP sesam GUI PC with installed SEP sesam Client | | |
| 11301 | CTRL: Unencrypted communication to client | Client properties -> Access Mode -> select CTRL |
| 11322 | SMSSH: Encrypted communication to the client | Client properties -> Access Mode -> select SMSSH |
| 11002-11007 | Port range for 3 parallel data transfers via FTP | Client properties -> Options tab -> Firewall Settings -> enter the port range in the STPD options |

Module-related ports

The following tables show the required network ports used for communication (connection or data transfer) between SEP sesam Server or SEP sesam data mover and extra modules.

Port numbers for VMware vSphere

| From | To | Description | Port number | Protocol |
|---|---|---|---|---|
| SEP sesam Server | vSphere (vCenter/ESXi) | Connection to vCenter Server or ESXi Server | 443 | HTTPS/TCP |
| SEP sesam data mover | vSphere (vCenter/ESXi) | Connection to vCenter Server or ESXi Server | 443 | HTTPS/TCP |
| SEP sesam data mover | ESXi server | Data transfer to ESXi host | 902 | TCP |

Port numbers for Citrix XenServer

| From | To | Description | Port number | Protocol |
|---|---|---|---|---|
| SEP sesam data mover | Citrix XenServer | Connection to Citrix XenServer | 443 | HTTPS/TCP |
| SEP sesam data mover | Citrix XenServer | Required for backups with CBT | 10809 | HTTPS/TCP |

Port numbers for NDMP

| From | To | Description | Port number | Protocol |
|---|---|---|---|---|
| SEP sesam data mover | NDMP server | Data transfer between components | 1000 | NDMP |

Port numbers for HPE StoreOnce

| From | To | Description | Port number | Protocol |
|---|---|---|---|---|
| SEP sesam Server | HPE StoreOnce | Default command port; for communication with HPE StoreOnce | 9387 | TCP |
| SEP sesam Server | HPE StoreOnce | Default data port; for communication with HPE StoreOnce | 9388 | TCP |


Configuring clients in the firewall environment

If your client is behind a firewall, you have to configure the communication ports. By default, SEP sesam uses random ports specified by the operating system. However, if you want to back up a client that is behind a firewall, you need to set the ports manually. Switch to the Options tab and set the following:

  • In the Access options field, enter the port over which the client is reachable by using the -p <port_no> option (e.g., -p 17301). The default listen port for the CTRL daemon on clients is 11301 and for SMSSH is 11322.
  • Use STPD options to set up the communication port for transferring data from the backup client to the SEP sesam Server. Note that each backup running simultaneously on a client requires two ports; e.g., three simultaneous backups on the backup client use ports 11002-11007. If HTTP protocol is used for data transfer (SEP sesam Server interface is http://<SEP sesam server>:11000), TCP port 11000 is used.

    Part X: SEP sesam Events

    Newday Event

    SEP sesam Newday is a predefined SEP sesam daily event that resets the backup event calendar and is managed by SEPuler. It is accessible under schedules: Main Selection -> Scheduling -> Schedules. A Newday event is used by SEP sesam to reorder its database and enable uninterrupted activity of SEP sesam processes. It must therefore never be completely disabled, otherwise it will cause SEP sesam to stop working properly. See Newday event roles. Newday is used to define a new backup day. All SEP sesam protocol and log files are created with the date of the backup day.

    If a Newday event is set to 08:00 (SEP sesam default), the backup day is defined from 8am of the current day to 8am of the next day. Backups that run after midnight – the actual date change – are given a timestamp with the date of the previous day to avoid creating backups for the same data (one saveset for day 1 and another for day 2).

    With SEP sesam Newday, all media backed up from one sesam day, e.g., from Monday 8am to Tuesday 7.59am, will have the same date. SEP sesam Newday gives system administrators the flexibility to extend backup routines to run after midnight and retain the backup date of the prior day. This is very useful when the time needed to back up the computers exceeds the time span between the end of the day and midnight.

    When you check, for example, backups by state in the SEP sesam GUI, the selected/displayed date always refers to the sesam backup day with the timespan of hours defined by Newday. In the above example of a defined backup day (from 8am of the current day to 8am of the next day), the backup day 13 November runs from Monday, 13.11., 8am to Tuesday, 14.11., 7.59am. Keep in mind that the backup day by default does not correspond to the calendar day.

    Note

    To ensure error-free execution of the SEP sesam backup environment, SEP Newday should never be completely deactivated. Switching Newday off prevents SEP sesam from reordering its database. SEP sesam will then no longer be able to delete old log files, and the system disk will eventually run out of storage space.

    Besides resetting the event calendar and setting a new backup day, Newday also performs the following:

    • Deletes files and database entries for savesets that no longer exist.
    • Finalizes the SEP sesam status and daily log files.
    • Reorganizes the SEP sesam database.
    • Advances the event calendar (SEPuler) by one day.
    • Restarts the SMS- and STPD-processes.

    Preventing Newday from cancelling running activities

    You can set a Newday behaviour to allow uninterrupted execution of SEP sesam operations. If you do not want active tasks to be cancelled during the Newday event, go to Schedules -> Newday event properties -> tab Parameter, and then select the check box All Events next to Do not cancel these activities.

    If the Newday is configured as explained above, it does not interrupt any ongoing backup when it starts, so the Newday can be set to be active at all times.


    Preventing the sm_alarm or sm_notify interface from blocking the Newday execution

    If you use the SEP sesam email notification based on the sm_alarm and/or sm_notify interface scripts, be aware that adding long-running actions to these scripts can block the execution of the sm_newday event and possibly other SEP sesam actions, such as backups.

    Starting with version 5.0.0 Jaglion, you can use the submit_notify option to let these scripts run in the background and prevent them from blocking SEP sesam actions.

    Steps

    1. From Main Selection -> Scheduling -> Schedules, double-click the Newday event.
    2. In the properties of the Newday event (tab Parameter), enter submit_notify in the Options field and click OK.


    For details on using SEP sesam email notifications and enabling interfaces, see How to Configure Mail Notification.

    Creating a Backup Event

    By creating a backup event, you select the backup level, set event priority and specify where to back up your data to. You can create an event for a specific task or for a task group. The latter enables you to trigger all the tasks in the task group with a single event.

    1. From Main Selection -> Scheduling -> Schedules, right-click the schedule for which you want to create a new event then click New Backup Event.
    2. Under the Sequence control, set up the Priority of your backup event. SEPuler always executes the schedules with the highest priority first. The default priority level is 1, which is the lowest priority (the highest priority is 99). The only exceptions are schedules with priority 0, which override all other priorities and are always executed. For details, see Setting Event Priorities. You can also enable Blocking date. This option should be used together with high priority for special events. If checked, events of the same type but of a lower priority will be blocked, ensuring that the backup will be processed even if other backups are scheduled for the same time.
    3. Under the Object, select the task or task group to which you want to link this event. In our example, you would link the newly created event to the task diagnostix_C.
    4. Under the Parameter, specify the Backup level:
      A FULL backup always copies all data specified by the backup task, regardless of whether it has been changed or not. A saveset created as FULL is the basic saveset for subsequent DIFF or INC savesets. While the backup time of a full backup can be significant, restore is fast and simple since only one backup saveset is required. Information about the backup status is stored in the SEP sesam database. Note that the archive bits are not deleted on Windows systems. If you want to force a reset of the archive bits, you can enter the command -o clear_archive in the backup options.
      A DIFF (differential) backup saves only data which was created or changed after the last FULL saveset had been created (of the same task). A differential backup is faster than a full backup, however, to restore the whole data source, first the saveset of the full backup has to be restored followed by restore of the DIFF saveset. For this, SEP sesam provides generation restore that enables browsing for and selecting for restore all generations of backed up files since the last full backup.
      An INC (incremental) backup saves only data which was created or changed after the last backup (FULL, DIFF or INC) of the same task. This is the fastest backup method and requires the least storage space. Restoring from incremental backups is the slowest, because it requires all related savesets to be copied back – the saveset of the last full backup as well as all INC backups. You should consider the advantages of time and resources when planning your backup strategy. A combination of FULL backups stored to tape drives, and DIFF or INC backups stored to virtual disk media is a common method.
      A COPY backup is a full backup that has no influence on following differential (DIFF) or incremental (INC) backups. For the treatment of archive bits, see FULL backup above. COPY backup is usually used for additional full backups, e.g., monthly backups, or backups for archiving, i.e. removal from storage.
      Note
      In case no initial FULL backup exists, differential (DIFF) or incremental (INC) backups are automatically performed as FULL backups.
      For DIFF and INC backups, you can also set the Enforce FULL option. This option ensures that a FULL backup is run within the specified interval. For example, setting the number to 7 will enforce a full backup every seven days instead of an incremental or differential backup if the planned full backup fails. This ensures that a full backup is always performed within the specified time interval, in our example, once a week. If the value is 0, the system checks whether the last FULL backup was successful or run with warning for each backup performed. If the last FULL backup was terminated or run with error, the INC/DIFF backup to be started is automatically performed as FULL backup. However, once you have decided on your backup schedule, you should consider the advantages and disadvantages of the enforced full backup frequency, as it is slower than other backup levels and has the highest storage space requirements. For details, see Enforcing Full Backup.
    5. From the Hot/Cold backup drop-down list, select the execution parameter (hot or cold backup).
    6. From the Media pool drop-down list, select the target media pool to which the data will be backed up. If you want to enable source-side deduplication, you have to select the media pool which is combined with an Si3 deduplication store backend.
      • Optionally, specify the drive number of the drive that will be used to write the data. Typically, you use this if you have configured additional drives and you want to assign a dedicated drive exclusively for backup. For details, see option Create second drive (introduced in SEP sesam 4.4.3 Tigon) in Configuring a Data Store.
      • You can also define the Interface: from the drop-down list, select another configured TCP/IP-name of the client. You can use this option to direct the data flow over a particular network connection to enable smooth execution of backups without blocking other network activities.
    7. Optionally, enable SEP Si3 source-side deduplication. This check box is only available if you have a configured Si3 deduplication store and you have previously selected the Si3-related media pool.
    8. In the Follow up field you can configure events that are triggered on the SEP sesam Server once the initial event has completed. You can set up a migration, a saveset verify and other actions to be triggered immediately after a backup or other event is completed. For details, see Follow-up events.
      Tip
      You can set a follow-up migration task by selecting the task from the Migration task drop-down list.


    Monitoring backups

    You can view the status of your backup jobs in the GUI (Monitoring -> Last Backup State or Job State -> Backups) or SEP sesam Web UI. The backup status overview provides detailed information about the last run of backup jobs, including the task name, start and stop time of the last backup, backup level, data size, throughput, assigned media pool, etc.

    Creating a Media Event

    A media event can be a user-defined event or an internal event created by SEP sesam. For example, if the specified media are unavailable at the start of a backup or if the end of media (EOM) is reached during data transfer, SEP sesam creates an internal media event which determines the next media for the backup. If no other media events are configured in the schedule, only internal media events are executed.

    A user-defined media event is configured by using GUI and automatically activated by SEPuler. The following media events can be configured:

    initializing
    A process of preparing backup media for use with SEP sesam. If a medium meets the requirements (e.g., its EOL has expired and it is not write-protected – locked), it can be initialized, deleting all data contained on it and preparing it for use again. During initializing, SEP sesam assigns a new tape label for formatted media and deletes all existing content on these media. At the same time, it deletes all information about old backups from the SEP sesam system.
    readability check
    A process that checks the backup data readability. During the check the data on medium is read in blocks, and the structure of tape is checked and recorded. It also checks whether all determined backup sets on the tape are recorded in the database and vice versa. For details, see Configuring a Readability Check.
    close tape
    A process that marks the tape as full by defining EOM and closing the tape, regardless of whether the tape is really full or not. Such a tape can no longer be used for storing data.
    archive adjustment
    A process that scans media in selected loader to update SEP sesam information about the media in the loader. It is required if the media in the loader have changed, for example if new media are added. For details, see Setting up Archive Adjustment.

    Steps

    1. In the Main Selection -> Scheduling -> Schedules, select the schedule to which you want to link the event, right-click it or select New and then New Media Event. A schedule is opened with a new tab Parameter.
    2. Under the Sequence control, set up the Priority of your media event. SEPuler always executes the schedules with higher priority first. The default priority level is 1, which is the lowest priority (the highest is 99). The only exceptions are schedules with priority 0, which override all other priorities and are always executed. For details, see Setting Event Priorities. You can also enable the Blocking date. This option should be used together with high priority for special events. If checked, the blocking event will block events of the same type but of a lower priority, ensuring that the backup is processed even if other backups are scheduled for the same time. For details, see Blocking Events.
    3. Under the Media action, select the type of event you want to create. You can select among the following: Initialize, Readability check, Archive adjustment and Close tape.
    4. Depending on previously chosen media event, some or all of the following options may be available.
      For options Initialize, Readability check, Close tape:
      • Media pool: Select the media pool for your event.
      • Drive: Optionally, select a drive.
      • Media: Optionally, select media for the event.
      For option Archive adjustment:
      • Media pool: Select the media pool where you want to perform the archive adjustment. Note that all media are shown regardless of the pool selected.
      • Drive: Optionally, select a drive.
      • Loader: Select the loader (tape library) for which you want to synchronize its contents with the SEP sesam database.
      • First slot and Last slot: You can limit synchronization to the specified loader parts by entering the number of the first and last slot.
      • Automatic introduction: Optionally, you can select that any unknown media (without a SEP sesam label) found in the tape library are automatically added to the specified media pool. If selected, also specify the Tape type option by choosing the media type for automatic new media entry from the drop-down list.
        • If you have selected Automatic introduction, under the Handling of unknown SEP sesam media, select one of the following options:
          Overwrite option will overwrite all media entered to the target media pool that are not recognized by the SEP sesam Server and assign a new media pool label to them.
          Accept without initialization enables SEP sesam to enter other SEP sesam media, e.g., from another SEP sesam Server, into the target media pool.
      • Check label on tape: Optionally, enable this if you want to scan the tape labels; every tape label is re-read and verified, while the barcode information is ignored.
      • Adjustment by barcode only: Optionally, select this if you want SEP sesam to check the barcodes of all tapes which are not in drives. This enables you to adjust the archive while the drives are in use. SEP sesam scans only the tapes which are in slots, while the tapes in the drives are not scanned.


    Creating a Migration Event

    The migration event is the final step in the configuration of a migration job. Creating a migration event consists of reviewing migration task parameters and (optionally) setting the event priority.

    Steps

    1. In the Main Selection -> Scheduling -> Schedules, select the schedule for which you want to create a new migration event, click New (or right-click the selected schedule) and click New Migration Event.
    2. From the Task name drop-down list, select the name of the already configured migration task for which you want to create a migration job.
    3. In the Priority box, set the Priority for your migration event. SEPuler always executes the schedules with higher priority first. The default priority level is 1, which is the lowest priority (the highest is 99). The only exception is schedules with priority 0, which override all other priorities and are always executed. For details, see event priorities. You can also enable the Blocking date. This option should be used together with high priority for special events. When enabled, the blocking event blocks events of the same type with a lower priority, ensuring that the backup is processed if other backups are scheduled at the same time. For details, see Blocking Events.
    4. The settings under Media pool, Destination, Backup date, Backup state, Backup level, Object, and Special filter (previously Parameter and Filter) were defined when you created the selected migration task. If required, you can modify these settings. The changes are only applied to the current migration event and do not affect the values originally set in the migration task. Any changed values (as opposed to the settings in the migration task) are displayed in blue when the event is re-opened. The check box Delete after successful migration sets the saveset EOL to the actual date and time of the successful migration. The source saveset is purgeable immediately after the migration. The saveset EOL has no effect on savesets stored on tape media.
    5. Click OK to save your migration event.
    Tip
    You can use the Migration task option in the backup task and event properties to select a follow-up migration task.

    Monitoring migrations

    You can view the status of your migration jobs in the GUI (Job State -> Migrations and Replications) or in the SEP sesam Web UI. Migration tasks are listed by name, along with details of completion status, start and end times, and media pools used for the job.

    Creating a Command Event

    A command event enables the execution of any program on a SEP sesam Client. A user must be authorized to run the commands on a specific client. By default, only commands entered in the system directory at <SESAM_ROOT>/bin/sesam can be executed. If you want to allow starting commands in other directories, see the section Setting permission to run commands.

    In the SEP sesam GUI, you can start command events immediately or schedule the events for automatic execution.

    Steps

    To create a new command event, follow the steps below:

    1. From Main Selection -> Scheduling -> Schedules, select the schedule to which you want to add a command event. Then right-click the desired schedule and select New Command Event. The New Command Event window is displayed.
    2. Note that if you have not already configured a schedule, you must first configure it by clicking the New Schedule button in the Schedules window. For details, see Creating a Schedule.

    3. Under the Parameter tab, specify the following settings:
      • Priority: Optionally, define a priority for the command event. SEPuler always executes schedules with higher priority first. The default priority level is 1, which is the lowest priority (the highest is 99). The only exception is schedules with priority 0, which override all other priorities and are always executed. For details, see Event Priority.
      • Blocking date: This should be used in conjunction with high priority for special events. When this check box is selected, lower priority events of the same type are blocked, ensuring that the command event is processed if other command events are also scheduled at the same time. See Blocking Events.
      • Name: Select the name of the existing command from the drop-down list. When selected, the full command is displayed in the Preview field below.
        Tip
        You can access the configured commands from the menu bar -> Configuration -> Command. You can define your own commands to use when creating a command event, and modify, delete, or copy the existing commands. For details, see Configuration: Commands.

      • Client: Select a client on which to execute the command.
      • User: Enter the user name of a user who has sufficient rights to execute the command on the client.
      • Retention time: Specify how long (in days) to retain the command event results and logs (default 30).
      • Additional Parameter: Optionally add additional parameters to the command.
      • Follow up (available in v. ≥ 5.0.0 Jaglion): Optionally use this field to configure a follow-up event to be started on the SEP sesam Server once the command event has completed. For details, see Creating Follow-up Events.

    4. Click OK to add your command event to a schedule. You can review your schedules and assigned events, trigger events to start immediately, or delete them by right-clicking the selected schedule/event.

    Setting permission to run commands

    Not every user on a specific client is authorized to run all commands. Without additional entries authorizing selected users to run certain commands, commands can only be run from the system directory <SESAM_ROOT>/bin/sesam. If a command is to be started from another directory before the regular backup is started, this must be entered/allowed on the target client.

    UNIX

    Copy the file sesam_cmdusers.allow from the directory <SESAM_ROOT>/skel to /etc on the client and modify the file. You can now enter a line for the user and the command in the format {user} {command}. If you use a wildcard (*), all commands are permitted.

    No explicit permissions are required to execute SEP sesam commands such as sm_loader.
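An audit of the UNIX allow file described above, as an added example (not SEP sesam code): it parses {user} {command} lines, flags wildcard and non-absolute entries, and checks whether the file or an allowed program is writable by group or other users. Treating # lines as comments, the severity labels, and the sample users and paths are assumptions made for this example.

```python
import os
import stat
from typing import List, NamedTuple, Tuple

# Constructed sample in the page's "{user} {command}" format; users and paths are invented.
SAMPLE = """\
# constructed sample, not taken from a real client
sesam /opt/scripts/pre_backup.sh
dbadmin *
operator stop_db.sh --force
orphan
"""


class Entry(NamedTuple):
    lineno: int
    user: str
    command: str


# (severity, line number or 0 for the file itself, description)
Finding = Tuple[str, int, str]


def parse_allow(text: str) -> Tuple[List[Entry], List[int]]:
    """Parse '{user} {command}' lines; return (entries, malformed line numbers)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        parts = line.split(None, 1)           # the command may carry arguments
        if len(parts) != 2:
            malformed.append(lineno)
            continue
        entries.append(Entry(lineno, parts[0], parts[1].strip()))
    return entries, malformed


def audit_entries(entries: List[Entry]) -> List[Finding]:
    """Flag entries that grant more than one clearly identified program."""
    findings = []
    for e in entries:
        if e.command == "*":
            findings.append(("HIGH", e.lineno,
                             f"{e.user}: wildcard permits every command"))
        elif not e.command.startswith("/"):
            findings.append(("MEDIUM", e.lineno,
                             f"{e.user}: '{e.command}' is not an absolute path"))
    return findings


def writable_by_others(path: str) -> bool:
    """True if group or other users may modify the file at path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_file(path: str) -> List[Finding]:
    """Audit an allow file on disk, including permissions of allowed programs."""
    findings = []
    if writable_by_others(path):
        findings.append(("HIGH", 0, f"{path} is writable by group/other users"))
    with open(path, encoding="utf-8") as fh:
        entries, malformed = parse_allow(fh.read())
    findings += [("MEDIUM", n, "malformed line, expected '{user} {command}'")
                 for n in malformed]
    findings += audit_entries(entries)
    for e in entries:
        target = e.command.split()[0]
        if target.startswith("/") and os.path.exists(target) \
                and writable_by_others(target):
            findings.append(("HIGH", e.lineno,
                             f"{target} can be replaced by group/other users"))
    return findings


if __name__ == "__main__":
    parsed, bad = parse_allow(SAMPLE)
    for severity, lineno, text in audit_entries(parsed):
        print(f"{severity:6} line {lineno}: {text}")
    print("malformed lines:", bad)
```

On a client, `audit_file("/etc/sesam_cmdusers.allow")` runs the same checks against the deployed file.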

    Windows

    To set access rights for the user and command, use the following key: \\HKLM\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\<user>\<command>

    In addition, on the client computer, the entry CTRLD_Path=ID/bin/sesam;ID/bin/sms in the file ID/var/ini/sm.ini in the section [CTRLD_Server] must be extended to include the directories in which the desired programs are located.

    1. Open the Regedit editor.
    2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\ and, if it does not already exist, create a new key named CommandEvents (right-click and select New Key).
    3. Enter <user> and then <command> with the full path information as the key.

    The available commands are:

    | Command | Execution |
    |---|---|
    | * | all commands |
    | cmd /c | all DOS commands (dir, etc.) |
    | DOS command (e.g., dir) | specific DOS command only (e.g., dir) |
    | specific command (e.g., ping) | specific command only (e.g., ping) |

    If there are other commands, the last command is executed. If you use a wildcard (*), all commands are executed.

    Below is an example of a registry file (*.reg) that allows all command events for the administrator and the sesam user:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\sesam\*]
    [HKEY_LOCAL_MACHINE\SOFTWARE\SEP Elektronik GmbH\sesam\CommandEvents\Administrator\*]
    

    Note
    The most common errors when setting up the desired user permissions and allowed commands are:

    • The necessary entries are not entered in the directories of the target clients, are not entered on the server, or are entered incorrectly.
    • Instead of entering a command as a key, it is entered as a string.


    Scheduling Restore

    SEP sesam enables you to configure a restore task in the GUI restore wizard or via the web Restore Assistant interface. The latter cannot be used for scheduling restore, as scheduling is only supported in the GUI interface. So a restore task can be started immediately from the GUI or web Restore Assistant, but it can only be scheduled by using the GUI Scheduling.

    For example, a selective restore can be scheduled to run at the completion of the daily backup routine, e.g., the last backed up file can be restored to a new directory to check and control the data integrity. For details on creating a restore task, see Standard Restore Procedure.

    Adding a restore task to a schedule

    Once you have created and saved your restore task, you can edit it in the Main Selection -> Tasks -> By clients, or add it to an already existing schedule.

    1. In the Main Selection -> Scheduling -> Schedules, select the schedule to which you would like to add a restore task. Right-click it and select New restore event. If you have not configured a schedule yet, you have to configure it first by clicking the New schedule button in the Schedules window. For details, see Creating a Schedule.
    2. The New restore event window is displayed. You can review the selected schedule parameters by clicking the Schedule tab.

    3. Switch to the Parameter tab. From the Restore task drop-down list, select the name of the restore task you want to schedule.

    4. Select the As defined in task option if you want to run the restore exactly as defined by the task parameters using the same backup saveset. If you want to adjust the restore task, for example to use the most recent backup saveset, select the Custom option. In the latter case, you can define the following settings:
      • Relative backup day defines the time range for the savesets that are considered for restore. Negative numbers specify days in the past, while positive numbers specify days in the future. For example, a range of -7 to 0 defines that a backup saveset to restore is less than a week old.
      • From the State drop-down list you can select the condition of the backup that will be used for restore:
        • Successfully or with warnings: The backup has completed successfully or with warnings.
        • Only successful: Only a backup that completed successfully without warnings will be considered for restore.
        • Only with warnings: Only a backup that completed with warnings will be considered for restore.
        • Partially restorable: The backup that failed but is listed as partially restorable in the main log.
      • Backup level allows you to specify which backup level of saveset will be used for restore: C (copy backup), F (full backup), D (differential backup), I (incremental backup).
      • The Selection drop-down list provides the following options for the specific backup saveset to be restored:
        • Youngest: The most recent backup in the range of the relative backup day will be used for restore.
        • Oldest: The oldest backup in the range of the relative backup day will be used for restore.
      • Pool restriction allows you to define that a saveset must come from the specified media pool.
    5. Under the Sequence control, you can set the restore job priority and the blocking date.
      • Priority: You can define a priority of your restore event. SEPuler always executes the schedules with higher priority first. The default priority level is 1, which is the lowest priority (the highest is 99). The only exception is schedules with priority 0, which override all other priorities and are always executed. For details, see Setting event priorities.
      • Blocking date: This should be used together with high priority for special events. If checked, the blocking event blocks events of the same type with a lower priority, ensuring that the restore is processed if other restores are scheduled at the same time. See Blocking events.
    6. Under the Destination parameter, you can specify the target drive that will be used for restore.
    7. Click OK to add your restore task to a schedule.

    You can review your schedules and assigned events, trigger immediate start of events or delete them by right-clicking the selected schedule.


    Follow-up Events

    Overview

    As of SEP sesam version ≥ 4.4.3, you can configure follow-up events that are triggered on the SEP sesam Server once the initial event is completed. You can set up migration, saveset verify and other actions to be triggered immediately after a backup or other event is completed.

    Key features

    Follow-up events allow you to start actions based on events happening on the backup server.

    The following event chains can be combined:

    • Start migration after the backup or task group is successfully completed.
    • Start single backup task or task group after the backup, task group or migration is successfully completed.
    • Start saveset verify after the backup or task group is successfully completed.

    Activating follow-up events

    To activate the follow-up events, enter the following commands in the shell/cmd.

    On Windows:

    "c:\program files\sepsesam\var\ini\sm_prof.bat"
    sm_glbv w gv_use_follow_up 1
    sm_db "update defaults set value='1' where key ='enable_gui_follow_up'"
    

    On Linux:

    source /var/opt/sesam/var/ini/sesam2000.profile
    sm_glbv w gv_use_follow_up 1
    sm_db "update defaults set value='1' where key ='enable_gui_follow_up'"
    

    Event-based actions are logged within:

    SESAM_INSTALL_DIR/var/log/lgc/sm_event_<date>.log
    
    Note
    If you need troubleshooting assistance, send this log file with a description of your issue to SEP sesam support.

    Configuring follow-up events

    A follow-up event can be configured in the backup event properties: Main Selection -> Scheduling -> Schedules -> New Backup Event. For details, see Creating a Backup Event.

    In the Follow up field, you can configure events to be started on the SEP sesam Server once the initial event is completed. With SEP sesam v. 5.0.0 Jaglion, the Follow up field is also available when configuring the command events. For details, see Creating a Command Event.

    As of version 4.4.3 Grolar, you can use the Migration task option to choose a follow-up migration task.

    Note
    A follow-up event is always configured for the schedule that should trigger the event.

    Testing events on the command line

    Backup events can be tested on the command line before configuration. The command line tool sm_cmd is used for the initial start of a backup.

    The notation of the command has a special syntax:

    sm_cmd <cmd_command> -@ "<event_definition>"
    

    The following example shows an sm_cmd command which then automatically starts a follow-up event to back up a task group:

    sm_cmd backup -m MEDIAPOOL -j TEST_BACKUP -@ "sm_event backup task SESAM_BACKUP - -m MEDIAPOOL -"
    

    See SEP sesam Command Line Interface for details.

    Follow-up examples

    In the following examples the elements within the angle brackets < > indicate that the enclosed element is mandatory and must be appropriately replaced by parameter or actual name. Do not type the angle brackets in the command line. The follow up command must always end with a hyphen (-). If you add additional parameters to the command, they must also end with a hyphen.

    All specified tasks and migration tasks have to be configured in the GUI before the follow-up event is started. For example, first you configure a migration task and then you set up the event migrate saveset after the backup.

    Verify saveset after the backup

    Note
    Verifying savesets is currently only available for Path task type.

    To verify the backup, use the following command:

    sm_event verify saveset -
    

    After the backup is finished, a restore is started and data is being verified. No data is written to the target system. To view the status of your verification job, go to the Main Selection -> Job state -> Restores and check the verification status.

    Migrate or replicate saveset after the backup

    First, create a migration task or a replication task. Once the required task is created, you can set it up as a follow-up event after the backup has completed.

    The following command will start the respective migration after each completed backup task:

    sm_event migrate saveset <migration_task> -
    

    Replace <migration_task> with the actual name of the migration (or replication) task, as it is displayed in Tasks -> Migration Tasks or alternatively in Tasks -> Replication Tasks (previously Si3 Replications).

    Tip
    As of version 4.4.3 Grolar, you can use the Migration task option in task event properties to choose a follow-up migration task.

    Migrate savesets after all backups in the group completed

    First, create a migration task and then set it up as a follow-up event to start the migration for backup-group related savesets.

    The following command will start the respective migration after all backups that are part of the group are completed:

    sm_event migrate group <migration_task> - 
    

    Replace <migration_task> with the actual name of the migration task (or replication), as it is displayed in Tasks -> Migration Tasks or alternatively in Tasks -> Replication Tasks (previously Si3 Replications).

    Migrate saveset after the backup and delete it after successful migration

    First, create a migration task. Once the required task is created, you can set it up as a follow-up event after the backup is completed by entering the following command:

    sm_event migrate saveset <migration_task> - -r 1 -
    

    The additional option "-r 1" will be passed to the migration task and the saveset will be deleted after successful migration.

    Replace <migration_task> with the actual name of the migration task, as it is displayed in Tasks -> Migration Tasks.

    Note
    This follow-up event can only be used for migration, not for replication.

    Start a single backup task after the backup

    To start another backup task after the scheduled backup is finished, specify the following:

    sm_event backup task <task_name> - -m <target_pool> -
    

    Replace <task_name> with the name of the backup task and <target_pool> with the target media pool the data should be saved to.

    Start a single backup task after all backups of a task group

    To start another backup task after all backups of a scheduled task group are finished, specify the following:

    sm_cmd backup -G <task_group> -m <target_pool> -@ "sm_event backup taskgroup <task_name> - -m <target_pool> -"
    

    Replace <task_group> with the name of your task group, <target_pool> with the target media pool the data should be saved to, and <task_name> with the name of your backup task which should be started.

    Note
    The notation sm_event backup taskgroup ensures that all backups of the previous running task group have been completed.

    For example, the name of the task group is MY_GROUP, the name of the target pool is MY_MEDIAPOOL, and the task name is SESAM_BACKUP:

    sm_cmd backup -G MY_GROUP -m MY_MEDIAPOOL -@ "sm_event backup taskgroup SESAM_BACKUP - -m MY_MEDIAPOOL -"
    

    Start task group after the backup

    Sometimes you need to start a task group after the backup is finished:

    sm_event backup group <task_group> - -m <target_pool> -l BACKUP-LEVEL -
    

    Replace <task_group> with the name of the task group and <target_pool> with the target media pool the data should be saved to. Replace BACKUP-LEVEL with the backup level: F, C, D or I.

    Start event on special drive

    To start the target event on a different drive, specify the option -d:

    sm_event backup task <task_name> - -m <target_pool> -d <drive_num> -
    

    Send notification after backup or restore

    You can trigger a notification after the backup or restore event has finished.

    For the backup, use the following command:

    sm_event notify result <username> -
    

    For the restore, use the following command:

    sm_event notify restore <username> -
    

    In the following example, the notification is sent to the account configured as backup in Configuration -> Email Settings.

    sm_event notify result backup -
    

    For more information on e-mail configuration, see Email Settings. For details on how to send a SEP sesam daily protocol to an email account, check FAQ.

    Execute script after backup

    To execute a script after the backup is finished and pass some additional parameters, use the following command:

    sm_event execute <script_name>.sh - <some_additional_parameters> -
    

    Replace <script_name> with the name of the script and <some_additional_parameters> with the desired parameters, e.g., -s savesetID.


    Part XI: SEP sesam Log Files

    How to interpret SEP sesam's backup module's error messages?

    SEP sesam backup modules are designed to produce extended error messages which may return information from 5 layers: SBC – XBSA – FTP – SMS – operating system. SEP sesam scans the protocol files for warnings and errors after backup and restore. In the event of a warning or an error, the first identified message is printed in the summary at the end of the protocol.

    Every backup module uses the X/Open Backup Services API (XBSA) standard. SEP sesam XBSA is based on FTP implementation. The backup module connects to SEP sesam's FTPD daemon implementation – Sesam Transfer Protocol Daemon (STPD). Sesam Transfer Protocol Daemon (STPD) is a service that requests and delivers the backup data from or to the SMS Server and manages the data flow between the SEP sesam Server and a client. During a restore STPD receives the data from the SMS Server and sends it to the client, which then restores the data to the target system. Sesam Multiplex Stream (SMS) is a service that receives the backup data from STPD and writes the data to the backup media. During a restore, it reads the data from the backup media and sends it to STPD. Additionally, the SEP sesam backup client (SBC) module executes backup, migration and restore tasks. SBC collects and consolidates backup data on the client system and delivers it to STPD. A list of all SBC messages (C header file) can be found at SBC Messages.

    An error message is composed of the messages from the triggering layer up to the upper layers. If an operating system returns an error, the error code and the operating system message are added to the SEP sesam error message. Because of this, error messages can also help troubleshoot problems that are not caused by SEP sesam (for example, OS problems).

    Typical backup protocol

    The following example shows a typical backup protocol. It is composed of 4 sections: about module, operational parameters, processing, and a summary.

    2009-06-26 10:28:16: sbc-3036: Info:    # SESAM BACKUP CLIENT FOR Windows NT FILE SYSTEMS, VERSION: 3.2A17 Build
    Revision: 1.257 (x64), Released: Jun 25 2009 #
    2009-06-26 10:28:16: sbc-3063: Info:    -------------------- Operation Parameters --------------------
    2009-06-26 10:28:16: sbc-3019: Info:    OS info:          Microsoft Windows Server 2008, Build: 6001 Service Pack 1 (x64)
    2009-06-26 10:28:16: sbc-3100: Info:    Program PID:      42900
    2009-06-26 10:28:16: sbc-3030: Info:    Operation:        BACKUP, Level: COPY
    2009-06-26 10:28:16: sbc-3031: Info:    Storage Host:     qsbox3:11001,0-0:SESAM_SECURE_AUTHENTICATION:****
    2009-06-26 10:28:16: sbc-3032: Info:    Control Host:     qsbox3:11001:SESAM_SECURE_AUTHENTICATION:*
    2009-06-26 10:28:16: sbc-3040: Info:    Device:           SMS:disk1:SHARE:64
    2009-06-26 10:28:16: sbc-3064: Info:    --------------------- Operation Messages ---------------------
    2009-06-26 10:28:16: sbc-3002: Info:    Building file list from: [C:\SEPsesam\var\ini]
    2009-06-26 10:28:16: sbc-3022: Info:    Command line ["sbc" "-b" "-C" "qsbox3:11001" "-S" "qsbox3:11001" "-l" "copy" "-s"
    "SF20090626102812" "-d" "SMS:disk1" "-t" "weekly00001:1" "-j" "TEST_BACKUP" "-i" "job=TEST_BACKUP,nod=qsbox3,cmd=sbc,src=C/ /SEPsesam
    /var/ini,ptf=WNT,typ=Path,exc=" "C:/SEPsesam/var/ini" ]
    2009-06-26 10:28:16: sbc-3003: Info:    Opening saveset: SF20090626102812
    2009-06-26 10:28:18: sbc-3104: Info:    Saveset info: [SEGMENT=3]
    2009-06-26 10:28:18: sbc-3004: Info:    Begin writing to saveset...
    2009-06-26 10:28:18: sbc-3074: Info:    Backup start time [20090626102818]
    2009-06-26 10:28:18: sbc-3143: Info:    Starting with drive C:
    2009-06-26 10:28:18: sbc-3006: Info:    Saveset size: 98304 bytes. Throughput: 189.820 MB/Hour.
    2009-06-26 10:28:18: sbc-3005: Info:    Closing saveset.
    2009-06-26 10:28:18: sbc-3052: Info:    Items processed correctly: [25]. Not processed or incorrectly processed items: [0].
    2009-06-26 10:28:18: sbc-3007: Info:    Operation successful.
    2009-06-26 10:28:19: sbc-3001: Info:    Exiting.
    

    Backup error summary

    The error message summary is prefixed by a short information string. The full error message is composed as follows:

    {status}/{amount}/{saveset ID}/{SBCstart}/{message}
    

    The components of this string have the following meanings:

    • {status}: One of the following codes:
      • 0 - successful
      • 1 - warning
      • 2 - empty LIS
      • 3 - broken during backup
      • C - broken before data transfer
      • X - failed
    • {amount}: Amount of data stored on media
    • {saveset ID}: Automatically generated saveset ID
    • {SBCstart}: Starting time on the client
    • {message}: Message about the error

    The following example shows a backup error summary with all 5 layers prefixed by a short information string.

    X/0/SF20060629233007/20060629232907/Error: XBSA Call BSAEndData (closing saveset) failed:
    System detected error, operation aborted. TRANSIENT or PERMANENT NEGATIVE reply:
    553 STOR Failed. 1037: Writing data block on tape failed (23): Data error (cyclic redundancy check).
    1039: Writing of Saveset Trailer failed.
    

    The amount of detail provided for backup or restore is defined by the log level.
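A parser for the summary string and the protocol lines shown above, as an added example (not SEP sesam code). It splits the summary on the first four slashes only, because the message may itself contain slashes, and it returns the first warning or error line of a protocol; the Warning/Error severity spellings and the sbc-0000 line are assumptions constructed for this example, since the page's protocol shows only Info lines.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Status codes exactly as listed in the component description above.
STATUS = {
    "0": "successful",
    "1": "warning",
    "2": "empty LIS",
    "3": "broken during backup",
    "C": "broken before data transfer",
    "X": "failed",
}

# The error summary from the page, wrapped over several lines as shown there.
PAGE_SUMMARY = """X/0/SF20060629233007/20060629232907/Error: XBSA Call BSAEndData (closing saveset) failed:
System detected error, operation aborted. TRANSIENT or PERMANENT NEGATIVE reply:
553 STOR Failed. 1037: Writing data block on tape failed (23): Data error (cyclic redundancy check).
1039: Writing of Saveset Trailer failed."""

# Protocol lines from the page plus one constructed Warning line (sbc-0000 is a placeholder).
PROTOCOL = """\
2009-06-26 10:28:16: sbc-3036: Info:    # SESAM BACKUP CLIENT FOR Windows NT FILE SYSTEMS, VERSION: 3.2A17 Build
Revision: 1.257 (x64), Released: Jun 25 2009 #
2009-06-26 10:28:16: sbc-3030: Info:    Operation:        BACKUP, Level: COPY
2009-06-26 10:28:18: sbc-0000: Warning: constructed line for this example
2009-06-26 10:28:18: sbc-3005: Info:    Closing saveset.
"""


class Summary(NamedTuple):
    status: str
    status_text: str
    amount: str          # kept as text: the page gives no unit or number format
    saveset_id: str
    sbc_start: datetime
    message: str


class Entry(NamedTuple):
    when: datetime
    module: str
    code: int
    severity: str
    text: str


def parse_summary(text: str) -> Summary:
    """Parse {status}/{amount}/{saveset ID}/{SBCstart}/{message}."""
    flat = " ".join(text.split())      # re-join a summary wrapped over lines
    parts = flat.split("/", 4)         # the message may contain '/' itself
    if len(parts) != 5:
        raise ValueError("expected five '/'-separated fields")
    status, amount, saveset_id, start, message = parts
    if status not in STATUS:
        raise ValueError(f"unknown status {status!r}")
    return Summary(status, STATUS[status], amount, saveset_id,
                   datetime.strptime(start, "%Y%m%d%H%M%S"), message.strip())


LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): ([A-Za-z]+)-(\d+): ([A-Za-z]+):\s*(.*)$")


def parse_protocol(text: str) -> List[Entry]:
    """Parse protocol lines; a line without a timestamp continues the previous one."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append(Entry(when, m.group(2), int(m.group(3)),
                                 m.group(4), m.group(5)))
        elif line and entries:
            last = entries[-1]
            entries[-1] = last._replace(text=last.text + " " + line)
    return entries


def first_problem(entries: List[Entry]) -> Optional[Entry]:
    """Return the first warning or error, the line the summary is built from."""
    for entry in entries:
        if entry.severity.lower() in ("warning", "error"):
            return entry
    return None


if __name__ == "__main__":
    s = parse_summary(PAGE_SUMMARY)
    print(s.status_text, s.saveset_id, s.sbc_start.isoformat())
    print(first_problem(parse_protocol(PROTOCOL)))
```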

    Analyzing SEP sesam Log Files

    Analyzing SEP sesam log files is very useful to detect operations that have caused errors or malfunctions, for example, in the case of a failed backup. The log files are also used to track or audit changes to data, as described in Audit Logging.

    SEP sesam creates two protocols or log files for each backup day: the status file and the day log. An error log is the subset of the entire day log, where only error messages are recorded. The log files can be printed or sent by email. The default location (main directory) for the log files is SESAM_VAR/log. You can check the backup logs (state, day or error) in the GUI (Main Selection -> Logging -> State/Day/Error Log).

    As of 4.4.3 Beefalo V2, you can also check your system logs online by using the new Web UI. For details, see SEP sesam Web UI.

    Log files creation order during a backup

    When a scheduled backup is performed, log files are generated in a specific order. If you analyze a problem and find that the corresponding log files are missing from a certain point in time in the past, the cause of the problem is most likely positioned just before that point. An example of how a log file is generated is given below.

    1. The SEPuler creates the log file sm_sepul_event_xxx.log, for example sm_sepul_event_20181004.log.
    2. The queue manager writes the sm_qm_main_xxx.log, for example sm_qm_main_20180913.log.
    3. If the backup was able to start, a bck_*.log is created.
    4. When the backup starts, a backup .not log (notification) is created in the SEP sesam's SESAM_VAR/lis directory, e.g., smhg00_all- 20181004_001_SF20131004090011986@YlyxvqJCsHm.not.
    5. In case of optional media init, a sm_init_X_20180915.log is created. The X stands for the SEP sesam drive number.
    6. The information for monitoring drives and performance data is written in the sms log (sm_sms_watch_X_20181004.log).
    7. The files which are backed up are first written to a *.lis file (list of the backed up files and directories) and to an sgm file (segment file of the used segment markers on the used tapes) on the device server in the SESAM_VAR/work/smslis directory. Once the backup is finished, these files are copied from the device server to the SEP sesam SESAM_VAR/lis directory. This data is needed for a selective restore.

    Course of action for log file analysis

    The recommended course of action depends on the failure. For example, if a scheduled backup did not run or has failed, proceed as follows.

    Check the backup log in the GUI/Web UI

    From Main Selection -> Backups, double-click the relevant Failed backup and open the Main Log tab to check the backup log.

    As of 4.4.3 Beefalo V2, you can also check your failed backups online by using the new Web UI. For details, see SEP sesam Web UI.

    Check if a media init error has occurred

    If a medium init error occurred (bck_*.log), it is the cause of a failed backup.

    Check if a backup has no log or has failed

    If the backup does not yet have a log or has failed:

    1. Check the status and daily logs in the SESAM_VAR/prot directory for events and errors at that particular time.
    2. Check if a .not log exists in the SESAM_VAR/lis directory. If not, then the possible causes for the error are as follows:
      • Client is not accessible (DNS, ping).
      • There is no media available.
      • The backup did not start yet.
    3. The process logs are stored in the SESAM_VAR/log/lgc directory. The logs should be listed chronologically in the terminal (e.g., with ls -lart on Linux).
      • The bck_*.log is created by the program sm_backup; naming convention: bck_<job_name>_<save_set_ID>_<sesam_day>.log. Note that unlike most other logs, the bck_*.log must be read from the beginning to find the first error message that may reveal the cause of the failure.
        • Check the license.
        • Set time range: Check if the backup is within the set time frame.
        • Alive test: Check if the client is active and reachable.
        • CHECK_MEDIUM: Check the availability of the media.
          • iGET_PREPARED_MEDIA: Check the media pool. If msg=0 appears, there is no media available.
          • GET_BACKUP_MEDIUM: The sm_sms_interface is doing something on the tape (getlabel, init, etc.). For tasks started simultaneously, search for the largest backup file that contains the log files of the executed media init.
          • In the case of tape media, the following Options may be set as described in Configuring a Media Pool. They allow you to control which media to use for a backup. For example, for devices that load media in sequential order, or if you do not want an unattended backup to fail because the specified media are not available, you can use the empty media policy.
            • empty: If this option is selected and no EOL-free media are available in the requested media pool, SEP sesam will use any suitable media for the backup – empty media and media that are unrecognized by SEP sesam.
            • spare: If this option is selected and no EOL-free media are available in the requested media pool, media from the SPARE_ pool will be used for backup.
            • other: If this option is selected and no EOL-free media are available in the requested media pool, any EOL-free media from other media pools will be used.
          • Note: The EOL defines how long the backed up data on the media remains protected after the data is written to the media (see Managing EOL). When the protection expires, SEP sesam can re-use the media for backups. You can check the life cycle of a tape in the daily log; for details on media initialization, check the *.sms log files in the <SESAM_VAR>/log/sms directory.
        • sm_notify is delivered.
        • Use the search pattern "Cmd= sbc" to jump directly to the command given in the log that calls up the backup.
        • If the backup is started successfully, the .not log is created in the SESAM_VAR/lis directory.
        • During an active backup all log information is appended to .not log.
      • If there are problems with the media init, the errors are recorded in the sm_init_<drive>_<sesam_day>.log. If a log includes the error: all media with eol restriction, then no media are available in the requested pool. There may be further attempts to get the backup media according to the specified media pool options (see Options above).
      • If there are problems with subsequent tapes after writing the backup data until the End Of Media (EOM) is reached, they will be written in the sm_sms_watch_<drive>_<sesam_day>.log. If this log includes error: all media with eol restriction, then no media are available in the requested pool.
      • To check the communication between the client and the SEP sesam Server either over SMSSH (default, via port 11322) or over CTRL (via port 11301), look for sm_sshd_<sesam_day>.log or sm_ctrld_<PID>.lgc in the <SESAM_VAR>/log/lgc directory on the client. The logs on the client are generated when the SEP sesam Server performs a task on the client, for example:
        • Execution of a backup.
        • Execution of a command.
        • Browsing the GUI file wizard (when creating a task).
      • Whenever the SEPuler finds a task that has to be executed, the operation is recorded in (sm_sepul_event_<schedule_identifier>_<sesam_day>.log). With QUE_SUBMIT a job is put into a queue; sm_backup shows that the backup is being put into the queue.
      • On a SEP sesam Server, search the log sm_sms_watch_<drive>_<sesam_day>.log from bottom upwards to check drive information. This includes:
        • Monitoring a drive. This log is generated only on a SEP sesam Server (the corresponding watch logs for drives on RDS are also located on the SEP sesam Server).
        • Data throughput of a drive.
        • The search string "+++ EOM" shows media changes related to the end of media (tape is full). The sm_sms_interface init command:
          • STATUS=SUCCESS: Successful media initialization.
          • STATUS=IO-ERROR: There is a problem with the media or a drive. If necessary, check the <SESAM_VAR>/log/messages on Linux or the event log on Windows for any hardware problems. To confirm that there is a hardware problem, check the sms log in the <SESAM_VAR>/log/sms directory.
      • The log sm_sms_watch_0_<sesam_day>.log regularly displays the process status of the sm_main processes and the processes in the sm_qm_main queues, in addition to periodically checking the available space GET_FREE_SPACE_OF_DIR.
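
    The creation order and the error strings described above can be checked mechanically. The following script is an added example, not part of SEP sesam: for one sesam day and job it reports the first stage whose log is missing and flags the media-related strings named above. The YYYYMMDD day format, the .not name pattern (derived from the single file name in step 4), the output labels and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not SEP sesam code: report how far a scheduled backup got by
# checking which log files exist, in the creation order listed above, then
# search the media logs for the error strings quoted on this page.

# Print the first file below directory $1 whose name matches glob $2.
first_match() {
    find "$1" -type f -name "$2" 2>/dev/null | sort | head -n 1
}

# check_stage <SESAM_VAR> <stage> <glob>: report one stage; status 1 if missing.
check_stage() {
    cs_file=$(first_match "$1" "$3")
    if [ -z "$cs_file" ]; then
        echo "MISSING $2"
        return 1
    fi
    echo "REACHED $2 ${cs_file#"$1"/}"
    tb_last=${cs_file#"$1"/}
}

# triage_backup <SESAM_VAR> <sesam_day as YYYYMMDD> <job_name>
triage_backup() {
    tb_var=$1 tb_day=$2 tb_job=$3 tb_last=""
    # Stage name and file-name glob, in creation order. The .not glob is an
    # assumption based on the one example file name shown in step 4.
    for tb_entry in \
        "sepuler:sm_sepul_event_*${tb_day}.log" \
        "queue_manager:sm_qm_main_${tb_day}.log" \
        "sm_backup:bck_${tb_job}_*_${tb_day}.log" \
        "notification:${tb_job}-${tb_day}_*.not"
    do
        if ! check_stage "$tb_var" "${tb_entry%%:*}" "${tb_entry#*:}"; then
            # The cause most likely sits just before the first missing log.
            echo "STOPPED_BEFORE ${tb_entry%%:*}"
            if [ -n "$tb_last" ]; then echo "INSPECT $tb_last"; fi
            break
        fi
    done
    # Media problems: strings this page quotes for the init and watch logs.
    find "$tb_var" -type f \( -name "sm_init_*_${tb_day}.log" \
        -o -name "sm_sms_watch_*_${tb_day}.log" \) 2>/dev/null | sort |
    while IFS= read -r tb_file; do
        tb_rel=${tb_file#"$tb_var"/}
        if grep -q "all media with eol restriction" "$tb_file"; then
            echo "FINDING no_media_in_pool $tb_rel"
        fi
        if grep -q "STATUS=IO-ERROR" "$tb_file"; then
            echo "FINDING io_error $tb_rel"
        fi
        if grep -q -F "+++ EOM" "$tb_file"; then
            echo "FINDING end_of_media $tb_rel"
        fi
    done
}

# Build a constructed sample tree (invented content, not real SEP sesam
# output). Directory placement is constructed too; the script searches the
# whole tree, so it does not depend on it.
build_constructed_logs() {
    mkdir -p "$1/log/lgc" "$1/log/sms" "$1/lis"
    echo "constructed" > "$1/log/lgc/sm_sepul_event_20181004.log"
    echo "constructed" > "$1/log/lgc/sm_qm_main_20181004.log"
    echo "constructed" > "$1/log/lgc/bck_smhg00_all_SF0001_20181004.log"
    echo "constructed: error: all media with eol restriction" \
        > "$1/log/sms/sm_init_1_20181004.log"
    echo "constructed: init STATUS=IO-ERROR" \
        > "$1/log/sms/sm_sms_watch_1_20181004.log"
}

# Demo on the constructed tree: the backup log exists but no .not file does.
demo_dir=$(mktemp -d)
build_constructed_logs "$demo_dir"
triage_backup "$demo_dir" 20181004 smhg00_all
rm -rf "$demo_dir"
```

    On a real system, pass the SESAM_VAR directory as the first argument. The file named on the INSPECT line is the one to read first.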

    Tips for Backup Troubleshooting

    In the case of an unsuccessful backup, you should follow these tips:

    • Find out when the problem occurred using the day log (.prt) and the status log (.status). The day log shows the causal progression of all SEP sesam activities of the backup day. The files with a file extension ending in .prt.err contain just the error messages from the day log.
    • Display the directory files chronologically (with ls -lart on Linux).
    • Log files should be read backward from the end of file. If a backup has failed, the indication of errors and their causes may usually be found at the end of the respective log file.
    • Compare non-working and working backups:
      • Check when was the last successful backup of this task.
      • Detect the differences between not and bck logs by comparing two different backups.
      • Find out if there were any changes in the network or on the client.
    • The values of database calls in DB_ACCESS have the following explanations:
      1. result = 1: The database access is OK.
      2. msg > 0: Amount of the result > 0.
    • If the data throughput is very low and a backup is not running, it may be possible that the communication between hardware and RDS has stopped. Use netstat to check if the connection over the STP ports (11001, 11002, etc.) still exists and check if RDS is still reachable.
    • If a process attempts to write to the hardware device and hangs, using the command kill -9 on Linux will not help because the process is waiting for I/O and the kernel won't be able to stop it. The only solution is to restart the server. These processes usually only take split seconds, however, they hang if there are any hardware problems.
    • SEP sesam does not use kernel functions nor does it access the kernel while processing. All calls are only done via GLIBC (GNU C Library). The command that goes the deepest into the system is slu (SCSI Loader Utility). It accesses the SCSI interface directly. Only loader and tape mover commands are affected by this. If a backup is running, there is no direct access to the kernel or the hardware with SEP sesam. For details on the command, see Using slu topology for detecting devices.


    Part XII: SEP sesam Interfaces

    Using Pre and Post Scripts

    Overview

    SEP sesam enables system administrators to perform additional actions before and/or after a backup or restore by using pre or post scripts.

    Pre backup scripts are executed before a backup job starts to perform a specific operation. Typically, they are used to create commands that will stop or start the selected programs, for example, to stop a database or antivirus service before the backup. Similarly, pre restore scripts are executed before the restore starts.

    Post backup scripts are executed when the backup session stops to perform specific tasks, such as starting a database or shutting down a computer after the backup. Post restore scripts are executed after the restore, for example, to start a database.

    Pre and post scripts are represented as one of the SEP sesam interfaces. They are configurable programs that can be programmed with any text editor. Pre and post scripts are not provided by SEP sesam; you must create your own scripts to perform the desired actions.

    Unlike other SEP sesam interfaces, pre/post interfaces apply only to a specific client; they are created for each client individually and run only on the selected client.

    Note
    Configuring pre and/or post scripts is optional. The pre/post interface may affect the execution of backups or restores. When creating a script, keep in mind that a pre/post script should not take a lot of time, as it can delay a backup or restore.

    To use the pre/post script, you have to activate the relevant interface first and then create your own script.

    Configuring pre and post scripts

    SEP sesam provides several interface templates. They are located in the SEP sesam directory <SESAM_ROOT>/skel/templates. You can activate them automatically via the GUI (recommended) or manually by copying them.

    Activating interfaces via SEP sesam GUI

    1. From Configuration -> Interfaces, select the relevant interface type (Pre or Post) that you want to activate.
    2. The Edit Pre/Post Interface window opens: Select Backup or Restore interface and the client on which you want to run the script. Click OK.
    3. A new window with the Edit <name> interface script opens, allowing you to configure (insert) a specific action at the end of the script.
      Note
      • Before the end of the procedure either STATUS:OK or STATUS:ERROR {text} must be written to the standard output.
      • If you want to change a backup source, STATUS: messages have to include keyword BACKUP_SRC=, for example, STATUS:OK BACKUP_SRC=C:,F:/DATA. In this case, the backup will use this source instead of the source defined in a backup task.

      • For example, you may want to shut down a specific computer after the backup is finished. To configure this action, you have to select Post backup interface for a relevant client and add the following lines at the end of the sbc_post script:
        • For Windows:

          #=== Please insert your specific actions here =====================================
          echo "shutdown -s -t 120"
          shutdown -s -t 120
          rem echo STATUS:ERROR {message}
          echo STATUS:OK
          exit

        • For Linux:

          echo "shutdown -h +2"
          shutdown -h +2

    4. This action invokes a shutdown of the computer two minutes after the backup has finished.
      • The first line shutdown ... is the message which is written to the Post log file during the backup.
      • If the post process ends with an error, the backup is completed with the Warning status.
    5. After configuring a relevant pre or post action, click Save to activate the interface on a specific client.

    When you save the template, the script is read and copied to the <SESAM_ROOT>/bin/sesam folder. Now you have to add a pre/post script to backup or restore tasks.
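
    The STATUS convention from the note above, as an added example for the insert section of a Linux pre or post script (this is not an SEP sesam template). It runs one command under a time limit, so a hanging action cannot delay the backup indefinitely, and always ends with exactly one STATUS line. It assumes that {text} in STATUS:ERROR {text} is a placeholder for free text and that the timeout utility is installed; the function name, path and service name are hypothetical.

```shell
#!/bin/sh
# Added example, not a SEP sesam template: helper for the "insert your specific
# actions here" part of a pre or post script. It runs one command under a time
# limit and always finishes with exactly one STATUS line on standard output.
# Function name, paths and the service name below are hypothetical.

# run_action <seconds> <backup_src or ""> <command> [args...]
run_action() {
    ra_limit=$1
    ra_src=$2
    shift 2
    ra_rc=0
    # Capture output so nothing the command prints can follow the STATUS line.
    ra_out=$(timeout "$ra_limit" "$@" 2>&1) || ra_rc=$?
    # Pass the command output on as ordinary message lines, but neutralise any
    # line that itself starts with STATUS: so it cannot be mistaken for ours.
    if [ -n "$ra_out" ]; then
        printf '%s\n' "$ra_out" | sed 's/^STATUS:/(output) STATUS:/'
    fi
    if [ "$ra_rc" -ne 0 ]; then
        # Covers both a failing command and one stopped by the time limit.
        echo "STATUS:ERROR $1 ended with exit code $ra_rc (limit ${ra_limit}s)"
        return 1
    fi
    if [ -n "$ra_src" ]; then
        # Redirect the backup to another source, as described in the note.
        echo "STATUS:OK BACKUP_SRC=$ra_src"
    else
        echo "STATUS:OK"
    fi
}

# Hypothetical use at the end of sbc_pre: stop a database, give up after 60 s.
#   run_action 60 "" systemctl stop exampledb.service
# Hypothetical use with a changed backup source after writing a dump:
#   run_action 300 "/var/backups/dbdump" /usr/local/bin/dump_exampledb

# Harmless demo call so the file can be run as is.
run_action 5 "" echo "constructed demo action"
```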

    For more examples of how to use pre and post scripts, see Configuring ownCloud restore.

    Manual activation of interfaces

    Alternatively, you can activate the interfaces by copying the existing templates from the SEP sesam directory <SESAM_ROOT>/skel/templates under the name:

    sbc_pre
    sbc_post
    

    into the <SESAM_ROOT>/bin/sesam directory.

    Selecting a pre/post script for backup or restore

    After configuring the desired pre/post actions, specify whether to apply a pre/post script to a specific client by adding the script to the backup or restore task.

    Selecting a pre/post script for backup

    You can select to run a pre/post script when you create a backup task or apply it to an already configured task. For details on how to create a new backup task, see Creating a Backup Task.

    1. From Main Selection-> Tasks-> By Clients, select your client and double-click it or click New Backup Task. The Properties or New Backup Task window opens. Switch to the Options tab.
    2. Depending on the desired action, select either Execute pre or Execute post backup and/or restore option(s):
      • Execute pre: Enable it if you want to run the pre script for this backup task.
      • Execute post: Enable it if you want to run the post script for this backup task.
      • Ignore pre error: Enable it to force the backup to start even if the pre script was not properly executed.
      • Ignore backup error: Enable it to allow the post script to run after a failed backup.
    3. Click OK to enable execution of the pre/post script for the selected task.

    Selecting a pre/post script for restore

    You can select to run a pre/post script when creating a restore task or apply it to an already configured task (Main Selection -> Job State -> Restores -> open Properties). For details on how to create a new restore task, see Standard Restore Procedure. In both cases, you can select to run a pre/post script under the Expert Options.

    Note
    The Expert Options button for specifying advanced restore options is available only in advanced UI mode (formerly expert GUI mode). To use Expert Options, make sure your UI mode is set to advanced. For details, see Selecting UI mode.

    1. In the Target Settings dialog, click Expert Options, and then select the Pre/Post tab.
    2. Depending on the action you want to take, select either Execute pre or Execute post restore option(s):
      • Execute pre: Enable it if you want to run the pre script for this restore task.
      • Execute post: Enable it if you want to run the post script for this restore task.
      • Start restore in spite of pre error: Enable it to force the restore to start even if the pre script was not properly executed.
      • Start post in spite of restore error: Enable it to allow the post script to run after a failed restore.
    3. Click OK to enable execution of the pre/post script for the selected task.

    How to Configure Mail Notification

    SEP sesam email notification is based on interface scripts that have to be activated first. You can activate them via the GUI or manually by copying the templates that are available in the SEP sesam directory <SESAM_ROOT>/skel/templates.

    SEP sesam interfaces require a configured email account that is used for sending the selected notifications by email.

    The following interfaces exist:

    • sm_notify: Notify is executed on the SEP sesam Server. It can be used for reporting on successfully finished events, such as backup, restore, migration, media initialization, and start/finish of a NEWDAY event.
    • sm_alarm: Alarm is executed on the SEP sesam Server to warn the system administrator when a fatal error occurs or in case of a license violation.
    • sm_disaster: This interface must be properly configured to help carry out the disaster recovery process. For details on how to prepare, see SEP sesam Server Disaster Recovery. The disaster interface sends an email describing the recovery procedure in the event of a disaster and an attachment containing the SEP sesam bootstrap database with all essential data for the disaster recovery. sm_disaster is always called after the task SESAM_BACKUP is finished.

    Configuring interfaces

    The interface templates are located in the SEP sesam directory <SESAM_ROOT>/skel/templates. You can activate them automatically via GUI or manually by copying them.

    Activating interfaces via SEP sesam GUI

    1. From Configuration -> Interfaces, select the relevant interface type (Alarm, Disaster or Notify), depending on which information you want to receive.
      Note
      The Disaster interface should always be configured to help carry out the disaster recovery process in case of a SEP sesam Server breakdown. This means that you have to configure at least one backup task with the name SESAM_BACKUP. For details, see SEP sesam Server Disaster Recovery.
    2. The window with the interface script opens. Click Save to activate the interface.

    Upon saving, the template script is read and copied to the <SESAM_ROOT>/bin/sesam directory. You can customize the script according to your needs. Now you have to configure an email account to enable sending the selected notifications by email.

    Activating interfaces manually

    Alternatively, you can activate the interfaces by copying the existing templates from the SEP sesam directory <SESAM_ROOT>/skel/templates to the directory <SESAM_ROOT>/bin/sesam. You can customize the script according to your needs.

    By default, the interfaces are located in the SEP sesam <SESAM_ROOT>/skel/templates under the names:

    sm_notify
    sm_alarm
    sm_disaster
    

    Note that on Windows, all interfaces/commands have the ending .cmd, or .ps1 when using PowerShell. To activate the interfaces, copy the selected interfaces manually to <SESAM_ROOT>/bin/sesam.

    Note
    The Disaster interface should always be configured to help carry out the disaster recovery process in case of a SEP sesam Server breakdown. This means that you have to configure at least one backup task with the name SESAM_BACKUP. For details, see SEP sesam Server Disaster Recovery.

    Now you have to configure an email account to enable sending the selected notifications by email.

    Configuring email account and recipients

    1. From Configuration -> Email Settings, select the Use SEP sesam mail program option and click New.
    2. The Email Account window opens. Use the account name sesam (the default email account) and enter the email addresses of the recipients. For details, see Email settings.
    3. Click Send Test Email to check if your email account is configured properly, and then click OK.


    Part XIII: Managing Media

    Managing EOL

    Overview

    Data retention is the amount of time a backup is kept by SEP sesam. When you create a media pool, you set the retention time for the pool. Running respective backup tasks creates a backup chain on your backup storage consisting of a full backup, followed by differential and incremental backups, a backup metadata file, and may also include other dependent backups, such as migrated and replicated backups. Some INCR backups use CBT (changed block tracking).

    What is retention time and EOL

    Retention time specifies the time period for which backup data is protected after it is written to the media, so that the savesets are preserved and available for restore. Data retention is important to ensure that all regulations and retention schedules are met. How long you should retain data depends on the nature of your business, as well as regulatory, legal, and other requirements.

    • Retention time is set up at a media pool level and is specified in days.
    • The retention period starts from the date a saveset is written to the media (at the end time of the first backup) and thus defines the expiration date of the saveset: EOL (End of Lifetime). For example, if the retention time of a media pool is 30 days and the data is backed up to the media on January 1, the saveset EOL is January 31. There are three different EOL types associated with object types and also depending on the storage media used; for details, see the section EOL (retention) types.
    • When the protection (EOL) expires, SEP sesam can use the media for backups again. For more details, see the section What happens when retention expires.

    SEP sesam provides automatic EOL (retention) management to ensure recoverability of the entire backup chain and protect against data loss, based on backup chain dependencies. You can also manually adjust the EOL of your data, as described in Changing Retention (EOL).

    Note
    EOL (retention time) refers only to backups and related migrated and replicated savesets. SEP sesam logs, readability check logs, calendar sheet entries, and restore tasks have separate retention parameters. For details, see retention periods.

    What are backup chain dependencies

    A backup chain consists of full, differential and incremental backups. Running respective backup tasks creates a backup chain on your backup storage consisting of a full backup, followed by differential and incremental backups, and, additionally, a backup metadata file. Some INCR backups use Changed Block Tracking (CBT), an incremental backup technology for virtual machines that creates faster and smaller backups.

    An FDI backup chain can contain any number of backups that each depend on other backups in the chain and can also depend on another backup in the number of backups. A backup chain can contain the first (primary) backup and one or more dependent backups, such as migrated and replicated backups.

    • A primary backup can be a backup that does not require any other backups for a successful data restore. Thus, a primary backup can be a complete backup, but a dependent backup may require additional backups for a successful data restore as it may depend on the additional backups.
    • For example, for INCR backups all previous savesets (FULL, DIFF and INCR) must be present for a successful restore.
    • If retention time is considered only from the perspective of an individual backup, it can ensure restorability of data only for that particular backup.
    • To enable full recovery of the data backed up in the backup chain, all dependent backup savesets are tracked and their retention time is managed according to their dependencies.

    Dependent backups are also classified by the respective depth of the dependent backups in the backup chain. The respective depth can be a measure of how many backups are required to complete the restore of a system, e.g. a VM, to a predetermined state.
    SEP sesam provides the saveset tree view to determine dependencies and EOL of an FDI backup chain. This view shows a data structure that relates savesets to their dependencies. You should use it before manually changing the EOL parameter to avoid breaking the backup chain. For details, see Backup Chain Dependencies.

    Example of a 14-day retention scenario
    In a typical 14-day retention scenario, the first execution of the backup job creates a full backup. This is followed by differential and incremental backups. Once the 14-day retention (EOL) is reached, the savesets are marked as EOL-free and can be purged. If the backup data is stored on tape, its protection expires when the tape media EOL expires. For example, the backup chain has the following retention: FULL on pool MONTH (retention time:32), DIFF on pool WEEK (retention time:15), and INCR on pool DAY (retention time:7). The EOL of such an FDI chain is sufficient and no retention adjustment is required.

    Automatic EOL adjustment
    However, in some cases SEP sesam automatically adjusts the EOL to retain consistency of the backed up data and keep the backup chain readily available for restore. For example, it may happen that the expiry time of some savesets has already expired, but they have not been deleted due to one or more rules of the backup chain dependencies.

    There are six main rules that lead to an adjusted EOL.

    Rules for the automatically adjusted retention time

    If the retention time is considered only from the perspective of an individual backup, it can ensure restorability of data only for that particular backup. To enable complete restore of data backed up in the backup chain, SEP sesam tracks all dependent backup savesets and manages their retention time according to their dependencies.

    For example, INCR backups require all previous savesets (FULL, DIFF and INCR) to be available for a successful restore: INCR backup taken as the third INCR after the FULL requires the FULL, the first, the second, and the third INCR to provide complete restore capability. If a saveset is missing from the backup chain, data recovery to a specific point in time is not possible. For this reason, SEP sesam maintains control over the dependencies among the individual backup savesets and provides six rules for dependency-based automatic retention.

    Rule #1: Full backups do not expire as long as dependent DIFF/INCR exist

    For example, you set a media pool retention parameter to 30 days and run a FULL backup. This FULL saveset is initially kept for 30 days, e.g., until January 31. If a subsequent INCR or DIFF saveset in the chain has a longer EOL, e.g. an expiration date of February 3, the EOL of all previous savesets, including the FULL, is adjusted to the longer expiration date.

    Rule #2: An increased EOL of a DIFF/INCR saveset results in an increased EOL of all dependent savesets

    If the EOL parameter of a DIFF or INCR saveset is increased, SEP sesam also increases the EOL of all dependent savesets (FULL and other DIFF and INCR). In this way, SEP sesam ensures that the EOL of the FULL saveset and other dependent DIFF and INCR is not shorter than the potentially modified EOL of the DIFF or INCR saveset.

    Rule #3: A decreased EOL of a DIFF/INCR saveset leads to reduced EOL of all dependent savesets

    If the EOL of a DIFF or INCR saveset is decreased, SEP sesam decreases the EOL of all dependent savesets (FULL and other DIFF and INCR).

    Warning
    If you use the Expire function to delete unneeded saveset(s) or backup set(s), SEP sesam issues a warning message, asking you to confirm your decision to expire the entire backup chain. If you allow the DIFF or INCR saveset(s) to expire, the entire backup chain will be deleted and overwritten.

    Rule #4: A too short EOL of DIFF/INC savesets leads to an increased EOL

    If the DIFF/INCR backup detects that a saveset belonging to an FDI chain has an EOL that is too short, then any subsequent DIFF/INCR backup that runs on a pool with a longer retention time will increase the EOL of the saveset from that particular pool.

    Note
    If the EOL of a saveset belonging to an FDI chain has already expired, it will not be extended. In this case, the next DIFF/INCR backup will be executed as FULL backup.
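
    Rule #1 and the note under Rule #4 can be traced with a small model. The following is an added example, not SEP sesam code and not its actual algorithm: dates are plain day numbers (1 = January 1), the input format and function names are hypothetical, and a saveset is assumed to count as expired once today is past its EOL day.

```shell
#!/bin/sh
# Added example, not SEP sesam code: a simplified model of Rule #1 and of the
# note under Rule #4, as worded on this page. Dates are day numbers
# (1 = January 1), so EOL = day written + media pool retention.
# Input on stdin, one saveset per line in chain order: LEVEL WRITTEN RETENTION

# Print "LEVEL OWN_EOL EFFECTIVE_EOL" per saveset. A saveset's effective EOL
# is raised to the longest EOL of any saveset that follows it in the chain,
# so no earlier saveset expires before one that depends on it.
effective_eol() {
    awk 'NF == 3 { n++; level[n] = $1; own[n] = $2 + $3 }
         END {
             longest = 0
             # Walk the chain backwards, carrying the longest EOL seen so far.
             for (i = n; i >= 1; i--) {
                 if (own[i] > longest) longest = own[i]
                 eff[i] = longest
             }
             for (i = 1; i <= n; i++) print level[i], own[i], eff[i]
         }'
}

# next_level <today> <requested level>: a chain containing an expired saveset
# is not extended, so the requested DIFF/INCR is run as FULL instead.
# Assumption: a saveset counts as expired once today is past its EOL day.
next_level() {
    effective_eol | awk -v today="$1" -v want="$2" '
        $3 < today { expired = 1 }
        END { print (expired ? "FULL" : want) }'
}

# Constructed chain matching the Rule #1 example: FULL written on January 1
# with 30 days retention (EOL day 31 = January 31), last INCR written on
# January 4 (EOL day 34 = February 3).
printf '%s\n' "FULL 1 30" "INCR 2 30" "INCR 4 30" | effective_eol
```

    For the constructed chain, the FULL saveset's own EOL of day 31 is raised to day 34, the EOL of the last INCR.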

    Rule #5: A new or migrated DIFF/INC backup results in an adjusted EOL for dependent savesets

    When a new INCR or DIFF backup is run or an INCR or DIFF backup is migrated, SEP sesam automatically adjusts the EOL of all related savesets to preserve the backup data.

    Rule #6: The last successful backup or migration is automatically retained

    SEP sesam automatically retains the last successful backup or migration saveset if the next backup/migration fails. By extending the EOL of the last successful backup/migration, SEP sesam ensures that at least one successful backup is retained. This behavior is enabled by default and can be changed by setting the values of the corresponding keys, as described in Customizing Global Retention Policy.

    Note
    SEP sesam also allows you to manually adjust EOL if the default retention does not meet the requirements, but you should be careful with this option. Manually adjusted EOL overrides the EOL defined by the retention time in the media pool configuration and should only be used for special cases and exceptions. Some special rules apply to the tape media EOL, see section EOL (retention) types.

    What happens when the saveset expires

    The protection of a saveset expires when its EOL is reached. The storage space of an expired saveset is not used immediately; SEP sesam uses the GET_OLDEST policy to preserve the data on the media for as long as possible. The expired saveset can be used again if the following conditions are met:

    • As a rule, there must not be any other savesets that depend on this saveset. An expired saveset is not deleted until all sets in the backup chain that depend on it have expired and been deleted. You can override this condition by explicitly allowing the expiry date (EOL) of the entire backup chain to expire, which deletes the backup data of all related savesets.
    • If a saveset is stored on tape, the EOL of all stored savesets must have expired.
    • SEP sesam Server automatically allocates the media with the oldest EOL for re-use. The oldest medium is the medium with the oldest locked until date (backup day + retention time) in the media pool.

    Tracking the adjusted EOL

    In the Media view in the GUI, you can check the column Media EOL changed by that shows EOL-changes made via the automatic EOL adjustment by Backup ID/Saveset ID, as well as the EOL that the user changed manually. The modified EOL is also recorded in the main log and can be generated for audit trail purposes, see Audit Logging.

    EOL (retention) types

    Note
    • SEP sesam automatically adjusts the EOL to retain consistency of the backed-up data in the backup chain. A backup chain consists of full, differential and incremental backups, a backup metadata file, and may also include other dependent backups, such as migrated and replicated backups.
    • Adjusting the Backup EOL of savesets stored on tape media may affect the Media EOL of the tape. The latter may also depend on the EOL of FULL/DIFF/INCR savesets stored on other media or even in data stores.

    The EOL property can be managed for three object types:

    Saveset EOL

    The expiry date for a single saveset:
    The date the data was written to the media + the retention time of the media pool
    If a saveset is part of a backup chain, its EOL follows the rules of dependency-based retention; the EOL of a previous saveset in the chain must be the same or longer to enable complete restore of the data.

    Example

    1. Media pool retention = 30 days.
    2. A FULL backup is run -> FULL saveset is kept for 30 days (e.g., January 31 <YYYY>).
    3. If a subsequent INCR or DIFF saveset in the chain has a longer EOL (e.g., February 3 <YYYY>), the EOL of the FULL saveset (and of all preceding savesets) is adjusted to match the longer EOL (e.g., February 3).
    Extend retention
    If you manually extend the Saveset EOL and one of the savesets is part of an FDI backup chain, the EOL of the previous savesets in the chain is automatically increased. Extending the EOL of savesets stored on tape media may extend the EOL of the tape media! See below Tape media EOL.
    Shorten retention
    Shortening the Saveset EOL results in a new expiry date that applies only to the selected individual saveset.
    Expire retention (see also Expiring savesets, backups or tape media)
    Right-clicking the saveset -> Saveset -> Expire terminates the selected saveset(s) (which will be deleted during the next purge), unless the saveset(s) is/are part of a backup chain; in the latter case, the entire backup chain is affected.

    Backup EOL

    The expiry date for all data belonging to the same backup, including migrated and replicated savesets.

    Note
    How SEP sesam manages failed backups depends on its version. In v. ≥ 4.4.3 Beefalo V2, SEP sesam retains the failed backup according to the media pool retention time together with the last successful backup or migration saveset. This is the default backup retention behavior and can be changed by modifying the EOL-related keys, as described in Customize the default retention behavior for backups and migration. These keys may not be supported in earlier versions, where failed backups were automatically deleted after 3 days.

    Example

    1. The EOL of a saveset belonging to the backup chain is extended from February 3 <YYYY> to March 3 <YYYY>.
    2. All related backup data, i.e., original, migrated and replicated backups, as well as all backups in a backup chain, now have a Backup EOL set to March 3.
    Extend retention
    If you extend the Backup EOL, SEP sesam automatically increases the EOL of all dependent savesets (FULL and other DIFF and INCR).
    Shorten retention
    Shortening the Backup EOL only adjusts the EOL of the savesets that have a longer EOL than the newly set date, while the savesets with a shorter EOL are not affected (their EOL remains unchanged).
    Expire retention (see also Expiring savesets, backups or tape media)
    Right-clicking the saveset -> Backup -> Expire terminates all data belonging to the same backup (the entire backup chain) that will be deleted with the next purge.

    Tape media EOL

    The time until which backed up data on tape remains protected. It refers to tape media and is based on the longest EOL of all the different savesets stored on tape:
    The expiry date of the tape = maximum EOL on the tape
    A specific retention time that would apply to only one of the savesets stored on the tape cannot be set.

    The tape media EOL may also depend on dependent FULL/DIFF/INCR savesets stored on other media or even data stores.
    Only when all savesets on the tape have expired and the tape is not locked (write-protected) can the tape be used again.

    Example

    1. Tape media EOL = February 3 <YYYY>
    2. The Backup EOL of a saveset on tape is extended to March 3 <YYYY>. If this is the longest retention period of all savesets on the tape, the Media EOL (Locked until date in tape properties) is automatically extended to March 3; if not, the Media EOL of the tape remains unchanged.
    Extend retention
    Extending the Media EOL results in a new expiry date that applies to all savesets on the tape.
    Shorten retention
    Shortening the tape Media EOL applies to all savesets on the tape.
    Expire retention (see also Expiring savesets, backups or tape media)
    Right-click the Expire function in the Media view or the tape properties and click Expire Media. This action affects the entire tape. The metadata of the tape is removed and the tape is reinitialized (provided the tape is loaded in a drive) so that it can be used for backups again.
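
    The Saveset, Backup and Tape media EOL rules above, written out as a small model. This is an added example, not SEP sesam code: the class and method names, the 2024 dates and the treatment of one backup chain as one "backup" are assumptions, and restore_gaps() is an added audit helper that lists savesets whose predecessor expires earlier.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Saveset:
    sid: str
    level: str                    # "FULL", "DIFF" or "INCR"
    eol: date
    parent: Optional[str] = None  # saveset this one needs for a complete restore
    tape: Optional[str] = None    # tape label, None if stored in a data store


class Catalog:
    """Toy model of dependency-based retention (hypothetical, not the product's logic)."""

    def __init__(self) -> None:
        self.savesets: Dict[str, Saveset] = {}

    def predecessors(self, sid: str) -> List[Saveset]:
        """Savesets that `sid` depends on, walking back to the FULL."""
        found, cur = [], self.savesets[sid].parent
        while cur is not None:
            found.append(self.savesets[cur])
            cur = self.savesets[cur].parent
        return found

    def _root(self, sid: str) -> str:
        preds = self.predecessors(sid)
        return preds[-1].sid if preds else sid

    def chain(self, sid: str) -> List[Saveset]:
        """All savesets sharing the same FULL; treated here as one backup."""
        root = self._root(sid)
        return [s for s in self.savesets.values() if self._root(s.sid) == root]

    def _raise_predecessors(self, sid: str) -> None:
        eol = self.savesets[sid].eol
        for p in self.predecessors(sid):
            p.eol = max(p.eol, eol)

    def add(self, sid: str, level: str, written: date, retention_days: int,
            parent: Optional[str] = None, tape: Optional[str] = None) -> Saveset:
        """Saveset EOL = write date + media pool retention; then adjust the chain."""
        s = Saveset(sid, level, written + timedelta(days=retention_days), parent, tape)
        self.savesets[sid] = s
        self._raise_predecessors(sid)
        return s

    def set_saveset_eol(self, sid: str, new_eol: date) -> None:
        """Extending raises all predecessors; shortening touches only this saveset."""
        s = self.savesets[sid]
        extended = new_eol > s.eol
        s.eol = new_eol
        if extended:
            self._raise_predecessors(sid)

    def set_backup_eol(self, sid: str, new_eol: date) -> None:
        """Extending raises every saveset of the backup; shortening only caps
        savesets whose EOL is longer than the new date."""
        members = self.chain(sid)
        current = max(m.eol for m in members)
        for m in members:
            m.eol = new_eol if new_eol > current else min(m.eol, new_eol)

    def tape_eol(self, tape: str) -> Optional[date]:
        """Expiry date of the tape = maximum EOL of the savesets on it."""
        eols = [s.eol for s in self.savesets.values() if s.tape == tape]
        return max(eols) if eols else None

    def restore_gaps(self) -> List[Tuple[str, str]]:
        """(saveset, predecessor) pairs where the predecessor expires first."""
        gaps = []
        for s in self.savesets.values():
            for p in self.predecessors(s.sid):
                if p.eol < s.eol:
                    gaps.append((s.sid, p.sid))
        return sorted(gaps)


def build_demo() -> Catalog:
    """Constructed sample data: media pool retention of 30 days, dates in 2024."""
    c = Catalog()
    c.add("F1", "FULL", date(2024, 1, 1), 30, tape="DAY00001")   # EOL Jan 31
    c.add("I1", "INCR", date(2024, 1, 3), 30, parent="F1")       # EOL Feb 2
    c.add("I2", "INCR", date(2024, 1, 4), 30, parent="I1")       # EOL Feb 3
    c.add("X1", "FULL", date(2023, 12, 21), 30, tape="DAY00001") # unrelated, EOL Jan 20
    return c


if __name__ == "__main__":
    cat = build_demo()
    print("tape EOL after chain adjustment:", cat.tape_eol("DAY00001"))
    cat.set_backup_eol("I2", date(2024, 3, 3))
    print("tape EOL after extending Backup EOL:", cat.tape_eol("DAY00001"))
    cat.set_saveset_eol("I1", date(2024, 2, 10))
    print("dependencies that expire too early:", cat.restore_gaps())
```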

    Where in GUI

    You can use the GUI to modify the EOL parameter in several different ways:

    Backup & Saveset EOL
    • Job State -> Backups -> double-click a backup task -> task properties – Info 1 -> in the Storage location table: Saveset EOL
    • Components -> Media -> select the saveset and open properties -> Savesets tab -> columns Backup EOL and Saveset EOL
    • Components -> Media Pools -> select the media pool and expand it to open media -> double-click to open the media properties -> Media properties – Properties 1 -> tab Savesets: columns Backup EOL and Saveset EOL
    • Components -> Data Stores -> double-click the selected data store to open the properties -> tab Savesets: columns Backup EOL and Saveset EOL
    (Tape) Media EOL
    • Components -> Media -> select one or more tapes -> right-click and select Change Media EOL
    • Components -> Media -> select the tape to open its properties -> Locked until

    Write protection for tape media

    This special option allows you to set additional software protection for tape media. You can write-protect selected tape media by setting this option ON manually: Main Selection window -> Components -> Media -> column Write Protection (On/Off).

    This option overrides the media pool retention time and any individually adjusted EOL values and sets a permanent protection for savesets on tape. Write-protected media cannot be used as long as write protection is activated (the media are locked). Write protection can be turned off manually at any time. When the media are no longer write-protected, the retention time of the media pool applies.

    Locking a backup

    You can also lock your backups in the GUI and SEP sesam Web UI to prevent them from being deleted after the retention time has expired.

    Note
    How SEP sesam handles locked backups that are part of the backup chain depends on the version (see Automatic Retention (EOL) Management).
    • In the current 5.0.0 Jaglion version, the lock status is automatically applied to all savesets of a backup (backup chain, migrated and replicated savesets). All backups belonging to the same chain are protected from deletion until one of them is unlocked.
    • In v. < 4.4.3 Beefalo V2, the lock status was only applied to the selected backup. If you want to lock all backups of a backup chain as well as migrated and replicated backups while using some of the older SEP sesam versions, you have to lock each backup manually.
    In GUI

    There are several ways to lock a backup in the GUI:

    • Job State -> Backups -> double-click a backup task -> task properties – Info 1 -> above the Storage location table on the right select the check box Lock state
    • Components -> Media -> select the saveset and open properties -> Savesets tab -> search for the column Locked and click the Off property, then select On
    • Components -> Media Pools -> select a media pool and expand it to open the media -> double-click to open the Media properties -> Media properties – Properties 1 -> tab Savesets: search for the column Locked and click the Off property, then select On
    • Components -> Data Stores -> double-click the selected data store to open the properties -> Savesets tab -> look for the column Locked and click the Off property, then select On


    In Web UI

    You can access the Web UI in one of the following ways:

    • via the GUI: by clicking the Dashboard icon in the toolbar, under menu bar -> Activities -> Dashboard, via Main Selection -> Monitoring -> Dashboard, or from Activities -> Restore Assistant
    • or by entering the following address in the browser bar: http://[sesamserver]:11401/sep/ui/restore/.

    Note
    Make sure the Web UI is in advanced mode. (You can change the UI mode in the side menu under the View option at the bottom left).

    1. In Web UI, select Monitoring from the side menu to open a submenu, then go to Last backup state or Backups and click the link of the backup task you want to lock.
    2. A new view with Details is displayed. Scroll down and select the red button Lock this backup next to Lock state.


    Checking and Labeling Tape Media

    Each medium, be it a tape cartridge or a virtual tape in a VTL, is given a unique label for identification. The label is written to the beginning of a medium during initialization. The media label consists of the pool name (e.g., DAY, WEEK, MONTH) and a five-digit number that is automatically assigned to the respective media of the selected pool by SEP sesam. For example, a tape in the media pool DAY is labelled as DAY00001.

    Manually identifying and relabeling tapes

    You can check a tape label using the sm_drive info <drive_no.> command or the SEP sesam GUI.

    1. To check the label using the CLI, set the SEP sesam command environment and enter the command:

      sm_drive info <drive_no.>

      In our example, check drive 1:

      sm_drive info 1

      Alternatively, you can also use the sm_sms_interface getlabel command which displays more information about the label (such as the creation date); for details, see FAQ: How can I determine whether a tape is a SEP sesam tape or not?

      Or, you can check the tape label using the GUI. Depending on your SEP sesam version, proceed as follows:

      • In v. < 4.4.3 Beefalo, click on Components -> Drives -> select the drive -> Drive action -> Identify label -> Start.
      • In v. ≥ 4.4.3 Beefalo, click on Components -> Loaders -> select the drive within the loader -> Drive Action -> Identify label -> Start.

    2. Then start the initialization and relabeling. This step must be done using the CLI. If you have not yet set up the SEP sesam profile, you have to create it now so that SEP sesam commands can be executed globally. For details, see What happens when I set a profile?
    3. In the command line, execute the sm_drive init command. Attention: The tape will be overwritten without warning!

      sm_drive init <drive_no.> <label>

      In our example, insert the media in drive 1 with label DAY00001. Attention: The number must contain 5 digits!

      sm_drive init 1 DAY00001

      For an alternative way to write a label manually on a tape, see FAQ: How can I manually write a label on a tape?

    Usage scenario

    In the standalone tape drive environment it can happen that multiple tapes are given the same label. This happens because SEP sesam uses the get_oldest strategy to preserve the data on the tapes for the longest possible time. It automatically detects the oldest EOL-free medium and designates the label of the tape to be re-used next, e.g., DAY00004. When an alternate EOL-free tape is already inserted in a single tape drive, SEP sesam checks its label and detects a label mismatch. If the EOL of the inserted tape has not yet expired, SEP sesam will not use the tape. However, if the tape is EOL-free, SEP sesam will initialize it with the original (requested) label, even if it belongs to a different media pool and has its own label, e.g., MONTH00009. In such a case, a tape from another media pool may be accidentally overwritten if it is already EOL-free. This problem occurred in SEP sesam version 4.4.3.25 and was successfully fixed.

    Resolving label conflicts

    To resolve conflicts with duplicate media labels and avoid problems with potential data loss, you have to manually identify the tape with the original label that was duplicated, insert it into the standalone drive, and relabel it with the original label of the second tape. Then you have to manually replace the stick-on label or the slide-in (insert) label (paper or card) on the front of both tapes. This way you ensure that the newly written backup data is not overwritten.

    Example: The label MONTH00009 was overwritten with the label DAY00004.

    1. Insert the tape that was originally labelled DAY00004 and re-label it to MONTH00009. For details, see the procedure above.
    2. Remove the label DAY00004 from the tape and stick the mismatched label MONTH00009 on it. Then put the label DAY00004 onto the newly written tape (formerly MONTH00009).
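
    The conflict resolution above as a planning helper that works on a tape inventory. This is an added example, not SEP sesam code: the Tape record, the function names and the sample inventory are constructed, and the label pattern assumes that the pool name ends in a non-digit character. It only prints the steps; the sm_drive init command is still run manually.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Media label = pool name + five-digit number, e.g. DAY00001.
# Assumption: the pool name ends in a non-digit, so exactly five digits trail it.
LABEL_RE = re.compile(r"^(?P<pool>.*\D)(?P<num>\d{5})$")


def parse_label(label: str) -> Optional[Tuple[str, int]]:
    """Return (pool, number) for a well-formed label, otherwise None."""
    m = LABEL_RE.match(label)
    return (m.group("pool"), int(m.group("num"))) if m else None


class Tape(NamedTuple):
    sticker: str  # label on the cartridge's stick-on or slide-in label
    written: str  # label read from the medium, e.g. with sm_drive info


def find_conflicts(tapes: List[Tape]) -> Dict[str, List[Tape]]:
    """Written labels that occur on more than one physical tape."""
    by_written: Dict[str, List[Tape]] = defaultdict(list)
    for t in tapes:
        by_written[t.written].append(t)
    return {lbl: grp for lbl, grp in by_written.items() if len(grp) > 1}


def plan_relabel(tapes: List[Tape], drive_no: int = 1) -> List[str]:
    """Steps to resolve each duplicate label, following the procedure above."""
    steps: List[str] = []
    for label, group in sorted(find_conflicts(tapes).items()):
        # The tape whose sticker still matches is the original holder of the
        # label; the other one was overwritten with it and now holds new data.
        originals = [t for t in group if t.sticker == label]
        overwritten = [t for t in group if t.sticker != label]
        if len(originals) != 1 or len(overwritten) != 1:
            steps.append(f"MANUAL: cannot pair the tapes labelled {label}")
            continue
        target = overwritten[0].sticker
        if parse_label(target) is None:
            steps.append(f"MANUAL: {target} is not <pool name> + 5 digits")
            continue
        steps.append(f"insert tape with sticker {label} and run: "
                     f"sm_drive init {drive_no} {target}")
        steps.append(f"swap the stickers {label} and {target}")
    return steps


# Constructed inventory: MONTH00009 was overwritten with the label DAY00004.
SAMPLE = [
    Tape(sticker="DAY00004", written="DAY00004"),
    Tape(sticker="MONTH00009", written="DAY00004"),
    Tape(sticker="WEEK00001", written="WEEK00001"),
]

if __name__ == "__main__":
    for step in plan_relabel(SAMPLE):
        print(step)
```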

    Configuring Removable Media

    SEP sesam allows you to configure different removable media, such as RDX drives and USB drives, as your storage device. RDX is a disk-based removable storage which is intended as a replacement of a tape storage. The RDX storage system offers reliable storage for backup, archiving, data sharing and disaster recovery. It is based on removable hard disk drives as well as solid state drives for storing large amounts of backup data.

    RDX uses SATA (hardware interface for connecting drives to the computer) to connect the removable media in the drive and the USB port with external drive or SATA with internal drive to connect to the computer. Note that WORM (Write Once Read Many) media are also available.

    To configure the RDX or USB drives, proceed as follows:

    1. Create a new RDX or USB drive group.
    2. Configure and add a new RDX or USB drive.
    3. Create a new media pool for the RDX or USB drive.
    4. If required, create a new media type.
    5. Add media to a media pool.

    Creating a new RDX or USB drive group

    You have to create a new drive group for the removable drives (RDX or USB). From the Components -> Drives, click the New Drive Group button and create a new drive group, for example, RDX or USB.


    Configuring and adding a new RDX or USB drive

    Depending on your operating system, proceed to the relevant section below.

    Linux

    To enable SEP sesam to access the removable device, ensure that you have sufficient privileges with read and write access to the device file for the RDX or USB drive. By default, such access is granted only to the root user.

    The procedure differs slightly depending on which drive you want to configure, RDX or USB.

    • USB:
      Before you can configure the USB drive on Linux, you have to create a mount point in the Linux system:

      mkdir /media/usbdisk

      Then you have to connect the USB drive to the system.

    • RDX:
      Before you can configure the RDX drive on Linux, you have to check which device name is used for the RDX drive. If you attach the RDX drive to the Linux system, most distributions will automatically mount it (e.g., in /media).
      • If this is not the case, use the dmesg command to check which device is used for the RDX drive (usually /dev/sdXY).
      • It is important that each time you change the RDX drive, it is detected with the same device name. You can ensure this with a udev rule. For details, see About udev rules.
      • It is also recommended to format the inserted RDX tapes with a common Linux file system (ext3/reiserfs/xfs).

    After you have created the drive group and connected your drive to the server, add it to the drive group as follows.

    1. From the Components -> Drives, select the RDX or USB drive group and click the New Drive button. The New Drive window opens. Specify a drive name, type, and path for removable media – see device name of your drive above.
    2. Under the Drive tab, specify the following options:
      • Drive number is automatically assigned
      • Drive name: Optionally, enter a drive name, for example, Drive_7.
      • Drive type: From the drop-down list, select DISK_CHNG.
      • Loader: From the drop-down list, select No loader.
      • Device server: Select your backup server or the system to which the drive is attached.
      • Drive group: Select the relevant drive group you configured earlier (RDX or USB).
      • Path for removable media: Enter the volume name of the DISK_CHNG media with the directory.
        In our example, for the RDX drive enter /media/rdx-mountpoint
        or
        for the USB drive enter /media/usbdisk.

    3. Switch to the Options tab and proceed as follows:
      • Device path: Mount point where the media will be mounted.
      • Auto unload: Yes
      • Mount command: mount
      • Umount command: umount
      • Eject command: eject
      Note
      Skip this step if the dynamic mount function should not be used for the USB drive.

    4. Click OK to add a new drive.

    Windows

    After you have created the drive group and connected your drive to the server, add it to the drive group as follows.

    1. From the Components -> Drives, select the RDX or USB drive group and click the New Drive button. The New drive window opens.
    2. Under the Drive tab, specify the following options:
      • Drive number: will be automatically assigned
      • Drive name: Optionally, enter a drive name, for example, Drive_50.
      • Drive type: From the drop-down list, select DISK_CHNG.
      • Loader: From the drop-down list, select No Loader.
      • Device server: Select your backup server or the system to which the drive is attached.
      • Drive group: Select the relevant drive group you configured earlier (RDX or USB).
      • Path for removable media: Enter the volume name of the DISK_CHNG media with the directory. In our example, enter E:/SESAM-DISK for the RDX or USB drive.

    3. Switch to the Options tab. Specify the drive letter for the Device path and sm_eject_media for the Eject command, as shown in the screenshot.
    4. Click OK to add a new drive.

    Creating a new media pool for the RDX or USB drive

    After you have successfully created a drive, create a new media pool.

    From Components -> Media Pools, click the New Media Pool button. In the New Media Pool window specify the name of the pool (e.g., RDX_pool or USB_pool), select the relevant RDX or USB drive group and specify the retention time. For details, see Automatic Retention (EOL) Management.

    Create a new media type (if required)

    Check under Configuration -> Media Types if there is a media type with sufficient capacity for your DISK_CHNG drive type (for example, DISK-RESERVE_1GB, DISK_5000, DISK_100000, etc.), as shown in the screenshot. Negative capacity values (e.g., DISK-RESERVE_1GB with the value -1.0) mean that the entire storage area of the medium, minus the specified size, is used.
    If it does not exist, create it by clicking New in the New Media Type window and specify the options as shown in the screenshot.

    Adding media to a media pool

    Add your first RDX or USB media to the RDX or USB media pool. You have to repeat this step for all removable media.

    Note

    On Windows, the directory specified as the Path for removable media has to exist on the media before you add it to the media pool. If the directory does not exist, you CANNOT create a medium!

    From the Components -> Media Pools, right-click the previously created media pool (RDX_pool or USB_pool) and click the New Media button. In the Adding a New Media window, specify the relevant Media Pool, Drive, Type, etc., as shown in the screenshot for the RDX drive. Note that in the case of the USB disks, you have to select the Overwrite option.

    Note
    If you are unable to add new media, check the daily log under Logging -> Day Log on the SEP sesam Server for possible errors, see Day Log. As of 4.4.3 Beefalo V2, you can also check your system logs online via the Web UI. For details, see SEP sesam Web UI.

    LTO Encryption

    LTO generation 4 and higher includes the ability for data to be encrypted by the tape drive hardware. SEP sesam provides native support for managing the LTO hardware-based encryption by enabling the LTO encryption of tape drives on a media pool level.

    During the LTO encryption process the data files are taken from the server and pass through the SCSI interface to the tape drive. The tape drive then encrypts and compresses the data before it writes it (or decrypts it if reading data) to or from the tape cartridge.

    Supported drive types

    | Drive type | LTO generation | Supported since SEP sesam version |
    |---|---|---|
    | LTO Ultrium 7 (M8), LTO Ultrium 8 (L8) | LTO 8 | 4.4.3.64 + SP 2019-1 |
    | * This drive type supports encryption, however it has not yet been certified with SEP sesam. | LTO 7 | 4.4.3.42 |
    | * This drive type supports encryption, however it has not yet been certified with SEP sesam. | LTO 6 | 4.4.3 |
    | HP Ultrium 5-SCSI X64D (SCSI, single tape drive) | LTO 5 | 4.4.2.53 |
    | Tandberg HH Z519 (SCSI, single tape drive) | LTO 5 | 4.4.2.53 |
    | HP Ultrium 4-SCSI B63W (Fiber Channel, loader) | LTO 4 | 4.4.2.53 |
    | IBM Ultrium-HH4 (SCSI, loader) | LTO 4 | 4.4.2.53 |
    | IBM Ultrium-TD4 BBH4 (Fiber Channel, loader/single tape drive) | LTO 4 | 4.4.2.53 |

    Setting up the LTO encryption

    Setting up LTO encryption consists of 4 main steps: you have to create a drive group and assign to it one or more drives that are all encryption capable (LTO generation 4 or higher). Afterwards, you need to create a dedicated media pool. The last step is to initialize the media; only then is the LTO tape encryption ready.

    Creating a new LTO (generation 4 or higher) drive group

    Usually large auto loaders may have several internal drives, which are loaded from one magazine. All drives have to be organized into a group. Make sure to create a discrete drive group for the LTO drives of generation 4 or higher. Note that encryption will only be available if there are no older LTO drives (e.g. of generation 3) in the same group; however such a group can contain mixed LTO drives of generation 4 and higher.

    1. In the Main Selection -> Components, click Drives. The Drives contents frame is displayed.
    2. Click New Group to create a new drive group for the LTO 4 (or higher) and enter a meaningful name for it. Click OK.

    Creating a drive for the new LTO (4 or higher) drive group

    1. Right-click the newly created LTO 4 (or higher) drive group and click New Drive to assign a drive to it. SEP sesam follows the automatic drive enumeration and assigns the drive number automatically.
    2. In the Drive name field enter a meaningful name for the drive.
    3. From the Drive type drop-down list, select LTO.
    4. From the Loader drop-down list, select the relevant loader from the list of configured loaders or leave it empty in case of a single device.
    5. From the Device server drop-down list, select the client to which you want to connect the drive. The list shows all clients configured in SEP sesam.
    6. From the Drive group drop-down list, select the newly created LTO drive group.
    7. In the Device (non-rewinding) field, enter the name of the relevant device. Non-rewinding means that the tape will not be rewound after backup.
      Tip
      You can get the name of the device by running the command: <SESAM_BIN>/sesam/slu topology
      (e.g. Tape0 on Windows or /dev/nst0 on Unix/Linux).

      Sample output on Linux

      ID=0000 other:   ATA      ST380013AS 
      ID=1000 other:   TOSHIBA  ODD-DVD SD-M1802
      ID=7040 Tape:    Quantum  DLT4000          D67E (/dev/nst0)
      ID=7050 Tape:    Quantum  DLT4000          D67E (/dev/nst1)
      ID=7060 Loader:  HP       C1194F           1.04 (/dev/sg4)
      STATUS=SUCCESS MSG="OK"
      
    8. Click OK to create the new drive. Once an LTO (4 or higher) drive group has drives assigned, it becomes encryption capable. To check whether your LTO drive group is encryption capable, double click it or right-click it and click Properties. If the LTO drive group is configured correctly, the message "This drive group is encryption capable" is displayed.
      Note
      Encryption for a drive group will only be available, if there are no older LTO drives (e.g. generation 3) in the same group; however a group can contain mixed LTO tapes of generation 4 and higher.


    Note
    If the drive does not demonstrate the encryption capability, make sure that application encryption is enabled on the drive. This may require a special license or can be enabled by using the drive or library management interface. Also make sure that encryption functionality of your LTO generation is already supported by SEP sesam.

    Creating a media pool for the new LTO (4 or higher) drive group

    After you have assigned one or more drives which are all encryption capable (LTO generation 4 or higher) to the drive group, you need to create a dedicated media pool and enable encryption.

    In v. ≤ 4.4.3 Grolar, the Encryption tab where you can enable encryption is available when creating a new media pool. As of v. 4.4.3 Beefalo, you first have to create a new media pool and then enable encryption in the media pool properties.

    1. In the Main Selection -> Components, click Media Pools. The Media Pools contents frame is displayed.
    2. Click New Media Pool to define a media pool for the LTO (4 or higher) drive group. The New Media Pool window is displayed.
    3. In the Name field enter a meaningful name for the media pool.
    4. From the Drive group drop-down list, select the name of your LTO (4 or higher) drive group. In v. ≤ 4.4.3 Grolar, as soon as you select the LTO drive group, a tab Encryption becomes available. From v. 4.4.3 Beefalo, a tab Encryption is available after creating a media pool in the media pool properties.
    5. In the Retention time field set the time period for which the media are locked after the initialization or the last backup, thus preserving the savesets and keeping them available for restore. The retention time is defined in days.
    6. To enable encryption, depending on your SEP sesam version, proceed as follows:
      • In v. > 4.4.3 Beefalo, click OK to create a media pool. Then double-click this media pool to open its properties. Switch to the Encryption tab and click Enable encryption.
      • In v. ≤ 4.4.3 Grolar, switch to the Encryption tab, and then click Enable encryption.
    7. Set the password for your tape encryption and re-enter it.
      Attention
      • Make sure to remember the password, otherwise you won't be able to change the encryption properties again or access data on tape unless the data is read directly by SEP sesam. The encryption key is stored in the SEP sesam database and is read automatically during restore. But if the tape is removed from the drive, the encryption is cleared. Such a tape can still be used for backups, but the stored data can only be accessed by SEP sesam.
      • If you change the password, the updated password will take effect only after the tapes are initialized. Until then the old password is still valid.
      • The password is also required to disable encryption.

    Initializing media from single LTO drive

    To enable the LTO encryption, you have to initialize the LTO tapes belonging to the LTO media pool. Only after the initialization are the LTO tapes ready for encryption. LTO tapes that were loaded before the encryption was set will be encrypted after their EOL expires. As long as their EOL is valid, these LTO tapes are not writable; hence the data will be encrypted only after they become EOL-free and are initialized again.

    To initialize media, go to Activities -> Immediate Start -> Media Action. Choose Media action init, select the Media Pool and the Media you want to initialize. Click OK to start the initialization of the medium. For details, see Initializing media.

    How to verify if encryption is enabled

    There are two ways to check whether encryption is enabled. You can either check each individual medium's properties or search the day log for encryption-related messages.

    Checking media properties

    In the Main Selection -> Components -> Media, look for the Encrypted column in the table. Yes means that the medium is encrypted, No means that it is not encrypted. Or, you can double-click a medium in the table to open the Properties dialog. The Encrypted field states whether the medium is encrypted or not (Yes/No).


    Checking day log

    For each data protection operation, SEP sesam checks the drive to see if encryption is enabled. You can confirm this by checking the Day log file. For details, see Logging.

    1. In the Main Selection -> Logging, click Day Log. The Day Log contents frame is displayed.
    2. In the Search field type encrypt and press Enter. If the LTO encryption is enabled, you will see all related messages displayed. Use Next and Previous buttons to browse through all search results.


    Note
    As of 4.4.3 Beefalo V2, you can also check your logs online by using the new Web UI (System logs -> Day log). For details, see SEP sesam Web UI.

    If the LTO encryption is enabled, the data is encrypted before the backup starts. Note that the tape header is never encrypted, while the data itself is encrypted before it is written to the LTO tape.


    Part XIV: Monitoring & Reporting

    Monitoring, logging, reporting and notifications

    SEP sesam enables you to easily monitor your entire SEP sesam environment via the Web UI or SEP sesam GUI. Various monitoring features and real-time monitoring capabilities provide a complete overview of your environment as well as valuable insights into the KPIs of the backup and restore process to effectively manage, control, monitor and restore backups.

    Reports allow you to not only check the details of all events, but also get an overview of all active jobs, next events, and different states, e.g., data store status, backups, migrations, etc. You can send these reports and log files in the form of email notifications.

    Note that the options (and operations) available after login may differ depending on the user type. Other Web UI and GUI display restrictions may depend on the custom roles with specific permissions and the UI mode.
    For details, see About Authentication and Authorization and User Roles and Permissions.

    Monitoring the SEP sesam environment

    You can monitor your SEP sesam environment via SEP sesam GUI or via Web UI.

    Note that all monitoring, reporting and notifications functionality accessible in the SEP sesam GUI is also accessible in Web UI with the advantages of being user-friendly and visually attractive, providing immediate access to Web UI from mobile browsers and being easily accessible to anyone you authorize.

    Web UI Status, Dashboard and Monitoring

    Web UI displays all important key information for your environment with a standard dashboard for easy visualization of job completion status, errors, storage usage and more, based on metrics updated in real-time.

    • You can monitor your backup infrastructure on a daily/weekly/monthly basis.
    • You can monitor the status of SEP sesam jobs, such as backups, restores, etc., under various menus:
      • Status (default start page) provides a status overview of your jobs, data stores, events, clients, etc. See Web UI: Status.
      • The Dashboard allows you to check that all your backups and restores have completed successfully and view statistics on the total size of backed up and restored data; see Web UI: Dashboard.
      • Monitoring provides a submenu with several options that allow you to check the details and status of the listed events and active jobs (backups, restores, migrations, replications, and media actions). In v. ≥ 5.0.0 Jaglion, you can also perform various actions such as running or locking backups, restarting failed jobs, starting restores, etc., if you have the appropriate permissions. For details, see Monitoring in Web UI.
    • You can expand the charts for better readability, generate reports, and filter the data.
    • For more details on Web UI and its various report widgets, see SEP sesam Web UI.
    Web UI access

    When running the SEP sesam GUI as superuser or administrator, the Web UI landing page opens by default with a link to the Web UI (and links to documentation, etc.). You can also access the online Web UI from the GUI by clicking the first icon – dashboard – in the toolbar or by selecting Dashboard in Main Selection -> Monitoring. Or simply enter the following information in the browser address bar: http://[servername]:11401/sep/ui or https://[servername]:11401/sep/ui.

    Note
    If you cannot access the web Restore Assistant, check that you have been given the appropriate permissions to restore.

    Monitoring in GUI

    SEP sesam GUI provides monitoring capabilities for data protection activities, performance, and resource usage. The Main Selection navigation pane (on the left side of the GUI window) is used to navigate through the components of the SEP sesam system. These include Clients, Data Stores, Loaders, Drives, Media Pools, Tasks, and Scheduling, and provide the following dedicated views for monitoring the SEP sesam environment.

    Monitoring

    SEP sesam GUI Monitoring allows you to check the latest backup status and the status of SEP sesam processes, monitor drives, access the online dashboard, and check notifications (see the section Notification Center). You can search for and/or filter and export the data for reporting and analysis.

    Job State

    You can also monitor the status of SEP sesam jobs, such as backups, restores, and migrations, by expanding the GUI item Job State and selecting All results to view details on all jobs, such as the job ID, event type (backup, command, migration, restore, etc.), job status (successful or not), object (what was processed), task (its name, job's duration, start and end time), and other details.

    Clicking the sub-item (Backups, Restores, Migrations and Replications, or Media Actions) provides detailed information on the selected job. For example, Backups provides detailed information on all backup jobs, including the task name, date of the last full backup, backup level, data size, throughput, assigned media pool, etc.

    You can filter each status view to include only the tasks, status, clients, etc., that match certain criteria.

    Tip
    You can easily print or export different reports, as described in the section SEP sesam reports.

    Logging

    The Logging view in the GUI and the System logs in the Web UI are the central place to find information about what is going on in your SEP sesam environment. SEP sesam creates the following protocols or log files for each backup day: the status file – State (<date of day>.status), the Day Log (<date of day>.prt), and the Error Log (<date of day>).

    State
    This detailed status log has one line written for each backup in chronological order.
    Day Log
    All SEP sesam modules write timestamped messages for each backup day. Each message contains a unique code consisting of the message type (I=information, W=warning, E=error), number, and originating module. You can filter the day log by using the time selection (the from and to date) and the search.
    Error Log
    Contains a record of the critical errors that occurred during the backup day. This log is a subset of the entire day log where only error messages are recorded.

    SEP sesam log files are used to detect operations that have caused errors or malfunctions, for example, in case of a failed backup. For details, see Analyzing SEP sesam Log Files and Tips for Backup Troubleshooting. The log files are stored on the backup server in <SESAM ROOT>/var/prot. They can be printed out or sent by email.
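
The day-log structure described above (a timestamp plus a code made of message type, number and originating module) lends itself to scripted triage, including deriving the error-only subset that the Error Log represents. The following is an added example, not SEP sesam code: the line layout, the `LINE_RE` pattern, the function names and the sample lines are assumptions constructed for illustration, so adjust the pattern to the lines in your own day log.

```python
import re
from collections import Counter
from datetime import datetime

# ASSUMED line layout (constructed for this example, not taken from SEP sesam):
#   <YYYY-MM-DD HH:MM:SS> <type><number>-<module> <message text>
# where <type> is I (information), W (warning) or E (error).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<type>[IWE])(?P<number>\d+)-(?P<module>\w+)\s+(?P<text>.*)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
SEVERITY = {"I": "information", "W": "warning", "E": "error"}

# Constructed sample input; module names and message texts are invented.
SAMPLE_DAY_LOG = """\
2022-06-30 08:00:01 I001-START backup day opened
2022-06-30 08:05:12 I002-BACKUP task fileserver_home started
2022-06-30 08:17:40 W005-BACKUP task fileserver_home: 3 files skipped
2022-06-30 08:31:02 E013-DRIVES drive 2 not reachable
2022-06-30 09:02:55 E020-BACKUP task db_dump failed
    detail line without a message code
"""


def parse_day_log(text):
    """Split a day log into parsed records and lines that carry no code.

    Unparsed lines are returned with their line number instead of being
    dropped, so a changed log layout shows up rather than hiding errors.
    """
    records, unparsed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            unparsed.append((lineno, line))
            continue
        rec = match.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        rec["number"] = int(rec["number"])
        rec["severity"] = SEVERITY[rec["type"]]
        records.append(rec)
    return records, unparsed


def select(records, types="E", start=None, end=None, search=None):
    """Filter records by message type, time window and search term.

    types="E" yields the error-only subset; start/end are timestamps in
    TS_FORMAT and mirror a from/to time selection.
    """
    t_start = datetime.strptime(start, TS_FORMAT) if start else None
    t_end = datetime.strptime(end, TS_FORMAT) if end else None
    selected = []
    for rec in records:
        if rec["type"] not in types:
            continue
        if t_start is not None and rec["ts"] < t_start:
            continue
        if t_end is not None and rec["ts"] > t_end:
            continue
        if search is not None and search.lower() not in rec["text"].lower():
            continue
        selected.append(rec)
    return selected


def count_by_module(records):
    """Count messages per (type, module) to see which module is noisy."""
    return Counter((rec["type"], rec["module"]) for rec in records)


if __name__ == "__main__":
    recs, skipped = parse_day_log(SAMPLE_DAY_LOG)
    for rec in select(recs, types="WE"):
        print(rec["ts"], rec["severity"], rec["module"], rec["text"])
    print("per module:", dict(count_by_module(recs)))
    print("lines without a code:", [n for n, _ in skipped])
```
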

    If you want more information about specific events or modules, or if you are asked by support to diagnose your specific problem, you can run SEP sesam with a higher log level than the default (0 for backup and restore). Note that increasing the log level increases the amount of information being logged and may negatively affect the performance of SEP sesam. For details, see Setting Log Level.

    Note
    You can also generate audit logs to record every action that was triggered by a user in the SEP sesam GUI and Web UI (e.g., triggering a restore or deleting a data store). Audit logs ensure data integrity by providing a complete track record of data-related operations, helping to increase security and compliance. For details, see Audit Logging.

    It is recommended to configure the interfaces (Alarm, Disaster and/or Notify) to automate the sending of email reports of errors and license violations, as well as log files, and to help carry out the disaster recovery process in case of a SEP sesam Server breakdown. See section Email notifications.

    You can check the log information of the SEP sesam Server interfaces by selecting the target interface (Alarm, Disaster or Notify) in the GUI under Main Selection -> Interfaces or in the Web UI under System logs. For details, see Logging in the GUI and System logs in the Web UI.

    Email notifications

    SEP sesam allows you to send the logging messages (daily protocol, events and errors) to an email account. This feature is based on interface scripts that have to be activated via the GUI or manually by copying the templates that are available in the SEP sesam directory <SESAM_ROOT>/skel/templates. For details, see Configuring interfaces.

    SEP sesam interfaces require a configured email account to be able to send the selected notifications by email. To configure it, go to menu bar -> Configuration -> E-mail Settings, select the Use Sesam mail program option, click New, and then configure the account with the account name sesam (the default email account; lowercase). For details, see Configuring email account and recipients.

    It is recommended to configure the following interfaces to receive a daily log and notifications when certain events happen in the SEP sesam environment.

    • sm_notify: Notify is executed on the SEP sesam Server. It can be used for reporting on successfully finished and erroneous events, such as backup, restore, migration, media initialization, and start/finish of a NEWDAY event.
    • sm_alarm: Alarm is executed on the SEP sesam Server to warn the system administrator when a fatal error occurs or when there is a license violation.
    • sm_disaster: This interface must be properly configured to help carry out the disaster recovery process. For details on how to prepare for it, see SEP sesam Server Disaster Recovery. The disaster interface sends an email describing the recovery procedure in the event of a disaster and an attachment containing the SEP sesam bootstrap database with all essential data for disaster recovery.

    For details on how to configure the interface scripts, see Configuring interfaces.

    SEP sesam reports

    SEP sesam reports provide various information on your backup environment. For example, you can check the status of the last backup, check which clients in your network are not configured for backup, data storage usage, and much more.

    Web UI reports

    SEP sesam Web UI provides various reports, which you open by clicking Reports in the left navigation menu of the Web UI (browser: https://[servername]:11401/sep/ui/#/server-report).

    The following reports are available as a drop-down list in the upper left corner: Available Media Report, Backup Storage Report, Clients Report, Failed Jobs Report, Jobs Overview Report, Readcheck Report, Used Media Report, License Report (MSP Unit or Volume Frontside).

    Reports can be filtered using the date range picker or selector or by sesam_date, start_time, stop_time. For details, see SEP sesam Web UI Reports.

    You can send reports in the form of email notifications, as described in Email notifications.

    GUI reports

    Depending on what you want to check, you can define the criteria and generate various types of reports using the SEP sesam GUI, including:

    • Location reports
    • License reports
    • Client reports
    • All results list
    • Backups list
    • Restores list
    • Migrations and Replications list
    • Media Actions list

    You can manage GUI reports in the following ways.

    • By generating a report for each client or location: Main Selection -> Topology -> Location/Clients, right-click the client/location and then select Client/Location Report.
    • By printing or exporting reports: Use the Print or Export button in the top right corner of the content pane. You can export reports in Excel or CSV format.
    • By sending email notifications, as described in Email notifications.

    Tip
    You can change the level of reported messages for a backup or restore session by changing the log level. For details, see Setting the Log Level.

    Additionally, you can use the SEP sesam logs to check the recorded events and troubleshoot possible problems, as described above in Logging.

    Notification Center

    The Notification Center is used to dynamically send different types of messages – notifications from SEP sesam Server to all open GUIs. These messages inform the user about license violations, unconfigured interfaces, etc., and contain other important information, such as the announcement of a new release or notification of a bug. The notifications are sent via RSS feeds. You can subscribe to a SEP sesam RSS feed via your email application or web browser, see Subscribing to SEP sesam RSS feeds.

    Notifications can be accessed in the Web UI (by clicking the notification icon in the upper right corner or via the left menu -> Notifications) and in SEP sesam GUI (in the upper right corner by clicking the flag, under Monitoring -> Notification Center, or from the menu bar -> Window -> Show Notification Center). For more details, see Notifications in the Web UI and Notification Center in the GUI.


    Part XV: Web Interface

    Restore Assistant

    Copyright © SEP AG 1999-2022. All rights reserved.

    Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

    Welcome to the latest SEP sesam documentation version 5.0.0 Jaglion. For previous documentation version(s), check Restore Assistant in v. 4.4.3 Beefalo V2.

    Overview

    There are two ways to restore your data in SEP sesam: via GUI restore or via the web interface Restore Assistant. Although most options are the same in both restore interfaces, the web Restore Assistant is more intuitive and offers additional advanced options thus making it easy to restore your data.

    The enhanced and redesigned Restore Assistant supports new task types and features advanced restore options. It also provides simple and flexible single file restore (SFR) for almost all VMs (except Proxmox VE) if you have the appropriate permissions. For more details on SFR, see Web Single File Restore for Virtual Machines.

    Additional task types are supported with SEP sesam v. 5.0.0 Jaglion V2: NetIQ/Micro Focus eDirectory, Micro Focus iFolder, PostgreSQL and MySQL. You can perform a regular restore or write your backups to dump files (equivalent to the GUI option Write saveset into file). This actually restores the data to a single file rather than to its original location.

    Authentication required

    Only authenticated users who have been granted the appropriate permissions can access Restore Assistant and restore their data. These permissions are defined according to the user type. For details, see User Roles and Permissions.

    Restoring encrypted backups

    You can perform an online restore of data from password-protected encrypted backups. If you restore encrypted data with a password stored in the SEP sesam database, the password is automatically used for decryption during the restore. If the password is not stored in the database, you will be prompted to enter it online. In the latter case, if you do not know the password, you cannot restore an encrypted backup (it will remain locked).

    Simple and advanced web restore

    The Restore Assistant provides simple and advanced online restore features. Switching between simple and advanced mode is version-dependent, see Setting UI mode, and related to user permissions. The operations and options available after logging in may differ depending on the user type. For details, see User Roles and Permissions.

    Restore features

    Restore Assistant provides the following features:

    • You can restore:
      • Data from regular Path backups, NDMP and NSS file system Path backups.
      • Email from Kopano, Dovecot IMAP, Courier and Cyrus backups.
      • Micro Focus GroupWise, HCL Domino, MS Exchange, and MS SQL backups; for the latter two, a special procedure is required. See Web Exchange Restore and Web MS SQL Restore.
      • Virtual machine backups for all supported virtual environments (VMware, Hyper-V, RHV, OLVM, Citrix Hypervisor, KVM/QEMU, OpenNebula, Proxmox VE, and Nutanix AHV).
      • Single files from almost all VMs (except Proxmox VE): VMware vSphere, Microsoft Hyper-V, Citrix Hypervisor, KVM/QEMU, Nutanix AHV, Oracle Linux Virtualization Manager (OLVM), Red Hat Virtualization (RHV), and OpenNebula. For details, see Web Single File Restore for Virtual Machines.
    • VMware sandbox restore provides improved functionality and usability of the recovery options, i.e. the use of run and execution commands of the VMware guest tools. See VMware Sandbox Restore.
    • With the flexibility to switch between simple and advanced restore modes, experienced users can fine-tune their restore.

    Accessing the Restore Assistant

    You can access the Restore Assistant in one of the following ways:

    • via the GUI: by clicking the Restore Assistant icon in the toolbar or from Activities -> Restore Assistant
    • from SEP sesam Web UI: left menu -> Restore Assistant
    • or by entering the following address in the browser bar: http://[sesamserver]:11401/sep/ui/restore/.

    Note
    • If you cannot access the web Restore Assistant, check if you have received the appropriate permissions for online restore.
    • The operations and options available after logging in may differ depending on the user type. Other Web UI display restrictions may depend on the custom roles with specific permissions and the UI mode.
      For details, see About Authentication and Authorization and User Roles and Permissions.

    Setting UI mode

    You can easily switch from simple to advanced restore mode to refine the restore with additional options. Simple restore mode is enabled by default. Note that the simple restore options cover the most common restore cases and are the recommended method for performing a restore. The advanced options should only be used by experienced users.

    To switch from simple to advanced restore mode, enable the Advanced View option in the lower left corner.

    Tip
    In the upper menu you can change the display language (German or English). The Monitoring, Web UI, Help and Account icons (in the upper right corner) allow you to quickly check the status of all restore jobs (Monitoring -> Restores), access the SEP sesam Web UI and online help, and log in and out via Restore Assistant.

    Online restore in simple UI mode

    The available restore options in simple mode cover the most common restore cases and are the recommended method for performing a restore. The restore procedure includes selecting the savesets to restore, the restore target, etc., and provides a step-by-step restore assistant depending on the type of data to restore. Note that for more experienced users, some additional restore options are available in advanced restore mode. For details, see Online restore in advanced UI mode.

    Depending on the type of data, different procedures can be used for restore:

    Restoring path, mail, HCL Domino, and Micro Focus Groupwise backups

    The procedures for restoring path, HCL Domino, Micro Focus Groupwise, and mail (Kopano Groupware, Dovecot IMAP, Courier, and Cyrus) backups are almost identical, but some options (such as the Execution options) may vary depending on the task type selected. Note that a separate procedure applies for restoring MS Exchange and MS SQL, which is described in the articles Web Exchange Restore and Web MS SQL Restore.

    1. Open Restore Assistant in the browser.
    2. In the Start window, select the appropriate task type: Files and directories, Micro Focus GroupWise, HCL Domino, Kopano Groupware, Dovecot IMAP, Courier, or Cyrus. Select the appropriate restore type and click Next.
    3. In the Client window, select your client. You can filter clients by name, location, or operating system. Click Next.
    4. In the Task window, select your backup task from the Task selection. A backup task defines the source data that was backed up by the client.

      Tip
      You can search for a file or directory by entering your search term in the Search for files or directories in all backups field.

      Under Backup selection, select the exact backup version you want to restore. You can use the calendar function in the upper right corner to set a date range for the displayed backups.
      Then select (in the lower right corner) whether you want to perform a selective or complete restore and click Next. Note that an additional step is required for a selective restore. For a complete restore, you are immediately taken to step 6 (Target tab).

    5. If you are performing a selective restore, select a single saveset in the Files window and click Next.
    6. The options in the Target window differ slightly depending on whether you want to restore from a path, GroupWise, HCL Domino backups, or from email backups.

      Restore from path, GroupWise or HCL Domino backups

      1. Select the target client for the restore.
      2. In most cases, the Restore to original target path option is enabled by default to restore the files to the original location. Deselect this option if you want to restore your data to a new restore destination and specify a new target path; you can type or browse the path where you want to restore your data.
      3. Under the Execution options, you can set additional restore options:
        Do not overwrite existing items: Files are only restored if they do not already exist on the target system.
        Create new version: Restore files under a new name.
        Overwrite existing items: If the data exists on the target server, it is replaced with the restored version.
      4. Decide how you want to restore your data (keep the original tree structure or flat):
        Keep original tree structure: When restoring to the original location, the Keep original tree structure option is selected by default. The directory structure of the restored files is the same as the original directory structure of the backed up data.
        Restore all items flat in the selected target directory: The backup is simply restored to a file without recreating the directory structure.
        Click Next.
      5. In the Finish window, review the summary of your restore task (restore type (based on task type), client, backup level, restore options) and click Start restore.

      Kopano Groupware, Dovecot IMAP, Courier, or Cyrus mail restore

      Note
      You can also restore MS Exchange mailbox databases using SEP sesam Exchange Recovery Pro in the Restore Assistant, but the procedure is different from the mail restore procedure described below. For details, see Web Exchange Restore.

      1. Check the target client for the restore.
      2. Under the Target mail folder and user, enter a new mail user (the Change user to option) and/or folder (Change folder to option) if you want to restore mail(s) to a different user mailbox or folder. Skip this step to restore mails to the original location (default).
      3. Under the Execution options, you can specify additional restore options:
        Do not overwrite existing folders and mails: Folders and mails are only restored if they do not already exist on the target system.
        Overwrite existing folders and mails: If the data exists on the target server, it will be replaced with the restored version.

        Note
        The Auto recover after restore option required for Kopano restores is enabled by default and cannot be changed.

        Click Next.

    7. In the Finish window, review the summary of your restore task (restore type (based on task type), client, backup level, restore options) and click Start restore.

    For more restore options in advanced UI mode, see Restoring path, mail, HCL Domino, and Micro Focus Groupwise backups in advanced UI mode.

    Restoring virtual machines

    If you want to restore a virtual machine (VM), you can choose what to restore from a list of VM types. The restore procedure in simple mode is almost identical for all VM types, except that additional options are available for some VM types, notably VMware with an additional step.

    Note
    The advanced restore options such as VMware instant recovery, VMware sandbox restore, VM single file restore, writing backups to the file system, etc. are only available in advanced UI mode.

    1. Open the Restore Assistant in the browser.
    2. In the startup window, select your target restore type: VMware vSphere, Microsoft Hyper-V, Citrix Hypervisor, KVM/QEMU, Proxmox VE, Red Hat Virtualization (RHV), OpenNebula, or Nutanix-AHV. In our example, the procedure for VMware is shown with an additional step in the Files window. Click Next.
    3. In the Virtual Machine window, under Selection of the server, select your target server.
      Then, under Selection of the virtual machine, select the VM you want to restore. You can filter VMs by name, location, or OS.
      Click Next.
    4. In the Task window, under Task selection, select your source task. A backup task defines the source data that was backed up by the client.
      Under Backup selection, select the exact backup version you want to restore. You can use the calendar feature in the upper right corner to filter a date range for the displayed backups.
      Click Next. Note that an additional step is required for a VMware restore. For other VMs (Hyper-V, OpenNebula, etc.), you are immediately taken to step 6 (Target window).
    5. In the Files window (available for VMware VM only), under the Virtual disk (VMDK) selection, enable or disable the target VM disk(s) and/or Configuration you want to restore.
      Click Next.
    6. In the Target window, under the Target selection, select your target environment for restore. You can use the drop-down list to check virtual machines.
      Then set additional restore options under the Execution options:
      Do not overwrite an existing virtual machine: The VM is restored only if it does not already exist on the target system.
      Restore an existing virtual machine with a new name: The VM is restored with a new name.
      Overwrite an existing virtual machine: If the VM exists on the target server, it will be replaced with the restored version.
      (Do not) start virtual machine after restore: You can also define if you want to start a virtual machine after restore or not.
      Click Next.
    7. Modify or set additional restore options under the Virtualization restore options:
      Data mover: Select the data mover.
      Recovery options: Specify whether or not to start the VM after restore.
      Under Target options of the virtual machine, select ESX server and Datastore from the drop-down lists.
      Click Next.
    8. In the last step, check the summary of your restore task (restore type (based on task type), selected backup, its date and details, restore options, etc.) and click Start restore.

    Additional VM restore options are available in advanced UI mode, see Restoring VMs in advanced UI mode.

    Online restore in advanced UI mode

    For more experienced users, some additional restore options are available in advanced UI mode. In the startup window, you can select additional restore types, such as restoring backups and VMs to the file system, writing backups and VMs to dump files, restoring a single file from a VM, performing VMware sandbox restore, etc. An additional Options tab is also available for all task types.

    As with the options in simple mode, the advanced options differ depending on the type of restore:

    Restoring path, mail, HCL Domino, and Micro Focus Groupwise backups in advanced UI mode

    The following additional restore options may be available when you restore path, mail, HCL Domino, and Micro Focus Groupwise backups in advanced UI mode:

    Note
    Restoring MS Exchange and MS SQL backups requires a special procedure that is described in the Web Exchange Restore and Web MS SQL Restore articles.

    • In the Start window, you can restore backups to the file system or write backups to dump files.
      If you want to restore backups to the file system (this corresponds to the GUI option As path backup and allows you to restore your data directly to the file system without requiring any additional action), follow the procedure described in the above section Restoring path, mail, HCL Domino, and Micro Focus Groupwise backups. Note that the procedures are very similar, but some options may not be available (e.g., the Client window).

      If you want to write your backups to dump files (this corresponds to the GUI option Write saveset into file and restores the data to a single file rather than to its original location), you must specify a restore destination path in the Target window (by browsing or typing the path). Optionally, you can change the name of the dump file. If the dump file name is not specified, it is automatically generated. For a step-by-step procedure, see the MS SQL example Restoring MS SQL databases by writing backups to dump files.

    • Additional execution options are available when restoring Path and MS SQL backups:
      • Overwrite existing items with newer items from backup: If the data exists on the target server, it is replaced with newer items from the backup.
      • Overwrite existing items with older items from backup: If the data exists on the target server, it is replaced with older items from the backup.

    • The Options tab (available for all task types) allows you to set the following options:
      At Optional data source selection, you can select your preferred media pool, drive, used media|barcode, and interface from the drop-down lists.

      The Include/Exclude Filter tab allows you to specify which files or directories you want to include or exclude from the restore; for example, enter *.docx in the appropriate filter to include or exclude all MS Word *.docx files from the restore. You can use the include or exclude filter on the client side or the exclude filter on the server side. The latter is not available for complete restores.

      Under the Advanced restore options, you can further refine your restore:

      • Use the Log, Special Options tab to change the log level for your specific restore, see Setting Log Level. You can specify additional commands that may be useful for specific options of the sbc command. For details about the commands, see SBC CLI.
      • Use the Retention, Generation, Pre/Post tab if you want to specify the retention period parameter for the restore (how long (in days) the restore task is kept), enable/disable a generation restore, and specify whether to apply a pre- or post-script to the restore task, see Pre/Post options.

    Restoring virtual machines in advanced UI mode

    If you enable advanced UI mode, you can set additional restore options. Advanced mode is recommended only for experienced users, as the options in the default simple mode are sufficient for most recovery cases. The following additional options are available in advanced UI mode.

    • In the Start window, you can restore virtual machines to a file system, write virtual machines to dump files, perform VM single file restore, VMware instant recovery, or VMware sandbox restore:
    • In the Options window, additional restore options are available:
      • In the case of a VMware restore, under Virtualization restore options, you can select the desired transport mode from the list of available transport modes (HOTADD, SAN, NBD, or NBDSSL); click the transport mode that appears and reorder the modes to suit your needs.
      • VMs RA virtualization options Jaglion.jpg

      • Under Target options of the virtual machine you can specify additional target options, such as network interface(s), folder, storage repository, etc. Note that the available target options depend on the selected task type (VMware, Citrix, Hyper-V, etc.).
      • VMs RA target options Jaglion.jpg

      • You can modify the Recovery options: By clicking the Edit button (in the upper right corner), you can enable/disable different recovery actions: conf, remove, start, etc., and perform VM-related checks: VM power state, VM guest tools state and VM network IP address.
      • VMs recovery options Jaglion.jpg
        To add your custom action or your check, select the template from the Actions or Checks drop-down lists or manually enter your action/check commands. To activate your custom action/check, click Save. You can easily remove any action/check by clicking the recycle bin icon.

        VMs recovery options modify Jaglion.jpg

      • Under the Optional data source selection, you can select your preferred media pool, drive, used media|barcode, and interface from the drop-down lists.
      • VM advanced options optional data Jaglion.jpg

      • An additional set of options is available under the Advanced restore options: You can specify the retention period parameter for the restore (how long (in days) the restore task will be kept), enable/disable a generation restore, and decide whether apply a pre- or post script to the restore task, see Pre/Post options.
        In the case of a VMware restore, you can also specify the transport hierarchy (if you have not previously changed the transport mode under Virtualization restore options); see Selecting the best VMware transport mode for your environment for details.

    Monitoring restores

    You can view the status of your restore jobs by clicking the monitoring icon (second icon in the upper right corner), via SEP sesam Web UI (Monitoring -> Restores) or SEP sesam GUI (Main Selection -> Job State -> Restores). For details, see Monitoring and Reporting.

    Part XVI: SEP sesam Command Line Interface

    SEP sesam CLI

    Overview

    The SEP sesam command line interface (CLI) is a utility that provides an alternate way of executing SEP sesam commands in UNIX and Windows environments. SEP sesam command line interface provides two CLI components: administration utility SEP sesam CLI and client utility SBC CLI. The latter is used to back up and restore data locally on the host.

    SEP sesam CLI administration utility provides all of the functions available via SEP sesam graphical management interface and also additional CLI commands that are not available in the GUI. Note that different commands can be available depending on your SEP sesam license.

    SEP sesam CLI commands can be used to install and configure a SEP sesam environment automatically without a GUI. They enable administrators to access SEP sesam database and manage the whole SEP sesam environment, for example, to install, configure and manage SEP sesam Servers and Clients centrally without a GUI. Every CLI command (except a native SQL statement) checks and follows the internal structure and dependencies of the SEP sesam database.

    Features

    • Automatic configuration of SEP sesam environments after installation (e.g., on implementation)
    • Change the SEP sesam configuration without using the SEP sesam GUI
    • Script-based mass installation and configuration (e.g., provider environment)
    • Operate tests for installation and configuration in SEP sesam environments
    • Get SEP sesam status, log and version information
    • Determine SEP sesam object information for further use in other programs

    Running CLI commands

    You must have SEP sesam administrator privileges to run SEP sesam CLI commands and use the command prompt as an administrator. All commands are run from the <SESAM_ROOT>/bin/sesam/ directory. If you want to execute SEP sesam commands globally (and not from the actual run directory), set the SEP sesam profile as described in What happens when I set a profile?.

    Understanding the command structure

    The SEP sesam general syntax for a CLI command is:

    sm_cmd <command> [-option] [<object>] [[-<parameter>] <value>]
    

    where the following information is provided for each command:

    • sm_cmd: A command line tool that invokes the command line interface.
    • Usage: The actual syntax of the command, including the arguments.
    • Description: A brief summary of what the command does.
    • Arguments: The definition of options used in the command.
    • Example: Example of the command usage of the specified command and its options.

    Command conventions

    The parameters for a command are order-dependent and might include required and optional values or keyword choices, depending on how the information is bracketed. Required parameters are marked with an asterisk (*). An example is provided below.

    | vertical bar
    Separates the choices between two or more options or arguments.
    [ ] square brackets
    Indicate optional values.
    < > angle brackets
    Indicate that the enclosed element is mandatory.
    Example:
    sm_cmd <get|list|add|modify|backup|remove|restart> taskevent [OPTIONS...]
    
    

    One of the actions bracketed with < > symbols, in this case <get|list|add|modify|backup|remove|restart>, is required, while the [OPTIONS...] are enclosed with [ ] symbols, therefore the information requested is optional. The following options are available for our sample taskevent command.

    OPTIONS:
        -@ [param]     follow up (command to be run after the event completes)
        -G [ID]        task group
        -S [ID]        name of the interface
        -Z [number]    stop task if it runs longer than (e.g. 8:00 means that the task is automatically stopped after 8 hours)
        -d [ID]        drive number
        -j [ID]        backup task
        -l [param]     backup level (C = Copy, F = Full, D = Differential, I = Incremental)
        -m [ID]        media pool
        -s [0|1]       source-side deduplication
    

    Let's say that we want to run a backup event for a backup task named win-cli_c_drive and use the target media pool (to which the data will be backed up) MP_disk_week. The command would look like this:

    sm_cmd backup taskevent -j win-cli_c_drive -m MP_disk_week
    
    

    Getting help

    To list all available options, use the main help sm_cmd help. To show help for a specific object, use sm_cmd help <object>, for example, sm_cmd help client.

    Common action commands

    The action command is used to perform an action or retrieve information/status about the resource. Most SEP sesam CLI resources have the following action commands:

    get
    The get command retrieves information about the resource or the operation that is currently defined.
    list
    The list command returns a list of objects for the specified resource. If the optional <object_name_or_id> is also specified, then the results are filtered by that value.
    add
    The add command creates a new object or event. If the optional <object_name_or_id> is also specified, then the objects are created according to the specified value.
    modify
    The modify command changes an existing resource based on the specified object options.
    remove
    The remove command deletes the specified object.

    Before you begin

    SEP sesam CLI is a very powerful command-line tool. You should be aware of its implications on your entire environment before you start using it.

    Recommendations for using the SEP sesam CLI

    • SEP sesam's optional command line commands change the SEP sesam database directly. Therefore all command line entries should be checked and verified!
    • SEP sesam executes a command as soon as the <Enter>/<Return> key is pressed, which means that entries cannot be corrected afterwards, as they can be in the SEP sesam GUI. It is extremely important that you are familiar with the CLI and use it cautiously in order not to cause a system failure of the backup environment. Note that an erroneous entry can lead to complete data loss or other damage to the database. Such mistakes can void the warranty of your SEP sesam licensing agreement.
    Note
    Before you start scripting with the SEP sesam CLI, you should familiarize yourself with the SEP sesam environment. Read the SEP sesam documentation carefully and work on the SEP sesam installation and configuration to understand how the SEP sesam objects work together.
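One way to check and verify an entry before it reaches the database, as an added example (not SEP AG's code): a Python wrapper that validates a `sm_cmd <action> taskevent` call against the action and option list shown earlier and only prints the command unless execution is explicitly requested. The character set allowed for IDs, the H:MM form for -Z and the default refusal of -@ are assumptions of this example.

```python
"""Pre-flight check for `sm_cmd <action> taskevent` calls (added example)."""
import re
import shlex
import subprocess

# Actions, options and backup levels copied from the taskevent usage above.
ACTIONS = {"get", "list", "add", "modify", "backup", "remove", "restart"}
BACKUP_LEVELS = {"C", "F", "D", "I"}  # Copy, Full, Differential, Incremental

# Assumption: object names/IDs use only these characters and never start
# with "-", so a value can never be mistaken for another option.
SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")
# Assumption: -Z takes H:MM, as in the "8:00" example of the option list.
RUNTIME = re.compile(r"\d{1,3}:[0-5]\d")


def _is_id(value):
    return SAFE_ID.fullmatch(value) is not None


VALIDATORS = {
    "-G": _is_id,                                   # task group
    "-S": _is_id,                                   # interface
    "-d": _is_id,                                   # drive number
    "-j": _is_id,                                   # backup task
    "-m": _is_id,                                   # media pool
    "-Z": lambda v: RUNTIME.fullmatch(v) is not None,
    "-l": lambda v: v in BACKUP_LEVELS,
    "-s": lambda v: v in {"0", "1"},                # source-side deduplication
}


def build_taskevent_argv(action, options, allow_follow_up=False):
    """Return the argv list for the call, or raise ValueError.

    `options` is a list of (flag, value) pairs; the caller's order is kept
    because sm_cmd parameters are order-dependent.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    argv = ["sm_cmd", action, "taskevent"]
    seen = set()
    for flag, value in options:
        if flag in seen:
            raise ValueError(f"option given twice: {flag}")
        seen.add(flag)
        if not isinstance(value, str) or not value:
            raise ValueError(f"{flag} needs a non-empty string value")
        if flag == "-@":
            # -@ names a command that runs after the event completes, so it
            # is refused unless the caller opts in explicitly.
            if not allow_follow_up:
                raise ValueError("-@ (follow-up command) is not allowed here")
        elif flag not in VALIDATORS:
            raise ValueError(f"unknown option: {flag!r}")
        elif not VALIDATORS[flag](value):
            raise ValueError(f"invalid value for {flag}: {value!r}")
        argv += [flag, value]
    return argv


def preview(argv):
    """Shell-quoted form of the command, for review or a change log."""
    return shlex.join(argv)


def run(argv, execute=False):
    """Print the command; run it only when execute=True.

    Run from <SESAM_ROOT>/bin/sesam/ or with the SEP sesam profile set.
    """
    print("about to run:", preview(argv))
    if not execute:
        return None
    return subprocess.run(argv, check=True)  # list form, no shell involved


if __name__ == "__main__":
    # The backup event from the text above, reviewed but not executed.
    run(build_taskevent_argv(
        "backup", [("-j", "win-cli_c_drive"), ("-m", "MP_disk_week")]))
```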

    SEP sesam CLI usage

    Command Description
    sm_cmd <get|list|add|modify|remove|send> account Create and administer email accounts.
    sm_cmd <get|list|remove|check> acl List or delete access control list (ACL).
    sm_cmd list allevent List all SEP sesam events.
    sm_cmd list allresult List all results within the specified time period.
    sm_cmd backup Start the backup task or the backups of the task group.
    sm_cmd clear cache Clear the entire server cache.
    sm_cmd <get|list|add|modify|remove> calendar Create and administer calendars.
    sm_cmd <get|list|add|modify|remove> calendarevent Create and administer calendar events.
    sm_cmd <download|show> calendarsheet Display or download calendar information.
    sm_cmd <get|list|add|modify|remove|dir> client Create and administer clients.
    sm_cmd <get|list|add|modify|start|remove> command Create and administer commands.
    sm_cmd <get|list|add|modify|remove> commandevent Create and administer command events.
    sm_cmd <get|list|add|modify|enable|disable|link|unlink|remove> credential Configure and administer credentials.
    sm_cmd <download|show> current Display or download the current drive information.
    sm_cmd <get|list|add|modify|remove> datastore Create and administer data stores.
    sm_cmd <get|list|add|modify|remove> default Configure and administer default keys.
    sm_cmd dir <argument> List all specified clients, elements, VMs, etc.
    sm_cmd <get|list|add|modify|remove|start|mount|dismount|unload> drive Create and administer drives.
    sm_cmd <get|list|add|modify|remove> drivegroup Create and administer drive groups.
    sm_cmd <get|list|add|modify|remove> group Create and administer user groups.
    sm_cmd <get|list|add|remove> interface Create and administer interfaces.
    sm_cmd start inventory Start archive adjustment.
    sm_cmd <show|update|report> license Check the SEP sesam license information and update the license.
    sm_cmd <get|list|add|modify|remove|load|unload|import|export> loader Create and administer loaders.
    sm_cmd <get|list|add|modify|remove> loaderdevice Create and administer loader devices.
    sm_cmd <get|list|add|modify|remove> location Create and administer locations.
    sm_cmd <download|show|list> log Monitor and download log files from the server.
    sm_cmd <get|list|add|modify|remove> media Create and administer storage media.
    sm_cmd <get|list|add|modify|remove> mediapool Create and administer media pools.
    sm_cmd <get|list|add|modify|start|init|remove> mediapoolevent Create and administer media events.
    sm_cmd migrate Start a migration immediately.
    sm_cmd <get|list|add|modify|remove|start> migration Create and administer migration events.
    sm_cmd <get|list|add|modify|remove> migrationtask Create and administer migration tasks.
    sm_cmd <get|list|add|modify|start|remove> newdayevent Create and administer NEWDAY events.
    sm_cmd <get|list|add|modify> notification Create and modify notifications.
    sm_cmd <get|list> opersystem List a specific OS or all operating systems.
    sm_cmd render Renders the specified template.
    sm_cmd <list|restart> Check and restart backups/migrations.
    sm_cmd <get|list|add|modify|restore|start|remove> restoreevent Create and administer restore events.
    sm_cmd <get|list|add|modify|start|remove> restoretask Create and administer restore tasks.
    sm_cmd <get|list> result Monitor the results according to set filters (e.g., clients, tasks).
    sm_cmd <dir> saveset Browse a saveset.
    sm_cmd <get|list|add|modify|rename|remove|start> schedule Configure and administer schedules.
    sm_cmd <download|show> services Monitor and download different files or logs.
    sm_cmd list session List all active sessions.
    sm_cmd start <task|restore|migration|command> Start an event.
    sm_cmd start report Create a customized report.
    sm_cmd <get|list|add|modify|start|remove> task Create and administer tasks.
    sm_cmd <get|list|add|modify|backup|remove|restart> taskevent Create and administer task events.
    sm_cmd add taskgen Generate tasks according to the specified task type.
    sm_cmd <get|list|add|modify|start|remove> taskgroup Create and administer task groups.
    sm_cmd <get|list|add|modify|remove> taskgrouprelation Create and administer task group relations.
    sm_cmd <download|list> update Monitor and download JAR (.jar) updates.
    sm_cmd <get|list|add|modify|remove|reset> user Create and administer users.
    sm_cmd show version Display SEP sesam Server and Client package version.
    sm_cmd <resetcbt|check|generate|list> vsphere Reset CBT, monitor vSphere environment and generate vSphere task group.


    SBC CLI

    Overview

    SEP sesam provides both GUI and CLI interfaces to manage the SEP sesam environment (CLI) or an individual client (SBC). SEP sesam command line interface provides two CLI components: administration utility SEP sesam CLI and client utility SBC CLI.

    • SEP sesam CLI provides an alternate way of managing the SEP sesam environment. CLI commands enable administrators to access the SEP sesam database and manage the whole SEP sesam environment, for example, to install, configure and manage SEP sesam servers and clients centrally without a GUI. For details, see SEP sesam CLI.
    • SBC CLI is used to back up and restore data locally on the host. SEP sesam SBC (sesam backup client) is a component that collects and consolidates the backup data on the client system, and delivers it to STPD. During a restore, SBC receives the required data and restores it to the target system. SBC CLI enables users to control, back up and restore the SEP sesam client (SBC module) directly and independently from other SEP sesam modules.

    Command conventions

    The parameters for a command are order-dependent and might include mandatory and optional values, or keyword choices.

    | vertical bar
    Separates the choices between two or more options or arguments.
    [ ] square brackets
    Indicate optional values.
    < > angle brackets
    Indicate that the enclosed element is mandatory.

    SBC CLI usage

    sbc -b|r|g|p|k|h [-a <DB_options>][-C <control_host>] [-d <device>]
                    [-f <list_source>] [-F <data_format>] [-i <saveset_info>]
                    [-j <job_name>] [-l <level>] [-L <control_target>]
                    [-n <segment>[:<offset>:<size>]] [-o {options}]
                    [-O <STOR/RETR_direct>] [-P <PID>] [-R <restore_target>]
                    [-s <saveset_spec>] [-S <storage_node>] [-t <tape_spec>]
                    [-T <since_time>] [-x <exclude_regexp>] [-X <exclude_list>]
                    [-v 0|1|2|3|4|5|6]
    # Backup  #   <backup_source1> [<backup_source2> ...] |
    # Restore #   <restore_source1> [<restore_source2> ...] |
    # Get     #   <remote_file> [<local_file>] |
    # Put     #   <local_file> [<remote_file>] |
    # Kill    #   [-l 1|2|9|15] -s <saveset_spec>
    

    Commands

    There are six main commands that define what action can be performed by SBC. Another set of options can be used to further define the way the command is performed. The main commands are:

    sbc -b|r|g|p|k|h
    

    -b (backup)

    Backup uses space delimited arguments to specify what will be backed up. These arguments may contain full item names or file patterns.

    -b <backup_source1> [<backup_source2> ...] |
    

    -r (restore)

    Restore uses space delimited arguments to specify what will be restored. These arguments may contain full item names or file patterns. See also Restore from tape via SBC without a valid SEP sesam database.

    -r <restore_source1> [<restore_source2> ...] |
    

    -g (get)

    Get operation switch transfers the specified file from SEP sesam Server work directory to local directory. File is received as is, without any formatting. If local file is not specified, the remote file name is used.

    -g <remote_file> [<local_file>] |
    

    -p (put)

    Put operation switch transfers the specified file to SEP sesam Server work directory. File is sent as is, without any formatting. If remote file is not specified, the local file name is used.

    -p <local_file> [<remote_file>] |
    

    -k (kill)

    Kill operation switch sends signal to the SBC process (incl. all child processes).

    -k [-l 1|2|9] -s <saveset_spec>
    

    -h (help)

    Displays abbreviated usage syntax and a list of options you can use with the sbc command.

    -h
    

    Options

    -a (backup type argument)

    Backup type specific argument that may be passed to the underlying library. The -a <DB_options> are forwarded to the related database module, e.g., to Lotus Notes.

    -a <DB_options>
    

    -C (control host)

    Specifies control host - SEP sesam Server.

    -C <control_host>
    

    -d (device)

    Specifies the target/source device or directory for the operation.

    -d <device>
    

    -f (files)

    Specifies the list of items to be backed up. Typically, this option is used when the number of files or directories to be included for backup exceeds allowed length for task source (SEP sesam version ≥ 4.4.3: max. 1024 characters; ≤ 4.4.2: max. 255 characters).

    -f <list_source>
    

    It is recommended to create a separate file that contains a list of selected files and directories to be backed up, one entry per line. Note that wildcards are not supported.
    For example, the file C:/sesam/backup_file_list.txt includes the following entries:
    /lib
    /usr/share
    /usr/bin/a2ps
    /var/opt/sesam/var/ini

    The option -f requires a fully qualified file list or directory name, e.g., C:/sesam/backup_file_list.txt on Windows or -f etc/sesam/backup_file_list.txt on Linux; otherwise the list must be located in the SESAM_BIN/bin/sesam. To enter the file in the backup task properties, create or open the backup task, select the Options tab and under the Additional call arguments in the Backup options (previously Save options) field, enter the specified file in the form: -f C:/sesam/backup_file_list.txt.

    Note
    The option -f behaves differently on different platforms:
    • On Windows, the -f <list_source> option overrides the backup source specified in the backup task. For example, creating a backup task with source g:\x and specifying an SBC option -f C:/sesam/backup_file_list.txt will back up only the data from the backup_file_list.txt while ignoring the directory g:\x, which was specified as a backup source.
    • On Unix/Linux, both the source and the data from the backup_file_list.txt are considered for backup. It is therefore recommended that the <list_source> file is specified as a source in the Source field (to be included in the backup set, for example, etc/sesam/backup_file_list.txt) and entered again with a -f switch in the Save options field: -f etc/sesam/backup_file_list.txt.
    See also How do I include or exclude a large number of files for backup.

    -F (format)

    Data stream format (valid for backup and restore operations) can be: default mtf for Windows SBC, default cpio for UNIX SBC, or sidf or none for Novell sbc_smdr.

    -F <data_format>
    

    -i (info)

    If specified, the descriptive additional information for the given save set is saved together with data during backup. Relevant only for backup, not considered for restore.

    -i <saveset_info>
    

    -j (job)

    Specifies backup task name.

     -j <job_name>
    

    -l (level)

    Specifies backup or restore level type.

    -l <level>
    

    For backup, the available backup level types are: FULL, DIFF, INCR and COPY.

     "c[opy]" | "f[ull]" | "i[ncr]" | "d[iff]"
    

    For restore, the available restore types are complete (full) restore, selective restore or list. The "l[ist]" parameter only lists the names of the incoming items in the log file.

    "f[ull]" | "s[elective]" | "l[ist]"
    

    -n (number)

    Optionally, this number can be used for restore with optional <offset> and <size> arguments to start a restore at specified offset and end when reaching the specified size (restored data size).

    -n <segment_number> | -n <segment_number>[:<offset>:<size>]
    

    -o (options)

    Specifies additional options for backup and restore. You can set SBC options in the backup task properties: Click the Options tab and under the Additional call arguments (Expert options) in the Save options field, specify the required options. The available SBC options depend on the selected operation, backup type, OS and platform.

    SBC Windows:

    {options}: comma separated list of
       compress                         # with compression
       exclude_match=pattern|regexp     # exclude matching, default: pattern
       encrypt={encrypted_passwd}       # en/decrypt with encrypted passwd
       encrypt_plain={passwd}           # en/decrypt with passwd
       locale={locale like bgr_BGR}     # set locale for backup/restore_sources
       skip_acl                         # process only data (no ACL)
       skip_adat                        # skip alternate data streams
       skip_data                        # process only ACL
       skip_shortname                   # skip short names (8.3 file names)
       skip_reparse                     # skip reparse point streams
       chksum=<1|0>                     # calculate checksum
    only for backup:
       add_archive_ready                # add files with archive bit
       clear_archive                    # clear archive bit after backup
       [no_]hardlink_data_single        # handling of hardlink's data
       [no_]sparse                      # handling of sparse file data
       excl                             # exclude folders with 'nosbc' (default)
       noexcl                           # ignore 'nosbc'
       follow                           # follow reparse points
       ignore_vss_access_denied         # item not accessible: end with warnings
       use_change_journal               # use NTFS journal on diff, inc backup
       no_use_change_journal            # DONT use NTFS journal on diff, inc backup
       force_enable_journal             # if NTFS journal disabled on volume - enable it and use next time
       skip_sbc_exclude                 # skip sm.ini [SBC_EXCLUDE] ExcludePattern#
       verify                           # verify data after backup
       bs=<1|size>                      # set cUrl upload buffer size (1 - set maximum size if supported)
    only for restore:
       break_on_error                   # abort after 1st error
       next                             # start from subsequent media
       overwrite                        # overwrite if file exists
       over=new, over=old               # overwrites newer/older files
       plain                            # restore plain in target dir
       tree                             # restore with subdirectories
       rename                           # rename if file exists
       show_not_processed               # log not processed item in level -v 0
    


    SBC Linux/UNIX:

    {options}: comma separated list of
                        compress, encrypt[_plain]=[{aes}|{bf}]<passwd>
                        noacl                 # process without ACL (Trustees)
    only for backup:    
                        verify                # verify data after backup
                        plain                 # do not descend into subdirectories
                        hard=defer            # defer hardlinks
                        hard=sort             # expect i-node sorted input
                        ignore_finderr        # ignore errors from sbc_find
                        chksum=<1|0>          # calculate checksum
                        bs=<1|size>           # set cUrl upload buffer size (1 - set maximum size if supported)
                        sparse[=origin|no]    # origin: (default) store sparse file property
                                              # no: ignore sparse file property
    only for restore:   
                        rename, overwrite     # rename/overwrite if file exists
                        over=new, over=old    # overwrites newer/older files
                        plain, tree           # restore plain/tree in target dir
                        sparse[=origin|zero|no] # origin: (default) restore sparse file by creating null byte sparse areas (>=512)
                                                # zero: restore all null byte ranges (>=512) as sparse
                                                # no: restore as non-sparse even if the original file was sparse
                        next                  # start from subsequent tape
    

    The following list provides some of the most used options. Note that some of the options might be platform/OS dependent and thus not available on all clients.

     -o <acl|noacl>
    

    Specifies whether the ACLs will be backed up and restored.

    -o over | -o over=newer|older
    

    Specifies that existing files are overwritten during restore. Additional arguments can restrict overwriting to cases where the files from the save set are older OR newer than the files on disk. See also Restore from tape via SBC without a valid SEP sesam database.

    -o skip_adat
    

    Specifies to exclude ADS from backup or restore. For details, see Support for NTFS alternate data streams (ADS) for Windows.
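A check for `-o` strings before they are saved as Additional call arguments, as an added example (not part of SBC or SEP sesam): it validates a comma-separated option string against the SBC Windows list above, reports options used with the wrong operation and contradictory pairs, and flags `encrypt_plain`, which according to that list takes the password itself rather than its encrypted form. It assumes that no value contains a comma; the pairs treated as contradictory are this example's reading of the option comments.

```python
"""Audit an SBC Windows `-o` option string (added example)."""

# Option names copied from the "SBC Windows" list above.
COMMON = {"compress", "exclude_match", "encrypt", "encrypt_plain", "locale",
          "skip_acl", "skip_adat", "skip_data", "skip_shortname",
          "skip_reparse", "chksum"}
BACKUP_ONLY = {"add_archive_ready", "clear_archive", "hardlink_data_single",
               "no_hardlink_data_single", "sparse", "no_sparse", "excl",
               "noexcl", "follow", "ignore_vss_access_denied",
               "use_change_journal", "no_use_change_journal",
               "force_enable_journal", "skip_sbc_exclude", "verify", "bs"}
RESTORE_ONLY = {"break_on_error", "next", "overwrite", "over", "plain",
                "tree", "rename", "show_not_processed"}

# Values the list spells out explicitly.
VALUE_RULES = {"chksum": {"0", "1"},
               "exclude_match": {"pattern", "regexp"},
               "over": {"new", "old"}}

# Pairs whose comments in the list describe opposite behaviour.
CONFLICTS = [("skip_acl", "skip_data"), ("excl", "noexcl"),
             ("use_change_journal", "no_use_change_journal"),
             ("sparse", "no_sparse"),
             ("hardlink_data_single", "no_hardlink_data_single"),
             ("overwrite", "rename"), ("plain", "tree")]

SECRET = {"encrypt", "encrypt_plain"}  # values that must never be logged


def parse(option_string):
    """Split 'a,b=c' into [(name, value_or_None)]; no commas inside values."""
    pairs = []
    for token in option_string.split(","):
        token = token.strip()
        if token:
            name, sep, value = token.partition("=")
            pairs.append((name, value if sep else None))
    return pairs


def redact(option_string):
    """Return the option string with password values masked, for logging."""
    parts = []
    for name, value in parse(option_string):
        if name in SECRET:
            parts.append(f"{name}=***")
        else:
            parts.append(name if value is None else f"{name}={value}")
    return ",".join(parts)


def audit(option_string, operation):
    """Return a list of (severity, option, message) findings."""
    if operation not in ("backup", "restore"):
        raise ValueError("operation must be 'backup' or 'restore'")
    if operation == "backup":
        allowed, other, other_name = COMMON | BACKUP_ONLY, RESTORE_ONLY, "restore"
    else:
        allowed, other, other_name = COMMON | RESTORE_ONLY, BACKUP_ONLY, "backup"
    findings, names = [], []
    for name, value in parse(option_string):
        if name in names:
            findings.append(("error", name, "given more than once"))
        names.append(name)
        if name not in allowed:
            reason = (f"only valid for {other_name}" if name in other
                      else "not in the SBC Windows option list")
            findings.append(("error", name, reason))
            continue
        if name in VALUE_RULES and value not in VALUE_RULES[name]:
            findings.append(("error", name,
                             f"value must be one of {sorted(VALUE_RULES[name])}"))
        if name == "encrypt_plain":
            findings.append(("warning", name,
                             "password is written in clear text in the option "
                             "string; encrypt= takes the encrypted form"))
    for first, second in CONFLICTS:
        if first in names and second in names:
            findings.append(("warning", first, f"set together with {second}"))
    return findings


if __name__ == "__main__":
    sample = "compress,encrypt_plain=S3cret,overwrite,chksum=2"  # constructed
    print(redact(sample))
    for finding in audit(sample, "backup"):
        print(finding)
```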

    -P (process)

    Specifies a process ID number for the kill command. If this switch is provided, a process with specified PID will be terminated.

    -P <PID>
    

    -R (restore target)

    Specifies restore target directory when restoring to a new location (relocation).

     -R <restore_target>
    

    -s (saveset)

    Specifies the used save set for backup (with -b switch), restore (with -r switch) or for terminating the operation with the specified save set's name by kill operation (with -k switch).

     -s <saveset_name>
    

    -S (storage host)

    Specifies SEP sesam storage host (SEP sesam Server or RDS). See also -C.

    -S <storage_node>
    

    -t (tape)

    Specifies the tape to be used for the respective operation on remote SEP sesam storage node. It is required when SESAM media server is involved. See also -d.

    -t <tape_spec>
    

    -T (time)

    Specifies time: By using this switch only files created or modified after the specified time will be processed. Time format is “YYYYMMDDHHMMSS”. The -T switch has higher priority than "-l <level>" switch, therefore the backup "COPY" level type is applied to all files matching the specified time.
    If specified with kill functionality, it will be used as timeout specified in seconds.

    -T <time>
    

    -x (exclude regex)

    Specifies regular expression exclusions for backup. For details, see Exclude with Regular Expressions.

     -x <exclude_regexp> 
    

    -X (exclude list)

    Specifies the list of items to be excluded from backup.

    -X <exclude_list>
    

    Typically, this option is used when the number of files or directories to be excluded for backup exceeds allowed length for exclude list (max. 1024 characters). It is recommended to create a separate file containing a list of regular expressions, one entry per line. Note that wildcards are not supported. The option -X requires a fully qualified exclude list or directory name, e.g., C:/sesam/exclude_list.txt.

    To enter the exclude file in the backup task properties, create or open the backup task, select the Options tab and under the Additional call arguments in the Backup options (previously Save options) field, enter the specified file in the form: -X C:/sesam/exclude_list.txt. For details and other exclude methods, see Creating exclude list. See also How can I set the SBC so that the exclude list always uses the file pattern (?,*) instead of using regular expressions?


    Part XVII: Appendix

    SEP sesam Matrices

Cross-Platform Recovery File System Layer

Overview

Cross-platform recovery file system layer (XPRFS) is a special implementation of a virtual file system layer. It is an advanced restore feature that allows for mount and restore onto different operating systems and hardware platforms (Windows – MTF <–> Linux/Unix – cpio).

For example, data backed up from a Linux system (cpio saveset) can be mounted on Windows RDS, and data backed up from a Windows system (MTF saveset) can be mounted on Linux/Unix RDS; note that the operating system of the restore target must be the same as the operating system of the used Remote Device Server (RDS) (for details, see Restrictions below).

XPRFS employs direct access to backed up data and allows you to access individual backed up files through a file browser, thus enabling single file restore (SFR). However, the original ownership and access settings for restored objects are not preserved when the backup is mounted; the user under which the SEP sesam service is running is effectively the owner of the restored files. For details, see Restrictions below.

XPRFS (Mount saveset option) is available for the following task types:

Task type SEP sesam version
Nutanix AHV v. ≥ 5.0.0 Jaglion
Path (file system backup) v. ≥ 4.4.3 Beefalo V2
MS SQL v. ≥ 4.4.3 Beefalo V2
NDMP v. ≥ 4.4.3 Beefalo V2
Kopano v. ≥ 4.4.3 Beefalo V2
RHV/OLVM v. ≥ 4.4.3 Beefalo V2
OLVM v. ≥ 5.0.0 Jaglion
OpenNebula v. ≥ 4.4.3 Beefalo V2
Citrix XenServer v. ≥ 4.4.3 Beefalo
KVM/QEMU v. ≥ 4.4.3 Beefalo
Hyper-V v. ≥ 4.4.3 Grolar
VMware v. ≥ 4.4.3
Exchange v. ≥ 4.4.3
SharePoint v. ≥ 4.4.2
NetApp v. ≥ 4.4.2

XPRFS advantages

One of the XPRFS main advantages is that it is no longer required to perform a complete restore of backed up data. By selecting the Mount saveset option in the restore wizard, the target saveset is mounted to the SEP sesam home directory var\tmp\mnt, e.g., C:\Program Files\SEPsesam\var\tmp\mnt\save_set_ID. The mounted saveset is instantly accessible for browsing and searching (some limitations apply, see Restrictions below).

It is recommended to use XPRFS for restoring specific data, such as Exchange, Hyper-V and vSphere backups, with the following major advantages:

  • Instant access to your data, such as single mailboxes.
  • Faster restore time and performance.
  • Reduced free space requirement on restore target.
  • Protection of mounted data – all data is mounted read-only, allowing you to query the saveset and preventing you from altering or damaging the data content.

XPRFS restrictions

The following restrictions apply for mounting and cross-platform recovery:

  • The guestfs-tools package has to be installed on Linux in order to access and mount the VM disk image on Linux. If the package is not installed on your SEP sesam Server or Linux RDS, it is not possible to mount VMDK and perform SFR. Refer to Installing guestfs-tools on Linux.
  • Note that mounting does not preserve the original ownership and permissions for restored objects. The owner of the mounted backup/restored data is determined by the user under which the SEP sesam service runs. Typically, on Unix/Linux this is root, while on Windows the sesam service is typically running under the LocalService account (NT AUTHORITY\LocalService; system user). Note, however, that some SEP sesam extensions (such as Exchange Recovery Pro or SharePoint Recovery Pro) require that the SEP sesam service is configured with a user account with domain administrator privileges.
  • You can mount a Windows backup to a Linux system or a Linux backup to a Windows system, but the operating system of the Remote Device Server (RDS) you used for mounting and that of the destination restore target must be the same. For example, you can mount a Windows backup on the Linux device server, but this backup can be restored on a Linux host only, and vice versa: you can mount a Linux backup on the Windows device server, but this backup can then be restored on a Windows host only.
  • When performing cross-platform restore, you should be aware of the data characteristics related to different platforms. For example, if you are restoring Windows data with access control list (ACL) (or alternate data streams (ADS)) to Linux, you have to be aware that ACL (and ADS) will not be preserved. Be aware that certain limitations apply whenever data is restored to another environment.

Enabling XPRFS

Prerequisites

XPRFS requires the following:

  • Single file restore (SFR) of backups from virtualization platforms, e.g. Citrix, requires the guestfs-tools package to be installed on Linux in order to access and mount VM disk image on Linux. If the package is not installed on your SEP sesam Server or Linux RDS, it is not possible to mount VMDK and perform SFR. Refer to Installing guestfs-tools on Linux.
  • A SEP sesam data store (Path, Si3 deduplication store, HPE StoreOnce, etc.) is required for instant single item recovery.

You can enable XPRFS via the SEP sesam GUI and also via the web Restore Assistant (v. ≥ 5.0.0 Jaglion). For details, see Restore Procedure in the GUI and Restore Procedure in the Restore Assistant.

Note
Restoring a single file is only supported in the UI mode where all options are available, i.e. in the Expert UI mode when you perform a single file restore via the GUI or in the Advanced UI mode when you use the web Restore Assistant. For details on switching the UI mode, see Setting the UI mode in the GUI and Setting the UI mode in the Restore Assistant.


Using SEP sesam REST API

The SEP sesam REST API is used for communication between the SEP sesam Clients and the SEP sesam Server and provides methods for accessing SEP sesam Server information and functionality. It contains methods for database access and higher level service functions and enables easy execution of SEP sesam operations.

The SEP sesam REST API supports the following:

  • Session-based authentication and HTTP basic authentication
  • GET and POST requests
  • JSON responses

You can access it via the following base URL:

http://<host>:<port>/sep/api/V2

SEP sesam REST API reference

The SEP sesam API documentation contains an overview of the SEP sesam REST API and information about its usage and available services.

The API documentation is version dependent. Make sure you select the correct version for your deployment.