1、NetAppxDataONTAP8.2ArchiveandComplianceManagementGuideFor7-ModeNetApp, Inc.495 East JaVa Drive Sunnyvale, CA 94089 U.S.Part number: 215-07975_A0May 2013Telephone:+1(408)822-60Fax:+1(408)822-4501Supporttelephone:+1(888)463-8277Web:Feedback:doccommentsContentsWhatSnapLockis9HowSnapLockworks9Hardwarepl
2、atformsSUPportedforSnapLock10LicensingSnapLockfunctionality10EnablingtheSnapLockfunctionality11SnapLockandAutoSupportmessages11WhatComplianceClockis12WhatsystemConiplianceClockis12WhatvolumeComplianceClockis12InitializingthesystemComplianceCIock13ViewingthesystemCompIianceClockandvolumeComplianceClo
3、cktime13UpgradeconsiderationsforComplianceClock14HowthevolumeComplianceClockimpactsSnapLockoperations15OperationsthatmightaffectvolumeComplianceClocktime15CreatingSnapLockvolumes16CreatingSnapLocktraditionalvolumes16CreatingSnapLockaggregatesandtheirflexiblevolumes17SnapLockCompliancewriteverificati
4、onoption18UsingtheSnapLockCompliancewriteverificationoption18WhataWORMfileis19HowtomanageWORMdata20TransitioningdatatotheWORMstate20DeterminingtheWORMstatusofafile21ExtendingtheretentiondateofaWORMfile22WhattheWORMappendfileis23CreatingaWORMappendfile23Whatretentionperiodis25HowtheSnapLockvolumerete
5、ntionperiodworks26Viewingtheretentionperiodofavolume26Whattheminimumretentionperiodis27Settingtheminimumretentionperiod28Whatthemaximumretentionperiodis28Settingthemaximumretentionperiod29Whatthedefaultretentionperiodis29Settingthedefaultretentionperiod30CommittingfilestoWORMstateautomatically31HowS
6、napLockautocommitfeatureworks31Settingtheautocommitperiod31DisplayingtheautocommitperiodofaSnapLockvolume34Whattheprivilegeddeletefeatureis35Howprivilegeddeleteworks35Limitationsoftheprivilegeddeletefunctionality36Ensuringsecureconnectiontothestoragesystem37Enablingprivilegeddeletefunctionality37Dis
7、ablingordisallowingprivilegeddeletefunctionality38DeletingaWORMfileusingprivilegeddelete38Howprivilegeddeleteaffectsmirroringinteractions39Considerationswhenusingtheprivilegeddeletefeature40WhatSnapLockloggingis41TypesofSnapLocklogfiles4lWhattheSnapLocklogfilecontains42AdvantagesofSnapLocklogging45L
8、imitationsofSnapLocklogging46AssigningaSnapLocklogvolume46Howarchivingalogfileworks47Archivinglogfiles47FindingthestatusoftheSnapLocklogfile48UpgradeandrevertconsiderationsforSnapLocklogging49HowDataONTAPtracksthefilesonSnapLockvolumes50DestroyingaSnapLockvolume50Destroyingaggregates50HowSnapLockuse
9、sfingerprints52Howafingerprintiscalculated52Inputparametersforthefingerprintoperation53Calculatingthefingerprintofafile53Outputparametersforthefingerprintoperation54SnapLockinteractionwithavFilerunit57CreatingtherootofavFilerunitfromaSnapLockvolumetoanon-SnapLockvolume571.imitationsofvFilerunitsonSn
10、apLockvolumes58SnapLockinteractionwithHAconfiguration59SnapLockinteractionwithMetroCIuster60SnapLockinteractionwithFIexCIonevolumes61ProtectingyourSnapLockvolumeswithSnapMirror62SnapLockqtreeSnapMirrorresynchronizationrestrictions62Whatthedumpfileis63ExtractingfilesfromthedumpfileafteraqtrccSnapMirr
11、orrcsynchronization63Howtosetancnd-to-cndSnapLockCompliancevolumeSnapMirrorrelationship64LimitationsoftheSnapMirrorrelationship64CreatingavolumeSnapMirrorrelationshipforaFlexVolvolume65CreatingavolumeSnapMirrorrelationshipforatraditionalvolume66TheSnapLockforSnapVauItfeature-secureSnapVauItdestinati
12、on68GuidelinesforusingtheSnapLockforSnapVauItfeature69Aspectsofcapacityplanning70GuidelinesforestimatingSnapVaultsecondarystoragesystemvolumesize70Estimatingthelogvolumesize71HowtosetupSnapVauItbackups72ConfiguringaprimarystoragesystemforSnapVault72ConfiguringaSnapVaultsecondarystoragesystem73Schedu
13、lingSnapVaultupdatebackupsontheprimarystoragesystem74SchedulingSnapVaultupdatebackupsontheSnapVaultsecondarystoragesystem75SchedulingSnapVaultupdatebackupsontheSnapVaultprimaryandsecondarystoragesystemschedules75GuidelinesforschedulingSnapVaulttransfers76ManagementofWORMSnapshotcopiesbyusingSnapVauI
14、t77HowretentionofSnapshotcopiesworksonSnapLockvolumes77HowSnapshotcopiesarenamedonSnapLockvolumes77RetentionperiodforWORMSnapshotcopiescreatedbySnapVault78DefaultSnapVaultsettingsfortheWORMSnapshotcopiesretentionperiod78SpecifyingretentionperiodforWORMSnapshotcopies78ExtendingtheretentionperiodofWOR
15、MSnapshotcopies79ListingSnapshotcopiesontheWORMvolume80ListingSnapshotcopiesandretentiondates80DeletingexpiredWORMSnapshotcopies81Howtoretainmorethan255SnapVaultSnapshotcopies82HowtocreateanewvolumetoretainmoreSnapshotcopies82AdvantagesofcloningSnapshotcopies82AdvantagesofcopyingSnapshotcopies83Crea
16、tinganewvolumeforretainingSnapshotcopies83Verifyingthestateoftheoldvolume83RemovingtheSnapVaultschedulesfortheoldvolume85Creatingavolumeclonetoanewvolume85CopyingtheappropriateSnapshotcopytoanewvolume86Checkingorsettingtheretentionperiodonthenewvolume87Checkingvolumeoptionsonthenewvolume87Restarting
17、allSnapVaultrelationshipsinthenewvolume88ReconfiguringtheSnapVaultschedulesinthenewvolume88EnsuringthemigrationofSnapshotcopies89StoppingallSnapVaultrelationshipsintheoldvolume89BackupofthelogvolumescreatedbytheSnapLockforSnapVaultfeature90ProtectingalogvolumeoftheSnapLockforSnapVauItfeature90Failin
18、govertothestandbysystem90Reestablishingstandbyprotection90HowtoresynchronizeabrokenSnapVaultrelationship91TurningSnapVaultoff91ManagementofSnapVauItlogfiles92RegulatorycomplianceandSnapVaultlogfiles92HowSnapVaultmaintainscompliance92Operationslogfile92Files-transferredlogfiles93Configuringthelogvolu
19、mesoftheSnapLockforSnapVaultfeature93Wherethelogfilesarekept94Whatfiles-transferredlogfilescontain94Typesoflogentriesrecorded95Logentryformat95Howlogentriesarecreated96HowtoprovidebackupandstandbyprotectionusingSnapMirror98SettingupbackupandstandbyprotectionforSnapVauIt99Reestablishingbackupandstand
20、byprotectionforSnapVault99Returningtotheoriginalbackupandstandbyconfiguration1001.imitationstocompliancebackupandstandbyservice100HowtomanageSnapLockthroughDataONTAPAPIs102WhatONTAPIis103SettingupaclienttouseONTAPIcalls104BenefitsofusingtheDataONTAPAPIsuite107ListofSnapLockAPIs108VoIume-Create108fil
21、e-get-snaplock-retention-time109file-get-snaplock-retention-time-list-infb-max109file-set-snaplock-retention-time109file-snaplock-retcntion-time-list-infb109snaplock-get-log-volume109snaplock-get-options109snaplock-log-archive110snaplock-log-status-list-infb110snaplock-privileged-delete-filc110snapl
22、ock-set-log-volume110snaplock-set-options110file-get-fingerprint110snaplock-get-system-compliance-clock111snaplock-get-volume-compliance-clock111Whattheextendeddaterangemechanismis112SettingfilestoWORMstatefromanapplication113UsingSnapLockvolumedefaultstosetretentionperiod115UsingtheSnapLockautocomm
23、itfeaturefromanapplication116HowtoimplementSrl叩LOCkfeaturesthroughDataONTAPAPIs.117UsingtheSnapLockprivilegeddeletefeaturefromanapplication.118UsingtheSnapLockloggingfeaturefromanapplication119Whatevent-basedretentionis120Whatlegalholdis121Implementationofevent-basedretentionandthelegalholdfeatureus
24、ingSnapLock122Implementingevent-basedretentionandlegalhold123Deletingarecordusingtheprivilegeddeletefeature125ExamplesforsettingafiletoWORMstateusinganapplication126ExamplesforsettingtheSnapLockvolumedefaults129Examplesforsettingtheautocommitfeatureandtimeintervals130Examplesforcreatingacompliancead
25、ministrator131ExamplesforsettingaSnapLocklogvolume133Examplesforenablingtheprivilegeddeletefeature134Examplesforperformingaprivilegeddelete135Copyrightinformation136Trademarkinformation137Howtosendyourcomments138Index139WhatSnaDLOCkisSnapLockisanalternativetothetraditionalopticalwriteonce,readmany(W
26、ORM)data.SnapLockisusedforthestorageofread-onlyWORMdata.SnapLockisalicense-based,disk-based,open-protocolfeaturethatworkswithapplicationsoftwaretoadministernon-rewritablestorageofdata.TheprimaryobjectiveofthisDataONTAPfeatureistoprovidestorage-enforcedWORMandretentionftnctionalitybyusingopenfileprot
27、ocolssuchasCIFSandNFS.SnapLockcanbedeployedforprotectingdatainstrictregulatoryenvironmentsinsuchawaythateventhestorageadministratorisconsideredanuntrustedparty.SnapLockprovidesspecialpurposevolumesinwhichfilescanbestoredandcommittedtoanonerasable,non-rcwritablestateeitherforeverorforadesignatedreten
28、tionperiod.SnapLockallowsthisretentiontobeperformedatthegranularityofindividualfilesthroughstandardopenfileprotocolssuchasCIFSandNFS.HowSnapLockworksTheWORMdataonSnapLockvolumesisadministeredinthesamewayasdataonregular(nonWORM)volumes.SnapLockvolumesoperateinWORMmodeandsupportstandardfilesystemseman
29、tics.YoucancreatedataonaSnapLockvolumeandcommitittotheWORMstatebytransitioningthefilefromawritablestatetoaread-onlystate.Markinganactivewritablefileasread-onlyonaSnapLockvolumecommitsthedatatoWORM.WhenafileiscommittedtoWORM,itcannotbealteredordeletedbyapplications,users,oradministratorsuntilthefiler
30、etentiondateisreached.TheexceptionisinSnapLockEnterprisevolumes,whereyoucandeleteafilebeforeitreachestheretentiondatebyusingtheprivilegeddeletefeature.ThedatathatiscommittedtotheWORMstateonaSnapLockvolumecannotbechangedordeletedbeforeitsretentiondate.However,youcanchangeordeletetheemptydirectoriesan
31、dfilesthatarenotcommittedtoaWORMstate.Directoriesdonotbehaveanydifferentlythantheywouldonregularvolumes,withtheexceptionthattheycannotberenamedormovedoncecreated.ItisarequirementforregulatorycompliancethatWORMdatabenotonlynon-erasableandnon-rewritable,butitmustalsobelockeddowninthesamelocationatwhic
32、hitwascreated.InthecaseofWORMimplementation,thismeansthatthedirectorypathtoWORMfilesmustbelockeddownandshouldneverchange.InDataONTAP7.0andlater,WORMfilescanbedeletedaftertheirretentiondateshavebeenreached.TheretentiondateonaWORMfileissetwhenthefileiscommittedtotheWORMstate,butitcanbeextendedatanytim
33、e.TheretentionperiodcanneverbeshortenedforanyWORMfile.HardwareplatformssupportedforSnapLockSnapLockisexclusivelyalicensedfeatureofDataONTAPandissupportedonalmostallNetApphardwareplatfns.V-SeriessupportsSnapLockEnterpriseonbothnativeandthird-partystorage,however,SnapLockComplianceissupportedonlyonnat
34、ivedisks.1.icensingSnapLockfunctionalityYoumustlicenseSnapLockCompliance,SnapLockEnterprise,orbothbeforeyoucanusetheSnapLockfeature.Afterinstallingthelicense,youneedtoenablethem.BeforeyoubeginYoumustensurethatStorageEncryptionfunctionalityisnotenabledonthestoragesystem.StorageEncryptionisnotsupporte
35、dwithSnapLock.IfStorageEncryptionisenabledonastoragesystem,youcannotusetheSnapLockfunctionality.IfaSnapLocklicenseisinstalledonthestoragesystem,StorageEncryptionfunctionalitywillbeunavailable.AboutthistaskSnapLockdoesnotsupportsolid-statedrive(SSD)aggregates.Steps1. CheckiftheSnapLocklicensesexiston
36、thestoragesystembyenteringthefollowingcommand:license2. InstallalicenseforSnapLockCompliance,SnapLockEnterprise,orbothbyusingthelicenseaddcommand.TousetheSnapLockCompliancefeature,enterthefollowingcommand:licenseaddsnaplock_licenseToinstalltheSnapLockEnterprisefeature,enterthefollowingcommand:licens
37、eaddsnaplock_enterpriseAfteryoufinishEnabletheSnapLocklicense.RelatedtasksEnablingtheSnapLockfunctionalityonpage11EnablingtheSnapLockfunctionalityAfterinstallingtheSnapLocklicense,youmustalsoenablethefunctionality.BeforeyoubeginYoumusthavelicensedtheSnapLockCompliance,SnapLockEnterpriseorboththefunc
38、tionalities.AboutthistaskNote:IfyourstoragesystemcontainsSnapLocklicenseandyouupgradetoDataONTAP8.2,theSnapLockfunctionalitywillbeenabledbydefault.Steps1. Dependingonyourrequirement,completeoneofthefollowingsteps:If you want to.Enable the SnapLock Enterprise functionalityDisable the SnapLock Enterpr
39、ise functionalityEnterthefollowingcommand.optionslicensed_feature.snaplock_enterprise.enableonoptionslicensed_feature.snaplock_enterprise.enableoff2. Dependingonyourrequirement,completeoneofthefollowingsteps:If you want to.Enable the SnapLock Compliance functionalityDisable the SnapLock Compliance f
40、unctionalityEnterthefollowingcommand.optionslicensed_feature.snaplock.enableonoptionslicensed_feature.snaplock.enableoffAfteryoufinishInitializethesystemComplianceClock.SnapLockandAutoSupportmessagesIfyouenabletheAutoSupportfeature,thestoragesystemsendsAutoSupportmessagestotechnicalsupport.AutoSuppo
41、rtmessagesincludeevent,log-leveldescriptions,SnapLockvolumestateandoptions.TheAutoSupportmessagesalsocontainthesystemComplianceClocktime,thevolumeCompIianceClocktimeofalltheSnapLockvolumes,andtheexpirydateofallvolumesonthestoragesystem.Note:AutoSupportmessagesdonotincludeoptionssuchasaprivilegeddele
42、tesetting.ToknowmoreabouttheAutoSupportmessages,seetheDataONTAPSystemAdministrationGuidefor7-Mode.WhatCompIianceCIockisComplianceClockisasecuretimebasethatpreventscompliantdatafrombeingtamperedwith.ComplianceClockmakesitimpossibletoprematurelymodifyordeletedatabyalteringsystemclock.StartingwithDataO
43、NTAP8.1,therearetwotypesofComplianceClockvolumeComplianceClockandsystemComplianceClock.ThesetwotypesofComplianceClockminimizetheComplianceClocklagandenabletheexpiryofWORMfileswithextendedretention.RelatedconceptsWhattheextendeddaterangemechanismisonpage112WhatsystemCompIianceCIockisAsystemCompliance
44、Clockisasecuretimebaseforeachstoragesystem.ThesystemComplianceClockprovidestheinitialvalueforvolumeComplianceClockwhenanewSnapLockvolumeiscreated.ThesystemComplianceClockconfigurationisusedasareferencetimeforupdatingthevolumeComplianceClock.WhatvolumeCompIianceCIockisThevolumeComplianceClockisatime-
45、basedsecurityfeatureforeachvolume.ThevolumeComplianceClockisusedtodeterminetheexpirydateofWORMfilesandSnapshotcopiesinaSnapLockvolume.ThevolumeComplianceClockisinitializedautomaticallyduringthecreationofanewSnapLockvolume.WhenanewSnapLockvolumeiscreated,thevolumeComplianceClockgetsitsinitialtimefrom
46、thesystemCompIianceClocktime.Since,eachSnapLockvolumemaintainsitsownvolumeComplianceClockvalue;therefore,achangeintheComplianceClockvalueofonevolumedoesnotaffecttheComplianceClockofanyothervolume.HowvolumeCompIianceCIockinteractswiththesystemCompIianceCIockThevolumeCompIianceClockobtainsitsstartingv
47、aluefronthesystemComplianceClocktimewhenanewvolumeiscreated.Therefore,acontinuousassociationismaintainedbetweenthevolumeComplianceClockandsystemComplianceClock.ThisassociationminimizestheinstancesofComplianceClocklag.InitializingthesystemCompIianceCIockYoumustinitializethesystemComplianceClocktocreateSnapLockvolumes.Duringinitialization,thesystemCompIia
免费区 
