HPE StoreOnce: Immutability with v12



With the newest release V12, Veeam Backup & Replication is now capable of implementing immutability with HPE StoreOnce Catalyst stores. HPE calls this ‘Independent Software Vendor (ISV) Controlled Data Immutability (ISV-DI)’. With this post I want to quickly describe the requirements and configuration steps.

Requirements

Some requirements need to be met in order to use immutability with StoreOnce systems.

  • you need to have a Gen4 StoreOnce system with at least firmware 4.3.2
  • you need to configure Dual Authorization
  • Maximum ISV Controlled Data Retention needs to be set to 365000 in the StoreOnce Catalyst Store
  • you need to use forward incremental backup jobs and/or enable GFS for Backup Copy Jobs
  • → For more information check the helpcenter

Enable Dual Authorization

With Dual Authorization, certain tasks on a StoreOnce require a second factor before they’re executed. This second factor isn’t an OTP token or something similar, but rather a second user/password which you need in order to approve the task. With regard to immutability, Dual Authorization prevents disabling immutability or deleting the whole Catalyst store.

It’s critical to store the credentials for this security user in a safe place, or even better, only offline.

If you haven’t configured Dual Authorization, you won’t be able to configure immutability in the Veeam Console and might see the following error:

 

The StoreOnce dashboard will also give you a hint that Dual Authorization is disabled.

So, before you start with anything else, enable Dual Authorization (if necessary). This can be done during the initial deployment:

 

 

If you upgraded from an earlier firmware or haven’t configured Dual Authorization at the initial deployment, you need to do 2 steps.

First create a new user with the SecurityOfficer role.

 

Next go to ‘Dual Authorization’ and click the 3 dots, choose ‘Configure Dual Authorization’ and enable it.

 

 

To finalize this step, log in with the newly created security officer, go to Dual Authorization and approve the request.

 

Configure Maximum ISV Controlled Data Retention

When creating a new Catalyst Store, go to the Security Settings and set the ‘Maximum ISV Controlled Data Retention’ to ‘365000’.

This can also be done for existing Catalyst Stores if you edit the store. Just keep in mind that after setting the value, you will need to approve it again with the Security Officer.

 

Add Catalyst Store to Veeam

To finalize the configuration, add the Catalyst Store to Veeam and configure the immutability as required.

 

 

 

You can also enable immutability on existing stores but this will only affect new backup chains.

Update 17.03.2023: The current or a new backup chain will be made immutable. All closed backup chains won't be protected.

 

Conclusion

The configuration of immutability for StoreOnce Catalyst stores isn’t complicated and the setting should be enabled in every environment. Afterwards backups cannot easily be deleted, either by accident or by an attacker.

From a security perspective you should consider the following points, which affect the effectiveness of the solution:

  • keep the Security Officer’s credentials secret
    • an attacker will be able to circumvent the immutability if he gets access to those credentials
    • I would even go as far as to say that you print them out and stick them physically on the StoreOnce
  • keep the iLO Interface secure or even disconnected: all StoreOnce security measures won’t help if someone physically wipes the device remotely via iLO
  • monitor the immutability setting in Veeam: If an attacker can’t delete your backups, he might just alter or completely disable immutability in Veeam
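
One way to act on the last point and on the requirements listed earlier is a periodic drift check against a known-good baseline. The following is an added example, not part of the original post and not Veeam or HPE code; the snapshot layout and all field names are hypothetical and the sample data is constructed, so map them to whatever your own configuration export provides.

```python
import json

# Constructed sample data. Field names are hypothetical; map them to whatever
# your StoreOnce and Veeam configuration export actually provides.
BASELINE = {"immutability_enabled": True, "immutability_days": 30}
SNAPSHOT_JSON = """
{
  "storeonce": {"firmware": "4.3.2", "dual_authorization": true,
                "max_isv_retention": 365000},
  "veeam_repository": {"immutability_enabled": true, "immutability_days": 7}
}
"""

MIN_FIRMWARE = (4, 3, 2)          # minimum firmware named in the requirements
REQUIRED_MAX_RETENTION = 365000   # value required on the Catalyst store


def parse_version(text):
    """Turn '4.3.2' into (4, 3, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_snapshot(snapshot, baseline):
    """Return a list of findings; an empty list means no drift was detected."""
    findings = []
    so = snapshot["storeonce"]
    repo = snapshot["veeam_repository"]
    if parse_version(so["firmware"]) < MIN_FIRMWARE:
        findings.append("firmware below 4.3.2")
    if not so["dual_authorization"]:
        findings.append("Dual Authorization disabled")
    if so["max_isv_retention"] != REQUIRED_MAX_RETENTION:
        findings.append("Maximum ISV Controlled Data Retention is not 365000")
    if baseline["immutability_enabled"] and not repo["immutability_enabled"]:
        findings.append("immutability disabled in Veeam")
    elif repo["immutability_days"] < baseline["immutability_days"]:
        findings.append(
            f"immutability period reduced from {baseline['immutability_days']} "
            f"to {repo['immutability_days']} days")
    return findings


if __name__ == "__main__":
    for finding in check_snapshot(json.loads(SNAPSHOT_JSON), BASELINE):
        print("ALERT:", finding)
```

Keep the baseline and the alerting outside the backup server, so that someone who controls the Veeam console cannot silence the check along with the setting.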

13 comments

Userlevel 7
Badge +20

Nice to see with v12 that more vendors are progressing to immutability for their storage. 👍

Userlevel 7
Badge +7

thanks for the detailed info @regnor 

My “to play with” list since V12 launch keeps growing and growing!

cheers-

Userlevel 7
Badge +6

Great blog, thank you!

Userlevel 7
Badge +6

I don’t live in the HPE world very much, so it’s nice to see what is offered there.  This looks pretty cool, and I’m glad to see more immutability options!

Userlevel 7
Badge +12

@dloseke Absolutely. In my opinion, if you rely on deduplication appliances for long term storage, immutability is a must.

Userlevel 1
Badge

Hi @regnor,

Thank you for the guide!
Can we please double check that? “You can also enable immutability on existing stores but this will only affect new backup chains.” 
When going through: https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=120

  • If you increase the immutability period in repository settings, a new value will be applied for all log backup files created after the last successful image-level VM backup or physical machine backup. If you decrease the immutability period, a new value will be applied only for the next log backup files.

That would mean the immutability would be set also on the already existing backup chains.

Thanks a lot for looking at it! 

Userlevel 7
Badge +12

@aedam Is your question on the StoreOnce or on the hardened repository? The article is about the latter one.

But my wording may be wrong anyway, as the current backup chain indeed will be immutable. What I wanted to say is that existing backups/GFS restore points won’t get immutable. I’m planning to write a part 2 where I will do some tests and see how it behaves.

Note that if you enable immutability and Veeam Backup & Replication does not start a new backup chain and still continues the chain, the whole backup chain is marked as immutable. Once you disable immutability, newly created backups are not marked as immutable.

https://helpcenter.veeam.com/docs/backup/vsphere/storeonce_supported_features.html?ver=120#immutability

Userlevel 1
Badge

@regnor thank you for the reply and the link - that's exactly what I needed.

I just wanted to clarify as to what will happen to the existing backup chains on the store after we enable the immutability. I was kind of hoping for the same behavior as the hardened repository, that's why I linked that one, but after reading the article I wasn't sure whether I need to create an AF or not, as you said “this will only affect new backup chains”, so I wanted to clarify that.

Not sure if that's just me who got confused by this, anyway thanks a lot for clarification :) 

Userlevel 7
Badge +12

@aedam I posted part 2 in the community where I look at the scenario of enabling immutability for existing backups and adjust the time frame.

I will also correct the sentence regarding the existing backup chains in this post. Thanks for making me aware of this 😊

Why does this value need to be set to that specific value?

 

  • Maximum ISV Controlled Data Retention needs to be set to 365000 in the StoreOnce Catalyst Store
Userlevel 7
Badge +12

Why does this value need to be set to that specific value?

 

  • Maximum ISV Controlled Data Retention needs to be set to 365000 in the StoreOnce Catalyst Store

This requirement comes from Veeam. 365000 is probably the maximum you can set on the StoreOnce. So this ensures that you can configure any possible value in your Veeam repository.

Will the StoreOnce immutable functionality support Veeam for SAP HANA plugins?

Userlevel 7
Badge +20

Will the StoreOnce immutable functionality support Veeam for SAP HANA plugins?

According to this page, as long as you set up access for the user account configuring the plugin, you should have access to the repository for StoreOnce: Configuring Plug-in for SAP HANA - Veeam Plug-ins for Enterprise Applications

IMPORTANT

  • The used account must have access to Veeam backup repositories that you plan to use.
  • Encryption must be disabled on the repository.

Otherwise, the repositories will not be listed as available. To learn how to configure access and encryption settings on repositories, see Access and Encryption Settings on Repositories.
