Release Notes 4.4.3 Grolar

From SEPsesam
Jump to: navigation, search

Copyright © SEP AG 1999-2018. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

What's new in SEP sesam 4.4.3 Grolar

SEP sesam new release, a hybrid Grolar, brings a fistful of features that help you enhance data protection in your environment and ease administrative tasks.

Version 4.4.3 Grolar introduces new S3 cloud storage to be able to safely store and retrieve your business data. Also new is enhanced capability to utilize NetApp hardware storage snapshots for backup.

SEP sesam no longer supports Hyper-V multiple virtual machine backup (by specifying all as a source) in one backup task. You have to configure a backup task for each virtual machine. However, you can now restore single items from Hyper-V FULL backups if the saveset is stored on a data store or Si3 deduplication store.

SEP sesam introduces changed block tracking (CBT) support for Citrix XenServer 7.3 and higher thus providing incremental backup capabilities; new backup levels are available accordingly for Citrix XenServer backups.

SEP sesam allows administrators to configure access control lists (ACLs) for locations and clients, if they are granted appropriate permissions.

Direct access recovery (DAR) is now enabled by default during NDMP backup to enable selective restore. Previous special configuration of DAR is no longer required nor supported.

With Self-Service Restore Assistant you can now restore a data from a regular Path, NDMP and NSS backups as well as email(s) from Kopano backup.

Default access mode is now changed from CTRL to SM_SSH to provide more secure communication. Note that it is strongly recommended to use the default SM_SSH instead of CTRL access mode whenever possible.

You can now exclude patterns (directories or files) from BSR image backup (BSR Pro 2.0) and activate compression. For details, see SEP sesam BSR Pro – Backup Configuration.

This release provides improved functionality for exclude processing for Windows VSS writers and for mounting savesets containing umlauts (ä, ü, ö, ...).

GUI enhancements enable you to check the Si3 deduplication store state, set your preferred GUI mode, clear the GUI cache memory, disable a particular backup task or a task group from running for a certain period of time, manage multiple drives, and set additional options.

Rythm templates can be used for customized advanced reporting. They are installed in the <SESAM_BIN>/skel/templates/rythm directory. Note, however, that such custom reports are beyond the scope of SEP sesam standard support; they require additional technical assistance provided by SEP Consulting Service.

SEP sesam Server requirements

JavaFX
JavaFX is required for the web dashboard and user-defined schedules. For details on the exact version, see Java Compatibility Matrix.
64-bit or PowerPC (PPC) architecture required
SEP sesam Server requires an operating system running on 64-bit or a PowerPC (PPC) architecture. PowerPC (PPC) is supported for several Linux distributions, see SEP sesam Support Matrix.

For details, see SEP sesam Support Matrix and SEP sesam Server hardware requirements.

Installation and upgrades

SEP sesam 4.4.3 Grolar was released on 23rd of July, 2018. Direct upgrade for versions 3.6/4.x to version 4.4.3 Grolar is supported.

Latest released versions are:

  • SEP sesam 4.4.3.64 Linux Tux.gif – released: 29th of October, 2018.
  • SEP sesam 4.4.3.64 Windows Win7.gif – released: 29th of October, 2018.
Win7.gif Windows specific

The 4.4.3 Grolar installation package on Windows also includes:

  • VMware® Virtual Disk Development Kit (VDDK) version 6.5 for Windows.
  • Callback File System® (CBFS®) version 6.1.181 from EldoS Corporation, used to create virtual file systems and disks for savesets which are stored on SEP sesam local data store or Si3 deduplication store.
Information sign.png Note
A CBFS driver is needed for the virtual file system layer (Cross Platform Recovery File System – XPRFS). The installation/update of this driver requires a reboot of your newly installed or updated Windows SEP sesam Server unless this driver is already installed with a previous SEP sesam 4.4.3.xx installation.

SEP sesam Server and Client components should be upgraded to the latest version during the upgrade process. This ensures that SEP sesam Clients are fully protected. Customers with a valid license are eligible for a free upgrade of SEP sesam to any new release for the duration of the license. See also Automatic Updates and Automatic Installation on Windows.

Information sign.png Note
As of Grolar release, SEP sesam executables are single signed with SHA256. Because of the buffer limitation of the GetCertHash() function on Windows Server 2008 SP2, the SEP sesam executables which are now signed with a SHA256 certificate cannot run on Windows Server 2008. To install/upgrade SEP sesam on the respective Windows Server version, you have to install a special Windows update first. For details and update download, see any of the following links:

Previous release

Known issues and limitations

Information sign.png Note
Antivirus programs may disrupt network communication and cause SEP sesam processes, such as backup and replication, to fail. One program that is known to cause SEP sesam processes to terminate is Sophos Firewall with IPS (Intrusion Prevention System) enabled. Make sure that there are no antivirus, firewall, IDS or IPS programs preventing interaction with SEP sesam.
SEP sesam v. 4.4.3.61-64 known issues:
SEP sesam v. 4.4.3.64 – Bakups may fail with "Error reading SSH protocol banner"
  • In a high load environment with many backups running simultaneously, backups may fail with "Error reading SSH protocol banner". This happens when the default access mode SM_SSH is used and SEP sesam Server cannot connect to RDS due to limited allowed connections.
Workaround: You have to set the number of maximum allowed connections to 255 for SM_SSH access mode in the sm_sshd.ini file on the client where the error occurs:
      /var/opt/sesam/var/ini # cat sm_sshd.ini
      [SSHD]
      max_connections=255

If sm_sshd.ini file does not exist, create it and set the above parameter.

SEP sesam v. 4.4.3.64 – Client SMS access settings are cleared on the Micro Focus Linux client after update to version 4.4.3.64
  • If you open the properties of an already configured Micro Focus client with Linux OS and click OK, Micro Focus Storage Management Services (SMS) access settings are cleared.
Workaround: In the client properties, select OES-Linux from the Operating system drop-down list and then re-enter and save the settings. SEP support is working on this issue and will provide a fix as soon as possible.
SEP sesam v. 4.4.3.62 – When restoring a Hyper-V VM to a different hypervisor node, hypervisor system volume may get full due to temporarily stored files
  • If you restore a Hyper-V VM to a different hypervisor node (other than original), then some data, such as memory files (.vmrs), is temporarily stored in the folder <SEPsesam\var\tmp> on the target hypervisor. In case of restoring a Hyper-V VM with large memory size (RAM), temporarily stored data may result in full hypervisor system volume.
Workaround: SEP support is working on this issue and will provide a solution as soon as possible.
SEP sesam Server v. 4.4.3.61/.62 – VMware mount/attach does not work with Windows data mover v. 4.4.3.48
  • If SEP Server version is 4.4.3.61, but the Windows data mover is still 4.4.3.48, VMware mount/attach does not work.
Resolve: New backups can be mounted/attached without problems when both, the Windows data mover and SEP sesam Server have the same version – update the data mover to the same version as your SEP sesam Server!
SEP sesam Server v. 4.4.3.61/.62 – VMware mount/attach does not work for incremental (INCR) backups performed with previous version
  • If SEP Server version is 4.4.3.61 and INCR VMware backups have been performed with the previous SEP sesam version, attaching and mounting VMDK is not possible. The problem is that in the .lis file the date format of INCR savesets is incorrect, while sm_vfs expects a date and time greater than the time of the corresponding FULL backup.
Workaround:
  • Please contact SEP sesam support at support@sep.de for assistance OR
  • Perform the following tasks manually to fix the date in the .lis files: Delete all .lsl and .lst files. Then use a plain text editor, such as Notepad++, to modify the dates in all .lis files: Use Windows Explorer to navigate to lis folder and search for: *_V?201*.lis. Select all found files and use the right mouse button to open them. Then find and replace (use Search > Replace) the date "0000-00-00 00:00:00" with any real date, for example, "2018-01-01 01:01:01". In all subsequent INCR files there must be a time stamp that is more recent, e.g. "2018-01-01 01:01:02", "2018-01-01 01:01:03"!
  • SEP sesam v. 4.4.3.56-4.4.3.62 – After the last Windows 10 update, system state restore fails to set standard attributes for Windows Defender files and directories
    • After automatically updating Windows 10, system state restore finishes with warnings because standard attributes for Windows Defender files and directories are not set.
    Workaround: SEP support is working on this issue and will provide a solution as soon as possible.
    SEP sesam v. 4.4.2.xx and 4.4.3.xx – Restore of multiple Oracle archive log files from tape fails
    • When restoring multiple Oracle archive log files that were written at different time intervals to the same tape, restore fails. The problems is that RMAN starts a restore for every Oracle log file with no drive number set, thus the restore job is submitted into queue manager without drive number, using different drives. Then restore requires a tape which is already mounted on another drive and, consequently, fails.
    Workaround: To ensure that only one tape drive is used during the backup, start the RMAN restore with only one drive by setting the value of SESAM_DRIVE.
    Fixed with SEP sesam Server 4.4.3.64:
    SEP sesam v. ≤ 4.4.3.62 – (CVE-2018-1000805) Paramiko contains a Incorrect Access Control vulnerability in SSH server that can result in Remote Code Execution (RCE)
    • SEP sesam uses Paramiko for the SM_SSH access mode. Paramiko contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity. The vendor has confirmed the vulnerability; it relates to Paramiko versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6. This issue is listed as CVE-2018-1000805 in the MITRE CVE dictionary and in the NIST NVD.
    Fixed: With version Paramiko 2.4.2 included in SEP sesam v. 4.4.3.64.
    SEP sesam v. 4.4.3.62 – After upgrading SEP sesam to v. 4.4.3.62, backup of CIFS shares ending with $, e.g., //win-server/D$, does not work
    • After installing the update 4.4.3.62, backing up CIFS shares with path //path ending with $, e.g., backup source //win-server/D$, no longer works as it is passed as URI encoded. Backup of CIFS shares without the $ character works without problems because it does not contain any special characters.
    SEP sesam v. 4.4.3.60-4.4.3.62 – Restore from tape takes a long time or may be aborted due to positioning of the tape taking too long
    • As of 4.4.3.60 Grolar, SEP sesam does not use fast forward (fast positioning) to the file mark where the saveset is stored on tape; instead the tape is read from the beginning which causes the restore process to take longer or the restore timed out.
    Fixed with SEP sesam version 4.4.3.62:
    SEP sesam v. ≤ 4.4.3.61 – (CVE-2018-7750) Paramiko transport.py authentication bypass in the SSH Server functionality; possible security risk because SM_SSH access mode uses weak ciphers
    • SEP sesam uses Paramiko transport.py for the SM_SSH access mode. A vulnerability in Paramiko transport.py could allow unauthorized access to SEP sesam because transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step. By using a customized SSH client, an attacker can skip the authentication step and gain unauthorized access to resources on the SEP sesam system. This issue is listed as CVE-2018-7750 in the MITRE CVE dictionary and in the NIST NVD.
    • Weak ciphers/MAC are available for connection with SM_SSH access.
    Fixed: New python paramiko module solves issues with unauthorized access and weak ciphers. Update all SEP sesam Clients, SEP sesam Servers and Remote Device Servers to SEP sesam version 4.4.3.62 Grolar.
    SEP sesam v. 4.4.61 – When using the Browser button to select a new NDMP target restore volume/directory, NetApp NDMP restore does not restore to the specified restore target, but restores data to the original volume instead
    • When using the Browser button to find the target directory/volume for restore, the target path for NetApp NDMP restore is incorrectly specified with prefix NDMP:, which leads to relocation source. Consequently, the data is restored to the original volume instead to the specified target. Note that entering the target restore path manually in the field correctly restores data to the specified target.
    SEP sesam v. 4.4.3.61 – Citrix XenServer new FULL/DIFF/INCR backup levels with CBT do not handle correctly the master/slave configuration
    • After update, Citrix XEN module supports FULL/DIFF/INCR backup levels with CBT but this new feature does not handle master/slave configuration. Note: In 4.4.3.61 the backup worked if the task was configured for the master system, but it did not work if configured for the slave.
    SEP sesam v. 4.4.3.61 – SEP sesam default access mode SM_SSH converts UTF-8 characters to a non-UTF-8 locale which can result in data loss
    • Due to newly introduced default SM_SSH access mode, SEP sesam installations with special backup source encoding (e.g., a multi-byte character set such as Chinese or Japanese) may face issues due to incorrect conversion of UTF-8 characters to a non-UTF-8 local encoding which does not provide the required characters. Such conversion may result in data loss.
    Fixed: Special characters are transferred with URI (Uniform Resource Indicator) encoding.
    SEP sesam v. 4.4.3.61 – Browsing RHV/RHEV does not work 
    • Browsing the RHV management system fails with invalid AccessMode: PROXY.
    SEP sesam v. 4.4.3.61 – No operations possible anymore with SAP Business One license
    • If the license used is SAP Business One and the drive is set to more than 1 stream in the database, then operations related to the drive are no longer possible.
    SEP sesam v. 4.4.3.60 – BSR Pro backup fails
    • BSR Pro backup fails with BSR Pro unknown return code (0X1). On some Windows OS (mainly Windows Server 2008 [R2]) this error could happen due to problems when checking the areas that are not to be compressed.
    Fixed: With version BSR Pro 3.3.185.
    SEP sesam v. 4.4.3.56/4.4.3.59 (beta) – After upgrading to Windows server 2016, Windows restore fails
    SEP sesam v. 4.4.3.53 - Selective restore of NDMP saveset on NetApp via HTTP interface fails
    • Selective restore failed because sbc_ndmp did not always process the HTTP buffers correctly.
    Fixed with SEP sesam Server 4.4.3.61:
    SEP sesam v. 4.4.3.60 – Starting a command event by using Activities -> Immediate start button does not work
    • Trying to start a command event from menu: Activities -> Immediate Start -> Command fails to open the dialog box and the command cannot be started manually.
    SEP sesam v. 4.4.3.60 – Windows Installation on x86 creates MSI Exception
    • In case of Windows systems with x86 architecture an MSI exception appears in the event log during the update of the SEP sesam together with SEP sesam BSR Pro Windows installation; however, all sesam services are running and SEP sesam is working properly.

    Limitations

    SEP sesam backup for hypervisors (VMware, Hyper-V, Citrix Xen, KVM, OpenNebula) cannot back up the data on external disks

    The data of such disks is silently skipped from backup, hence the backup saveset contains no data for the external disk while the backup succeeds and no warning about the missing data is issued (except for VMware, see below).

    • In case of VMware, SEP sesam cannot back up the data on the independent or Raw Device Mapping (RDM) disks due to a VMware limitation that does not support including independent/RDM disks in virtual machine snapshots. As of Grolar, SEP sesam issues a warning about the missing data for VMware independent/RDM disk. To avoid the warnings and have a successful backup, you should exclude the independent disks/RDMs from the backup task or install a SEP sesam Client in the virtual machine and perform an additional file or application backup to back up this data.
    • In case of other hypevisors (Hyper-V, Citrix Xen, KVM, OpenNebula), SEP sesam cannot back up the data on the RDM disks or on a VM without attached SCSI controller(s). To back these hypervisors, you have to add one or more SCSI controller to the virtual machine before performing a backup, even if there are no devices to use the SCSI, or you have to install a SEP sesam Client in the virtual machine and perform an additional file or application backup to back up this data.
    SEP Warning.png Warning
    If a restore of a VM with external disk is performed to the original VM by using the option overwrite, the disk is re-created and all existing data on the restore target is lost.
    Old disk_info Linux backup task is no longer supported – its usage may result in data loss

    During update all customers which are still using backup task with source disk_info backup task are notified that the disk_info Linux backup task is no longer supported. It has been replaced by BSR Linux/REAR. If you still use the obsolete disk_info backup task, you will no longer be able to restore your data.

    • Reconfigure your old disk_info Linux backup tasks by selecting the Linux BSR as a task type in the task properties or create new backup tasks with type Linux BSR. For details, see Disaster Recovery for Linux 3.0.
    SEP Warning.png Warning
    SEP AG is not responsible for potential data loss that may occur as a result of backing up data with unsupported backup task.
    BSR Pro Direct forensic imaging method does not work with SEP sesam versions Tigon V2 and Grolar

    BSR Pro Direct forensic imaging method is only possible if a special snapshot driver is installed and the system is rebooted after installation. It is otherwise not possible to create a consistent image.

    • The existing BSR Pro installation package containing the driver is stored in the <SESAM_BIN>/skel directory. Follow the steps for installing additional driver as described in Steps for using Direct forensic option.

    Enhancements and changes

    S3 cloud storage

    An S3 (simple storage solution) cloud storage can now be used to safely store and retrieve your business data. SEP sesam treats the S3 cloud storage like any other devices. It creates the snapshots and synchronizes data to the cloud. For details, see S3 Cloud Storage Backup.

    NetApp storage snapshots

    SEP sesam provides backup and restore integration built on NetApp Snapshot copies. You need to configure a new data store type – NetApp Snap Store to easily use hardware snapshots as usual backups. For details, see NetApp Storage Snapshots Backup.

    Hyper-V backup and restore

    Separate task for each VM
    It is no longer possible to back up multiple VMs running on a Hyper-V with a single task. Now you have to create a separate task for each VM running on a Hyper-V standalone server or Hyper-V cluster. However, you can assign individual backup tasks to a task group and then trigger the backup of all tasks belonging to that group with a single event. For details, see Hyper-V Backup.
    Single item restore for Hyper-V
    Now you can restore single items from Hyper-V FULL backups if the saveset is stored on a data store or Si3 deduplication store. For details, see Hyper-V Restore.

    Changed block tracking (CBT) support for Citrix XenServer 7.3: Citrix XenServer new backup levels

    SEP sesam introduces support for the XenServer changed block tracking feature (CBT) that offers incremental backup capabilities; hence, new backup levels (FULL, INC and DIFF) are available for Citrix XenServer backups. For details, see Citrix XenServer Backup.

    Access control lists (ACLs)

    The administrators can configure ACLs to enable or disable access to location (group of clients) or specific client. Note that before configuring ACLs, database-based authentication must be activated and users configured and added to the relevant group. For details, see Using Access Control Lists.

    NDMP direct access recovery (DAR)

    Direct access recovery (DAR) index is required to restore a directory or a single file from a NDMP backup (selective restore). As of version 4.4.3 Grolar, DAR is enabled by default (no configuration is required). While DAR can greatly reduce the time it takes to restore individual files, it might be unnecessary in case you want to backup and consequently restore only the whole volume. In such case, you may disable DAR to improve backup performance. For details, see NDMP Backup.

    Self-Service Restore Assistant

    It is now possible to use web restore assistant to restore data not only from regular Path backups, but also from NDMP and NSS file system Path backups as well as emails from Kopano backups with a few simple steps. You can connect to web restore assistant and perform a restore if you have appropriate permissions. If a backup is encrypted and the password is not stored in the SEP sesam database, it is now possible to enter the encryption password online. For details, see Self-Service Restore Assistant.

    New default access mode

    The default access mode is now SM_SSH (previously CTRL) which provides strong authentication and secured data communication for clients and servers in the SEP sesam environment. SSL libraries now include libmicrohttpd, libcurl, and libopenssl.
    Note that it is strongly recommended to use the default SM_SSH instead of CTRL access mode whenever possible.

    Improved functionality

    GUI enhancements

    • SEP sesam introduces a number of data store enhancements (S3 credentials tab, Si3 State tab, new data store type, etc.). For details, see Configuring a Data Store and Configuring Si3 Deduplication Store.
    • Database-based authentication and authorization are extended and can be combined with the LDAP authentication and authorization and/or with AD (Active Directory). SEP sesam authorizes the users based on the mapped roles and their associated privileges. For details, see About Authentication and Authorization, Configuring LDAP/AD Authentication, and Configuring Database-Based Authentication.
    • SEP sesam features a GUI that can be customized and now also adjusted by selecting one of the following UI modes: basic, advanced or expert. The mode can be changed in GUI: from the menu bar select Configuration -> Defaults -> Extras -> UI Mode. For details, see UI Mode.
    • A force refresh can be used to clear the GUI cache memory and consequently to update the view. For details, see All Results by State.
    • Rather than deactivating a schedule (and all related jobs), you can now deactivate a single task but keep it in the list of tasks. You can also disable a whole task group by using the same option the Execution is blocked. You can enable a disabled task and/or task group again at any time. For details, see Disabling and Enabling Backup Task and Disabling and Enabling Task Group.
    • New Manage multiple drives option is introduced to enable you to easier change drives properties (e.g., maximum number of parallel streams (max channels), delete drives, create new drives, etc). It lists all configured drives and allows you to change the properties settings of multiple drives, after which SEP sesam restarts the drives automatically. For details, see Manage multiple drives. Now it is also possible to reconfigure all drives by using Configure all drives option.

    Changes in SEP sesam License

    • New license editions VM Essential and VM Essential Plus introduce a CPU socket based license for VMware and Hyper-V backup.
    • New license for 'source Side Deduplication'

    End of maintenance and support

    Unsupported SEP sesam Server OS

    The following operating systems are no longer supported for SEP sesam Server:

    • Ubuntu 14.04
    • Windows Server 2008 Win7.gif
    • Information sign.png Note
      The limitation applies only to SEP sesam Server systems and does not affect SEP sesam Clients. Windows Server 2008 R2 SP1 is still supported. For a complete list of supported SEP sesam Clients, see SEP sesam support matrix.

    For a complete list of supported SEP sesam clients, see SEP sesam Support Matrix.

    Major fixes and changes

    SEP AG recommends that you update to latest Grolar version 4.4.3.64. There are no service packs necessary. See Change report Grolar for major fixes and changes. See all changes at SEP sesam download – changes.

    See also

    SEP sesam Release Versions