Home > Storage > PowerMax and VMAX > Mainframe > Dell PowerMax: Data Protector for z Systems (zDP) Best Practices > Overview
Secure snapshots survive the previously mentioned SRP full events that compromise nonsecure snapshots. At 90% SRP full, all new snapshot creation, whether secure or not, stops. SnapVX-created snapshot jobs fail, and zDP stops. Worse, at 90% SRP usage, the array fails any existing nonsecure snapshots as it sacrifices snapshots to keep host I/O or SRDF functioning. Secure snapshots do not fail when the SRP% reaches the 90% threshold.
Nonsecure snapshots exist indefinitely until they are terminated. If zDP stops or is stopped, the existing snapshots are not terminated until zDP is restarted. Secure snapshots behave differently. The secure attribute is specified at creation time, but you can also add it after the snapshot is created. The unit of time that a snapshot must exist is measured in days. When it is associated with an expiration date and time, the snapshot cannot be terminated. Also, the snapshot cannot be destroyed by a command or by an array-full condition as mentioned previously. Secure snapshots expire, but they are not terminated. For example, if zDP stops or is stopped on Friday, and zDP was creating secure snapsets with a time to live of two days, on Monday, all zDP snapshots are expired. As a result, individuals who have access to the zDP environment can delete the snapsets because they are no longer secure. This behavior means that it is more important to monitor zDP more closely if secure snapshots are being created to avoid having gaps in snapshot protection.
Secure snapshots behave like nonsecure snapshots and can be linked and unlinked, but they cannot be terminated until expiration (also called time to live). Secure snapshots that are in a linked status can expire, but they do not terminate. Secure snapshots do not change the space consumption of a snapshot. Changes made to the snapshot source volume accumulate SRP space, and this behavior is no different than nonsecure snapshot behavior. This operational difference is present because secure snapshots cannot be terminated if an SRP space shortage becomes critical. The sizing headroom should be more conservative when planning for secure snapshots.
zDP can SKIP intervals of secure snapshots to easily provide a mix of secure and nonsecure snapshots using the CYCLE parameter. The following example shows a VDG definition that specifies snapshots taken every hour for 48 hours, and every other snapshot is secure with a lifespan of 2 days.
CYCLE_TIME(12,0,SECURE,1,4),
The SKIP feature (represented by 4 in the above cycle definition) was developed to enable reclaiming SRP space by terminating nonsecure snapsets, should SRP space usage reach critically low levels. If zDP stops at any time, the nonsecure snapsets remain indefinitely which reduces the risk of losing cyber protection. Be careful when using the SKIP parameter, and choose a value that is consistent with the secure lifespan expiration. As a best practice, use the following formula:
SNAPSHOT INTERVAL MIN * MAX_SNAPSETS / 60 MIN PER HR = AGE OF OLDEST SNAPSHOT (HRS)
The age of the oldest snapshot should be an even number of days so that zDP terminates nonsecure snapshots at the same frequency as the secure snapshot expiration.
Here is an example of a definition that may cause issues:
10 MIN INTERVAL * 256 MAX_SNAPSHOTS / 60 = 42.7 HOURS which is not an even multiple of days.
A more suitable definition would be as follows:
12 MIN INTERVAL * 240 MAX_SNAPSHOTS / 60 = 48 HOURS with a two-day SECURE attribute.