Table of Contents
Overland-Tandberg 8869-RDX User Manual
Displayed below is the user manual for 8869-RDX by Overland-Tandberg which is a product in the Backup Storage Media category. This manual has pages.
rdx
rdxLOCK
LOCK
Administration Guide
Administration Guide
Version 2.3.0.45 - Fix 10
Version 2.3.0.45 - Fix 10
Page 1 of 43 Tandberg Data S.a.r.l. 2016-11-08
Contents
Contents
1 Product Information...................................................................4
1.1 Overview.....................................................................................................4
1.2 Key Features................................................................................................4
1.2.1 Protection Policies....................................................................................4
1.2.2 Enhanced Security Mode (ESM).................................................................5
1.2.3 AES-256.................................................................................................6
1.2.4 Verified Retention Clock (VRC)..................................................................7
1.3 Restrictions..................................................................................................8
2 Installation.................................................................................9
2.1 Installing rdxLOCK........................................................................................9
2.1.1 Starting the Installation............................................................................9
2.1.2 License Agreement.................................................................................10
2.1.3 Select the installation path and additional tasks.........................................11
2.1.4 Start the installation..............................................................................12
2.1.5 Completing the Installation.....................................................................13
2.2 Post-Installation..........................................................................................14
2.3 Uninstalling rdxLOCK...................................................................................15
3 Configuration............................................................................17
3.1 Obtaining and entering the “TimeSync” Key....................................................17
3.2 Setting up a WORM volume..........................................................................20
3.3 Protection policies and retention periods.........................................................23
3.3.1 Directory-level retention period...............................................................23
3.3.2 Single file-level retention period..............................................................23
3.3.3 rdxLOCK Directory Level Retention Policy..................................................25
3.3.4 rdxLOCK Single File Retention Policy........................................................27
3.3.5 Viewing rdxLOCK retention period parameters...........................................30
3.4 Obtaining and entering license keys...............................................................31
3.5 WORM-TO-WORM Replication........................................................................36
3.5.1 rdxLock Replication Service (rdxLockRepSvc)............................................36
1 Configuring WORM volumes for replication...................................................36
2 Monitoring replication activities..................................................................38
3.5.2 rdxLockFSR...........................................................................................39
1 General Information..................................................................................39
2 Syntax....................................................................................................39
3 Options...................................................................................................39
4 Return Codes...........................................................................................40
5 Example..................................................................................................40
Page 2 of 43 Tandberg Data S.a.r.l. 2016-11-08
4 Best Practices...........................................................................41
4.1 Data Protection...........................................................................................41
4.1.1 WORM-TO-WORM Replication..................................................................41
4.1.2 Backup / Restore...................................................................................41
5 Troubleshooting:......................................................................43
5.1 Reporting a Problem....................................................................................43
5.2 rdxLOCK Tab is not available on MS Explorer’s property page...........................43
5.3 Application event log message: “Invalid license”.............................................44
6 Appendix:.................................................................................45
Page 3 of 43 Tandberg Data S.a.r.l. 2016-11-08
1 Product Information
1.1 Overview
rdxLOCK is a hardware-independent software product, which provides infinite or fixed
period WORM (Write Once, Read Many) protection for data on standard hard disk
systems.
Applications can write data locally, via CIFS, FTP or NFS directly to a rdxLOCK protected
file system, but are not allowed to make any modification after the data was locked. The
locking mechanism is completely controlled by rdxLOCK on a directory-level or file-level
basis and ensures that a file object is changed to WORM based on the selected protection
policy. A special API is not necessary for this.
rdxLOCK’s protection policies ensure that files can’t be modified, renamed, moved or
overwritten in any way, preserving data in a non-rewritable, non-erasable manner for a
specified period of time or infinite. Additionally rdxLOCK prevents the alteration of file
attributes.
In order to meet regulatory compliance requirements, rdxLOCK allows the deletion of
data after a pre-defined retention period, but still prevents the user from modifying
expired data.
As rdxLOCK is able to use the existing server and disk storage infrastructure, an audit-
compliant archive can be implemented in a cost effective manner. Even existing file
systems can be converted to WORM file systems by rdxLOCK.
rdxLOCK supports NTFS volumes on 32-bit and 64-bit Windows architectures.
Page 4 of 43 Tandberg Data S.a.r.l. 2016-11-08
1.2 Key Features
Note:
Starting with version 2.3.0 the availability of some functions and features
depends on the installed license.
This administration guide documents the full function and feature set.
1.2.1 Protection Policies
Protection policies can be configured either on a volume-level or on the 1st directory
level. The following protection policies are supported:
DLR = Directory Level Retention
The DLR policy is based on directory level, either root directory or 1st directory
level. The advantage of this policy is the option, to prolong the retention period of
a data pool by changing only one single figure.
SFR = Single File Retention (SnapLock Interface)
The SFR policy allows an individual retention period for every individual file. It
provides compatibility with the NetApp, Inc. SnapLock interface.
Page 5 of 43 Tandberg Data S.a.r.l. 2016-11-08
1.2.2 Enhanced Security Mode (ESM)
rdxLOCK protected volumes may be managed on operating system level mostly like any
volume. In particular you can move them from one disk system to another one and you
can mount them on any computer, even if there is no rdxLOCK software installed.
Enhanced Security is an additional security level to encrypt the volume in a way that no
content of the real volume is visible, if rdxLOCK is not installed. Instead of the real
content of the NTFS volume, you can see a small FAT – volume with warning information.
It also inhibits the deletion of files on rdxLOCK protected volumes in the following cases:
The rdxLOCK file system filter has been stopped.
rdxLOCK has been uninstalled from the system.
A rdxLOCK WORM volume has been moved to a server system, which does not
have rdxLOCK installed.
Since rdxLOCK 2.3.0 ESM V5 is used. This version supports encryption with AES-256.
ESM V4 volumes are still supported and can optionally be set to V5. New created
volumes will only be created as V5 with a FAST encryption. The internal ESM number is
increased to prevent older rdxLOCK version mounting this volume. V5 and V4 volumes
can be converted to V5 AES-256.
Note:
Please run a backup of the WORM volume before changing the encryption
method.
Page 6 of 43 Tandberg Data S.a.r.l. 2016-11-08
1.2.3 AES-256 encryption
The AES-256 encryption is using keys with a length of 256 bits. Each WORM volume uses
its own key for both encrypting and decrypting the data. In combination with AES-256
encryption it is possible to grant access to WORM volumes for a dedicated group of
rdxLOCK computer systems by exporting and importing keys.
Initially the volume key is not exported and AES encrypted WORM volumes can be used
on any rdxLOCK system. If a WORM volume should only be accessible by a certain group
of systems the AES key must be first exported and then imported to all other authorized
systems. The system which was used for exporting the key gets implicitly authorized. To
export or import keys the user must hold administrative rights.
The AES key of a WORM volume can be exported by the following rdxLOCK CLI
command:
rdxLockcli KeyExport <volume_drive_letter> > <key_file_name>
example: rdxLockcli KeyExport e: > aes_key_e.txt
With the export command the volume changes its state to “exported” and the ESM
component only decrypts the volume if the key has been imported for this volume on the
local system.
To import the AES key of a WORM volume to a system, the following rdxLOCK CLI
command may be used:
rdxLockcli KeyImport <volume_drive_letter> <key_file_name>
example: rdxLockcli KeyImport e: aes_key_e.txt
Note:
The export and import cli commands are subject to change for upcoming
versions.
Legacy WORM volumes, which have been encrypted with the FAST encryption method,
can be converted to AES-256 using the rdxLOCK GUI by right-clicking the WORM volume
and selecting the menu item “Configure”.
At the bottom of the properties tab window you can change the ESM encryption method
from FAST to AES-256.
Note:
Please run a backup of the WORM volume before changing the encryption
method.
The changing of encryption method may take a long time.
Page 7 of 43 Tandberg Data S.a.r.l. 2016-11-08
1.2.4 Verified Retention Clock (VRC)
A compliant data storage system needs a secure tamper-proof time base to measure
retention periods and ensure WORM integrity.
rdxLOCK provides a secure and compliant retention time management, called Verified
Retention Clock (VRC). This facility has to be synchronized directly after setting up the
software by entering a special key (TimeSync Key). (see chapter 3.1)
This key contains a trusted timestamp for verifying that the system clock is in a certain
range compared to UTC (Coordinated Universal Time). Only if the verification succeeds,
WORM volumes can be initialized, configured and controlled. As long as the verification
has not been executed, the system can not be used for managing WORM volumes.
All WORM volumes created by a rdxLOCK application with a non-verified system clock
are marked as “TEST WORM VOLUMES” and can only be converted to valid, productive
WORM volumes on systems with a verified system clock and as long as their temporary
license is still valid.
After a successful system clock verification, VRC closely monitors the system clock and
ensures that system clock manipulations may not be used to delete files before they
expire. Such manipulations may end in temporary prolongation of retention periods when
the system clock is set in the future or to access restrictions when it is set in the past.
Small changes in the system clock are manageable, but when the clock is adjusted over
large ranges, or the system is switched off or rebooted for any reasons, this does result
in a prolongation of retention periods. In order to mitigate such artificially extended
retention time periods, VRC allows a drifting of the retention time offset (RTT-Offset) up
to a week per year in order to make up for downtimes due to system maintenance and
other housekeeping events. Any longer periods of downtime will need to be handled via a
TimeSync Key, if the RTT-Offset is beyond an acceptable value.
VRC is designed to support removable WORM media as well. Taking a WORM volume
offline for an extended time period does not end up in a temporary prolongation of
retention periods registered in a volume.
Page 8 of 43 Tandberg Data S.a.r.l. 2016-11-08
1.3 Restrictions
rdxLOCK Version 2.3.0.45 - Fix 10 is designed for NTFS formatted volumes on
primary partitions of basic disks with MBR (master boot record) and GPT (GUID
Partition Table) partitioning scheme. If rdxLOCK is configured for a volume
residing on a dynamic disk, the Enhanced Security Mode will not be supported on
that volume.
rdxLOCK may not be installed on systems which do have any version of TrueCrypt
installed.
rdxLOCK supports local disks, certified removable media and certified removable
devices.
Other file systems than NTFS are not supported.
System volumes and cluster quorum disks are excluded by the configuration
procedure.
Appending data to rdxLOCK protected files is not supported.
Files having Extended Attributes or reparse points attached can’t be set to WORM.
The Recycle Bin functionality can not be used on WORM volumes, since rdxLOCK
denies the move operation to the recycle bin, when an expired WORM file is
selected for deletion. Therefore it is recommended to deactivate the Recycle Bin
for the individual WORM volumes in order to make the deletion of expired WORM
files possible.
Please note that Microsoft has redesigned the Recycle Bin behavior in Windows
VISTA, Windows 2008 Server and Windows 7. The properties of the Recycle Bin
are now tied to user profiles rather than the actual disk. Therefore each user must
explicitly switch off the Recycle Bin of the corresponding WORM volumes when
accessing them locally for deleting expired WORM files.
Upgrades are only supported from rdxLOCK version 2.1.0 Build 29 and higher.
Previous versions need special support, so please contact your service provider.
Read-only volumes are not supported.
Volumes mounted inside a WORM volume are not WORM protected.
Shrinking an ESM protected volume is not supported.
Adding a mirror to an ESM protected volume is not supported.
Volumes marked as 'active' can not be used in ESM mode.
Backing up an image of a single, ESM encrypted partition on a GPT disk is not
supported. In this case an image backup of the entire GPT disk must be created
including the backup of unused sectors.
The replication service user account needs administrative rights including the
backup, restore and take ownership privilege. When replicating to a remote share
the appropriate share permissions and NTFS security rights must be granted to
the service user account accordingly.
Page 9 of 43 Tandberg Data S.a.r.l. 2016-11-08
2 Installation
Administrative rights are required to install, configure, set policies and retention times,
license or update rdxLOCK. When installing on Windows 7, Windows 2008 Server or
higher you need to be logged in as Administrator or you need to run the installation
program using the context menu option “Run as administrator”.
2.1 Installing rdxLOCK
2.1.1 Starting the Installation
To install rdxLOCK
Close all applications running on the system.
Run the program rdxLocksetup_<version>.exe to start the installation wizard.
In case no other application is opened at this time, you can proceed with the installation
process by clicking the Next button.
Page 10 of 43 Tandberg Data S.a.r.l. 2016-11-08
2.1.2 License Agreement
You have to agree to the license contract in order to continue with the rdxLOCK
installation procedure.
Page 11 of 43 Tandberg Data S.a.r.l. 2016-11-08
2.1.3 Select the installation path and additional tasks
Page 12 of 43 Tandberg Data S.a.r.l. 2016-11-08
2.1.4 Start the installation
After clicking the Install button, rdxLOCK will be installed to the selected destination
folder.
Page 13 of 43 Tandberg Data S.a.r.l. 2016-11-08
2.1.5 Completing the Installation
On the completion screen you have the option to install rdxLOCK’s Enhanced Security
Module, which allows configuration of rdxLOCK’s Enhanced Security Mode on a per
volume base.
Installing the Enhanced Security Module requires a system reboot.
Page 14 of 43 Tandberg Data S.a.r.l. 2016-11-08
2.2 Post-Installation
After a new installation or an upgrade from versions prior to 2.2.6, the system clock
needs to be verified by a TimeSync key. Please refer to the chapter “Obtaining and
entering the TimeSync Key” for further information.
Note:
As long as the system clock is not verified, the following restrictions exist:
New volumes couldn't be initialized.
WORM Volumes created by rdxLOCK version 2.2.5 or previous are put to READ-
ONLY mode and are not switched to the regular WORM mode until the TimeSync
verification has been succeeded.
Page 15 of 43 Tandberg Data S.a.r.l. 2016-11-08
2.3 Uninstalling rdxLOCK
rdxLOCK can be uninstalled by using the Windows Software Manager. Click Start ->
Control Panel -> Add or Remove Programs, select the rdxLock product and press the
Remove button.
Page 16 of 43 Tandberg Data S.a.r.l. 2016-11-08
If the Enhanced Security Mode was installed, a reboot is required to completely remove
rdxLOCK from your system.
NOTE:
If you remove the rdxLOCK product from your system, you will not be able to access
WORM-committed files anymore.
In addition, if the Enhanced Security Mode was previously applied to a WORM volume,
the WORM NTFS file system is hidden and inaccessible after uninstalling the rdxLOCK
product. The former NTFS WORM volume is displayed as a FAT file system with the label
“Volume Lock” in this case.
Page 17 of 43 Tandberg Data S.a.r.l. 2016-11-08
3 Configuration
3.1 Obtaining and entering the “TimeSync” Key
A TimeSync key is used to verify that the system clock is in a certain range compared to
UTC and therefore ensures that file retention times are managed in a safe and secure
fashion. If the TimeSync key verification process succeeds for the first time, the system
will be ready for handling WORM volumes. Every additional TimeSync operation resets
the RTT-Offset. rdxLOCK maintains this internal “corrective retention time offset”
parameter (RTT-Offset) to manage the time offset between the system clock and the
Verified Retention Clock (VRC). These offsets occur due to normal situations like the
system being powered down or potentially abnormal situations where the system clock is
changed or potentially rolled back.
To apply a TimeSync key take the following steps:
start the rdxLock GUI application and select the menu item Configuration Apply→
TimeSync.
click on the web link in the dialog below:
Page 18 of 43 Tandberg Data S.a.r.l. 2016-11-08
Copy the TimeSync key string from the web page directly to the corresponding
dialog's input field and press the Apply button. Alternatively, you may save the
key to a file first and select that file for applying the TimeSync key.
Note:
It may take up to 2 minutes until the system clock gets verified. VRC information is
displayed in the output panel view called “VRC” of the rdxLockGUI application.
Page 19 of 43 Tandberg Data S.a.r.l. 2016-11-08
3.2 Setting up a WORM volume
For converting an NTFS volume to a WORM volume, use MS Explorer, Disk
Management or rdxLOCK GUI to open the property page of the appropriate
volume and select the rdxLOCK tab. This approach can only be used if you are
logged in as the local administrator or as a domain administrator with special
security options (see section 5.2 for further information). Alternatively, you may
run the rdxLock GUI program, right-click the appropriate volume and select
“Configure”. If you are logged in as a standard user, who is not a member of the
local administrator group, you will get an UAC prompt for entering the
administrator's password in order to run the program with full elevated rights and
privileges as an Administrator.
Page 20 of 43 Tandberg Data S.a.r.l. 2016-11-08
Select the “ENABLE WORM MODE” checkbox and set up the directory-level, on
which you want to configure protection policies.
Optionally you may activate the “Enhanced Security Mode” (ESM).
To save your settings, press the APPLY or OK button.
Confirm you settings and press the OK button.
After confirming the WORM – Mode, the whole volume is set
to WORM status and can never return to non-WORM status.
If Enhanced Security Mode is selected, data on the volume
will be encrypted after confirmation. This process could be
long-lasting depending on the amount of used data blocks on
the volume and your hardware.
Switch off the recycle bin functionality for the newly configured WORM volume.
NOTE:
Page 21 of 43 Tandberg Data S.a.r.l. 2016-11-08
The Enhanced Security Mode may be activated on a WORM
volume at any time, but can not be switched off after its
activation.
(rdxLOCK root directory tab information after converting a volume to WORM state.)
Page 22 of 43 Tandberg Data S.a.r.l. 2016-11-08
3.3 Protection policies and retention periods
After a volume has been configured for WORM, protection policies should be defined
either on the root directory or on any folder of the 1st directory level. There is no
requirement to set such policies, but just setting the WORM mode without policies would
not have much effects. Without policies, files would not become WORM protected.
WORM protection and policies can be configured EITHER on the Root-level OR on any
folder of the 1st directory-level of a WORM volume. You can not set policies on both
levels. You can also set some folders with policies and leave others rewritable.
Definition of Terms:
DLR (Directory Level Retention): Retention periods are related to directories, not to
single files. All files in a certain directory and all sub-directories are treated the same
way.
SFR (Single File Retention): Retention periods are related to individual files.
Auto-commit: Files written into a certain location are committed to be WORM after a
defined period of time (AUTOCOMMIT DELAY) by rdxLOCK Software. (No application
activity is needed.)
Application-commit: Files written into a certain location are NOT committed to be WORM
without application activities. To set files to WORM status the application has to follow
the SnapLock procedure.
Depending on rdxLOCK’s WORM Mode, retention periods are handled differently.
rdxLOCK distinguishes between directory-level (DLR) and single file-level (SFR) retention
periods.
3.3.1 Directory-level retention period
The rdxLOCK DLR policy determines the expiration date of a WORM file by adding
the retention period, which is configured on a directory-level and inherited to all
its sub-directories, to the WORM-commit timestamp of that file.
The DLR policy always uses “auto-commit” mode. Means all files are set to WORM
after the “auto-commit delay” period. No file may stay on non-worm status in
such folders.
Since the expiration date is not explicitly attached to a file during the WORM
commit phase, but is calculated whenever the file is selected for deletion, it is
easily possible to increase retention periods of WORM file sets, which reside in the
same directory hierarchy.
3.3.2 Single file-level retention period
The rdxLOCK SFR policy allows for association of file retention periods and WORM
status at the granularity of individual files. Since the expiration date is written to
the file’s “last-access timestamp” (SnapLock Functionality), every WORM
committed file has an individual associated retention period. The expiration date is
either set by an application through changing the file’s last-access timestamp or
the expiration date is derived from the configured default retention period, when
the file is committed to WORM state.
Page 23 of 43 Tandberg Data S.a.r.l. 2016-11-08
The WORM commit operation is either triggered automatically by rdxLOCK (auto-
commit mode), or by an application (application-commit mode) by setting the
read-only attribute of the file.
When Application-commit mode is active, files MUST be set read-only to get
WORM protection. If the file’s read-only attribute is not set in application-commit
mode, the file remains unprotected.
The auto-commit mode of the SFR policy is similar to the auto-commit mode of
the DLR policy, but when retention periods have to be prolonged, auto-committed
WORM files have to be set individually to the new retention period.
Page 24 of 43 Tandberg Data S.a.r.l. 2016-11-08
3.3.3 rdxLOCK Directory Level Retention Policy
The rdxLOCK DLR policy allows the configuration of a fixed or infinite retention
period on the root directory or on any folder of the 1st directory level of a WORM
volume. Retention periods can be increased at any time, but it’s not allowed to
decrease a retention period. Since rdxLOCK associates the retention period
defined on a directory with each WORM file inside that directory tree, extending
the retention period will also affect already WORM committed files.
The rdxLOCK DLR policy automatically commits files to WORM after their creation,
whereas the WORM trigger can be delayed by the value, configured for the
“AUTOCOMMIT DELAY” parameter. This value can be set between 0 and 100000
seconds (~ 27.7 hours). The value could be modified at any time
(increade/decrease) to fit to your needs.
The following configuration dialog can be activated by right-clicking the
appropriate folder using MS Explorer and selecting “Properties” or “Configure”
when using the rdxLock GUI program.
Page 25 of 43 Tandberg Data S.a.r.l. 2016-11-08
The following rules apply to WORM files covered by a rdxLOCK DLR policy:
oWORM files can not be modified, overwritten, renamed or deleted.
oWORM files can not be changed back to non-WORM files.
oSecurity settings (ACL) on WORM files can not be changed any more. Therefore
we recommend to always using security groups in order to be able to change
security for single users by adding or removing them from the assigned group.
The following rules apply to expired WORM files covered by a rdxLOCK DLR policy:
oExpired files can only be deleted. Renaming or modifying an expired WORM file is
not allowed.
oIncreasing the retention period of a DLR policy will also be reflected on expired
WORM files, which means that an expired WORM file may be WORM protected
again depending on the length of the new retention period.
Page 26 of 43 Tandberg Data S.a.r.l. 2016-11-08
3.3.4 rdxLOCK Single File Retention Policy
The rdxLOCK SFR policy provides compatibility with applications using the
SnapLock interface to write data to a NetApp filer or similar systems.
MAXIMUM RETENTION is limited to 3651770 days [~9998 years) and that means infinite in
practice. MINIMUM RETENTION may be set to 0 days. The AUTOCOMMIT DELAY value can
be set between 0 and 100000 seconds (~27.7 hours).
Page 27 of 43 Tandberg Data S.a.r.l. 2016-11-08
The following steps are necessary to convert a file to WORM, when using the
rdxLOCK SFR policy without the AutoCommit feature enabled.
oCopy a writable file to a directory, which is covered by the SFR policy.
oSet the last-access timestamp of the file to the desired expiration date. If
this step is skipped the “default retention” parameter is used. If the last-
access timestamp is set past the maximum retention period, rdxLOCK will
ignore the longer setting and replaces it with the maximum retention
period.
oSetting the read-only attribute of the file triggers the WORM commit
operation.
If the AutoCommit feature is enabled, files are automatically converted to WORM
state after they have not been modified for a specified period of time
(AUTOCOMMIT DELAY).
The following rules apply to WORM files covered by a rdxLOCK SFR policy:
oWORM files can not be modified, overwritten, renamed or deleted.
oWORM files can not be changed back to non-WORM files.
oWORM files reflect their expiration date in the last-access timestamp.
oExpiration dates can only be extended beyond their original retention
period.
oSince the expiration date of a WORM file is stored in its last-access
timestamp attributes, the last-access timestamp is not updated on a read
access as on a standard NTFS file system.
oSecurity settings (ACL) on WORM files can not be changed any more.
Therefore we recommend to always using security groups in order to be
able to change security for single users by adding or removing them from
the assigned group.
The following rules apply to expired WORM files covered by rdxLOCK SFR policy:
oExpired files can only be deleted. Renaming or modifying an expired
WORM file is not allowed.
ordxLOCK permits applications to reset the read-only attribute of expired
WORM files back to writable.
oA new expiration date may be set on expired WORM files and the file’s
read-only attribute may be set again for re-committing the file to WORM
state.
Page 28 of 43 Tandberg Data S.a.r.l. 2016-11-08
The following rules apply to both rdxLOCK WORM policies:
ordxLOCK WORM policies can either be configured on the Root-level
or on any folder of the 1st directory-level of a WORM volume.
ordxLOCK DLR and SFR policies may coexist on folders of the 1st directory-
level.
oWhen configuring protection policies on the 1st directory level, it is not
mandatory to assign a WORM policy to each folder in this hierarchy.
oDirectories containing WORM files may not be renamed.
oNew created directories can be renamed within the “AUTOCOMMIT-DELAY”
period after their creation, respectively within 60 seconds if the
AutoCommit feature is disabled.
Page 29 of 43 Tandberg Data S.a.r.l. 2016-11-08
3.4 Obtaining and entering license keys
rdxLOCK includes a trial license that allows the use of a WORM volume for 60 days. The
trial license has neither a capacity limit nor a limit on the amount of WORM volumes. If
you want to keep a WORM volume past the trial period expires, you can register the
volume to obtain a key for a permanent license.
Notes:
Access to a WORM volume with an expired trial or temporary license will
be denied.
A permanent license key can only be requested on a system with a
verified system clock.
Each WORM volume is registered separately and therefore has its own rdxLOCK
generated serial number, which is needed when requesting a permanent license key for a
WORM volume.
To find the WORM volume serial number and install a permanent license, take the
following steps:
In the Windows Start menu, select Programs -> rdxLock -> rdxLockGUI
In the rdxLOCK user interface, select WORM volumes and right-click on the
WORM volume for which you want to request a permanent license.
Click “Request License”
Page 30 of 43 Tandberg Data S.a.r.l. 2016-11-08
Enter the Capacity-ID, which you have received from your rdxLOCK sales
representative. Characters are automatically converted to upper case when
entering lower case.
After pressing the “OK” button rdxLOCK generates the license request key, which
must be sent to the licensing service by using either the on-line WEB-PORTAL or
sending the information via email.
Please ensure that your server is connected to the internet, when choosing the “WEB-
PORTAL” for requesting the license key.
To access the licensing service you have to log in to the WEB-PORTAL. If you do not
yet have log-in access, please register and provide a valid email address, which is
used by the licensing service to respond back to you.
Page 31 of 43 Tandberg Data S.a.r.l. 2016-11-08
If you decide to send the license key request via email, you may either use the
menu item “EMAIL…”, which launches your email client and automatically
generates an email with the necessary information or you may copy the license
request key to a text file and send it as an email attachment to
supportEMEA@tandbergdata.com.
After receiving the permanent license key for the volume, click “Install License” and
select the file containing the license information.
Check the license status on the right-side pane of the rdxLOCK GUI. It may take
up to 4 minutes until the license status is updated.
Page 32 of 43 Tandberg Data S.a.r.l. 2016-11-08
After you have installed a permanent license, you can still add additional WORM
capacity to a WORM volume by an add-on license. The new add-on license key is
installed via the volume’s context menu item “Install License” as well.
rdxLOCK monitors the capacity on each WORM volume and displays a warning
message in the application event log when a WORM volume nears its capacity limit. If
the capacity limit is exceeded, write operations on the volume will be denied until
additional WORM capacity is licensed for the volume.
The rdxLOCK user interface provides an overview of the installed license types,
status and used/free WORM capacity.
Page 33 of 43 Tandberg Data S.a.r.l. 2016-11-08
3.5 WORM-TO-WORM Replication
rdxLOCK provides the following replication facilities:
3.5.1 rdxLock Replication Service (rdxLockRepSvc)
This service is designed for automatic, one-way synchronization of rdxLOCK WORM
volumes. Files are expected to be added, changed or deleted in one location (Source)
only. Therefore it is highly recommended to not add, update or delete files on the target
location.
rdxLOCK Replication Service keeps track of changes to files and directories on a WORM
volume by monitoring the Windows USN Journal. Therefore changes on a volume are
detected as they occur and the replication of the changes is triggered immediately. This
approach provides an exact 1:1 replica of all files in the source location to the target
location in real-time, preventing the need for more time consuming methods like
scanning the entire source volume for changes. In addition all associated meta data of
the original WORM file are maintained in the replicated file copy such as timestamps,
attributes, NTFS file permissions and retention period.
Since files are pushed from source to target location asynchronously, there may occur a
temporary difference between the two locations depending on the replication backlog. In
case of a data loss situation the source volume can be replaced by the target volume
without any additional modifications.
Based on the technical implementation of the service, the replication has to be configured
before data is transferred to the WORM volume. If the replication is configured for a non-
empty WORM volume, a “manual” replication tree walk must be run in advance to get the
target volume synchronized. The necessary tool rdxLockFSR is explained in chapter
3.5.2.
1 Configuring WORM volumes for replication
Set up the source volume for WORM
Set up the target volume for WORM (use identical set-up as source)
Create a share on the root directory of the target volume and define the
appropriate share permission (FULL_CONTROL) for the user account of the
rdxLockRepSvc service.
Run the rdxLock GUI application
Right-click on the source WORM volume and select “Configure Replication”
Select the checkbox “Enable Replication”
Set up the target path using the “Browse” button
Configure the Logging Level
Page 34 of 43 Tandberg Data S.a.r.l. 2016-11-08
Set up the appropriate user for the rdxLockRepSvc. The service must run
under a user account with the following privileges:
Backup files and directories
Restore files and directories
Take ownership of files and other objects
Additionally, the user account must have the appropriate rights
(FULL_CONTROL) on the target WORM volume(s).
Press the OK button.
Replication Setup dialog:
After configuring the WORM volume for replication, proceed with creating
your WORM folders on the 1st directory level of the source WORM volume
and apply the appropriate rdxLOCK WORM policies on the folders. The
policies will be automatically replicated to the target volume.
Page 35 of 43 Tandberg Data S.a.r.l. 2016-11-08
2 Monitoring replication activities
The rdxLockRepSvc service writes logging information to the file
<rdxLock installation path>\log\FLReplication.log.
Depending on the “Application Event Log Level”, rdxLockRepSvc creates events in
the Windows Application Event Log.
Page 36 of 43 Tandberg Data S.a.r.l. 2016-11-08
3.5.2 rdxLockFSR
1 General Information
rdxLockFSR is a command line tool and can be used to run manual or scheduled
replication operations on rdxLOCK WORM volumes. rdxLockFSR determines the file
candidates to be replicated by scanning the source and target volume for file differences.
2 Syntax
rdxLockFSR <root_directory_source> <root_directory_target> [options]
3 Options
-c All files will be copied from source to target, independent of their
file attributes and timestamps.
-r Deletes files in the target location, which do not exist in the source
location.
-l <logfile> Writes logging information to the file <logfile>. If this option is not
specified, messages are written to stdout.
-d <loglevel> Specifies the level of logging information.
1: Error
2: Warning
3: Info
4: Trace
-t <capacity> Specifies the minimum free space in MB on the target volume, that must
be available before a file is replicated. This option is useful to avoid “disk
full” conditions on the target volume.
-m Ignore milliseconds in timestamps.
-j Do not overwrite a file on the target volume, if its modification timestamp
is newer.
-y Ignore file creation timestamp.
-Y Ignore file attributes.
Page 37 of 43 Tandberg Data S.a.r.l. 2016-11-08
-a Replicate directories only.
-B Terminate on error.
Without option -B, the program continues with the next file candidate.
-n Simulation mode.
4 Return Codes
0 Operation was successful.
1 Parameter or option is incorrect.
2 An error has occurred during processing.
(see logging information for further details)
5 Example
rdxLockFSR e:\ \\TargetSystemName\RootShare -d 2 –l c:\temp\logfile.txt
Page 38 of 43 Tandberg Data S.a.r.l. 2016-11-08
4 Best Practices
4.1 Data Protection
The following data protection strategies are available for rdxLOCK WORM volumes:
4.1.1 WORM-TO-WORM Replication
rdxLOCK Replication Service is configured at the volume level and maintains an exact
1:1 replica of the original WORM volume in real-time. Target volumes can reside on the
same host or remotely on a warm-standby server.
WORM-TO-WORM replication significantly improves application reliability in the event of a
disaster. If the primary WORM volume fails, businesses can switch to the target WORM
volume immediately and use it as a new source WORM volume or the administrator can
rebuild the new source WORM volume by copying the files from the target to the new
source using rdxLockFSR.
Since changes are propagated to the associated target locations as they occur rather
than at discrete time intervals, replication affords users a higher level of protection than
automatic backup. Using automatic backups only may cause data loss of all modifications
made between the last backup and the point in time when the fault occurred.
Data replication combined with automatic backups offers the highest level of business
continuity and safety.
4.1.2 Backup / Restore
In order to meet regulatory compliance rules and preserve the WORM aspects of the
original files we only advise to use Full Image Backup for protecting WORM volumes.
Since an Image Backup is an exact duplicate of a volume, data can be quickly restored to
the exact state it was when the backup was performed. This behavior ensures that
WORM volumes are always completely restored in case of a disaster recovery.
File based restore can not guarantee that all WORM files are restored.
A suitable image backup and restore solution should provide the following features:
Total Reliability
Online image backup
Creating a consistent image backup of a WORM volume while the volume is
available to other system applications is mandatory.
Page 39 of 43 Tandberg Data S.a.r.l. 2016-11-08
Differential or incremental online image backup
Differential or incremental image backup speeds up the image backup
process and saves disk space, since only files which have been changed
since the last (full) backup need to be backed up.
Network support
Image files can be saved directly to internal and network drives.
Configurable image file sizes
The solution should allow specifying a maximum size for the disk image
files.
Support of volumes larger 2 TB (GPT disk)
Command line support
This functionality is needed for automating backup and restore procedures.
Compression mode
Data Encryption
The following Image Backup product has been evaluated with rdxLOCK:
Image for Windows, TeraByte Inc.
http://www.terabyteunlimited.com/image-for-windows.htm
NOTES:
The option “Backup unused sectors” must be selected when backing up an ESM
encrypted WORM volume on a GPT disks.
A new permanent license key is required when restoring a WORM volume from a
full image backup copy.
Page 40 of 43 Tandberg Data S.a.r.l. 2016-11-08
5 Troubleshooting:
5.1 Reporting a Problem
For technical assistance with a registered version of rdxLOCK, email your inquiries to
supportEMEA@tandbergdata.com.
Please have the following information included in your email when you report a rdxLOCK
issue:
Issue description
Provide symptoms of the issue.
When did the issue occur?
Which activities have caused the issue?
Which file objects are affected by the issue?
rdxLOCK Service Report.
The rdxLOCKGUI application automatically generates a Service Report by
selecting the menu item <Diagnostics> -> <Generate Service Report>. All service
information is stored to the file FL_Diag.zip, which is located in the directory
<rdxLOCK installation directory>\Diagnostics.
List of third-party-applications installed on your system, including antivirus
scanners and backup management applications.
5.2 rdxLOCK Tab is not available on MS Explorer’s property page
The rdxLOCK tab on the MS Explorer’s property page is only available for local or domain
administrators.
If rdxLOCK is running on Windows 2008 Server, Windows 7 or Windows 2012 Server
please set up the User Account Control accordingly:
If the built-in domain administrator account is used for configuring rdxLOCK, the local
security policy "User Account Control: Admin Approval Mode for the Built-in Administrator
Account" must be disabled.
If another domain admin account than the built-in domain administrator is used, the local
security policy "User Account Control: Run all administrators in Admin Approval
Mode" must be disabled.
Page 41 of 43 Tandberg Data S.a.r.l. 2016-11-08
5.3 Application event log message: “Invalid license”
An invalid license may result from the following conditions:
Temporary license has been expired.
License information can’t be read on the WORM volume. Please check, if
the rdxLock service is running.
WORM volume has been restored. In this case a new permanent license
must be requested.
Page 42 of 43 Tandberg Data S.a.r.l. 2016-11-08
6 Appendix:
Filter - Compatibility:
rdxLock was successfully tested in combination with the following 3rd party applications:
- Symantec AntiVirus Version 12
- McAfee VirusScan Enterprise 8.7
- TrendMicro ServerProtect 5.58
- 3rd party replication tools were not tested with rdxLock version 2.2.
For last minute information regarding limitations and known problems, please read the
ReadMe.txt.
Page 43 of 43 Tandberg Data S.a.r.l. 2016-11-08