
Directive IT Data Center Services

Content
1. Purpose
2. Area of application
3. Definition of terms & abbreviations
4. Content of the directive
4.1 Data and Backup Management
4.1.1 Area of application
4.1.2 Data Backup Strategy
4.1.4 Quarterly Backups
4.1.5 Monthly Backups
4.1.6 Locations with automatic tape libraries
4.1.7 Locations with simple tape drives
4.1.8 Locations with Backup deduplication Appliance
4.1.9 Database Backup (others than Oracle or SQL Server)
4.1.10 Backup of Oracle Databases
4.1.11 Backup of SQL Server Databases
4.1.12 Hypervisor-based Backups
4.2 Networking
4.2.1 Hardware environment for data network
4.2.2 Passive data network
4.2.3 Configuration and Backup Management
4.2.4 External Partner Networks / Internet
4.2.5 Network Protocols
4.2.6 IP addressing
4.2.7 Network Management
4.2.8 Network Monitoring
4.2.9 Redundant WAN Connections
4.2.10 High Available LAN
4.2.11 Stand-by equipment
4.3 Servers
4.3.1 Compute
4.3.2 Server Roles
4.3.3 Environments
4.3.4 Naming Convention
4.3.5 User Rights and Roles
4.3.6 Storage
4.3.7 Backup
4.3.8 Monitoring
4.4 Database
4.4.1 Database architecture
4.4.1.1 Database vendors
4.4.1.2 Database deployment
4.4.1.3 Database security
4.4.1.4 Database monitoring
4.4.1.5 Database integrity
4.4.1.6 Database backup
4.4.1.7 Database licensing
4.4.1.8 Database roadmap
4.4.1.9 Database incident management and problem management
4.4.1.10 Database change management
4.5 Enterprise Storage
4.5.1 Enterprise Storage Systems
4.5.2 Storage Area Network
4.5.3 Network Attached Storage
4.5.4 Storage Classes
4.5.5 High Availability
4.5.6 Storage Monitoring
5. Applicable documents
6. Change history

Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.

Overview
Short description: DRÄXLMAIER Group (DRX) Information Technology Function provides centralized and
decentralized storage, backup, networking and database services to all the functions across the group. The
services are provided from Server Rooms (SR) located at the company HQ and also in company locations
across the world.
Area of application: This directive is a guideline to describe and standardize the infrastructure requirements
in the Data Center Services area for storage, backup, networking, compute and database services. It is
mandatory for all IT staff who are involved in planning, building and operating these services.
Related to process: evaluate IT infrastructure solution, develop IT infrastructure solution, manage IT changes,
manage IT security
Information class: Internal
Translated document: No

Control data
Author/reviewer: Ghita Victor
Creation/revision date: 13.03.2020
Verifier: Ciuca PetruDoru
Verification date: 13.03.2020
Approver: Moeller Gernot
Approval date: 16.03.2020
Version: 4

1. Purpose
This directive defines the services provided by the SR, the responsibilities in the operation and the technical
framework for Data Center Services. It also ensures that the SR remains secure by having directives and
procedures in place.

2. Area of application
This directive is a guideline to describe and standardize the infrastructure requirements in the Data Center
Services area for storage, backup, networking, compute and database services. It is mandatory for all IT staff
who are involved in planning, building and operating these services.

3. Definition of terms & abbreviations

Term: Definition
Retention Policy: set of guidelines that describes which data will be archived, how long it will be kept,
archival rules, data formats, and the permissible means of storage, access, and encryption.
Direct Attached Storage (DAS): dedicated storage attached directly to the server unit
Synchronous Replication: writes the data at the same time on both storage units
Asynchronous Replication: writes the data to the primary storage unit, then commits the data to memory or to
a disk-based journal to be replicated later on.
Abbreviations: All relevant abbreviations can be found in the D-World abbreviations list:
D-World -> Worldwide -> Service -> Abbreviations

4. Content of the directive

4.1 Data and Backup Management

Access to the backup systems and the storage media has to be documented.

Special software must be used to delete data from the backup media.

When deleting the media, special data protection containers have to be used; if the containers aren't available,
this is the responsibility of the competent security administrator, as specified by the site management, the
OEMs or the law. Lengthy retention periods required by local regulations are to be adhered to.

The backup system or at least the physical storage system should be set up at a place that is separate from
the main data center; if this is not possible for technical reasons (single data center on premise) the backup
media MUST be stored as early as possible at a place that is sufficiently remote to protect it from disasters.
The data has to be stored in a fire-resistant data protection safe or a data protection cabinet. This includes
features such as protection against the penetration of fire, water, gas and against burglary and theft. The
applied resistance class must be DIS90 or equivalent.

Backup data is stored as required by legal, statutory or contractual stipulations according to their individual
time limits and necessary safety levels.

4.1.1 Area of application

The DRÄXLMAIER Group backup directive applies to all systems which use the
DRÄXLMAIER Group backup infrastructure.

For any software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS) or
managed service:
If a backup or data protection is required, the options offered by the vendor are to be preferred.
This always has to be a case-by-case decision.

4.1.2 Data Backup Strategy

Definition:

It regulates the protection and restoration of data on all production servers, all storage devices in all sites of
DRÄXLMAIER Group.

It is designed to protect data in the organization, to ensure it is not lost and can be recovered in the event of
an equipment failure, intentional destruction of data, or disaster. It should be able to:
− Recover from data loss in all circumstances, such as hard drive failure, virus attacks, theft, accidental
deletes or data entry errors, sabotage, fire, flood, earthquakes and other natural disasters.
− Recover to an earlier state if necessary, e.g. due to data entry errors or accidental deletes.
− Recover as quickly as possible with minimum effort, cost and data loss.
− Require minimum ongoing human interaction and maintenance after the initial setup, i.e. be able to run
automated or semi-automated.

Classification:

Depending on the data to be backed up, DRÄXLMAIER Group offers the following backup classes:

Backup class | Backup retention | Tape-Out for long-term retention
Bronze | 30 days | no
Silver | 90 days | no
Gold | 90 days | yes

Backup classes are defined on a per-server basis. The default class is defined as “Bronze”.
The application / data owner has to decide on the required backup class during the request process.
This has to be done during the project, when a new share, server or infrastructure is implemented.

The assignment has to be documented in the document “Backup Classes - Server Matrix.xlsx”.

Changes of the backup class always have to be aligned between application/data owner and backup team.
The change has to be documented in the document “Backup Classes - Server Matrix.xlsx”.

The new backup classes were introduced in 2018. Older existing systems remain in the “Gold” class until this
is changed.

Strategy:

Backup class “Bronze”

Backups from a period of 30 days should be able to be restored every business day (Mo-Fr).

Backup class “Silver”

Backups from a period of 90 days should be able to be restored every business day (Mo-Fr).

Backup class “Gold”

Backups from a period of three months should be able to be restored every business day (Mo-Fr).
The data has to be available in monthly updates (monthly backup) one year prior to this time period.
Furthermore, tapes have to be kept for long-term data backup in quarterly intervals for a period of 20 years
(quarterly backup: beginning of January, April, July and October). The full backups which are to be retained
are to be carried out on separate media on the first weekend of the month, preferably on Fridays. It must be
pointed out here, however, that this is not a certified compliance-conform archiving solution.

The backup type may vary due to different hardware and software equipment used at the individual
subsidiaries.

The data set should be available in a closed, consistent state at the start of the backup, and the backup job
must finish before the data is accessed again.

IT in each site is responsible for the backup / restore process. For next level support the Incident
Management process should be followed.

An assessment of whether certain systems and data records should be backed up has to be made by each
subsidiary IT in agreement with the subsidiary head.

LTO uses an automatic verify-after-write technology to immediately check the data as it is being written. A full
verify is made through the clone job of the monthly full backup.
Furthermore, an adequate supply of backup and cleaning tapes is to be assured and defective tapes should
be replaced immediately.

The head of SO-IT is responsible for permanent adherence to the directives according to specifications.
As mentioned before, implementation of the DRX backup strategy largely depends on the hardware and
software equipment used at each of the subsidiaries.

4.1.3 Restorability Check

A check and verification of the restore process must be done.

− It must be done in quarterly intervals.
− Browsable backup data has to be used.
− It must be documented in the template "restoration of the data backup".
− The check can be skipped if an ordinary restore task occurred in the past quarter and is also documented.

The template "restoration of the data backup" from the Overview IT-directives and standards is to be used for
the documentation.

4.1.4 Quarterly Backups

Quarterly backups should be performed as follows:

− "Quarter backup 1/Year" performed on the first Friday in April
− "Quarter backup 2/Year" performed on the first Friday in July
− "Quarter backup 3/Year" performed on the first Friday in October
− "Quarter backup 4/Year" performed on the first Friday in January of Year + 1

All Quarter backups have to be performed and monitored locally. Incident Management process has to be
used if any issues are encountered.

4.1.5 Monthly Backups


On every first Friday of a month in which no quarterly backup is performed, a monthly backup is done. All the
servers are backed up as "MSCLONE" of the previous month.

4.1.6 Locations with automatic tape libraries


The use of tape libraries requires an appropriate auto-changer module of the applied data backup software.
Compliance with the DRX data backup strategy can be attained by effectively using the available tools of the
applied data backup software. Thus, e.g., backups can be made incrementally during the week and
differentially on Friday evenings. A full backup is always done on the first Friday of the month, as a consistent
full backup in accordance with the backup strategy has to be done for the monthly backup and/or for
long-term backup. Clone mechanisms can be used to make a copy of the full backup immediately after the
backup has been completed and store it in a data backup safe.

4.1.7 Locations with simple tape drives


In contrast to locations with tape libraries, a full backup has to be made every Friday.
On the following Monday to Thursday, incremental backups are made to the same tape media.

In doing so, tapes always have to be used at full capacity and if necessary, additional capacity has to be
provided. After the Thursday backup is finished the tape media has to be stored in a fireproof data backup
safe. At the same time, the tapes are to be appropriately and clearly labeled.
The first backup Friday in the month is to be marked as the monthly backup. The monthly backups at the
beginning of each quarter are declared as being quarterly backups and are then filed for long-term backup.
Once the retention policy of the weekly (full + incr.) backup tapes has expired, they can be returned to the
backup circuit. The same applies to the monthly backup tapes, which can be reused once the calendar year
has come to an end.
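
The Friday schedule from 4.1.4 to 4.1.7, written out as a date classifier with a check for missing first-Friday full backups. This is an added example and not part of the directive; the function names, the "MSCLONE YYYY-MM" label format, the treatment of weekends and the sample dates are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Month in which a quarterly backup runs -> number of the quarter it closes (4.1.4).
QUARTER_BY_MONTH = {4: 1, 7: 2, 10: 3, 1: 4}


def first_friday(year, month):
    """Return the first Friday of the given month."""
    first = date(year, month, 1)
    return first + timedelta(days=(4 - first.weekday()) % 7)  # Monday=0, Friday=4


def classify(day, site="library"):
    """Return (backup_type, label) for one calendar day.

    site is "library" (automatic tape library, 4.1.6) or "drive" (simple
    tape drive, 4.1.7). label is set only for monthly and quarterly fulls.
    """
    if site not in ("library", "drive"):
        raise ValueError("site must be 'library' or 'drive'")
    if day == first_friday(day.year, day.month):
        quarter = QUARTER_BY_MONTH.get(day.month)
        if quarter is not None:
            # The January run closes quarter 4 of the previous year.
            year = day.year - 1 if day.month == 1 else day.year
            return "full", f"Quarter backup {quarter}/{year}"
        previous_month = day.replace(day=1) - timedelta(days=1)
        # Label format is an assumption; the directive only names "MSCLONE".
        return "full", f"MSCLONE {previous_month:%Y-%m}"
    if day.weekday() == 4:
        # Other Fridays: differential with a library, full with a simple drive.
        return ("differential" if site == "library" else "full"), None
    if day.weekday() < 4:
        return "incremental", None
    # Assumption: the directive schedules nothing for Saturday and Sunday.
    return "none", None


def missing_first_friday_fulls(year, recorded_fulls):
    """List (date, label) for each first Friday of the year without a recorded full."""
    recorded = set(recorded_fulls)
    missing = []
    for month in range(1, 13):
        expected = first_friday(year, month)
        if expected not in recorded:
            missing.append((expected, classify(expected)[1]))
    return missing


if __name__ == "__main__":
    # Constructed job history: every first-Friday full of 2024 except July.
    history = [first_friday(2024, m) for m in range(1, 13) if m != 7]
    for day in (date(2024, 1, 5), date(2024, 5, 3), date(2024, 5, 10)):
        print(day, classify(day, "library"), classify(day, "drive"))
    print("missing:", missing_first_friday_fulls(2024, history))
```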

4.1.8 Locations with Backup deduplication Appliance


In contrast to the above methods, backups are not stored on LTO tapes; they are written to an appliance with
hard disks which uses a data-deduplication algorithm. Twelve monthly full backups are available online,
which are overwritten automatically after the retention time. Copies of monthly backups to tape are not
made. Quarterly backups are replicated to a central appliance. The replication is made over the WAN
connection and is limited and adjusted between SO-IT and network department.

In the central location a copy of the quarterly backup is made to tape. The tapes have to be stored according
to the ruling directive. The backup server is the server in the central site; therefore a local backup server is
not necessary.

4.1.9 Database Backup (others than Oracle or SQL Server)


If possible, databases (e.g. Exchange, MySQL, EnterpriseDB, PostgreSQL, etc.) should be backed up using
appropriate database backup agents, as automatic, granular online backups and recoveries can be carried
out in this case. Backup strategy for databases should be agreed with DBA Team.

4.1.10 Backup of Oracle Databases


Consistent backups of Oracle databases are done with the internal RMAN backup utility. These backups are
directly stored on tape. Retention is 35 days. Within this period of time an application-consistent recovery
can be performed back to any moment in time.
To ensure further recoverability, dumps of the databases are created every Wednesday, stored on disk
and backed up according to the effective backup procedure for file-system backups.

There are exceptions to the creation of dumps and backups.


These are recorded in a document which is kept up to date by the DBA Team.
For these databases only RMAN is available as recovery method.
Link to document of excluded databases: http://db_overview.internal.draexlmaier.com

The log partitions of the database servers must be sized in such a manner that they do not become full in the
event of an outage of the backup system.

4.1.11 Backup of SQL Server Databases


Consistent backups of SQL Server databases are done by the SQL Server backup agent. These backups
are directly stored on tape. Retention is 35 days. Within this period of time an application-consistent recovery
can be performed back to any moment in time.
If further recoverability is requested, exports of the databases are created weekly, stored on
disk and backed up according to the effective backup procedure for file-system backups. The available
file system backup classes are: “Bronze”, “Silver” or “Gold”.
The log partitions of the database servers must be sized in such a manner that they do not become full in the
event of an outage of the backup system.

4.1.12 Hypervisor-based Backups

Backups based on hypervisor level are used for disaster recovery purposes.
These backups are limited to backup class “Bronze” or “Silver”.
If there are any long term retention requirements of the data within the VM, backup of the data must be done
by backup agents on guest level.

4.2 Networking
Secured communication between all the subsidiaries of the DRÄXLMAIER Group has become essential in
the course of expanding the DRÄXLMAIER Group into a globally active systems supplier and at the same
time for the purpose of tapping new business areas.

The aim is to create an integrated, uniform structure of communication as a basis for the entire
communication among all the sites, both within the group of companies and to the external partners.
The following guidelines apply to this set-up:
− Adherence to general standards and avoidance of installation of proprietary mechanisms
− The extensibility of the entire system in every direction (open system)
− The provision of standby units for all the components used within the scope of the Provider contracts
− Ensuring communication between all the DRX subsidiaries
− Ensuring communication to all the customers and partners
− Applying hardware that is defined as standard.

The current network structure is shown in the Applicable Document (APD): "WAN_GLOBAL".

4.2.1 Hardware environment for data network


All approved standard hardware used in the operation of the whole network is described in a Standard Article
List "STANDARDARTIKEL" on the intranet.

4.2.2 Passive data network


All installed data cables, data sockets and data cabinets have to fulfill the DRX requirements which are listed
in "PASSIVE_DATA_NETWORK".

4.2.3 Configuration and Backup Management


A uniform configuration of all devices and a backup of all configurations and settings are particularly
significant for network nodes that are critical for the company. They form the basis for speedy recovery of
operations after a breakdown and/or exchange of hardware.

All the process details for installing, backing up and recovery are listed in the Applicable Documents
"NETWORK_PROCESSES". The responsibilities for all steps are listed in the RACI Matrix "NETWORK_RACI".

4.2.4 External Partner Networks / Internet


Connections from and to external networks are made in case of urgent necessity only, e.g. when needed by
the customer. Efforts are made to provide as much security as possible in the type of connection and in the
applied hardware and software. A basic assessment should be done and networks which appear to be
insecure are not allowed to be connected.

Any new installation of access to the company network for a DRX employee requires prior approval by the
line manager. An application form is available in DFM.

Access options for partner companies are granted to trustworthy companies only. Responsibility for the
partner companies is assumed by the internal DRX applicant and also requires approval by a director.

All access to external networks, particularly to the Internet, has to be approved by CISO and safeguarded
according to the given specifications. Due to the high degree of risk, use of unapproved, not appropriately
safeguarded access is strictly prohibited.

Access to the internet is allowed either centrally through the main firewall in the HQ or via local internet
breakouts. In both situations internet access is monitored and protected against malware and viruses in the
same way; access policies are defined and managed centrally.

Insecure Internet access with 3/4G modems or any other devices except the ones
described above is strictly forbidden.

4.2.5 Network Protocols


TCP/IP is the only network protocol approved and supported in the DRÄXLMAIER Group worldwide.

4.2.6 IP addressing
A global IP addressing schema is defined and maintained centrally in the file "NETWORKS". The management
and documentation of the local IP addresses in the subsidiaries is the responsibility of the local IT.

4.2.7 Network Management


The management of the global data network is organized centrally, but executed locally.
To support all necessary processes, software-based management tools are used. These provide a
uniform configuration of all devices.

4.2.8 Network Monitoring


Network monitoring is done by a central solution at the headquarters. The local IT can request access to
the system. The Onsite IT is responsible for maintaining the equipment of the subsidiaries in the monitoring
system. All details are listed in the RACI Matrix "MONITORING_RACI".

4.2.9 Redundant WAN Connections


Redundant connections are used for Level 2 and Level 3 locations when a downtime of the communication
cannot be accepted. In this setup, the site or building is connected to the network with a second active line on
the same path in Level 2 and with full path redundancy in Level 3. In the case of an incident, the routing will
switch automatically to the second path. Level 1 locations have no second connection.

4.2.10 High Available LAN


A highly available local network is requested in Level 3 locations only. Therefore all connections between the
switches and all devices are redundant. In case of incidents, failover will be performed automatically.

4.2.11 Stand-by equipment


Stand-by equipment has to be present on site for each type of device. The same conditions must be applied
to all accessories such as device modules, power chargers, cables etc.

4.3 Servers
This section describes the server deployments in DRÄXLMAIER Group in order to ensure required
availability of services, as well as the safety and efficiency of their operation.

4.3.1 Compute
Server infrastructure, except the mainframe located in headquarters, is standardized on Intel’s x86
architecture. On this hardware platform operating systems are installed either natively or virtualized. In the
central data centers it is preferred to virtualize operating systems for efficiency, flexibility and manageability.
In local SR's data centers operating systems are installed natively or virtualized depending on cost
effectiveness.

4.3.2 Server Roles


The operating systems provide dedicated or mixed functionality which we refer to as “Server Roles”.
Examples of such roles are file, database, application and web servers. Servers generally have a
dedicated role assigned to them. This enhances security and simplifies configuration, leading to high levels of
standardization.

4.3.3 Environments
Server roles are divided into different environments which describe the importance of the role. For
example, an application server role could be a test instance in one case and a productive instance in another.
The operative importance of the server therefore differs distinctly between environments. For example,
loss of data or service in the test environment is acceptable, whereas in
production it can lead to financial and/or image loss to the DRÄXLMAIER Group.

4.3.4 Naming Convention


Server naming is governed by a naming convention which must be followed. The purpose of server naming is
to simplify management. This is done for purposes of security and ease of administration,
depending on the role.

4.3.5 User Rights and Roles


It is mandatory to segregate rights between the different kinds of users who access the servers. Users
are granted access based on their role, e.g. administrator, operator or end
user who is consuming a service like a file share.

The rule applies that only persons who need access to a server in their capacity as an administrator of the
server or of a hosted application are permitted to log on to the server. The persons who have the right to
access the server must be divided into roles which define the rights each person has on the server. The rights
assigned to a role must cover all aspects of that user's responsibilities and no more. For example,
the highest level system administrator has full control over all aspects of the server, while a user who
administrates a hosted application must have all the rights to the application being administrated, but no
further rights to the operating system.

4.3.6 Storage
Servers provide storage for services to store data on or to serve data from. This storage can be locally attached to the
server in the form of internal hard disks or consumed via SAN/NAS, depending on the nature of the architecture,
location and service provided.

4.3.7 Backup
The services provided by the server inherently produce data, some of which is important to back up and some
of which is not. Backups are made primarily to prevent loss of important data and to enable a speedy recovery
of service in the event that a service needs recovery. It must be ensured that servers providing services whose
loss can lead to financial and/or image loss to the DRÄXLMAIER Group are backed up with our approved backup
solution.

4.3.8 Monitoring
As with backup, monitoring is to be implemented on systems in this importance category to reduce the
implications of financial and/or image loss to the DRÄXLMAIER Group. It does so by detecting system health and
performance issues before they become problems, allowing administrators to react in a timely fashion and
proactively resolve detected issues.


4.4 Database
This section describes the database operation in DRÄXLMAIER Group in order to ensure required
availability of services, security and efficiency in operation.

4.4.1 Database architecture


4.4.1.1 Database vendors
Three database vendors are officially supported for on premise deployments: Microsoft SQL Server, Oracle
Database Server, EnterpriseDB, Postgres and MySQL.

− Oracle Database Server is used mainly for production critical applications.
− Microsoft SQL Server is used mainly for office and non-production applications.
− EnterpriseDB represents the open source Postgres with enterprise features. The main use case is to
offer an alternative to Oracle due to the similarity, but it is also used as an alternative for highly demanding
applications.
− MySQL Server is used for non-production critical applications.

4.4.1.2 Database deployment


For all new installations that require a database engine a Database Architect must be involved in the
architecture definition phase in order to ensure that DRX requirements for the database are met.

The minimum requirements are:

− Type of database needed: relational or non-relational
− SLA required for the application and database
− Infrastructure: on premise or cloud
− Database deployment: existing or new server
− If a new database environment is needed, requirements must be defined for the hardware /
virtual machines
− Identification of special database requirements regarding deployment and configuration

Cloud Databases
A cloud database service is a database that runs on a cloud computing platform. The cloud
database service can be requested as PaaS/DBaaS (Platform as a Service / Database as a Service) or
IaaS (Infrastructure as a Service). The DBaaS model is a subscription-based service in which the
database runs on the service provider's physical infrastructure.
For IaaS, the database delivery team supports all the versions that exist for on premise deployment (see
chapter 4.4.1.1). For PaaS deployments, the database delivery team offers support for all database
technologies present at the agreed cloud vendors, for both database types: SQL and NoSQL.
A SQL or relational database is composed of a set of interrelated tables that are organized into rows
and columns. The relationship between tables and columns (fields) is specified in a schema.
NoSQL is a non-relational database management system that does not require a fixed schema and
stores data in a different way. The purpose of using a NoSQL database is for distributed data
stores with humongous data storage needs. NoSQL is used for Big data and real-time web apps.
NoSQL stands for "Not Only SQL" or "Not SQL". Some types of NoSQL databases: Key-
Value, Document store, Column based, Graph based.

A catalog of preferred database architecture deployments is maintained by the Database Architect in the
APD "Database Approved Architectures".

All new database installations must be:


− Performed by DBA team
− Performed by the Application Admin team (internal or external) together with DBA team.
− No new database installation will be performed without the involvement of the DBA team.


4.4.1.3 Database security


− Access control
Database access control is performed manually by the DBA team. User management is controlled using
requests created in the Infrastructure request form application:
https://infrastructure-requests.internal.draexlmaier.com
For each member of the database administration team, individual administrative accounts are created with the DBA
privilege for Oracle and SYSADMIN for SQL Server. Each member connects to the databases via
SSMS, TOAD or SQLPLUS using the customized account.
The detailed procedure for database access control is maintained by DBA in APD "Database Access Control
Procedure".

− Audit
Database audit and logging is implemented and maintained by the DBA Team in a unified way using scripts.

For Oracle databases the audit level is for SYSDBA connections. The audit trail is stored on disk in a specific
directory for each database instance. The audit trail is kept on disk for the last day only.
All audit trails are backed up on tape according to the effective backup procedure for file-system backups.
The database and listener logs and trace files are archived automatically using scheduled scripts. The
archive directory is backed up on tape according to the effective backup procedure for file-system backups.
On all Oracle productive databases the DDL (Data Definition Language) statements are audited via
AUDIT_DDL trigger. The audit records provide information about the operation that was audited, the user
who performed the operation and the time of the operation. Audit records are stored in a table, accessible
only by DBAs.
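
The Oracle DDL audit described above, sketched as an added example; it is not part of this directive and not the DBA team's actual trigger. The table name ddl_audit_log, its columns and the trigger body are assumptions, and only the trigger name AUDIT_DDL comes from the text.

```sql
-- Hypothetical audit table: one row per DDL statement (operation, user, time).
-- Create it in a DBA-owned schema and grant no object privileges on it.
CREATE TABLE ddl_audit_log (
    event_time    TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP NOT NULL,
    login_user    VARCHAR2(128) NOT NULL,   -- database user who ran the DDL
    os_user       VARCHAR2(128),            -- operating system account of the client
    client_host   VARCHAR2(256),            -- machine the session came from
    ddl_event     VARCHAR2(30)  NOT NULL,   -- CREATE, ALTER, DROP, GRANT, ...
    object_owner  VARCHAR2(128),
    object_name   VARCHAR2(128),
    object_type   VARCHAR2(30)
);

-- Database-level DDL trigger (owner needs ADMINISTER DATABASE TRIGGER).
-- An unhandled error raised here is returned to the session that issued the DDL,
-- so keep the body minimal and monitor the free space of the audit tablespace.
CREATE OR REPLACE TRIGGER audit_ddl
AFTER DDL ON DATABASE
BEGIN
    INSERT INTO ddl_audit_log
        (login_user, os_user, client_host, ddl_event,
         object_owner, object_name, object_type)
    VALUES
        (ora_login_user,
         SYS_CONTEXT('USERENV', 'OS_USER'),
         SYS_CONTEXT('USERENV', 'HOST'),
         ora_sysevent,
         ora_dict_obj_owner,
         ora_dict_obj_name,
         ora_dict_obj_type);
END;
/

-- Check 1: the audit table must be "accessible only by DBAs".
-- Any row returned here is an object grant that needs justification.
SELECT grantee, privilege, grantor
FROM   dba_tab_privs
WHERE  table_name = 'DDL_AUDIT_LOG';

-- Check 2: daily review of structural changes in production, newest first.
SELECT event_time, login_user, os_user, client_host,
       ddl_event, object_type, object_owner || '.' || object_name AS object
FROM   ddl_audit_log
WHERE  event_time > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_time DESC;
```

Check 1 covers object grants only; accounts holding system privileges such as SELECT ANY TABLE can also read the table and should be reviewed separately.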

For SQL Server databases the audit and logs are recorded in Windows Event Logs. The logs are archived
and backed up according to the Windows file system backup policy implemented at server level.

− Patching
As a result of security scans, database patches and specific database configurations are installed in order to
mitigate the identified security bugs.

As a result of incident analysis database software bugs are discovered. Depending on the criticality and type
of issue, patches are installed on specific database instances or on all database instances.
Patching activity takes place following the general change management procedure.

The procedure for updating the Oracle database is to create a new Oracle Home with the identified patches
applied and to deploy it to the database servers. Whenever downtime for the databases is obtained, the
database configuration files can be moved from the old home to the new one. In case of issues, a rollback can
be performed by moving the database files back.
The plan is to apply patches according to the steps below:
1. Evaluate security fixes and bug fixes;
2. Check for patch conflicts;
3. Apply patch on test environment. Create a new patched Oracle Home;
4. Deploy the patched Oracle Home on QUAL and DEV environment;
5. Rollout on productive environment;

The full procedure for applying security patches is maintained by DBA in APD "Database Security Patch
Procedure".

4.4.1.4 Database monitoring


Database monitoring is implemented for all production databases. The database monitoring tool collects
performance and availability metrics, stores them for a specific period of time (not less than 45 days) and
generates alerts.

The alerts notify the DBA team for Warning and Critical metrics and the ITCC team for Critical metrics.
The detailed procedure for database monitoring is described in the APD "Database Monitoring Procedure"
document.

4.4.1.5 Database integrity


In order to ensure the productive data are not accidentally changed, the test environment (databases) should
be isolated from the productive environment.

4.4.1.6 Database backup


Backup of the databases is described in chapters 4.1.9 and 4.1.10.

4.4.1.7 Database licensing


The Database Licensing team is responsible for database license management. Purchasing new or
additional licenses without an agreement with the team is forbidden.

4.4.1.8 Database roadmap


Databases are upgraded to new versions periodically. For each vendor (Oracle and Microsoft), the DBA team
analyzes the support lifecycle timeframes of the database software in use. Based on this, upgrade projects
are initiated and executed. Each upgrade project consists of the following steps:
− Application certification with the new database software
− Proof of concept of the upgrade process
− Planning and execution of the upgrade process

4.4.1.9 Database incident management and problem management


Database incident management is performed in accordance with the incident and problem management procedures.

4.4.1.10 Database change management


Database change management is performed in accordance with the change management procedures.

4.5 Enterprise Storage


4.5.1 Enterprise Storage Systems
Data storage is a vital service for DRÄXLMAIER Group. The purpose of this section is to define guidelines
and to ensure that the storage service provided to the end customers is durable, available, secure,
scalable, and high-performing.

In DRX two concepts are used for storing data: DAS (Direct Attached Storage) and dedicated central storage
units.

DAS is used in direct relation to servers and is therefore defined and described in the server section.
Enterprise Storage Systems are dedicated storage systems which provide storage through a SAN (Storage
Area Network).

The DRÄXLMAIER Group standards and requirements for planning and implementing an Enterprise Storage
System are defined in Applicable Document "IT-Applicable Document Enterprise Storage Vx_xx".

4.5.2 Storage Area Network


To achieve the best performance, flexibility and high availability, a Storage Area Network (SAN) is used in
Enterprise environments.

A SAN (Storage Area Network) is used to provide LUNs (logical unit numbers) to one or more server
systems.

SAN storage protocols are reliable block-level storage protocols.



The widespread protocols are:

• FC (Fibre Channel)
• iSCSI (Internet Small Computer Systems Interface)
• FCoE (Fibre Channel over Ethernet)

To add security and simplify management, Fibre Channel zoning is used to restrict access based on devices
or ports. There are two zoning models, WWN (World Wide Name) and port zoning.

DRÄXLMAIER Group uses the WWN (World Wide Name) zoning model in its Data Center in Vilsbiburg.
This provides the most flexible infrastructure. A cable can be moved from one port to another without
reconfiguring zones.

The DRÄXLMAIER standards and requirements for planning and implementing a Storage Area Network are
defined in Applicable Document "IT-Applicable Document SAN Vx_xx".

4.5.3 Network Attached Storage


A NAS (Network Attached Storage) is a file-level storage protocol.

The protocols NFS or SMB/CIFS are used to access the storage through the Ethernet network infrastructure.
Security is provided through ACLs on the file and share level.

4.5.4 Storage Classes


To provide storage that is cost efficient and at the same time highly available and high-performing, different
classes of storage are available.

• Enterprise Storage Level
• Mid-Range Storage Level
• Low-Cost Storage Level

4.5.5 High Availability


To provide high availability in case of storage failures, different technologies are used.

• Storage based replication (synchronous or asynchronous)
• Storage Virtualization
• Host-Based mirroring
• Application based high availability through e.g. log shipping mechanism

4.5.6 Storage Monitoring


Monitoring of the Enterprise Storage Systems is done either by
• DRÄXLMAIER Group's Monitoring systems
• Vendor specific dial home solutions


5. Applicable documents

Name                                              Description
WAN_GLOBAL                                        Network Map
STANDARDARTIKEL                                   Standard article list
PASSIVE_DATA_NETWORK                              Specifications for the passive LAN
NETWORK_PROCESSES                                 Definition of network processes
NETWORK_RACI                                      Responsibilities for operating the data network
NETWORKS                                          Allocation of IP networks
MONITORING_RACI                                   Describes how the network is monitored
Database Approved Architectures                   Description of database architectures approved
Database Monitoring Procedure                     Procedure which details the monitoring of databases
Database Security Patch Procedure                 Procedure which details the applying of database security patches
IT-Applicable Document Enterprise Storage Vx_xx   Description of the enterprise storage
IT-Applicable Document SAN Vx_xx                  Description of the enterprise SAN

6. Change history

Version   Change description                    Changed by      Change date
1         Creation                              Mario Lohner    2016-NOV-09
2         Adjustment of Backup regulations      Martin Brandl   24.01.2018
3         Adjustment of Database directives     Victor Ghita    27.02.2019
4         Add the new database technologies     Victor Ghita    13.03.2020
