Cloud-Out Rubrik CDM to Tape

By now you have probably heard of Rubrik Cloud Data Management, “the new kid on the block”. It is a great tool to make your data work for you. You have the data spread out in the clusters using erasure coding and you can offload to a public or private cloud. What it can’t do is write data to tape.

In this blog we will show one way to achieve tape offload from Rubrik CDM by using IBM Spectrum Protect

This helps your organization to achieve Airgap by writing data to tape, where it can’t be easily altered. It will also help you to offload data even if you have sensitive information where you can´t send the data abroad or even let the data leave your datacentre.

Rubrik to tape

Rubrik can offload data to the S3 interface of Spectrum Protect.
Spectrum protect have strong support for tape with built in ILMT, Data that is no longer needed by Rubrik can be scrubbed from the tapes in Spectrum Protect. Data placement is continuously optimized by moving data from tape to tape.

Using a combination of IBM Spectrum Protect and Rubrik where we use Spectrum Protect for legacy workloads and Rubrik for modern workloads like Casandra etc.

In this blog are we will show how we have solved archiving to tape from Rubrik CDM 5.x to IBM Spectrum Protect Server 8.1.10.

Rubrik CDM will restore small portions of the archived objects to ensure that the data is available. This is one area where other tape based solutions will cause problems, not so with Spectrum Protect, it has a built-in queue for restoring data from tape, in our testing we have not experienced any timeout issues in delivering the data to the CDM in a timely manner.


Rubrik CDM must be configured to allow s3CompatibleForceV4Signing, this must be done by Rubrik engineers, jut open a support ticket and ask them to “Set s3CompatibleForceV4Signing to true”.

It goes without saying that you must have a tape library defined and tested with Spectrum rotect before you proceed.


Spectrum Protect Setup:

To prepare Spectrum Protect to receive data from Rubrik CDM we need to define a domain. And one file device storage pool and one tape storage pool (sequential media).

Once this is setup we define the object node.
Cold Cache Storage Pool

  • Create a Tape Pool
  • Create a Disk Cache pool
  • Object Storage Domain
  • Create Object Node

Create Device classes and Storage Pools

Before we can cloud out data from Rubrik we need to setup a Tape Storage Pool and a temporary Disk Cache Pool in Spectrum Protect that can retrieve S3 data.

We start by defining a tape pool and then a cold data cache pool.

define <Tape Device Class Name> devt=LTO Format=drive library=<Your Tape Library>
define stgpool <Tape Pool Name> <Tape Device Class Name> maxscratch=10

Now can we create a Object Storage Pool using the parameter STGTYPE=COLDDATACACHE but you also need to create a Hot Storage pool for S3 Metadata, but this pool can be any regular pool you already have, like a directory container pool.

define stgpool <NAME> stgtype=colddatacache directory=<PATH TO DISK CACHE> maxsize=<CACHE SIZE> migprocess=<number of tape drives to use> next=<Tape Pool>


Create a Object Domain:

Next step in this process is to create a Rubrik Object Policy Domain to make sure you save the data to the new Cold Storage Pool.

Define objectdomain <DOMAIN NAME> standardpool=<YOUR PRIMARY POOL> coldpool=<YOUR COLD POOL CACHE>

If you don’t want to use tape you can always ignore the coldpool parameter and you will save it to your primary pool for faster access then cold storage.


Create the Rubrik Credentials

Now do we need to create a node for the Rubrik Data to send it it’s data to.

Register Node <NODENAME> domain=<OBJECT DOMAIN> type=objectclient

Now will you see your Access Key ID and Access Key:

SP> register node <rubrik node> domain=<domain> type=objectclient
ANR2470I The new authentication credentials for object client node <RUBRIK NODE> are: Access Key ID: <ACCESS KEY>, Secret Access Key: <SECRET ACCEES KEY>.
ANR2060I Node <RUBRIK NODE> registered in policy domain <OBJECT DOMAIN>.

Copy and save both keys before continuing.


Generate Certificate

To get Rubrik authorized with the Spectrum Protect server we do need to generate a SSL certificate.

If you are running Spectrum Protect Server on Windows, please download the openssl binary to that server to be able to generate a local certificate.

If you are using Redhat you can use yum install openssl for other distribution please view their documentation. 

openssl genrsa -out rubrik_encryption_key.pem 2048

Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)


Define Archive location to Spectrum Protect

Login to your Rubrik Cluster and click on the settings icon and select Archival Location.

Click on the (+) icon to add new Archival Location.

Archival Location in Rubrik SettingsArchive Type:
Object Store

Object Store Vendor:
S3 Compatible ….

Access Key:
<Your Spectrum Protect Node Access Key>

Secret Key:
<Your Spectrum Protect Node Secret Access Key >

Host Name:
<IP Address / DNS to your Spectrum Protect S3 Agent Node>:<S3 Agent Port>

Bucket Prefix:
< Name_Of_Rubrik_Cluster >

Number of Buckets:
<10 is a good number> this is how many sessions Rubrik CDM will use to offload data

RSA Key:­
Paste the private key you generated with openssl genrsa 2048 remember to paste all text including:


Rubrik Add Archival S3 Settings

Enjoy your Cloud Storage on-premises

Now let’s enjoy your Cloud-Out to your Spectrum Protect Server environment.

Easiest way to view the data is in Rubrik, but also in the Spectrum Protect Server.

Spectrum Protect Console OutputRubrik Archive Overview








We hope you found this blog post useful.

Daniel Larsson

Subscribe to blog