Skip to main content
NetApp Knowledge Base

SnapLock feature in ONTAP 9

Views:
10,123
Visibility:
Public
Votes:
15
Category:
ontap-9
Specialty:
dp
Last Updated:

Applies to

ONTAP 9

Answer

What is SnapLock?

SnapLock feature is now introduced in clustered Data ONTAP with ONTAP 9 release. It is a high performance compliance solution that provides capability of data retention and WORM protection for retained data. SnapLock creates non-modifiable and non-erasable volumes to prevent files from being altered or deleted until a set retention date. It has file-level retention for CIFS and NFS.

How to enable this feature?

SnapLock is a license-based feature with two modes: Enterprise and Compliance.

  • SnapLock Compliance (SLC) implements strict regulatory requirements for data retention such as the SEC 17a-4(f) rule,  FINRA, and CFTC, as well as national requirements for the German-speaking countries (DACH).  Volumes committed to SnapLock Compliance cannot be altered or modified, and can only be deleted after WORM data has passed the retention period.
  • SnapLock Enterprise (SLE) implements best practices guidelines for protecting digital asset with WORM type data storage. Data stored on SnapLock enterprise volume cannot be altered or modified. Data stored is not for strict regulatory compliance. Also the SnapLock enterprise data can be destroyed by administrator with root privileges on storage system that hosts the SnapLock enterprise volume prior to the end of the retention period.
What capabilities are supported by SnapLock Compliance and Enterprise modes?

Refer to the documentation for up-to-date information on capabilities differences between Compliance and Enterprise.

What ONTAP features are supported with SnapLock?

Refer to the documentation for up-to-date information on features that are supported with SnapLock Compliance mode, SnapLock Enterprise mode, or both.

How is the retention period determined?

SnapLock relies on ComplianceClock service in clustered Data ONTAP which is a software-based tamper-resistant clock. ComplianceClock can be initialized only once by the administrator after which it operates based on hardware ticks. Once initialized, the administrator cannot perform any action that will cause forward adjustment. This ensures that the retention period of WORM files can never be shortened by doing forward adjustments of the reference clock.

What are the SnapLock Compliance Clocks?

System ComplianceClock (SCC) is maintained per node. ComplianceClock can be initialized only once per node.
Volume ComplianceClock (VCC) is the individual ComplianceClock for each SnapLock volume. All retention decisions related to data in a particular SnapLock volume are taken based on VCC of that volume. VCCs of all SnapLock volumes run independently of each other. VCC is initialized when the SnapLock volume is created. VCC takes its initial value from SCC and can never be altered. SCC needs to be initialized before creating SnapLock volumes.

What are the values available for retention period?

Each SnapLock volume can have individual retention period. ONTAP 9 enforces retention until retention period ends. After the retention period, records can be deleted but not modified. ONTAP 9 does not automatically delete any record. All records must be deleted manually or using an application. Retention period is calculated based on VCC. You can extend the retention period to a future date or infinite, but never decrease it. SLC or SLE volume has 3 retention periods: minimum retention period, maximum retention period, and default retention period.

Snaplock-minimum period: File is committed with at least this much retention period on a SnapLock volume. Administrator can increase it any time. However, changing this value will not affect the retention period of existing WORM files. Default value for snaplock-minimum-period for SLE and SLC is 0 years.
Snaplock-maximum-period: Limits the max amount of retention period while committing files to WORM state. When a user is extending the retention period of the WORM file, this value is ignored. Changing the value will not affect the retention periods of existing WORM files.
Default value of  snaplock-maximum-periods for SLE and SLC is 30 years.
Snaplock-default-period: Default retention period is used to compute retention time while committing WORM file if retention time is not set explicitly. There are two ways to specify the retention time of a WORM file:

  • Using NFS/CIFS setattr operation to set file atime
  • In case retention time (file atime) is not set before committing the file to WORM, SnapLock uses volume's snaplock-default-period to set the retention time.
What are some other features of SnapLock?
  • Autocommit: SnapLock autocommit feature automatically commits files to WORM state if the file is not changed during specified autocommit period and it is set at the volume level. If the SnapLock volume goes offline or in the restricted state, this feature gets disabled. It is enabled automatically when the volume becomes online again.
  • Privilege delete is only available with SLE volume and it allows privileged user to delete a file before it reaches its retention period. This feature needs SnapLock audit log to be configured. The deletion is logged in audit file on SLC log volume for tracking purposes.
  • WORM appendable file: WORM append feature allows one to create WORM file and append data to it. The data is added in the chunks of 256K and this size cannot be changed.
  • File fingerprint captures file related metadata and calculates hash digest over file's data and metadata using standard hash algorithm such as MD5 and SHA-256. This enables users to verify the integrity of the file. SnapLock does not store any file fingerprints data on the disk, but it is exported externally using ONTAP CLI or ZAPI.
  • Committing files to WORM: You can use an application to commit files to WORM over NFS or CIFS or use SnapLock autocommit feature. Use a WORM append file to retain data that is written incrementally like log information or file metadata.
  • Data protection: You can use SnapLock for SnapVault to WORM-protect snapshot copies on secondary storage. You can use SnapMirror to replicate WORM files to another location for disaster recovery.

Note: From ONTAP 9.5 and later, either a SnapLock Enterprise volume or a SnapLock Compliance volume can be used for audit logging.

Additional Information

additionalInformation_text

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.