PoINT Archival Gateway (PAG) can be installed on several servers (multi-node installation) in the Enterprise Edition or on one server in the Compact Edition. The following section describes the deployment of the Compact Edition.

Installing the PAG Compact Edition on RHEL 9.3 begins by transferring the installation tarball to your server and extracting its contents. After unarchiving, the next step is to install any required .NET runtimes and configure systemd services so PAG can run in the background.

Here is an example:

# scp PagCompactInstall-4.1.228.tar.gz root@linux1:/root/PAG/
# ssh root@linux1
# cd /root/PAG/
# tar -zxvf PagCompactInstall-4.1.228.tar.gz
# tar -zxvf PAG-CGN-FULL-4.1.228.tar.gz -C /
# tar -zxvf PAG-GUI-FULL-4.1.228.tar.gz -C /
# dnf install dotnet-runtime-8.0 aspnetcore-runtime-8.0 -y
# cp -pr /opt/PoINT/PAG/CGN/PagCgnSvc.service /etc/systemd/system
# cp -pr /opt/PoINT/PAG/CGN/pag-cgn.conf /etc/opt/PoINT/PAG/CGN/pag-cgn.conf
# cp -pr /opt/PoINT/PAG/GUI/PagGuiSvc.service /etc/systemd/system
# cp -pr /opt/PoINT/PAG/GUI/pag-gui.conf /etc/opt/PoINT/PAG/GUI/pag-gui.conf

After installing the files and dependencies, it is necessary to update the PAG configuration files in order to reflect the correct IP addresses, ports, and license key. The primary changes typically occur in /etc/opt/PoINT/PAG/CGN/pag-cgn.conf for the S3 REST API and /etc/opt/PoINT/PAG/GUI/pag-gui.conf for the administrative GUI. An example edit might look like this:

# vi /etc/opt/PoINT/PAG/CGN/pag-cgn.conf

[Administration Address]
CGN-GUI-MY-IP=10.251.0.35

[S3 REST API Addresses]
CGN-HTTP-S3-FQDN=linux1.cephlabs.com
CGN-HTTP-S3-IP=10.251.0.35
CGN-HTTP-S3-PORT-NOSSL=4080
CGN-HTTP-S3-PORT-SSL=4443
CGN-HTTP-S3-SSL-CERT-NAME=FILE:PAG.pfx
CGN-HTTP-S3-SSL-CERT-PWD=

[License]
CGN-Configuration-Key=QWYHM-W1787-5SD3X

Likewise, editing the GUI configuration file might involve similar IP updates:

# vi /etc/opt/PoINT/PAG/GUI/pag-gui.conf
[Administration Address]
GUI-DB-IP=10.251.0.35
GUI-DB-PORT=4000

Once the configurations are in place, the services can be enabled and started:

# systemctl enable --now PagCgnSvc
# systemctl enable --now PagGuiSvc

Confirming everything is running allows you to access the PAG GUI on the configured IP address and port through HTTPS. Log in with the default admin credentials, enter your License Key, and activate the software through the "System Management" → "Information" section in the PAG GUI. After licensing, creating a partition and Object Repository in the PAG interface will prepare the backend for storing objects on tape.

Under the menu command “Storage Management” → “Storage Partitions” you get an overview of all created Storage Partitions:

To create a new Object Repository (Bucket), click “Create Object Repository” and fill out the following dialogue.

Under the menu command “Storage Management” → “Object Repositories” you get an overview about all created Object Repositories (Buckets):

Setting up a user with HMAC credentials will allow Ceph to authenticate against PAG’s S3 endpoint.

Integrating PAG as a Storage Class within Ceph

Integrating PAG as a Storage Class within Ceph RGW involves configuring a cloud-tier placement for tape using the standard Ceph CLI. Adding a new point-tape storage class to the default placement looks like this:

# radosgw-admin zonegroup placement add --rgw-zonegroup=default --placement-id=default-placement --storage-class=point-tape --tier-type=cloud-s3
# radosgw-admin zonegroup placement modify --rgw-zonegroup default --placement-id default-placement --storage-class point-tape \
  --tier config=endpoint=http://linux1.cephlabs.com:4080,access_key=9FD33A27642C45480260,secret="YvFLFqQD+fZF+2gwVD4hbbgYzNoo4QeUiprhh0Tv",target_path="cephs3tape",multipart_sync_threshold=44432,multipart_min_part_size=44432,retain_head_object=true,region=default,allow_read_through=true

Check this link for a complete description of all the configuration parameters available.

We can list our new zonegroup placement configuration with the following command:

# radosgw-admin zonegroup placement list

NOTE: If you have not done any previous Multisite Configuration, a default zone and zonegroup are created for you, and changes to the zone/zonegroup will not take effect until the Ceph Object Gateways are restarted. If you have created a realm for multisite, the zone/zonegroup changes will take effect once the changes are committed with radosgw-admin period update --commit.

# ceph orch restart rgw.default

Bucket Creation and Lifecycle Policy

Next comes the creation of a bucket and the assignment of a lifecycle policy. This policy will automatically transition objects from the STANDARD tier to the point-tape tier after a specified number of days. We first create a bucket called dataset:

# aws --profile tiering --endpoint https://s3.cephlabs.com s3 mb s3://dataset --region default

The contents of point-tape-lc.json might resemble the following:

# cat point-tape-lc.json
{
  "Rules": [
    {
      "ID": "Testing LC. move to tape after 1 day",
      "Prefix": "",
      "Status": "Enabled",
      "Transitions": [
        {
          "Days": 1,
          "StorageClass": "point-tape"
        }
      ]
    }
  ]
}

To apply the lifecycle configuration to the dataset Bucket, you can apply it using the AWS CLI:

# aws --profile tiering  s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://point-tape-lc.json --bucket dataset
# aws --profile tiering  s3api get-bucket-lifecycle-configuration --bucket dataset
{
    "Rules": [
        {
            "ID": "move to tape after 30 days",
            "Prefix": "",
            "Status": "Enabled",
            "Transitions": [
                {
                    "Days": 1,
                    "StorageClass": "point-tape"
                }
            ]
        }
    ]
}

Testing the Integrated Setup

Uploading a file to the bucket and confirming its presence:

# aws --profile tiering  s3 cp 10mb_file s3://dataset/
upload: ./10mb_file to s3://dataset/10mb_file

# aws --profile tiering  s3api list-objects-v2 --bucket dataset
{
    "Contents": [
        {
            "Key": "10mb_file",
            "LastModified": "2025-03-24T15:40:55.879000+00:00",
            "ETag": "\"75821af1e9df6bbc5e8816f5b2065899-2\"",
            "Size": 10000000,
            "StorageClass": "STANDARD"
        }
    ]
}

The Ceph lifecycle daemon will run at scheduled intervals. After it completes, you can check whether objects have transitioned; the size of the object in the Ceph bucket will now be 0, and StorageClass becomes point-tape:

# radosgw-admin lc list
# aws --profile tiering  s3api list-objects-v2 --bucket dataset
{
    "Contents": [
        {
            "Key": "10mb_file",
            "LastModified": "2025-03-24T15:43:02.891000+00:00",
            "ETag": "\"75821af1e9df6bbc5e8816f5b2065899-2\"",
            "Size": 0,
            "StorageClass": "point-tape"
        }
    ]
}

In the output, StorageClass changes to point-tape for objects migrated to the PAG tier. Validating the actual data in the PAG backend is done by querying the bucket path in PAG via its S3 REST API:

# aws --profile points3 --endpoint http://linux1.cephlabs.com:4080 s3api head-object --bucket cephs3tape --key dataset/10mb_file
{
    "AcceptRanges": "bytes",
    "LastModified": "2025-03-24T15:42:23+00:00",
    "ContentLength": 10000000,
    "ETag": "\"e46b7c402bc788a8ea9c4fd02268b744-2\"",
    "ContentType": "application/octet-stream",
    "Metadata": {
        "Rgwx-Source": "rgw",
        "Rgwx-Source-Etag": "75821af1e9df6bbc5e8816f5b2065899-2",
        "Rgwx-Source-Key": "10mb_file",
        "Rgwx-Source-Mtime": "1742830855.879976223",
        "Rgwx-Versioned-Epoch": "0"
    }
}

Object Retrieval Workflow

A restore request can be made with the restore-object API call. First, a temporary restore:

# aws --profile tiering  s3api restore-object --bucket dataset --key hosts --restore-request Days=3

You can later confirm the restored object is accessible and listed in Ceph:

# aws --profile tiering s3 ls s3://dataset
2025-03-24 11:43:02   10000000 10mb_file

# aws --profile tiering  s3api head-object --bucket dataset --key 10mb_file
{
    "AcceptRanges": "bytes",
    "Restore": "ongoing-request=\"false\", expiry-date=\"Thu, 27 Mar 2025 15:45:25 GMT\"",
    "LastModified": "2025-03-24T15:43:02+00:00",
    "ContentLength": 10000000,
    "ETag": "\"\"e46b7c402bc788a8ea9c4fd02268b744-2\"\"",
    "ContentType": "application/octet-stream",
    "Metadata": {},
    "StorageClass": "point-tape"
}

If we don’t specify Days In the restore request, it triggers a permanent restore. For example:

# aws --profile tiering - s3 cp 20mb_file s3://dataset/
upload: ./20mb_file to s3://dataset/20mb_file

Once the LC policy transitions the object:

aws --profile tiering  s3api head-object --bucket dataset --key 20mb_file | grep StorageClass
"StorageClass": "point-tape"

Then, a permanent restore:

# aws --profile tiering  s3api restore-object --bucket dataset --key 20mb_file --restore-request {}

After this, the storage class is back to STANDARD:

# aws --profile tiering  s3api head-object --bucket dataset --key 20mb_file

{
    "AcceptRanges": "bytes",
    "LastModified": "2025-03-24T15:55:10+00:00",
    "ContentLength": 20000000,
    "ETag": "\"\"ab1a8bc4a7d7dd90231ae582e7dd35fa-4\"\"",
    "ContentType": "application/octet-stream",
    "Metadata": {},
    "StorageClass": "STANDARD"
}

Conclusion

By following the above approach, you can effectively deploy the PoINT Archival Gateway emulator, integrate it into IBM Storage Ceph as a new tape storage tier, and validate the entire lifecycle workflow — from upload and automatic migration to restore and verification. This combined solution reduces storage costs, enhances data protection and compliance, and provides on‐premises tape capabilities through a familiar S3 interface.

Overview of Archival and Tiered Storage Challenges

As data growth accelerates, organizations increasingly rely on archival and tiered storage to efficiently manage capacity, cost, performance and compliance. These storage models aim to balance frequently accessed "hot" data with rarely used "cold" data by placing them on appropriate storage tiers. However, implementing and managing archiving and tiering pose several challenges. Storage systems must be able to integrate different storage technologies (flash, disk, and tape) so that data is stored on the most appropriate technology according to its importance and use. The tiering and archiving process must be carried out automatically based on policies. It is also crucial that the storage systems support standardized protocols. The combination of IBM Storage Ceph and PoINT Archival Gateway addresses these challenges. PoINT Archival Gateway integrates tape storage products homogeneously into a Ceph Cluster via the standardized S3 interface. This connection makes it possible to fulfill archiving and tiering requirements in a consistent, complete system.

Introducing PoINT Archival Gateway

Overview

PoINT Archival Gateway (PAG) is a high-performance, scalable S3 object storage on tape. The software solution connects S3-capable storage systems like IBM Storage Ceph with tape libraries as target storage.

The basic functions of PAG include user, data, and storage management, as well as access control, logging, and monitoring. PAG allows direct writing to tape media. No expensive disk caches are required. Optional integration of an additional disk/flash-based storage class can meet the demands of use cases that require fast data access. Internal tiering using the standardized S3 Lifecycle Policies ensures optimized data and storage management.

Key Features

• High data throughput thanks to parallelism

• High availability with redundant server nodes

• High scalability, including load balancing

• Direct write/read tape access – no disk caches required

• S3 and S3 Glacier compatibility, including lifecycle policies

• LTO and 3592 tape drive support

• Erasure Coding over tape

• Object Versioning

• Data protection through object locking, authentication, and encryption

Introducing IBM Storage Ceph Object Storage

Overview

IBM Storage Ceph is an Enterprise-grade software-defined storage solution. Built
for data-intensive applications. Designed for hybrid cloud, it empowers organizations to modernize infrastructure and reduce costs with flexible deployment in the data center or as a service.

Ceph provides a single, efficient, unified storage platform for object, block, and file storage with Enterprise support and services, certified updates, and service-level agreements for production environments.

Install and run IBM Storage Ceph on industry-standard x86 server hardware of a company's preferred hardware vendor.

Key Features:

• Enterprise Ready: Robust, scalable, and widely deployed S3 endpoint, delivering low-latency, high-performance, enterprise-ready Object Storage.

• S3 & IAM Fidelity: A complete subset of the Amazon S3 and IAM dialects. Constantly increasing the number of supported S3 APIs

• Easy to Deploy: Deploy the Object Storage service and Multi-Site Replication in a matter of minutes from the UI or CLI. Day-two Admin Operations API for Automation

• Security, Compliance, and Audit capabilities. Encryption, STS, Object Lock, Public Access Block, MFA Delete, IAM policy (bucket, user, session, role)

• Scalability and Growth Potential: Limitless Capacity. Scale horizontally to petabyte and exabyte levels. Elastic Growth: add storage nodes without downtime.

IBM Storage Ceph Object Tiering Capabilities

Ceph offers object storage tiering capabilities to optimize cost and performance by seamlessly moving data between storage classes. These tiers can be configured locally within an on-premise infrastructure or extended to include cloud-based storage classes, providing a flexible and scalable solution for diverse workloads. With policy-based automation, administrators can define lifecycle policies to migrate data between high-performance storage and cost-effective archival tiers, ensuring speed, durability, and cost-efficiency.

Benefits of Integrating PAG with IBM Storage Ceph Object Storage

PAG allows a homogeneous integration of a tape storage class into a Ceph cluster. In this way, a multi-tier configuration with tape as an active archive tier can be realized. Ceph supports policy-based data archival and retrieval capabilities that integrate PAG as an S3 tape endpoint for long-term retention, disaster recovery, or cost-optimized cold storage. By leveraging policy-based automation, Ceph ensures that data is moved to PAG and, thus, to tape according to predefined lifecycle rules. PAG ensures efficient tape integration in Ceph, as no additional disk storage class is required.

The benefits of the combined Ceph and PAG solution are:

• Cost-optimization by tiering cold data to tape

• Minimal power consumption thanks to energy-efficient tape technology

• Direct tape integration without additional disk storage class

• Fulfillment of archiving and compliance requirements

• Cybercrime protection through “air-gapped” tape media

• Optimized data placement to balance speed, durability, and cost efficiency

• Independence from tape manufacturer

PAG and IBM Storage Ceph Integration Workflow

1. A Ceph Administrator sets a Cloud-Tier (Tape) Storage Class
   The Ceph administrator (using either the CLI or an operations API) configures a storage tier to route objects to PoINT Archival Gateway (PAG), offering an S3 Tape endpoint.

2. End User Creates Objects in a Ceph Bucket
   An end user (or application) uploads objects (e.g., JPG files) via the standard S3 API into a “User Data Bucket” managed by Ceph Object. These newly created objects initially reside in the configured “hot” (or standard) tier.

3. Lifecycle Policy Governs Transition
   A lifecycle policy is defined on the user bucket; for example, it specifies that after 365 days, any object older than that threshold should move to the lower‐cost, long‐term storage tier (tape) through PAG.

4. Automatic Archival to Tape
   Once an object’s age meets the policy rule (after 365 days), Ceph automatically transitions it to the tape tier through PAG.

5. Long‐Term Storage and Retrieval
   After archiving, the objects are stored on tape media via PAG. Objects are still referenced in Ceph’s metadata and can be retrieved later using the same S3 Ceph endpoints, the PAG tape tier.

IBM Storage Ceph 8.0 introduced policy-based data retrieval, which marks a significant evolution in its capabilities and is now available as a Tech Preview. This enhancement enables users to retrieve archived objects from S3 Tape endpoints like PAG directly into their on-prem Ceph environment.

Data can be restored as temporary or permanent objects:

• Temporary restores: The restored data bypasses lifecycle cloud-transition rules and is automatically deleted after the specified time, reverting the object to its previous stub state.

• Permanent restores: These fully reintegrate objects into the Ceph cluster, where they are treated like (and become) regular objects and subjected to standard lifecycle policy and replication processes.

This retrieval of objects can be done in two different ways:

• S3 RestoreObject API: Allows users to retrieve objects from the remote S3 endpoint using the S3RestoreObject API request

• Read-through Object Retrieval: This feature enables standard S3 GET requests on transitioned objects to restore them to the Ceph cluster transparently.

Use Cases for Policy-Based Archive & Retrieval from Tape

• Long‐Term Regulatory Compliance

  • Auditing & Retention Requirements: Many industries (financial, healthcare, government, etc.) mandate that data be retained for specific durations. Tape storage via PoINT Archival Gateway offers robust, cost‐effective retention for compliance.

• Media & Content Archiving

  • High‐Volume Media Libraries: Studios, broadcasters, and content creators can seamlessly tier infrequently accessed assets—like raw footage or archived episodes—to tape.

  • On‐Demand Retrieval: Producers or editors can conveniently restore assets (even partially) from tape to local Ceph storage for quick re‐edits or distribution.

• Scientific & HPC Research

  • Large Data Sets: Research organizations often generate massive volumes of data that need to be preserved long‐term yet accessed intermittently for analysis.

  • Policy‐Driven Workflows: Using Ceph’s lifecycle policies, hot scientific data can remain on a fast disk while older or completed experimental data moves to tape, reducing active storage costs.

• Cybersecurity & Ransomware Protection

  • Air‐Gapped Defense: Tape media provides an inherently offline storage layer, reducing the attack surface for malicious encryption or deletion.

  • Immutable Backups: Policy‐based retention periods, combined with encryption and tape’s offline status, safeguard critical data from cyber threats.

• Multi‐Cloud & Hybrid Strategies

  • Consistent S3 Interface: Organizations can leverage tape, public clouds, or on‐prem Ceph storage pools using the same S3 APIs and lifecycle policies, simplifying hybrid data flows.

  • On‐Demand Retrieval: Data archived to tape can be restored as needed without changing application logic, thanks to the same S3 access pattern.

Increasing Data Security and Performance by Erasure Coding on Tape

Erasure Coding provides data security on the tape media. This process stores blocks of data redundantly on multiple media. This means the data will not be lost even if one medium fails. PoINT Archival Gateway supports the Erasure Code (EC) rates 1/2, 1/3, 1/4, 2/3, 2/4 and 3/4. In combination with Erasure Coding, data security, and redundancy can be further increased, e.g., by using two, three, or four tape media in parallel in the tape storage class. Such a combination of multiple media is called a Protected Volume Array. A Protected Volume Array consisting of N tape media can extend over N tape libraries. The EC rates 1/2, 1/3, and 1/4 indicate the automatic creation of copies. For the tape storage class, multiple tape copies can be created (even in different libraries). Throughput rates can be significantly increased with EC rates that distribute data across multiple media (EC 2/3, 2/4, and 3/4).

In addition to increased redundancy, throughput rates can be increased dramatically with EC rates that distribute data across multiple media (EC 2/3, 2/4, and 3/4).

Conclusion

Following the above approach, you can effectively deploy the PoINT Archival Gateway emulator, integrate it into IBM Storage Ceph as a new tape storage tier, and validate the entire lifecycle workflow—from upload and automatic migration to restore and verification. This combined solution reduces storage costs, enhances data protection and compliance, and provides on‐premises tape capabilities through a familiar S3 interface.