Previous Contents DocHome Index Next |
iPlanet Trustbase Transaction Manager 3.0.1 Beta Configuration and Installation |
Chapter 8 Configuration Recovery
The objectives of this chapter are to cover:
Dynamic Configuration Export and Import
What data needs to be backed up
What data is frequently written
What configuration data needs to be backed up
Dynamic Configuration Export
To export dynamic configuration items for backup use the Config | Export setting in the iTTM admin screens.
This will return a file for download. Some browsers may display this file rather than saving - in this case use View Source to generate a text document containing the exported configuration and save to the desired location.
Configuration Security
Since the administration screens are accessible remotely, it is essential to protect the system from a malicious users attempting to change the iTTM config, rendering it open to attack. The administration screens are protected from unauthorised use but it might still be possible for a malicious user to trick an authorised administrator into importing a modified config file. To protect against this kind of attack, the configuration is exported with a signature. Only configuration signed by the designated key will be reimported (using Config | Import).
By default, the IPSC key will be used to sign configuration. If you wish to change the signing key or signing algorithm you will need the following Configuration Parameters found in /opt/ittm/myhost/tbase.properties for XMLConfig Import/Export
SigningAlgorithm - Default: SHA1withRSA
- algorithm with which to generate signature on exported config
- alias with which to mark token key store entry for signing exported config
To change the signing key, a token key store certificate / key entry should be generated and marked with the SigningAlias (the previous alias should be removed). This does not need to be issued by a Certificate Authority.
Dynamic Configuration Import
This is done in the same way that you import any file with the restriction that you can only import what you have exported from that specific instance of iTTM
Data Model
This section is intended to illustrate the Data Model so that the user can make their own decision about how they wish to procede with archiving and backup.
Figure 8-1    Oracle Data tables
Figure 8-2    Oracle OCSP tables
Figure 8-3    Comms
Figure 8-4    Audits
Figure 8-5    Users
Figure 8-6    Roles
Figure 8-7    Identrus
Figure 8-8    Errors
Database Table Definitions
This section classifies all of the tables in an iTTM/iTPS/BIAB/Tooled Up installation.
All tables marked as 'Private Internal Data' are controlled by the specified product and the sructures of these tables are subject to change in future revisions.
All tables marked as 'No Longer Used' are tables that existed in an earlier version of the product that are deprecated in the current version. Because of upgrade paths these tables are not dropped by their respective products, the DBA is at liberty to drop these tables once the contained data is no longer needed.
Auditdata
Contains internal audit information & indicates what the TC processed.
Figure 8-9    TTM table Auditdata
Column Name
Type
Size
NULL
Key Information
Description
Auditparameters
Log of all event specific parameters for each audit event.
Figure 8-10    iTTM table Auditparameters
Column Name
Type
Size
NULL
Key Information
Description
The "tag" number when this parameter value is inserted into the audit_text
audit_text
Maps audit strings to locale specific strings
Figure 8-11    iTTM table audit_text
Column Name
Type
Size
NULL
Key Information
Description
The text of the audit message or type in a locale specific form
bill_data
Billing records are a sub-set of the information within the raw message log that provides sufficient information to determine who made each transaction. These tables are designed for used by third party tools that generate the actual Bill for the customer. The definitions for the bill table columns are as follows:
Figure 8-12    iTTM table bill_data
cert_data
In order to reduce the volume of data logged with each Identrus message the certificates contained with the message header are stripped out and stored in a certificate table. If the iPlanet Trustbase Transaction Manager has already logged a particular certificate in the table it will not be logged again. The information stored within the table is:
Figure 8-13    iTTM table cert_data
Column Name
Type
Size
NULL
Key Information
Description
The issuer distinguished name of the certificate, RFC 2253 format string.
The subject distinguished name from the certifcate, in RFC2253 format
Error
The actual error log table is described below, this table is not normally viewed by the administrator directly, instead there is an Oracle view called errorview that provides a resolved view of the errors that have been logged.
Figure 8-14    iTTM table error
error_codes
The iPlanet Trustbase Transaction Manager error logging mechanism requires that every different occurrence of an error be given a code which is unique throughout iPlanet Trustbase Transaction Manager.
Figure 8-15    iTTM table error_codes
error_parameters
This is a cross referencing table used for querying errors. parameters are used to expand text according to the error text.
Figure 8-16    iTTM table error_parameters
Column Name
Type
Size
NULL
Key Information
Description
error_support
When an error is logged it is often accompanied by some free form string data which helps to store the context in which the error occurred to aid diagnosis. The most common example of such data is exception stack traces.
Figure 8-17    iTTM table error_support
identrus_data
The Identrus data table records identrus specific message data, which can be related to the raw log records in the raw_data table, using the rawrecordid foreign key.
Figure 8-18    iTTM table identrus_data
Column Name
Type
Size
NULL
Key Information
Description
the DOCTYPE of the message.e.g.CSCRequest, PingRequest etc..
The protocol over which the messge arrived e.g. HTTP or SMTP
ocsp_data
This data records all the ocsp transactions -- responses and requests that are carried out between the local ocsp responder and iTTM.
Figure 8-19    iTTM table ocsp_data
Column Name
Type
Size
NULL
Key Information
Description
The URL to which the request was submitted to or the response was received from
ocsp_requests
Records messages sent from iTTM to the OCSP Responder.
Figure 8-20    iTTM table ocsp_requests
Column Name
Type
Size
NULL
Key Information
Description
ocsp_responses
Records messages received from the OCSP responder to iTTM
Figure 8-21    iTTM table ocsp_responses
Column Name
Type
Size
NULL
Key Information
Description
raw_data
The raw log inserts a row into a relational database table for each log operation. The structure of the database table is described here. All raw log tables have the same structure, although each raw log uses a different table, whose name is determined when the raw log is created with the AddLoggerWizard. The raw logging facility records raw incoming and outbound message data.
Figure 8-22    iTTM table raw_data
smime_transport
Logs incoming SMIME connections
Figure 8-23    iTTM table smime_transport
Column Name
Type
Size
NULL
Key Information
Description
The issuer_dn of the certificate that was used to verify the message
The serial number of the certificate used to verify the message.
smtp_connection
The ssl_connection and smtp_message tables both have connection_id fields that are passed to the iPlanet Trustbase Transaction Manager running in the application server. This connection_id is stored within the Identrus Log table allowing queries that link the originator information with the actual requests made.
Figure 8-24    iTTM table smtp_connection
Column Name
Type
Size
NULL
Key Information
Description
smtp_message
Logs incoming SMTP mail messages.
Figure 8-25    iTTM table smtp_message
Column Name
Type
Size
NULL
Key Information
Description
What configuration data needs to be backed up?
Configuration information is split into two sections: static information (changing which requires a restart of Trustbase) and dynamic information (at present this consists of the Audit Logging and Error Logging settings).
Static configuration can easily be backed up by copying the
to a storage directory. Typically this would involve
As mentioned in an earlier section, to export dynamic configuration items for backup use the Config | Export setting in the iTTM admin screens.
This will return a file for download. Some browsers may display this file rather than saving - in this case use View Source to generate a text document containing the exported configuration and save to the desired location.
For a list of sql tables see for instance
select TABLE_NAME from USER_TABLES;
We now list the important sql tables
Take a snapshot backup of the environment.
Export: Release 8.1.7.0.0 - Production on Wed Feb 27 10:30:38 2002
(c) Copyright 2000 Oracle Corporation. All rights reserved.
Log as a super user with DBA privilage and export the iTTM user. Refer to the Oracle documentation http://technet.oracle.com for the Export tool user guide.
To backup the LDAP directory used by iAS you can replicate the server, see for instance
iWS copy the installation directory i.e. /opt/iws6
The HSM security world i.e. /opt/nfast/kmdata
iTTM software components are of course available on the CD-ROM supplied with this document.
What happens when certificates expire?
It is possible to have two sets of certificates running simultaneously. When certificates are nearing their expiry date the following procedure needs to be adopted.
CA certificate expiry
All certificates issued by the expired certificate in a Trust Domain must be reissued with the CA certificate, and imported to the KeyEntry using TokenKeyTools importkeychain command.
Subject Certificate expiry
How to do Disaster Recovery?
In the event of hardware or disk failure it will be necessary to perform a disaster recovery. By ensuring the following contents are intact through restoration from backup, a iPlanet Trustbase Transaction Manager can continue its operation.
nCipher Users only. nCipher "Security World" needs to be restored according to the KeySafe User Guide using the Administrator Card Set and the nCipher backup data.
Reinstall iWS 6.0 SP2, iAS 6.0 SP3, database and iTTM 3.0.1
Import saved Configuration via
Reinstate database from the backup of tables created under the user specified in the SQL script in your Installation Guide. If necessary consult your Database Administrator.
Note Refer to the installation worksheet for information about the setup of iPlanet Trustbase Transaction Manager's application server and database.
Previous Contents DocHome Index Next
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated October 31, 2002