OpenSSO Enterprise creates and manages configuration and service management data in the embedded configuration datastore. If this data becomes corrupt or if some of it is missing, OpenSSO Enterprise will not function properly. Because of this, it is recommended that you back up your configuration datastore on a regular basis. Thus, in the event of a machine crash or other corrupting influence, you can restore the configuration data to its previous, non-corrupt state. This chapter describes the backup and restore procedures for the OpenSSO Enterprise server configuration data and contains the following sections.
OpenSSO Enterprise supports the following types of configuration datastores:
The procedures in this chapter do not apply to the user datastore.
Embedded configuration datastore: Configuration data is stored on the server local to the instance of OpenSSO Enterprise with an exposed LDAP port. This is the default datastore installed during initial configuration of OpenSSO Enterprise.
Sun Directory Server configuration datastore: Configuration data is stored in an instance of Sun Directory Server, which can be selected and configured during initial configuration of OpenSSO Enterprise.
The backup and restore procedures are dependent on the following:
The OpenSSO Enterprise bits are not corrupted.
The backup and restore procedures described in this document pertain only to the service configuration information stored in the defined configuration datastore. All other product files (including the bootstrap file, debug/log files, and key store files) are in the configuration directory defined during deployment (for example, /opensso) and are NOT in the scope of these procedures.
All of the restore options provided require the OpenSSO Enterprise web application to be reconfigured; thus, it is assumed that some configuration parameters will have to be used during the product reconfiguration. As long as the original system-generated configuration file .configParam (created as the result of a successful OpenSSO configuration and located in the configuration directory defined during OpenSSO Enterprise deployment; by default /opensso) is backed up, the information in it can be used to create a configuration file for use as input to the command-line configurator. For more information, see Chapter 5, Configuring OpenSSO Enterprise Using the Command-Line Configurator, in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
After OpenSSO Enterprise is successfully configured, it is assumed that no OpenDS interface or any other utility is used directly to manipulate the configuration data store.
This procedure describes how to back up the data contained in the configuration datastore.
Make sure that the configuration datastore is running but that no write operations are being sent to it.
Export the service configuration data to an XML file using the ssoadm command line utility option export-svc-cfg. For example:
$ cd sso_tools_dir
$ ./ssoadm export-svc-cfg -u username -f password_file_location -e key_to_encrypt_password -o XML-backup-file
If multiple servers are configured to share the same configuration store, the step is only required to be executed once on one of the servers.
Move XML-backup-file (from the previous step) to a secure location.
It is recommended to also create an MD5 hash of this file and to store it in a secure location. Use the hash file for future verification.
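The hash-and-verify step recommended above, combined with a check that runs before the import-svc-cfg restore step used later in this chapter, as an added example (not part of the original guide or of OpenSSO). It records the MD5 hash the text recommends plus a SHA-256 digest, which is an addition here; the function names and the SSOADM variable are hypothetical, and md5sum and sha256sum are assumed to be available.

```shell
#!/bin/sh
# Added example: integrity gate for an export-svc-cfg backup file.
# Assumes md5sum and sha256sum are installed; all function names are hypothetical.

# Record digests beside the backup and restrict access to the owner.
record_digests() {
    backup=$1
    [ -f "$backup" ] || { echo "no such backup: $backup" >&2; return 2; }
    dir=$(dirname "$backup"); base=$(basename "$backup")
    # Hash by basename so the manifests still verify after the files are moved.
    ( cd "$dir" &&
      md5sum "$base" > "$base.md5" &&
      sha256sum "$base" > "$base.sha256" &&
      chmod 600 "$base" "$base.md5" "$base.sha256" )
}

# Return 0 only if every recorded digest matches the backup file.
# Returns 2 when a manifest is missing, 1 when a digest does not match.
verify_backup() {
    backup=$1
    dir=$(dirname "$backup"); base=$(basename "$backup")
    [ -f "$dir/$base.md5" ] && [ -f "$dir/$base.sha256" ] || {
        echo "digest manifest missing for $backup" >&2; return 2; }
    ( cd "$dir" &&
      md5sum -c "$base.md5" >/dev/null 2>&1 &&
      sha256sum -c "$base.sha256" >/dev/null 2>&1 ) || {
        echo "digest mismatch: refusing to use $backup" >&2; return 1; }
}

# Run import-svc-cfg only when the backup verifies (fail closed).
# SSOADM defaults to ./ssoadm; the options are the ones shown on this page.
guarded_import() {
    user=$1; pwfile=$2; key=$3; backup=$4
    verify_backup "$backup" || return $?
    "${SSOADM:-./ssoadm}" import-svc-cfg -u "$user" -f "$pwfile" -e "$key" -X "$backup"
}
```

Keep the .md5 and .sha256 files in a secure location separate from the backup itself, so that a change to the backup cannot be hidden by rewriting the digests in the same place.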
This section contains instructions to restore saved configuration data to the OpenSSO Enterprise configuration data store or the Directory Server configuration data store. Restoration of the configuration data can be done by loading an XML file or through directory replication. There are two methods to restore the configuration data for the OpenSSO configuration data store:
Use this option if there is only one OpenSSO Enterprise instance and it is corrupted, or if multiple servers are configured to share the same configuration datastore and all instances are corrupted.
Use this option in the case where multiple OpenSSO Enterprise instances are configured to share the same configuration datastore and at least one of the instances is uncorrupted.
This section contains the following procedures.
To Restore the Embedded Configuration Datastore by Loading XML
To Restore by Replication of the OpenSSO Configuration Data store
To Restore the Directory Server Configuration Datastore by Loading XML
To Restore by Replication of the Directory Server Configuration Datastore
In cases where the default OpenSSO Enterprise configuration data store is used, check its status by running ssoadm embedded-status on the command line. This will help to determine the proper restoration procedure to use. See Chapter 1, ssoadm Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for more information.
Use this option if there is only one OpenSSO Enterprise instance and it is corrupted, or if multiple servers are configured to share the same configuration datastore and all instances are corrupted. If multiple instances of OpenSSO Enterprise are configured to share the same configuration datastore, repeat steps 1 through 4 on each instance first and then do step 5 and step 6.
Stop all instances of OpenSSO Enterprise.
Remove all files and directories from the existing configuration directory.
$ rm -rf configuration_directory
Restart all instances of OpenSSO Enterprise.
Reconfigure the OpenSSO Enterprise web application by accessing the OpenSSO Enterprise configurator.
All configuration attributes must be redefined as they were originally defined. For the configuration of the second and all succeeding OpenSSO Enterprise instances, choose the Add to Existing Deployment option during configuration and point it to the first instance.
Import the saved service configuration data to the configuration datastore using the ssoadm command line utility option import-svc-cfg.
$ ./ssoadm import-svc-cfg -u username -f password_file_location -e key_to_encrypt_password -X backup_xml_file
In the case of the multiple server configuration, this step only needs to be done once.
Restart all OpenSSO Enterprise instances.
Use this option in the case where multiple OpenSSO Enterprise instances are configured to share the same configuration datastore and at least one of the instances is uncorrupted.
Log in to the console of an uncorrupted instance of OpenSSO Enterprise as administrator.
Remove the corrupted OpenSSO Enterprise instance(s) from the platform server list.
The de-provisioning of the OpenSSO configuration datastore node will take effect after all the OpenSSO servers are restarted.
Remove all files and directories from the existing configuration directory for all corrupted instances of OpenSSO Enterprise.
$ rm -rf configuration_directory
Restart all instances of OpenSSO Enterprise including those that are corrupted.
Reconfigure the OpenSSO Enterprise web application on the corrupted OpenSSO Enterprise instance by accessing the OpenSSO Enterprise configurator.
All configuration attributes must be redefined as they were originally defined.
Import the saved service configuration data to the configuration datastore using the ssoadm command line utility option import-svc-cfg.
$ ./ssoadm import-svc-cfg -u username -f password_file_location -e key_to_encrypt_password -X backup_xml_file
In the case of the multiple server configuration, this step only needs to be done once.
Restart all OpenSSO Enterprise instances.
Use this option if there is only one OpenSSO Enterprise instance and it is corrupted, or if multiple servers are configured to share the same configuration datastore and all instances are corrupted. If multiple instances of OpenSSO Enterprise are configured to share the same configuration datastore, repeat steps 1 through 4 on each instance first and then do step 5 and step 6.
Stop all OpenSSO Enterprise instances.
Remove all files and directories from the existing configuration directory.
$ rm -rf configuration_directory
Confirm that the Directory Server configuration datastore is up and running with no OpenSSO Enterprise service configuration.
Reconfigure the OpenSSO Enterprise web application by accessing the OpenSSO Enterprise configurator.
All configuration attributes must be redefined as they were originally defined. For the configuration of the second and all succeeding OpenSSO Enterprise instances, choose the Add to Existing Deployment option during configuration and point it to the first instance.
(Optional) Repeat these steps on each instance of OpenSSO Enterprise that is configured to share the same Directory Server configuration datastore.
Import the saved service configuration data to the configuration datastore using the ssoadm command line utility option import-svc-cfg.
$ ./ssoadm import-svc-cfg -u username -f password_file_location -e key_to_encrypt_password -X backup_xml_file
In the case of the multi-server configuration, this step only needs to be done once.
Restart all OpenSSO Enterprise instances.
Use this option in the case where multiple OpenSSO Enterprise instances are configured to share the same configuration datastore and at least one of the instances is uncorrupted.
Log in to the console of an uncorrupted instance of OpenSSO Enterprise as administrator.
Remove the corrupted OpenSSO Enterprise instance(s) from the platform server list.
The de-provisioning of the OpenSSO configuration datastore node will take effect after all the OpenSSO servers are restarted.
Remove all files and directories from the existing configuration directory for all corrupted instances of OpenSSO Enterprise.
$ rm -rf configuration_directory
Restart all of the OpenSSO Enterprise servers including those that are corrupted.
Reconfigure the OpenSSO Enterprise web application by accessing the OpenSSO Enterprise configurator.
All configuration attributes must be redefined as they were originally defined.
Import the saved service configuration data to the configuration datastore using the ssoadm command line utility option import-svc-cfg.
$ ./ssoadm import-svc-cfg -u username -f password_file_location -e key_to_encrypt_password -X backup_xml_file
In the case of the multi-server configuration, this step only needs to be done once.
Restart all OpenSSO Enterprise instances.