Chapter 8   Backup


The objectives of this chapter are to cover:

• What data needs backup?

• Archiving for Raw Data and Init Table

• What happens when certificates expire?

• How to do Disaster Recovery?

What data needs backup?

---

The database tables employed by the iPlanet Trustbase Transaction Manager fall into two groups:

• Those that are to all intents and purposes read-only (e.g. configuration information)

• Those that are used to store large volumes of frequently written data (e.g. raw log)

This next section describes the function and composition of the tables used, so that the database administrator may more accurately devise an archiving strategy.

What data is Read-Only?

The following tables are largely used for static read-only data. These tables are not expected to grow to large sizes, so archiving should not be required, and all data can be kept online. However these tables should be backed up initially after configuration and after any subsequent certificate or configuration changes for backup and disaster recovery purposes.

• Identrus
  • OCSP_DATA

    Identrus OCSP log

  • IDENTRUS_DATA

    Identrus Message log

• Other tables
  • AUTHORISATION
    Maps role names to service names

  • CERTIFICATEAUTHENTICATION
    Maps certificate details to roles

  • CONFIG
    Used to store configuration data for the system. Each system element has one row in this table, so the table will only grow when new system elements are added.

  • ROLES
    Stores information about roles

  • ROLE_DESCRIPTION

    Role Description

  • USERNAMEPASSWORDAUTH
    Maps username / password combinations to roles

  • AUDIT_SERVICES

    Audit logging configuration

  • AUDIT_TEXT

    Locale based audit messages

  • DEFAULT_LOCALE

    Locale Configuration

  • ERROR_CODES

    Error Message text

• The initialisation files *.properties and proxi.ini that can be found in /opt/TTM/<machine-name>

• When utilising an HSM such as nCipher, module keys. nCipher "Security World" allows module keys to be backed. Consult the KeySafe User Guide using the Administrator Card Set.

What Tables are used for frequently written data?

The following tables are written frequently and can be expected to grow rapidly. Therefore it will be necessary to archive data from these tables as storage limits are approached. These logs contain important information that mean it is imperative to avoid loss. A regular back-up process should be in force for the following tables:

• Frequently Written Data
  • CERT_DATA
    All unique certificates from Identrus Messaging

  • BILL_DATA
    Billing Records for processed Identrus Messaging

  • AUDITDATA
    Stores audit log data

  • AUDIT_PARAMETERS

    Message specific audit data

    ERROR_PARAMETERS

    Message specific error data

  • ERROR
    Stores error log data

  • ERROR_SUPPORT

    Additional error data, such as stack traces

  • RAW_DATA
    Stores all the raw message data entering an leaving the system. This table is used for non-repudiation purposes, and is referenced by the INIT_TABLE described below. Due to this link, the archiving procedure for both these tables should follow that described above

• INIT_TABLE
  Stores information relating to the integrity of the raw log tables.

• ENVIRONMENTS

  Store operational context information

• OCSP_REQUESTS

  ITTM OCSP Responder request log

• OCSP_RESPONSES

  iTTM OCSP Responder response log

• SMIME_TRANSPORT

  SMIME transport details

• SMTP_CONNECTION

  SMTP connection data from SMTP proxy

• SMTP_MESSAGE

  SMTP message details from SMTP proxy

• SSL_CONNECTION

  SSL Connection details from SSL Proxy

• Any other raw data and init tables for raw logs created with AddLoggerWizard

Archiving for Raw Data and Init Table

---

For Identrus, the log init_table and raw_data table are inter linked. A raw_data record holds actual message data along with a time stamp that is digitally signed. An init_table record points to the beginning of a set of raw_data records. To archive raw_data, stop iTTM and archive the conetnt of the raw_data and init_table tables. User defined raw logs may be archived in the same way.

What happens when certificates expire?

---

It is possible to have two sets of certificates running simultaneously. When certificates are nearing their expiry date the following procedure needs to be adopted.

There are two cases:

1. CA certificate expiry
   1. New CA cert issued to same key

   Add the new CA certificate as a TrustedCertificateEntry using the TokenKeyTool

   1. New CA cert issued to new CA key

   All certificates issued by the expired certificate in a Trust Domain must be reissued with the CA certificate, and imported to the KeyEntry using TokenKeyTools importkeychain command.

2. Subject Certificate expiry
   1. New Certificate to be issued to same key

      Use TokenKeyTool to generate a Certificate request for the KeyEntry associated with the expired certificate and import the resulting certificate to the KeyEntry.

   2. New cert to be issued to new key

      Generate new key (with same subject name as old key, if desired) using TokenKeyTool. Generate a Certificate request, and import the resulting certificate to the KeyEntry. More pertinent aliases from the old to the new KeyEntry using TokenKeyTool

How to do Disaster Recovery?

---

In the event of hardware or disk failure it will be necessary to perform a disaster recovery. By ensuring the following contents are intact through restoration from backup, a iPlanet Trustbase Transaction Manager can continue its operation.

• nCipher Users only. nCipher "Security World" needs to be restored according to the KeySafe User Guide using the Administrator Card Set and the nCipher backup data.

• Reinstall iPlanet Trustbase Transaction Manager, Application Server and database.

• Reinstate *.properties and proxi.ini found in /opt/TTM/<machine-name>

• Reinstate database from the backup of tables created under the user specified in the SQL script in your Installation Guide. If necessary consult your Database Administrator.

  
  

  ---

  Note	Refer to the installation worksheet for information about the setup of iPlanet Trustbase Transaction Manager's application server and database.

  ---