Previous Contents DocHome Index Next |
iPlanet Trustbase Transaction Manager 3.0 Configuration and Installation |
Chapter 8 Backup
The objectives of this chapter are to cover:
What data needs backup?
Archiving for Raw Data and Init Table
What data needs backup?
The database tables employed by the iPlanet Trustbase Transaction Manager fall into two groups:
Those that are to all intents and purposes read-only (e.g. configuration information)
This next section describes the function and composition of the tables used, so that the database administrator may more accurately devise an archiving strategy.Those that are used to store large volumes of frequently written data (e.g. raw log)
What data is Read-Only?
The following tables are largely used for static read-only data. These tables are not expected to grow to large sizes, so archiving should not be required, and all data can be kept online. However these tables should be backed up initially after configuration and after any subsequent certificate or configuration changes for backup and disaster recovery purposes.
Identrus
OCSP_DATA
Other tables
IDENTRUS_DATA
- Identrus OCSP log
- Identrus Message log
AUTHORISATION
The initialisation files *.properties and proxi.ini that can be found in /opt/TTM/<machine-name>
Maps role names to service namesCERTIFICATEAUTHENTICATION
Maps certificate details to rolesCONFIG
Used to store configuration data for the system. Each system element has one row in this table, so the table will only grow when new system elements are added.ROLES
Stores information about roles
USERNAMEPASSWORDAUTH
- Role Description
Maps username / password combinations to roles
AUDIT_TEXT
- Audit logging configuration
DEFAULT_LOCALE
- Locale based audit messages
ERROR_CODES
- Locale Configuration
- Error Message text
When utilising an HSM such as nCipher, module keys. nCipher "Security World" allows module keys to be backed. Consult the KeySafe User Guide using the Administrator Card Set.
What Tables are used for frequently written data?
The following tables are written frequently and can be expected to grow rapidly. Therefore it will be necessary to archive data from these tables as storage limits are approached. These logs contain important information that mean it is imperative to avoid loss. A regular back-up process should be in force for the following tables:
Frequently Written Data
CERT_DATA
INIT_TABLE
All unique certificates from Identrus MessagingBILL_DATA
Billing Records for processed Identrus MessagingAUDITDATA
Stores audit log data
ERROR
- Message specific audit data
- ERROR_PARAMETERS
- Message specific error data
Stores error log data
RAW_DATA
- Additional error data, such as stack traces
Stores all the raw message data entering an leaving the system. This table is used for non-repudiation purposes, and is referenced by the INIT_TABLE described below. Due to this link, the archiving procedure for both these tables should follow that described above
Stores information relating to the integrity of the raw log tables.
OCSP_REQUESTS
- Store operational context information
OCSP_RESPONSES
- ITTM OCSP Responder request log
SMIME_TRANSPORT
- iTTM OCSP Responder response log
SMTP_CONNECTION
- SMIME transport details
SMTP_MESSAGE
- SMTP connection data from SMTP proxy
SSL_CONNECTION
- SMTP message details from SMTP proxy
Any other raw data and init tables for raw logs created with AddLoggerWizard
- SSL Connection details from SSL Proxy
Archiving for Raw Data and Init Table
For Identrus, the log init_table and raw_data table are inter linked. A raw_data record holds actual message data along with a time stamp that is digitally signed. An init_table record points to the beginning of a set of raw_data records. To archive raw_data, stop iTTM and archive the conetnt of the raw_data and init_table tables. User defined raw logs may be archived in the same way.
What happens when certificates expire?
It is possible to have two sets of certificates running simultaneously. When certificates are nearing their expiry date the following procedure needs to be adopted.
CA certificate expiry
New CA cert issued to same key
- Add the new CA certificate as a TrustedCertificateEntry using the TokenKeyTool
New CA cert issued to new CA key
Subject Certificate expiry
- All certificates issued by the expired certificate in a Trust Domain must be reissued with the CA certificate, and imported to the KeyEntry using TokenKeyTools importkeychain command.
New Certificate to be issued to same key
New cert to be issued to new key
- Use TokenKeyTool to generate a Certificate request for the KeyEntry associated with the expired certificate and import the resulting certificate to the KeyEntry.
- Generate new key (with same subject name as old key, if desired) using TokenKeyTool. Generate a Certificate request, and import the resulting certificate to the KeyEntry. More pertinent aliases from the old to the new KeyEntry using TokenKeyTool
How to do Disaster Recovery?
In the event of hardware or disk failure it will be necessary to perform a disaster recovery. By ensuring the following contents are intact through restoration from backup, a iPlanet Trustbase Transaction Manager can continue its operation.
nCipher Users only. nCipher "Security World" needs to be restored according to the KeySafe User Guide using the Administrator Card Set and the nCipher backup data.
Reinstall iPlanet Trustbase Transaction Manager, Application Server and database.
Reinstate *.properties and proxi.ini found in /opt/TTM/<machine-name>
Reinstate database from the backup of tables created under the user specified in the SQL script in your Installation Guide. If necessary consult your Database Administrator.
Note Refer to the installation worksheet for information about the setup of iPlanet Trustbase Transaction Manager's application server and database.
Previous Contents DocHome Index Next
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated November 21, 2001