Differences

tutorial:adm:backups [2019/04/29 08:41]
fiserp [Repository backups]
tutorial:adm:backups [2020/03/20 10:13] (current)
fiserp [Restoring IdM application]
Line 15: Line 15:
 For instructions about keypair initialization,​ backup creation and recovery and also for the actual command to carry out these actions, please refer to the script itself. For instructions about keypair initialization,​ backup creation and recovery and also for the actual command to carry out these actions, please refer to the script itself.
  
-When you obtain the repository backup, you can restore the repository:+When you obtain the repository backup, ​**you can restore the repository**:
   - Stop the identity manager container.   - Stop the identity manager container.
   - Backup current repository somewhere else - in case you need to check some data later.   - Backup current repository somewhere else - in case you need to check some data later.
Line 53: Line 53:
 #do the dump #do the dump
 # say we run the actual backup and create dump1.dmp, dump2.dmp and dump3.dmp here # say we run the actual backup and create dump1.dmp, dump2.dmp and dump3.dmp here
 +# STRONGLY ADVISED TO GZIP YOUR BACKUPS, SCRIPT DOES NOT DO THAT FOR YOU !!!
 +
  
 #pack the dump #pack the dump
 #tar usage "tar [parameters] archive_name file1 [file2 file3 ...]" #tar usage "tar [parameters] archive_name file1 [file2 file3 ...]"
-tar --remove-files -czf current_backup.tgz dump1.dmp dump2.dmp dump3.dmp+tar --remove-files -cf current_backup.tar PUT-YOUR-FILES-HERE 
 +chmod 600 current_backup.tar
 </​code>​ </​code>​
 And change them to (expected name of the czechidm database is ''​czechidm''​):​ And change them to (expected name of the czechidm database is ''​czechidm''​):​
 <code bash> <code bash>
 #do the dump #do the dump
-pg_dump --create --dbname=czechidm > czechidm.sql+pg_dump --create ​-Z 9 --dbname=czechidm > czechidm.sql.gz
  
 #pack the dump #pack the dump
 #tar usage "tar [parameters] archive_name file1 [file2 file3 ...]" #tar usage "tar [parameters] archive_name file1 [file2 file3 ...]"
-tar --remove-files -czf current_backup.tgz czechidm.sql+tar --remove-files -czf current_backup.tgz czechidm.sql.gz
 </​code>​ </​code>​
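Review bot: in the template, `tar --remove-files -cf current_backup.tar PUT-YOUR-FILES-HERE` followed by `chmod 600 current_backup.tar` leaves a window in which the archive already exists with the default umask permissions (usually world-readable) before the chmod runs; set `umask 077` at the top of the script so every dump file and archive is created owner-only from the start, and the chmod becomes a second safeguard rather than the only one. The czechidm example below it has no chmod at all, so it should get the same treatment. Also, `pg_dump --create -Z 9 --dbname=czechidm > czechidm.sql.gz` already writes a gzip stream, so packing it with `tar --remove-files -czf current_backup.tgz czechidm.sql.gz` compresses it a second time for no gain; either use `-cf` there or drop `-Z 9` and keep `-czf`, and whichever you choose, the restore instructions later on this page should name the matching file format.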
  
Line 135: Line 138:
  
 In some cases, CzechIdM is not deployed with frontend and backend bundled together in the ''​idm.war''​. When backing up such environment,​ the backend should be backed up the way as was just described. The frontend, which may be deployed somewhere else, should be backed up in a similar way using the same script. For example, when running frontend application from separate Apache HTTPD, you should deploy another backup script which backs up ''/​var/​www/​html/​\*''​ directory instead of ''/​opt/​tomcat/​current/​webapps/​\*''​. In some cases, CzechIdM is not deployed with frontend and backend bundled together in the ''​idm.war''​. When backing up such environment,​ the backend should be backed up the way as was just described. The frontend, which may be deployed somewhere else, should be backed up in a similar way using the same script. For example, when running frontend application from separate Apache HTTPD, you should deploy another backup script which backs up ''/​var/​www/​html/​\*''​ directory instead of ''/​opt/​tomcat/​current/​webapps/​\*''​.
 +
 +===== Restoring IdM application =====
 +<​note>​
 +This is a basic DR howto for restoring the identity manager in case you lose it. It does not deal with other disaster scenarios.
 +
 +If you backup your environment in some other way, virtual machine snapshots for example, use your DR procedures.
 +</​note>​
 +
 +When the application is lost - due to HW or virtualization failure, human error or due to security compromise, you can restore it using backups and documentation. In this case, we show how to restore everything on the clean operating system installation.
 +  - Install the operating system.
 +  - Configure the OS according to your internal standards.
 +  - Configure the OS according to [[https://​wiki.czechidm.com/​doku.php?​id=start&​do=search&​q=server+preparation|Server Preparation howto]]. Snapshot of this howto should be already part of your documentation - this is important because the wiki content evolves in time.
 +  - Deploy and configure the CzechIdM according to [[https://​wiki.czechidm.com/​doku.php?​id=start&​do=search&​q=idm+installation|IdM installation howto]]. Snapshot of this howto should be already part of your documentation - this is important because the wiki content evolves in time.
 +    - When creating a database user and CzechIdM database in the PostgreSQL, use credentials you already used before the failure. Restore the database from backup, for example ''​psql ... < idm-database-backup.sql''​.
 +    - **Do not** create brand new configuration in ''/​opt/​czechidm''​. Restore it from your backup.
 +    - **Do not** download new ''​idm.war'',​ restore it from your backup.
 +  - Disable all new outgoing connections from the IdM machine **except for communication between your station and IdM server**.
 +    - This way, the IdM will not start to communicate with end systems until you check its data is consistent.
 +    - But you will still be able to access the web UI.
 +  - Start the Tomcat container and wait for the identity manager to deploy.
 +  - Log into the application as an administrator (use locally-authenticated account - any account that was granted ''​superAdminRole''​ role).
 +  - Disable LRTs, kill all those that are running.
 +  - Check data in the application:​ logs, audit trails, data on users and roles, event and provisioning queues. Diagnose and resolve any weirdness (especially in queues).
 +  - Allow outgoing connections from the IdM machine.
 +  - Test connections to all end systems, reprovision some users to end systems. Check event and provisioning queues for any errors and resolve them if needed.
 +  - Test your general use-cases / UAT tests to make sure the application works as intended.
 +  - Schedule LRTs.
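Review bot: the restore example `psql ... < idm-database-backup.sql` in the database sub-step under "Deploy and configure the CzechIdM" does not match the backup this page now produces, which is `pg_dump --create -Z 9` output named `czechidm.sql.gz`; it has to be decompressed on the way in (`gunzip -c czechidm.sql.gz | psql ...`), and because the dump begins with `CREATE DATABASE czechidm`, psql should connect to a maintenance database such as `postgres` rather than to a pre-created `czechidm`, otherwise the `CREATE DATABASE` in the dump errors. Only the database user needs creating in advance, since roles are not included in a `pg_dump`; say so, because the sub-step currently tells the reader to create both the user and the database. The step "Disable all new outgoing connections from the IdM machine" will also stop Tomcat from reaching PostgreSQL when the database runs on a separate host, so state explicitly that the database connection must remain allowed. Finally, the intro lists security compromise as a trigger for this procedure, yet the same sub-step instructs reuse of the pre-failure credentials and nothing says which backup to pick; add a sentence that in the compromise case the database and application credentials are rotated and a backup taken before the incident is used.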