Reconfiguring backup settings for the management subsystem (10.0.1.1-eus or greater)

You can use the apicup utility to add or reconfigure backup settings for the management subsystem, after completion of initial installation.

About this task

Warning: If you use the S3 backup protocol, changes to the backup settings result in a short period of database downtime.

After initial installation, use these steps to add or reconfigure the backup settings.
When you add or reconfigure backups after completion of the initial installation, the steps are the same as configuring during the initial installation, with the addition of using apicup to install (activate) the new settings immediately after adjusting the settings. During initial configuration, you typically wait to use apicup to activate settings until all other subsystem settings (unrelated to backup) are complete.
You can add or reconfigure scheduled backups, or generate manual (on-demand) backups.

Note: You must backup both the Management and Portal subsystems at the same time, to ensure synchronicity across the services.

Procedure

Use apicup to specify backup settings:

apicup subsys set <subsystem_name> <setting>=<value>

Table 1. Configuration settings for backup of management subsystem
Parameter	Description
`database-backup-protocol`	The type of the backup. Supported types: `objstore` `apicup subsys set mgmt database-backup-protocol=objstore` `sftp` `apicup subsys set mgmt database-backup-protocol=sftp` The default value is `sftp`. Note: Workaround for reconfiguring from S3 to SFTP on 10.0.1.2-eus, including ifixes When switching from S3 to SFTP, the `s3provider` field remains in the CR after switching the protocol, which can prevent the cluster from coming up. To workaround this issue, complete the following steps: ssh into a Management VM and log in as `root`. Edit the CR file: `kubectl edit mgmt -oyaml` Remove the `s3provider` field under `spec.databaseBackup` Ensure that `restartDB` is set to `true` `restartDB: accept: true` `local` - Local storage backups `apicup subsys set mgmt database-backup-protocol=local` Note: The public certificate on the S3 storage provider must be signed by a known certificate authority that is trusted by API Connect. Use of an untrusted authority can cause the following error during backup upload: `x509: certificate signed by unknown authority`.
`database-backup-auth-pass`	The password for the server specified in `database-backup-host`. If using object store, this would be the S3 Secret Access Key parameter. The password will be stored in Base64 encoded format. For example: `apicup subsys set mgmt database-backup-auth-pass '<password>'` Note that you cannot use the ``=`` sign to assign the password to `database-backup-auth-pass`.
`database-backup-auth-ssh-key`	Version 10.0.1.4-ifix1-eus or later: Optional. OpenSSH private key for DB backups using SFTP only. Changing this value will restart the DB. Important: Use `apicup certs` to set this value. Do not use `apicup subsys`. Only OpenSSH keys are supported.¹ `apicup certs set mgmt database-backup-auth-ssh-key <ssh private key filepath>`
`database-backup-auth-user`	The username for the server specified in `database-backup-host`. If using object store, this would be the S3 Secret Key ID. `apicup subsys set mgmt database-backup-auth-user <user_name>`
`database-backup-s3provider`	When using `objstore` type backup, specify the name of the S3 provider to use. Specify one of the supported values: `ibm` `aws` `custom` - This type is supported on Version 10.0.1.2-eus or later Not required for local backups or SFTP backups. `apicup subsys set mgmt database-backup-s3provider=ibm`
`database-backup-host`	The backups host: For `objstore` type backup, specify S3 endpoint with the corresponding S3 region in the format `<S3endpoint>/<S3region>` `apicup subsys set mgmt database-backup-host=s3.eu-gb.cloud-object-storage.appdomain.cloud/eu-standard` For `sftp` type, the SFTP server hostname `apicup subsys set mgmt database-backup-host=my.sftp.backup.domain.example.com` Not required for local storage backups
`database-backup-path`	The path to the location of the backup: For `objstore` backups, the name of your S3 bucket to store backup data. For example, `bucket-name/folder`. The use of subdirectories in the bucket name is not supported. `apicup subsys set mgmt database-backup-path=apic-backup` Note: When your deployment includes a management subsystem in two different clusters (with active databases), the two management subsystems cannot use the same s3 bucket name in the database backup configurations. Each management subsystem must use a unique s3 bucket name. Ensure that `bucket-name/folder` is empty. If the folder was previously used for backups, the folder will not be empty, and stanza create might encounter an error. Explanation: Once a folder is used, archive.info and backup.info files are created. During stanza creation, the process compares the database version and database system id between the two info files and the current Postgres database cluster. Stanza creation fails if there is a mismatch. To prevent this possibility, remove all files from the folder before configuring. For `sftp` type, the folder name on the SFTP server `apicup subsys set mgmt database-backup-path=<folder_name>` Not required for local storage backups
`database-backup-port`	The port for the protocol to connect to the `database-backup-host`. The backup port is not required for object storage. Default: 22 `apicup subsys set mgmt database-backup-port=<port_number>`
`database-backup-retries`	For `sftp` type backups, the number of times the `ibm-apiconnect` Operator attempts backups in the event of a failed SFTP backup. `apicup subsys set mgmt database-backup-retries=3` Default value: `0`. Not used for `objstore` or local storage backup.
`database-backup-schedule`	Cron like schedule for performing automatic backups. The format for the schedule is: * * * * * - - - - - \| \| \| \| \| \| \| \| \| +----- day of week (0 - 6) (Sunday=0) \| \| \| +------- month (1 - 12) \| \| +--------- day of month (1 - 31) \| +----------- hour (0 - 23) +------------- min (0 - 59) The backup schedule defaults to `0 0 * * `. This means a backup is run every day at midnight and minute zero. The timezone for backups is UTC. When you configure a host, if you do not specify a value for `database-backup-schedule`, the default backup schedule is automatically set. Note that the default backup schedule is not set, and scheduled backups not enabled, until host configuration is completed. `apicup subsys set mgmt database-backup-schedule="0 0 * *"`
`backup-certs`	Version 10.0.1.2-eus or later Optional. Backup certificates to use for TLS communication between API Connect and the backup server. Supported for custom s3 backups only. Use this setting when you have set `database-backup-s3provider=custom` For example: `apicup subsys set mgmt backup-certs=<certificate_name>`
`database-backup-s3-uri-style`	Version 10.0.1.2-eus or later Optional: Specifies whether the URI is in the form of `host` or `path`. Used only with custom s3providers. Use this setting when you have set `database-backup-s3provider=custom`. `apicup subsys set mgmt database-backup-s3-uri-style='<host\|path>'` Supported values: `host` `path`

Note: To view all subsystem settings for the management subsystem:

apicup subsys get <subsystem_name> --validate

Apply the settings:
```
apicup subsys install <subsystem_name>
```
Note: The apicup subsys install command automatically runs apicup health-check prior to installing the new configuration. An error is displayed if a problem is found that will prevent successful reconfiguration.
In some scenarios, after you fix the problem, the health check might continue to fail. In this case, you can use the --skip-health-check flag to suppress the automatic health check:
```
apicup subsys install <subsystem_name> --skip-health-check
```
Ensure that the changes were applied successfully:
```
apicup subsys health-check <subsystem_name>
```

¹ PuTTY style keys can be converted to OpenSSH by using the PuTTY Key Generator (PuTTYgen) application; see https://www.puttygen.com/.