Reconfiguring backup settings for the management subsystem (10.0.1.1-eus or greater)

You can use the apicup utility to add or reconfigure backup settings for the management subsystem, after completion of initial installation.

About this task

Warning: If you use the S3 backup protocol, changes to the backup settings result in a short period of database downtime.
  • After initial installation, use these steps to add or reconfigure the backup settings.
  • When you add or reconfigure backups after completion of the initial installation, the steps are the same as configuring during the initial installation, with the addition of using apicup to install (activate) the new settings immediately after adjusting the settings. During initial configuration, you typically wait to use apicup to activate settings until all other subsystem settings (unrelated to backup) are complete.
  • You can add or reconfigure scheduled backups, or generate manual (on-demand) backups.
Note: You must backup both the Management and Portal subsystems at the same time, to ensure synchronicity across the services.

Procedure

  1. Use apicup to specify backup settings:
    apicup subsys set <subsystem_name> <setting>=<value>
    Table 1. Configuration settings for backup of management subsystem
    Parameter Description
    database-backup-protocol The type of the backup. Supported types:
    • objstore
      apicup subsys set mgmt database-backup-protocol=objstore
    • sftp
      apicup subsys set mgmt database-backup-protocol=sftp

      The default value is sftp.

      Note: Workaround for reconfiguring from S3 to SFTP on 10.0.1.2-eus, including ifixes

      When switching from S3 to SFTP, the s3provider field remains in the CR after switching the protocol, which can prevent the cluster from coming up. To workaround this issue, complete the following steps:

      1. ssh into a Management VM and log in as root.
      2. Edit the CR file:
        kubectl edit mgmt -oyaml
      3. Remove the s3provider field under spec.databaseBackup
      4. Ensure that restartDB is set to true
              restartDB:
                accept: true
        
    • local - Local storage backups
      apicup subsys set mgmt database-backup-protocol=local
    Note:
    • The public certificate on the S3 storage provider must be signed by a known certificate authority that is trusted by API Connect. Use of an untrusted authority can cause the following error during backup upload: x509: certificate signed by unknown authority.
    database-backup-auth-pass The password for the server specified in database-backup-host. If using object store, this would be the S3 Secret Access Key parameter. The password will be stored in Base64 encoded format.

    For example:

    apicup subsys set mgmt database-backup-auth-pass '<password>'
    

    Note that you cannot use the `=` sign to assign the password to database-backup-auth-pass.

    database-backup-auth-ssh-key Version 10.0.1.4-ifix1-eus or later: Optional. OpenSSH private key for DB backups using SFTP only. Changing this value will restart the DB.
    Important:
    • Use apicup certs to set this value. Do not use apicup subsys.
    • Only OpenSSH keys are supported.1
    apicup certs set mgmt database-backup-auth-ssh-key <ssh private key filepath>
    database-backup-auth-user The username for the server specified in database-backup-host. If using object store, this would be the S3 Secret Key ID.
    apicup subsys set mgmt database-backup-auth-user <user_name>
    
    database-backup-s3provider When using objstore type backup, specify the name of the S3 provider to use. Specify one of the supported values:
    • ibm
    • aws
    • custom - This type is supported on Version 10.0.1.2-eus or later
    Not required for local backups or SFTP backups.
    apicup subsys set mgmt database-backup-s3provider=ibm
    database-backup-host The backups host:
    • For objstore type backup, specify S3 endpoint with the corresponding S3 region in the format <S3endpoint>/<S3region>
      apicup subsys set mgmt database-backup-host=s3.eu-gb.cloud-object-storage.appdomain.cloud/eu-standard
    • For sftp type, the SFTP server hostname
      apicup subsys set mgmt database-backup-host=my.sftp.backup.domain.example.com
    • Not required for local storage backups
    database-backup-path The path to the location of the backup:
    • For objstore backups, the name of your S3 bucket to store backup data. For example, bucket-name/folder. The use of subdirectories in the bucket name is not supported.
      apicup subsys set mgmt database-backup-path=apic-backup
      Note: When your deployment includes a management subsystem in two different clusters (with active databases), the two management subsystems cannot use the same s3 bucket name in the database backup configurations. Each management subsystem must use a unique s3 bucket name.

      Ensure that bucket-name/folder is empty. If the folder was previously used for backups, the folder will not be empty, and stanza create might encounter an error.

      • Explanation: Once a folder is used, archive.info and backup.info files are created. During stanza creation, the process compares the database version and database system id between the two info files and the current Postgres database cluster. Stanza creation fails if there is a mismatch. To prevent this possibility, remove all files from the folder before configuring.
    • For sftp type, the folder name on the SFTP server
      apicup subsys set mgmt database-backup-path=<folder_name>
    • Not required for local storage backups
    database-backup-port The port for the protocol to connect to the database-backup-host. The backup port is not required for object storage. Default: 22
    apicup subsys set mgmt database-backup-port=<port_number>
    database-backup-retries For sftp type backups, the number of times the ibm-apiconnect Operator attempts backups in the event of a failed SFTP backup.
    apicup subsys set mgmt database-backup-retries=3

    Default value: 0.

    Not used for objstore or local storage backup.

    database-backup-schedule Cron like schedule for performing automatic backups. The format for the schedule is:
    • * * * * *
    • - - - - -
    • | | | | |
    • | | | | +----- day of week (0 - 6) (Sunday=0)
    • | | | +------- month (1 - 12)
    • | | +--------- day of month (1 - 31)
    • | +----------- hour (0 - 23)
    • +------------- min (0 - 59)

    The backup schedule defaults to 0 0 * * *. This means a backup is run every day at midnight and minute zero.

    The timezone for backups is UTC.

    When you configure a host, if you do not specify a value for database-backup-schedule, the default backup schedule is automatically set. Note that the default backup schedule is not set, and scheduled backups not enabled, until host configuration is completed.

    apicup subsys set mgmt database-backup-schedule="0 0 * * *"
    backup-certs

    Version 10.0.1.2-eus or later

    Optional. Backup certificates to use for TLS communication between API Connect and the backup server.

    Supported for custom s3 backups only. Use this setting when you have set database-backup-s3provider=custom

    For example:

    apicup subsys set mgmt backup-certs=<certificate_name>
    database-backup-s3-uri-style

    Version 10.0.1.2-eus or later

    Optional: Specifies whether the URI is in the form of host or path.

    Used only with custom s3providers. Use this setting when you have set database-backup-s3provider=custom.

    apicup subsys set mgmt database-backup-s3-uri-style='<host|path>'

    Supported values:

    • host
    • path
    Note: To view all subsystem settings for the management subsystem:
    apicup subsys get <subsystem_name> --validate
  2. Apply the settings:
    apicup subsys install <subsystem_name>
    Note: The apicup subsys install command automatically runs apicup health-check prior to installing the new configuration. An error is displayed if a problem is found that will prevent successful reconfiguration.

    In some scenarios, after you fix the problem, the health check might continue to fail. In this case, you can use the --skip-health-check flag to suppress the automatic health check:

    apicup subsys install <subsystem_name> --skip-health-check
  3. Ensure that the changes were applied successfully:
    apicup subsys health-check <subsystem_name>
1 PuTTY style keys can be converted to OpenSSH by using the PuTTY Key Generator (PuTTYgen) application; see https://www.puttygen.com/.