Backing up IBM Business Automation Workflow on containers

Edit online
Backing up Business Automation Workflow on containers is essential to ensure rapid recovery of critical data, services, and configurations in the event of a disaster or system failure. The following guidelines are for backing up Business Automation Workflow components that are deployed on a container platform.

Before you begin

  • This content applies to Business Automation Workflow components only. For foundational services (Example - IAM, cert-manager), see IBM Cloud Pak® foundational services External link opens a new window or tab.
  • Replace all instances of bawdeploy with the actual metadata.name from your Business Automation Workflow custom resource (CR).
  • Ensure that the environment is in a quiesced state (all relevant pods and database activity stopped).
  • Optionally, export Business Automation Studio data before shutdown.
  • If upgrading, note down secrets such as platform-oidc-credentials.

Procedure

  1. Scale down all workloads.
    Use the following commands to scale down all deployments and stateful sets:
    
kubectl scale deploy ibm-cp4a-operator --replicas=0 -n your-namespace
kubectl scale deploy ibm-pfs-operator --replicas=0 -n your-namespace
kubectl scale deploy ibm-content-operator --replicas=0 -n your-namespace

for i in $(kubectl get deploy -n your-namespace -o name | grep bawdeploy); do
  kubectl scale $i --replicas=0 -n your-namespace
done

for i in $(kubectl get sts -n your-namespace -o name | grep bawdeploy); do
  kubectl scale $i --replicas=0 -n your-namespace
done
  2. Export the Business Automation Workflow custom resource (CR).
    Export and securely store the final YAML of the Business Automation Workflow CR or take the backup of the latest CR applied.
    kubectl get icp4acluster bawdeploy -n your-namespace -o yaml | \
  yq eval 'del(.metadata.uid, .metadata.resourceVersion, 
.metadata.creationTimestamp, 
.metadata.annotations."kubectl.kubernetes.io/last-applied-configuration", 
.metadata.generation, .status)' - > clean-icp4a.yaml
  3. Back up the security definitions in the following table. For more information, see Creating secrets to protect sensitive configuration data External link opens a new window or tab.
    Table 1. Secrets to back up
    Secrets Category Secret Name Description
    Business Automation Workflow core secrets bawdeploy-cpe-oidc-secret

    admin-user-details    		 Used for core deployment and admin credentials
    Image pull secrets ibm-entitlement-key Not required in air-gapped environments
    LDAP secrets ldap-bind-secret For LDAP binding
    LDAP SSL certificate secret ldap-ssl-cert This is required if SSL is enabled for LDAP. Back up the certificate file.
    Database SSL secrets ibm-dba-db2-cacert (for Db2®)

    ibm-cp4ba-db-ssl-secret-for-<dbServerAlias>    		 This is required if SSL is enabled for databases. Back up the certificate file. For examples of secret names, see Preparing the databases External link opens a new window or tab.
    Encryption key ibm-iaws-shared-key-secret Shared encryption key
    Workflow and Federation ibm-baw-wfs-server-db-secret

    ibm-pfs-admin-secret    		 For Business Automation Workflow and Process Federation Server
    Application Engine ibm-aae-app-engine-secret

    bawdeploy-workspace-aae-app-engine-admin-secret    		 Application Engine secrets
    Navigator and content manager ibm-ban-secret

    ibm-fncm-secret    		 For IBM Business Automation Navigator and Content Cortex
    Business Automation Studio ibm-bas-admin-secret Admin secret for Business Automation Studio
    The following example script can back up secrets across all namespaces, excluding default tokens, kube-system. You can customize the script to back up only the critical secrets required.
    #!/bin/bash
backup_dir="k8s-backup-secret-$(date +%F_%H-%M-%S)"
mkdir -p "$backup_dir"
 
clean_yaml() {
  yq eval 'del(.metadata.uid, .metadata.resourceVersion, .metadata.selfLink, .metadata.creationTimestamp, .metadata.generation, .metadata.managedFields, .metadata.annotations, .metadata.ownerReferences, .status)' -
}
 
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
  mkdir -p "$backup_dir/$ns"
  for secret in $(kubectl get secrets -n "$ns" --no-headers=true 2>/dev/null | awk '{print $1}'); do
    [[ "$secret" == *"default-token"* ]] && continue
    echo "---" >> "$backup_dir/$ns/secrets.yaml"
    kubectl get secret "$secret" -n "$ns" -o yaml | clean_yaml >> "$backup_dir/$ns/secrets.yaml"
  done
done
  4. Back up ConfigMaps.
    Use the provided script to back up all ConfigMaps across namespaces. Clean metadata by using yq.
    #!/bin/bash
backup_dir="k8s-backup-configmap-$(date +%F_%H-%M-%S)"
mkdir -p "$backup_dir"

clean_yaml() {
  yq eval 'del(.metadata.uid, .metadata.resourceVersion, .metadata.selfLink, .metadata.creationTimestamp, .metadata.generation, .metadata.managedFields, .metadata.annotations, .metadata.ownerReferences, .status)' -
}

for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
  mkdir -p "$backup_dir/$ns"
  for cm in $(kubectl get configmaps -n "$ns" --no-headers=true 2>/dev/null | awk '{print $1}'); do
    echo "---" >> "$backup_dir/$ns/configmaps.yaml"
    kubectl get configmap "$cm" -n "$ns" -o yaml | clean_yaml >> "$backup_dir/$ns/configmaps.yaml"
  done
done
  5. If your platform is not Red Hat® OpenShift®, back up all ingress and network policies by using the provided script. This is essential for maintaining pod communication. Choose the script that matches your networking configuration:
    • Use this script if your cluster uses standard ingress and network policies.
      #!/bin/bash
backup_dir="k8s-backup-network-$(date +%F_%H-%M-%S)"
mkdir -p "$backup_dir"

clean_yaml() {
  yq eval 'del(.metadata.uid, .metadata.resourceVersion, .metadata.selfLink, .metadata.creationTimestamp, .metadata.generation, .metadata.managedFields, .metadata.finalizers, .metadata.ownerReferences, .status)' -
}
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
  mkdir -p "$backup_dir/$ns"
  for kind in ingress networkpolicy; do
    for res in $(kubectl get $kind -n "$ns" --no-headers=true 2>/dev/null | awk '{print $1}'); do
      echo "---" >> "$backup_dir/$ns/${kind}.yaml"
      kubectl get $kind "$res" -n "$ns" -o yaml | clean_yaml >> "$backup_dir/$ns/${kind}.yaml"
    done
  done
done
    • Use this script if your cluster uses Kubernetes Gateway API resources.
      Note: For AKS deployments, replace the two networking.gke.io resource types with the equivalent Application Gateway for Containers policy CRDs (alb.networking.azure.io).
      #!/bin/bash
backup_dir="k8s-backup-gatewayapi-$(date +%F_%H-%M-%S)"
mkdir -p "$backup_dir"

clean_yaml() {
  yq eval 'del(.metadata.uid, .metadata.resourceVersion, .metadata.selfLink, .metadata.creationTimestamp, .metadata.generation, .metadata.managedFields, .metadata.finalizers, .metadata.ownerReferences, .status)' -
}

# Core Gateway API + cert-manager + GKE-specific policy resources.
# For AKS, replace the two networking.gke.io kinds with the equivalent
# Application Gateway for Containers policy CRDs (alb.networking.azure.io).
kinds=(
  gateways.gateway.networking.k8s.io
  httproutes.gateway.networking.k8s.io
  referencegrants.gateway.networking.k8s.io
  certificates.cert-manager.io
  healthcheckpolicies.networking.gke.io
  gcpbackendpolicies.networking.gke.io
)

for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
  mkdir -p "$backup_dir/$ns"
  for kind in "${kinds[@]}"; do
    for res in $(kubectl get "$kind" -n "$ns" --no-headers=true 2>/dev/null | awk '{print $1}'); do
      echo "---" >> "$backup_dir/$ns/${kind}.yaml"
      kubectl get "$kind" "$res" -n "$ns" -o yaml | clean_yaml >> "$backup_dir/$ns/${kind}.yaml"
    done
  done
done
  6. Back up persistent volume claim (PVC) definitions.
    Use the script to back up PVC definitions. 
    #!/bin/sh  
NS=your-namespace
pvcbackup() {
    kubectl get pvc -n $NS --no-headers=true | while read each
    do
        pvc=`echo $each | awk '{ print $1 }'`

        if [[ "$pvc" == ibm-bts-cnpg*  ]] ; then
          # skip BTS PVCs
          continue 
        fi

        echo "---" >> pvc.yaml
        kubectl get pvc $pvc -n $NS -o yaml \
            | yq eval 'del(.status, .metadata.finalizers, .metadata.resourceVersion, .metadata.uid, .metadata.annotations, .metadata.creationTimestamp, .metadata.selfLink, .metadata.managedFields, .metadata.ownerReferences, .spec.volumeMode, .spec.volumeName)' -  >> pvc.yaml
    
    done
} 
pvcbackup
    The following table lists PVC definitions that must be backed up and restored (see the "Back up or replication required" column), along with others that can be optionally backed up.
    Table 2. PVC Definitions
    Component Persistent volume claim name Description Back up or replication required

    IBM Business Automation Navigator

    		 icn-asperastore Business Automation Navigator storage for Aspera®. No
    icn-cfgstore Liberty configuration for Business Automation Navigator. Yes
    icn-logstore Liberty and Business Automation Navigator logs. Shared by multiple IBM Content Navigator pods. No
    icn-pluginstore Storage for custom plug-ins. No
    icn-vw-cachestore Cache storage for the Daeja® ViewONE cache. No
    icn-vw-logstore Viewer logs for the Daeja ViewONE. No
    Do not back up PVCs such as:
    • data-iaf-system-elasticsearch-es-data-0
    • iaf-system-elasticsearch-es-snap-main-pvc
    • ibm-bts-cnpg-*
    • user-home-pvc
    For more information on other PVCs based on your capabilities, see Persistent volume claims to be backed up External link opens a new window or tab.
  7. Back up PVC content (Network File System (NFS) or local storage).
    If your environment relies on dynamic provisioning, it is crucial to make sure that all data stored in your Persistent Volumes (PVs) is properly backed up. This step is vital for accurately restoring your environment. During the restoration process, the backed-up data is used to repopulate the corresponding PVs and to re-create the associated Persistent Volume Claims (PVCs).
    Note: Folder names for dynamically provisioned PVs are not static. For example, a folder name might be named: bawent-cmis-cfgstore-pvc-ctnrs-pvc-e5241e0c-3811-4c0d-8d0f-cb66dd67f672. These names vary with each deployment. For a successful restore, maintain a clear mapping between PVC names and their corresponding folder paths.

    Use the script to back up content of your dynamically provisioned PVs. 

    #!/bin/bash
NS=your-namespace
SRC_PV=<my-storage-class-path>
DEST_BACKUP=backups-pvc-content

mkdir -p "$DEST_BACKUP"

kubectl get pvc -n $NS --no-headers=true | while read line; do
  pvc=$(echo $line | awk '{print $1}')
  pv=$(echo $line | awk '{print $3}')
  [[ "$pvc" == ibm-bts-cnpg* ]] && continue
  src="$SRC_PV/$NS-$pvc-$pv"
  dst="$DEST_BACKUP/$pvc"
  if [ -d "$src" ]; then
    echo "Backing up $pvc from $src to $dst"
    mkdir -p "$dst"
    cp -r "$src/." "$dst/"
  else
    echo "Missing source for PVC: $pvc"
  fi
done
  8. Make copies of the following files:
    • JDBC drivers
    • Customized runtime files (example - fonts)
    • Persistent storage and database configuration files
    For more information, see the following links:
  9. Back up your databases regularly to ensure disaster recovery readiness. For PostgreSQL or Oracle, see:
    For Db2 deployment, ensure that you perform either an offline or online backup of all relevant databases. This typically includes databases such as GCDDB, BAWTOS, BAWDB, ICNDB, BAWDOCS, BAWDOS, and any others specific to your runtime or authoring environment.
    Note: The actual database names may differ from those listed above. Please refer to your .properties files or query the database server to identify the correct database names for your environment.
    1. For online backup:
      1. Run the following Db2 archival commands for each database.
        mkdir  -p   /home/db2inst1/archive/TOSDB 
db2 update db cfg for TOSDB using LOGINDEXBUILD  on 
db2 update db cfg for TOSDB using LOGARCHMETH1   disk:/home/db2inst1/archive/TOSDB   
 
mkdir  -p   /home/db2inst1/archive/GCDDB 
db2 update db cfg for GCDDB using LOGINDEXBUILD  on 
db2 update db cfg for GCDDB using LOGARCHMETH1   disk:/home/db2inst1/archive/GCDDB   
 
mkdir  -p   /home/db2inst1/archive/AAEDB 
db2 update db cfg for AAEDB using LOGINDEXBUILD  on 
db2 update db cfg for AAEDB using LOGARCHMETH1   disk:/home/db2inst1/archive/AAEDB   
 
mkdir  -p   /home/db2inst1/archive/ICNDB 
db2 update db cfg for ICNDB using LOGINDEXBUILD  on 
db2 update db cfg for ICNDB using LOGARCHMETH1   disk:/home/db2inst1/archive/ICNDB   
 
mkdir  -p   /home/db2inst1/archive/BAWDB 
db2 update db cfg for BAWDB using LOGINDEXBUILD  on 
db2 update db cfg for BAWDB using LOGARCHMETH1   disk:/home/db2inst1/archive/BAWDB   
 
mkdir  -p   /home/db2inst1/archive/DOCSDB 
db2 update db cfg for DOCSDB using LOGINDEXBUILD  on 
db2 update db cfg for DOCSDB using LOGARCHMETH1   disk:/home/db2inst1/archive/DOCSDB   
 
mkdir  -p   /home/db2inst1/archive/DOSDB 
db2 update db cfg for DOSDB using LOGINDEXBUILD  on 
db2 update db cfg for DOSDB using LOGARCHMETH1   disk:/home/db2inst1/archive/DOSDB 

mkdir  -p   /home/db2inst1/archive/BASDB 
db2 update db cfg for BASDB using LOGINDEXBUILD  on 
db2 update db cfg for BASDB using LOGARCHMETH1   disk:/home/db2inst1/archive/BASDB 

mkdir  -p   /home/db2inst1/archive/APPDB 
db2 update db cfg for APPDB using LOGINDEXBUILD  on 
db2 update db cfg for APPDB using LOGARCHMETH1   disk:/home/db2inst1/archive/APPDB 

mkdir  -p   /home/db2inst1/archive/ADPBASE 
db2 update db cfg for ADPBASE using LOGINDEXBUILD  on 
db2 update db cfg for ADPBASE using LOGARCHMETH1   disk:/home/db2inst1/archive/ADPBASE 

mkdir  -p   /home/db2inst1/archive/PROJ1 
db2 update db cfg for PROJ1 using LOGINDEXBUILD  on 
db2 update db cfg for PROJ1 using LOGARCHMETH1   disk:/home/db2inst1/archive/PROJ1

mkdir  -p   /home/db2inst1/archive/DEVOS1 
db2 update db cfg for DEVOS1 using LOGINDEXBUILD  on 
db2 update db cfg for DEVOS1 using LOGARCHMETH1   disk:/home/db2inst1/archive/DEVOS1

mkdir  -p   /home/db2inst1/archive/AEOS 
db2 update db cfg for AEOS using LOGINDEXBUILD  on 
db2 update db cfg for AEOS using LOGARCHMETH1   disk:/home/db2inst1/archive/AEOS
      2. Run the following Db2 backup commands for each database.
        mkdir -p /home/db2inst1/backup/2500/offline
db2 backup db TOSDB online to /home/db2inst1/backup/2500/offline 
db2 backup db GCDDB online to /home/db2inst1/backup/2500/offline 
db2 backup db AAEDB online to /home/db2inst1/backup/2500/offline 
db2 backup db ICNDB online to /home/db2inst1/backup/2500/offline 
db2 backup db BAWDB online to /home/db2inst1/backup/2500/offline 
db2 backup db DOCSDB online to /home/db2inst1/backup/2500/offline 
db2 backup db DOSDB online to /home/db2inst1/backup/2500/offline 
db2 backup db BASDB online to /home/db2inst1/backup/2500/offline 
db2 backup db APPDB online to /home/db2inst1/backup/2500/offline 
db2 backup db ADPBASE online to /home/db2inst1/backup/2500/offline 
db2 backup db PROJ1 online to /home/db2inst1/backup/2500/offline 
db2 backup db DEVOS1 online to /home/db2inst1/backup/2500/offline 
db2 backup db AEOS online to /home/db2inst1/backup/2500/offline
    2. Terminate your database connections to prevent errors during the backup.
      db2 force applications all
    3. For offline backup, run the following command: 
      db2 backup db TOSDB to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db GCDDB to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db AAEDB to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db ICNDB to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db BAWDB to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db DOCSDB to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db DOSDB to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db BASDB to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db APPDB to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db ADPBASE to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db PROJ1 to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db DEVOS1 to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
db2 backup db AEOS to /home/db2inst1/backup/2500/offline WITH 2 BUFFERS BUFFER 1024
  10. Back up indexed data, saved searches, and reusable queries.
    For each Business Automation Workflow instance that is either federated or has full-text search that is enabled, you must back up the following components:
    • Indexed data of the BPD runtime
    • Saved search definitions
    • Reusable queries
      Note: Backing up case instance indexes is not supported. Instead, rebuild case indexes as described in Rebuilding a case index.
    1. Backing up indexed data.

      If you are using a containerized environment with full-text search enabled, or a traditional WebSphere® Application Server environment where Business Automation Workflow indexes BPD tasks and process instances into the Federated Data Repository (FDR):

      If Process Federation Server is configured to federate an on-premises Business Automation Workflow instance on WebSphere Application Server, and indexing is enabled by using <ibmPfs_bpdIndexer>:
    2. Backing up saved searches and reusable queries

      For all Business Automation Workflow instances that are federated or have full-text search that is enabled:

      • Regularly back up saved search definitions and reusable queries.
      • Restore them in the backup environment.

      The Process Federation Server API is available on both standalone and embedded instances. Embedded APIs are exposed on each containerized Business Automation Workflow instance.

      To perform these backups:

  11. When using IBM Business Automation Insights, it’s important to backup your data because it is stored in two separate locations:
  12. Optional: If necessary, back up the LDAP files. Different types of LDAP servers have different backup methods. Make sure that the restored data in the LDAP database is the same as the source LDAP. For IBM Security Directory Server see IBM Security® Directory Server backup and restore External link opens a new window or tab.
  13. To back up business teams service (BTS), see Backing up and restoring External link opens a new window or tab.
  14. Complete the backup procedures for the following components that you configured in your environment.

What to do next

When the backup is complete, scale up your environment pods by running the following commands


for i in $(kubectl get deploy -n your-namespace -o name | grep bawdeploy); do
  kubectl scale $i --replicas=1 -n your-namespace
done

for i in $(kubectl get sts -n your-namespace -o name | grep bawdeploy); do
  kubectl scale $i --replicas=1 -n your-namespace
done

kubectl scale deploy ibm-cp4a-operator --replicas=1 -n your-namespace
kubectl scale deploy ibm-pfs-operator --replicas=1 -n your-namespace
kubectl scale deploy ibm-content-operator --replicas=1 -n your-namespace
Note:
  • Different capabilities within Cloud Pak for Business Automation use different persistent volume claims. Make sure to identify and back up all relevant PVCs according to the specific components you are using. For more information, see Persistent volume claims to be backed up External link opens a new window or tab.