System Backup

Use the System Backup function to define a backup operation that can be run on demand or on a scheduled basis.


Use system backups to back up and store all of the data and configuration values needed to restore a server if something happens to your system.

Configuration information and data are written to separate encrypted files and sent to the specified destination, using the transfer method that you configured for backups on this appliance.
Note: To restore backed-up system information, use the restore system CLI command. The diag CLI command can also be used, provided the user has the diag role.

System backup supports the following methods:

  • SCP: Defined by default and accessible via the CLI and the GUI.
  • FTP: Defined by default and accessible via the CLI and the GUI.
  • Centera: Add to the GUI by logging in to the CLI and running the following command: store storage-system centera backup on.
  • TSM: Add to the GUI by logging in to the CLI and running the following command: store storage-system tsm backup on.
  • AMAZON S3: Enabled by default and accessible via the GUI; it is accessible from the CLI once a destination has been defined in the GUI.
  • SoftLayer: SoftLayer Object Storage cloud backup.
  • Cleversafe: Stores backups in the same way as Amazon S3. The GUI lists the available buckets for you; the first name listed is the bucket that was saved to the database.
    Note: You cannot create new buckets or delete buckets from the Guardium UI or CLI.
Note: A system restore must be done on the same patch level as the system backup. For example, if you backed up the appliance when it was on Version 10.0, Patch 7, and you want to restore this backup onto a newly built appliance, first install Version 10.0, Patches 1-7 on the new appliance, and then restore the file.

To back up system information:

  1. Click Manage > Data Management > System Backup to open System Backup.
  2. Select a storage method. Depending on how the Guardium system is configured, only some of the buttons are available. For more information about configuring the archive and backup storage methods, see the show storage-system and store storage-system commands in Configuration and Control CLI Commands.
    • AMAZON S3
    • Cleversafe
    • EMC CENTERA
    • FTP
    • SCP
    • SoftLayer
    • TSM
  3. Enter the requested configuration information for the selected storage method protocol.
  4. Select one or both of the Backup check boxes:
    • Select Configuration to back up all definitions.
    • Select Data to back up all data. (Not needed if you are archiving data regularly.)
  5. Use the Scheduling section to define a schedule for running this operation regularly.
  6. Click Save to verify and save the configuration changes. The system attempts to verify the configuration by sending a test data file to that location.
    • If the operation fails, an error message displays and the configuration is not saved.
    • If the operation succeeds, the configuration is saved.
  7. Click Run Once Now to run the operation once.
Note: If a backup file transfer fails, the last file in each set of backup/archive files (system backup, configuration backup, archive, CSV archive) is saved in the diag/current folder. When the backup destination is online again, transfer the files from diag/current to the destination manually. Files are saved in diag/current only when a transfer fails; if a later transfer also fails, that set of files is saved there too. To avoid running out of disk space, only the latest file of each type is kept, and earlier backup files are overwritten.
Note: When you back up a system on which GIM is defined and restore it onto another server, you must configure a GIM failover to the restore server. This GIM configuration applies both to a Backup Central Manager and to a system backup and restore.

SCP and FTP files via different ports

Change the ports used to send files over SCP and FTP.

For System Backup: set the protocol (SCP or FTP) and specify Host, Directory and Port. The default port for SSH/SCP/SFTP is 22; the default port for FTP is 21.

Prevent backup/archive scripts from filling up /var

The backup process checks for free space in /var before it runs and fails, with a warning to the user, if there is insufficient space for the backup.

The archive process checks the size of the static tables and makes sure there is room in /var to create the archive.

An error is logged in the log file and in the GUI if /var is more than 50% used. For example:
ERROR: /var backup space is at 60% used. Insufficient disk space for backup.

Amazon S3 Archive and Backup in Guardium

Use this feature to archive and backup data from Guardium to Amazon S3.

Amazon S3 (Amazon Simple Storage Service) provides a simple web service interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web. It gives any developer access to the same highly scalable, reliable, secure, inexpensive infrastructure that Amazon uses to run its own websites.

Prerequisites

  • An Amazon account.
  • Registration for the S3 service.
  • Amazon S3 credentials, which are required in order to access Amazon S3:
    • Access Key ID: identifies the user as the party responsible for service requests and is included in each request. It is not confidential and does not need to be encrypted (a 20-character alphanumeric string).
    • Secret Access Key: associated with the Access Key ID and used to calculate the digital signature included in each request. It is a secret that only the user and AWS should have (a 40-character string, not a file). The key itself is never sent; only the signature computed from it is.

Two archive operations are available on the Administration Console, in the Data Management section of the menu:

  • Data Archive backs up the data that has been captured by the appliance, for a given time period.
  • Results Archive backs up audit task results (reports, assessment tests, entity audit trail, privacy sets and classification processes) as well as the view and sign-off trails and the associated comments from workflow processes.

When Guardium data is archived, there is a separate file for each day of data.

Archive data file name format:

 <time>-<hostname.domain>-w<run_datestamp>-d<data_date>.dbdump.enc 

The archive function creates signed, encrypted files, so any tampering with them is detected. Do not rename the generated archive files: the archive operation depends on the file names created during the archiving process.

System backups are used to back up and store all the data and configuration values needed to restore a server in case of hardware failure.

Configuration information and data are written to separate encrypted files (one for configuration, one for data) and sent to the specified destination, using the transfer method configured for backups on this appliance.

Backup system file format:

<data_date>-<time>-<hostname.domain>-SQLGUARD_CONFIG-9.0.tgz
<data_date>-<time>-<hostname.domain>-SQLGUARD_DATA-9.0.tgz
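Added example (not Guardium code): a small Python inventory for a backup destination that recognises the two name formats above, lists files per host and type, reports the newest file of each type (which is what the diag/current folder retains after repeated transfer failures, as noted in the System Backup section) and flags days for which no daily archive exists. The concrete field formats (<time> as HHMMSS, <run_datestamp> as YYYYMMDD.HHMMSS, <data_date> as YYYY-MM-DD) and the listed file names are assumptions, since the page does not specify them.

```python
import re
from datetime import date, timedelta

# Assumed concrete field formats (the page gives only the placeholders):
# <time> = HHMMSS, <run_datestamp> = YYYYMMDD.HHMMSS, <data_date> = YYYY-MM-DD.
ARCHIVE_RE = re.compile(
    r"^(?P<time>\d{6})-(?P<host>.+)-w(?P<run>\d{8}\.\d{6})"
    r"-d(?P<data_date>\d{4}-\d{2}-\d{2})\.dbdump\.enc$")
BACKUP_RE = re.compile(
    r"^(?P<data_date>\d{4}-\d{2}-\d{2})-(?P<time>\d{6})-(?P<host>.+)"
    r"-SQLGUARD_(?P<kind>CONFIG|DATA)-(?P<version>[\d.]+)\.tgz$")


def parse_name(name):
    """Classify a file name as a daily archive or a system backup (config/data)."""
    m = ARCHIVE_RE.match(name)
    if m:
        return {"kind": "archive", "host": m["host"], "data_date": m["data_date"],
                "sort_key": m["run"]}
    m = BACKUP_RE.match(name)
    if m:
        return {"kind": "backup-" + m["kind"].lower(), "host": m["host"],
                "data_date": m["data_date"], "version": m["version"],
                "sort_key": m["data_date"] + m["time"]}
    return None  # not a Guardium backup/archive file


def inventory(names):
    """Group recognised files by (host, kind), oldest first."""
    groups = {}
    for n in names:
        p = parse_name(n)
        if p:
            groups.setdefault((p["host"], p["kind"]), []).append((p["sort_key"], n))
    return {k: [n for _, n in sorted(v)] for k, v in groups.items()}


def latest_per_type(names):
    """What diag/current holds after repeated transfer failures: only the newest
    file of each type survives, earlier ones are overwritten."""
    keep = {}
    for n in names:
        p = parse_name(n)
        if p and (p["kind"] not in keep or p["sort_key"] > keep[p["kind"]][0]):
            keep[p["kind"]] = (p["sort_key"], n)
    return {k: n for k, (_, n) in keep.items()}


def missing_archive_days(names, host):
    """Days between the first and last archived day with no daily archive for host."""
    have = set()
    for n in names:
        p = parse_name(n)
        if p and p["kind"] == "archive" and p["host"] == host:
            have.add(p["data_date"])
    if not have:
        return []
    first, last = date.fromisoformat(min(have)), date.fromisoformat(max(have))
    gaps, d = [], first
    while d <= last:
        if d.isoformat() not in have:
            gaps.append(d.isoformat())
        d += timedelta(days=1)
    return gaps


# Constructed directory listing (not real Guardium output); 2024-06-04 has no archive.
SAMPLE = [
    "083652-guardium1.example.com-w20240603.083652-d2024-06-02.dbdump.enc",
    "083701-guardium1.example.com-w20240604.083701-d2024-06-03.dbdump.enc",
    "083655-guardium1.example.com-w20240606.083655-d2024-06-05.dbdump.enc",
    "2024-06-06-020000-guardium1.example.com-SQLGUARD_CONFIG-9.0.tgz",
    "2024-06-06-020000-guardium1.example.com-SQLGUARD_DATA-9.0.tgz",
    "2024-06-07-020000-guardium1.example.com-SQLGUARD_CONFIG-9.0.tgz",
    "README.txt",
]

if __name__ == "__main__":
    for k, v in inventory(SAMPLE).items():
        print(k, v)
    print("diag/current would keep:", latest_per_type(SAMPLE))
    print("missing archive days:", missing_archive_days(SAMPLE, "guardium1.example.com"))
```

Feed it the file names from an ls of the SCP/FTP directory or a bucket listing; a gap reported by missing_archive_days is a day you cannot restore from that destination, and should be cross-checked against the Aggregation/Archive Log report.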

The Aggregation/Archive Log report can be used to verify that the operation completed successfully. Multiple activities are listed for each archive operation, and the status of each activity should be Succeeded.

Regardless of the destination for the archived data, the Guardium catalog tracks where every archive file is sent, so that it can be retrieved and restored on the system with minimal effort, at any point in the future.

A separate catalog is maintained on each appliance, and a new record is added to the catalog whenever the appliance archives data or results.

Catalog entries can be transferred between appliances by one of the following methods:

  • Aggregation: Catalog tables are aggregated, so the aggregator holds the merged catalog of all of its collectors.

  • Export/Import Catalog: These functions transfer catalog entries between collectors, or back up a catalog for later restoration.

  • Data Restore: Each data restore operation contains the data of the archived day, including the catalog for that day, so restoring data also updates the catalog.

When catalog entries are imported from another system, those entries point to files that were encrypted by that system. Before restoring or importing such a file, the system shared secret of the system that encrypted it must be available on the importing system.

Enable Amazon S3 from the Guardium CLI

The Amazon S3 archive and backup option is enabled by default in the Guardium GUI. If it is not available, enable it from the Guardium CLI by running the following commands:

store storage-system amazon_s3 archive on
store storage-system amazon_s3 backup on

Amazon S3 requires the Guardium system clock to be correct to within 15 minutes; otherwise Amazon returns an error. If the difference between the request time and the current time is too large, the request is rejected.

If the Guardium system time is not correct, set it using the following CLI commands:
show system ntp server
store system ntp server <ntp_server> (for example, ntp.swg.usma.ibm.com)
store system ntp state on
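The two points made in this section, that the Secret Access Key is used only to compute a signature and is never transmitted (Prerequisites above), and that a request whose timestamp is more than 15 minutes from the S3 clock is rejected, as an added Python example that is not part of the original page and not Guardium code. It signs an S3 PUT with AWS Signature Version 4 using only the standard library and applies the server-side skew test. The credentials are AWS's documented placeholder keys (not real keys); the bucket name, region, object name, payload and appliance clock value are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# AWS's documented placeholder credentials (not real keys), used as sample input.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                      # 20 chars, sent in the clear
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # 40 chars, never sent
MAX_SKEW = timedelta(minutes=15)   # S3 rejects requests dated further from its clock
WHEN = datetime(2024, 6, 6, 2, 0, 0, tzinfo=timezone.utc)  # assumed appliance clock


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service="s3"):
    """SigV4 key derivation: the secret feeds an HMAC chain and never leaves the client."""
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_put(access_key, secret_key, bucket, key, payload, when, region="us-east-1"):
    """Headers for a SigV4-signed PUT of payload to s3://bucket/key (virtual-hosted style).
    Assumes key contains only characters that need no URI encoding."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    host = f"{bucket}.s3.amazonaws.com"
    payload_hash = hashlib.sha256(payload).hexdigest()
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_headers = (f"host:{host}\n"
                         f"x-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\n")
    canonical_request = "\n".join(
        ["PUT", "/" + key, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "x-amz-date": amz_date,               # signed, so it cannot be altered in transit
        "x-amz-content-sha256": payload_hash,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


def check_skew(headers, server_now):
    """The server-side test S3 applies before verifying the signature:
    reject if x-amz-date is more than MAX_SKEW away from the server clock."""
    req_time = datetime.strptime(headers["x-amz-date"], "%Y%m%dT%H%M%SZ")
    req_time = req_time.replace(tzinfo=timezone.utc)
    return abs(server_now - req_time) <= MAX_SKEW


def demo():
    """Sign a backup upload twice (one second apart) and exercise the skew check."""
    name = "2024-06-06-020000-guardium1.example.com-SQLGUARD_CONFIG-9.0.tgz"
    payload = b"constructed backup payload"
    h1 = sign_put(ACCESS_KEY, SECRET_KEY, "guardium-backups", name, payload, WHEN)
    h2 = sign_put(ACCESS_KEY, SECRET_KEY, "guardium-backups", name, payload,
                  WHEN + timedelta(seconds=1))
    h3 = sign_put(ACCESS_KEY, SECRET_KEY, "guardium-backups", name, payload, WHEN)
    sig = lambda h: h["Authorization"].rsplit("Signature=", 1)[1]
    return {
        "access_key_in_request": ACCESS_KEY in h1["Authorization"],
        "secret_in_request": any(SECRET_KEY in v for v in h1.values()),
        "signature_hex_len": len(sig(h1)),
        "signature_changes_with_time": sig(h1) != sig(h2),
        "deterministic": sig(h1) == sig(h3),
        "accepted_14_min_off": check_skew(h1, WHEN + timedelta(minutes=14)),
        "accepted_16_min_fast": check_skew(h1, WHEN + timedelta(minutes=16)),
        "accepted_16_min_slow": check_skew(h1, WHEN - timedelta(minutes=16)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because x-amz-date is one of the signed headers, a captured request cannot be re-dated to stay inside the window, which is why the skew check also bounds how long a captured request remains replayable; an appliance whose clock drifts past the window fails every upload until NTP is fixed.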

User Interface

Use the System Backup screen (Manage > Data Management > System Backup) to configure the backup. Once Amazon S3 is enabled, it appears in the list of protocols.

User input requires:

  • S3 Bucket Name (Every object stored in Amazon S3 is contained in a bucket. Buckets partition the namespace of objects stored in Amazon S3. Within a bucket, you can use any names for your objects, but bucket names must be unique across all of Amazon S3.)
  • Access Key ID
  • Secret Access Key
Note:
  • If the bucket does not exist, it is created, so the credentials you supply must be permitted to create buckets.
  • The Secret Access Key is encrypted when it is saved in the database.
To check that the files were uploaded to Amazon S3:
  1. Log on to the AWS Management Console using your email address and password.

    http://aws.amazon.com/console/

  2. Click S3.
  3. Click the bucket that you specified in the Guardium UI.

SoftLayer Object Storage

SoftLayer Object Storage is a redundant and highly scalable cloud storage service. Use it to easily store, search, and retrieve data across the Internet. It is based on the OpenStack Swift platform and may be accessed through a RESTful API and Web Portal.

Information needed beforehand:

  • Authentication Endpoint: Authentication requests are sent to the endpoint for the location of your Object Storage account, for example https://dal05.objectstorage.softlayer.net/auth/v1.0
  • Container: The basic storage unit for all data within Object Storage. It stores data/files and must be associated with an Object Storage account.
  • X-Auth-User: The user name to authenticate with, in the form tenant:username
  • X-Auth-Key: The API key (password) to authenticate with.

Account credentials can be retrieved by logging onto https://control.softlayer.com/

System Backup by SoftLayer from GUI
  1. Click Manage > Data Management > System Backup, Manage > Data Management > Data Archive, or Manage > Data Management > Results Archive.
  2. Select the SoftLayer protocol.
  3. Fill in Authentication Endpoint URL (example, https://dal05.objectstorage.softlayer.net/auth/v1.0)
  4. Specify an Object Storage container name (example, yourname_Container)
  5. Specify the X-Auth-User in the form tenant:username (example, username)
  6. Fill in the X-Auth-Key (example, password)
  7. Specify what to back up: Configuration or Data
  8. Modify Scheduling, or click Run Once Now.
System Backup via CLI (Configuration)

Access CLI.

CLI> backup system

1. DATA

2. CONFIGURATION

Please enter the number of your choice: (q to quit) 1

1. SCP

2. CONFIGURED DESTINATION

Please enter the number of your choice: (q to quit) 2

Make sure destination is configured in the GUI under the <System Backup> option

Please wait, this may take some time.

Performing a DEFAULT backup, config=

System Backup and System Restore

Access CLI.

CLI> restore system

1. SCP

2. FTP

3. TSM

4. CENTERA

5. AMAZONS3

7. SOFTLAYER

8. SFTP

Please enter the number of your choice: (q to quit) 7

Enter the SoftLayer Authentication Endpoint URL:

Enter SoftLayer Object Storage Container name:

Enter SoftLayer X-Auth-User:

Enter X-Auth-Key:

Enter a file name from list:

Authenticate success!

Download file success!

Select your recovery type, for most cases, use the normal option:

1. normal

2. upgrade
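The authenticate and download steps shown in the SoftLayer restore transcript above, as an added Python example that is not Guardium's or SoftLayer's code: a loopback stand-in for the Object Storage endpoint implements the v1.0 authentication semantics (GET the auth endpoint with X-Auth-User and X-Auth-Key; the reply carries X-Auth-Token and X-Storage-Url; object requests then carry the token), and a client performs the backup upload and the restore download against it, plus the failure cases (wrong key, bogus token, missing object). The tenant, user name, API key, container and object name are constructed.

```python
import hmac
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed account (not real credentials): X-Auth-User is "<tenant>:<username>".
USER, KEY = "SLOS123456-2:SL123456", "0123456789abcdef0123456789abcdef"
ACCOUNTS = {USER: KEY}   # X-Auth-User -> X-Auth-Key
TOKENS = {}              # issued X-Auth-Token -> tenant
STORE = {}               # (tenant, container, object) -> bytes


class SwiftLikeHandler(BaseHTTPRequestHandler):
    """Loopback stand-in for the Object Storage endpoint (v1.0 auth semantics)."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, code, headers=None, body=b""):
        self.send_response(code)
        for k, v in (headers or {}).items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _authorized(self):
        """(tenant, container, object) if the token is valid for the account in the path."""
        parts = self.path.split("/")  # '', 'v1', 'AUTH_<tenant>', container, object
        tenant = TOKENS.get(self.headers.get("X-Auth-Token", ""))
        if len(parts) != 5 or tenant is None or parts[2] != "AUTH_" + tenant:
            return None
        return tenant, parts[3], parts[4]

    def do_GET(self):
        if self.path == "/auth/v1.0":  # step 1: credentials in, token + storage URL out
            user = self.headers.get("X-Auth-User", "")
            key = self.headers.get("X-Auth-Key", "")
            if user not in ACCOUNTS or not hmac.compare_digest(
                    ACCOUNTS[user].encode(), key.encode()):
                return self._reply(401)
            token, tenant = secrets.token_hex(16), user.split(":")[0]
            TOKENS[token] = tenant
            return self._reply(200, {"X-Auth-Token": token,
                "X-Storage-Url": f"http://{self.headers['Host']}/v1/AUTH_{tenant}"})
        where = self._authorized()  # step 3: download (restore) with the token
        if where is None:
            return self._reply(401)
        if where not in STORE:
            return self._reply(404)
        return self._reply(200, body=STORE[where])

    def do_PUT(self):  # step 2: upload (backup) with the token
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        where = self._authorized()
        if where is None:
            return self._reply(401)
        STORE[where] = body
        return self._reply(201)


def authenticate(endpoint, user, key):
    req = Request(endpoint, headers={"X-Auth-User": user, "X-Auth-Key": key})
    with urlopen(req) as r:
        return r.headers["X-Auth-Token"], r.headers["X-Storage-Url"]


def put_object(storage_url, token, container, name, data):
    req = Request(f"{storage_url}/{container}/{name}", data=data, method="PUT",
                  headers={"X-Auth-Token": token})
    with urlopen(req) as r:
        return r.status


def get_object(storage_url, token, container, name):
    req = Request(f"{storage_url}/{container}/{name}", headers={"X-Auth-Token": token})
    with urlopen(req) as r:
        return r.read()


def _status(fn, *args):
    """HTTP status of a call expected to fail (200 if it unexpectedly succeeds)."""
    try:
        fn(*args)
        return 200
    except HTTPError as e:
        return e.code


def run_exchange():
    """Start the stand-in on a loopback port, back up one file, then restore it."""
    server = HTTPServer(("127.0.0.1", 0), SwiftLikeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        endpoint = f"http://127.0.0.1:{server.server_port}/auth/v1.0"
        name = "2024-06-06-020000-guardium1.example.com-SQLGUARD_CONFIG-9.0.tgz"
        payload = b"constructed backup payload"
        token, url = authenticate(endpoint, USER, KEY)
        return {
            "upload": put_object(url, token, "guardium_backups", name, payload),
            "download_matches": get_object(url, token, "guardium_backups", name) == payload,
            "wrong_key": _status(authenticate, endpoint, USER, "wrong-key"),
            "bogus_token": _status(put_object, url, "bogus", "guardium_backups", name, payload),
            "missing_object": _status(get_object, url, token, "guardium_backups", "nope.tgz"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_exchange())
```

The API key is sent as a header value, so in production the endpoint must be the https URL shown above; the stand-in uses plain http on loopback only. Note that the token, not the key, authorises every later object request, which is why the restore transcript prints a separate "Authenticate success!" before "Download file success!".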

System Backup > Cleversafe

Prerequisite

The Guardium server must be set to the correct local time. If necessary, correct it with the NTP server CLI commands (show system ntp server, store system ntp server, store system ntp state on).

System Backup selections:

  • Authentication endpoint URL
  • (AWS) Access key
  • (AWS) Secret access key
  • Bucket name

Answer yes to the certificate prompts. Check that the endpoint URL is the one you intend before accepting its certificate.