7 Database Maintenance (UNIX)
This chapter provides instructions to back up, restore, and create offline storage of RSA Authentication Manager data. It also describes how to manage the audit trail database by deleting or archiving old log records, and how to update information in your extension data records. Finally, it provides instructions to run external procedures directly from the Database Administration application.
This chapter describes some tasks that you do by entering UNIX commands at the command line prompt on the UNIX RSA Authentication Manager machine. It describes other tasks for which you need the Database Administration application.
Run this application on your Remote Administration machine.
Before you begin, read the following section, “Maintaining Adequate Disk Space,” for important information about maintaining adequate disk space on RSA Authentication Managers.
Maintaining Adequate Disk Space
If writing to an RSA Authentication Manager database fails because the file system is full, Authentication Manager programs will abort. Take whatever measures are necessary to avoid having inadequate disk space.
Important: Do not allow a Primary or Replica Authentication Manager’s disk to become more than 90% full.
Because disk space requirements vary depending on your particular implementation of the system, use the examples of database sizes in the following table as guidelines only.
Example database sizes (guideline values; of the table's header row only the first word, "Number", survived in this copy):
10000 | 5000 | 25000 | 19.2 MB | 11 MB | 1.1 MB
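The 90% rule above is easy to automate. The following script is an added example written for this guide's readers, not something shipped with RSA Authentication Manager: it reads the used percentage of the filesystem holding ACEDATA with POSIX df -P and reports when the limit is exceeded. The ACEDATA path /top/ace/data is the placeholder the guide itself uses later in this chapter; nothing else is assumed about the installation.

```shell
#!/bin/sh
# Added example (not part of the RSA guide): warn when the filesystem that
# holds the ACEDATA directory is more than 90% full.
# ACEDATA below is the guide's example path; override it in the environment.

ACEDATA="${ACEDATA:-/top/ace/data}"
LIMIT=90   # the guide's ceiling for a Primary or Replica disk

# Print the used percentage (no "%" sign) of the filesystem containing $1.
# df -P guarantees one line per filesystem, so field 5 of line 2 is Capacity.
disk_usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Return 0 when usage $1 is at or below limit $2, 1 otherwise.
usage_within_limit() {
    [ "$1" -le "$2" ]
}

# Check the filesystem of directory $1 against LIMIT; non-zero status on breach
# so the check can be chained into a nightly job.
check_acedata_space() {
    pct=$(disk_usage_pct "$1")
    if usage_within_limit "$pct" "$LIMIT"; then
        echo "ok: filesystem of $1 is ${pct}% used"
    else
        echo "WARNING: filesystem of $1 is ${pct}% used, above ${LIMIT}%" >&2
        return 1
    fi
}

# Usage: sh diskcheck.sh [directory]   (defaults to ACEDATA)
if [ "$#" -gt 0 ]; then
    check_acedata_space "$1"
fi
```

Run it from cron before the daily backup; a non-zero exit means the backup or compression job should not proceed until space has been freed.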
RSA Authentication Manager 6.1 Administrator’s Guide
138 7: Database Maintenance (UNIX)
Reclaiming Disk Space with Database Compression
Periodically, you must compress the Authentication Manager and log databases so that disk space is used more efficiently. RSA Security provides a database compression utility that enables you to reclaim disk space used by the RSA Authentication Manager databases. For example, after you have done a large number of deletions, such as purging old log records, use the compression utility to free the disk space the log database is no longer using.
Use the database compression utility also to shrink the sdserv.bi and sdlog.bi files.
These files are created by the software for use in rolling back transactions if a group of transactions cannot be completed successfully. They are never automatically purged and can become quite large, especially after operations, such as importing tokens, that make a large number of changes to the databases.
No RSA Authentication Manager programs or database brokers can be allowed to run during the compression operation. It may therefore be most convenient to use this utility when you have stopped the aceserver process and the brokers to do your daily backup.
With multiple Replicas, authentication services continue to be available even if you shut down the Primary in order to back up data and compress the files.
To compress the database files on either the Primary or a Replica:
1. If you are not logged in as root or as the owner of the RSA Authentication Manager files, su to one of these two accounts.
If you are unsure who was designated as file owner, run ACEPROG/sdinfo to view the configuration values.
2. Terminate all RSA Authentication Manager programs, including the aceserver process.
3. Stop the database brokers with the command:
sdconnect stop
4. Run sdcompress, specifying which database is to be compressed:
ACEPROG/sdcompress -l | -s
where -s (“server”) compresses sdserv and -l (“log”) compresses sdlog.
The sdcompress script automatically creates a backup of the database that is stored until the compression operation is successfully concluded. In cases of depleted disk space so extreme that there is not enough room to store this
temporary backup, run sdcompress with the -n option. This command creates no backup and should only be used when absolutely necessary. If you must use it, first make a tape backup of the databases.
ACEPROG/sdcompress -db -n
Backing Up and Restoring RSA Authentication Manager Data
Follow the instructions in this section to create reliable, complete backup files:
• ACEDATA:
– Back up the log and Authentication Manager databases daily. (You can set up RSA Authentication Manager to save the log database to an archive file according to a schedule and method you select. For more information, see “Scheduling Automated Log Database Maintenance” on page 157.)
– Back up the sdconf.rec file any time you make changes to it.
– Back up the license.rec file after initial installation of the product or after you upgrade the license record for any reason.
– Back up SSL files for remote administration and LDAP synchronization (sdti.cer, server.cer, server.key, key3.db, and cert7.db).
– Back up custom queries (queries\*).
– Back up sdtacplus.cfg if you are using TACACS+.
• ACEPROG
– Back up the configuration file hosts.conf.
– Back up the configuration file sdcommdConfig.txt.
Note: RSA Security recommends that you back up the databases when no RSA Authentication Manager programs are running. If you must make a backup without closing all of the programs, see the section, “Backing Up Data While RSA Authentication Manager Programs Are Running” on page 140.
Backing Up Data While RSA Authentication Manager Programs Are Not Running
If you have multiple Replicas, you can stop all RSA Authentication Manager programs on an Authentication Manager to back up data with no loss in authentication.
To back up the databases while they are not in use:
1. Make sure that no one is running any RSA Authentication Manager program.
2. At a command prompt, type:
rptconnect stop
aceserver stop
sdconnect stop
If you do not run sdconnect stop, your backups will include the lock files sdserv.lk and sdlog.lk. If you make and then restore database backups that contain lock files, sdconnect start fails.
3. Locate the data files you want to back up.
The database files are stored in the ACEDATA directory (for example, /top/ace/data).
These are the log database (sdlog) files:
sdlog.bi
These are the Authentication Manager database (sdserv) files:
sdserv.bi
4. Use the UNIX command tar -p or cp -p to copy the log and Authentication Manager database files.
Use the tar command to copy files to tape and the cp command to copy files to another directory. Preserve the file permissions by using the -p option.
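The offline backup procedure above, as an added example script rather than code from the RSA guide: it stops the programs in the order given (only when those commands are actually found on PATH), refuses to archive while the broker lock files sdserv.lk or sdlog.lk are still present, and then copies every sdserv.* and sdlog.* file with tar -p. The ACEDATA default /top/ace/data is the guide's own example path; the archive name is whatever the caller passes.

```shell
#!/bin/sh
# Added example (not part of the RSA guide): offline copy of the sdserv and
# sdlog database files, with a pre-flight check for leftover lock files.
# ACEDATA defaults to the guide's example path; the stop commands are only
# invoked when they exist on this machine.

ACEDATA="${ACEDATA:-/top/ace/data}"

# Return 0 when sdserv.lk or sdlog.lk exists in directory $1, i.e. the
# brokers are still up and a backup would capture the lock files.
lock_files_present() {
    [ -e "$1/sdserv.lk" ] || [ -e "$1/sdlog.lk" ]
}

# Stop the RSA programs in the order the guide gives, when the commands exist.
stop_ace_programs() {
    for cmd in rptconnect aceserver sdconnect; do
        if command -v "$cmd" >/dev/null 2>&1; then
            "$cmd" stop
        fi
    done
}

# Archive every sdserv.* and sdlog.* file in $1 into tar file $2, passing -p
# as the guide does. Fails if lock files are present or no database files exist.
backup_db_files() {
    src="$1"
    archive="$2"
    case "$archive" in
        /*) ;;
        *) archive="$PWD/$archive" ;;   # keep the path valid after the cd below
    esac
    if lock_files_present "$src"; then
        echo "lock files present in $src; run sdconnect stop first" >&2
        return 1
    fi
    files=""
    for f in "$src"/sdserv.* "$src"/sdlog.*; do
        [ -e "$f" ] && files="$files $(basename "$f")"
    done
    if [ -z "$files" ]; then
        echo "no sdserv/sdlog files found in $src" >&2
        return 1
    fi
    (cd "$src" && tar -cpf "$archive" $files)
}

# List the members of archive $1, for a post-backup sanity check.
archive_members() {
    tar -tf "$1"
}

# Usage: sh backup.sh /path/to/ace-backup.tar
if [ "$#" -gt 0 ]; then
    stop_ace_programs
    backup_db_files "$ACEDATA" "$1" && archive_members "$1"
fi
```

The lock-file check is the point of the script: the guide warns that a backup taken with sdserv.lk and sdlog.lk present cannot be restored cleanly because sdconnect start then fails, so the script treats their presence as a hard error instead of silently including them.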
Backing Up Data While RSA Authentication Manager Programs Are Running
This section describes the database backup command, which you can use to back up databases on both Primary and Replicas. However, a better backup method is described in the preceding section, “Backing Up Data While RSA Authentication Manager Programs Are Not Running.”
Note: Do not use this backup method if you are in single-user mode.
You can back up while RSA Authentication Manager programs are running without endangering the integrity of the database, but the backup you get may not be complete. Before you begin, make sure that no one else is backing up a database at the same time. Simultaneous multiple backups can slow system performance significantly.
Syntax
The sdbkup command has the following syntax:
sdbkup [online] databasefile backupfile
The following table describes the options of the sdbkup command:
Option Description
online Specifies that you want to perform the backup while RSA Authentication Manager programs are running.
databasefile Specifies the full pathname of the database file you want to back up (usually a file in the ACEDATA directory).
backupfile Specifies the full pathname (or the name only) of the backup file.
For example, to back up the Authentication Manager database to a file named sdserv1, the command line would be:
sdbkup online /ace/data/sdserv /dev/rst0/sdserv1
If there is a file named sdserv1 already, the following prompt appears:
*** backup_file already exists ***
Do you want to continue and overwrite the file? (y/n) [y]:
If you want to overwrite the sdserv1 file, the command line would be:
sdbkup online /ace/data/sdserv /dev/rst0/sdserv1
Restoring Databases Created by the Database Backup Command
Use the procedure described in this section to restore the databases created by the database backup command.
To restore a database:
1. Make sure that no RSA Authentication Manager program is running.
2. Stop the Report Creation Utility (if it is running), the aceserver process, and the database broker:
rptconnect stop
aceserver stop
sdconnect stop
3. To restore the Authentication Manager database:
sdrest /top/ace/data/sdserv /dev/rst0
4. To restore the log database:
sdrest /top/ace/data/sdlog /dev/rst0
5. Generate a Replica Package for all Replicas, and distribute the new database files in the Replica Package to all Replicas.
If Push DB Assisted Recovery is allowed, the Primary will push the new database files to the Replicas when you restart the Primary. Otherwise, copy the database files to the Replicas manually.
6. Restart the Primary.
Recovering Data From an Offline Backup or a Server
When you need to recover data that was not backed up through the sdbkup command (for more information, see “Backing Up Data While RSA Authentication Manager Programs Are Running” on page 140), the appropriate procedure depends on the location of the most up-to-date database:
• If the best database available is one you produced by the method described in “Backing Up Data While RSA Authentication Manager Programs Are Not Running” on page 139, use the first procedure in this section to recover data.
• If the most up-to-date database is on one of your Replicas, use the second procedure in this section.
• If your Primary has the most up-to-date database, use the third procedure in this section.
To restore data from an offline backup:
1. If you are not logged in as root or as the owner of the RSA Authentication Manager files, su to one of these two accounts.
2. Stop all RSA Authentication Manager programs running on the Primary.
Stop the Report Creation Utility (if it is running), the aceserver process, and the database broker by entering the following commands at a command prompt:
rptconnect stop
aceserver stop
sdconnect stop
3. Using the command appropriate to the backup file format, copy the backup sdlog and sdserv databases to the ACEDATA directory.
These are the log database (sdlog) files:
sdlog.bi
These are the Authentication Manager database (sdserv) files:
sdserv.bi
4. Generate a Replica Package for all Replicas, and distribute the new database files in the Replica Package to all Replicas.
If Push DB Assisted Recovery is allowed, the Primary will push the new database files to the Replicas. Otherwise, copy the database files to the Replicas manually.
5. Start the aceserver on the Primary.
To restore data on a Replica to the Primary:
1. If you are not logged on as root or as the owner of the RSA Authentication Manager files, su to one of these two accounts.
2. Stop all RSA Authentication Manager programs running on the Primary.
Stop the Report Creation Utility (if it is running), the aceserver process, and the database broker by entering the following commands at a command prompt:
rptconnect stop
aceserver stop
sdconnect stop
3. Repeat steps 1 and 2 on the Replica.
4. Using the command appropriate to the backup file format, copy the Replica database to the Primary.
The files to copy from the Replica to the Primary are sdserv.bi, sdserv.db, sdserv.lg, sdserv.lic, and sdserv.vrs.
5. Generate a Replica Package for all Replicas, and distribute the new database files in the Replica Package to all Replicas.
If Push DB Assisted Recovery is allowed, the Primary will push the new database files to the Replicas. Otherwise, copy the database files to the Replicas manually.
6. Start the aceserver on the Primary.
7. Start the aceserver on the Replica.
To restore data on the Primary to a Replica:
1. If you are not logged on as root or as the owner of the RSA Authentication Manager files, su to one of these two accounts.
2. Make sure that no RSA Authentication Manager programs are running on the Replica.
Stop the Report Creation Utility (if it is running), the aceserver process, and the database broker by entering the following commands at a command prompt:
rptconnect stop
aceserver stop
sdconnect stop
3. Repeat steps 1 and 2 on the Primary.
4. Generate a Replica Package for all Replicas, and distribute the new database files in the Replica Package to all Replicas.
If Push DB Assisted Recovery is allowed, the Primary will push the new database files to the Replicas. Otherwise, copy the database files to the Replicas manually.
5. Start the aceserver on the Primary.
6. Start the aceserver on the Replica.
Importing and Exporting Database Records
Some RSA Authentication Manager data can be exported and stored in clear ASCII text files. These files are for offline viewing or processing rather than for backup purposes. They cannot be restored to the databases for use by the Authentication Manager.
You can use the RSA Authentication Manager Database Administration application on your Remote Administration machine to create text files containing the following kinds of data:
• Certain user data such as user name and login. Click User > List Users and click Help for instructions.
• Log records in the form of an RSA Authentication Manager report.
For more information, see “Sending a Report to a File” on page 167.
• Log records in Comma-Separated Values (CSV) format for use with third-party software such as Microsoft Excel.
For more information, see “Scheduling Automated Log Database Maintenance” on page 157.
Store these files in a secure area. The data they contain can pose serious threats to system security if unauthorized personnel gain access to it.