How to back up the eDirectory database and associated Security Services files on NetWare

  • 3290174
  • 18-Jan-2007
  • 06-Jun-2012

Environment

Novell NetWare Server NICI
Novell Modular Authentication Service version 2.3
Novell iManager
Novell eDirectory 8.7.3
Novell Portal Services
Novell Tomcat 4.0
Novell Apache 2.0.48
Novell NetWare 6.5
Novell Certificate Server - PKIS Services

Situation

A customer is having an issue that involves certificates, NICI, NMAS, etc. that must be preserved in order to duplicate the issue in-house.
Restoring the eDirectory database alone does not restore the KMOs, NICI files, tree keys, etc.
This document describes how to back up the eDirectory database and the associated Security Services files.

Resolution

Below is the procedure for performing this task on the NetWare platform.

Primer:
Creating a backup of the eDirectory database, otherwise known as "grabbing a DIB", will back up all objects from that server's perspective. However, restoring it will not, in itself, restore the Security Domain Infrastructure (SDI). Many of the keys and settings are not held in objects but rather as files on the server's volume. (For more information on the SDI, please see the May 2002 AppNote.) A non-functioning SDI can affect services that depend on it, such as Certificate Services, Single Signon, NMAS, DirXML/IDM, etc. For example, if the original Organizational CA's information is not backed up, certificates will continue to function, but no new ones can be minted and those already created will not validate. In addition to an eDirectory database backup, the CA, external certs, NICI keys, tree keys and server keys need to be backed up as well.

The easiest way to back up both eDirectory and the SDI files is to have a copy of all replicas on one server that is also the Organizational CA for the tree and that, by default, is the Security Key ServerDN. If this is not the case, you will need additional DIB backups from other servers that hold parts of the tree this server does not.

Below are the items to back up:
a. Perform a DSREPAIR -RC on the Org CA server. The eDirectory backup file(s) will be saved to the SYS:SYSTEM\DSR_DIB directory. Perform this on all servers that hold parts of the tree this server does not hold. These files should be copied and sent offsite.
b. Copy all files in the server's SYS:SYSTEM\NICI directory.
c. Copy the CA's SYS:PUBLIC\ROOTCERT.DER file. It is a good idea to do this for all servers. It should be performed again each time NetWare is upgraded.
d. Copy the SYS:TOMCAT\4\WEBAPPS\NPS\WEB-INF\PORTALSERVLETPROPERTIES file from any Portal or iManager servers.
e. Copy the SYS:ADMINSRV\CONF\.KEYSTORE file from any Portal or iManager servers.

The backup of these files can be performed through cron jobs, existing SMS-compliant backup software, or the NRM archive function.
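
An added example, not part of the original TID: a Python check, run on the machine where the copies are staged, that confirms each item from the list above is present and non-empty and records a SHA-256 manifest so the offsite copy can be compared against it later. The staging layout (copies kept under their SYS:-relative paths), the function names, and the rule that items a-c apply to every server while d-e apply only to Portal or iManager servers are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Items a-e above as paths relative to SYS:. Assumed layout: one staging
# directory per server, holding the copies under the same relative paths.
EVERY_SERVER = ["SYSTEM/DSR_DIB", "SYSTEM/NICI", "PUBLIC/ROOTCERT.DER"]
PORTAL_ONLY = ["TOMCAT/4/WEBAPPS/NPS/WEB-INF/PORTALSERVLETPROPERTIES",
               "ADMINSRV/CONF/.KEYSTORE"]

def resolve(root, rel):
    """Find rel under root, ignoring case as NetWare does; None if absent."""
    cur = Path(root)
    for part in rel.split("/"):
        hits = [p for p in cur.iterdir() if p.name.upper() == part.upper()] if cur.is_dir() else []
        if not hits:
            return None
        cur = hits[0]
    return cur

def audit(root, portal=False):
    """Return (missing, manifest): absent or empty items, {path: sha256} of the rest."""
    missing, manifest = [], {}
    for rel in EVERY_SERVER + (PORTAL_ONLY if portal else []):
        hit = resolve(root, rel)
        if hit is None:
            missing.append(rel)
            continue
        files = sorted(p for p in hit.rglob("*") if p.is_file()) if hit.is_dir() else [hit]
        if not files:
            missing.append(rel)  # directory was copied without its contents
        for p in files:
            name = p.relative_to(root).as_posix()
            if p.stat().st_size == 0:
                missing.append(name)  # zero-byte copy
            else:
                manifest[name] = hashlib.sha256(p.read_bytes()).hexdigest()
    return missing, manifest

if __name__ == "__main__":
    # Constructed sample: staging tree of a portal server, .KEYSTORE not copied.
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ["system/dsr_dib/constructed.bin", "system/nici/constructed.bin",
                    "public/rootcert.der",
                    "tomcat/4/webapps/nps/web-inf/portalservletproperties"]:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample data")
        missing, manifest = audit(tmp, portal=True)
        print("missing:", missing)
        for name, digest in manifest.items():
            print(digest, name)
```

Because the staged set contains the NICI keys and the keystore, keep the staging directory and the manifest under the same access restrictions as the originals.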

Additional Information


Formerly known as TID# 10096647
Formerly known as TID# NOVL101045