000012282 - Restoring a pre-SP2 backup to a SP2 appliance fails - Restore database backup to Authentication Manager 7.1 SP4 or Appliance or later

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000012282
Applies ToSecurID Appliance 3.0
configuration failed
finalize-radius-restore fails
IssueRestoring a pre-SP2 backup to a SP2 appliance fails - Restore database backup to Authentication Manager 7.1 SP4 or Appliance or later
'Migrate' an AM 7.1 or Appliance 3.0 database to a Linux based AM 7.1 Server or to another Appliance running the same or later version of AM, e.g. SP2 to SP4 is OK, but can't migrate an SP4 database to SP3 or SP2, schema has changed
CauseIn some situations it is necessary to restore a pre-SP2 appliance backup to an SP2 appliance. Due to a missing section in a file, the radius restore portion will fail. This solution addresses some of the specifics (which are not entirely clear in the documentation) as well as provides the updated xml file.
  1. Take a backup on the current system:

Open an SSH session and log in as user emcsrv:

sudo su rsaadmin (this makes you the rsaadmin user) 

cd /usr/local/RSASecurity/RSAAuthenticationManager/utils 

./rsautil setup-replication -a list 

./rsautil setup-replication -a remove-replica -n <name of replica to be removed> 

<repeat as necessary for other replicas> 

./rsautil setup-replication -a remove-unreg-replicas 

./rsautil manage-rep-error -a run-script -o cleanup_propagation.sql 

Confirm and answer Y to all questions. 

./rsautil manage-backups -a export -f /tmp/backup.dmp 

This will create /tmp/backup.dmp and /tmp/backup.secrets, use WinSCP to copy these files off the A130 Appliance. If your promotion fails or you need to rebuild a new A250 primary, here are those commands

You can change the name of backup.dmp to something else. This will create two files in the /tmp directory, one named backup.dmp, the other named backup.secrets.


Stop all services:

cd /usr/local/RSASecurity/RSAAuthenticationManager/server/

./rsaam stop all


Once services have stopped do the following if not running SP4:


sudo su - root

cd /usr/local/RSASecurity/RSAAuthenticationManager/

tar cvf  /tmp/backupradius.tgz radius

cd /tmp

chmod 777 backup*


The three files can now be pulled off the box using sftp.

***We are now done working with this box, the following steps will be on the other appliance***



  1. Factory default the other appliance to latest Service Pack if not already there.
  2. Perform Quick Setup on the newly defaulted appliance. The fully-qualified domain name and IP address do not need to match the original system.

The following must match between the original system and the new system:

-         master password

-         install Super Admin user name and password


  1. Once the box is up and running, open an Operations Console.
  2. Go to Deployment Configuration->Radius->Manage Existing
  3. If a radius server is present, delete it
  4. Go to Deployment Configuration->Radius->Configure Server
  5. Configure the Radius server
  6. Once this is done, close the Operations Console window
  7. Use sftp to place the three backup files and the updated finalize-radius-restore.xml in the /tmp directory
  8. Stop all Authentication Manager Services on the primary instance.
  9. Start the database listener and database server services.
  10. SSH to Appliance and sudo su rsaadmin then Issue the following commands:

cd /usr/local/RSA Security/RSA Authentication Manager/utils 

       ./rsautil setup-replication -a list 



       ./rsautil setup-replication -a remove-replica -n <replica> (if have any replicas) 

       ./rsautil setup-replication -a remove-primary (don?t worry) 

       ./rsautil manage-backups -a import -D -f /updates/backup.dmp 

Enter Master Password: 

       ./rsautil setup-replication -a set-primary (told you not to worry) 

       cd ../server 

 ./rsaam start all

 OPTIONALLY migrate RADIUS from Pre-SP4

  1. After you Start all services, Open an Operations Console and go to Deployment Configuration->Radius->Manage Existing.  Delete the radius server.
  2. Exit the Operations Console.
  3. On your SSH session, stop the radius service:

cd /usr/local/RSASecurity/RSAAuthenticationManager/server

./rsaam stop radius

  1. Change user to root:


sudo su ? root


  1. Execute the following commands:

 cd /usr/local/RSASecurity/RSAAuthenticationManager

cp /tmp/backupradius.tgz .

(note the space then period at the end of the last command)

tar xvf backupradius.tgz

cd /usr/local/RSASecurity/RSAAuthenticationManager/config/radius/restore

cp finalize-radius-restore.xml finalize-radius-restore.bak

chown rsaadmin:rsaadmin finalize-radius-restore.bak

cp /tmp/finalize-radius-restore.xml .

(note the space then period at the end of the last command)

chown rsaadmin finalize-radius-restore.xml

chgrp rsaadmin finalize-radius-restore.xml

cd /usr/local/RSASecurity/RSAAuthenticationManager/config

./configUtil.sh configure radius finalize-radius-restore


If the configUtil command successfully executes and displays the Message

?Configuration Completed,? ignore the following error message that displays

while the command runs:

[ERROR] Unexpected issue with XUI call : RADIUS server

does not responds within the timeout

[SOLUTION] RADIUS server is not configured properly ;

Please re-run the RADIUS server configuration again


RADIUS server does not responds within the timeout


Replicas would need to be generated and attached after this.


The updated finalize-radius-restore.xml is located here:




NOTE: if using a .tgz backup made from a pre-sp2 appliance taken from the operations console, the backup file, when extracted from the .tgz file will be named BACKUP.dump
Legacy Article IDa49470