000028020 - How to configure backups if the remote backup folder is secured?

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000028020
Applies To: RSA Data Protection Manager Appliance 3.5

Issue

How to configure backups if the remote backup folder is secured?

/opt/tomcat/logs/rsaweb-log.log

DEBUG [ajp-nio-8009-exec-3] RKMALogger.doLog(330) | com.rsa.appliance.web.NewBackupController.configureBackup(NewBackupController.java:133) : Enter method configureBackup
DEBUG [ajp-nio-8009-exec-3] RKMALogger.doLog(330) | com.rsa.appliance.web.NewBackupHandler.configureBackup(NewBackupHandler.java:93) : Enter method configureBackup
DEBUG [ajp-nio-8009-exec-3] RKMALogger.doLog(330) | com.rsa.appliance.service.impl.NewBackupServiceImpl.configureBackup(NewBackupServiceImpl.java:63) : Enter method configureBackup
ALL [ajp-nio-8009-exec-3] AuditServiceImpl.audit(109) | [CONFIGURE_BACKUP] User rkmaadmin has configured backup on bkpuser@10.10.10.10
INFO [ajp-nio-8009-exec-3] RKMALogger.sysLog(372) | [CONFIGURE_BACKUP] User rkmaadmin has configured backup on bkpuser@10.10.10.10
ERROR [ajp-nio-8009-exec-3] RKMALogger.doLog(330) | com.rsa.appliance.web.NewBackupController.configureBackup(NewBackupController.java:149) : Error while configuring backup


/opt/appliance/logs/rkma-system.log

2014-05-29 09:11:10,441 ERROR - error.backup.configuration.remote.host.unreachable


backup.log

Configuring backup ... Started
Cleanup ... Started
Unmounting mount point ... Started
Unmounting mount point ... Done
Removing backup SSH keys ... Started
Removing backup SSH keys ... Done
Cleanup ... Done
Create SSH key ... Started
Create SSH key ... Done
Copy SSH public key to the remote host ... Started
Remote host IP validation ... Done
Copy SSH Public Key to Remote Server /root/.ssh/backupSSHKey.pub dir <hostname>
Failed to copy SSH public key to the remote host  [ERROR CODE: 110 ]
Deleting backup work folder ...

Cause

The remote backup user is in a chroot environment; according to the SSHFS wiki (https://wiki.archlinux.org/index.php/sshfs), this is the secure way to set it up.

Current backup configuration process:

  1. SSH key created on the appliance
  2. SSH key copied to remote server using SCP
  3. Local mount point is created
  4. Remote backup folder mounted using SSH key
  5. GPG key created
  6. Backup folder created in mounted folder
  7. Backup retention policy file created and copied in mounted folder

Since the user is restricted to internal-sftp ONLY, copying the SSH key file using SCP fails.

Resolution

Workaround:

1. On the remote backup server, create the .ssh folder with proper permissions

cd /home/bkpuser/
mkdir .ssh; chown bkpuser:bkpuser .ssh; chmod 700 .ssh

2. On the appliance

mkdir /tmp/mount
sshfs bkpuser@10.101.65.148: /tmp/mount
umask 077
cat /root/.ssh/backupSSHKey.pub >> /tmp/mount/.ssh/authorized_keys
umount /tmp/mount

3. Edit the file /opt/rsa/setup/sh/backup/IncrementalBackupOperations.sh and, in the configureBackup function, comment out the following lines:

#Cleanup:
#Unmount mount point and remove Backup SSH keys
#cleanup

#Create Backup SSH Key:
#createSSHKey $SSH_KEY_FILE
#exitOnError $? "Error in creating backup SSH key"

#Copy SSH Public Key To Remote Location:
#copySSHPulicKeyToRemoteLocation $REMOTE_HOST_IP $REMOTE_HOST_USERNAME $SSH_KEY_FILE "$REMOTE_HOST_PASSWORD"
#exitOnError $? "Error in copying backup SSH key to remote location"

4. Configure the backups as normal via the appliance console
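
An idempotent form of the append in step 2, as an added example that is not RSA's code: install_backup_key and check_ssh_perms are hypothetical helper names, and on the appliance the arguments would be /root/.ssh/backupSSHKey.pub and /tmp/mount/.ssh while the sshfs mount is active. It avoids a duplicate entry when the step is repeated and a key glued onto an existing last line that lacks a trailing newline.

```shell
#!/bin/sh
# Added example. install_backup_key and check_ssh_perms are hypothetical names.

# install_backup_key PUBKEY_FILE SSH_DIR
# Adds the key to SSH_DIR/authorized_keys only if that exact line is absent,
# then sets modes 700 (directory) and 600 (file).
install_backup_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 2; }
    [ -d "$ssh_dir" ] || { echo "$ssh_dir missing, run step 1 first" >&2; return 3; }

    # A public key file holds exactly one non-empty line.
    if [ "$(grep -c . "$pubkey_file")" -ne 1 ]; then
        echo "expected exactly one key line in $pubkey_file" >&2
        return 4
    fi
    key_line=$(grep . "$pubkey_file")

    # Create the file privately if it does not exist yet (umask only in subshell).
    ( umask 077; touch "$auth_file" ) || return 5

    # If the last byte is not a newline, add one so the new key starts its own line.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file" || return 5
    fi

    # -F fixed string, -x whole line: exact-match lookup, so reruns add nothing.
    if ! grep -Fxq -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file" || return 5
    fi
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file"
}

# check_ssh_perms SSH_DIR
# Succeeds only when SSH_DIR is exactly 700 and authorized_keys exactly 600.
check_ssh_perms() {
    [ -n "$(find "$1" -prune -perm 700 2>/dev/null)" ] &&
    [ -n "$(find "$1/authorized_keys" -prune -perm 600 2>/dev/null)" ]
}
```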

Notes: KMA-4772
Legacy Article ID: a66048