

Appendix B Backing Up and Restoring Data

Each instance of Netscape Certificate Management System (CMS) uses an instance of Netscape Directory Server version 4.x for storing its persistent objects and an ASCII file named CMS.cfg for storing its configuration information. This appendix explains how to back up the CMS data and configuration information and how to use the backups to restore data if there is a need.

The appendix has the following sections:


Before Backing Up and Restoring Data
This section explains the importance of backing up and restoring data and provides guidelines for preparing to use these processes. Read this section only if you are unfamiliar with this means of protecting data.

What Is a Backup?

An archive or backup is a copy of all or some portion of the data that Certificate Management System manages; this data is vital to the functioning of the server. More specifically, a backup is a copy of one or more files used by Certificate Management System and any supporting data that you might need in order to restore those files.

Important: To minimize the chances of a backup being destroyed or getting into the hands of an unauthorized person, be sure to store CMS backups and other backup data in a safe and locked facility. If you need guidelines about securing your backups, see the security measures outlined in the Netscape Certificate Management System Installation and Deployment Guide.

Why You Should Back Up Data

All the information or data needed by Certificate Management System is stored in its internal database (explained in "Configuring the Internal Database"). If this data becomes corrupt or inaccessible--for example, as a result of program errors, a disk crash, a power outage, or a disaster that damages your entire facility--the server will not function properly. It is therefore strongly recommended that you back up the internal database periodically.

Periodically backing up data will enable you to use the backup for restoring data in the event of data loss.

Guidelines for Creating a Backup

Here are guidelines to follow in preparation for backing up CMS data:

What Is a Restore?

The process of restoring data from backups in the event of a data loss is called a restore. During a restore, you copy the data from the backup medium to the internal database of Certificate Management System.

When to Restore Data

If the data managed by Certificate Management System becomes corrupt or inaccessible (for example, as a result of program errors, a disk crash, or a disaster that damages your entire facility), the server will not function properly. To restore Certificate Management System to its original state, you need to use the data backups that you created.

Guidelines for Restoring Data

Here are some guidelines that will help you restore your Certificate Management System internal database:


Backing Up the CMS Configuration and Data
Backing up Certificate Management System involves the following steps:

Important: The procedure below explains in general how to back up the server. Be sure to check the following site for technical notes on backing up and restoring Certificate Management System:

http://home.netscape.com/eng/server/cms

Step 1. Back Up the Configuration Files

You can back up the configuration information pertaining to a CMS instance to any backup media, such as a tape or the file system of a computer designated for backing up important files. The following procedure explains how to back up the configuration information of a CMS instance to the file system of a machine used for backups. If your backup media is a tape or any other backup unit, follow the instructions that came with it.

To back up the configuration information of a CMS instance:

  1. Shut down the CMS instance whose configuration information you want to back up; see "Stopping Certificate Management System".
  2. In the file system of the machine used for backups, create a backup directory for storing the configuration information.
  3. Copy the complete config directory contents.

    You can find this directory at this location:

    <server_root>/cert-<instance_id>/...

    <server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

    <instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

Step 2. Back Up the Key Pairs

Because the destruction of a private key in a disk crash or similar event can be disastrous if you are depending upon that key for a hierarchy of certificate authorities, backing up your key data is commensurately important. If you do make copies of your keys, however, you must protect your backups with the same level of security that you use for protecting your original keys.

If you generated your server's key pairs using the internal token, the key pairs are stored in a file named key3.db; this is one of the files in the configuration directory. When you backed up the configuration directory in Step 1, this file was copied to the backup media. Make sure that only you or authorized administrators have access to the backup media--for example, if you copied the configuration directory to a backup machine, make sure that the machine is in a locked facility and that it has restricted access.

If the keys are in an external token, such as a smart card, keep it in a locked facility.
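
A scripted form of Steps 1 and 2 for a file-system backup, as an added example that is not part of the original guide: it copies the config directory of an already stopped instance into a timestamped, owner-only directory and writes a SHA-256 manifest so the copy (including key3.db) can be checked later. The function names, the MANIFEST.sha256 file and the reuse of the timestamp naming this guide describes for Directory Server backups are assumptions; the config directory path is passed in as an argument, and GNU sha256sum and find are assumed.

```sh
#!/bin/sh
# Added example: file-system backup of a stopped CMS instance's config directory.
# Function names, arguments and MANIFEST.sha256 are assumptions of this example.

# backup_cms_config <config_dir> <backup_root>
# Prints the path of the new backup directory on success.
backup_cms_config() {
    src=$1
    root=$2
    [ -d "$src" ] || { echo "no such config directory: $src" >&2; return 1; }
    # key3.db holds the key pairs when the internal token is used.
    [ -f "$src/key3.db" ] || echo "warning: no key3.db in $src" >&2

    # Same YYYY_MM_DD_HH_mm_SS naming the guide describes for database backups.
    stamp=$(date +%Y_%m_%d_%H_%M_%S)
    dest="$root/$stamp"
    (
        umask 077                      # anything created here is owner-only
        mkdir -p "$root" && mkdir "$dest" || exit 1
        cp -Rp "$src/." "$dest/" || exit 1
        chmod -R go-rwx "$dest"        # cp -p may have carried looser modes over
        cd "$dest" || exit 1
        find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
            > MANIFEST.sha256
    ) || return 1
    echo "$dest"
}

# verify_cms_backup <backup_dir>
# Returns 0 only if every file still matches the manifest and nothing in the
# backup is accessible to group or other.
verify_cms_backup() {
    (
        cd "$1" || exit 1
        sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1 || exit 1
        [ -z "$(find . ! -type l -perm /077 -print | head -n 1)" ]
    )
}

# Stand-alone use: sh backup_cms_config.sh <config_dir> <backup_root>
if [ "$#" -eq 2 ]; then
    backup_cms_config "$1" "$2"
fi
```

Run verify_cms_backup against the backup directory before relying on it for a restore; a non-zero status means a file changed after the copy or the permissions were loosened.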

Step 3. Back Up the Internal Database

You can back up the internal database in the following ways:

The following procedure explains how to back up the internal database using its administration interface, called the Directory Server window, in Netscape Console. When you back up your database from the Directory Server window, the server copies the entire database and associated index files to a backup location. For backing up the internal database by using other methods, see the Netscape Directory Server 4.x documentation.

You can back up the internal database online or offline--that is, while the server is running or shut down.

To back up the internal database of a CMS instance:

  1. In Netscape Console, locate the internal database instance you want to back up.
  2. Select the instance and click Open.

    The Directory Server window appears with the Tasks tab open.

  3. Click "Back Up the Directory Server."

    The Backup Directory dialog box appears.

  4. Choose a directory name where you want the backup stored.

    You can either choose a new directory or use the default directory that the server provides.

    Directory. Type the full path to the directory in which you want the server to store the backup file, or click the Browse button to select an existing directory.

    Use default. Click this button if you want the server to suggest a path for you. If you choose this option, the server stores the backup file in this location:

    <server_root>/slapd-<cms_instance_id>/bak/<backup_name>

    <server_root> is the directory where the binaries for this instance of Certificate Management System are kept. You first specified this directory during installation.

    <cms_instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

    bak is the directory to which files are backed up.

    <backup_name> is a directory-specified name for the backup. By default, the backup name identifies the date and time when the backup was created, in the format YYYY_MM_DD_HH_mm_SS: the date (year, month, day) followed by the time (hour, minute, second). For example, a backup created on March 23, 1999 at 11:38:56 a.m. is named 1999_03_23_11_38_56.

  5. Click OK.

    The backup process begins.


Restoring the CMS Configuration and Data
If the CMS internal database is corrupted, you can restore it from a previously generated backup. The restore process consists of copying the configuration files and the Directory Server and its associated index files from the backup location to the internal database of Certificate Management System.

Note that restoring your CMS internal database overwrites any existing files.

Note: Be sure to check the following site for technical notes on backing up and restoring Certificate Management System:

http://home.netscape.com/eng/server/cms

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.