Symantec Access Management

  • 1.  Identity Suite vApp Backup Process for IME, IMCD, IMPD, & custom Files

    Posted Apr 01, 2017 12:36 PM

    Team,

    I have been using this process for my TDM (test data management) and usual backup.

    - Previously published under this location with a PDF example.

    Here is the script; update the variables for your own vApp.
    I created a home folder on the remote MS Windows Server (used for IAMCS/CCS/CX UI/Prov Mgr UI).

    #!/bin/bash
    ###########################################################
    # CA Identity Suite / Identity Manager Backup Script
    #  - Using r14.x backup tools
    #  - Example using vApp Appliance
    #  - Assumes MS Windows Server 2012/2016 with a local
    #    service id pre-created, and a shared folder with a
    #    common share name at root level (c: or e:) pre-created
    #  - Includes the TDM (Test Data Management) approach to
    #    export business logic as LDIF files from one
    #    environment to another (Prod to Dev) without
    #    passwords or policies unique to the prior environment
    #
    #  - AB 01/2017
    ###########################################################

    #### Set Variables for Server
    # NOTE: the SMB and IME credentials below sit in this file in clear text; keep the
    # script readable only by its owner (chmod 600) and change the values before sharing it.
    BACKUPDATE=$(date +%Y%m%d_%H%M%S_%N)
    WIN_SERVER_IP=192.168.242.136
    # IPv4 address of eth0 on this vApp, used to build the IME URL below
    IPADDR=$(ip addr | grep "inet " | grep -E "eth0$" | awk '{print $2}' | cut -d "/" -f1)
    SHARED_FOLDER=vApp_Share
    SHARED_PATH=/home/config/$SHARED_FOLDER/
    SHARED_BACKUP_PATH=$SHARED_PATH/vApp_$BACKUPDATE/
    SMB_USERID=config
    SMB_PASSWORD=Password01
    IME_USERID=admin
    IME_PASSWORD=CAIMAG1
    JAVA_EXE=/opt/CA/jdk1.8.0_71/bin/java
    IME_PASSWORD_TOOL=/opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/PasswordTool
    EXPORT_UTIL=/opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/ImportExportUtility
    IME_URL=http://$IPADDR:8080
    IME_DIRECTORIES=UserStore,ProvStore
    IME_NAME=identityEnv


    echo "#############################################"
    echo "### 01. Remove prior share ###"
    echo "#############################################"
    # Unmount any share left behind by a previous run ("not mounted" errors are ignored)
    echo "sudo /bin/umount //$WIN_SERVER_IP/$SHARED_FOLDER/"
    sudo /bin/umount //$WIN_SERVER_IP/$SHARED_FOLDER/ > /dev/null 2>&1
    echo ''


    echo "#############################################"
    echo "### 02. Create mount point & mount share ###"
    echo "#############################################"
    echo "mkdir -p $SHARED_PATH"
    mkdir -p $SHARED_PATH > /dev/null 2>&1
    # Passing the password on the mount command line shows it in the process list and in
    # shell history; mount.cifs also accepts -o credentials=<file>, a root-only file holding
    # username= and password= lines, which avoids that. The echo below masks the password.
    echo "sudo /bin/mount -t cifs -o username=$SMB_USERID,password=****,uid=500 //$WIN_SERVER_IP/$SHARED_FOLDER $SHARED_PATH/"
    sudo /bin/mount -t cifs -o username=$SMB_USERID,password=$SMB_PASSWORD,uid=500 //$WIN_SERVER_IP/$SHARED_FOLDER $SHARED_PATH/
    echo ''

    echo "#############################################"
    echo "### 03. View Prior Files ####"
    echo "#############################################"
    cd $SHARED_PATH
    ls -al
    pwd
    echo ''


    echo "#############################################"
    echo "### 04. Create a PBES Encryption Hash ###"
    echo "#############################################"
    echo "# Update Password hash for IME Management User"
    cd $IME_PASSWORD_TOOL
    # On vApp 14.1 with the latest patches, ../lib/bc_001-fips-1.0.0.jar has to be added in
    # front of this classpath (see the follow-up reply below)
    PASSWORD_HASH_OUTPUT="$($JAVA_EXE -classpath ../lib/idmutils.jar:../lib/log4j.jar:../lib/cryptojFIPS.jar com.netegrity.rtl.jce.JSafeTools -JSAFE -p $IME_PASSWORD)"
    # The tool's output is echoed unquoted so it collapses to one line; the {PBES} value
    # is then the sixth whitespace-separated field
    PASSWORD_HASH=$(echo $PASSWORD_HASH_OUTPUT | grep '{PBES}' | awk '{print $6}')
    echo ""
    echo "# The password hash is: $PASSWORD_HASH "
    echo "# for user $IME_USERID"
    echo ""


    echo "########################################################"
    echo "### 05. Update IM Import/Export Tool Properties File ###"
    echo "########################################################"
    cd $EXPORT_UTIL
    # Keep a pristine copy of config.properties: restore it from .org when one exists
    # (a prior run may have left edits behind), then refresh the .org copy
    cp -r -p config.properties.org config.properties > /dev/null 2>&1
    cp -r -p config.properties config.properties.org > /dev/null 2>&1
    # Change config file tokens to correct values for IM Export with sed command
    # use single quote for exact match, use double quote to allow string replacements
    sed -i "s|baseUrl=http://hostname.mydomain.com:8080|baseUrl=$IME_URL|g" config.properties
    sed -i "s|userName=imuser|userName=$IME_USERID|g" config.properties
    sed -i "s|password={PBES}:HUkQTOZbkIs=|password=$PASSWORD_HASH|g" config.properties
    sed -i 's|mode=import|mode=export|g' config.properties
    # sed -i 's|resourceType=ALL|resourceType=ALL|g' config.properties
    sed -i "s|directories=cadir,prov_dir|directories=$IME_DIRECTORIES|g" config.properties
    sed -i "s|environment=env|environment=$IME_NAME|g" config.properties
    sed -i "s|roleDefFileName=env-RoleDefinitions|roleDefFileName=$IME_NAME-RoleDefinitions|g" config.properties
    # Address double backslash with single quote in sed; then replace with correct token value
    sed -i 's|localPath=C:\\\\IME\\\\Temp|localPath=|g' config.properties
    sed -i "s|localPath=|localPath=$SHARED_PATH|g" config.properties
    #sed -i 's|timeout=10|timeout=10|g' config.properties
    #sed -i 's|restartEnv=yes|restartEnv=yes|g' config.properties
    # Keep a time-stamped copy of the properties actually used for this export
    cp -r -p config.properties config.properties.$BACKUPDATE
    echo ""
    echo "### View the updates to config.properties ###"
    echo ""
    grep -v "#" config.properties
    echo ""
    echo "### End of config.properties ###"
    echo ""
    #exit

    echo "####################################################"
    echo "### 06. Export the IME via IM Import/Export Tool ###"
    echo "####################################################"
    # Call the IM Export Tool. It is sourced into this shell (so it sees the variables
    # above); note that an "exit" inside the sourced script would end this backup script too.
    . ImportExportUtil.sh
    echo ''
    # Put the config.properties file back to its original state
    cp -r -p config.properties.org config.properties > /dev/null 2>&1


    echo "######################################################"
    echo "### 07. Rename Exported Files with time-date stamp ###"
    echo "######################################################"
    echo ''
    echo "Rename the output files with date time-stamp"
    mkdir -p $SHARED_BACKUP_PATH > /dev/null 2>&1
    cd $SHARED_PATH
    pwd
    #cp -r -p UserStore.xml "$SHARED_BACKUP_PATH/UserStore_$BACKUPDATE.xml"
    mv -f UserStore.xml "$SHARED_BACKUP_PATH/UserStore_$BACKUPDATE.xml"
    #cp -r -p ProvStore.xml "$SHARED_BACKUP_PATH/ProvStore_$BACKUPDATE.xml"
    mv -f ProvStore.xml "$SHARED_BACKUP_PATH/ProvStore_$BACKUPDATE.xml"
    #cp -r -p identityEnv.zip "$SHARED_BACKUP_PATH/identityEnv_$BACKUPDATE.zip"
    mv -f identityEnv.zip "$SHARED_BACKUP_PATH/identityEnv_$BACKUPDATE.zip"
    ls -al $SHARED_BACKUP_PATH
    echo ''

     

    echo "###########################################################"
    echo "### 08. Update CA Directory DSA to allow online backup ###"
    echo "###########################################################"
    echo " - Configure CA Directory to provide a data dump (zdb file) while the DSAs are online"
    # Same restore-then-refresh pattern as config.properties: put back the pristine .org copies
    # (when present) so the "dump dxgrid-db;" line is not appended twice, then refresh the .org copies.
    # $DXHOME is expanded by the dsa user's login shell, hence the single quotes.
    su - dsa -c 'cp -r -p $DXHOME/config/settings/impd.dxc.org $DXHOME/config/settings/impd.dxc' > /dev/null 2>&1
    su - dsa -c 'cp -r -p $DXHOME/config/settings/default.dxc.org $DXHOME/config/settings/default.dxc' > /dev/null 2>&1
    su - dsa -c 'cp -r -p $DXHOME/config/settings/impd.dxc $DXHOME/config/settings/impd.dxc.org'
    su - dsa -c 'cp -r -p $DXHOME/config/settings/default.dxc $DXHOME/config/settings/default.dxc.org' > /dev/null 2>&1
    # Edit the DSA settings files to add one line: dump dxgrid-db;
    su - dsa -c 'echo "dump dxgrid-db;" >> $DXHOME/config/settings/impd.dxc'
    su - dsa -c 'chmod 744 $DXHOME/config/settings/default.dxc'
    su - dsa -c 'echo "dump dxgrid-db;" >> $DXHOME/config/settings/default.dxc'
    echo ""


    echo "######################################################################################"
    echo "### 09. Re-init all DSA to data dump the CA DSAs for IMCD/Userstore (1) & IMPD (4) ###"
    echo "######################################################################################"
    echo " - This may take 5-30 seconds to complete "
    su - dsa -c 'dxserver init all' > /dev/null 2>&1
    # To watch for zdb or zd? (in-progress) files:
    #su - dsa -c 'find $DXHOME/data/ -name "*.zd*" '
    #su - dsa -c 'find $DXHOME/backup/ -name "*.zd*" '
    echo ""
    sleep 10


    echo "#################################################################"
    echo "### 10. Export DSA backup/offline zdb data files to LDIF file ###"
    echo "#################################################################"
    echo "10a. Set DSA profile for CONFIG user to ensure DXHOME variable is used"
    echo " - Export will happen after the backup/offline zdb files are fully created"
    echo " - This may take 5-60 seconds to complete "
    . /opt/CA/Directory/dxserver/install/.dxprofile
    echo ""
    ###
    # Upper bound (seconds) on how long to wait for one DSA's online dump; without it a DSA
    # that never writes its zdb file would hang the whole backup
    ZDB_WAIT_MAX=600
    # wait_for_zdb <zdb file>: poll until the file exists, or give up after ZDB_WAIT_MAX seconds
    wait_for_zdb() {
        zdb_file=$1
        waited=0
        until [ -f "$zdb_file" ]
        do
            echo " - Waiting till CA Directory has completed online data dump: $zdb_file"
            sleep 5
            waited=$((waited + 5))
            if [ "$waited" -ge "$ZDB_WAIT_MAX" ]; then
                echo " - Timed out after ${ZDB_WAIT_MAX}s waiting for $zdb_file"
                return 1
            fi
        done
        sleep 5
        return 0
    }
    # Password-bearing attributes stripped (-x) from the IMPD TDM exports
    IMPD_PASSWORD_ATTRS=eTPassword,eTEncryptedPassword,eTExitAuthPassword,eTSelfAdminPassword,eTPreviousPassword,eTPropagatePassword,eTIMPasswordData,eTSyncPassword,eTPSAgentChangePassword,eTTestPassword
    ###
    # The four IMPD DSAs (main, common objects, inclusions, notify) go through the same steps
    for IMPD_DSA in ca-prov-srv-01-impd-main ca-prov-srv-01-impd-co ca-prov-srv-01-impd-inc ca-prov-srv-01-impd-notify
    do
        echo "10b. Wait for online data dump of IMPD DSA $IMPD_DSA"
        wait_for_zdb "$DXHOME/data/$IMPD_DSA/$IMPD_DSA.zdb" || continue
        echo "10c. Execute dxdumpdb for $IMPD_DSA - FULL, TDM-NoPassword"
        # Use $DXHOME/backup as intermediate location due to folder permission on vApp Server
        su - dsa -c "dxdumpdb -z -f $DXHOME/backup/${IMPD_DSA}_FULL_$BACKUPDATE.ldif $IMPD_DSA" > /dev/null 2>&1
        su - dsa -c "dxdumpdb -z -f $DXHOME/backup/${IMPD_DSA}_TDM_No_Passwords_$BACKUPDATE.ldif -x $IMPD_PASSWORD_ATTRS $IMPD_DSA" > /dev/null 2>&1
        sleep 5
        echo "10d. Copy LDIF to MS Windows Samba share for $IMPD_DSA - FULL, TDM-NoPassword"
        cp -r -p $DXHOME/backup/${IMPD_DSA}_FULL_$BACKUPDATE.ldif $SHARED_BACKUP_PATH/
        cp -r -p $DXHOME/backup/${IMPD_DSA}_TDM_No_Passwords_$BACKUPDATE.ldif $SHARED_BACKUP_PATH/
        echo ""
    done
    ###
    echo "10e. Wait for online data dump of IMCD UserStore DSA"
    # On this vApp the UserStore DSA writes its zdb under $DXHOME/backup, unlike the IMPD DSAs
    if wait_for_zdb "$DXHOME/backup/UserStore_userstore-01.zdb"
    then
        echo "10f. Execute dxdumpdb for Userstore DSA - FULL, TDM-NoPassword, TDM-NoPassword_nor_Policies"
        su - dsa -c "dxdumpdb -z -f $DXHOME/backup/UserStore_userstore-01_FULL_$BACKUPDATE.ldif UserStore_userstore-01" > /dev/null 2>&1
        su - dsa -c "dxdumpdb -z -f $DXHOME/backup/UserStore_userstore-01_TDM_No_Passwords_$BACKUPDATE.ldif -x userPassword UserStore_userstore-01" > /dev/null 2>&1
        su - dsa -c "dxdumpdb -z -f $DXHOME/backup/UserStore_userstore-01_TDM_No_Pwd_or_Policies_$BACKUPDATE.ldif -x userPassword,IdentityPolicy,createTimestamp,modifiersName,modifyTimestamp UserStore_userstore-01" > /dev/null 2>&1
        sleep 5
        echo "10g. Copy LDIF to MS Windows Samba share for Userstore DSA - FULL, TDM-NoPassword, TDM-NoPassword_nor_Policies"
        cp -r -p $DXHOME/backup/UserStore_userstore-01_FULL_$BACKUPDATE.ldif $SHARED_BACKUP_PATH/
        cp -r -p $DXHOME/backup/UserStore_userstore-01_TDM_No_Passwords_$BACKUPDATE.ldif $SHARED_BACKUP_PATH/
        cp -r -p $DXHOME/backup/UserStore_userstore-01_TDM_No_Pwd_or_Policies_$BACKUPDATE.ldif $SHARED_BACKUP_PATH/
    fi
    echo ""
    ###

    echo "##########################################################"
    echo "### 11. Backup Custom Folders for vApp ###"
    echo "##########################################################"
    echo " - Copy process will follow soft links and return full files"
    mkdir -p $SHARED_BACKUP_PATH > /dev/null 2>&1
    cp -r -p -L /opt/CA/VirtualAppliance $SHARED_BACKUP_PATH > /dev/null 2>&1

    echo ""
    echo "Size of backup folder: $(du -hs $SHARED_BACKUP_PATH)"
    echo ""
    echo "Done for now"
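
    One check worth running before a "TDM_No_Passwords" LDIF leaves the vApp is to confirm that the dxdumpdb -x exclusion actually took effect, since the file is about to be copied to a share and loaded into a lower environment. The shell helper below is an added example, not part of the script above or of any CA tool; the function names are mine, the attribute list mirrors the -x lists used in step 10, and the sample LDIF it builds in a temp directory is constructed for the demo rather than taken from a real export.

```shell
#!/bin/sh
# Added verification helper (example code, not part of the original post's script).
# The dxdumpdb -x steps in the backup script produce "TDM_No_Passwords" LDIF files meant
# to travel from Prod to Dev; this checks such a file before it is copied to the share.
# Attribute names mirror the -x lists in step 10; the sample LDIF below is constructed.

# Attributes that must not appear in a TDM export (IMPD list from step 10 plus userPassword)
TDM_EXCLUDED_ATTRS="eTPassword,eTEncryptedPassword,eTExitAuthPassword,eTSelfAdminPassword,eTPreviousPassword,eTPropagatePassword,eTIMPasswordData,eTSyncPassword,eTPSAgentChangePassword,eTTestPassword,userPassword"

# ldif_entry_count FILE: number of "dn:" lines, i.e. entries in the export
ldif_entry_count() {
    grep -ci '^dn:' "$1"
}

# ldif_is_clean FILE [ATTRLIST]: succeed when none of the comma-separated attributes
# appears as an LDIF attribute line ("attr: value" or base64 "attr:: value"; attribute
# names are case-insensitive in LDIF), otherwise report each one found and fail
ldif_is_clean() {
    file=$1
    attrs=${2:-$TDM_EXCLUDED_ATTRS}
    rc=0
    for attr in $(printf '%s' "$attrs" | tr ',' ' ')
    do
        if grep -qiE "^${attr}::? " "$file"; then
            echo "REJECT: $file still carries attribute $attr"
            rc=1
        fi
    done
    return $rc
}

# verify_tdm_export FILE: a usable TDM export exists, has at least one entry and is clean
verify_tdm_export() {
    [ -s "$1" ] || { echo "REJECT: $1 is missing or empty"; return 1; }
    [ "$(ldif_entry_count "$1")" -gt 0 ] || { echo "REJECT: $1 has no entries"; return 1; }
    ldif_is_clean "$1"
}

# --- constructed sample data so this runs stand-alone (not real vApp exports) ---
DEMO_DIR=$(mktemp -d)
# A FULL-style dump: password attributes are still present
cat > "$DEMO_DIR/UserStore_FULL.ldif" <<'EOF'
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
userPassword:: e1NTSEF9c2FtcGxl
eTPassword: sample-only

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
EOF
# A TDM-style dump of the same entries with those two attributes dropped (dxdumpdb -x
# does this on the real system; plain grep is enough for single-line sample values)
grep -viE '^(userPassword|eTPassword)::? ' "$DEMO_DIR/UserStore_FULL.ldif" > "$DEMO_DIR/UserStore_TDM.ldif"

if verify_tdm_export "$DEMO_DIR/UserStore_TDM.ldif"; then
    echo "OK: $DEMO_DIR/UserStore_TDM.ldif is safe to copy to the share"
fi
verify_tdm_export "$DEMO_DIR/UserStore_FULL.ldif" || echo "As expected, the FULL dump is rejected"
```

    In the backup script this would sit in step 10 between the dxdumpdb and cp lines, so a TDM file that fails the check is never copied to the Windows share. The check only looks at attribute lines, which is what dxdumpdb -x removes; it does not tell you whether a value was wrapped onto continuation lines, so keep the FULL export separate and treat it with the same care as the live directory.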



  • 2.  Re: Identity Suite vApp Backup Process for IME, IMCD, IMPD, & custom Files

    Posted Apr 07, 2017 01:43 PM


  • 3.  Re: Identity Suite vApp Backup Process for IME, IMCD, IMPD, & custom Files

    Posted Apr 19, 2018 02:23 AM

    To get this script working in vApp v14.1 with the latest patches, you need to add an extra lib under step 4:

    PASSWORD_HASH_OUTPUT="$($JAVA_EXE -classpath ../lib/bc_001-fips-1.0.0.jar:../lib/idmutils.jar:../lib/log4j.jar:../lib/cryptojFIPS.jar com.netegrity.rtl.jce.JSafeTools -JSAFE -p $IME_PASSWORD)"



  • 4.  Re: Identity Suite vApp Backup Process for IME, IMCD, IMPD, & custom Files

    Posted Apr 19, 2018 11:15 AM

    Thanks for the follow-up and validation.

    Any other thoughts or changes you recommend?

    Cheers,

    Alan