Back up the Dogtag server files and database

After you complete the steps in Prepare for the Dogtag backup, you can perform the Dogtag backup.


The content of a Dogtag database is tightly connected with the content of a Barbican database running on the Galera cluster. Therefore, we recommend running backups of Dogtag and Barbican simultaneously.

To back up the Dogtag server files and database:

  1. Log in to the Salt Master node.

  2. Obtain the host name of the remote server node:

    salt -C 'I@backupninja:server' pillar.get "linux:network:fqdn"

  3. Create a backup directory:

    salt -C 'I@dogtag:server and *01*' cmd.run "mkdir -p /var/backups/dogtag"

  4. Export the signing certificate and key:

    1. Export the credentials. For example:

      salt -C 'I@dogtag:server and *01*' cmd.run "grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print \$2}' > /etc/dogtag/internal.txt"
      salt -C 'I@dogtag:server and *01*' cmd.run "grep internaldb= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print \$2}' > /etc/dogtag/pass.txt"

    2. Export the certificate. For example:

      salt -C 'I@dogtag:server and *01*' cmd.run "PKCS12Export -debug -d /var/lib/pki/$PKINAME/alias -p /etc/dogtag/internal.txt -o /etc/dogtag/ca-certs.p12 -w /etc/dogtag/pass.txt"

    3. Remove the internal password file:

      salt -C 'I@dogtag:server and *01*' cmd.run "rm -f /etc/dogtag/internal.txt"

  5. Export the CSR:

    salt -C 'I@dogtag:server and *01*' cmd.run "echo '-----BEGIN NEW CERTIFICATE REQUEST-----' > /etc/dogtag/ca_signing.csr"
    salt -C 'I@dogtag:server and *01*' cmd.run "sed -n '/^ca.signing.certreq=/ s/^[^=]*=// p' < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> /etc/dogtag/ca_signing.csr"
    salt -C 'I@dogtag:server and *01*' cmd.run "echo '-----END NEW CERTIFICATE REQUEST-----' >> /etc/dogtag/ca_signing.csr"

  6. Run the database backup:

    salt -C 'I@dogtag:server and *01*' cmd.run "/usr/sbin/db2bak-online -Z pki-tomcat -j /etc/dogtag/pass.txt -A /var/lib/dirsrv/slapd-pki-tomcat/bak"

    Note the backup directory from the system response. For example:

    Back up directory: /var/lib/dirsrv/slapd-pki-tomcat/bak/pki-tomcat-2019_8_14_11_28_25

  7. Remove the Dogtag password file:

    salt -C 'I@dogtag:server and *01*' cmd.run "rm -f /etc/dogtag/pass.txt"

  8. Create a .tar archive that contains the Dogtag server files. For example:

    salt -C 'I@dogtag:server and *01*' cmd.run "tar czvf /var/backups/dogtag/dogtag_backup-$(date +%F_%H-%M-%S).tar.gz --ignore-failed-read -C / \
    etc/pki/pki-tomcat \
    etc/dogtag/ca-certs.p12 \
    etc/dogtag/ca_signing.csr \
    etc/sysconfig/pki-tomcat \
    etc/sysconfig/pki/tomcat/pki-tomcat \
    etc/systemd/system/ \
    var/lib/pki/pki-tomcat \
    var/log/pki/pki-tomcat \
    usr/share/pki/server/conf/database.conf"

  9. Create the remote backup directory. For example:

    salt -C 'I@backupninja:server' cmd.run "mkdir -p /srv/volumes/backup/backupninja/dogtag"

  10. Transfer the data to the remote node. For example:

    salt -C 'I@dogtag:server and *01*' cmd.run "/usr/bin/rsync -rhtPpv --rsync-path=rsync --progress /var/backups/dogtag/* -e ssh backupninja@<remote_node>:/srv/volumes/backup/backupninja/dogtag"


    The command above transfers every backup in the backup directory that is not already present on the remote node, not just the most recent one.

  11. Verify that the file transfer has been completed:

    salt -C 'I@backupninja:server' cmd.run "ls -l /srv/volumes/backup/backupninja/dogtag"

    The backup directory should include the dogtag_backup-<some_timestamp>.tar.gz file.
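
The tar command in step 8 uses --ignore-failed-read, so an unreadable input does not make it fail. The script below is an added example, not part of the original procedure: it checks that an archive contains the exports from steps 4 and 5, that the temporary password files removed in steps 4.3 and 7 are gone, and that the CSR is not empty. The function name verify_dogtag_backup and its optional ROOT argument are assumptions introduced here.

```shell
# verify_dogtag_backup ARCHIVE [ROOT]: returns 0 when the archive looks restorable.
# ROOT defaults to / and exists only so the check can run against a test tree.
verify_dogtag_backup() {
    archive=$1
    root=${2:-/}
    rc=0

    # The archive must be a readable gzip-compressed tar.
    members=$(tar tzf "$archive" 2>/dev/null) || { echo "FAIL: $archive is not a readable tar.gz"; return 1; }

    # Exports from steps 4 and 5 that must be in the archive.
    for f in etc/dogtag/ca-certs.p12 etc/dogtag/ca_signing.csr; do
        if ! printf '%s\n' "$members" | grep -qxF "$f"; then
            echo "FAIL: $f is missing from the archive"
            rc=1
        fi
    done

    # Temporary password files (steps 4.3 and 7) must be gone from disk
    # and must not have been archived.
    for f in etc/dogtag/internal.txt etc/dogtag/pass.txt; do
        if printf '%s\n' "$members" | grep -qxF "$f"; then
            echo "FAIL: $f was archived"
            rc=1
        fi
        if [ -e "$root/$f" ]; then
            echo "FAIL: $root/$f still exists"
            rc=1
        fi
    done

    # Step 5 wraps the ca.signing.certreq value in PEM markers; an empty
    # body means sed found no such key in CS.cfg.
    csr=$(tar xzOf "$archive" etc/dogtag/ca_signing.csr 2>/dev/null) || csr=''
    body=$(printf '%s\n' "$csr" | grep -v '^-----' | tr -d '[:space:]')
    case $csr in
        '-----BEGIN NEW CERTIFICATE REQUEST-----'*'-----END NEW CERTIFICATE REQUEST-----') ;;
        *) echo "FAIL: CSR is not PEM-framed"; rc=1 ;;
    esac
    [ -n "$body" ] || { echo "FAIL: CSR body is empty"; rc=1; }

    if [ "$rc" -eq 0 ]; then echo "OK: $archive"; fi
    return "$rc"
}

# When the file is run with arguments, check that archive.
if [ "$#" -gt 0 ]; then verify_dogtag_backup "$@"; fi
```

Run it on the Dogtag node after step 8, passing the path of the archive under /var/backups/dogtag.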