After you complete Prepare for the Dogtag backup, you can perform the Dogtag backup.
Warning
The content of a Dogtag database is tightly connected with the content of a Barbican database running on the Galera cluster. Therefore, we recommend running backups of Dogtag and Barbican simultaneously.
To back up the Dogtag server files and database:
Log in to the Salt Master node.
Obtain the host name of the remote backup server node (you need it for the rsync step below):
salt -C 'I@backupninja:server' pillar.get "linux:network:fqdn"
Create a backup directory:
salt -C 'I@dogtag:server and *01*' cmd.run "mkdir -p /var/backups/dogtag"
Export the signing certificate and key:
Export the credentials (the internal token password and the internal database password from password.conf). The $2 is escaped so that awk on the Dogtag node, not the local shell on the Salt Master, expands it. For example:
salt -C 'I@dogtag:server and *01*' cmd.run "grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print \$2}' > /etc/dogtag/internal.txt"
salt -C 'I@dogtag:server and *01*' cmd.run "grep internaldb= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print \$2}' > /etc/dogtag/pass.txt"
Export the certificate and key to a PKCS#12 file, protected with the internal database password. The instance name is pki-tomcat, as in the other commands in this procedure. For example:
salt -C 'I@dogtag:server and *01*' cmd.run "PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p /etc/dogtag/internal.txt -o /etc/dogtag/ca-certs.p12 -w /etc/dogtag/pass.txt"
Remove the internal password file:
salt -C 'I@dogtag:server and *01*' cmd.run "rm -f /etc/dogtag/internal.txt"
Export the CA signing CSR from CS.cfg as a PEM file:
salt -C 'I@dogtag:server and *01*' cmd.run "echo '-----BEGIN NEW CERTIFICATE REQUEST-----' > /etc/dogtag/ca_signing.csr"
salt -C 'I@dogtag:server and *01*' cmd.run "sed -n '/^ca.signing.certreq=/ s/^[^=]*=// p' < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> /etc/dogtag/ca_signing.csr"
salt -C 'I@dogtag:server and *01*' cmd.run "echo '-----END NEW CERTIFICATE REQUEST-----' >> /etc/dogtag/ca_signing.csr"
Run the database backup:
salt -C 'I@dogtag:server and *01*' cmd.run "/usr/sbin/db2bak-online -Z pki-tomcat -j /etc/dogtag/pass.txt -A /var/lib/dirsrv/slapd-pki-tomcat/bak"
Note the backup directory from the system response. For example:
Back up directory: /var/lib/dirsrv/slapd-pki-tomcat/bak/pki-tomcat-2019_8_14_11_28_25
Remove the Dogtag password file:
salt -C 'I@dogtag:server and *01*' cmd.run "rm -f /etc/dogtag/pass.txt"
Create a .tar archive that contains the Dogtag server files. For example:
salt -C 'I@dogtag:server and *01*' cmd.run "tar czvf /var/backups/dogtag/dogtag_backup-$(date +%F_%H-%M-%S).tar.gz --ignore-failed-read -C / \
etc/pki/pki-tomcat \
etc/dogtag/ca-certs.p12 \
etc/dogtag/ca_signing.csr \
etc/sysconfig/pki-tomcat \
etc/sysconfig/pki/tomcat/pki-tomcat \
etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service \
var/lib/pki/pki-tomcat \
var/log/pki/pki-tomcat \
usr/share/pki/server/conf/database.conf \
usr/share/pki/server/conf/schema.conf
Create the remote backup directory. For example:
salt -C 'I@backupninja:server' cmd.run "mkdir -p /srv/volumes/backup/backupninja/dogtag"
Transfer the data to the remote node. For example:
salt -C 'I@dogtag:server and *01*' cmd.run "/usr/bin/rsync -rhtPpv --rsync-path=rsync --progress /var/backups/dogtag/* -e ssh backupninja@<remote_node>:/srv/volumes/backup/backupninja/dogtag"
Note
The command above transfers all backups in the backup directory, not just the latest one, except for those already present on the remote node.
Verify that the file transfer has been completed:
salt -C 'I@backupninja:server' cmd.run "ls -l /srv/volumes/backup/backupninja/dogtag"
The backup directory should include the dogtag_backup-<some_timestamp>.tar.gz file.
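The archive created above holds the CA signing key (ca-certs.p12), so it is worth checking, before the rsync step, that it contains everything a restore needs, none of the plaintext password files created during the procedure, and that only its owner can read it. The following check is an added example, not part of the original procedure; it assumes the member list from the tar command above, a Linux node, and is run on the Dogtag node against a file in /var/backups/dogtag.

```shell
#!/bin/sh
# Added example: sanity-check a Dogtag backup archive before it leaves the node.

# Members a restore cannot do without (subset of the tar command's member list).
REQUIRED_MEMBERS="etc/pki/pki-tomcat etc/dogtag/ca-certs.p12 etc/dogtag/ca_signing.csr var/lib/pki/pki-tomcat"

# Plaintext password files created during the procedure; they must never be archived.
FORBIDDEN_MEMBERS="etc/dogtag/internal.txt etc/dogtag/pass.txt"

# verify_dogtag_backup ARCHIVE
# Returns 0 when the archive is readable, contains every required member,
# contains no forbidden member, and is readable by its owner only.
verify_dogtag_backup() {
    archive="$1"
    listing=$(tar tzf "$archive" 2>/dev/null) || { echo "unreadable archive: $archive"; return 1; }
    rc=0
    for m in $REQUIRED_MEMBERS; do
        # a directory member is listed as "dir/", a file member as "path"
        printf '%s\n' "$listing" | grep -q "^$m/\{0,1\}$" || { echo "missing: $m"; rc=1; }
    done
    for m in $FORBIDDEN_MEMBERS; do
        printf '%s\n' "$listing" | grep -qx "$m" && { echo "password file inside archive: $m"; rc=1; }
    done
    # the archive carries the CA signing key: refuse anything group- or world-readable
    mode=$(ls -ld "$archive" | cut -c2-10)
    case "$mode" in
        rw-------|r--------) ;;
        *) echo "archive permissions '$mode' are too permissive (expected rw-------)"; rc=1 ;;
    esac
    return $rc
}
```

Run it as `verify_dogtag_backup /var/backups/dogtag/dogtag_backup-<timestamp>.tar.gz` and only proceed to the transfer step when it exits 0.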