ForgeRock Identity Platform
Does not apply to Identity Cloud

FAQ: Backing up AM

Last updated Apr 13, 2021

The purpose of this FAQ is to provide answers to commonly asked questions regarding backing up AM.



Frequently asked questions

Q. How often should I perform a backup?

A. The frequency of backups depends on your business needs. You should consider things like how often you make customization and configuration changes, and how important it is for you to keep the audit data in your logs.

Q. Do I have to shut down the AM server before I take a backup?

A. You must shut down the AM server before backing up the Configuration directory. Backing up the Configuration directory while AM is running can introduce problems with the embedded DS data store.

However, you can back up the Service configuration while AM is running.

Q. What is the difference between the Service configuration backup and the Configuration directory backup?

A. The Configuration directory backup is the most comprehensive and also includes your Service configuration. You must take a backup of the Configuration directory after you have configured AM, but further backups are only needed if you make changes that affect the files in this directory, such as changing the embedded configuration store's connection parameters. However, it is still recommended that you take periodic backups of the Configuration directory to be certain that your backup is current, while exporting the Service configuration more regularly, as described in "How do I export and import Service configurations for AM (All versions)?".

If you have an external configuration store, you must make separate backups to ensure that data is recoverable.

In summary:

  • Backing up the Configuration directory backs up the full configuration.
  • Backing up the Service configuration backs up only a subset of the data.
  • If you have a known good Configuration directory backup, you usually only need to back up the Service configuration regularly, as this is the data most likely to change.
  • If you are already doing full Configuration directory backups regularly, a separate Service configuration backup is redundant.

As a best practice, you should only import configuration data if it is known to be more up-to-date than the configuration it is overwriting.

Note

It is always good practice to export a configuration before importing a new one.

Refer to the following links for further information:

Q. What types of information are contained in the Configuration directory?

A. The Configuration directory (/path/to/openam) contains files created during the install process. Some of these files contain critical information that is required when AM initializes; AM cannot start if these files become corrupt or are missing. For this reason, it is essential to back up the Configuration directory to enable you to recover AM to its original state if needed. The files used when AM initializes include all the files in the /opends directory and the following files:

  • boot.json (located in the /config sub-directory in AM 7 and later).
  • keystore.jceks or keystore.jks depending on which keystore you are using.
  • certificate stores
  • .version
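The start-up files listed above can be checked for in a finished backup before you rely on it. The following shell functions are an added example, not ForgeRock code: the function names and the tar.gz archive format are assumptions, files are matched by name anywhere in the archive, and AM must already be shut down before `backup_am_config` is called.

```shell
#!/bin/sh
# Added example (not ForgeRock code). Stop AM before calling backup_am_config;
# the FAQ requires this for Configuration directory backups.

# Archive a Configuration directory. The archive is created owner-only (0600)
# because it contains the keystore.
backup_am_config() {
    cfg_dir=$1; archive=$2
    [ -d "$cfg_dir" ] || { echo "no such directory: $cfg_dir" >&2; return 2; }
    ( umask 077 && tar -czf "$archive" -C "$cfg_dir" . ) || return 2
}

# Check that an archive holds the files the FAQ lists as needed when AM
# initializes. Prints each missing item; returns 0 if complete, 1 otherwise.
# Certificate stores are not checked because their file names vary.
verify_am_backup() {
    archive=$1
    listing=$(tar -tzf "$archive") || return 2
    missing=0
    # has REGEX: true if any archive member matches the extended regex
    has() { printf '%s\n' "$listing" | grep -Eq "$1"; }
    has '(^|/)opends/.' \
        || { echo "missing: opends/ contents"; missing=1; }
    has '(^|/)boot\.json$' \
        || { echo "missing: boot.json"; missing=1; }
    has '(^|/)keystore\.(jceks|jks)$' \
        || { echo "missing: keystore.jceks or keystore.jks"; missing=1; }
    has '(^|/)\.version$' \
        || { echo "missing: .version"; missing=1; }
    return $missing
}
```

Call `backup_am_config /path/to/openam /secure/location/am-config.tar.gz` followed by `verify_am_backup` on the same archive; the destination path is a placeholder and should be outside the Configuration directory.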

Q. What types of information are contained in the XML file generated by ssoadm export-svc-cfg?

A. The ssoadm export-svc-cfg command exports the content of the configuration store into XML format.

It exports all the nodes under ou=services,ROOT_SUFFIX. This includes configuration data for realms, policies, identity store URIs and hostnames.

Q. Do I have to include the AM logs and archived-config directories in my backup as they are quite large?

A. Although these directories can be quite large and are not critical when restoring, it is recommended that they are included in your backups. The log data from your last good backup can be very useful if you experience an outage and need to restore from backup, as it may contain errors that help you to identify the reason for the outage. Similarly, the archived configs can be useful for reference.

To reduce the size of these directories, you could consider only keeping these files for a selected period of time and then clearing the old files off the server once this period of time has elapsed.

Q. Is there anything else I should back up?

A. You should take a backup of the openam.war file if you have made any changes; this file does not change by itself. You should also back up any service XML schema files that you have customized; these files are located in the /path/to/openam/config/xml directory.

Finally, it is a good idea to back up any external resources such as user data stores, agents, etc.

See Maintenance Guide › Backing Up Configurations for further information.

Note

It is also recommended that you take a file system backup of the directories for each AM server in your deployment as described in Upgrade Guide › Backing Up the Deployment. If you ever need to restore a corrupted AM server, it is essential to have a backup of your configuration store and the file system backup. Additionally, you should back up the $HOME/.openamcfg/ directory; the file used to bootstrap (the bootstrap locator file) is located in this directory.

See Also

Maintenance Guide › Backing Up Configurations

Upgrading AM

Related Training

ForgeRock Access Management Core Concepts (AM-400)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.