- Q. How often should I perform a backup?
- Q. Do I have to shut down the AM server before I take a backup?
- Q. What is the difference between the Service configuration backup and the Configuration directory backup?
- Q. What types of information are contained in the Configuration directory?
- Q. What types of information are contained in the xml file generated by ssoadm export-svc-cfg?
- Q. Do I have to include the AM logs and archived-config directories in my backup as they are quite large?
- Q. Is there anything else I should back up?
Q. How often should I perform a backup?
A. The frequency of backups depends on your business needs. You should consider things like how often you make customization and configuration changes, and how important it is for you to keep the audit data in your logs.
Q. Do I have to shut down the AM server before I take a backup?
However, you can back up the Service configuration while AM is running.
Q. What is the difference between the Service configuration backup and the Configuration directory backup?
A. The Configuration directory backup is the most comprehensive and also includes your Service configuration. You must take a backup of the Configuration directory after you have configured AM, but further backups are only needed if you make changes that affect the files in this directory, such as changing the embedded configuration store’s connection parameters. However, it is still recommended that you take periodic backups of the Configuration directory to be certain that your backup is current, and export the Service configuration more regularly as described in How do I export and import Service configurations for AM (All versions)?
If you have an external configuration store, you must make separate backups to ensure that data is recoverable.
- Backing up the Configuration directory backs up the full configuration.
- Backing up the Service configuration backs up only a subset of the data.
- If you have a known good Configuration directory backup, you usually only need to back up the Service configuration regularly, as this is the data most likely to change.
- If you are already doing full Configuration directory backups regularly, a separate Service configuration backup is redundant.
For best practices, you should only import the configuration data if it is known to be more up-to-date than the configuration it is overwriting,
It is always good practice to export a configuration before importing a new one.
Refer to the following links for further information:
- AM 7 and later: AM Maintenance Guide › Backing Up Configurations and DS Maintenance Guide › Backup and Restore.
- If you use an external DS for your configuration store: How do I design and implement my backup and restore strategies for DS 5.x and 6.x? and FAQ: Backup and restore in DS 5.x and 6.x
- If you use an embedded DS for your configuration store: To Back Up All Server Configuration Data. This backs up all the LDAP data (which contains the Service configuration data in XML), in addition to the bootstrap and configuration files detailed in Q. What types of information are contained in the Configuration directory? The Service configuration is the XML blob contained in LDAP that describes the services, policies, etc.
Q. What types of information are contained in the Configuration directory?
A. The Configuration directory (/path/to/openam) contains files created during the install process. Some of these files contain critical information that is required when AM initializes; AM cannot start if these files become corrupt or are missing. For this reason, it is essential to back up the Configuration directory to enable you to recover AM to its original state if needed. The files used when AM initializes include all the files in the /opends directory and the following files:
- boot.json (located in the /config sub-directory in AM 7 and later).
- keystore.jceks or keystore.jks depending on which keystore you are using.
- certificate stores
Q. What types of information are contained in the xml file generated by ssoadm export-svc-cfg?
A. It basically exports all the nodes under ou=services,ROOT_SUFFIX. This will contain information including configuration data for realms, policies, identity stores URIs and hostnames.
Q. Do I have to include the AM logs and archived-config directories in my backup as they are quite large?
A. Although these directories can be quite large and are not critical when restoring, it is recommended that they are included in your backups. The log data from your last good backup can be very useful if you experience an outage and need to restore from backup as they may contain errors that help you to identify the reason for the outage. Similarly, the archived configs can be useful for reference.
To reduce the size of these directories, you could consider only keeping these files for a selected period of time and then clearing the old files off the server once this period of time has elapsed.
Q. Is there anything else I should back up?
A. You should take a backup of the openam.war file if you have made any changes; this file does not change by itself. You should also back up any service XML schema files that you have customized; these files are located in the /path/to/openam/config/xml directory.
Finally, it is a good idea to back up any external resources such as user data stores, agents, etc.
See Maintenance Guide › Backing Up Configurations for further information.
It is also recommended that you take a file system backup of the directories for each AM server in your deployment as described in Upgrade Guide › Backing Up the Deployment. If you ever need to restore a corrupted AM server, it is essential to have a backup of your configuration store and the file system backup. Additionally, you should back up the $HOME/.openamcfg/ directory; the file used to bootstrap (the bootstrap locator file) is located in this directory.
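The file system backup described above can be scripted so that it refuses to run when a start-up-critical file is already missing and keeps the archive readable by its owner only, since it contains keystores. This is an added example, not ForgeRock's code; the function names, archive naming and checksum step are assumptions, and it assumes an embedded configuration store and absolute paths.

```shell
#!/usr/bin/env bash
# Added example, not ForgeRock code. Function names and the archive naming are
# assumptions; pass absolute paths. Assumes an embedded configuration store
# (opends/ present). The ssoadm export-svc-cfg export is a separate step.

# Fail if any file the page lists as required at AM start-up is absent.
# boot.json and the keystore are found by name because their sub-directory
# differs between AM versions.
check_critical_files() {
    cfg="$1"
    missing=0
    [ -d "$cfg/opends" ] || { echo "missing: opends/" >&2; missing=1; }
    [ -n "$(find "$cfg" -type f -name boot.json)" ] ||
        { echo "missing: boot.json" >&2; missing=1; }
    [ -n "$(find "$cfg" -type f \( -name keystore.jceks -o -name keystore.jks \))" ] ||
        { echo "missing: keystore.jceks or keystore.jks" >&2; missing=1; }
    return "$missing"
}

# Archive the Configuration directory plus the bootstrap locator directory
# (default $HOME/.openamcfg) and print the archive path.
backup_am_config() {
    cfg="$1"; dest="$2"; locator="${3:-$HOME/.openamcfg}"
    check_critical_files "$cfg" || return 1
    old_umask=$(umask)
    umask 077   # archive contains keystores and boot.json: owner-only access
    mkdir -p "$dest"
    out="$dest/am-config-$(date +%Y%m%dT%H%M%S).tar.gz"
    set -- -C "$(dirname "$cfg")" "$(basename "$cfg")"
    [ -d "$locator" ] &&
        set -- "$@" -C "$(dirname "$locator")" "$(basename "$locator")"
    rc=0
    tar -czf "$out" "$@" || rc=1
    # Read the archive back and confirm it contains boot.json.
    tar -tzf "$out" 2>/dev/null | grep -c '/boot\.json$' >/dev/null || rc=1
    # Record a checksum so later corruption of the backup is detectable.
    (cd "$dest" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256") || rc=1
    umask "$old_umask"
    [ "$rc" -eq 0 ] && echo "$out"
    return "$rc"
}

# Usage: am-backup.sh /path/to/openam /path/to/backups
if [ "$#" -ge 2 ]; then backup_am_config "$@"; fi
```

Before relying on an archive for a restore, run `sha256sum -c` against the recorded checksum file.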