Scheduling Backups
Note
This feature is not included in Community Edition and requires a valid Virtual CipherTrust Manager license. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.
The CipherTrust Manager can periodically run database backup jobs in the background. This can be achieved by creating scheduler job configurations for database backups. Scheduler configurations are supported for both system and domain scoped backups. Refer to Backups for details on backups and their types.
You must be in the Backup Admins or Domain Backup Admins group, and logged in to the root domain, to manage backup job configurations.
In a clustered environment, by default the scheduled backup can run on any cluster node. There is an option in the API and CLI to restrict which nodes can run the scheduled backup.
Caution
By default, no limit is set on the number of backup files retained on CipherTrust Manager. To avoid disk space issues, we strongly recommend using the --retention-count flag to set a limit on the number of backup files to retain.
Disk space issues can also occur if you do not periodically transfer or manually delete backup files. We recommend using the --do-scp true and --conn "<scp_connection_name>" flags to send backup files to an external server registered as an external connection.
This section provides examples of backup scheduler configurations using the ksctl utility. Refer to the ksctl or API documentation for details.
Note
The scheduler is a generic service, so it provides a granularity of one minute. When configuring a job, take the nature of the operation into consideration. For example, backing up a database every minute is a highly unlikely use case.
Scheduling system scoped backup jobs
To schedule a system scoped backup job, run the command:
ksctl scheduler configs create backup --name <config_name> --run-at "<cron_expression_format>" --description "<config_description>" --backup-key-id "<backup_key_ID>" --retention-count <number_of_backups_to_retain> --do-scp --conn <scp-connection>
Here,
<config_name>: Name for the job configuration.
<cron_expression_format>: Time when the job runs. The format must have five fields. If the number of fields is not equal to five, the format becomes invalid. Refer to Time Specification for details.
<config_description>: Description of the job configuration.
<backup_key_ID>: ID of the backup key. If a key ID is not specified, the default backup key will be used.
Note
If you are operating a cluster and specify a backup key, be sure to upload that backup key to every node. Otherwise, the scheduled backup will fail on nodes that do not have the backup key.
<number_of_backups_to_retain>: An integer value indicating how many backup files to store on the CipherTrust Manager.
<scp-connection>: Name or ID of the SCP connection to external SCP server.
Example
The following command schedules a system scoped database backup job using the specified backup key every day at 9 AM.
ksctl scheduler configs create backup --name daily_backup --run-at "0 9 * * *" --description "Daily system backup" --backup-key-id "e817b3ba-1787-496a-b5ac-27756e9efb1b" --retention-count 5
Scheduling domain scoped backup jobs
To schedule a domain scoped backup job, run the command:
ksctl scheduler configs create backup --scope "domain" --name <config_name> --run-at "<cron_expression_format>" --description "<config_description>" --retention-count <number_of_backups_to_retain>
Here,
scope: Scope of the backup is domain. The scope flag must be used for scheduling domain scoped backup jobs.
<config_name>: Name for the job configuration.
<cron_expression_format>: Time when the job runs. The format must have five fields. If the number of fields is not equal to five, the format becomes invalid. Refer to Time Specification for details.
<config_description>: Description of the job configuration.
<number_of_backups_to_retain>: An integer value indicating how many backup files to store on the CipherTrust Manager.
Example:
The following command schedules a domain scoped database backup job every Monday at 9 AM.
ksctl scheduler configs create backup --scope "domain" --name daily_backup --run-at "0 9 * * 1" --description "Weekly domain backup" --retention-count 5
Scheduling backup for customer fragments
This section describes how to schedule backup for customer fragments.
Prerequisites
CipherTrust Manager is up and running. Refer to CipherTrust Manager Deployment for details.
Make sure that the secrets-manager service (Admin Settings > Services) is enabled:
Before creating a scheduler for backup.
While running the scheduler to create backup.
Otherwise, domain backup/partial domain backup will not include customer fragments.
Important notes
You can schedule backup of customer fragments in the root domain only.
For the non-root domain users, backup will include all other resource types excluding customer fragments.
If users of the CSM Admins group want to schedule backup for customer fragments, they must also be part of the Domain Backup Admins and Domain Restore Admins groups.
This section describes the GUI steps for scheduling a domain backup.
Log on to the CipherTrust Manager GUI as administrator.
Navigate to Admin Settings > Schedules.
Click Add Schedule. The Add New Schedule wizard is displayed.
Select Domain Backup radio button. Click Next.
Provide Schedule Name and Description.
Select Enable Schedule check box so that backup can be scheduled. Click Next.
Add Schedule Config. Refer to Time Specification for details.
Select Number of backups to retain (leave blank for unlimited) from spinbox. This value indicates how many backup files to store on the CipherTrust Manager. Provide description and select domain backup key from the list.
Click Add Schedule. The backup will include all resources types including customer fragments.
You can see the list of created backup schedules on the dashboard.
Log on to the CipherTrust Manager GUI as administrator.
Navigate to Admin Settings > Schedules.
Click Add Schedule. The Add New Schedule wizard is displayed.
Select Partial Domain Backup radio button. Click Next.
Provide Schedule Name and Description.
Select Enable Schedule check box so that backup can be scheduled. Click Next.
Add Schedule Config. Refer to Time Specification for details.
Choose Keys, if needed. Click Next.
Choose CTE policies, if needed. Click Next.
Choose user/email/group, if needed. Click Next.
In the Choose Customer Fragments section, select any one of the three (3) options:
Select All - Selects all customer fragments at once. If new customer fragments are added to the system after the backup is scheduled, the new customer fragments will also be added to the backup.
Manual Select - Click the plus (+) button next to the fragments you want to select. Select at least one customer fragment.
None - No customer fragment will be selected.
You can also use the search bar to find the customer fragments.
Select Number of backups to retain (leave blank for unlimited) from spinbox. This value indicates how many backup files to store on the CipherTrust Manager. Provide description and select domain backup key from the list.
Click Add Schedule. The backup will include the customer fragments and the associated keys.
You can see the list of created backup schedules on the dashboard.
To view/edit the partial domain backup schedule:
Go to the desired backup schedule.
Click the ellipsis on the right side of a schedule and click View/Edit.
Go to CUSTOMER FRAGMENTS section to view/edit the details.
For full domain backup:
ksctl scheduler configs create backup --scope "domain" --name <config_name> --run-at "<cron_expression_format>" --description "<config_description>" --retention-count <number_of_backups_to_retain>
For details, refer to Scheduling domain scoped backup jobs
For partial domain backup:
Example 1
ksctl scheduler configs create backup --name "cf-backup-scd" --run-at "*/5 * * * *" --scope "domain" --description "test cf backup scheduler" --filters '[{"resourceType": "customer_fragments", "resourceQuery":{"names":["CipherTrust Manager'\''s default customer fragment"]}}]'
Here,
Filters are a set of selection criteria to specify what resources to include in the backup. Only applicable to domain-scoped backups. For example, to back up CSM customer fragments, set the filter to [{"resourceType": "customer_fragments", "resourceQuery":{"names":["CipherTrust Manager's default customer fragment"]}}].
In resourceQuery you can pass either "ids" or "names" as parameters. In the above example, we are passing "names" of the customer fragments.
Example 2
ksctl scheduler configs create backup --name "cf-backup-scd" --run-at "*/5 * * * *" --scope domain --description "test cf backup scheduler" --filters '[{"resourceType": "customer_fragments", "resourceQuery":{"ids":["47f03ddd-c92b-4834-a4d3-dfe60b5fcf6a","fd9cf9b5-179a-4eba-a58b-dd321484e474"]}}]'
In the above example, we are passing "ids" of the customer fragments.
Example 3
ksctl scheduler configs create backup --name "cf-backup-scd-1" --run-at "*/5 * * * *" --scope domain --description "test cf backup scheduler" --filters-jsonfile filter.json
filter.json
[{"resourceType": "customer_fragments", "resourceQuery":{"names":["CipherTrust Manager's default customer fragment","CF 1"]}}]
In the above example, we are using a JSON file to pass the parameters.
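The script below wraps Example 3 in pre-flight checks; it is an added illustration and not part of the Thales documentation. It rejects a run-at value that does not have five fields, requires a retention count, and generates the filter file so that fragment names containing quotes need no shell escaping. The KSCTL variable and the function names are assumptions; every ksctl flag is taken from this page.

```shell
#!/bin/sh
# Added example, not Thales code. KSCTL is a hypothetical override so the
# script can be dry-run with KSCTL=echo; all ksctl flags are from this page.

# Succeed only if the cron expression has exactly five fields.
valid_run_at() (
    set -f              # keep "*" literal while splitting on whitespace
    set -- $1
    [ "$#" -eq 5 ]
)

# Escape backslashes and double quotes for use inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Write a customer_fragments filter that selects fragments by name.
# usage: write_cf_filter <file> <fragment name>...
write_cf_filter() {
    out=$1; shift
    [ "$#" -ge 1 ] || { echo "need at least one fragment name" >&2; return 1; }
    list=
    for n in "$@"; do
        list="${list}${list:+,}\"$(json_escape "$n")\""
    done
    printf '[{"resourceType": "customer_fragments", "resourceQuery":{"names":[%s]}}]\n' \
        "$list" > "$out"
}

# Create the schedule after checking the inputs the page warns about.
# usage: schedule_cf_backup <name> <run-at> <retention-count> <filter file>
schedule_cf_backup() {
    valid_run_at "$2" || { echo "run-at needs five fields: $2" >&2; return 1; }
    case $3 in
        ''|*[!0-9]*) echo "set an integer retention count" >&2; return 1 ;;
    esac
    [ -s "$4" ] || { echo "filter file missing or empty: $4" >&2; return 1; }
    "${KSCTL:-ksctl}" scheduler configs create backup --scope domain \
        --name "$1" --run-at "$2" --retention-count "$3" \
        --filters-jsonfile "$4"
}
```

Set KSCTL=echo to print the arguments for review instead of creating the schedule.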