
SecureAuth Appliance Disaster Recovery Backup

Introduction

Summary

The corruption or loss of configuration and other customized file resources can threaten your customer Service Level Agreements (SLAs) and make the recovery of SecureAuth services difficult and time consuming. There are many approaches to Disaster Recovery preparation, ranging from a very manual backup of configuration files to a complete system recovery image including the operating system, system state and all data. SecureAuth recommends using the existing DR backup strategy for the SecureAuth Appliance that is currently used for other Windows Servers in your organization. Be sure this strategy includes the following backup considerations to maintain a consistent process and minimize additional work.

Purpose

Use this article to design an appropriate backup and recovery process for your system.

Backup Considerations

Consider the following factors when implementing your backup strategy.

  • The SecureAuth IdP is a collection of Authentication realms configured for specific uses.

  • The configuration settings, custom verbiage, customized web pages and scripts for each Authentication realm are located within the realm's source directory.

  • All Realm source directories are found in sub-directories of the D:\SecureAuth directory.

  • The configuration settings are contained within an encrypted Web.Config file. The SecureAuth Application reads the configuration file in its encrypted state; but if you try to read the file using a text editor, the sections which contain sensitive account/password or directory store information are not readable due to the encryption applied to those sections.

  • The System's RSA key is used to encrypt/decrypt the web.config files. If the Operating System is lost, the key is not available and the web.config files cannot be decrypted.

  • Changes to verbiage using the SecureAuth Administration console can be applied to all or specific realms. The verbiage is stored in a resource file within the realm's source directory.

  • Master style sheets as well as other Look and Feel related resource files can be applied to all or specific realms. The customized files for each realm are contained within the realm's source directory.

  • Log and configuration history files are stored in each realm's source directory.

  • Some SecureAuth configurations require a publicly trusted SSL certificate to be installed on the Appliance. An SSL certificate consists of a public and private key pair. The keys are stored separately. Both keys are required for re-installation.

  • All SecureAuth Appliances have a SecureAuth Corporation CA signed SSL certificate which is used for the encryption of all communications between the SecureAuth appliance and the SecureAuth Hosted Services. An SSL certificate consists of a public and private key pair. The keys are stored separately. Both keys are required for re-installation.

For more information on general DR backup strategies, see this Microsoft TechNet Disaster Recovery article.

Backup Recommendations

  • For hardware appliances, SecureAuth recommends maintaining a weekly, full backup that includes system state and daily incremental backups stored in a designated DR location. This provides the ability to entirely restore a hardware appliance in the case of operating system failure or in the event of disk or other hardware failure.

  • For virtual appliances, SecureAuth recommends that a copy of the SecureAuth Appliance Virtual Image be stored in a designated DR host or location. Also perform weekly full and incremental backups. Depending on the type of virtualization product used, SecureAuth also recommends that a snapshot or point-in-time backup be used to provide the quickest recoverability to a known working state.

  • For both hardware and virtual appliances, SecureAuth recommends using a backup preparation script to collect and prepare the appliance data for backup. This script is described in the following section and can be used to manually prepare important files for a one-time backup or with a scheduled task to prepare files for weekly or daily backups.

Backup Preparation Script

Terms of Use (the "TERMS")

ACCEPTANCE OF TERMS: This batch file is provided "as is" with no express or implied warranty. SecureAuth Corporation accepts no responsibility or liability under any circumstances for any loss or damage of any kind incurred as a result of its use. You hereby agree that SecureAuth Corporation cannot be held liable in any way for any loss related to its use. You agree that you must evaluate, and bear all risks associated with the use of this batch file including any reliance, completeness, or usefulness. If you do not agree to these terms, do not proceed.

Process Description

This script automates the processes related to preparing a backup of important SecureAuth Appliance configuration, SSL certificates, license and resource files.

Upon execution, all web.config files are decrypted. All SSL certificates from the Local Computer Personal Certificate store are exported (in PFX format) and placed in the D:\SecureAuth root folder. A password protected .ZIP archive is created containing the configuration, license, resource files and master style sheets for all authentication realms and is stored in the D:\MFCAPP_bin\SecureAuth_Archive folder. Upon completing the creation of the .ZIP Archive, the web.config files are re-encrypted.

Note

A minimum of 5 and maximum of 9 archive files are kept at all times. The password for these archives is defined in this script or can be entered as a parameter during the manual execution of the script.

IMPORTANT! The password entered for the .ZIP archive is ALSO used when exporting the SSL certificates.

BE SURE TO KEEP THIS PASSWORD OR THE BACKUP FILES WILL BE USELESS.

Usage

  1. If this is the first time you are running the backup process, contact support.secureauth.com for the SABackup.zip file.

  2. Execute the SecureAuth_Backup_Prep.bat file from this location using one of the following methods.

Note

This script must be executed using an account with Administrator rights.

Interactive mode

You are prompted to enter the Backup Type (Min/All) and an archive password. This can be used to quickly back up or collect the information needed during an appliance upgrade or migration.

e.g. secureauth_backup_prep.bat

Non-interactive mode

To put the script into non-interactive mode, specify quiet on the command line. Then specify the password for the backup. For the backup type, enter All or Min (All / Min can be used with a scheduled task).

Example

secureauth_backup_prep.bat quiet P@ssw0rd all

Warning

The command option (switch) All backs up the entire D:\SecureAuth directory. The command option Min only backs up the web.config, language files, and license files.

SecureAuth recommends using All for a complete backup of your SecureAuth Appliance.

To provide the best DR capabilities, in conjunction with the use of this script, the following directories should be backed up to a location other than the SecureAuth Appliance. In the event of full system failure, the appliance configuration can be fully restored to a new appliance using the contents of these folders:

  • D:\MFCAPP_bin\SecureAuth_Archive

  • D:\MFCAPP_bin\SecureAuth_Current

  • D:\SecureAuth (if backup type Min is used)
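
One way to carry out the off-appliance copy described above, as an added example that is not part of the SecureAuth script or of this article: it checks that the archive set is fresh, copies the two MFCAPP_bin folders to a DR share, and verifies every copied file by SHA-256. The share path `\\dr-server.example\SecureAuthDR` and the 7-day freshness threshold are assumptions, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example: copy the backup folders off the appliance and verify the copy.
# Run after SecureAuth_Backup_Prep.bat has completed, from an elevated session.
param(
    [string]$DrRoot = '\\dr-server.example\SecureAuthDR',  # hypothetical DR share (assumption)
    [int]$MaxAgeDays = 7                                   # assumption: weekly backup schedule
)
$ErrorActionPreference = 'Stop'

# Folders named in the article; add 'D:\SecureAuth' if backup type Min is used.
$sources    = 'D:\MFCAPP_bin\SecureAuth_Archive', 'D:\MFCAPP_bin\SecureAuth_Current'
$archiveDir = $sources[0]

# 1. Sanity-check the archive set maintained by the preparation script.
$archives = @(Get-ChildItem -Path $archiveDir -Filter *.zip -File |
              Sort-Object LastWriteTime -Descending)
if ($archives.Count -eq 0) { throw "No .zip archives found in $archiveDir" }
if ($archives.Count -gt 9) {
    Write-Warning "Found $($archives.Count) archives; the script keeps at most 9."
}
$age = (Get-Date) - $archives[0].LastWriteTime
if ($age.TotalDays -gt $MaxAgeDays) {
    throw "Newest archive $($archives[0].Name) is $([int]$age.TotalDays) days old."
}

# 2. Copy each folder to the DR share, then compare SHA-256 hashes file by file.
$failed = 0
foreach ($src in $sources) {
    $dest = Join-Path $DrRoot (Split-Path $src -Leaf)
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $src '*') -Destination $dest -Recurse -Force

    foreach ($file in Get-ChildItem -Path $src -Recurse -File) {
        $relative = $file.FullName.Substring($src.Length).TrimStart('\')
        $copy     = Join-Path $dest $relative
        if (-not (Test-Path -LiteralPath $copy) -or
            (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash -ne
            (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash) {
            Write-Warning "Verification failed: $relative"
            $failed++
        }
    }
}
if ($failed) { throw "$failed file(s) failed verification on $DrRoot" }
"Verified copy of $($sources.Count) folders to $DrRoot; newest archive: $($archives[0].Name)"
```

Because the archive holds decrypted web.config files and exported PFX certificates protected only by the archive password, restrict access to the DR share to the accounts that perform restores.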

Contents of Archive File

  • Web.Config_<Date-Time>.zip – a password-protected ZIP file with decrypted configuration files of all Authentication realms and their history

  • MFA.SecureAuth.Resource.dll - backup of verbiage changes

  • MFC.SecureAuth.License.dll - backup of License file

  • CSS style sheets - backup of graphical style sheets

  • Master and Master.vb - backup of additional graphics, look and feel files

  • PFX Certificates - exported certificates from the Local Computer Personal Certificate Store