SecureAuth Backup Tool Usage

Decrypt the web.config Files

Before performing a full backup, it is necessary to decrypt the web.config files through the SecureAuth administrative interface
 

Begin the Full Backup

1. Launch the SecureAuth Backup Tool at D:\MFCApp_BIN\Extras\SABackupTool\SABackup.bat

The splash page for the tool appears. The page advances automatically in 5 seconds, or the spacebar can be pressed to advance manually. 

The legal disclaimer appears.

2. Type AGREE at the prompt if the terms are accepted, and press Enter. If the terms are not accepted, press Enter and the script exits automatically.

3. From the Main Menu, type 2 and press Enter to select the Full Backup option.

4. Enter a strong password to protect the backup and press Enter.

The description screen appears. Enter a description of this backup (up to 45 characters) and press Enter to continue.

The Preflight stage of the backup begins. During this phase, the  Backup Tool  checks various aspects of the SecureAuth environment to help ensure a successful backup is performed. If the tool encounters an error, a message appears with instructions.

After the Preflight stage, the Backup Tool enters the Archiving stage. During this phase the actual backup of the SecureAuth files occurs.

A message appears when the archive process is complete. After 5 seconds, an automatic redirection to the Main Menu is executed.

Decrypt the web.config Files

Before performing a restore operation, it is necessary to decrypt the web.config files through the SecureAuth administrative interface
 

Begin the Restore

1. Launch the SecureAuth Backup Tool at D:\MFCApp_BIN\Extras\SABackupTool\SABackup.bat

The splash page for the tool appears. The screen will advance automatically in 5 seconds, or the spacebar can be pressed to advance manually. 

The legal disclaimer appears.

2. Type AGREE at the prompt and press Enter to accept the terms. If the terms are not accepted, press Enter and the script exits automatically.

3. From the Main Menu, type 3 and press Enter to select the Restore option.

4. To choose an archive to restore from backup, type the number of the file and press Enter to continue.

5. Enter the password for the archive to be restored, and press Enter to continue.

A warning about the restore process appears.

6. Read the message carefully.

7. Type OK to continue and press Enter. To abort the restore process, type CANCEL and press the Enter key.

8. The backup tool begins the final stages of the Preflight operation, in which it validates both the SecureAuth IdP environment and the integrity of the backup archive. Any errors detected during Preflight will appear. 

9. The backup tool begins restoring files. Note that some screens are displayed based on backup type, and therefore not all shown below may appear.

The post-restore instructions appear.

10. Read these instructions carefully and follow them after exiting the backup tool. Note that some screens will display; these are based on backup type and / or environment. Therefore, not all of the screens below may appear.

Carefully review the instructions below and ensure all applicable steps are followed after a restore. Failure to follow all applicable steps may result in a damaged SecureAuth IdP installation.

Reset File Permissions and Shares Tool

The Reset File Permissions and Shares Tool is a utility shipped with all SecureAuth IdP Appliances. Its purpose is to validate correct settings for privileges on all files and folder in the D:\SecureAuth directory. It also validates correct file shares configured for the SecureAuth Filesync Service. For help using this tool, see the SecureAuth support document Using the Reset File Permissions and Shares Tool.

Certificates

The SecureAuth Backup Tool restores the X.509v3 certificates and machine key associated with the archived installation. Starting with version 2.1, appropriate privileges are assigned to restored certificates automatically based on the configuration of realms and, in most cases, no administrative intervention should be required. However, if there is customization for the SecureAuth environment, it is possible the detection algorithm may not set a needed privilege. For environments with customization, see the SecureAuth support document SecureAuth Backup Tool: Assigning Certificate Privileges and ensure certificates are assigned proper credentials.

Windows Firewall

During the Restore process, your Windows Firewall settings are reinstated from backup. To ensure contact with the SecureAuth IdP Appliance is not lost when the settings are reinstated, all Firewall profiles were turned off. If your SecureAuth IdP Appliance normally uses the Windows Firewall with Advanced Security, please review the restored configuration and re-enable your firewall at the earliest possible opportunity. Please see the Microsoft support document Windows Firewall with Advanced Security Properties Page.  

Listed below are resolutions to common issues with the SecureAuth Backup Tool:

Error 503 displayed in Administrative Console after Restore

If this error appears, it's likely the IIS configuration files were restored to a different SecureAuth appliance than the one on which the backup was performed. In this scenario, the computer name and password configured for the SecureAuth0Pool application pool are incorrect. Without the proper credentials for the account, the application pool is unable to start, rendering the SecureAuth administrative interface unusable. To resolve this issue, run the RefreshSecureAuth0 script located at D:\MFCApp_Bin\Extras. The script will update the account information for the SecureAuth0Pool and resolve the problem.

Custom Verbiage not displaying properly after Restore of Minimum Backup

If a minimum backup from an older version of SecureAuth is restored to a newer version of SecureAuth, custom verbiage may not display properly. In versions of SecureAuth IdP prior to 7.2, DLLs were not Strong-Named, while newer versions of the product use strong-named DLLs for enhanced security. If the SecureAuth Backup Tool determines an older version of SecureAuth (lacking Strong-Named support) is being restored to a newer version with strong-named support, it will skip restoration of the MFA.SecureAuth.Resource.dll which contains the compiled verbiage.

If the unsigned MFA.SecureAuth.Resource.dll was restored to the newer version of SecureAuth, .NET errors would be generated for users and the installation would be rendered inoperable. By blocking the restore action, this situation does not occur. In this scenario however, the resource files are brought forward and the customized text is viewable in the verbiage editor. To resolve this issue, make a small change in the verbiage editor and then click the Save and Compile button to compile a new MFA.SecureAuth.Resource.dll.

SecureAuth Backup Tool Release History

2.4.0 2016-04-09

• [BUG] User-friendly URLs (also known as vanity URLs) are properly handled starting with this version
• [BUG] The WebConfigManager was deprecated to resolve error messages duting realm encrypt / decrypt process
• [FEATURE] .NET 4.6.1 is now officially supported (4.6.0 remains unsupported)
• [FEATURE] Enhanced logging was added

• • A logs directory was added and the debug functionality will now retain the history
  • During a Full Backup, a log file FullBackupOutput  will be created in the logs directory so progress of the archive process can be tracked
  • Added more detail to the debug log to help better diagnose problems

2.4.1 2016-05-17

• [BUG] During unattended operations, the tool would stop at the description screen and prevent a fully automated process. The prompt will no longer appear during unattended operations and default verbiage will show in the description.

• [SECURITY] The 7Zip binary has been updated to 16.0.0.0 to address recent security vulnerabilities found in 7Zip. The security vulnerabilities are tracked under CVE-2016-2335 and CVE-2016-2234.