7.3 Disaster Recovery for a Single ZENworks Linux Management Primary Server

If you have only one primary server and no secondary server in your zone, do the following tasks in the order listed below:

7.3.1 Backup Requirements

Obtain backups from your running ZENworks Linux Management Server on a daily or weekly basis. The backup information falls into two classes.

The first class contains some basic configuration information such as the hostname, ZENworks Linux Management zone name, configuration files, object store login information and so forth.

The second class contains information from the object store, data store, and package repository. Ensure that the backup information is recent and is collected within a short time frame to maintain consistency of data. For more information on configuring these backups, see Section 7.1, Safeguarding Your System through Backups.

NOTE: During the package repository backup, ensure that the links to the package files are restored.

A sample script for creating the backups is as follows:

# cat zlm-backup-all.sh 
#!/bin/bash 
BACKUPDIR='/images/backup' 
DAT=`date +%Y%m%d` 

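mkdir -p "${BACKUPDIR}"
# Stop if the backup directory is unavailable; the relative copies below depend on it
cd "${BACKUPDIR}" || exit 1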

# CLASS ONE DATA #

#Taking backup of deviceid and secret files

if [ -e /etc/opt/novell/zenworks/zmd/deviceid ]; 
then 
  cp /etc/opt/novell/zenworks/zmd/deviceid ${BACKUPDIR} 
  cp /etc/opt/novell/zenworks/zmd/secret ${BACKUPDIR} 
else 
  cp /etc/zmd/deviceid ${BACKUPDIR} 
  cp /etc/zmd/secret ${BACKUPDIR} 
fi 

# Some disk / mount information so that the new system can be partitioned similarly
df > disk-layout.log
mount > mount.log

#Taking backup of edirectory
cp /opt/novell/zenworks/datamodel/share/ldap-certs ${BACKUPDIR} 
cp /etc/opt/novell/zenworks/zlm.conf ${BACKUPDIR} 
cp -rp /var/opt/novell/nici . 
cp -rp /var/nds/dib . 
rm dib/dsbk.pipe 
cp /etc/opt/novell/nici* . 

#Taking backup of conf files
cp -rp /etc/opt/novell/zenworks . 
cp -rp /etc/crontab . 

# CLASS TWO DATA #

# Taking backup of data store
zlm_dbbackup.sh -H localhost -D ${BACKUPDIR}/zlm_dbbackup-${DAT} 

# Taking backup of object store - you need to provide the ZLM Administrator password
zlm_ndsbackup.sh -U admin.system -D ${BACKUPDIR}/zlm_ndsbackup-${DAT} -B 

# Taking backup of package repository
tar -cvzf bundles.tar.gz /var/opt/novell/zenworks/pkg-repo/bundles 
tar -cvzf catalogs.tar.gz /var/opt/novell/zenworks/pkg-repo/catalogs 
cp -Rp /var/opt/novell/zenworks/pkg-repo/files .
cp -Rp /var/opt/novell/zenworks/pkg-repo/packages .
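
The backup set holds the device secret, NICI key material and stored passwords, so it is worth auditing after each run. The following is an added example, not part of the Novell documentation: it checks that the class-one items the sample script copies are present, that nothing in the directory is accessible to group or other, and it records SHA-256 digests to re-check before a restore. The function names and the SHA256SUMS file name are assumptions.

```shell
#!/bin/bash
# Added example: audit a backup directory laid out by the sample script above.
# check_backup_set, write_manifest and verify_manifest are hypothetical names.

# Class-one items the sample script leaves at the top of the backup directory.
REQUIRED_ITEMS="deviceid secret zlm.conf ldap-certs nici dib zenworks"

# Print one line per problem; succeed only if the set is complete and private.
check_backup_set() {
  local dir="$1" problems=0 item loose
  for item in $REQUIRED_ITEMS; do
    if [ ! -e "$dir/$item" ]; then
      echo "MISSING  $dir/$item"; problems=$((problems + 1))
    fi
  done
  # Nothing here (the directory itself included) should carry any
  # group or other permission bits.
  loose=$(find "$dir" ! -type l -perm /077 2>/dev/null)
  if [ -n "$loose" ]; then
    echo "$loose" | sed 's/^/EXPOSED  /'; problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Record SHA-256 digests of every file so a later restore can detect changes.
write_manifest() {
  ( cd "$1" || exit 1
    find . -type f ! -name SHA256SUMS -print0 | sort -z |
      xargs -0 -r sha256sum > SHA256SUMS && chmod 600 SHA256SUMS )
}

# Re-check the digests before restoring; non-zero means a file changed or is missing.
verify_manifest() {
  ( cd "$1" || exit 1; sha256sum --quiet -c SHA256SUMS )
}
```

Run check_backup_set and write_manifest against the backup directory at the end of the backup script, and verify_manifest on the new server before starting the restore steps.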

7.3.2 Installing and Configuring a New ZENworks Linux Management Server

  1. Install the new SLES server by using the same SLES distribution, patch level, and architecture that were used before the server failure.

  2. Assign the server the same hostname, domain name, and IP address that were used earlier.

  3. Install the same version of the Novell ZENworks Linux Management system by using the same Management zone name and hostname used by the old server. You can see this information in the /etc/opt/novell/zenworks/zlm.conf file.

    1. Run the configuration as a part of the installation, or run it manually later. Until the configuration is complete, ensure that the agents do not communicate with the new server by executing the /etc/init.d/novell-zmd stop command.

  4. Restore the package repository in the /var/opt/novell/zenworks/pkg-repo directory and ensure that the files are owned by the zenworks user and the zenworks group.

    1. After restoring the package repository, verify that the package files in the bundles directory contain the correct path.

    2. To check for broken links, run the following command:

      find /var/opt/novell/zenworks/pkg-repo -type l | (while read FN ; do test -e "$FN" || ls -ld "$FN"; done)

      For more information on restoring packages, see Package and Content Management in the Novell ZENworks 7.3 Linux Management Administration Guide.

  5. Restore the ZENworks Linux Management Object Store (eDirectory) backup by executing the following command with the administrator credentials:

    zlm_ndsrestore.sh -U admin.system -F <backup file with full path> -B

    1. Check the log file /var/opt/novell/log/zenworks/ndsrestore.log and ensure that it contains no error messages and that the restore process was successful.

    2. Verify if the eDirectory Security Objects (Certificate Authority and SSL certificates) are properly restored by executing the following commands:

      /etc/init.d/ndsd restart

      netstat -tanpu | grep 10636

      A LISTEN line in the output indicates that the Security Objects are properly restored and that eDirectory is active and listening on the secure LDAP port.

      If the restoration is not successful and eDirectory is not active, see Section 7.3.3, Restoring the eDirectory Security Objects.

  6. Restore the ZENworks Linux Management server configuration files you added as backups earlier by using the following commands:

    cp {BACKUP_PATH}/zenworks/serverid /etc/opt/novell/zenworks

    cp {BACKUP_PATH}/zenworks/serversecret /etc/opt/novell/zenworks

    cp {BACKUP_PATH}/deviceid /etc/zmd/

    cp {BACKUP_PATH}/secret /etc/zmd/

    For SLES 9 and RHEL 5 devices, the restoration path of the deviceid and secret files is /etc/opt/novell/zenworks/zmd. Verify the log files to ensure that there are no error messages and the restoration of files is successful.

  7. From the server.xml backup file that was used in the old server, copy the lines starting with the words connectionName and connectionPassword into your current server.xml file in the /etc/opt/novell/zenworks/tomcat/base directory.

  8. Restore the database backup by using the current datastore (postgresql) password from the new server. You can obtain the current database password using the following command:

    grep password /etc/opt/novell/zenworks/hibernate.cfg.xml

    Restore the backup by using the following command:

    zlm_dbrestore.sh -d zenworks -U zenadmin -F <BACKUP-FILE>

    For information on backing up and restoring the Data Store, see ZENworks Object Store and Data Store Maintenance in the Novell ZENworks 7.3 Linux Management Administration Guide.

  9. Restart the ZENworks Linux Management services by using the zlm-config --restart command and test the restored ZENworks Linux Management system.

    Verify the log files to ensure that there are no errors.

  10. Copy the ZENworks Linux Management mirror configuration files from the backup directory to the new ZENworks Linux Management server machine.

7.3.3 Restoring the eDirectory Security Objects

While restoring the eDirectory Security Objects, the Certificate Authority can fail to register properly and the SSL certificate of the LDAP server might not work. To verify this, run the /etc/init.d/ndsd restart command. The display of the LISTEN line indicates that the Security Objects are restored properly and that your ZENworks Linux Management server is functioning properly.

Scenario 1: Restoring the eDirectory Security Objects on a 64-bit device

  1. Stop eDirectory by using the /etc/init.d/ndsd stop command.

  2. Add a library path by using the vi /etc/ld.so.conf.d/novell-NDSbase.conf command.

  3. Modify the file from:

    /opt/novell/eDirectory/lib

    /opt/novell/eDirectory/lib/nds-modules

    to:

    /opt/novell/eDirectory/lib64

    /opt/novell/eDirectory/lib64/nds-modules

    /opt/novell/lib64

  4. Run the ldconfig command.

  5. Restart the eDirectory by using the /etc/init.d/ndsd start command.

Scenario 2: Restoring eDirectory Security Objects by using LDAP

If you are not using a 64-bit device, use the following method to restore the eDirectory Security Objects when the LISTEN line does not display on running the /etc/init.d/ndsd restart command:

  1. Run the following command:

    ldapconfig set 'Require TLS for Simple Binds with Password=no' -a admin.system

  2. Delete the eDirectory certificate authority by using the ldapdelete command. Ensure that the ZENworks Linux Management zone name you insert in the delete command is the same one recorded in the zlm.conf file that you backed up.

    ldapdelete -H ldap://localhost:10389 -D cn=admin,o=system -W -Z -x 'cn=<ZLM management zone name> -TREE CA,cn=Security'

  3. Re-create the certificate authority and all server certificates by executing the ndsconfig upgrade command using the administrator context as admin.system and the ZCC administrator password.

  4. Migrate the eDirectory configuration file to the original location:

    mv /etc/opt/novell/eDirectory/conf/nds.conf /etc

    Delete the line /etc/opt/novell/eDirectory/conf/nds.conf from the file /etc/opt/novell/eDirectory/conf/.edir/instances.0

  5. Run the /etc/init.d/ndsd restart command and verify if the LISTEN line displays on the ldap port.

  6. Run the following command to set the Password value to 'yes':

    ldapconfig set 'Require TLS for Simple Binds with Password=yes' -a admin.system

  7. Capture the keystorePass value, which is used as the keystore password in Step 10, by using the following command:

    cat /etc/opt/novell/zenworks/tomcat/base/server.xml | grep keystorePass

  8. Run the openssl s_client -connect localhost:10636 -showcerts -keyform DER command. The certificates used by the new ZENworks Linux Management server are displayed.

  9. Copy the second certificate in the displayed list into the ca.b64 file.

    NOTE: An example certificate, such as 1 s:/OU=Organizational CA/O=ZONE-TREE, where ZONE is the Management zone name, runs from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

  10. Create a new keystore and copy it to the appropriate location. This step needs to be done outside the backup directory. Provide the password obtained in Step 7 as the keystore password.

    /opt/novell/eDirectory/lib64/nds-modules/embox/jre/bin/keytool -import -file ca.b64 -alias 127.0.0.1 -keystore ldap-certs

    cp ldap-certs /opt/novell/zenworks/datamodel/share/ldap-certs
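
Steps 8 and 9 of Scenario 2 can be scripted so that the CA certificate is selected by position and checked by subject before it is imported into the keystore. The following is an added example, not part of the Novell documentation; the function names and the constructed sample output are assumptions, and the subject match assumes the s:/OU=Organizational CA/O=ZONE-TREE form shown in the note above.

```shell
#!/bin/bash
# Added example: pick a certificate out of saved "openssl s_client -showcerts" output.
# extract_cert, subject_of_cert, save_zone_ca and sample_output are hypothetical names.

# $1 = 1-based position in the displayed list, $2 = file with the s_client output.
# Returns non-zero if the file holds fewer than $1 complete certificates.
extract_cert() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
    inside && n == want           { print }
    /-----END CERTIFICATE-----/   { if (inside && n == want) found = 1; inside = 0 }
    END                           { exit (found ? 0 : 1) }
  ' "$2"
}

# Print the subject from the "s:" line that precedes certificate $1 (chain index $1 - 1).
subject_of_cert() {
  awk -v idx="$(( $1 - 1 ))" \
    '$1 == idx && $2 ~ /^s:/ { sub(/^ *[0-9]+ +s:/, ""); print; exit }' "$2"
}

# Write the second certificate to $3 only if its subject is the zone's Organizational CA.
# $1 = Management zone name, $2 = s_client output file, $3 = destination (ca.b64).
save_zone_ca() {
  local subj
  subj=$(subject_of_cert 2 "$2")
  case "$subj" in
    *"Organizational CA"*"O=$1-TREE"*) extract_cert 2 "$2" > "$3" ;;
    *) echo "unexpected subject for certificate 2: ${subj:-none}" >&2; return 1 ;;
  esac
}

# Constructed stand-in for s_client output; the bodies are dummy text, not certificates.
sample_output() {
  cat <<'EOF'
Certificate chain
 0 s:/O=ZONE-TREE/CN=zlm.example.com
   i:/OU=Organizational CA/O=ZONE-TREE
-----BEGIN CERTIFICATE-----
TEVBRi1EVU1NWQ==
-----END CERTIFICATE-----
 1 s:/OU=Organizational CA/O=ZONE-TREE
   i:/OU=Organizational CA/O=ZONE-TREE
-----BEGIN CERTIFICATE-----
Q0EtRFVNTVk=
-----END CERTIFICATE-----
EOF
}
```

On the server, save the output of the command in Step 8 to a file and call save_zone_ca with the Management zone name, that file, and ca.b64 before running keytool.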