eDirectory restart after DSBK Restore

Hi all,

After a 'successful' DSBK backup (NICI included) and a DSBK restore (NICI included) on a separate server with a 'temporary' tree (no driverset on the server), the procedure seemed to be successful, and I decided to double-check via iManager and iMonitor.
All seemed to be functional, except for the drivers, which were in "Unknown state".
An attempt to restart the vault (ndsmanage stop & start) resulted in an unexpected issue.
ndsmanage shows that the vault is "ACTIVE", but I could not access it via iManager or iMonitor.

eDirectory:9.2;  server:4.6

Any ideas/clues/pointers on what I am missing/did wrong will be greatly appreciated.

 

************* ndsd.log       after ndsmanage restart        ***********

 

Apr 18 18:00:40 Path of NetIQ eDirectory configuration file /etc/opt/novell/eDirectory/conf/nds.conf
Apr 18 18:00:40 Host process for NetIQ eDirectory 9.2 v40201.14 successfully started
Apr 18 18:00:40 Successfully enabled FIPS mode for SSL communication.
Apr 18 18:00:40 DHLog: file size 1048576
[ -- DHost Logging STARTED Sat Apr 18 18:00:40 2020 -- ]
Apr 18 18:00:40 MASV Init called
Apr 18 18:00:40 Mandatory Access Control Service Version 9.2.0.0 started
Apr 18 18:00:40 NMAS Server Version: 9.2.0.0 Build: 20190927 started
Apr 18 18:00:40 SPM DClient Version: 9.2.0.0 Build: 20190824 started
Apr 18 18:00:40 MASV Init called
Apr 18 18:00:40 MASV already initialized.
Apr 18 18:00:41 The local agent could not be opened - failed, CCS_UnwrapKey failed (-6061)
Apr 18 18:00:42 NICIext_Health.log in directory: /var/opt/novell/eDirectory/log/
Apr 18 18:00:42 GAMS Init called
Apr 18 18:00:42 Graded Authentication Management Service Version 9.2.0.0 started
Apr 18 18:00:42 Information: SNMP Trap Server for NetIQ eDirectory 9.2 v40201.11 started.

Apr 18 18:00:42 NDS iMonitor for NetIQ eDirectory 9.2 v40201.15 started successfully.
Apr 18 18:00:43 NetIQ PKI Services Started Successfully
Apr 18 18:00:43 Loading SecretStore Server...
Apr 18 18:00:43 NetIQ SecretStore Service Version 9.2.0.0 Loaded Successfully
Apr 18 18:00:43 Loading SecretStore NCP Transport Plugin...
Apr 18 18:00:43 NetIQ SecretStore NCP Plugin Version 9.2.0.0 Loaded Successfully.
Apr 18 18:00:43 LDAP Agent for NetIQ eDirectory 9.2 (40201.29) stopped

 

|==================DSBackup Log: Backup================|
Backup type: Full
Log file name: /root/jubackuplog.log
Backup started: 2020-4-17'T7:50:30
Backup file name: /root/juvault.bak
Server name: \T=JUVAULT\O=system\OU=servers\CN=juvault
Current Roll Forward Log: 00000001.log
DS Version: 4020114
Backup ID: 5E993596
NICI BACKUP: "NICI Files have been backed up Successfully"
Starting database backup...
Database backup finished
Completion time 00:00:02
Backup completed successfully

 

//*************** backup ndsd.log ******************************************
Command line backup -b -f /root/juvault.bak -l /root/jubackuplog.log -e XXXXXX
Processing command line
Backup type: Full
Log file name: /root/jubackuplog.log
Backup started: 2020-4-17'T7:50:30
Backup file name: /root/juvault.bak
Server name: \T=JUVAULT\O=system\OU=servers\CN=juvault
Current Roll Forward Log: 00000001.log
DS Version: 4020114
Backup ID: 5E993596
NICI BACKUP: "NICI Files have been backed up Successfully"
Starting database backup...
Database backup finished
Completion time 00:00:02
Backup completed successfully

 

==================DSBackup Log: Restore================|
Log file name: /root/juvaultrestore.log
Restore started: 2020-4-18'T15:38:16
Restore file name: /root/juvault.bak
Restoring file /var/opt/novell/eDirectory/data/dsnici.bak
NICI RESTORE: "NICI Files have been Restored Successfully"
Starting database restore...
Restoring file /root/juvault.bak
Warning! Roll forward logs have been turned off and reset to the default location
Database restore finished
Completion time 00:00:07
Restore completed successfully

Knowledge Partner

The local agent could not be opened - failed, CCS_UnwrapKey failed (-6061)

So obviously a NICI issue.

Which command line options did you use for the restore?

Generally it often helped to

- restore nici first

- bounce the daemon (or the entire box)

- restore the dib

 

If you like it: like it.
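
A post-restart check for the symptom discussed above, where ndsmanage reports "ACTIVE" while ndsd.log shows that the local agent never opened. This is an added example, not part of the original thread; the function names and verdict strings are assumptions, and the sample lines are abridged from the ndsd.log excerpts posted here. Only the most recent DHost session in the log is judged.

```shell
#!/bin/sh
# Added example: classify the most recent ndsd start recorded in ndsd.log.
# Usage: check_ndsd_start /var/opt/novell/eDirectory/log/ndsd.log
#        (reads stdin when no file is given)
check_ndsd_start() {
    awk '
        BEGIN { ldap = "absent" }
        # Each daemon start writes this marker; forget older sessions.
        /DHost Logging STARTED/              { nici = 0; agent = 0; ldap = "absent" }
        /CCS_UnwrapKey failed/               { nici = 1 }
        /The local agent could not be opened/ { agent = 1 }
        /LDAP Agent for .* started/          { ldap = "started" }
        /LDAP Agent for .* stopped/          { ldap = "stopped" }
        END {
            if (nici)                   print "NICI_UNWRAP_FAILED"
            else if (agent)             print "AGENT_NOT_OPEN"
            else if (ldap != "started") print "LDAP_" toupper(ldap)
            else                        print "OK"
        }
    ' "$@"
}

# Constructed sample: abridged from the failed start posted in this thread.
sample_failed_start() {
cat <<'EOF'
[ -- DHost Logging STARTED Sat Apr 18 18:00:40 2020 -- ]
Apr 18 18:00:40 NMAS Server Version: 9.2.0.0 Build: 20190927 started
Apr 18 18:00:41 The local agent could not be opened - failed, CCS_UnwrapKey failed (-6061)
Apr 18 18:00:42 NDS iMonitor for NetIQ eDirectory 9.2 v40201.15 started successfully.
Apr 18 18:00:43 LDAP Agent for NetIQ eDirectory 9.2 (40201.29) stopped
EOF
}

# Constructed sample: abridged from the later, working start in this thread.
sample_clean_start() {
cat <<'EOF'
[ -- DHost Logging STARTED Tue Apr 28 17:54:34 2020 -- ]
Apr 28 17:54:35 NMAS Server Version: 9.2.0.0 Build: 20190927 started
Apr 28 17:54:41 LDAP Agent for NetIQ eDirectory 9.2 (40201.29) started
Apr 28 17:54:41 NDS iMonitor for NetIQ eDirectory 9.2 v40201.15 started successfully.
EOF
}

# Demo on the constructed samples.
sample_failed_start | check_ndsd_start
sample_clean_start  | check_ndsd_start
```
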
Respected Contributor.

Thanks Mathias.

The restore command used was "dsbk restore -r -a -o -f /root/juvault.bak -l /root/juvaultrestore.log -e XXXXXX"

which I suppose includes the "NICI switch" -e password.

I restarted the box, but the issue is still unresolved.

How do I restore the NICI first before the dib?

 

 

 

 

Knowledge Partner

dsbk restore -f file_name -l log_file_name -e password

Restart the ndsd server.

dsbk restore -f file_name -l log_file_name -a -r -o

IIRC this hasn't always been properly covered in the docs but by now it is.

https://www.netiq.com/documentation/edirectory-9/edir_admin/data/bunbduw.html

I'd assume it's about a single server tree.

 

If you like it: like it.

Respected Contributor.
Thanks Mathias.
The 3 steps did the trick.

I wrongly assumed combining the parameters in one command, before restarting the box, would do it 🙂
Knowledge Partner

Well, as it's perfectly fine to back up NICI and DIB in one step, one could assume a single step would be fine for a restore, too. But technically, starting with NICI 2.0 back in the NetWare days, you need a matching NICI offset initialized (i.e. active) for a successful DIB restore. For many years this wasn't documented very well; I was honestly surprised to see that it is by now.

Anyway: good to hear that it works now. And thanks for reporting back.

 

If you like it: like it.
Respected Contributor.

Hi @mathiasbraun,

In relation to the restore process, I am facing a new challenge, as the drivers would not start.
Carried out backup, and restored a server (single instance) having a temporary TREE.
The data is available, but the drivers would not start.

The message from one of the drivers' logs is:

[04/28/20 18:02:09.459]:JUUserApp :Reading driver information from the \JUVAULT\system\judriverset\JUUserApp object.
[04/28/20 18:02:09.461]:JUUserApp :Reading named passwords list.
[04/28/20 18:02:09.461]:JUUserApp :Named passwords:
[04/28/20 18:16:04.900]:JUUserApp :Trace Level: 3
[04/28/20 18:16:04.900]:JUUserApp :Reading driver information from the \JUVAULT\system\judriverset\JUUserApp object.
[04/28/20 18:16:04.900]:JUUserApp :Reading named passwords list.
[04/28/20 18:16:04.901]:JUUserApp :Named passwords:

 

 

From the ndsd.log, I get this, which seems to point to xdasconfig.properties. The setup is IDM4.6 with eDir92.
I noticed the documentation suggesting that use of xdasconfig has been deprecated in eDir92 and recommending use of CEF.

ndsd.log:


Apr 28 17:54:34 DHLog: file size 1048576
[ -- DHost Logging STARTED Tue Apr 28 17:54:34 2020 -- ]
Apr 28 17:54:34 MASV Init called
Apr 28 17:54:34 Mandatory Access Control Service Version 9.2.0.0 started
Apr 28 17:54:35 NMAS Server Version: 9.2.0.0 Build: 20190927 started
Apr 28 17:54:35 SPM DClient Version: 9.2.0.0 Build: 20190824 started
Apr 28 17:54:35 MASV Init called
Apr 28 17:54:35 MASV already initialized.
Apr 28 17:54:35 Skipping initialization of SAM server on non-OES server
Apr 28 17:54:38 log4cxx: Could not read configuration file [/etc/opt/novell/eDirectory/conf/xdasconfig.properties].
Apr 28 17:54:38 log4cxx: Could not read configuration file [/etc/opt/novell/eDirectory/conf/xdasconfig.properties].
Apr 28 17:54:40 NICIext_Health.log in directory: /var/opt/novell/eDirectory/log/
Apr 28 17:54:40 GAMS Init called
Apr 28 17:54:40 Graded Authentication Management Service Version 9.2.0.0 started
Apr 28 17:54:40 Information: SNMP Trap Server for NetIQ eDirectory 9.2 v40201.11 started.

Apr 28 17:54:41 Loading SecretStore Server...
Apr 28 17:54:41 NetIQ SecretStore Service Version 9.2.0.0 Loaded Successfully
Apr 28 17:54:41 Loading SecretStore LDAP Transport Plugin...
Apr 28 17:54:41 NetIQ SecretStore LDAP Plugin Version 9.2.0.0 Loaded Successfully.
Apr 28 17:54:41 SecretStore LDAP Extension Handler Loaded Successfully
Apr 28 17:54:41 NMAS Server Version: 9.2.0.0 Build: 20190927 started
Apr 28 17:54:41 SPM DClient already started (2)
Apr 28 17:54:41 LDAP Agent for NetIQ eDirectory 9.2 (40201.29) started
Apr 28 17:54:41 NDS iMonitor for NetIQ eDirectory 9.2 v40201.15 started successfully.
Apr 28 17:54:41 SASL Version: 9.2.0.0 Build: 20190927 started
Apr 28 17:54:42 NetIQ PKI Services Started Successfully
Apr 28 17:54:42 PKIHealth.log in directory: /var/opt/novell/eDirectory/log/
Apr 28 17:54:42 Loading SecretStore NCP Transport Plugin...
Apr 28 17:54:42 NetIQ SecretStore NCP Plugin Version 9.2.0.0 Loaded Successfully.
NetIQ JClient 4.02.0116-4.2.116. (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved.
Apr 28 18:02:09 log4cxx: Could not read configuration file [/etc/opt/novell/eDirectory/conf/xdasconfig.properties].

 


Please, am I missing some tweaks or reconfigurations?
I need to get the drivers up and running, to enable setting up RBPM.

Thanks for anticipated pointers/clues.

Knowledge Partner

This question should likely better get asked in a new thread in the IDM forums. Other than that, my first guess would be that this is related to the DirXML-ServerKeys attribute which resides on the pseudoserver object and will likely not fit anymore after a restore from dsbk or a dibclone operation. Your trace seems to stop handling named passwords which are encrypted using the values on this attribute. I remember I had to use dump to clear this up a LOOOOONG time ago, but IIRC a corresponding action has been added to dxcmd shortly after (starting IDM 4.0 maybe). I don't currently have access to an IDM system, but after logging into dxcmd it must have been something like "driver set operations" -> "regenerate IDM server keys". Don't nail me on this. You'll likely have to set new passwords afterwards.

But as mentioned: someone in the IDM forums will for sure know better. And if you open a thread there, don't forget to mention that the issue came up after a dsbk restore; this will guide folks in the right direction.

If you like it: like it.
Respected Contributor.
Thanks @Mathias, I will open the new thread in the IDM forum