Archive and purge operations should be run on a scheduled basis. There are two archive operations available on the Administration Console, in the Data Management section of the menu:
Data Archive backs up the data that has been captured by the appliance, for a given time period. When configuring Data Archive, a purge operation can also be configured. Typically, data is archived at the end of the day on which it is captured, which ensures that in the event of a catastrophe, only that day's data will be lost. The purging of data depends on the application and is highly variable, depending on business and auditing requirements. In most cases data can be kept on the machines for more than six months.
Results Archive backs up audit task results (reports, assessment tests, entity audit trail, privacy sets and classification processes) as well as the view and sign-off trails and the accommodated comments from workflow processes. Result sets are purged from the system according to the workflow process definition.
In an aggregation environment, data can be archived from the collector, from the aggregator, or from both locations. Most commonly, the data is archived only once, and the location from where it is archived varies depending on the customer's requirements.
Archive files can be sent using the SCP or FTP protocol, or to an EMC Centera or TSM storage system (if configured). You can define a single archiving configuration for each Guardium appliance.
Guardium’s archive function creates signed, encrypted files that cannot be tampered with. DO NOT change the names of the generated archive files. The archive and restore operations depend on the file names created during the archiving process.
Archive and export activities use the system shared secret to create encrypted data files. Before information encrypted on one system can be restored on another, the restoring system must have the shared secret that was used on the archiving system when the file was created.
Note: For more information about the system shared secret, see About the System Shared Secret in the Guardium Administration Guide. For information on how to back up and restore shared secret files from one system to another, see the description of the aggregator backup keys file and aggregator restore keys file commands in the CLI Reference.
Regardless of the destination for the archived data, the Guardium catalog tracks where every archive file is sent, so that it can be retrieved and restored on the system with minimal effort, at any point in the future.
A separate catalog is maintained on each appliance, and a new record is added to the catalog whenever the appliance archives data or results. Catalog entries can be transferred between appliances by one of the following methods:
Aggregation - Catalog tables are aggregated, which means that the aggregator will have the merged catalog of all of its collectors
Export/Import Catalog (described below) - These functions can be used to transfer catalog entries between collectors, or to back up a catalog for later restoration, etc.
Data Restore - Each data restore operation contains the data of the archived day, including the catalog of that day. So, when restoring data, the catalog is also being updated.
When catalog entries are imported from another system, those entries will point to files that have been encrypted by that system. Before restoring or importing any such file, the system shared secret of the system that encrypted the file must be available on the importing system. See the description of the aggregator backup keys file and aggregator restore keys file commands in the CLI Reference, for instructions on how to get the shared secrets from one appliance to another.
Several commands are provided on the Administration Console for catalog maintenance:
Archive Catalog - If archive files are moved to another location after the Guardium archive operation, Guardium has no way of knowing what happened to those files. For these situations, the archive catalog can be maintained manually, using the Archive Catalog command on the Administration Console, to add or remove archive entries.
Export Catalog - Export either the data or results catalog.
Import Catalog - Import a previously exported data or results catalog.
Select Administration Console > Data Archive.
If it is not already checked, mark the Archive checkbox. Additional fields will appear in the Configuration panel.
In the boxes following Archive data older than, specify a starting day for the archive operation as a number of days, weeks, or months prior to the current day, which is day zero. These are calendar measurements, so if today is April 24, all data captured on April 23 is one day old, regardless of the time when the operation is performed. To archive data starting with yesterday’s data, enter the value 1, and select Day(s) from the list.
Optionally, use the boxes following Ignore data older than to control how many days of data will be archived. Any value specified here must be greater than the Archive data older than value.
Note: If you leave the Ignore data older than row blank, you will archive data for all days older than the value specified in the Archive data older than row. This means that if you archive daily and purge data older than 30 days, you will archive each day of data 30 times (before it is purged on the 31st day).
Mark the Archive Values box to include values (from SQL strings) in the archived data. If this box is cleared, values will be replaced with question mark characters on the archive (and hence the values will not be available following a restore operation).
Select a storage method radio button from the list below. Depending on how the appliance has been configured, one or more of these buttons may not be available. For a description of how to configure the archive and backup storage methods, see the description of the show and store storage-system commands in the CLI Appendix.
EMC CENTERA
TSM
SCP
FTP
Perform the appropriate procedure (below), depending on the storage method selected:
Optionally mark the Purge box to define a purge operation. When this box is marked, additional fields display.
IMPORTANT: The Purge configuration is used by both Data Archive and Data Export. Changes made here will apply to any executions of Data Export and vice-versa. In the event that purging is activated and both Data Export and Data Archive run on the same day, the first operation that runs will likely purge any old data before the second operation's execution. For this reason, any time that Data Export and Data Archive are both configured, the purge age must be greater than both the age at which to export and the age at which to archive.
If purging data, use the Purge data older than fields to specify a starting day for the purge operation as a number of days, weeks, or months prior to the current day, which is day zero. All data from the specified day and all older days will be purged, except as noted below. Any value specified for the starting purge date must be greater than the value specified for the Archive data older than value. In addition, if data exporting is active, the starting purge date specified here must be greater than the Export data older than value. See the IMPORTANT note above.
Notes: There is no warning when you purge data that has not been archived or exported by a previous operation.
The purge operation does not purge restored data whose age is within the do not purge restored data timeframe specified on a restore operation.
Click Apply to verify and save the configuration changes. The system will attempt to verify the configuration by sending a test data file to that location.
If the operation fails, an error message will be displayed and the configuration will not be saved.
If the operation succeeds, the configuration will be saved.
To run or schedule the archive and purge operation, do one of the following:
Click the Run Once Now button to run the operation once.
Click the Modify Schedule button to schedule the operation to run on a regular basis. See Scheduling in the Common Tools book for instructions on using the general purpose scheduler.
Click Done when you are finished.
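The ordering rules in the procedure above (Ignore greater than Archive, Purge greater than both Archive and Export) and the note about repeated archiving can be checked before the settings are applied. The following is an added example, not Guardium code: ArchivePolicy and its functions are hypothetical names, the archive window is assumed to be [Archive, Ignore), and data is assumed to be purged at the end of the run in which it reaches the purge age, which is the reading that reproduces the note's count of 30.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class ArchivePolicy:
    """Ages in calendar days, today = day zero. Hypothetical model, not a Guardium API."""
    archive_older_than: int
    ignore_older_than: Optional[int] = None   # row left blank on the panel
    purge_older_than: Optional[int] = None    # Purge box not marked
    export_older_than: Optional[int] = None   # Data Export not configured

def validate(p: ArchivePolicy) -> List[str]:
    """Return the ordering rules from the procedure that the policy violates."""
    problems = []
    if p.ignore_older_than is not None and p.ignore_older_than <= p.archive_older_than:
        problems.append("Ignore data older than must be greater than Archive data older than")
    if p.purge_older_than is not None:
        # Purging at or before the archive age discards data with no warning.
        if p.purge_older_than <= p.archive_older_than:
            problems.append("Purge data older than must be greater than Archive data older than")
        if p.export_older_than is not None and p.purge_older_than <= p.export_older_than:
            problems.append("Purge data older than must be greater than Export data older than")
    return problems

def ages_archived(p: ArchivePolicy, horizon: int = 3650) -> range:
    """Ages (in days) that one run picks up; horizon is an arbitrary cap for this model."""
    upper = horizon
    if p.purge_older_than is not None:
        # Assumption: data at the purge age is archived once more, then purged.
        upper = min(upper, p.purge_older_than)
    if p.ignore_older_than is not None:
        # Assumption: "Ignore data older than N" excludes age N and above.
        upper = min(upper, p.ignore_older_than - 1)
    return range(p.archive_older_than, upper + 1)

def days_archived(p: ArchivePolicy, today: date) -> List[date]:
    """Calendar days whose data a run on `today` would archive."""
    return [today - timedelta(days=age) for age in ages_archived(p)]

def copies_per_day(p: ArchivePolicy) -> int:
    """With a daily schedule, each day's data is archived once per age in the window."""
    return len(ages_archived(p))
```

With Archive set to 1 day, Ignore left blank and Purge set to 30 days, copies_per_day returns 30; setting Ignore to 2 days reduces it to 1.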
After selecting SCP or FTP in an archive or backup configuration panel, the following information must be provided:
In the Host box, enter the IP address or host name of the host to receive the archived data.
In the Directory box, identify the directory in which the data is to be stored. How you specify this depends on whether the file transfer method used is FTP or SCP.
For FTP: Specify the directory relative to the FTP account home directory.
For SCP: Specify the directory as an absolute path.
In the Username box, enter the user name for logging onto the SCP or FTP server. This user must have write/execute permissions for the directory specified in the Directory box (above).
In the Password box, enter the password for the above user, then enter it again in the Re-enter Password box.
Return to the archiving or backup procedure to complete the configuration.
After selecting EMC Centera in an archive or backup configuration panel, the following information must be provided:
In the Retention box, enter the number of days to retain the data. The maximum is 24855 (68 years). If you want to save it for longer, you can restore the data later and save it again.
In the Centera Pool Address box, enter the Centera Pool Connection String; for example:
10.2.3.4,10.6.7.8?/var/centera/profile1_rwe.pea
Click the Upload PEA File button to upload a Centera PEA file to be used for the connection string.
Note: If the message "Cannot open the pool at this address.." appears, check the length of the Guardium appliance host name. A timeout issue has been reported with Centera when using host names that are less than four characters in length.
Click the Apply button to save the configuration. The system will attempt to verify the Centera address by opening a pool using the connection string specified. If the operation fails, you will be informed and the configuration will not be saved.
Return to the archiving or backup procedure to complete the configuration.
Before archiving to a TSM server, a dsm.sys configuration file must be uploaded to the Guardium appliance, via the CLI. See import tsm config in the CLI Reference Appendix.
After selecting TSM in an archive or backup configuration panel, the following information must be provided:
In the Password box, enter the TSM password that this Guardium appliance will use to request TSM services, and re-enter it in the Re-enter Password box.
Optionally enter a Server name matching a servername entry in your dsm.sys file.
Optionally enter an As Host name.
Click the Apply button to save the configuration. When you click the Apply button, the system attempts to verify the TSM destination by sending a test file to the server using the dsmc archive command. If the operation fails, you will be informed and the configuration will not be saved.
Return to the archiving or backup procedure to complete the configuration.
Select Administration Console > Results Archive.
In the boxes following Archive results older than, specify a starting day for the archive operation as a number of days, weeks, or months prior to the current day, which is day zero. These are calendar measurements, so if today is April 24, all results created on April 23 are one day old, regardless of the time when the operation is performed. To archive results starting with yesterday’s data, enter the value 1, and select Day(s) from the list.
Optionally, use the boxes following Ignore results older than to control how many days of results will be archived. Any value specified here must be greater than the Archive results older than value.
Select a storage method radio button from the list below. Depending on how the appliance has been configured, one or more of these buttons may not be available. For a description of how to configure the archive and backup storage methods, see the description of the show and store storage-system commands in the CLI Appendix.
EMC CENTERA
TSM
SCP
FTP
Perform the appropriate procedure (below), depending on the storage method selected:
In the Comment box, optionally enter comments to be stored with the configuration.
Click Apply to verify and save the configuration changes. The system will attempt to verify the configuration by sending a test data file to that location.
If the operation fails, an error message will be displayed and the configuration will not be saved.
If the operation succeeds, the configuration will be saved.
To run or schedule the archive and purge operation, do one of the following:
Click the Run Once Now button to run the operation once.
Click the Modify Schedule button to schedule the operation to run on a regular basis. See Scheduling in the Common Tools book for instructions on using the general purpose scheduler.
Click Done when you are finished.
Before restoring from TSM, a dsm.sys configuration file must be uploaded to the Guardium appliance, via the CLI. See import tsm config in the CLI Reference Appendix.
Before restoring from EMC Centera, a PEA file must be uploaded to the Guardium appliance, via the Data Archive panel.
Before restoring or importing a file that was encrypted by a different Guardium appliance, make sure that the system shared secret used by the appliance that encrypted the file is available on this appliance (otherwise, it will not be able to decrypt the file). See About the System Shared Secret in the Guardium Administration Guide for more information.
To restore data:
Select Administration Console > Data Restore.
Enter a date in the From box, to specify the earliest date for which you want data.
Enter a date in the To box, to specify the latest date for which you want data.
In the Host Name box, optionally enter the name of the Guardium appliance from which the archive originated.
Click the Search button.
In the Search Results panel, mark the Select box for each archive you want to restore.
In the Don't purge restored data for at least box, enter the number of days that you want to retain the restored data on the appliance.
Click the Restore button.
Click Done when you are finished.
Select Administration Console > Archive Catalog.
Do one of the following:
To display catalog entries:
Enter a date in the From box, to specify the earliest date for which you want to display catalog entries.
Enter a date in the To box, to specify the latest date for which you want to display catalog entries.
Optionally enter a Host Name to identify the host on which the archive is stored.
Click the Search button.
To add a catalog entry:
Click the Add button.
Enter a File Name.
Enter a Host Name.
Enter the Path for the file. For FTP: specify the directory relative to the FTP account home directory; for SCP: specify the directory as an absolute path; for TSM: specify the directory as an absolute path of the original location.
Enter a User Name for access to this location.
Enter a Password for the above.
In the Retention box, enter the number of days this entry is to be kept in the catalog (the default is 365).
Select the Storage System on which the file is contained.
Click Accept.
To remove a catalog entry:
Open the catalog (see To display catalog entries, above).
Mark the Select box.
Click the Remove Selected button.
Click Done when you are finished.
Select Administration Console > Export Catalog.
From the Type list, select the type of catalog to export: Data Catalog or Results Catalog.
Select all of the definitions of this type to be exported.
To select multiple contiguous definitions: Click the mouse on the first definition to export, hold down the Shift key, and click the mouse on the last definition to export.
To select multiple non-contiguous definitions: Hold down the Ctrl key and click the mouse on each definition to be exported.
Click the Export button. Depending on your browser security settings, you may receive a warning message asking if you want to save the file or to open it using an editor.
Save the exported file in an appropriate location.
Click the Done button when you are finished.
Select Administration Console > Import Catalog.
Enter the name of the file containing the exported catalog entries, or click the Browse button to locate and select that file.
Click the Upload button. You are notified when the operation completes and the definitions contained in the file will be displayed.
Optionally repeat the previous two steps to upload additional files.
Click (Import this set of Definitions) to import a set of definitions, or click (Remove this set of Definitions without Importing) to remove the uploaded file without importing the definitions.
You will be prompted to confirm either action.
Click the Done button when you have finished importing or removing all uploaded files.