Backup and recovery considerations for EIM

 

You need to develop a backup and recovery plan for your Enterprise Identity Mapping (EIM) data to ensure that the data is protected and can be recovered should there ever be a problem with the directory server that hosts the EIM domain controller. There is also important EIM configuration information that you need to understand how to recover.

 


 

Backup and recovery of EIM domain data

How you save your EIM data depends on how you decide to manage this aspect of the directory server that acts as the domain controller for your EIM data.

One way to back up the data, especially for disaster recovery purposes, is to save the database library. By default, this is QUSRDIRDB. If changelog is enabled, you should also save the library QUSRDIRCL. The directory server on the system where you want to restore the library must have the same LDAP schema and configuration as the original directory server. The files that store this information are in /QIBM/UserData/OS400/DirSrv. Additional configuration data is stored in QUSRSYS/QGLDCFG (*USRSPC object) and QUSRSYS/QGLDVLDL (*VLDL object). To have a complete backup of everything for your directory server, save both libraries, the integrated file system files, and the QUSRSYS objects.

You may want to review Save and restore Directory Server information in the i5/OS® Information Center to learn more about how to save and restore essential directory server data.

For example, you could use an LDIF file to save all or part of the directory server contents. To back up the domain information for an IBM® Directory Server for iSeries™ domain controller, complete these steps:

  1. In iSeries Navigator, expand Network > Servers > TCP/IP.

  2. Right-click the IBM Directory Server, select Tools, then select Export file to display a page that allows you to specify what parts of the directory server contents to export to a file.

  3. Transfer the export file to the System i model that you want to use as your backup directory server.

  4. In iSeries Navigator on the backup server, expand Network > Servers > TCP/IP.

  5. Right-click the IBM Directory Server, select Tools, then select Import to load the contents of the transferred file to the new directory server.
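After the import, it is worth confirming that the backup server actually holds what the original export contained. The following is an added example, not part of the IBM documentation: it assumes you take a second export from the backup server and compares the two LDIF files entry by entry. The function names, the ignored timestamp attributes, and the sample data are assumptions made for illustration, and DN normalization is simplified (case and spacing only).

```python
import base64

IGNORED = {"createtimestamp", "modifytimestamp"}  # assumed to differ legitimately after import

def parse_ldif(text):
    """Parse LDIF content records into {normalized DN: {attr: set of byte values}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # RFC 2849 folding: leading space continues a line
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if not line.strip():
            dn = None                     # blank line ends the current record
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()
        # "attr:: value" is base64; decode so both encodings of a value compare equal
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip().encode()
        if name == "dn":
            dn = ",".join(p.strip() for p in value.decode().split(",")).lower()
            entries[dn] = {}
        elif dn is not None and name not in IGNORED:
            entries[dn].setdefault(name, set()).add(value)
    return entries

def compare_exports(source_text, restored_text):
    """Report entries lost, added or altered between the original export and a re-export."""
    src, dst = parse_ldif(source_text), parse_ldif(restored_text)
    return {
        "missing": sorted(set(src) - set(dst)),
        "extra": sorted(set(dst) - set(src)),
        "changed": sorted(d for d in set(src) & set(dst) if src[d] != dst[d]),
    }

# Constructed sample exports, not taken from a real EIM domain.
SOURCE = ("version: 1\n\ndn: o=example\no: example\n\n"
          "dn: cn=Example Domain,o=example\ndescription:: RUlNIGRvbWFpbg==\n\n"
          "dn: cn=jsmith,cn=Example Domain,\n o=example\ncn: jsmith\n")
RESTORED = ("dn: O=Example\no: example\ndescription: edited after import\n\n"
            "dn: cn=Example Domain, o=example\ndescription: EIM domain\n"
            "modifyTimestamp: 20240101000000Z\n")

if __name__ == "__main__":
    print(compare_exports(SOURCE, RESTORED))
```

An empty result in all three lists means the backup server's contents match the export; any entry under "missing" should be resolved before you rely on that server for recovery.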

Another method you may consider for saving your EIM domain data is to configure and use a replica directory server. All changes to EIM domain data are automatically forwarded to the replica directory server so that if the directory server that hosts the domain controller fails or loses EIM data, you can retrieve the data from the replica server.

How you configure and use a replica directory server varies depending on the type of replication model that you choose to use. For more information about replication and configuring the directory server for replication, see Replication and Manage replication in the i5/OS Information Center.

 

Backup and recovery of EIM configuration information

Should your system go down, you may need to restore EIM configuration information for that system. This information cannot be saved and restored easily across systems. These options are available to you to save and restore EIM configuration:

Additionally, consider and plan how to back up and recover your network authentication service data if you configured network authentication service as part of implementing a single signon environment.