Install the Vault Backup Utility

The Vault Backup utility provides a full backup for your Safes and Vaults. This enables you to retrieve them when necessary.

Before installation

Before you install the Vault Backup utility, make sure that the Backup utility machine has the following features and capabilities:

At least the same disk space as the Vault database.
The drive where the replicated files will be stored is NTFS.
Accessibility by the Password Vault using the Vault protocol.
Accessibility by your Enterprise backup system.
Physical security that only permits authorized users to access it.
Identical regional and language settings as the Vault machine.

Installation

The Vault Backup utility must be installed on a different machine to the Enterprise Password Vault server.

The name of the Vault Backup utility is PrivateArk Replicator. It is installed in the Replicate subfolder of the Server installation folder.

Backup utilities

During the PrivateArk Replicator installation, the following utilities are installed in the Replicate folder of the installation folder.

PAPrebackup – Prepares the Safes for backup
PAReplicate – Backs up the Safes
PARestore – Restores the Safes

PAPrebackup

The PAPrebackup utility prepares the Safes for backup by a third party backup agent. It carries out the prebackup procedure in the following way:

The metadata is stored in the Metadata sub-folder, and the data files are stored in the Data sub-folder. Before the backup procedure begins, the pre-backup procedure copies the metadata files to the ‘Metadata Backup’ folder. If a full backup is requested, a copy of the entire database is created and stored in the Metadata backup sub-folder. If an incremental backup is requested, MySQL binary logs that contain the changes made in the metadata since the last backup are copied to the Metadata backup sub-folder.

The backup process then copies the files from the ‘Metadata Backup’ and ‘Data’ folders without touching the original metadata files in the Metadata folder.

Any User who has the ‘Backup All Safes’ user authorization and the ‘Backup Safe’ authorization in specific Safes can issue the PAPrebackup command for those Safes. Use the Backup User to prepare the backup for the entire Vault.

PAPrebackup provides the following options:

PAPrebackup <Vaultfile>
<User[/password]>
[/LogonFromFile logonfile]
[/Full | /Incremental [/FullOnIncrementalFailure]]
[/BackupPoolName <BackupPoolName>]
/?

This usage is explained in the following table and examples:

Option Description
<Vaultfile> The file containing all the information about the Vault and the Safes within it. By default, this file is called Vault.ini.
<User> The name of the User issuing the command. This User must have the Backup Safe permission.
[/password] The password of the User specified above. If the User issues this command without specifying the password and without specifying the /LogonFromFile parameter, the User is prompted for it before the command is carried out.
[/LogonFromFile] The pathname of a user credentials file containing an encrypted password that the utility will use to log on instead of a password.
Note: The password in this credentials file is changed after every logon.
[/Full] Generates a full metadata backup. This will generate a complete database backup in the Metadata Backup folder.
[/Incremental] Generates an incremental metadata backup. This will copy relevant MySQL binary logs to the Metadata Backup folder.
[/FullOnIncrementalFailure] Prepares a full backup if an incremental backup fails instead of simply displaying an error message.
[/BackupPoolName] Specifies a Backup Pool Name. This is used when there are a number of backup sets for a Vault, or a number of clients used to backup the server. The Pool Name can be specified in the restore process, enabling you to distinguish between different backup sets.
/? Displays the list of options available with this utility.

PAPreBackup maintains its own ini file. If neither /Full nor /Incremental is specified, PAPreBackup will attempt to generate an incremental backup. It will only generate a full backup if this utility has never been used before.

For example:

Paprebackup C:\PrivateArk\Server\Conf\Vault.ini Backup/Asdf1234 /full

The above example will generate a complete metadata backup in the Metadata folder. The utility will take all the relevant information about the Vault from the Vault.ini file stored in C:\PrivateArk\Server\Conf. This command is issued by the Backup User, using the Backup User password, which is ‘Asdf1234’.

As this example will generate a full backup, it would be scheduled to be executed regularly, according to the organization’s backup policy.

PAReplicate

The PAReplicate utility copies the Safe files from the Vault to a specified computer on the network in a similar structure to that in the Safes folder.

Any User who has the ‘Backup All Safes’ user authorization and the ‘Backup Safe’ authorization in specific Safes can issue this command for those Safes. Use the Backup User to replicate the entire Vault.

You can use PAReplicate to backup a specific Safe or a group of Safes. When using the specific backup, the requested Safe data files are copied to the specified location in the same format as they are stored in the server, and the Vault’s Metadata Backup is copied to the specified location in the Metadata sub‑folder.

PAReplicate can be used as a local backup or as the first step in a backup procedure being carried out by an application that the Vault does not recognize and therefore would not be allowed to cross the firewall.

When PAReplicate is executed, it automatically carries out a pre-backup procedure, and there is no need to run PAPreBackup separately.

PAReplicate provides the following options:

PAReplicate <VaultFile>
<User [/password]>
[/LogonFromFile logonfile]
[/SafesPattern pattern]
[/MetadataReplicateFromHour <FromHour>]
[/MetadataReplicateToHour <ToHour>]
[/MetadataOnly | /DataOnly]
[/FullBackup]
[/IncludeUnmodifiedSafesData]
[/BackupPoolName BackupPoolName]
[/TsParmFile TsParmFilePath]
[/IniFile IniFilePath]
[/EnableTrace]
/?

This usage is explained in the following table and examples:

Option Description
<Vaultfile> The file containing all the information about the Vault and the Safes within it. By default, this file is called Vault.ini.
<User> The name of the User issuing the command. This User must have the Backup Safe permission.
[/password] The password of the User specified above. If the User issues this command without specifying the password and without specifying the /LogonFromFile parameter, the User is prompted for it before the command is carried out.
[/LogonFromFile] The pathname of a user credentials file containing an encrypted password that the utility will use to log on instead of a password.
Note: The password in this credentials file is changed after every logon.
[/Safespattern] The complete name or part of the Safe to backup. You can use wildcards to specify more than one Safe. If you do not use this parameter, all Safes in the Vault will be replicated.
/MetadataReplicateFromHour Replicates the metadata from a specific hour.
/MetadataReplicateToHour Replicates the metadata until a specific hour.
/MetadataOnly Replicates only the metadata backup files, not the data files.
/DataOnly Replicates only the data files, not the metadata.
/FullBackup Forces a full backup (instead of the default incremental backup).
/IncludeUnmodifiedSafesData During replication, do NOT skip Safes that were not modified/accessed since the previous data replication. This parameter is used to force PAReplicate to replicate Safes data that was previously replicated but that was deleted.
/BackupPoolName Specifies a Backup Pool Name. This is used when there are a number of backup sets for a Vault, or a number of clients used to backup the server. The Pool Name can be specified in the restore process, enabling you to distinguish between different backup sets.
/TsParmFile Specifies an alternative TSParm.ini file. The TSParm.ini file specifies the target Safe folder for the replication process. This is used when a client is used to replicate several Vault machines, so each can have its own replicated Safes folder structure.
/IniFile Specifies an alternative PAReplicate.ini file. The PAReplicate.ini file maintains replication status, and is managed by PAReplicate. This is used when a client is used to replicate several Vault machines, so each can have its own replicated Safes folder structure.
/EnableTrace Enables a high level of tracing in the PAReplicate.log file.
/? Displays the list of options available with this utility.

PAReplicate maintains its own ini file. If /FullBackup is not specified, PAReplicate will attempt to generate an incremental backup. It will only generate a full backup if this utility has never been used before or if a failure occurs.

For example:

Pareplicate C:\PrivateArk\Server\Conf\Vault.ini /logonfromfile backupuser.ini /FullBackup

The above example will replicate the Safes from the Vault to the location specified in the TSParm.ini file. The utility would take all the relevant information about the Vault from the Vault.ini file stored in C:\PrivateArk\Server\Conf and the logon credentials of the user who will access the Vault from the ‘backupuser.ini’ credentials file, which is stored in the same location as the ‘pareplicate’ utility.

As no Safespattern parameter is specified, all the Safes in the Vault will be replicated.

As this example will generate a full metadata backup, it would be scheduled to be executed regularly, according to the organization’s backup policy.
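An added example, not part of the CyberArk documentation: a PowerShell wrapper for a scheduled PAReplicate run that checks the "Before installation" drive requirements and logs on with /LogonFromFile, so that no password appears on the command line or in the scheduled task definition as it does in the Backup/Asdf1234 example. The executable name PAReplicate.exe, the install folder, the target drive letter, the database size and the meaning of the exit code are assumptions.

```powershell
# Added example (not CyberArk code): preflight checks, then PAReplicate with /LogonFromFile.
param(
    [string]$ReplicateDir = 'C:\PrivateArk\Replicate',             # assumed install folder
    [string]$VaultIni     = 'C:\PrivateArk\Server\Conf\Vault.ini', # path from the page's example
    [string]$LogonFile    = 'backupuser.ini',                      # credentials file from the page's example
    [string]$TargetDrive  = 'D',                                   # assumed drive for replicated files
    [long]$VaultDbBytes   = 50GB,                                  # placeholder: size of your Vault database
    [switch]$FullBackup,
    [switch]$MetadataOnly,
    [switch]$DataOnly
)
$ErrorActionPreference = 'Stop'

# /MetadataOnly and /DataOnly are alternatives in the documented usage.
if ($MetadataOnly -and $DataOnly) { throw 'Specify /MetadataOnly or /DataOnly, not both.' }

# "Before installation" requirements: NTFS target drive, space at least the Vault database size.
# Free space is used here as the conservative reading of "disk space" (assumption).
$drive = [System.IO.DriveInfo]::new($TargetDrive)
if (-not $drive.IsReady)           { throw "Drive $TargetDrive is not ready." }
if ($drive.DriveFormat -ne 'NTFS') { throw "Drive $TargetDrive is $($drive.DriveFormat), not NTFS." }
if ($drive.AvailableFreeSpace -lt $VaultDbBytes) {
    throw "Drive $TargetDrive has less free space than the Vault database size."
}

$exe = Join-Path $ReplicateDir 'PAReplicate.exe'   # assumed executable name
Push-Location $ReplicateDir                        # credentials file sits beside the utility
try {
    if (-not (Test-Path -LiteralPath $LogonFile)) { throw "Credentials file $LogonFile not found." }
    # Build the argument list from documented options only; never pass User/password inline.
    $paArgs = @($VaultIni, '/LogonFromFile', $LogonFile)
    if ($FullBackup)   { $paArgs += '/FullBackup' }
    if ($MetadataOnly) { $paArgs += '/MetadataOnly' }
    if ($DataOnly)     { $paArgs += '/DataOnly' }
    & $exe @paArgs
    $code = $LASTEXITCODE
} finally {
    Pop-Location
}
# Assumption: a nonzero exit code means failure; the page does not document exit codes.
if ($code -ne 0) { throw "PAReplicate exited with code $code; see PAReplicate.log." }
```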

Logging

Each time PAReplicate is run, the Vault creates a log file that records the process. This file, called PAReplicate.log, is stored in the PrivateArk\Replicate folder on the machine where the utility is run, usually the DR machine. When the log file reaches 100MB, it will automatically be moved into the Logs\Old subfolder and a new log file will be created.

To enable a high level of tracing in the PAReplicate.log, specify the /EnableTrace parameter in the PAReplicate utility. As most of the information required for simple troubleshooting is regularly saved in the log file, this parameter is only necessary for advanced troubleshooting.

In addition, critical log messages are copied to the Microsoft Event log.

PARestore

The PARestore utility enables you to restore Safes that have previously been either replicated or backed up to the Vault.

The Safe data files are restored to the PrivateArk\Restored Safes folder in the same structure as that in which they were backed up. After the metadata backup files are restored to the PrivateArk\Restored Safes\Metadata folder, a synchronization procedure will take place, after which users will be able to work with the files immediately.

When you restore a single Safe, its original Owners are not restored with the Safe data. Safe members must be added manually.

Only Users with the ‘Restore All Safes’ authorization in the Vault can restore a Safe. For more information, refer to Required access rights.

For information about restoring the Vault, refer to the Privileged Access Security Implementation Guide.

Following the installation

Privileged Access Security 11.1