How to create and restore a LoadMaster Configuration or Certificate Backup
This article provides further information on the backup and restore options in the Kemp LoadMaster.
Intended Audience
This article is intended to be used by anyone interested in finding out more information about the backup and restore functionality in the LoadMaster.
This Knowledge Base article consists of the following parts:
- System Backup and Restore
- SSL Certificate Backup and Restore
- Automated Backups
- Preparing the Remote Host for Automated Backups using SCP
1 System Backup and Restore
You can back up and restore the LoadMaster configuration settings as needed. You can take manual backups, but you can also save backups to a remote server. The complete configuration (the Virtual Service, GEO, Edge Security Pack (ESP), and base configuration) of the LoadMaster is saved to a single file on the server along with statistical data.
The server must be running an FTP daemon or an SSH daemon. By default, the remote protocol is FTP but that can be changed to SCP.
You can configure automated backups daily or weekly.
Create a Backup File
Generate a backup that contains the Virtual Service configuration, the local appliance information, and statistics data. The backup does not contain license information and SSL certificate information.
For ease of identification, the backup file name includes the LoadMaster's hostname.
- Open the Web User Interface (WUI) of the LoadMaster to back up.
- Navigate to System Configuration > System Administration > Backup/Restore.
- Click Create Backup File.
The backup file downloads. The backup filename includes a date and timestamp.
Note: SSL certificates are not included in this backup. To back up the certificates, refer to the SSL Certificate Backup and Restore section.
By default, the LoadMaster includes a Netstat output in backups. When this is included, backups take longer to complete. You can stop including the Netstat output by disabling the Include Netstat in Backups option in the Debug Options screen (System Configuration > Logging Options > System Log Files > Debug Options).
Restore Backup File
When restoring a configuration, you specify what parts of the configuration should be restored:
- The Virtual Service configuration only
- The LoadMaster base configuration only
- The GEO Configuration only
- The ESP SSO configuration only
- A combination of the Virtual Service, GEO, ESP, and/or LoadMaster base configuration
Base configuration - Contains the information about the basic configuration of the LoadMaster, that is, the IP addresses of the various interfaces and the keyboard and time zone settings.
Virtual Service configuration - Contains only the settings relating to the Virtual Services and the Real Servers.
GEO configuration - Contains only the settings relating to the GEO configuration.
ESP SSO configuration - Stores the SSO domains, LDAP endpoints, and SSO custom image sets. This does not restore the Virtual Service settings - use the VS Configuration option to restore those.
Steps to follow:
- Open the WUI of the LoadMaster to restore the settings.
- Navigate to System Configuration > System Administration > Backup/Restore.
- Click Choose File.
- Browse to and select the backup file.
- Select which configuration settings you want to restore.
Note: Restoring the base configuration changes the IP address of the LoadMaster to the IP address of the LoadMaster that was backed up.
- Click Restore Configuration.
A reboot of the appliance is required only if the base configuration is restored.
It is not possible to restore a single machine configuration onto a High Availability (HA) machine or restore an HA configuration onto a single machine.
When performing a restore on the standby machine of an HA cluster, only the base configuration can be restored. The Virtual Service configuration is taken from the active machine.
It is not possible to restore a configuration with ESP-enabled Virtual Services onto a machine that is not enabled for ESP.
2 SSL Certificate Backup and Restore
Refer to the sections below for details on backing up and restoring SSL certificates.
SSL Certificates Backup
To back up an SSL certificate, you need to create a Passphrase for it.
Passphrase - Used to create and restore the SSL certificate.
Create Backup File - Backup all the Virtual Services and intermediate certificates.
- Go to Certificates & Security > Backup/Restore Certs.
- In the Certificate Backup section, type a Passphrase.
Note: The passphrase must be alpha-numeric. It is case sensitive. A maximum of 64 characters is allowed.
Note: This passphrase will be required when restoring the backup. If it is forgotten, there is no way to restore the certificate(s).
- Type the same passphrase again in the Retype Passphrase text box.
- Click Create Backup File.
SSL Certificates Restore
When restoring the SSL Certificate, you must enter the Passphrase defined when the backup was performed.
Backup File - Select the SSL certificate backup file.
Which Certificates - Select the restore options: All Virtual Service and Intermediate Certs, Intermediate Certificates only, and Virtual Service certificates only.
Restore Certificates - Restore the selected certificate.
- Go to Certificates & Security > Backup/Restore Certs.
- In the Restore Certificates section, choose the SSL certificate file.
- Choose Which Certificates you want to restore.
- Enter the Passphrase.
- Click Restore Certificates.
3 Automated Backups
If the Enable Automated Backups check box is selected, the system may be configured to perform daily or weekly automated backups.
For ease of identification, the backup file name includes the LoadMaster's hostname.
If the automated backups are not performed at the correct time, ensure the NTP settings are configured correctly.
When to perform backup
Specify the time (24-hour clock) of the backup. Also select whether to back up daily or on a specific day of the week. When ready, click Set Backup Time.
In some situations, spurious error messages may be displayed in the system logs, such as:
Dec 8 12:27:01 KEMP_1 /usr/sbin/cron[2065]: (system) RELOAD (/etc/crontab)
Dec 8 12:27:01 KEMP_1 /usr/sbin/cron[2065]: (CRON) bad minute (/etc/crontab)
These can be safely ignored and the automated backup will likely still complete successfully.
Backup Method
Select the file transfer method for automated backups:
- Ftp (insecure)
- scp (secure)
- sftp (secure)
If using SCP, you must supply the Private Key File.
Remote User
Set the username required to access the remote host.
Private Key File
If using SCP as the backup method, the Private Key File must be provided. This is the SSH private key generated using ssh-keygen on the remote SCP server.
Remote password
The Remote password is used when the Backup Method is set to Ftp (insecure). Set the password required to access the remote host. This field accepts alphanumeric characters and most non-alphanumeric characters. Disallowed characters are as follows:
- Control characters
- ' (apostrophe)
- ` (grave)
- The delete character
Remote host - Set the remote host name.
Remote Pathname - Set the location on the remote host to store the file.
Test Automated Backups
Clicking Test Backup performs a test to check if the automated backup configuration is working correctly. You can view the results of the test within the System Message File.
4 Preparing The Remote Host For Automated Backups Using SCP
To prepare the remote host for automated backups using SCP, perform the following steps from the remote server that the LoadMaster backups will be sent to:
- Run the ssh-keygen command to generate the public/private RSA key pair.
- Do not assign a passphrase (leave the value empty).
- By default, the following files are created in the /home/user/.ssh/ directory:
  - id_rsa (private key file) - this file will be uploaded to the LoadMaster.
  - id_rsa.pub (public key file) - this value must be copied into the appropriate files on the remote host.
- Run the ssh-copy-id command to copy the public key information into the authorized_keys and known_hosts files: ssh-copy-id user@server.
- The /home/user/.ssh directory now has the following files:
  - authorized_keys
  - id_rsa
  - id_rsa.pub
  - known_hosts
- Export the private key (id_rsa) from the server.
- Upload the private key (id_rsa) as the Private Key File in the LoadMaster.
- Create a backup directory on the server and enter this path as the Remote Pathname in the LoadMaster, for example, /home/user/LMbackups.
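Because the private key is created without a passphrase, file permissions on the remote host are its only protection there. The following check is an added example, not part of the Kemp documentation: it audits the files the steps above produce before id_rsa is uploaded. The function names audit_backup_host and mode_bits are hypothetical, and the paths are the article's example paths.

```shell
#!/bin/sh
# Added example: audit the SCP backup account on the remote host.
# Usage: audit_backup_host /home/user/.ssh /home/user/LMbackups

# mode_bits PATH -> the nine permission characters from ls, e.g. rw-------
mode_bits() { ls -ld "$1" | cut -c2-10; }

# audit_backup_host SSH_DIR BACKUP_DIR
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_backup_host() {
    ssh_dir=$1; backup_dir=$2; rc=0

    # The key has no passphrase, so group/other must have no access at all.
    for f in "$ssh_dir" "$ssh_dir/id_rsa"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$(mode_bits "$f" | cut -c4-9)" != "------" ]; then
            echo "TOO-OPEN $f ($(mode_bits "$f")): remove group/other access"; rc=1
        fi
    done

    # sshd with StrictModes (the default) rejects an authorized_keys file
    # that group or other can write to.
    ak="$ssh_dir/authorized_keys"
    if [ ! -f "$ak" ]; then
        echo "MISSING $ak"; rc=1
    else
        case "$(mode_bits "$ak")" in
            ????w????|???????w?) echo "WRITABLE $ak: chmod 600"; rc=1 ;;
        esac
        # The generated public key must be listed, or the login will fail.
        if [ -f "$ssh_dir/id_rsa.pub" ] && ! grep -qxFf "$ssh_dir/id_rsa.pub" "$ak"; then
            echo "NOT-AUTHORISED id_rsa.pub is not in $ak"; rc=1
        fi
    fi

    # The Remote Pathname must exist and be writable by the backup user.
    if [ ! -d "$backup_dir" ] || [ ! -w "$backup_dir" ]; then
        echo "BACKUP-DIR $backup_dir missing or not writable"; rc=1
    fi
    return $rc
}
```

Run it as the Remote User on the backup server; an empty result with exit status 0 means the key files and backup directory match what the procedure expects.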