Novell IDM Fail-Over

Provide Backup and Recovery#

This is a critical problem that needs immediate attention.

Backup Admin Accounts#

As a best practice, the following is recommended:

Create a backup admin account#

Create a backup admin account so recovery can be done if the primary admin account is lost due to:
    • a bad password
    • deletion
    • a corrupted entry
    • any other cause

Create separate accounts for each application#

    • Grant rights only as needed.
    • Do not use ADMIN accounts.

Use Groups to Manage Rights#

Create groups for the various application accounts and add the ACL to the groups. As a general rule, never assign rights to a single user entry.

All groups or backup admins with higher privileges than a normal user should be created only in the admins container.

NDS Backup and Recovery#

For NDS backup and recovery on all IDV and AUTH (LDAP) servers, our recommendation is that the following commands (or something similar) be scheduled as appropriate for your organization's environment.

Review Novell's Documentation.#


Full backup once a week; this could be done on the weekend (Windows shown here)#

...\Novell\NDS\dhostcon.exe 10.###.###.### load dsbk backup -b -e secretNICIpassword  -f X:\backup\2010-11-01-03-full.bac -l E:\novell\logs\backup\2010-11-01-03-dsbackup-full.log -t -w

Incremental backup at least once a day (Windows shown here)#

...\Novell\NDS\dhostcon.exe 10.###.###.### load dsbk backup -i -f X:\backup\2010-11-01-01-incremental.bac -l E:\novell\logs\backup\2010-11-01-01-dsbackup-incremental.log -t -w

The output of the log files should be reviewed, and recovery of a system should be performed to ensure confidence in the restore procedure.

These commands can be placed in a suitable "script" file and run through the "Windows Task Scheduler".
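One way to wrap the two commands above for the Task Scheduler, as an added example that is not part of the original page or Novell's own tooling. It uses only the dsbk options shown above and reads the NICI password from a DPAPI-protected file instead of hard-coding it. The install path, server address, credential file, full-backup day, file-name stamp and exit-code behaviour are placeholders or assumptions.

```powershell
# Added example: Task Scheduler wrapper for the two dsbk commands on this page.
param(
    [string]$DhostCon   = '<install-path>\Novell\NDS\dhostcon.exe', # placeholder: path is elided on the page
    [string]$Server     = '<server-ip>',                            # placeholder: address is masked on the page
    [string]$BackupDir  = 'X:\backup',
    [string]$LogDir     = 'E:\novell\logs\backup',
    [string]$NiciPwFile = 'D:\secure\nici-backup.xml',              # hypothetical DPAPI-protected credential file
    [DayOfWeek]$FullDay = 'Sunday'                                  # assumed day for the weekly full backup
)
$ErrorActionPreference = 'Stop'

# Fail early if a target directory is missing (for example, an unmounted backup volume).
foreach ($dir in $BackupDir, $LogDir) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { throw "Missing directory: $dir" }
}

# Dated names; the date-hour stamp is this example's own naming scheme.
$stamp  = Get-Date -Format 'yyyy-MM-dd-HH'
$isFull = (Get-Date).DayOfWeek -eq $FullDay
$kind   = if ($isFull) { 'full' } else { 'incremental' }
$bak    = Join-Path $BackupDir "$stamp-$kind.bac"
$log    = Join-Path $LogDir    "$stamp-dsbackup-$kind.log"

# Only options that appear in the commands above are used.
$dsbk = @($Server, 'load', 'dsbk', 'backup')
if ($isFull) {
    # The password is decrypted at run time instead of being stored in the script or task.
    # It is still visible in the process command line while dhostcon runs.
    $cred  = Import-Clixml -LiteralPath $NiciPwFile
    $dsbk += @('-b', '-e', $cred.GetNetworkCredential().Password)
} else {
    $dsbk += '-i'
}
$dsbk += @('-f', $bak, '-l', $log, '-t', '-w')

& $DhostCon @dsbk
$code = $LASTEXITCODE

# Assumption: dhostcon signals failure with a non-zero exit code.
if ($code -ne 0) {
    Write-Warning "dhostcon exited with code $code for the $kind backup"
    exit $code
}
Write-Output "Requested $kind backup: $bak (review $log)"
```

Create the credential file once, as the account the scheduled task runs under, with `Get-Credential | Export-Clixml`, and restrict its NTFS permissions to that account. A zero exit code here does not replace reviewing the log file and testing a restore.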

NAM Backup and Recovery#

Review Novell's documentation#


For the NAM environments there is a Novell-provided script,

C:\Program Files\Novell\bin\ambkup.bat
that can also, with minor modification, be run through the "Windows Task Scheduler".

This should execute on the NAM primary Administration Console servers. The batch file will prompt for passwords and authentication, so typically this file would be copied and modified to prevent the prompting.

Be careful, as Novell upgrades will overwrite the existing script and may make changes to the operation of the script.

The backup script backs up the objects in the ou=accessManagerContainer.o=novell container. It does not back up the following:

  • Admin user account and password
  • Delegated administrator accounts, their passwords, or rights
  • Role Based Services (RBS) configuration - Delegated Admins
  • Modified configuration files on the devices such as the web.xml file
  • Local files installed on devices such as touch files or log files
  • Custom login pages, custom error pages, or custom messages as identified:
  • You need to perform your own backup of custom or modified configuration files.

NAM Custom Files#

Finally, most organizations have several customized JSP files, Java program files, or custom messages, used in at least NAM and the User Application. These should be documented in a well-known place, and the source code should be managed for changes, so that it is known which file needs to be installed where when building another environment and for general troubleshooting.

As these files are NOT backed up by Novell scripts and will probably be overwritten by a NAM upgrade, backing up the NAM Custom Files should be done as described below:

  • IDP Backup
  • LAG Backup
