Manage protection of cloud native application data

Contributors netapp-soumikd

Monitor jobs

You can monitor the status of the jobs that have been initiated in your working environments. This allows you to see the jobs that have completed successfully, those currently in progress, and those that have failed so you can diagnose and fix any problems.

You can view a list of all the operations and their status. Each operation, or job, has a unique ID and a status. The status can be:

  • Successful

  • In Progress

  • Queued

  • Warning

  • Failed

Steps

  1. Click Backup & Restore.

  2. Click Job Monitoring

    You can click the name of a job to view details corresponding to that operation. If you are looking for specific job, you can:

    • use the time selector at the top of the page to view jobs for a certain time range

    • enter a part of the job name in the Search field

    • sort the results by using the filter in each column heading

View backup details

You can view total number of backups created, policies used for creating backups, database version, and agent ID.

  1. Click Backup & Restore > Applications.

  2. Click icon to select the action corresponding to the application and click View Details.

Important The agent ID is associated to the Connector. If a Connector that was used during registering the Oracle database host no longer exists, the subsequent backups of that application will fail because the agent ID of the new Connector is different. You should run the connector-update API to modify the agent ID.

Update the Connector Details

If a Connector that was used during registering the Oracle database host no longer exists or is corrupted in AWS, you should deploy a new connector. After deploying the new connector, you should run the connector-update API to update the Connector details.

curl --location --request PATCH 'https://snapcenter.cloudmanager.cloud.netapp.com/api/oracle/databases/connector-update' \
--header 'x-account-id: <CM account-id>' \
--header 'x-agent-id: <connector Agent ID >' \
--header 'Authorization: Bearer token' \
--header 'Content-Type: application/json' \
--data-raw '{
"old_connector_id": "Old connector id that no longer exist",
"new_connector_id": "New connector Id"
}

After updating the Connector details, you should connect to the Oracle database host and perform the following steps:

  1. Obtain the plug-in information running on the Oracle database host.
    rpm -qi netapp-snapcenter-plugin-oracle

  2. Uninstall the plug-in.
    sudo /opt/NetApp/snapcenter/spl/installation/plugins/uninstall

  3. Verify that the plug-in is uninstalled successfully.
    rpm -qi netapp-snapcenter-plugin-oracle

After uninstalling the plug-in, you can deploy the plug-in. Learn more.

Configure CA signed certificate

You can configure CA signed certificate if you want to include additional security to your environment.

Configure CA signed certificate for client certificate authentication

The connector uses a self-signed certificate to communicate with plug-in. The self-signed certificate is imported to the keystore by the installation script. You can perform the following steps to replace the self-signed certificate with CA signed certificate.

What you will need

You can run the following command to get the <base_mount_path>:
sudo docker volume ls | grep scs_cloud_volume | awk {'print $2'} | xargs sudo docker volume inspect | grep Mountpoint

Steps

  1. Login to Connector.

  2. Delete all the existing files located at <base_mount_path>/client/certificate in the Connector virtual machine.

  3. Copy the CA signed certificate and key file to the <base_mount_path>/client/certificate in the Connector virtual machine.

    The file name should be certificate.pem and key.pem. The certificate.pem should have the entire chain of the certificates like intermediate CA and root CA.

  4. Create the PKCS12 format of the certificate with the name certificate.p12 and keep at <base_mount_path>/client/certificate.

  5. Copy the certificate.p12 and certificates for all the intermediate ca and root ca to the plug-in host at /var/opt/snapcenter/spl/etc/.

  6. Log in to the plug-in host.

  7. Navigate to /var/opt/snapcenter/spl/etc and run the keytool command to import the certificate.p12 file.
    keytool -v -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS -srcstorepass snapcenter -deststorepass snapcenter -srcalias agentcert -destalias agentcert -noprompt

  8. Import the root CA and intermediate certificates.
    keytool -import -trustcacerts -keystore keystore.jks -storepass snapcenter -alias trustedca -file <certificate.crt>

    Note The certfile.crt refers to the certificates of root CA as well as intermediate CA.
  9. Restart SPL: systemctl restart spl

Configure CA signed certificate for server certificate of plug-in

The CA certificate should have the exact name of the Oracle plug-in host with which the Connector virtual machine communicates.

What you will need

You can run the following command to get the <base_mount_path>:
sudo docker volume ls | grep scs_cloud_volume | awk {'print $2'} | xargs sudo docker volume inspect | grep Mountpoint

Steps

  1. Perform the following steps on the plug-in host:

    1. Navigate to the folder containing the SPL’s keystore /var/opt/snapcenter/spl/etc.

    2. Create the PKCS12 format of the certificate having both certificate and key with alias splkeystore.

    3. Add the CA certificate.
      keytool -importkeystore -srckeystore <CertificatePathToImport> -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS -srcalias splkeystore -destalias splkeystore -noprompt

    4. Verify the certificates.
      keytool -list -v -keystore keystore.jks

    5. Restart SPL: systemctl restart spl

  2. Perform the following steps on the Connector:

    1. Log in to the Connector as non-root user.

    2. Copy the entire chain of CA certificates to the persistent volume located at <base_mount_path>/server.

      Create the server folder if it does not exist.

    3. Connect to the cloudmanager_scs_cloud and modify the enableCACert in config.yml to true.
      sudo docker exec -t cloudmanager_scs_cloud sed -i 's/enableCACert: false/enableCACert: true/g' /opt/netapp/cloudmanager-scs-cloud/config/config.yml

    4. Restart cloudmanager_scs_cloud container.
      sudo docker restart cloudmanager_scs_cloud

Access REST APIs

The REST APIs to protect the applications to cloud is available here.

You should obtain the user token with federated authentication to access the REST APIs. For information to obtain the user token, refer to Create a user token with federated authentication.