Backing up an OpenAM server

To back up an OpenAM configuration, you should both back up the physical files and export the configuration. It is also good practice to schedule a regular LDIF dump of the configuration LDAP server tree. Details follow.


You should come up with file system path standards for your OpenAM and OpenDJ installations, including a standard for the configuration directory that differs from the default.

For example:

/opt/openam/[instance_name]-server

If the name of the server was “testam”, this would translate to:

/opt/openam/testam-server

Use tar to back up these files to an appropriate place.

tar -czf /data/backup/testam-server.tgz -C /opt/openam testam-server

Exporting an OpenAM configuration is performed using the ssoadm utility (see my post on OpenAM Tools for where to get this).

ssoadm export-svc-config \
  -e XXXXXXXXXXXXXXXXXXXXXXXXXX \
  -u amAdmin \
  -f $OPENAM_HOME/config/pwd.txt \
  -o /data/backup/openam/server-node1-cfg.xml

“-e” is the password encryption key for the subject server. See Keys in OpenAM for where to find it.

“-u” is the administrative user, usually amAdmin.

“-f” is the full path to the admin user’s password file. “$OPENAM_HOME” is an environment variable I set with my own standard “openam.env” file in the application server system user’s home directory (in my case “tomcat6”).

“-o” is the full path to the export file.

When backing up, you should substitute the actual server name for “node1” to keep your exports straight (for example, “server-testam-cfg.xml”).

Dumping the configuration LDAP server tree is performed using the ldapsearch command:

ldapsearch -h test.example.com -p 1389 -D "cn=directory manager" \
  -w xxxxxxxx -b "dc=opensso,dc=java,dc=net" -s sub \
  "(objectclass=*)" >/data/backup/opendj/testam-server.ldif

The ldapsearch command used is what ships with OpenDJ. In my builds I create a ds-app1.env file in the opendj system user’s home that can be used to automatically put this in your path when sourced.
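
The three steps above combined into one script that can be scheduled, as an added example that is not part of the original post. AM_KEY_FILE, DS_HOST, DS_PORT and DS_PWD_FILE are assumed variable names, the date-stamped file names are an addition, and -j is the bind-password-file option of the ldapsearch that ships with OpenDJ.

```shell
#!/bin/sh
# Added example: the post's three backups as one cron-friendly script.
# AM_KEY_FILE, DS_HOST and DS_PWD_FILE are assumed names, not from the post.
INSTANCE=${INSTANCE:-testam}
AM_PARENT=${AM_PARENT:-/opt/openam}
BACKUP_ROOT=${BACKUP_ROOT:-/data/backup}
STAMP=${STAMP:-$(date +%Y%m%d-%H%M%S)}
umask 077   # exports contain configuration secrets: owner-only files

# Archive the instance directory and print the archive path.
backup_files() {
    out="$BACKUP_ROOT/$INSTANCE-server-$STAMP.tgz"
    tar -czf "$out" -C "$AM_PARENT" "$INSTANCE-server" ||
        { rm -f "$out"; return 1; }          # no partial archives left behind
    tar -tzf "$out" >/dev/null || return 1   # archive must be readable
    echo "$out"
}

# Export the service configuration (same ssoadm flags as in the post).
# The key is read from a file so it is not stored in this script.
backup_config() {
    out="$BACKUP_ROOT/openam/server-$INSTANCE-cfg-$STAMP.xml"
    ssoadm export-svc-config -e "$(cat "$AM_KEY_FILE")" -u amAdmin \
        -f "$OPENAM_HOME/config/pwd.txt" -o "$out" || return 1
    echo "$out"
}

# Dump the configuration tree; -j takes the bind password from a file.
backup_ldif() {
    out="$BACKUP_ROOT/opendj/$INSTANCE-server-$STAMP.ldif"
    ldapsearch -h "$DS_HOST" -p "${DS_PORT:-1389}" -D "cn=directory manager" \
        -j "$DS_PWD_FILE" -b "dc=opensso,dc=java,dc=net" -s sub \
        "(objectclass=*)" >"$out" || { rm -f "$out"; return 1; }
    grep -q '^dn: ' "$out" || return 1       # dump must contain entries
    echo "$out"
}

run_backup() {
    mkdir -p "$BACKUP_ROOT/openam" "$BACKUP_ROOT/opendj" || return 1
    backup_files && backup_config && backup_ldif
}

# Run only when invoked as "script run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then run_backup; fi
```

Schedule it with the argument "run" under the account that owns the OpenAM files. The encryption key still appears in the ssoadm process arguments while the export runs, so keep shell access to the host restricted.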