如何从ISE导出配置和操作数据备份

下载选项

  • PDF     (650.2 KB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (511.9 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (449.7 KB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2020 年 6 月 4 日
文档 ID:215355

非歧视性语言

此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

    简介

    本文档介绍如何获取身份服务引擎(ISE)的按需配置数据和操作数据备份。

    先决条件

    要求

    Cisco 建议您了解以下主题:

    • 身份服务引擎(ISE)的基本知识。
    • 如何配置存储库。

    使用的组件

    本文档中的信息基于以下软件和硬件版本:

    • 思科身份服务引擎2.7

    本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

    背景信息

    确保ISE在环境中可用的另一个关键策略是拥有可靠的备份策略。ISE备份有两种类型:配置备份和操作备份

    思科ISE允许您备份来自主PAN和监控节点的数据。可以从CLI或用户界面进行备份。


    配置数据 — 包含特定于应用的和Cisco ADE操作系统的配置数据。可以使用GUI或CLI通过主PAN进行备份。


    运行数据 — 包含监控和故障排除数据。备份可通过主PAN GUI或使用监控节点的CLI完成。

    备份存储在存储库中,可以从同一存储库中恢复。您可以安排备份自动运行,也可以按需手动运行。您可以从GUI或CLI查看备份的状态,但只能从CLI查看恢复的状态。

    警告:思科ISE不支持VMware快照以备份ISE数据。使用VMware快照或任何第三方备份备份ISE数据会导致停止思科ISE服务。

    配置

    从GUI执行按需ISE配置数据备份

    步骤1.配置存储库请参阅如何在ISE上配置存储库

    步骤2.登录ISE,导航至Administration > System > Backup & Restore,选择Configuration Data Backup,单击Backup Now,如图所示:

    步骤3.提供备份名称、存储库名称和加密密钥,然后点击备份。

    提示:确保记住加密密钥。

    注意:ISE配置备份包含系统和受信任证书,且不包含内部证书颁发机构(CA)证书。

    要从ISE CLI手动备份内部证书颁发机构(CA)存储。通过SSH登录ISE主管理节点(PAN)节点并运行命令应用程序configure ise > select选项7以导出内部CA存储

    ise/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[25]CleanUp ESR 5921 IOS Crash Info Files
[0]Exit

7
Export Repository Name: FTP-Repo
Enter encryption-key for export: 
Security Protocol list Start
Inside Session facade init
Old Memory Size : 7906192
Old Memory Size : 7906192
Export in progress...
Old Memory Size : 7906192

The following 5 CA key pairs were exported to repository 'FTP-Repo' at 'ise_ca_key_pairs_of_ise':
        Subject:CN=Certificate Services Root CA - ise
        Issuer:CN=Certificate Services Root CA - ise
        Serial#:0x08f06033-2a4c4fcc-b297e75a-04f11bf9

        Subject:CN=Certificate Services Node CA - ise
        Issuer:CN=Certificate Services Root CA - ise
        Serial#:0x3a0e8d8a-5a2846be-a902c280-b5d678aa

        Subject:CN=Certificate Services Endpoint Sub CA - ise
        Issuer:CN=Certificate Services Node CA - ise
        Serial#:0x33b14150-596c4552-ad0a9ab1-9541f0bb

        Subject:CN=Certificate Services Endpoint RA - ise
        Issuer:CN=Certificate Services Endpoint Sub CA - ise
        Serial#:0x37e17494-cf1d4372-bf0ba1e6-83653826

        Subject:CN=Certificate Services OCSP Responder - ise
        Issuer:CN=Certificate Services Node CA - ise
        Serial#:0x68a694ed-bc48481d-bc6cc58e-60a44a61

ise CA keys export completed successfully

    从CLI执行按需ISE配置数据备份

    步骤1.配置存储库请参阅如何在ISE上配置存储库

    步骤2.登录PAN节点的CLI并运行命令:

     backup <backup file name> repository <repository name> ise-config encryption-key plain <encryption key>

    ise/admin# backup ConfigBackup-CLI repository FTP-Repo ise-config encryption-key plain 
      
      
% Internal CA Store is not included in this backup. It is recommended to export it using "application configure ise" CLI command 
% Creating backup with timestamped filename: ConfigBackup-CLI-CFG10-200326-0705.tar.gpg 
% backup in progress: Starting Backup...10% completed 
% backup in progress: Validating ISE Node Role...15% completed
% backup in progress: Backing up ISE Configuration Data...20% completed
% backup in progress: Backing up ISE Indexing Engine Data...45% completed
% backup in progress: Backing up ISE Logs...50% completed
% backup in progress: Completing ISE Backup Staging...55% completed
% backup in progress: Backing up ADEOS configuration...55% completed 
% backup in progress: Moving Backup file to the repository...75% completed 
% backup in progress: Completing Backup...100% completed 
ise/admin#

    从GUI执行按需ISE操作数据备份

    步骤1.配置存储库请参阅如何在ISE上配置存储库

    步骤2.启动ISE操作备份。

    登录ISE GUI,导航至Administration > System > Backup & Restore,选Operational Data Backup,单击Backup Now,如图所示:

    步骤3.提备份名称、存储库名称和加密密钥,然后点击备份。

    提示:确保记住加密密钥。

    从CLI执行按需ISE操作数据备份

    步骤1.配置存储库请参阅如何在ISE上配置存储库

    步骤2.登录到主MNT节点的CLI并运行命令:

    backup <backup file name> repository <repository name> ise-operational encryption-key plain <encryption key>

    ise/admin# backup Ops-Backup-CLI repository FTP-Repo ise-operational encryption-key plain <backup password>
% Creating backup with timestamped filename: Ops-Backup-CLI-OPS10-200326-0719.tar.gpg
% backup in progress: Starting Backup...10% completed
% backup in progress: starting dbbackup using expdp.......20% completed
% backup in progress: starting cars logic.......50% completed
% backup in progress: Moving Backup file to the repository...75% completed
% backup in progress: Completing Backup...100% completed
ise/admin#

    验证

    导航至管理>系统>备份和还原以查看配置数据备份进度,如图所示:

    导航至管理>系统>备份和恢复,以便查看运行数据备份进度,如图所示:

    您还可以从PAN节点的CLI检查配置备份的进度。

    ise/admin# show backup status 
%% Configuration backup status
%% ----------------------------
%      backup name: ConfigBackup-CLI
%       repository: FTP-Repo
%       start date: Thu Mar 26 07:05:11 IST 2020
%        scheduled: no
%   triggered from: CLI
%             host: 
%           status: Backup is in progress
%       progress %: 50
% progress message: Backing up ISE Logs

%% Operation backup status
%% ------------------------
%  No data found. Try 'show backup history' or ISE operation audit report
ise/admin#

    备份完成后,您可以将备份状态视为功。

    故障排除

    确保ISE索引引擎服务在ISE管理节点上运行。

    ise-1/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          15706       
Database Server                        running          89 PROCESSES
Application Server                     running          25683       
Profiler Database                      running          23511       
ISE Indexing Engine                    running          28268       
AD Connector                           running          32319       
M&T Session Database                   running          23320       
M&T Log Processor                      running          16272

    要在ISE上调试备份还原,请使用以下调试:

    ise-1/admin# debug backup-restore backup ?
  <0-7>  Set level, from 0 (severe only) to 7 (all)
  <cr>   Carriage return.

ise-1/pan# debug backup-restore backup 7
ise-1/pan#
    ise-1/pan# 6 [25683]:[info] backup-restore:backup: br_history.c[549] [system]: ISE backup/restore initiated by web UI as ise.br.status is 'in-progress' in /tmp/ise-cfg-br-flags
    7 [25683]:[debug] backup-restore:backup: br_backup.c[600] [system]: initiating backup Config-Backup to repos FTP-Repo
    7 [25683]:[debug] backup-restore:backup: br_backup.c[644] [system]: no staging url defined, using local space
    7 [25683]:[debug] backup-restore:backup: br_backup.c[60] [system]: flushing the staging area
    7 [25683]:[debug] backup-restore:backup: br_backup.c[673] [system]: creating /opt/backup/backup-Config-Backup-1587431770
    7 [25683]:[debug] backup-restore:backup: br_backup.c[677] [system]: creating /opt/backup/backup-Config-Backup-1587431770/backup/cars
    7 [25683]:[debug] backup-restore:backup: br_backup.c[740] [system]: creating /opt/backup/backup-Config-Backup-1587431770/backup/ise
    7 [25683]:[debug] backup-restore:backup: br_backup.c[781] [system]: calling script /opt/CSCOcpm/bin/isecfgbackup.sh
    6 [25683]:[info] backup-restore:backup: br_backup.c[818] [system]: adding ADEOS files to backup
    6 [25683]:[info] backup-restore:backup: br_backup.c[831] [system]: Backup password provided by user
    6 [25683]:[info] backup-restore:backup: br_backup.c[190] [system]: No post-backup entry in the manifest file for ise
    7 [25683]:[debug] backup-restore:backup: br_backup.c[60] [system]: flushing the staging area
    6 [25683]:[info] backup-restore:backup: br_backup.c[912] [system]: backup Config-Backup-CFG10-200421-0646.tar.gpg to repository FTP-Repo: success
    6 [25683]:[info] backup-restore:backup: br_history.c[487] [system]: updating /tmp/ise-cfg-br-flags with status: complete and message: backup Config-Backup-CFG10-200421-0646.tar.gpg to repository FTP-Repo: success

    使用no debug backup-restore backup 7可禁用节点上的调试。

    ise-1/admin# no debug backup-restore backup 7
    TAC Authored

    由思科工程师提供

    • Pankaj Kumar
      Cisco TAC Engineer
    • Prashant Joshi
      Cisco TAC Engineer

    此文档是否有帮助?

    Feedback反馈

    联系我们

    本文档适用于以下产品