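This document describes how to take on-demand configuration data and operational data backups on Identity Services Engine (ISE).
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Another key strategy to ensure the availability of ISE in the environment is a reliable backup strategy. There are two types of ISE backup: configuration backup and operational backup.
Cisco ISE allows you to back up data from the primary PAN and from the Monitoring node. The backup can be taken from the CLI or from the user interface.
Configuration data: contains both application-specific and Cisco ADE operating system configuration data. It can be backed up through the primary PAN with the GUI or the CLI.
Operational data: contains monitoring and troubleshooting data. It can be backed up through the primary PAN GUI or with the CLI of the Monitoring node.
Backups are stored in a repository and can be restored from the same repository. You can schedule backups to run automatically or run them manually on demand. You can view the status of a backup from either the GUI or the CLI, but you can view the status of a restore only from the CLI.
Caution: Cisco ISE does not support VMware snapshots for backing up ISE data. Using VMware snapshots or any third-party backup to back up ISE data results in stopping Cisco ISE services.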
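Step 1. Configure a repository; refer to How to Configure Repository on ISE.
Step 2. Log in to ISE, navigate to Administration > System > Backup & Restore, select Configuration Data Backup, and click Backup Now, as shown in the image:
Step 3. Provide the backup name, the repository name, and the encryption key, then click Backup.
Tip: Ensure that you remember the encryption key.
Note: The ISE configuration backup includes the system and trusted certificates and does not include the internal Certificate Authority (CA) certificates.
Back up the internal Certificate Authority (CA) store manually from the ISE CLI. Log in to the ISE Primary Administration Node (PAN) through SSH and run the command application configure ise > select option 7 to export the internal CA store.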
ise/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[25]CleanUp ESR 5921 IOS Crash Info Files
[0]Exit

7
Export Repository Name: FTP-Repo
Enter encryption-key for export:
Security Protocol list Start Inside Session facade init
Old Memory Size : 7906192
Old Memory Size : 7906192
Export in progress...
Old Memory Size : 7906192

The following 5 CA key pairs were exported to repository 'FTP-Repo' at 'ise_ca_key_pairs_of_ise':
        Subject:CN=Certificate Services Root CA - ise
        Issuer:CN=Certificate Services Root CA - ise
        Serial#:0x08f06033-2a4c4fcc-b297e75a-04f11bf9

        Subject:CN=Certificate Services Node CA - ise
        Issuer:CN=Certificate Services Root CA - ise
        Serial#:0x3a0e8d8a-5a2846be-a902c280-b5d678aa

        Subject:CN=Certificate Services Endpoint Sub CA - ise
        Issuer:CN=Certificate Services Node CA - ise
        Serial#:0x33b14150-596c4552-ad0a9ab1-9541f0bb

        Subject:CN=Certificate Services Endpoint RA - ise
        Issuer:CN=Certificate Services Endpoint Sub CA - ise
        Serial#:0x37e17494-cf1d4372-bf0ba1e6-83653826

        Subject:CN=Certificate Services OCSP Responder - ise
        Issuer:CN=Certificate Services Node CA - ise
        Serial#:0x68a694ed-bc48481d-bc6cc58e-60a44a61

ise CA keys export completed successfully
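Because the internal CA store is exported separately from the configuration backup, it is worth checking the export transcript before you file it with the backup. The Python below is an added example, not part of the Cisco document: it parses a saved transcript like the one above and reports a count mismatch, a missing completion message, or an issuer that was not exported. The function name check_ca_export is hypothetical.

```python
import re

# Export output from the CLI session above, re-wrapped one key pair per line.
SAMPLE = """\
The following 5 CA key pairs were exported to repository 'FTP-Repo' at 'ise_ca_key_pairs_of_ise':
Subject:CN=Certificate Services Root CA - ise Issuer:CN=Certificate Services Root CA - ise Serial#:0x08f06033-2a4c4fcc-b297e75a-04f11bf9
Subject:CN=Certificate Services Node CA - ise Issuer:CN=Certificate Services Root CA - ise Serial#:0x3a0e8d8a-5a2846be-a902c280-b5d678aa
Subject:CN=Certificate Services Endpoint Sub CA - ise Issuer:CN=Certificate Services Node CA - ise Serial#:0x33b14150-596c4552-ad0a9ab1-9541f0bb
Subject:CN=Certificate Services Endpoint RA - ise Issuer:CN=Certificate Services Endpoint Sub CA - ise Serial#:0x37e17494-cf1d4372-bf0ba1e6-83653826
Subject:CN=Certificate Services OCSP Responder - ise Issuer:CN=Certificate Services Node CA - ise Serial#:0x68a694ed-bc48481d-bc6cc58e-60a44a61
ise CA keys export completed successfully
"""

HEADER = re.compile(r"The following (\d+) CA key pairs were exported to repository '([^']+)' at '([^']+)'")
PAIR = re.compile(r"Subject:(.+?)\s+Issuer:(.+?)\s+Serial#:(0x[0-9A-Fa-f-]+)")

def check_ca_export(text):
    """Return (pairs, problems) for an 'Export Internal CA Store' transcript."""
    problems = []
    pairs = [dict(zip(("subject", "issuer", "serial"), m.groups()))
             for m in PAIR.finditer(text)]
    header = HEADER.search(text)
    if header is None:
        problems.append("export summary line not found")
    elif int(header.group(1)) != len(pairs):
        problems.append(f"summary says {header.group(1)} key pairs, parsed {len(pairs)}")
    if "CA keys export completed successfully" not in text:
        problems.append("no completion message; export may have been interrupted")
    subjects = {p["subject"] for p in pairs}
    roots = [p for p in pairs if p["subject"] == p["issuer"]]
    if len(roots) != 1:
        problems.append(f"expected one self-signed root, found {len(roots)}")
    for p in pairs:
        if p["issuer"] not in subjects:
            problems.append(f"{p['subject']}: issuer {p['issuer']} was not exported")
    if len({p["serial"] for p in pairs}) != len(pairs):
        problems.append("duplicate serial numbers in export")
    return pairs, problems

if __name__ == "__main__":
    pairs, problems = check_ca_export(SAMPLE)
    for p in pairs:
        print(p["serial"], p["subject"], "<-", p["issuer"])
    print("OK" if not problems else "\n".join(problems))
```

The parser accepts the transcript with its original line breaks as well, since the pattern treats any whitespace between the Subject, Issuer and Serial# fields alike.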
Step 1. Configure a repository; refer to How to Configure Repository on ISE.
Step 2. Log in to the CLI of the PAN node and run this command:
backup <backup file name> repository <repository name> ise-config encryption-key plain <encryption key>
ise/admin# backup ConfigBackup-CLI repository FTP-Repo ise-config encryption-key plain
% Internal CA Store is not included in this backup. It is recommended to export it using "application configure ise" CLI command
% Creating backup with timestamped filename: ConfigBackup-CLI-CFG10-200326-0705.tar.gpg
% backup in progress: Starting Backup...10% completed
% backup in progress: Validating ISE Node Role...15% completed
% backup in progress: Backing up ISE Configuration Data...20% completed
% backup in progress: Backing up ISE Indexing Engine Data...45% completed
% backup in progress: Backing up ISE Logs...50% completed
% backup in progress: Completing ISE Backup Staging...55% completed
% backup in progress: Backing up ADEOS configuration...55% completed
% backup in progress: Moving Backup file to the repository...75% completed
% backup in progress: Completing Backup...100% completed
ise/admin#
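Step 1. Configure a repository; refer to How to Configure Repository on ISE.
Step 2. Start the ISE operational backup.
Log in to the ISE GUI, navigate to Administration > System > Backup & Restore, select Operational Data Backup, and click Backup Now, as shown in the image:
Step 3. Provide the Backup Name, the Repository Name, and the Encryption Key, then click Backup.
Tip: Ensure that you remember the encryption key.
Step 1. Configure a repository; refer to How to Configure Repository on ISE.
Step 2. Log in to the CLI of the primary MnT node and run the command: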
backup <backup file name> repository <repository name> ise-operational encryption-key plain <encryption key>
ise/admin# backup Ops-Backup-CLI repository FTP-Repo ise-operational encryption-key plain <backup password>
% Creating backup with timestamped filename: Ops-Backup-CLI-OPS10-200326-0719.tar.gpg
% backup in progress: Starting Backup...10% completed
% backup in progress: starting dbbackup using expdp.......20% completed
% backup in progress: starting cars logic.......50% completed
% backup in progress: Moving Backup file to the repository...75% completed
% backup in progress: Completing Backup...100% completed
ise/admin#
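Navigate to Administration > System > Backup & Restore to view the Configuration Data Backup progress, as shown in the image:
Navigate to Administration > System > Backup & Restore to view the Operational Data Backup progress, as shown in the image:
You can also check the progress of the configuration backup from the CLI of the PAN node.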
ise/admin# show backup status
%% Configuration backup status
%% ----------------------------
%      backup name: ConfigBackup-CLI
%       repository: FTP-Repo
%       start date: Thu Mar 26 07:05:11 IST 2020
%        scheduled: no
%   triggered from: CLI
%             host:
%           status: Backup is in progress
%       progress %: 50
% progress message: Backing up ISE Logs

%% Operation backup status
%% ------------------------
%  No data found. Try 'show backup history' or ISE operation audit report
ise/admin#
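After the backup completes, you can see that the backup status is successful.
Ensure that the ISE Indexing Engine service is running on the ISE administration node.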
ise-1/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          15706
Database Server                        running          89 PROCESSES
Application Server                     running          25683
Profiler Database                      running          23511
ISE Indexing Engine                    running          28268
AD Connector                           running          32319
M&T Session Database                   running          23320
M&T Log Processor                      running          16272
To debug backup and restore on ISE, use these debugs:
ise-1/admin# debug backup-restore backup ?
  <0-7>  Set level, from 0 (severe only) to 7 (all)
  <cr>   Carriage return.
ise-1/pan# debug backup-restore backup 7
ise-1/pan#
ise-1/pan# 6 [25683]:[info] backup-restore:backup: br_history.c[549] [system]: ISE backup/restore initiated by web UI as ise.br.status is 'in-progress' in /tmp/ise-cfg-br-flags
7 [25683]:[debug] backup-restore:backup: br_backup.c[600] [system]: initiating backup Config-Backup to repos FTP-Repo
7 [25683]:[debug] backup-restore:backup: br_backup.c[644] [system]: no staging url defined, using local space
7 [25683]:[debug] backup-restore:backup: br_backup.c[60] [system]: flushing the staging area
7 [25683]:[debug] backup-restore:backup: br_backup.c[673] [system]: creating /opt/backup/backup-Config-Backup-1587431770
7 [25683]:[debug] backup-restore:backup: br_backup.c[677] [system]: creating /opt/backup/backup-Config-Backup-1587431770/backup/cars
7 [25683]:[debug] backup-restore:backup: br_backup.c[740] [system]: creating /opt/backup/backup-Config-Backup-1587431770/backup/ise
7 [25683]:[debug] backup-restore:backup: br_backup.c[781] [system]: calling script /opt/CSCOcpm/bin/isecfgbackup.sh
6 [25683]:[info] backup-restore:backup: br_backup.c[818] [system]: adding ADEOS files to backup
6 [25683]:[info] backup-restore:backup: br_backup.c[831] [system]: Backup password provided by user
6 [25683]:[info] backup-restore:backup: br_backup.c[190] [system]: No post-backup entry in the manifest file for ise
7 [25683]:[debug] backup-restore:backup: br_backup.c[60] [system]: flushing the staging area
6 [25683]:[info] backup-restore:backup: br_backup.c[912] [system]: backup Config-Backup-CFG10-200421-0646.tar.gpg to repository FTP-Repo: success
6 [25683]:[info] backup-restore:backup: br_history.c[487] [system]: updating /tmp/ise-cfg-br-flags with status: complete and message: backup Config-Backup-CFG10-200421-0646.tar.gpg to repository FTP-Repo: success
Use no debug backup-restore backup 7 to disable the debugs on the node.
ise-1/admin# no debug backup-restore backup 7
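When the debug output is saved from the terminal session, it can be reduced to one record per backup run so that a run without a final success line stands out. The Python below is an added example, not part of the Cisco document: the function names are hypothetical, the message patterns are taken only from the capture above, and the last sample line (backup name Nightly) is constructed.

```python
import re

# Debug lines copied from the capture above (subset). The last line is
# constructed to show a second backup that never reports completion.
SAMPLE = """\
ise-1/pan# 6 [25683]:[info] backup-restore:backup: br_history.c[549] [system]: ISE backup/restore initiated by web UI as ise.br.status is 'in-progress' in /tmp/ise-cfg-br-flags
7 [25683]:[debug] backup-restore:backup: br_backup.c[600] [system]: initiating backup Config-Backup to repos FTP-Repo
7 [25683]:[debug] backup-restore:backup: br_backup.c[60] [system]: flushing the staging area
6 [25683]:[info] backup-restore:backup: br_backup.c[831] [system]: Backup password provided by user
7 [25683]:[debug] backup-restore:backup: br_backup.c[60] [system]: flushing the staging area
6 [25683]:[info] backup-restore:backup: br_backup.c[912] [system]: backup Config-Backup-CFG10-200421-0646.tar.gpg to repository FTP-Repo: success
7 [25683]:[debug] backup-restore:backup: br_backup.c[600] [system]: initiating backup Nightly to repos FTP-Repo
"""

LINE = re.compile(r"(\d) \[(\d+)\]:\[(\w+)\] backup-restore:backup: (\S+)\[(\d+)\] \[system\]: (.*)")
START = re.compile(r"initiating backup (\S+) to repos (\S+)")
DONE = re.compile(r"backup (\S+\.tar\.gpg) to repository (\S+): (\w+)")

def summarize(log):
    """Group backup-restore debug lines into one record per backup run."""
    runs = []
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue                      # prompt echo or unrelated output
        msg = m.group(6).strip()
        start, done = START.match(msg), DONE.match(msg)
        if start:
            runs.append({"name": start.group(1), "repository": start.group(2),
                         "pid": int(m.group(2)), "encrypted": False,
                         "file": None, "result": "incomplete"})
        elif runs and msg == "Backup password provided by user":
            runs[-1]["encrypted"] = True
        elif runs and done and done.group(2) == runs[-1]["repository"]:
            runs[-1]["file"], runs[-1]["result"] = done.group(1), done.group(3)
    return runs

def needs_attention(runs):
    """Runs that did not end with the 'success' message seen in the capture."""
    return [r for r in runs if r["result"] != "success"]

if __name__ == "__main__":
    for run in summarize(SAMPLE):
        print(run)
```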