How to make a complete backup of Symantec Data Center Security (DCS) or Symantec Critical System Protection (SCSP) for disaster recovery plan

book

Article ID: 159322

calendar_today

Updated On:

Products

Critical System Protection Data Center Security Server Critical System Protection Client Edition Data Center Security Monitoring Edition Data Center Security Server Advanced

Issue/Introduction

Make a complete backup of DCS/SCSP for a disaster recovery plan. 

Cause

In the event of a catastrophic failure you would like to have a complete backup that will allow you to quickly restore your database. This can also be used if you want to move your database from one server to another.  There might be additional steps needed (modifying the server.xml to point to the new server). 

Environment

Data Center Security Server Advanced

Critical System Protection 

Resolution

To make a complete backup of your SCSP server perform the following steps:

1.  Copy and backup the following files from your SCSP server:

<install directory>\symantec\critical system protection\server\agent-cert.ssl
<install directory>\symantec\critical system protection\server\server-cert.ssl
<install directory>\symantec\critical system protection\server\ui-cert.ssl
<install directory>symantec\critical system protection\server\tomcat\conf\server.xml

Copy and backup the below for DCS:SA server: 

<install directory>\Symantec\Data Center Security Server\Server\agent-cert.ssl
<install directory>\Symantec\Data Center Security Server\Server\sss.ssl
<install directory>\Symantec\Data Center Security Server\Server\umcserver.ssl
<install directory>\Symantec\Data Center Security Server\Server\server-cert.ssl
<install directory>\Symantec\Data Center Security Server\Server\rootkey.ssl
<install directory>\Symantec\Data Center Security Server\Server\tomcat\conf\server.xml
<install directory>\Symantec\Data Center Security Server\Server\tomcat\conf\quartz.properties
<install directory>\Symantec\Data Center Security Server\Server\umc\ssl\umcCA\certs (backup the entire certs folder)

2.  Login to Microsoft SQL Server Management Studio.

3.  Right click on SCSPDB and choose Tasks\Back Up. NOTE: It is recommended to use the "full" backup option. (**For DCS also backup the UMC database**)

4. After making a full database backup, also backup the Security Login Accounts. (These users are NOT backed up when you backup the database. The users must be copied using a MS SQL script http://support.microsoft.com/kb/918992)

To run the script, login to Microsoft SQL Server Managment Studio.

5.  From Microsoft SQL Server Managment Studio, click on New Query.  Copy the following into the query window:

USE master
GO
IF OBJECT_ID ('sp_hexadecimal') IS NOT NULL
  DROP PROCEDURE sp_hexadecimal
GO
CREATE PROCEDURE sp_hexadecimal
    @binvalue varbinary(256),
    @hexvalue varchar (514) OUTPUT
AS
DECLARE @charvalue varchar (514)
DECLARE @i int
DECLARE @length int
DECLARE @hexstring char(16)
SELECT @charvalue = '0x'
SELECT @i = 1
SELECT @length = DATALENGTH (@binvalue)
SELECT @hexstring = '0123456789ABCDEF'
WHILE (@i <= @length)
BEGIN
  DECLARE @tempint int
  DECLARE @firstint int
  DECLARE @secondint int
  SELECT @tempint = CONVERT(int, SUBSTRING(@binvalue,@i,1))
  SELECT @firstint = FLOOR(@tempint/16)
  SELECT @secondint = @tempint - (@firstint*16)
  SELECT @charvalue = @charvalue +
    SUBSTRING(@hexstring, @firstint+1, 1) +
    SUBSTRING(@hexstring, @secondint+1, 1)
  SELECT @i = @i + 1
END

SELECT @hexvalue = @charvalue
GO
 
IF OBJECT_ID ('sp_help_revlogin') IS NOT NULL
  DROP PROCEDURE sp_help_revlogin
GO
CREATE PROCEDURE sp_help_revlogin @login_name sysname = NULL AS
DECLARE @name sysname
DECLARE @type varchar (1)
DECLARE @hasaccess int
DECLARE @denylogin int
DECLARE @is_disabled int
DECLARE @PWD_varbinary  varbinary (256)
DECLARE @PWD_string  varchar (514)
DECLARE @SID_varbinary varbinary (85)
DECLARE @SID_string varchar (514)
DECLARE @tmpstr  varchar (1024)
DECLARE @is_policy_checked varchar (3)
DECLARE @is_expiration_checked varchar (3)

DECLARE @defaultdb sysname
 
IF (@login_name IS NULL)
  DECLARE login_curs CURSOR FOR

      SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin FROM 
sys.server_principals p LEFT JOIN sys.syslogins l
      ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name <> 'sa'
ELSE
  DECLARE login_curs CURSOR FOR


      SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin FROM 
sys.server_principals p LEFT JOIN sys.syslogins l
      ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name = @login_name
OPEN login_curs

FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
IF (@@fetch_status = -1)
BEGIN
  PRINT 'No login(s) found.'
  CLOSE login_curs
  DEALLOCATE login_curs
  RETURN -1
END
SET @tmpstr = '/* sp_help_revlogin script '
PRINT @tmpstr
SET @tmpstr = '** Generated ' + CONVERT (varchar, GETDATE()) + ' on ' + @@SERVERNAME + ' */'
PRINT @tmpstr
PRINT ''
WHILE (@@fetch_status <> -1)
BEGIN
  IF (@@fetch_status <> -2)
  BEGIN
    PRINT ''
    SET @tmpstr = '-- Login: ' + @name
    PRINT @tmpstr
    IF (@type IN ( 'G', 'U'))
    BEGIN -- NT authenticated account/group

      SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' FROM WINDOWS WITH DEFAULT_DATABASE = [' + @defaultdb + ']'
    END
    ELSE BEGIN -- SQL Server authentication
        -- obtain password and sid
            SET @PWD_varbinary = CAST( LOGINPROPERTY( @name, 'PasswordHash' ) AS varbinary (256) )
        EXEC sp_hexadecimal @PWD_varbinary, @PWD_string OUT
        EXEC sp_hexadecimal @SID_varbinary,@SID_string OUT
 
        -- obtain password policy state
        SELECT @is_policy_checked = CASE is_policy_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name
        SELECT @is_expiration_checked = CASE is_expiration_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name
 
            SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' WITH PASSWORD = ' + @PWD_string + ' HASHED, SID = ' + @SID_string + ', DEFAULT_DATABASE = [' + @defaultdb + ']'

        IF ( @is_policy_checked IS NOT NULL )
        BEGIN
          SET @tmpstr = @tmpstr + ', CHECK_POLICY = ' + @is_policy_checked
        END
        IF ( @is_expiration_checked IS NOT NULL )
        BEGIN
          SET @tmpstr = @tmpstr + ', CHECK_EXPIRATION = ' + @is_expiration_checked
        END
    END
    IF (@denylogin = 1)
    BEGIN -- login is denied access
      SET @tmpstr = @tmpstr + '; DENY CONNECT SQL TO ' + QUOTENAME( @name )
    END
    ELSE IF (@hasaccess = 0)
    BEGIN -- login exists but does not have access
      SET @tmpstr = @tmpstr + '; REVOKE CONNECT SQL TO ' + QUOTENAME( @name )
    END
    IF (@is_disabled = 1)
    BEGIN -- login is disabled
      SET @tmpstr = @tmpstr + '; ALTER LOGIN ' + QUOTENAME( @name ) + ' DISABLE'
    END
    PRINT @tmpstr
  END

  FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
   END
CLOSE login_curs
DEALLOCATE login_curs
RETURN 0
GO

This will create two stored procedures in the master database. The procedures are names sp_hexadecimal and sp_help_revlogin.

Next you will need to open another New Query and run the following:

EXEC sp_help_revlogin

This will output the logins with SID. 

6.  Copy the output to Notepad and save it as SCSPusers.txt (This is everything you need to be able to completely restore your database should it become corrupted)

 

TO RESTORE:

1.  Install SCSP Server and Console.  Select Tomcat and schema for the install option and point it to your SQL server.

2.  After installing, stop the SCSP(DCS) manager service and then delete the SCSP database and security accounts. 

3.  From Microsoft SQL Server Management Studio, right click on database and choose "restore Database"

4.  Choose from device and browse to your backup (click and browse to it and then click ok).  Make sure to click the Restore check box.  Change the "To database" to SCSPDB and click OK. (**For DCS also restore the UMC database.**)

5.  Click on New Query and open the file you saved "SCSPusers.txt" and copy the text from this into the new query window. Click Execute.  It should say the SA and administrator account already exists.  

6.  Right click on your instance in Microsoft SQL Server Management Studio and choose Restart. 

7.  Navigate to your Security Logins.  Your scsp_ops, scsp_plugin and scspdba accounts should be there. (You may need to click on the refresh button for them to appear.)

8.  Navigate to the following locations and rename the following files to something like agent-certold.ssl server-certold.ssl etc...

<install directory>\symantec\critical system protection\server\agent-cert.ssl
<install directory>\symantec\critical system protection\server\server-cert.ssl
<install directory>\symantec\critical system protection\server\ui-cert.ssl
<install directory>symantec\critical system protection\server\tomcat\conf\server.xml

Rename the the below for DCS:SA server: 

<install directory>\Symantec\Data Center Security Server\Server\agent-cert.ssl
<install directory>\Symantec\Data Center Security Server\Server\sss.ssl
<install directory>\Symantec\Data Center Security Server\Server\umcserver.ssl
<install directory>\Symantec\Data Center Security Server\Server\server-cert.ssl
<install directory>\Symantec\Data Center Security Server\Server\rootkey.ssl
<install directory>\Symantec\Data Center Security Server\Server\tomcat\conf\server.xml
<install directory>\Symantec\Data Center Security Server\Server\tomcat\conf\quartz.properties
<install directory>\Symantec\Data Center Security Server\Server\umc\ssl\umcCA\certs (backup the entire certs folder)

9. Once you have renamed all of these, copy the backed up versions of these files to the same location in the same directory. 

10.  Start the Symantec Critical System Protection Server (or the Data Center Security Server Manager) Service, wait a few minutes. 

11.  Login to the Management Console and verify connectivity.

 

Applies To

Windows 2003/2008/2012/2019

SQL 2005/2012/2016/2019