Restore and failover of VCF Identity Broker (vIDB) to a different Management Domain in VCF Operations 9.x

Article ID: 436356


Products

VCF Operations

Issue/Introduction

VCF Identity Broker (vIDB) is backed up to an SFTP server, and VCF Operations is integrated with multiple Management Domains.
If vIDB fails in the Management Domain where it was originally deployed, it must be restored and recovered on a different Management Domain.

Environment

VCF Operations 9.0.x

Resolution

To recover VCF Identity Broker from the protected to the recovery VMware Cloud Foundation instance under planned circumstances, you deploy a new VCF Identity Broker instance in the recovery VMware Cloud Foundation instance, and restore the latest backup.

Prerequisites:
  • You must have a known good backup available for the restore.
  • VCF Identity Broker in the protected VMware Cloud Foundation instance must be powered off.
  • VCF SSO-based logins will not work while VCF Identity Broker is offline, so use a local VCF Operations user (one assigned the Administrator role) for this procedure.

  1. Deploy a new VCF Identity Broker instance in the recovery VMware Cloud Foundation instance.
    1. Log in to the VCF Operations interface at https://<vcf_operations_fqdn> with a user assigned the Administrator role.
    2. Navigate to Fleet Management > Lifecycle > VCF Management > Components.
    3. Click Add Component > identity broker.
    4. On the Deployment tab, select New Install and click Next.
    5. On the Certificate tab, select the VCF Identity Broker certificate and click Next.
    6. On the Infrastructure tab, select the management domain vCenter from the recovery VMware Cloud Foundation instance, and configure the remaining settings according to your VMware Cloud Foundation Planning and Preparation Workbook, and click Next.
    7. On the Network tab, configure the settings according to your VMware Cloud Foundation Planning and Preparation Workbook, and click Next.
    8. On the Components tab, configure the settings according to your VMware Cloud Foundation Planning and Preparation Workbook, and click Next.
    9. On the Precheck tab, click Run Precheck.
    10. When the precheck completes successfully, click Next.
    11. On the Summary tab, click Submit.
    12. Monitor the task on the tasks pane.

  2. Restore VCF Identity Broker from backup.
    1. Log in to the VCF Operations interface at https://<vcf_operations_fqdn> with a user assigned the Administrator role.
    2. Navigate to Fleet Management > Lifecycle > VCF Management > Components > identity-broker.

      Ensure you select the VCF Identity Broker instance in the recovery VMware Cloud Foundation instance.

    3. Click the horizontal ellipsis, and click Backup and Restore > Restore.
    4. On the Restore pane, choose how the backup is selected:
      • Restore from the latest backup on the cluster
      • Restore from a specific backup by passing the backup path in the form vcf/backups/cluster-name/version/component-name/timestamp
      • Restore from a specific backup file by passing the path in the form vcf/backups/cluster-name/version/component-name/timestamp/<full-backup-file-path.tgz>
    5. Click Restore.
    6. Monitor the restore task from the Tasks panel.

      NOTE:
      Do not make any changes to the VCF SSO configuration during the planned failover, as any changes will be lost. If any changes are made, you must take a manual backup of VCF Identity Broker and restore it to the VCF Identity Broker instance in the protected VMware Cloud Foundation instance, after it has been powered on.

  3. Soft-delete VCF Identity Broker from Fleet Management and import it again. This is required so that no stale service-account and service-registry entries from the old instance remain.
    1. Log in to the VCF Operations interface at https://<vcf_operations_fqdn> with a user assigned the Administrator role.
    2. Navigate to Fleet Management > Lifecycle > VCF Management > Components.
    3. Delete the VCF Identity Broker instance from the Fleet Management components. Make sure you do not select the option to delete the appliances; only the Fleet Management record is removed.
    4. Go back to Fleet Management > Lifecycle > VCF Management > Components. Click Add Component and select Import.
    5. In this pane, select or enter the requested inputs:
      1. Primary VIP
      2. vmware-system-user password
      3. vCenter Server (where VCF Identity Broker is deployed)
      4. Accept Certificate
    6. Click Next to review the Summary and submit the request to import VCF Identity Broker back into Fleet Management.


Note: Step 3 also applies to VCF Automation when restoring from a backup. This step is essential for maintaining consistent service account information within VCF Operations.
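Before the protected instance is powered off, it is worth confirming that a complete backup actually exists at the path the Restore pane expects. The following POSIX shell script is an added example, not Broadcom's tooling or part of this article. It assumes the SFTP backup tree has been mirrored to a local directory (for example with sftp or rsync), that the timestamp directory names sort lexically in chronological order, and it uses placeholder cluster and version names. It picks the newest timestamp directory that actually contains a .tgz archive, so an interrupted most-recent backup is skipped, and prints the relative path in the form accepted by the Restore pane.

```shell
#!/bin/sh
# Added example (not Broadcom's tooling): locate the newest vIDB backup under
# the SFTP layout used by the Restore pane and print the path to paste there.
# Assumptions: the backup tree has been mirrored locally, and timestamp
# directory names sort lexically in chronological order.
# Layout: vcf/backups/<cluster-name>/<version>/<component-name>/<timestamp>/<file>.tgz

# latest_backup_path ROOT CLUSTER VERSION COMPONENT
# Prints the relative restore path of the newest backup that contains a .tgz
# archive, or exits non-zero if none exists, so a missing backup is caught
# before the protected vIDB is powered off.
latest_backup_path() {
    root=$1; cluster=$2; version=$3; component=$4
    dir="$root/vcf/backups/$cluster/$version/$component"
    [ -d "$dir" ] || { echo "no backups under $dir" >&2; return 1; }
    # Walk timestamps newest-first; the first one holding a .tgz wins, so an
    # empty (interrupted) latest directory is not selected.
    for ts in $(ls -1 "$dir" | sort -r); do
        for f in "$dir/$ts"/*.tgz; do
            [ -f "$f" ] || continue
            echo "vcf/backups/$cluster/$version/$component/$ts/$(basename "$f")"
            return 0
        done
    done
    echo "no complete backup (.tgz) found under $dir" >&2
    return 1
}

# Constructed sample tree for demonstration only; cluster name, version and
# timestamps are placeholders, not values from a real environment.
make_sample_tree() {
    root=$1
    base="$root/vcf/backups/mgmt-cluster-01/9.0.0/identity-broker"
    mkdir -p "$base/20250101T000000" "$base/20250201T000000" "$base/20250301T000000"
    : > "$base/20250101T000000/identity-broker-20250101T000000.tgz"
    : > "$base/20250201T000000/identity-broker-20250201T000000.tgz"
    # The newest directory exists but holds no archive (interrupted backup).
}

demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    latest_backup_path "$tmp" mgmt-cluster-01 9.0.0 identity-broker
    rm -rf "$tmp"
}

demo
```

Run it against the mirrored tree before starting step 1. If it exits non-zero, do not power off the protected instance or begin the failover until a known good backup is confirmed.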

Additional Information

Reference steps from Broadcom technical document: Initiate a Planned Recovery of VCF Identity Broker for Site Protection and Disaster Recovery for VMware Cloud Foundation