Forum Discussion
hooleylist
Dec 18, 2007
Hi,
Attached is the UCS backup and export script I was testing. It has some added functionality you wouldn't need on a GTM, but it should work as it is.
It runs on the BIG-IP and creates a UCS archive in the /var/local/ucs directory with the format: HOSTNAME_VERSION_DATE.ucs. It was written for a customer who was using ASM on some of their units. So it checks to see if another script which exports the ASM security policies to a separate tar archive is present on the unit. If it is, the policy export script is run. If it isn't present, then the UCS backup script just creates a UCS archive and attempts to SCP it to a remote server.
Here are the configuration requirements:
#!/usr/bin/perl
#
# BIG-IP configuration save and export
# v1.0.5 - 06 Aug 2007
#
# Objectives:
#   - Create a configuration backup of the BIG-IP to a UCS file
#   - Create a backup of the active ASM security policies if the unit has ASM enabled
#   - Copy the backup files to a remote host via SCP
#
# Tested on BIG-IP and BIG-IP ASM versions: 9.2.4, 9.4.1
#
# Configuration requirements:
#
# 1. SSH public key authentication must be configured so that the SCP user (defined by SCP_USER in this script)
#    can SSH/SCP from this BIG-IP to a remote SSHD server without password prompts.
#    By default, this script uses the existing root SSH private/public key pair from /var/ssh/root/:
#    "identity" (private key) and "identity.pub" (public).
#    To configure password-less authentication, append the client "identity.pub" key from the BIG-IP
#    to the authorized_keys file in the SCP server's SCP user home directory:
#      ~/.ssh/authorized_keys
#    You could also generate your own key using the following steps:
#    a. On the BIG-IP, generate a new public and private key pair:
#         ssh-keygen -t rsa -b 2048 -C `hostname` -f ~/.ssh/`hostname`
#       (Do not enter a passphrase)
#    b. On the BIG-IP, change the permissions on the keys to root read/write access only:
#         chmod 600 ~/.ssh/`hostname`*
#    c. Copy the ~/.ssh/`hostname`.pub public key from the BIG-IP to the SCP server and
#       append the key to the ~/.ssh/authorized_keys file:
#         cat ~/.ssh/`hostname`.pub | ssh SCP_SERVER 'cat >> ~/.ssh/authorized_keys'
#    d. Verify public key authorization is configured so that you aren't prompted for a password:
#         ssh -i /path/to/ssh.key SCP_USERNAME@SCP_HOST
#
# 2. For units with ASM licensed, a copy of the all_policy_export.pl script should be saved
#    and configured in this script as:
#      ALL_POLICY_EXPORT_SCRIPT => '/path/to/all_policy_export.pl'
#
# Aaron Hooley - (hooley at gmail dot com)
The ASM policy export script is in the codeshare.
I tested this quite a bit, but I'm no Perl expert. Let me know if you try it and run into any issues or have suggestions.
Thanks,
Aaron
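The flow the post describes (UCS saved to /var/local/ucs as HOSTNAME_VERSION_DATE.ucs, ASM policy export only when the export script is present, then an SCP copy over key authentication), as an added shell example that is not the attached Perl script. It assumes the UCS is written with `bigpipe config save`, that the version comes from the `Version:` line of /VERSION, and uses a placeholder SCP host; both external steps sit in their own small functions so the flow can be exercised off-box.

```shell
#!/bin/bash
# Added example, not the script attached to the post. Assumptions are
# labelled: "bigpipe config save" writes the UCS, /VERSION carries a
# "Version: x.y.z" line, and SCP_HOST is a placeholder.
UCS_DIR="${UCS_DIR:-/var/local/ucs}"
VERSION_FILE="${VERSION_FILE:-/VERSION}"
SCP_USER="${SCP_USER:-backup}"
SCP_HOST="${SCP_HOST:-scp.example.com}"                  # placeholder
SCP_KEY="${SCP_KEY:-/var/ssh/root/identity}"              # key pair named in the post
ALL_POLICY_EXPORT_SCRIPT="${ALL_POLICY_EXPORT_SCRIPT:-/path/to/all_policy_export.pl}"

# HOSTNAME_VERSION_DATE.ucs; host may be passed in, otherwise taken from hostname.
ucs_name() {
  local host="${1:-$(hostname)}" ver
  ver=$(awk -F': *' '/^Version:/ {print $2; exit}' "$VERSION_FILE" 2>/dev/null)
  printf '%s_%s_%s.ucs\n' "$host" "${ver:-unknown}" "$(date +%Y%m%d)"
}

# Write the UCS archive (v9 bigpipe syntax; assumption).
save_ucs() { bigpipe config save "$1"; }

# Copy off-box. BatchMode=yes makes a missing key setup fail instead of
# hanging on a password prompt (the check from step 1d); strict host-key
# checking refuses an unknown server rather than trusting it on first use.
copy_offbox() {
  scp -q -i "$SCP_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
      "$1" "${SCP_USER}@${SCP_HOST}:"
}

# Returns non-zero on failure; the local archive is kept either way so the
# box still has a backup when the copy fails.
run_backup() {
  local ucs="$UCS_DIR/$(ucs_name "${1:-}")"
  save_ucs "$ucs" || { echo "UCS save failed: $ucs" >&2; return 1; }
  chmod 600 "$ucs"    # the archive carries private keys and config; root-only
  if [ -x "$ALL_POLICY_EXPORT_SCRIPT" ]; then
    "$ALL_POLICY_EXPORT_SCRIPT" || echo "ASM policy export failed" >&2
  fi
  copy_offbox "$ucs" || { echo "copy to $SCP_HOST failed; $ucs kept locally" >&2; return 2; }
  echo "$ucs"
}

if [ "${1:-}" = "--run" ]; then run_backup; fi
```

Run it as `./ucs_backup.sh --run` from cron; the script exits non-zero when either the save or the off-box copy fails, so a monitoring job can alert on it.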