How to configure the Schedule Backup for PAM with SCP and SFTP

Document ID : KB000047113
Last Modified Date : 22/06/2018

This document will help you to configure the Schedule Backup feature in PAM for SCP and SFTP destinations.

CA Privileged Access Manager has a built-in mechanism to create database backups on a regular basis. The backup files are stored externally.
Depending on the release, you can store the logs on an SSH server using public key authentication, or on network file systems such as NFS or CIFS, which do not require such key authentication.

Note: backup to SFTP is available since PAM release 2.7.

    CA PAM 2.7.x
    CA PAM 2.8.x
    The information necessary to configure a scheduled backup is:
    1. Username of the login user on the SSH server (best create a new user on the target SSH server, e.g. xsuite)
    2. Directory path where the backup files are stored
    3. Protocol used for file transfer to SSH server, i.e. SCP or SFTP

    For the scheduled backup, other information can be specified, such as the frequency and what to do with old backup files.

    1) Log in to PAM and navigate to Config->Database.
    2) On the page shown, select "Schedule Backup".
         The time entered is in UTC/GMT.
    3) The SSH server connection is configured to e.g.: xsuite@ 

    Please confirm that the user on the SSH server has full permissions to the target directory on this SSH server.

    4) Choose the protocol: "sftp" or "scp".
    5) The public key corresponding to the private key used when connecting to the SSH server must be downloaded and installed on the SSH server.
        Best download both the RSA and DSA keys to the SSH server.
    6) Finally, select "Save Schedule".

    Preparation Steps on the SSH Target Server:

    1. Log in to the UNIX destination server with the user created, e.g. xsuite.
    2. Create the file ~/.ssh/authorized_keys if it does not exist under this user's home directory.
    3. Add the public keys downloaded from each PAM Cluster instance you might have to this file.
      e.g. run these commands in the user's shell on the target to append the relevant keys to the key store:

      cat dsa.key >> ~/.ssh/authorized_keys
      cat rsa.key >> ~/.ssh/authorized_keys
    4. Confirm that the permissions of the ~/.ssh/authorized_keys file are set to 600.
    5. Confirm that the owner of the ~/.ssh/authorized_keys file is xsuite in this case.
    6. Create a file store for the backup files, e.g. /backup-XsuiteA
      You might want to create separate folders for each PAM cluster instance.
      Best set the owner of the directory to the user xsuite.
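
The preparation steps above as shell functions. This is an added example, not part of the original article or of the product; the function names install_pam_key, check_authorized_keys and prepare_backup_dir are hypothetical, and the 700 modes on ~/.ssh and on the backup directory are assumptions of this example.

```shell
#!/bin/sh
# Added example. Run on the SSH target as the backup user (xsuite in the article).

# Steps 2-3: append a downloaded PAM public key file to authorized_keys.
# $1 = public key file (e.g. rsa.key), $2 = .ssh directory (default ~/.ssh)
install_pam_key() {
    key_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth="$ssh_dir/authorized_keys"

    [ -s "$key_file" ] || { echo "missing or empty: $key_file" >&2; return 1; }
    # Only public keys belong in authorized_keys; reject private key material.
    if grep -q 'PRIVATE KEY' "$key_file"; then
        echo "refusing private key: $key_file" >&2
        return 1
    fi

    # Mode 700 on .ssh is an assumption of this example.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append line by line and skip lines already present, so re-running the
    # function for the same cluster node does not duplicate entries.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$key_file"
}

# Steps 4-5: succeed only if the file has mode 600 and the expected owner.
# $1 = authorized_keys path, $2 = expected owner (name or numeric uid)
check_authorized_keys() {
    [ -n "$(find "$1" -prune -perm 600 -user "$2" 2>/dev/null)" ]
}

# Step 6: one backup directory per PAM cluster instance.
# Mode 700 is an assumption of this example, not a value from the article.
prepare_backup_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Typical use on the target server:
#   install_pam_key rsa.key && install_pam_key dsa.key
#   check_authorized_keys ~/.ssh/authorized_keys xsuite || echo "fix mode/owner" >&2
```

OpenSSH 7.0 and later do not accept DSA (ssh-dss) user keys by default, so on such a target server expect the RSA key to be the one in use.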

    Additional Information:

    Please note that the public key (rsa.key) must be downloaded from each PAM Cluster instance using the UI of the Database Backup Scheduler (Config->Database: Schedule Backup).

    If you have configured a cluster and want to store backup files for all nodes in the same target folder, then it is recommended to schedule different times to execute the backup on each node. Otherwise the names of the backup files are the same for the various nodes and the files may overwrite each other.

    The file naming convention for the backups is:

    Database Backup File Name: "gkscheddb<date><Y%m%d%H%M%S>_<DBVersion>"
    Configuration Backup File Name: "gkschedcfg<date><Y%m%d%H%M%S>_<PAMRelease>"

    Therefore it is recommended to store backups of each node in a separate target folder.

    Note: if the cluster is in sync and in good health on all nodes, the PAM databases on all nodes are identical, hence a backup might only be performed on one of these nodes.

    However, the PAM configuration might differ on each node, e.g. due to the specific network configuration or a different super/config user's password.

    Hence the recommendation is to perform a backup of the configuration once there have been changes.