
CHAPTER 23 Secure Data Sync

23.1 Introduction

Secure Data Sync is an asymmetric replication product that synchronizes data from one or more Data Protection Units (DPU) to a single Data Protection Vault (DPV). This allows an organization to move critical data to an off-site location, which protects against the loss of data in the event of a disaster.

The Secure Data Sync architecture is essentially a multi-level client-server design. All satellite DPUs synchronize with the DPV on a regular basis. The DPUs act as servers for the clients connected to them. The DPV acts as a server for the DPUs.

A user can choose which DPU clients' data to replicate to the DPV. It may be one critical client or all clients backing up data to the DPU. The number of clients that will be part of the synchronization schedule will most likely be determined by the amount of data to be replicated, the bandwidth of the network connection and the time available to perform the synchronization process.

FIGURE 107. Typical Secure Data Sync Design

A few of the advantages of Secure Data Sync are:

1. Secure offsite protection of data from all DPUs to the DPV.
2. Since the paradigm for synchronization is block based, the data transferred to the DPV is only the changes since the last synchronization. This greatly reduces the bandwidth utilization, which would have been an overhead if all the data were transferred from the DPUs to the DPV.

It is important to note that Secure Data Sync is a disaster recovery solution. The data on the DPV is available for complete recovery in the event of a disaster. The data on the DPV can also be moved to tape for long-term archiving purposes. File and Bare Metal restores will continue to be initiated from the DPU.

TABLE 26. DPU and DPV Applications and Capacity Requirements

Product | Applications | Minimum Recommended Capacity
DPU | File level backup and restore, bare metal crash recovery | Three times the total space needed to hold a master backup of all clients
DPV | Disaster recovery and file level archiving | One and a half times the total space needed to hold a master backup of all clients being synchronized

23.1.1 Basic Overview:

This section briefly describes the multilevel hierarchy and operation of Secure Data Sync. Consider a situation where there are four networks. Each network has a DPU which backs up clients on the network. These clients can be running different operating systems. Some or all of these clients can have the data that has been backed up to the DPU synchronized to the DPV.
The architecture is client centric. When the administrator registers the clients on the DPU, he can specify the priority of the client and also specify whether the data of the client should be synchronized to the DPV. The priority ranges from 0-1000, with 1000 indicating the highest priority. The priority field makes sure that the clients with a higher priority are synchronized before the other clients. Any data backed up from that client to the DPU is then synchronized to the DPV. If the master backup is done to the DPU, all the files are synchronized to the DPV. If there is no prior backup synchronized to the DPV, this operation is more time consuming than the subsequent synchronizations. The synchronization process on the DPU is monitored by the sync engine.
In all subsequent synchronizations the block based scheme transfers only the data that has changed since the last synchronization. The data is stored on the DPV in a directory with the name of the client. This is explained in further detail in the Setup section. Hence, the data on the DPV for a particular client is a consolidated backup of the last master backup and the last incremental backup. This data on the DPV is the current running master on the client.
It is important to give careful consideration to the disk capacity available on the DPU(s) and the DPV. Typically you will want the DPU capacity to be at least three times the amount needed to hold the master backups of all the clients serviced by the DPU. The DPV capacity should be at least one and a half times the amount needed to hold the master backups of all clients that will be synchronized to the DPV.

23.2 How to Setup

To set up Secure Data Sync, you need to specify your settings for securesync in the master.ini file. This file is normally present in the /usr/bp/bpinit/ directory on the DPU.

Edit the section [securesync] as shown below:

[securesync]
AutoSyncEnabled="Yes"
TemporarySpaceLocation=/tmp/wrk
BlockOutPeriods="22-7,10-12"
CheckIntervalSeconds=3600
SyncTo="spider.unitrends.com:/store"
SiteName="HomeOffice"
SyncReportUseHtml=No
SyncReportMailTo=sync_admin@unitrends.com
SyncReportSubject=%s Sync Report
SyncReportTime=18:30
LastReportTime=

Description of example above:

AutoSyncEnabled Means that synchronization is enabled. This value can be Yes or No. By changing this setting you can activate or deactivate the sync engine instead of stopping or starting the program itself.

TemporarySpaceLocation Working directory that is used for internal purposes. This directory should be present on the system.

WARNING. The directory should not contain any important information. All files present will be removed by securesync.

CheckIntervalSeconds Time interval in seconds between synchronizing. For example, CheckIntervalSeconds=1800 means 30 minutes. The product will wait for the specified amount of time before scanning for data to replicate.

SyncTo Specifies the remote host and directory where all backups are being synchronized. The DPV's hostname and directory name must be separated by ":". For example, SyncTo = "dpv:/backups", where dpv is the name of the remote host and backups is the directory where all the backups are synchronized.

BlockOutPeriods This variable specifies the interval(s) when syncs are blocked (disabled). Use 24-hour style. You can specify one or more intervals. For example, BlockOutPeriods="19-8" means that securesync will be passive from 7 p.m. until 8 a.m. BlockOutPeriods="22-2,6-14" means that securesync will be passive from 10 p.m. to 2 a.m. and from 6 a.m. to 2 p.m.

SiteName The name of the organization served by the DPU. It must be a unique character string without spaces. This variable is used as a subdirectory name on the remote host.

SyncReportUseHtml May be set to "Yes" or "No". If it is "Yes", the reports will be generated in HTML format. If it is set to "No" only plain text reports are generated. This setting will depend on whether the email browser is capable of reading HTML code.

SyncReportMailTo The e-mail address of the person who receives reports. You can specify two or more addresses separated with commas without spaces. For example

SyncReportMailTo=root,boss@domain.com,john@yahoo.com

SyncReportSubject The subject field for e-mail with the reports.

LastReportTime This is for internal use. Do not edit.

SyncReportTime The time of day when the report should be sent.

LastTimeStamp This is for internal use. Do not edit.

NOTICE: If you have changed any of these values, except AutoSyncEnabled, and the program is already running, you need to stop the program and start it again. You do this using the process monitor menu selection under the Routines section. You don't need to do anything if you've changed the AutoSyncEnabled variable. The program checks this value automatically.
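
The settings above can be checked before the sync engine is restarted. The following is an added example, not code from the product or the original manual: it reads a [securesync] section, expands BlockOutPeriods into blocked hours (including intervals that wrap past midnight) and flags values that contradict the descriptions above. The function names, the list of unsafe working directories and the choice to treat the end hour as exclusive are assumptions.

```python
import configparser

# Constructed sample modelled on the page's [securesync] section.
SAMPLE_INI = """\
[securesync]
TemporarySpaceLocation=/tmp/wrk
BlockOutPeriods="22-7,10-12"
SyncTo="dpv.domain.com:/backups"
SiteName="HomeOffice"
SyncReportSubject=%s Sync Report
"""

# Assumed deny-list: directories too broad to hand to a process that empties them.
UNSAFE_WORKDIRS = {"/", "/tmp", "/usr", "/usr/bp", "/etc", "/home", "/root", "/var"}


def load_securesync(text):
    """Return the [securesync] settings with surrounding quotes removed."""
    # interpolation=None: the "%s" in SyncReportSubject must be read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written in master.ini
    parser.read_string(text)
    return {k: v.strip().strip('"') for k, v in parser["securesync"].items()}


def blocked_hours(periods):
    """Expand "22-7,10-12" into the set of blocked hours (end hour exclusive)."""
    hours = set()
    for item in filter(None, (p.strip() for p in periods.split(","))):
        start, end = (int(x) for x in item.split("-"))  # ValueError if malformed
        if not (0 <= start <= 23 and 0 <= end <= 24):
            raise ValueError(f"hour out of range in {item!r}")
        span = (end - start) % 24 or 24  # end <= start wraps past midnight
        hours.update((start + i) % 24 for i in range(span))
    return hours


def check(cfg):
    """Return a list of problems found in the settings (empty if none)."""
    problems = []
    host, sep, path = cfg.get("SyncTo", "").partition(":")
    if not (host and sep and path.startswith("/")):
        problems.append("SyncTo is not host:/directory")
    site = cfg.get("SiteName", "")
    if site in ("", ".", "..") or any(c.isspace() or c == "/" for c in site):
        problems.append("SiteName must be one path component without spaces")
    work = cfg.get("TemporarySpaceLocation", "").rstrip("/") or "/"
    if not work.startswith("/") or work in UNSAFE_WORKDIRS:
        problems.append(f"TemporarySpaceLocation {work!r} is not a dedicated directory")
    try:
        blocked_hours(cfg.get("BlockOutPeriods", ""))
    except ValueError as exc:
        problems.append(f"BlockOutPeriods: {exc}")
    return problems
```

A local SyncTo value such as "/dpv", which Alternative 3 of the Phase 1 Transfer uses temporarily, is reported by check() because it is not the host:/directory form required for normal operation.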

23.3 Configuring clients.

Two fields pertaining to synchronization are added to the client dialog: Priority and Syncable.
· Priority
The clients are assigned a priority between 0-1000 with 1000 being the maximum priority. This feature is added to prevent starvation of a client from being synchronized with the DPV. If a client is of greater importance than some others, it can be assigned a priority greater than the others. The priority assigned to a client is called the actual priority. This value is constant. However, the algorithm for the synchronization then calculates an effective priority, based on its actual priority and the last time the client was synchronized. If a client has never been synchronized its effective priority is increased. This scheme ensures that all clients are synchronized in a timely manner. This feature allows important clients to always be synchronized while less important clients are synchronized only if bandwidth permits.
· Syncable

This field should be checked if the client is going to be synchronized to the DPV. All the backups for the client will be synchronized. If this field is not checked the client is ignored during synchronization.

FIGURE 108. Configuring clients.

23.4 Data Secure Sync Requirements

Before you start Data Secure Sync the first time, you need to perform the following steps on the DPU and DPV.

a) Setup secure communications.

1. On the DPU, log in as the "root" user and run

/usr/bp/bin/keygen

This will create the file /tmp/<hostname>.key where hostname is the name of your DPU.

2. Transfer the file /tmp/<hostname>.key to the DPV machine and put it in the /tmp directory on the DPV.

3. On the DPV, as root, run the command

/usr/bp/bin/keyinstall /tmp/<hostname>.key

4. Now go back to your DPU and run as root:

/usr/bp/bin/keygen -t <hostname>

Where <hostname> is the name of your DPV. This will test the secure connection between the DPU and the DPV. You will see a prompt like this:

The authenticity of host 'host.domain.com (66.103.182.9)' can't be established.
DSA key fingerprint is cf:0c:c1:ac:aa:b8:a2:7c:2a:12:68:64:b9:51:1d:aa.
Are you sure you want to continue connecting (yes/no)?

Type the full word "yes" here. Do not try to type "y" only. Then you will see the shell prompt (a pound sign followed by a blinking cursor) on the DPV. Type "exit" and close the session. The first step is done.

It's possible that after running /usr/bp/bin/keygen -t <hostname> you will see the shell prompt immediately, without any questions. That's fine. Just type "exit" here.

Now your secure software is set up and ready to work. For your convenience keygen and keyinstall scripts generate brief help messages.

b) Prepare the remote directory.

On the DPV, manually create the directory <remote directory>/<sitename>, where remote directory is the same name that you specified in the variable SyncTo of the file master.ini after the ":" character. Sitename is the same name that you specified in the variable SiteName of the file master.ini. See the example below.

c) Prepare local directory.

On the DPU, create the working directory that you specified in the variable TemporarySpaceLocation of the file master.ini. Make sure that the location you have selected has as much room as your largest backup. Keep in mind that the product removes all the files in that directory. Never put any valuable data in this temporary working directory!

An example:

Let's say the variables in master.ini file are as follows:

SyncTo="dpv.domain.com:/backups"
TemporarySpaceLocation="/tmp/wrk"
SiteName="my_company"

In this case you need to create /tmp/wrk directory on the DPU and /backups/my_company on the DPV. The internet name of the DPV must be dpv.domain.com.

Now you're ready to start Secure Data Sync.
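
The host-key prompt in step a) is the point at which the DPU decides whether the machine answering is really the DPV, so the fingerprint it shows should match the DPV's own host key before "yes" is typed. The following added example, which is not part of the original manual or the product, computes the colon-separated MD5 fingerprint of a public key line and compares it with the prompt text; it assumes the DPV's host public key in OpenSSH format was obtained over a trusted channel (for example, read at the DPV console), and the function names and SAMPLE_KEY are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample: a well-formed but meaningless "ssh-dss" public key line.
SAMPLE_KEY = "ssh-dss " + base64.b64encode(
    b"\x00\x00\x00\x07ssh-dss" + b"constructed sample, not a real key"
).decode() + " root@dpv"

# Prompt text as shown on the page.
SAMPLE_PROMPT = (
    "The authenticity of host 'host.domain.com (66.103.182.9)' can't be established.\n"
    "DSA key fingerprint is cf:0c:c1:ac:aa:b8:a2:7c:2a:12:68:64:b9:51:1d:aa.\n"
    "Are you sure you want to continue connecting (yes/no)?"
)


def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint of a '<type> <base64> [comment]' key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed key type that must match field 0.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len].decode("ascii", "replace") != fields[0]:
        raise ValueError("key type does not match the encoded blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def prompt_fingerprint(prompt_text):
    """Extract the fingerprint from the 'key fingerprint is ...' prompt line."""
    marker = "key fingerprint is"
    for line in prompt_text.splitlines():
        if marker in line:
            return line.split(marker, 1)[1].strip().rstrip(".").lower()
    raise ValueError("no fingerprint line in prompt text")


def safe_to_answer_yes(prompt_text, trusted_pubkey_line):
    """True only if the prompt shows the fingerprint of the trusted key."""
    return prompt_fingerprint(prompt_text) == md5_fingerprint(trusted_pubkey_line)


if __name__ == "__main__":
    # The constructed key does not belong to the host in the prompt: prints False.
    print(safe_to_answer_yes(SAMPLE_PROMPT, SAMPLE_KEY))
```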

23.5 Start and Stop

The Sync engine is started whenever tasker is started. Tasker is started from the Task menu. To stop the sync engine, use the Process monitor menu choice under Routines and kill the securesync process. You can also restart the sync engine by executing it manually. For example if /usr/bp/ is the installation directory of Backup Professional then the sync engine is started by typing /usr/bp/bin/securesync at the shell prompt.

TABLE 27. Configuration Settings, summary.
AutoSyncEnabled | Are syncs enabled or not.
BlockOutPeriods | Interval(s) when synchronization is not performed.
TemporarySpaceLocation | Working directory.
CheckIntervalSeconds | Time interval between syncs.
SyncTo | Remote <host>:<path>
SiteName | Site Name
SyncReportUseHtml | Send reports in HTML format.
SyncReportMailTo | Send the reports to this address.
SyncReportSubject | Send the reports with this subject field.
SyncReportTime | Time of day when the report should be sent.
LastReportTime | Do not edit! It's for private use.
LastTimeStamp | Do not edit! It's for private use.

23.6 Phase 1 Transfer

As mentioned above, if the files of a master backup are not present on the DPV, it takes a very long time to synchronize the backup. This is referred to as the Phase 1 Transfer. For example, if there is a T1 connection between the DPU and the DPV and the master backup is 10GB, then the amount of time for the transfer is over 15 hours. (Speed of T1 = 1.544Mbps) To prevent this overhead we strongly suggest the initial copy be performed using an alternate technique mentioned below. Unitrends Professional Services can work with you to determine the optimal procedure for the initial setup. Here are four procedures that can be followed:

23.6.1 Alternative 1

This alternative proposes to connect the DPV on the same network as the DPU and then perform the regular operation of synchronizing the master backups for the client connected to the DPU. Once that is done the DPV can be moved to the next site and connected to its network and perform the synchronization. Once all the sites are synchronized on the DPV, it can then be moved to its remote location and all the sites can then connect and synchronize to it. There are no special settings for this alternative. This alternative is practical if there are only a few sites. Beyond that, you might consider one of the following alternatives.

23.6.2 Alternative 2

This alternative proposes that the disk storage attached to the DPV be connected to the DPU. Let the storage be called DPVStorage. The DPVStorage can be a single disk or a set of disks (disk array). The disk array can be attached to the DPU as an external SCSI device. The DPVStorage will be mounted on /dpv on the DPU. The "phase_one" is invoked, which transfers the data to /dpv. A Replicated Backup record is created on the DPU to indicate what is present on the DPVStorage. This is explained in further detail in the next section. A directory with the site name is created in /dpv and a directory with the client name is created as a subdirectory of the site name. Hence the directory structure on the DPVStorage is <Stem>/SiteName/ClientName/{data of ClientName}. This procedure is repeated for all the clients that are marked as syncable. If a certain client does not have a successful master, the user needs to create one for the client. Once this process is done the DPVStorage has all the master backups for the syncable clients of the DPU. Then transfer the DPVStorage to the next DPU (site) and perform the above procedure. Once all sites are covered the DPVStorage is attached to the DPV. From that point on the synchronization of backups is done transparently without interruptions.

23.6.3 Alternative 3

This alternative proposes a similar kind of architecture as in Alternative 1. The DPVStorage is attached to the DPU and then mounted on /dpv. For the initial setup phase the SyncTo variable in the securesync section of master.ini must be changed. Since the DPVStorage is mounted on /dpv, change the value to SyncTo= "/dpv". The "phase_one" is then executed, which performs the synchronization of the last master backups of the clients to the DPVStorage. A Replicated Backup record is created similar to Alternative 2. Once all the clients are synchronized over to the DPVStorage from all the sites, the DPVStorage is then attached to the DPV. Edit the master.ini file again to change the SyncTo variable to point to the appropriate location. Refer to the Setup section above.

23.6.4 Alternative 4

This alternative is the actual synchronization of the master backup over the wire to a remote site. If the DPV is already installed at the remote site then the synchronization takes place successfully, but with a considerable overhead as described before. We strongly recommend following one of the previous three alternatives.

23.7 Replicated Backup

A backup for a client is synchronized only if the following conditions are satisfied:
1. The Sync engine is enabled in the master.ini.
2. The client is set as Syncable.
3. The backup of the client is to disk.

A synchronized backup is a backup record on the DPU which represents the data for the client on the DPV. A synchronized backup record is created when the data on the DPU is synchronized to the DPV. In short, it is a listing of the data on the DPV, which consists of a consolidation of the latest master backup with the latest incremental backup and the subsequent selective backups for the client. The data on the DPV is current at all times. However, to achieve this there are some precautions to be taken. If the backup of a client is done to tape on the DPU, it is not synchronized to the DPV. Hence if a master backup is performed to tape on the DPU and the subsequent incremental backups to disk, then the data on the DPV can get out of sync. If a master backup has to be performed to tape, we strongly suggest that you perform a selective backup of the entire machine (which is similar to a master backup), which ensures that all the backups synchronized to the DPV are in sync. At all times only one successful replicated backup exists for a given client, since it is updated every time a synchronization is performed.
FIGURE 109. Replicated Backup

23.8 Reports

The user has an option to set the time the reports are generated. This setting is SyncReportTime and is in the securesync section of the master.ini file. The reports are generated daily at the specified time. A sample report is shown below:
FIGURE 110. Sample Report.

The report indicates the time at which it is generated. The Sync engine uptime indicates the amount of time the sync engine could connect to the DPV. Likewise, the Sync engine downtime indicates the amount of time the sync engine could not connect to the DPV. Total clients synchronized indicates the number of clients whose backups were successfully synchronized with the DPV. Files securely synchronized indicates the number of files that were synchronized. Likewise, the total data synchronized indicates the amount of data synchronized with the DPV. This does not indicate the actual amount of data transferred, which is comparatively less, since it does a block based synchronization and sends only the data that has changed. The Backlogs indicate the number of backups on the DPU that have not been synchronized with the DPV. If the number of backlogs is high then we suggest you increase the sync window or have a higher bandwidth for synchronization.

