Tech ONTAP Blogs

BlueXP Backup and Recovery July 2024 Release

jacoba
NetApp

 

BlueXP Backup and Recovery Integration with AWS IAM Roles Anywhere

 

With the July 2024 release, the BlueXP Backup and Recovery service adds support for the AWS IAM Roles Anywhere service in Technology Preview mode. This applies to backing up Cloud Volumes ONTAP to AWS and to backing up on-premises ONTAP data to AWS.

What is AWS IAM Roles Anywhere?

 

IAM Roles Anywhere lets your external applications interact securely with AWS APIs using IAM roles, in the same way that workloads running directly on AWS use IAM roles. The service issues temporary credentials to your on-premises infrastructure, including servers, containers, and other compute environments. By adopting IAM Roles Anywhere you can eliminate long-term AWS access keys and secret keys, which reduces the risk of long-term credential exposure and simplifies the operational management of these credentials, including rotation and maintenance. This document is a step-by-step guide to deploying IAM Roles Anywhere (IAMRA) and accessing AWS S3 for ONTAP backup and recovery using BlueXP.


Advantages:

  1. Integration with Enterprise PKI: IAM Roles Anywhere integrates with your existing enterprise public key infrastructure (PKI) or AWS Private Certificate Authority. You can use industry-standard X.509 certificates to authenticate.
  2. Temporary Credentials: Your non-AWS workloads (such as servers, containers, and applications) can use the same IAM policies and roles you use within AWS. These workloads receive automatically rotating, short-lived credentials, reducing reliance on long-term credentials.
  3. Anywhere Access: Whether it’s on-premises, hybrid, or multi-cloud, IAM Roles Anywhere grants secure access to AWS services and resources.
  4. Operational Efficiency: By eliminating the need to manage long-term credentials, you reduce operational complexity and costs.

How Do I Configure AWS IAM Roles Anywhere?


 

Step 1: Create an AWS Private Certificate Authority:

Establish a certificate authority to issue certificates for your resources.

Step 2: Create a Trust Anchor:

Generate a trust anchor (root certificate) for your certificate authority.

Step 3: Create a Role with a Trust Policy:

Configure the trust policy of the created role for Roles Anywhere. This allows workloads that have authenticated with the Roles Anywhere trust anchor to assume the role.

Step 4: Configure a Profile:

Create a profile that applies your roles and a session policy. The profile's permissions are enforced on the role session when one or more roles are assumed by your non-AWS workload.

Step 5: Generate a Private Certificate:

Generate the private certificate and private key (certificate.pem and private_key.pem) that will be used to assume your role.

Step 6: Use the AWS Signing Helper to get session tokens:

Use the signing helper to acquire temporary security credentials. Your external applications or compute platforms request that AWS let them assume the IAM role, and as part of this request they provide identity verification information, such as certificates or tokens issued by your trusted identity provider.

Step 7: Use session credentials to access AWS resources:

Upon successful verification of the identity, AWS issues short-term credentials to the application. These consist of an access key ID, a secret access key, and a session token, which the application uses to authenticate requests to AWS services.

Step 8: Manage the Credential Lifecycle:

The short-term credentials have a limited lifetime, so your application or management tools need to handle their lifecycle. This includes monitoring credential expiration and automatically requesting new credentials as needed.

 

BlueXP Backup and Recovery Integration with AWS IAM Roles Anywhere


 

In this section, we walk through the BlueXP Backup and Recovery integration with AWS IAM Roles Anywhere.

 

1. Set Up Trust and Roles:

  • Create the trust anchor, appropriate roles for IAM Roles Anywhere, and a profile in your AWS account.

2. Deploy the BlueXP Connector:

  • Install the BlueXP connector in your on-premise data center.
  • Create a folder named “/root/netapp/cbs-iamra” on the connector host for IAM Roles Anywhere deployment.

3. Create Additional Folders:

  • Also create “/root/.aws/credential” (a file, as shown in the commands below).

 

Run the following from /root on the connector host:

> mkdir netapp

> cd netapp

> mkdir cbs-iamra

This gives you the directory /root/netapp/cbs-iamra/. Also create the (initially empty) file /root/.aws/credential.

 

4. Ensure CBS Container Access:

  • Edit the config.json file in the “/opt/application/netapp/service-manager-2” folder and add the volume entry below, so that the “/root/netapp/cbs-iamra” folder is mounted and accessible inside the CBS container.

 

 

"composeOverrides": {
    "cloudmanager_cbs": [
      {
        "property": "volumes",
        "value": [
            "/var/run:/var/run",
            "/etc/hosts:/etc/hosts",
            "/root/netapp/cbs-iamra:/opt/netapp/cbs/server/cbs-iamra",
            "/tmp:/opt/netapp/shared:rshared"
        ]
      }
    ]
  }

 

5. Prepare for Certificate Issuance:

  • Create an “iamra.json” file under the “/root/netapp/cbs-iamra” folder.
  • Restart the BlueXP Backup and Recovery container.

 

> cd /root/netapp/cbs-iamra

> touch iamra.json

> docker restart cloudmanager_cbs

 

6. Issue a Private Certificate:

  • Use the “aws acm-pca issue-certificate” command to create a private certificate from your certificate signing request (csr.pem).
  • The command returns the ARN of the issued certificate.

 

aws acm-pca issue-certificate \
      --validity Type=DAYS,Value=10 \
      --signing-algorithm "SHA256WITHRSA" \
      --csr fileb://csr.pem \
      --template-arn arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566

Response:

{
   "CertificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
}

 

Download the certificate locally using the appropriate command.

 

aws acm-pca get-certificate \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
      --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID | \
      jq -r '.Certificate' > cert.pem

 

Make sure that both generated files (the certificate and its private key) are stored in the “/root/netapp/cbs-iamra” folder.

 

7. Manage Certificate Renewal:

Create certificate renewal scripts that generate a new certificate and private key shortly before the current certificate expires.

 

8. Install aws_signing_helper

  • Download and install the “aws_signing_helper” package in the “/root/netapp/cbs-iamra” folder.
  • This utility obtains temporary security credentials from AWS IAM Roles Anywhere. The helper manages the process of creating a signature with the certificate and calling the endpoint to obtain session credentials; it returns the credentials to the calling process in a standard JSON format.

 

Install the packages in /root/netapp/cbs-iamra/. First download the aws_signing_helper binary and make it executable:

> cd /root/netapp/cbs-iamra

> wget https://rolesanywhere.amazonaws.com/releases/1.1.1/X86_64/Linux/aws_signing_helper

> chmod +x aws_signing_helper

Then install unzip, the AWS CLI, and jq:

> sudo apt-get install unzip

> curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

> unzip awscliv2.zip

> sudo ./aws/install

> sudo apt-get install jq

 

9. Generate Access Credentials:

  • Use the aws_signing_helper to generate the required access key ID, secret access key, and session token.

 

$ ./aws_signing_helper credential-process \
      --certificate /path/to/certificate \
      --private-key /path/to/private-key \
      --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID \
      --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID \
      --role-arn arn:aws:iam::account:role/role-name-with-path

Output:

{
    "Version": 1,
    "AccessKeyId": String,
    "SecretAccessKey": String,
    "SessionToken": String,
    "Expiration": Timestamp
}

 

 

  • --certificate (string): Path to the certificate file.
  • --endpoint (string): The IAM Roles Anywhere endpoint for the region. For a list of endpoints, see Service endpoints and quotas.
  • --region (string): Signing region.
  • --private-key (string): Path to the private key file.
  • --profile-arn (string): Profile to pull policies from.
  • --role-arn (string): Target role to assume.
  • --trust-anchor-arn (string): Trust anchor to use for authentication.

 

10. Token Management:

  • Create scripts to generate a new token before it expires.

11. Scheduled Tasks:

  • Set up a cron job to execute the certificate and token generation scripts at appropriate intervals.

12. Ready to Go:

  • With these steps completed, users can now use the BlueXP Backup and Recovery service with IAM Roles Anywhere integration.
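The renew-before-expiry logic that Step 8 above and items 7, 10 and 11 ask for can live in one refresh script that cron runs; the following is an added example written for this post, not NetApp's or AWS's code. It parses the aws_signing_helper output shown in item 9, checks how close the token (or, with a larger margin, the certificate) is to expiry, and rewrites the /root/.aws/credential file from item 3. The INI layout of that file, the [default] profile name and the 5-minute margin are assumptions.

```python
# Added example (not NetApp's or AWS's code): renew-before-expiry script for the
# aws_signing_helper credentials described in the post; paths are from the post.
import json
import os
import subprocess
from datetime import datetime, timezone
HELPER = "/root/netapp/cbs-iamra/aws_signing_helper"  # install path from the post
CREDENTIAL_FILE = "/root/.aws/credential"              # file path from the post
REFRESH_MARGIN = 300                                    # seconds; assumed renewal margin
SAMPLE_OUTPUT = (  # constructed sample, same shape as the helper "Output" in the post
    '{"Version": 1, "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "EXAMPLESECRET",'
    ' "SessionToken": "EXAMPLETOKEN", "Expiration": "2024-07-18T14:30:00Z"}')

def parse_credential_process(output: str) -> dict:
    """Validate the credential_process JSON: Version 1 and all four fields present."""
    creds = json.loads(output)
    if creds.get("Version") != 1:
        raise ValueError("unexpected credential_process Version")
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if not creds.get(key):
            raise ValueError(f"helper output is missing {key}")
    return creds

def _iso(ts: str) -> datetime:  # the helper writes ISO-8601 with a trailing Z for UTC
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def needs_refresh(expiration: str, now: str, margin_seconds: int = REFRESH_MARGIN) -> bool:
    """True when margin_seconds or less remain; the same check serves the certificate's notAfter."""
    return (_iso(expiration) - _iso(now)).total_seconds() <= margin_seconds

def render_credential_file(creds: dict, profile: str = "default") -> str:
    """Render the AWS shared-credentials INI layout (assumed format of the consumer)."""
    return (f"[{profile}]\naws_access_key_id = {creds['AccessKeyId']}\n"
            f"aws_secret_access_key = {creds['SecretAccessKey']}\n"
            f"aws_session_token = {creds['SessionToken']}\n")

def refresh(cert: str, key: str, trust_anchor: str, profile_arn: str, role: str) -> dict:
    """Run the helper with the flags listed in the post, then rewrite the file with mode 0600."""
    cmd = [HELPER, "credential-process", "--certificate", cert, "--private-key", key,
           "--trust-anchor-arn", trust_anchor, "--profile-arn", profile_arn, "--role-arn", role]
    creds = parse_credential_process(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)
    fd = os.open(CREDENTIAL_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:  # secret material: never world-readable
        fh.write(render_credential_file(creds))
    return creds

if __name__ == "__main__":  # dry run on the constructed sample; cron would call refresh(...)
    sample = parse_credential_process(SAMPLE_OUTPUT)
    print("refresh needed:", needs_refresh(sample["Expiration"], datetime.now(timezone.utc).isoformat()))
```

Call refresh(...) with the ARNs from item 9 from the cron job in item 11; the same needs_refresh check applied to the certificate's notAfter date with a margin of a day or two drives the renewal script in item 7.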

 

FlexGroup folder or directory restore now available

Previously, only directories in FlexVol volumes could be restored; FlexGroup folders and directories could not. ONTAP 9.15.1 added support for FlexGroup folder restores, and using the BlueXP Backup and Recovery “Browse and restore” feature you can now restore FlexGroup directories.

 

With this release, support for FlexGroup folder restore is a technology preview.

How To Use the FlexGroup folder restore in preview mode

The FlexGroup Directory Restore feature is disabled by default. It can be enabled by following the steps below.

 

Enable the feature by setting the flag:

 

  • Log in to the connector.
  • Run "sudo su".
  • Run "docker volume ls | grep cbs".
    • Output: local service-manager-2_cloudmanager_cbs_volume
  • The volume name differs between dark site and cloud deployments.
  • Obtain the mount point for the volume by executing "docker volume inspect service-manager-2_cloudmanager_cbs_volume | grep Mountpoint".
    • Output: "Mountpoint": "/var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data"
  • The mount point differs between cloud deployments and dark site/private deployments. In this example, it's a cloud deployment.
  • cd to the Mountpoint directory obtained in the previous step:
    • cd /var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data
  • Execute "cd cbs_config". The cbs_config directory already exists.
  • Create a config file as shown below, named development-customer.json, production-customer.json or darksite-customer.json depending on the deployment environment.

 

{
    "feature-flags":
     {
        "flexgroup-volume-directory-restore" : true
     }
}

 

  • After the above mentioned changes are done, make sure to restart the cloudmanager_cbs container.

 

> docker restart cloudmanager_cbs

 

 

The following configurations are not supported:

  • FlexGroup to FlexVol directory restore
  • FlexVol to FlexGroup directory restore
  • Directory restore from local snapshots
  • Restoring directories containing LUNs/vdisks: FlexGroup does not support LUNs/vdisks today, so directory restore does not support them either.
  • Multiple directory restores to the same volume at the same time
  • File restore from a FlexGroup volume is not supported for ONTAP_S3.

 

Restore volumes less than 1 GB

 

With this release, you can now restore volumes that you created in ONTAP that are less than 1 GB. The minimum volume size that you can create using ONTAP is 20 MB.

Understanding DataLock and Ransomware Scan Costs

 

The DataLock and Ransomware Scan feature offers robust protection for your backup files, safeguarding them from unauthorized modifications or deletions for a set duration, and alerts customers in the event of a ransomware attack on their cloud backups. This added layer of security is instrumental in defending your files against ransomware threats. However, activating this feature may lead to extra charges for the customer. To ensure that the customer is informed about the potential charges, the following steps have been implemented.

 

  • Updated TCO Calculator: The TCO calculator has been updated to show the cost incurred by the DataLock and Ransomware Scan feature when it is enabled. TCO Calculator
  • Understanding TCO Calculation: A blog post has been published that explains how costs are calculated when activating the BlueXP Backup and Recovery service. Click the link for more details: Understanding BlueXP Backup and Recovery DataLock and Ransomware Feature TCO
  • Tips on how to mitigate DataLock costs: For details about DataLock and tips on how to mitigate the associated costs, refer to the following link:
  • Option to Disable Ransomware Scan: Previously, enabling the DataLock and Ransomware Scan policy activated both features at once, so users could not disable Ransomware Scan without also turning off DataLock, potentially incurring extra cloud provider charges. Now users can disable Ransomware Scan while keeping DataLock, giving more control over security settings and cost management.

Security Enhancements

 

  • The BlueXP Backup and Recovery service now performs server-side certificate verification for all cloud services it communicates with, such as object stores and serverless databases. It also offers an optional feature to verify certificates for ONTAP and StorageGRID. This enhances security by ensuring that CBS only connects to authenticated services.
  • Qualification of Tamperproof snapshots with BlueXP Backup and Recovery workflows.

 

Performance Improvements

 

  • Introduced volume filter in the Search and Restore workflow to improve the search performance.
  • Fixed several SnapDiff API call issues to increase the Search and Restore performance.
  • Implemented several fixes to improve the dashboard loading performance.


Issues Fixed

 

  • Implemented fixes for unique bucket creation in Private mode.
  • Introduced metering changes in BlueXP Backup and Recovery to ensure customers are not double charged when Ransomware Protection as a Service is enabled.
  • Qualified support for MySQL 8.x on the connector.
  • Fixed multiple support issues.

 

Try It Out!

 

Now that you’ve read about these features, we hope you are enticed to go ahead and try out the new preview features.

If you would like more information, contact us [John Andathethu, Jacob (Jacob.A@netapp.com), Shweta Datha (shweta.datha@netapp.com)] and we would be happy to answer your questions.
