System Recovery

The following sections explain how to recover the ActivID AS system following a critical error.

Note: The procedures must be executed as ftadmin.

ActivID AS applications use an internal system user to authenticate to the ActivID AS server. This user authenticates with PKI credentials stored in the software keystore, <ACTIVID_HOME>/ActivID_AS/config/SYSUSERS.keystore.

There is one system user per Security Domain and node.

At installation, this system user is created by the ActivID ftinit user with the following characteristics:

  • User group: ActivID Setup (FTINIT)

  • Authentication record: System Static Login (AT_SYSLOG)

The system users are listed in the <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties file.

Note: Any update of the activid.properties file requires that you restart the server.

Recover the Node System Users

The following procedure can be used either to recover the node system user (for example, if it was accidentally deleted) or to renew the user's self-signed certificate and keys. It uses the following scripts, located in the <ACTIVID_HOME>/ActivID_AS/bin folder:

  • recoverAdministratorUser.sh

  • configureSytemUser.sh

  1. If the ActivID AS administrator and/or setup users (ftadmin, ftinit) have been deleted, first recreate equivalent users by running the following command as ftadmin (see Recover the ActivID AS Administrators):

    recoverAdministratorUser.sh -d <Security Domain>

  2. As ftadmin, execute the following command to create the keys and self-signed certificate in the software keystore:

    configureSytemUser.sh -c createkeyscerts -d <Security Domain> -v <validity period (years)>

  3. Restart the ActivID AS instance.

  4. As ftadmin, execute the following command to import the corresponding user's credentials into the ActivID AS database (ActivID AS must be up and running):

    configureSytemUser.sh -c importsysusers -d <Security Domain>

  5. When prompted, enter the credentials for the setup user (ftinit).

Recover the ActivID AS Application Configuration

The configureIDPData.sh script located in the <ACTIVID_HOME>/ActivID_AS/bin/ folder (re)configures the ActivID Authentication Portal (SAML IDP) and the Management Console or Self-Service Portal (SAML service providers).

This procedure can be used either to recover the SAML configuration or to renew the SAML IDP certificates and keys.

  1. If the ftinit user has been deleted, first recreate it (see Recover the ActivID AS Administrators).

  2. As ftadmin, execute the following command to create the SAML configuration in the ActivID AS database (ActivID AS must be up and running):

    configureIDPData.sh -c importdata -d <Security Domain>

  3. When prompted, enter the credentials for the setup user (ftinit).
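The two procedures above (node system users, then SAML IDP configuration) wrapped in one shell script, as an added example that is not part of the ActivID documentation or product. The recoverAdministratorUser.sh, configureSytemUser.sh and configureIDPData.sh invocations are exactly the ones listed on this page; everything else is an assumption: an ACTIVID_HOME variable defaulting to /opt/activid, a DRY_RUN variable that prints each command instead of executing it, and an operator prompt standing in for the site-specific instance restart in step 3. Before createkeyscerts regenerates the keys, the wrapper copies SYSUSERS.keystore aside so the previous system-user credentials can be put back if the import step fails, and it refuses to run as any OS user other than ftadmin.

```shell
#!/bin/sh
# Added example (not ActivID product code): wrapper around the recovery scripts
# described on this page. Assumptions: ACTIVID_HOME defaults to /opt/activid,
# DRY_RUN=1 prints each command instead of executing it.
set -eu

ACTIVID_HOME="${ACTIVID_HOME:-/opt/activid}"   # assumed default install root
BIN_DIR="$ACTIVID_HOME/ActivID_AS/bin"
SYSUSERS_KEYSTORE="$ACTIVID_HOME/ActivID_AS/config/SYSUSERS.keystore"
DRY_RUN="${DRY_RUN:-0}"

# The page requires these procedures to run as ftadmin: refuse anything else.
require_user() {
    actual="$(id -un)"
    if [ "$actual" != "$1" ]; then
        echo "must run as $1 (current user: $actual)" >&2
        return 1
    fi
}

# Reject empty names, names starting with '-' (the scripts would parse them as
# options) and anything outside a conservative character set.
valid_domain() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Copy the keystore aside with a timestamp, owner-only readable, so the previous
# system-user keys can be restored if the import step fails after createkeyscerts.
backup_keystore() {
    backup="$1.$(date -u +%Y%m%dT%H%M%SZ).bak"
    cp -p "$1" "$backup"
    chmod 600 "$backup"
    printf '%s\n' "$backup"
}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN:'; printf ' %s' "$@"; printf '\n'
    else
        "$@"
    fi
}

# "Recover the Node System Users", steps 1-5. The restart (step 3) is site-specific,
# so the operator is prompted to do it before the import runs.
recover_system_users() {
    domain="$1"; validity_years="$2"; recreate_admins="${3:-0}"
    valid_domain "$domain" || { echo "invalid domain name: $domain" >&2; return 1; }
    if [ -f "$SYSUSERS_KEYSTORE" ]; then
        backup_keystore "$SYSUSERS_KEYSTORE" >/dev/null
    fi
    if [ "$recreate_admins" = 1 ]; then
        run "$BIN_DIR/recoverAdministratorUser.sh" -d "$domain"
    fi
    run "$BIN_DIR/configureSytemUser.sh" -c createkeyscerts -d "$domain" -v "$validity_years"
    echo "Restart the ActivID AS instance now, then press Enter to import the credentials." >&2
    [ "$DRY_RUN" = 1 ] || read -r dummy
    run "$BIN_DIR/configureSytemUser.sh" -c importsysusers -d "$domain"
}

# "Recover the ActivID AS Application Configuration": re-import the SAML IDP/SP data.
recover_idp_config() {
    valid_domain "$1" || { echo "invalid domain name: $1" >&2; return 1; }
    run "$BIN_DIR/configureIDPData.sh" -c importdata -d "$1"
}

# Usage: recover.sh sysusers <domain> <validity-years> [1 to recreate ftadmin/ftinit]
#        recover.sh idp <domain>
if [ $# -gt 0 ]; then
    require_user ftadmin
    case "$1" in
        sysusers) recover_system_users "${2:-}" "${3:-}" "${4:-0}" ;;
        idp)      recover_idp_config "${2:-}" ;;
        *) echo "usage: $0 sysusers <domain> <validity-years> [1] | idp <domain>" >&2; exit 2 ;;
    esac
fi
```

Run it first as DRY_RUN=1 ./recover.sh sysusers <domain> 5 to see the exact commands that will be issued; the ActivID scripts themselves still prompt for the ftinit credentials as described above, so the wrapper does not store any password.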

Recover the ActivID AS Administrators

If the ActivID AS administrators used to administer the ActivID AS system are blocked or deleted, the recoverAdministratorUser.sh script located in the <ACTIVID_HOME>/ActivID_AS/bin/ folder recreates the ftadmin and ftinit users in the ActivID AS database for a domain.

Prerequisites:  
  • You know the domain database password (required by the script).

  • The ActivID AS server is running and operational.

  1. As ftadmin, use the following command to recover the ActivID AS administrators:

    recoverAdministratorUser.sh -d <Domain Name>

    Where <Domain Name> is the name of the security domain.

  2. When prompted, enter the user name and password for the ftadmin administrator.

  3. When prompted, enter the user name and password for the ftinit setup user.

  4. When prompted, enter the domain database password.

Recover an ActivID AS Node

Note: This procedure assumes that you have a failover strategy for the database and HSM.

With the exception of the <ACTIVID_HOME>/ActivID_AS/config/ActivID.keystore file (the ActivID AS software keystore), the ActivID AS application installation can easily be recreated by running the setup and customizing the applications, either manually or using a customization package.

  • If ActivID AS is configured to use a software keystore for database data encryption/signing, it is critical that you always have a backup of the latest version of ActivID.keystore stored in a safe place: without it, the data in the database cannot be decrypted or verified, and the node cannot be recovered.

  • If ActivID AS is configured with an HSM, losing the keystore is less critical because ActivID.keystore then contains only the SAML IDP certificates, not the encryption/signing keys. Without a keystore backup, however, you will have to renew the SAML IDP keys and certificates and reconfigure every service provider with the new SAML IDP metadata and certificates.

To recover a node:

  1. Install and configure the ActivID AS applications (refer to the ActivID AS installation guide for your application server, available from the ActivID Customer Portal).

  2. When asked if it is the first Authentication Services installation, enter n and then enter the path of the backup of the ActivID.keystore file. Then, enter the keystore password when prompted.

  3. If necessary, apply the customization package.

  4. Start the application server.

  5. Perform the post-installation steps (refer to the ActivID AS installation guide for your application server, available from the ActivID Customer Portal).

Note: It is strongly recommended that you always have a backup of the ActivID.keystore (and its password), as well as the latest customization package.
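The backup the note above recommends, as an added example that is not part of the ActivID documentation or product: a small POSIX shell script that snapshots ActivID.keystore (and, optionally, the customization package) into a timestamped, owner-only directory with a SHA-256 manifest, and verifies a snapshot before a node is rebuilt from it. The ACTIVID_HOME default of /opt/activid, the backup directory layout and the MANIFEST file name are assumptions; keytool is the standard JDK tool and is used only to confirm that the recorded keystore password still opens the copy.

```shell
#!/bin/sh
# Added example (not ActivID product code): snapshot ActivID.keystore and the
# customization package with a SHA-256 manifest, and verify a snapshot before
# rebuilding a node from it. Paths are assumptions; ACTIVID_HOME defaults to /opt/activid.
set -eu

ACTIVID_HOME="${ACTIVID_HOME:-/opt/activid}"
KEYSTORE="$ACTIVID_HOME/ActivID_AS/config/ActivID.keystore"

# Portable SHA-256 of a file: sha256sum (Linux) or shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot <backup-root> <file>... : copy each file into a fresh timestamped directory,
# readable by the owner only, and record its digest in MANIFEST so a truncated or
# swapped copy is caught at restore time rather than when the keystore fails to open.
snapshot() {
    dest="$1/activid-backup-$(date -u +%Y%m%dT%H%M%SZ)"
    shift
    mkdir -p "$dest"
    chmod 700 "$dest"
    : > "$dest/MANIFEST"
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        cp -p "$f" "$dest/"
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$dest/MANIFEST"
    done
    chmod 600 "$dest"/*
    printf '%s\n' "$dest"
}

# verify_snapshot <dir> : recompute every digest listed in MANIFEST; non-zero if any
# file is missing or altered.
verify_snapshot() {
    dir="$1"; status=0
    while read -r want name; do
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $name" >&2; status=1; continue
        fi
        if [ "$(sha256_of "$dir/$name")" != "$want" ]; then
            echo "digest mismatch: $name" >&2; status=1
        fi
    done < "$dir/MANIFEST"
    return $status
}

# keystore_opens <keystore> <password> : confirm the recorded password still opens the
# backup (keytool ships with the JDK the application server runs on). Returns 2 when
# keytool is not installed so "not checked" is distinguishable from "wrong password".
keystore_opens() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Usage: backup-keystore.sh <backup-root> [customization-package]
if [ $# -gt 0 ]; then
    dir="$(snapshot "$1" "$KEYSTORE" ${2:+"$2"})"
    verify_snapshot "$dir" && echo "snapshot verified: $dir"
fi
```

Keep the snapshot directory and the keystore password on separate media or in separate secrets stores: the manifest proves the copy is intact, but the keystore is only useful at recovery time together with its password, and a directory that holds both is a single point of compromise.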