18.2 Using the Enhanced Configuration Export

You can export all of your certificates, trusted root files, rewriter.cfg, and all files in sys:\etc\custom to the .nas file. Sys:\etc\custom is meant for custom rewriter configuration use. The behavior of the export command is controlled by the following set export ? commands.

 syntax1: set export certificate = <no|yes|auto>
            - enables / disables the export of certificates into
              the NAS file.
                  - no  = disable
                  - yes = enable, take the certificates from the
                          backup directory
                  - auto= enable, export the certificates to the backup
                          directory first, then include them
 syntax2: set export trustedroot = <no|yes>
            - enables / disables the export of trusted roots into
              the NAS file.
                  - no  = disable
                  - yes = enable, take the trusted roots from SYS:
 syntax3: set export password = <password>
            - sets the password used to export the certificates when
              certificate = auto is enabled.
             

This password is not exported to the .nas file.

Certificates and trusted roots were not included by default in previous versions; sys:\etc\proxy\rewriter.cfg and all files in sys:\etc\custom are now included. This lets you export your entire configuration into a single file.

These settings are not available from the Proxy Administration Tool; they are stored in the .nas file itself.

IMPORTANT: If you export a .nas file from a machine that has a trusted root configured on the Access Control tab, the restored environment does not work unless that trusted root was included in the export. To prevent this, do not export current.nas until you have set export trustedroot=yes and saved it as the default setting, so that the trusted root is written into the file.

Importing an iChain 2.2 .nas File

If you import an iChain 2.2 .nas file that contains password management servlet information into an iChain 2.3 server, the password information might be lost because the SNMP files have changed. If this occurs, reboot the server.

Importing an iChain 2.3 .nas file with the same information does not lose the password information.

18.2.1 File Format

The .nas file format is shown as follows:

# iChain(r) Configuration file
#
# Build: iChain 2.3 (2.3.222d)
# Date:  Wed Dec 10 12:10:29 MST 2003
# File:  abc.nas
#
# ====================== WARNING ======================
#  This file contains security sensitive information!
#  - LDAP usernames and passwords
#  - Certificates
#  - Trusted roots
#  - IP addresses and infrastructure information
#
#      PLEASE TREAT THIS FILE WITH EXTREME CAUTION
#
# ====================== WARNING ======================
#
clear accelerator
.  
.        
.        < All kinds of settings - as before >
.
.
set export certificate=auto
set export trustedroot=on
.
.
.        < All kinds of settings - as before >
.
set prompt=$G
.
.
.        < All kinds of settings - as before > 
.
restore initialize
restore begin \etc\proxy\rewriter.cfg
restore end
#
# This section contains the Trusted roots of the iChain server
# They will be restored and automatically active.
#
restore trustedroot begin 175TR 1285 FF1A9CC1
*8G0CG205XCG273fe030YX0YY0vY0K5UY5ma9EGKDQpGiN7ODGgH1C(NLxeKY0XA8Gj069CgcK8cA4l
*8GXutj0XX05510G9Dn1wG0O623L0ah0pHJlIRdXRk9RwXRK9RFkRXCAWZH1n1FG0j623L0aA0p6lKG
*8GYIgiIbtIfJ8GU0Nj9Go9Gn9oL9nL9qn9GGGQN1jn9oG9no9Ln9tq9nGAGQ9GD8nw8GO063GLaxLY
*8G30hp2HlRIdRXkR9wRXKR9FRkXPCWIZ18nF8Gj063GLa0Ap26gIibItfHJGW2X92G0j619gYc8cgO
*8Gadct0jX0XX0504320XF10GW2X0AYW2X0X0hjO2pnpR5pjaSTW5a)tmErI)4pgnj4NoMZE5W2mhN)
*8G5ShtZS3eOy2wDaWDf)o0TOiTqkpj09hUOsrXRejhTYXJE5p5hOOXMEesXO1Hl9Giy2qZL0Qa(Z7T
*8G6QKzuBYqyuY44jY3GZrcbC(2TBDT8(eEE)rjhlRgMZHP0xlyJqhJul)UedWqemUphhd4KloHffmL
*8GdxoX03e)243AYeXIAJuc(spCeKZ7Wl6Y1QN4gohgPOQ4YQlR1BxaBMyU)rGfRn9Jjs5WD)h9jVaL
*8Ge0r9k9eIlngyMCBVP6JTNHycDlplnUZpCHEVXns2cVsZ8Ae6kc7dIMgPHD(iY2UJELhKb(ALVwtP
*8G9OO3aqPLQTc8OZVCJJCNBVIGBrI3Bza(nmY7cl9WeHwbgY03jfNndgWISB0Y30X05X3W2Y1IG16P
*8GAW2Y1kG0A623L0Tk0a30aX1XG0C623L1TZ0a58G3WWX1XG0F623L0Tp0XX00a15G03X7XV8GkC2n
*8Gh063GLT0FX0X00aa03Y0X6CG26XF06hS0cG8Xdcu8tX09a0XX0X04a25XRCG25XN0aY0X00XX0Ie
*8GCuVp2TERFsR5CPCWJJ5R3rRI9RKvAW1RKKRI9RYrRK5B8KPjf2sZReKRKm9QlBlaR5sR5CRFmkv3
*8GjR5IBEkRFsR5CPCER3FPjlRI5RmFRp9RKFRIvBlXRKKRI9RYrRK5PplR35RIKRXKRKIQpVPsnN88
*8Gk9GEReKPjGW2XL800wX0X08Ge8G60YX0XY2Xc8Ge8G60YX0XY0XA0YXT9X0wX0X08Ge8G60YXjIy
*8GF0XY2Xc8Ge8G60YX0XY0XA0YXT9Y06Y0XO0XXzV3W2X5a0GuY0XY0YY70V0YX0030j0WW0000LDX
*8Gm00000000000003940W00000000010G1OG0mY0X00YeV)V)VV)VV)VV0XX00Y0a6(G)H8G1OGMGv
*8GH0mY0X00YeV)V)VV)VV)VV0XX00Y0a6(G)L8XGuY0XY0YY70V0YX0030j0GW0000000000000G1H
*8GI00003920W00000000010G1OG0mY0X00YeV)V)VV)VV)VV0XX00Y0a5UY5naG1OG0mY0X00Yezuh
*8GpV)V)VV)VV)VV0XX00Y0a5UY5raYHEGGiY0XY0YY70V0YX0030j0dWV)VV)VV)VV)VV)VV039IuD
*8GK40W)VV)VV)VVvVG1IG0mY0X00YeV)V)VV)VV)VV0XXvVG1IG0mY0X00YeV)V)VV)VV)VV0XXw8W
*8GrvVG0j619gYc8dct0jX0X50504320XX00HLbvm6OvcVUmXAc1O5KnAqTrHIcVHB1iNibnh19i9PS
*8GseY5l6bU0kz(moySMuItkin6BdPofyqxZePj1EVUk0kVUZxPmz23XEDqInRmaZlKE7jyV7At89Dn
*8GNUAvTF9QOBjvkUdapNaXVZIWgI(fzzwXDLmkjT)NF4iwBltC8iroTkO0HjcV9CqgDVNja6lTBlNx
*8GOZca4AGM29sN6dQ1WzCS5xDW0sX)fA71YV4AEHuEz8KAJ8xQmh)Y(W65X)VabCzi3)K10VanPxEm
*8GvKbE8gFdJtuBXikGS)xty2FloG(6U606UO0X9zoObodaWB)bioyL4sQ8(FnTgepr2X77jSOYFiez
*8bwneQ)87kOhe0TZ1huqdYiZdJ492lHWB0pOmOwTHAXbi8P6lNGEbhD4m0w0ORh
restore trustedroot end
apply

18.2.2 New Commands

The .nas file has the following new commands:

restore trustedroot begin name size crc
data
.
.
.
restore trustedroot end

and

restore certificate begin name size crc
data
.
.
.
restore certificate end

Also updated is:

restore begin filename
data...**BLANK_LINE**
.
data
restore end

where **BLANK_LINE** is written in place of each blank line found in the file. This is a limitation of the parser.

The certificate and trusted root data are protected by a double CRC (cyclic redundancy check): one CRC is calculated per line and another over the entire file. If either CRC does not match, or the resulting file size does not match the declared size, the file is not restored to its original location and the old file is left in place.

A trusted root is restored to sys:\ and is available for immediate use. Certificate data is restored to the backup directory on the sys: volume and is not immediately active, so that it does not overwrite the active certificates. It can be activated either from the Certificate Maintenance tab of the Proxy Administration Tool, or by following the instructions that the .nas file itself carries when the exporting server contained a certificate:

#
# This section contains the Certificates of the iChain server.
# *.pfx files will be restored to the backup directory.
# To activate them you need to restore the certificates using
# the certificate restore option on the certificate menu.
#
# If you want to automate this process, please include the
# following commands after the last "Restore Certificate End"
# command, before the apply. (without the "#")
#
# add certificate name <name> 
# set certificate name <name> target=disk, action=restore,
#     action=<password>
#
# where <name> is the name of the certificate
# and <password> is the certificate password.
# Repeat this for every certificate in the list.
#
# WARNING: In that case, anyone can dupe your server.
#          This is a security risk!!!
#

WARNING: This is intended for automated staging or lab setups. If you use it in a production environment, you must guard the file, because it then contains everything needed to clone your iChain server.

The export password (set with set export password) is not written to the .nas file, for security reasons.

18.2.3 Using a Comment Specifier in NAS Files

A line that starts with a pound sign (#) or a semicolon (;) is a comment line and is ignored, except between a restore certificate|trustedroot begin specifier and its matching restore certificate|trustedroot end specifier, where such lines are part of the restored data.
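The following script is an added example, not part of the iChain documentation or product; it is the pre-restore audit a practitioner would want to run on a .nas file before importing it or handing it to someone. It parses the file the way sections 18.2.1 to 18.2.3 describe: "#" and ";" lines are comments only outside restore blocks, trusted-root and certificate blocks carry name, size and CRC on their begin line, and **BLANK_LINE** stands for an empty line inside a restore begin <file> block. It then flags the two things this section warns about: a file exported without trusted roots, and the unattended certificate activation that embeds the certificate password. The CRC algorithm and the *8G... data encoding are not documented here, so the script carries size and CRC as opaque values and does not verify them. The assumptions are that **BLANK_LINE** occupies a whole line and that the begin/end keywords are case-insensitive; the sample .nas text is constructed.

```python
"""Audit an iChain .nas export before restoring or sharing it (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# 'restore begin <file>', 'restore trustedroot begin <name> <size> <crc>',
# 'restore certificate begin <name> <size> <crc>'
BEGIN_RE = re.compile(
    r"^restore(?:\s+(trustedroot|certificate))?\s+begin\s+(\S+)"
    r"(?:\s+(\d+)\s+([0-9A-Fa-f]+))?\s*$", re.IGNORECASE)
END_RE = re.compile(r"^restore(?:\s+(trustedroot|certificate))?\s+end\s*$", re.IGNORECASE)
SET_EXPORT_RE = re.compile(r"^set\s+export\s+(\w+)\s*=\s*(\S+)", re.IGNORECASE)
# the automation the .nas comment block describes: activates a certificate with its password
CERT_RESTORE_RE = re.compile(
    r"^set\s+certificate\s+name\s+(\S+)\b.*\baction\s*=\s*restore\b", re.IGNORECASE)
BLANK_TOKEN = "**BLANK_LINE**"  # assumption: the marker occupies the whole line


@dataclass
class Block:
    kind: str                 # "file", "trustedroot" or "certificate"
    name: str
    size: Optional[int]       # declared size, None for 'restore begin <file>'
    crc: Optional[str]        # declared whole-file CRC, carried as printed (not verified)
    data: list = field(default_factory=list)


@dataclass
class NasReport:
    export: dict = field(default_factory=dict)   # set export <key>=<value>
    blocks: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_nas(text: str) -> NasReport:
    rep, cur = NasReport(), None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        s = line.strip()
        if cur is not None:                      # inside a restore block
            m = END_RE.match(s)
            if m:
                if (m.group(1) or "file").lower() != cur.kind:
                    rep.warnings.append(f"line {no}: '{s}' closes a {cur.kind} block")
                rep.blocks.append(cur)
                cur = None
            elif cur.kind == "file" and s == BLANK_TOKEN:
                cur.data.append("")              # parser wrote this for an empty line
            else:
                cur.data.append(line)            # '#' and ';' are data here, not comments
            continue
        if not s or s[0] in "#;":
            continue                             # comment specifier, outside blocks only
        m = BEGIN_RE.match(s)
        if m:
            cur = Block((m.group(1) or "file").lower(), m.group(2),
                        int(m.group(3)) if m.group(3) else None, m.group(4))
            continue
        m = SET_EXPORT_RE.match(s)
        if m:
            key, val = m.group(1).lower(), m.group(2).lower()
            if key == "password":
                rep.warnings.append(f"line {no}: export password must never be in a .nas file")
            rep.export[key] = val
            continue
        m = CERT_RESTORE_RE.match(s)
        if m:
            rep.warnings.append(f"line {no}: unattended restore of certificate '{m.group(1)}' "
                                "embeds its password; anyone holding this file can clone the server")
    if cur is not None:
        rep.warnings.append(f"unterminated {cur.kind} block '{cur.name}'")
    return rep


def extract_file(rep: NasReport, name: str) -> Optional[str]:
    """Content of a 'restore begin <name>' block with **BLANK_LINE** turned back into blanks."""
    for b in rep.blocks:
        if b.kind == "file" and b.name.lower() == name.lower():
            return "\n".join(b.data)
    return None


def audit(rep: NasReport) -> list:
    w = list(rep.warnings)
    if not any(b.kind == "trustedroot" for b in rep.blocks) and \
            rep.export.get("trustedroot") not in ("yes", "on"):
        w.append("no trusted roots exported: if one is configured on the Access Control tab "
                 "the restored environment will not work; set export trustedroot=yes first")
    for b in rep.blocks:
        if b.kind == "certificate":
            w.append(f"certificate '{b.name}' (size {b.size}, crc {b.crc}) is restored to the "
                     "backup directory only; activate it from Certificate Maintenance")
    return w


# Constructed sample, not a real export: the data lines are placeholders.
SAMPLE_NAS = r"""# iChain(r) Configuration file  (constructed sample)
#
clear accelerator
set export certificate=auto
set export trustedroot=yes
; semicolon comment lines are ignored outside restore blocks
set prompt=$G
restore initialize
restore begin \etc\proxy\rewriter.cfg
# inside a block this line is data, not a comment
[Rewriter]
**BLANK_LINE**
;so is this one
restore end
restore trustedroot begin labroot 64 0A1B2C3D
*8GconstructedTrustedRootLine1
*8GconstructedTrustedRootLine2
restore trustedroot end
restore certificate begin websrv 2048 0BADF00D
*8GconstructedCertificateLine1
restore certificate end
add certificate name websrv
set certificate name websrv target=disk, action=restore, action=hunter2
apply
"""

if __name__ == "__main__":
    rep = parse_nas(SAMPLE_NAS)
    print("export settings:", rep.export)
    for b in rep.blocks:
        print(f"{b.kind:12} {b.name:26} size={b.size} crc={b.crc} lines={len(b.data)}")
    print(extract_file(rep, r"\etc\proxy\rewriter.cfg"))
    for msg in audit(rep):
        print("WARNING:", msg)
```

Run it against a real export and treat every warning as a reason not to ship the file: a .nas containing an action=restore line is, as the file header says, enough to clone the server, and one exported with trustedroot=no from a server that relies on a trusted root will not restore cleanly.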