Schedule Automatic VCSA Backups

Whilist evaluating the backup and restore methods for a 6.5 deployment, I came across the PowerShell functions Brian Graf put together to backup perform a file based backup of the VCSA via the new VAMI RESTful API. Thanks Brian!

Grab the script here: https://github.com/vmware/PowerCLI-Example-Scripts/tree/master/Modules/Backup-VCSA

After some initial testing in the lab, the script worked a treat. Logically for me the next step was to schedule the script to run from a management server. If you’ve seen the script, you would ahve noticed that the password needs to be stored in a variable, as a specifc format as Brian had called out. For me this wasn’t going to work, the secuirty folk would have beat me across the head if I had passwords written in plain text within the script. Having used the New-VICredentialStoreItem command in the past to save the credentials, I figured there should be a way to do something similar with the password variables in the script. After some google-fu, here is what I put together to get it working.

Firstly, we need to setup a couple things before running the script:

The script requires you to authenticate against the VAMI for the VCSA (or the PSC) using the SSO domain credentails, so saving these credentials is first. Luckily enough there is a PowerCLI commandlet that will do this for us. It is as simple as below:

Connect-CisServer 10.1.1.120 -User "administrator@vsphere.local" -Password "bla" -SaveCredentials

The important thing to note here is that this should be run in the context of the account that you wish to run the scheduled task under.

Next we need to create two encrypted files containing the passwords, one for the backup encryption password and the other for the backup target. This can be done with the below command:

“YourSuperSecretPassword" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File "D:\ScriptsBackupVCSA.vma” 

Ok, so we have our encrypted passwords. As mentioned before, we now need to pull these into variables in the script so that we can make utilize Brian’s backup function.

For the backup target location, I am using the vMA I had available in the environment. Here is how we pull in that credential into a variable.

$getVmaPass = Get-Content “D:ScriptsBackupVCSA.vma”

Next we need to convert the varaible to a secure string format:

$SecurePassword = ConvertTo-SecureString $getVmaPass

Now we decrypt it into plain text:

$BSTR =[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
$LocationPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

Now if you run $LocationPassword in your PowerCLI session, you will see your password stored as a string. Now as Brian calls out, the API needs it in a particular format, which is “VMware.VimAutomation.Cis.Core.Types.V1.Secret”.

I have just added Out-Null to the end of the line so that the password is not spat into the PowerCLI output / transcript.
[VMware.VimAutomation.Cis.Core.Types.V1.Secret]$LocationPassword ” Out-Null
Now we just repeat the same script, but changing the variables to pull in the backup encruption password:

$getBackupPass = Get-Content "D:ScriptsBackupVCSA.bu"
$SecurePassword = ConvertTo-SecureString $getBackupPass
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
$BackupPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
[VMware.VimAutomation.Cis.Core.Types.V1.Secret]$BackupPassword | Out-Null

We now have our two variables that we can now pass through to make our API call. Please note that this wont stop anyone from who knows what theyre doing to decrpt the files, however its better than keeping the variables in plain text.

Below is the entire script all put together which you can place into a scheduled task. You can use this on an external PSC also, you just need to change he backup type from -FullBackup to -CommonBackup.

<#
.SYNOPSIS

  Perform Backup of the VMware Vitual Center Server Appliance

.DESCRIPTION

  Performs a file based backup of the VCSA or External PSC
  This script utilizes the Backup-VCSA module found here:
  https://github.com/vmware/PowerCLI-Example-Scripts/tree/master/Modules/Backup-VCSA

Assumptions:
  BackupVCSA module has been placed in the appropriate modules directory
  SSO Credentials for the appliance have been saved in the context of the acccount that is running the script:
  "Connect-CisServer 10.1.1.120  -User "administrator@vsphere.local" -Password "bla" -SaveCredentials"
  Passwords for backup and appliance have been stored as secure string to file using:
  "secret" " ConvertTo-SecureString -AsPlainText -Force  ConvertFrom-SecureString " Out-File "D:\some\dir\secret.file"

.PARAMETER none
.INPUTS none
.OUTPUTS

  Backup files will be stored on the vMA:
  vma01:/workspace/backups/vcsa/vcsa-yyyy-MM-dd-hh-mm

.NOTES

  Version:        1.0

  Author:        vKARPS

  Creation Date:  26/10/17

.EXAMPLE

  ./BackupVCSA_prd.ps1

#>

#Start Transcript
Start-Transcript -path  D:\Scripts\BackupVCSA_prd.log -Force

#Connect to VAMI on VCSA
Connect-CisServer 10.1.1.120

#Get credential for vMA
$getVmaPass = Get-Content "D:\Scripts\BackupVCSA_prd.vma"
$SecurePassword = ConvertTo-SecureString $getVmaPass
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
$LocationPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
[VMware.VimAutomation.Cis.Core.Types.V1.Secret]$LocationPassword | Out-Null

#Get Credential for Backup
$getBackupPass = Get-Content "D:\Scripts\BackupVCSA_prd.bu"
$SecurePassword = ConvertTo-SecureString $getBackupPass
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
$BackupPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
[VMware.VimAutomation.Cis.Core.Types.V1.Secret]$BackupPassword | Out-Null

#Set Comment for the backup
$Comment = "VCSA Backup $((Get-Date).ToString('yyyy-MM-dd-hh-mm'))"

#Setup Backup Target
$LocationType = "SCP"
$location = "10.1.1.100/workspace/backups/vcsa/vcsa-$((Get-Date).ToString('yyyy-MM-dd-hh-mm'))"
$LocationUser = "vi-admin"

#Initiate backup -CommonBackup is configuration only as PSC does not contain performance statistics
Backup-VCSAToFile -BackupPassword $BackupPassword -LocationType $LocationType -Location $location -LocationUser $LocationUser -LocationPassword $LocationPassword -Comment $Comment -ShowProgress -FullBackup

#Set variables to 0
$getVmaPass, $getBackupPass,$SecurePassword,$BSTR,$BackupPassword,$LocationPassword,$LocationType,$location,$LocationUser,$Comment = 0

#Disconnect from VAMI
Disconnect-cisserver -confirm:$false
Stop-Transcript

Ive noticed a little bug with the editor I am using, the ” (pipe) between commandlets it being switched to a ” in the code. I will look at fixing this later in the week. I should really get around to setting up a GitHub account hey…

If youre reading this and cringing and know a better way (especially in storing the passwords), please get in touch as I would be keen to learn something from you.

Anyway, hope you find this helpful.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s