Whilist evaluating the backup and restore methods for a 6.5 deployment, I came across the PowerShell functions Brian Graf put together to backup perform a file based backup of the VCSA via the new VAMI RESTful API. Thanks Brian!
Grab the script here: https://github.com/vmware/PowerCLI-Example-Scripts/tree/master/Modules/Backup-VCSA
After some initial testing in the lab, the script worked a treat. Logically for me the next step was to schedule the script to run from a management server. If you’ve seen the script, you would ahve noticed that the password needs to be stored in a variable, as a specifc format as Brian had called out. For me this wasn’t going to work, the secuirty folk would have beat me across the head if I had passwords written in plain text within the script. Having used the New-VICredentialStoreItem command in the past to save the credentials, I figured there should be a way to do something similar with the password variables in the script. After some google-fu, here is what I put together to get it working.
Firstly, we need to setup a couple things before running the script:
The script requires you to authenticate against the VAMI for the VCSA (or the PSC) using the SSO domain credentails, so saving these credentials is first. Luckily enough there is a PowerCLI commandlet that will do this for us. It is as simple as below:
Connect-CisServer 10.1.1.120 -User "email@example.com" -Password "bla" -SaveCredentials
The important thing to note here is that this should be run in the context of the account that you wish to run the scheduled task under.
Next we need to create two encrypted files containing the passwords, one for the backup encryption password and the other for the backup target. This can be done with the below command:
“YourSuperSecretPassword" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File "D:\ScriptsBackupVCSA.vma”
Ok, so we have our encrypted passwords. As mentioned before, we now need to pull these into variables in the script so that we can make utilize Brian’s backup function.
For the backup target location, I am using the vMA I had available in the environment. Here is how we pull in that credential into a variable.
$getVmaPass = Get-Content “D:ScriptsBackupVCSA.vma”
Next we need to convert the varaible to a secure string format:
$SecurePassword = ConvertTo-SecureString $getVmaPass
Now we decrypt it into plain text:
$BSTR =[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword) $LocationPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
Now if you run $LocationPassword in your PowerCLI session, you will see your password stored as a string. Now as Brian calls out, the API needs it in a particular format, which is “VMware.VimAutomation.Cis.Core.Types.V1.Secret”.
I have just added Out-Null to the end of the line so that the password is not spat into the PowerCLI output / transcript.
[VMware.VimAutomation.Cis.Core.Types.V1.Secret]$LocationPassword ” Out-Null
Now we just repeat the same script, but changing the variables to pull in the backup encruption password:
$getBackupPass = Get-Content "D:ScriptsBackupVCSA.bu" $SecurePassword = ConvertTo-SecureString $getBackupPass $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword) $BackupPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) [VMware.VimAutomation.Cis.Core.Types.V1.Secret]$BackupPassword | Out-Null
We now have our two variables that we can now pass through to make our API call. Please note that this wont stop anyone from who knows what theyre doing to decrpt the files, however its better than keeping the variables in plain text.
Below is the entire script all put together which you can place into a scheduled task. You can use this on an external PSC also, you just need to change he backup type from -FullBackup to -CommonBackup.
<# .SYNOPSIS Perform Backup of the VMware Vitual Center Server Appliance .DESCRIPTION Performs a file based backup of the VCSA or External PSC This script utilizes the Backup-VCSA module found here: https://github.com/vmware/PowerCLI-Example-Scripts/tree/master/Modules/Backup-VCSA Assumptions: BackupVCSA module has been placed in the appropriate modules directory SSO Credentials for the appliance have been saved in the context of the acccount that is running the script: "Connect-CisServer 10.1.1.120 -User "firstname.lastname@example.org" -Password "bla" -SaveCredentials" Passwords for backup and appliance have been stored as secure string to file using: "secret" " ConvertTo-SecureString -AsPlainText -Force ConvertFrom-SecureString " Out-File "D:\some\dir\secret.file" .PARAMETER none .INPUTS none .OUTPUTS Backup files will be stored on the vMA: vma01:/workspace/backups/vcsa/vcsa-yyyy-MM-dd-hh-mm .NOTES Version: 1.0 Author: vKARPS Creation Date: 26/10/17 .EXAMPLE ./BackupVCSA_prd.ps1 #> #Start Transcript Start-Transcript -path D:\Scripts\BackupVCSA_prd.log -Force #Connect to VAMI on VCSA Connect-CisServer 10.1.1.120 #Get credential for vMA $getVmaPass = Get-Content "D:\Scripts\BackupVCSA_prd.vma" $SecurePassword = ConvertTo-SecureString $getVmaPass $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword) $LocationPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) [VMware.VimAutomation.Cis.Core.Types.V1.Secret]$LocationPassword | Out-Null #Get Credential for Backup $getBackupPass = Get-Content "D:\Scripts\BackupVCSA_prd.bu" $SecurePassword = ConvertTo-SecureString $getBackupPass $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword) $BackupPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) [VMware.VimAutomation.Cis.Core.Types.V1.Secret]$BackupPassword | Out-Null #Set Comment for the backup $Comment = "VCSA Backup $((Get-Date).ToString('yyyy-MM-dd-hh-mm'))" #Setup Backup Target $LocationType = "SCP" $location = "10.1.1.100/workspace/backups/vcsa/vcsa-$((Get-Date).ToString('yyyy-MM-dd-hh-mm'))" $LocationUser = "vi-admin" #Initiate backup -CommonBackup is configuration only as PSC does not contain performance statistics Backup-VCSAToFile -BackupPassword $BackupPassword -LocationType $LocationType -Location $location -LocationUser $LocationUser -LocationPassword $LocationPassword -Comment $Comment -ShowProgress -FullBackup #Set variables to 0 $getVmaPass, $getBackupPass,$SecurePassword,$BSTR,$BackupPassword,$LocationPassword,$LocationType,$location,$LocationUser,$Comment = 0 #Disconnect from VAMI Disconnect-cisserver -confirm:$false Stop-Transcript
Ive noticed a little bug with the editor I am using, the ” (pipe) between commandlets it being switched to a ” in the code. I will look at fixing this later in the week. I should really get around to setting up a GitHub account hey…
If youre reading this and cringing and know a better way (especially in storing the passwords), please get in touch as I would be keen to learn something from you.
Anyway, hope you find this helpful.