Web Restore is a web-based service that allows users to browse, select and restore data backed up to cloud storage.
If you are using Acronis Cloud, the Web Restore service is provided to your end users by Acronis. If you use Acronis Storage Gateway, you have two options for offering Web Restore to your end users: either open inbound access on TCP port 44445 from Acronis Cyber Protect Cloud to Acronis Storage Gateway, or install Web Restore on a dedicated server and register it in your Acronis Cyber Protect Cloud environment. We recommend a dedicated Web Restore server, because with the first option the restored data is transferred from the storage to the end user through Acronis Cyber Protect Cloud. This article describes the installation of Web Restore.
Preparing for installation
1. You can install the Web Restore service on the machine hosting Acronis Storage Gateway, or prepare a dedicated physical or virtual machine that meets the following hardware and software requirements:
- Latest CentOS 7 for x86_64
- 12+ GB of RAM
- 100+ GB of free disk space for /tmp
2. Configure hostname:
hostnamectl set-hostname serverhostname.com
Check configuration:
hostname
hostname --ip-address
ping -c 3 $HOSTNAME
If ping $HOSTNAME does not work, add the host name to /etc/hosts, or fix DNS resolution (/etc/resolv.conf) so that the name resolves to the server's address.
3. Make sure the system locale is en_US.UTF-8 by issuing:
locale
The following output indicates that the locale is en_US.UTF-8:
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
Otherwise set the locale to en_US.UTF-8 and reboot:
echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
reboot
An incorrect locale breaks the handling of Unicode strings (such as non-ASCII file names) in archive-reader.
4. Set OS Time Zone to UTC by issuing:
rm -rf /etc/localtime && ln -s /usr/share/zoneinfo/UTC /etc/localtime
Synchronize time by issuing:
yum -y install ntpdate
ntpdate pool.ntp.org
Note: ntpdate only adjusts the clock once; install ntpd to keep time synchronized automatically.
Check time and Time Zone:
date
Output should be like:
Wed Jan 4 12:10:22 UTC 2017
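The checks in the steps above (host name resolution, locale, time zone) are easy to get wrong on a freshly provisioned machine and only show up later as odd archive-reader behaviour. The following preflight script is an added example, not part of the Acronis package: the parsers take the command output as an argument, so they can be exercised on captured text, and preflight() wires them to the live system and fails if anything still needs fixing. The ping -W option assumes a Linux ping.

```shell
#!/bin/sh
# Preflight checks for a Web Restore host (added example, not part of the
# Acronis package). check_*_output functions parse captured command output;
# preflight() runs them against the live system and returns non-zero if
# anything needs fixing, so it can gate an automated installation.

WANT_LOCALE="en_US.UTF-8"

# check_locale_output TEXT: TEXT is the output of `locale`. Every LANG/LC_*
# variable must be en_US.UTF-8 (quotes are ignored). LC_ALL may be empty,
# but if it is set it overrides everything else and must match too.
check_locale_output() {
    wrong=$(printf '%s\n' "$1" | tr -d '"' | awk -F= -v want="$WANT_LOCALE" '
        $1 == "LC_ALL" && $2 == "" { next }   # unset LC_ALL is fine
        $2 != want { print $1 "=" $2 }')
    if [ -n "$wrong" ]; then
        printf 'locale is not %s:\n%s\n' "$WANT_LOCALE" "$wrong"
        return 1
    fi
    return 0
}

# check_date_output TEXT: TEXT is the output of `date`, for example
# "Wed Jan 4 12:10:22 UTC 2017"; the fifth field (the zone) must be UTC.
check_date_output() {
    zone=$(printf '%s\n' "$1" | awk '{ print $5 }')
    if [ "$zone" != "UTC" ]; then
        echo "time zone is '$zone', expected UTC"
        return 1
    fi
    return 0
}

# check_hostname: the configured name must resolve to an address and answer
# a ping, which is what the manual check in step 2 verifies.
check_hostname() {
    name=$(hostname)
    if ! ip=$(hostname --ip-address 2>/dev/null); then
        echo "$name does not resolve; add it to /etc/hosts or fix DNS"
        return 1
    fi
    case "$ip" in
        127.*) echo "warning: $name resolves to loopback address $ip" ;;
    esac
    if ! ping -c 1 -W 2 "$name" >/dev/null 2>&1; then
        echo "ping $name failed"
        return 1
    fi
    return 0
}

# preflight: run every check and report all failures, not just the first.
preflight() {
    rc=0
    check_locale_output "$(locale 2>/dev/null)" || rc=1
    check_date_output "$(date)"                 || rc=1
    check_hostname                              || rc=1
    [ "$rc" -eq 0 ] && echo "preflight OK"
    return $rc
}
```

Run preflight after the reboot in step 3; a non-zero exit status means one of the prerequisites is still not met, and the message names which one.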
Installing Web Restore
1. Install the repository package:
rpm -U http://dl.acronis.com/u/cloud/repositories/web-restore/wbr-repo-1.0.0-RE...
The repository package is fetched over plain HTTP, so before installing anything from it, check the repository definition it drops into /etc/yum.repos.d/ (baseurl, gpgcheck and gpgkey) and make sure package signature checking is enabled.
2. Install OpenJDK 1.8:
yum install -y java-1.8.0
alternatives --auto java
Verify installation:
/usr/bin/java -version
Output should be like:
openjdk version "1.8.0_111"
OpenJDK Runtime Environment (build 1.8.0_111-b15)
OpenJDK 64-Bit Server VM (build 25.111-b15, mixed mode)
3. Install archive reader:
3.1 Clean yum cache to get latest packages versions
yum clean all
3.2 Install the latest version:
yum install -y archive-reader-installer
Install a specific version:
yum install -y archive-reader-installer-<version>
For example:
yum install -y archive-reader-installer-7.0-401
3.3. Verify installation:
/usr/bin/archive-reader --version
/usr/bin/storage-proxy --version
4. Install Web Restore package:
4.1. Clean yum cache to get the latest package version:
yum clean all
4.2. Install the latest version:
yum install -y wbr-msp
4.3. Install a specific version:
yum install -y wbr-msp-<version>
For example:
yum install -y wbr-msp-6.0.406
In this case the package manager keeps your existing configuration files as *.rpm.save files; compare them with the newly installed ones and manually rename or replace them so that your settings are preserved.
4.4. Verify installation:
cat /opt/wbr/version.txt
5. Configure Web Restore:
5.1. Add or change RPC address in the rpc.service.url parameter in /opt/wbr/application-msp-prod.properties:
nano /opt/wbr/application-msp-prod.properties
For example:
rpc.service.url=https://baas.acronis.com/api/1/rpc
5.2. Optionally, you can change Java heap memory limit (JAVA_OPTS) in /opt/wbr/wbr.conf:
nano /opt/wbr/wbr.conf
For example, set 2048Mb:
JAVA_OPTS='-Xmx2048m ...
Note: A very low -Xmx value leads to a Java OutOfMemoryError under heavy load.
5.3. Optionally, you can change Web Restore context (server.context-path=/wr):
nano /opt/wbr/application-msp-prod.properties
# http://<hostname>:8080/wr
server.context-path=/wr
#
# or, http://<hostname>:8080/
server.context-path=
After changing this configuration, restart Web Restore service to apply changes:
systemctl restart wbr
6. Configure the firewall.
If Web Restore must be reachable from outside your network, open the Web Restore port (8080 by default).
Configuring iptables (service iptables save requires the iptables-services package on CentOS 7):
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
service iptables save
service iptables restart
Configuring FirewallD:
yum install firewalld
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload
Note: Web Restore itself serves plain, unencrypted HTTP on this port, so credentials and restored data would cross the network in clear text. Do not expose port 8080 directly to untrusted networks: put a TLS-terminating web proxy in front of it, as described in "Integrating Web Restore with a web proxy" below, and then restrict port 8080 to the proxy.
7. Verify configuration:
If you have opened port 8080 and use the default context, open Web Restore at:
http://<hostname>:8080/wr
where <hostname> is the IP address or host name of the server on which Web Restore is installed, and /wr is the default context (which you can change).
Installing Notary
Acronis Notary proves that a file is authentic and has not changed since it was backed up. We recommend this type of backup for legal documents or any other files that require proof of authenticity. Acronis Notary saves fingerprints (hash codes) of the backed-up files in the Ethereum blockchain, using Chainstack as a managed provider of Ethereum nodes. Once a hash is recorded in the blockchain it cannot be changed, so at any time you can verify that the backup content has not been tampered with.
1. Open application-msp-prod.properties:
nano /opt/wbr/application-msp-prod.properties
2. Set notary.enabled value to true:
notary.enabled=true
3. If need be, add the notary.certificate.signee parameter. Its value is displayed in the Signee field on the certificate page.
notary.certificate.signee=companyname
4. Restart Web Restore to apply the changes:
systemctl restart wbr
Example of the resulting Notary section in application-msp-prod.properties (the service URL and API key shown are illustrative; use the values provided for your installation):
# Notary ----------------------------------------------------------------------
notary.enabled=true
notary.service.url=https://notary-preview.acronis.com
notary.display.domain=notary-preview.acronis.com
notary.api.key=AbD9D958b0B2AA86Adcec85803Ed30B3
notary.certificate.signee=Acronis Notary
# -----------------------------------------------------------------------------
Installing ASign and Public Links
ASign is a service that allows multiple people to sign a file electronically. The Public links service allows users to provide direct links to a file in a cloud backup.
1. Generate the public link AES key.
The key is 16 bytes (128 bits) of random data, used as an AES-128 key:
mkdir -p /etc/pki/tls/certs/ass
dd if=/dev/urandom of=/etc/pki/tls/certs/ass/public-link.key bs=16 count=1
chown wbr:wbr /etc/pki/tls/certs/ass/public-link.key
chmod 640 /etc/pki/tls/certs/ass/public-link.key
Only the wbr service user (and its group) needs to read the key; do not make it readable or writable by other accounts.
Note: Back up public-link.key to separate physical storage. If the key is changed or lost, every public link stored in the database becomes invalid.
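Because every public link depends on this one 16-byte key, the two things that go wrong in practice are a key of the wrong length (a truncated copy or a short read) and a backup that was never verified. The script below is an added example, not part of the Acronis package: it creates the key with restrictive permissions, refuses to overwrite an existing one, checks its length and mode, and verifies the backup copy by SHA-256 digest. It assumes the wbr service runs as the wbr user (so 640 ownership by wbr:wbr is enough) and that the backup medium is mounted at the hypothetical path /mnt/keybackup.

```shell
#!/bin/sh
# Creating and safeguarding the public-link AES key (added example, not part
# of the Acronis package). Assumes the wbr service runs as user wbr, so the
# key is owned by wbr:wbr with mode 640. A wrong-length key does not fail
# loudly; it silently breaks every public link, so the length is verified.

KEY_BYTES=16   # AES-128

# make_public_link_key PATH: create the key with restrictive permissions.
# Refuses to overwrite an existing key, because replacing it invalidates
# every public link already stored in the database.
make_public_link_key() {
    key="$1"
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key $key" >&2
        return 1
    fi
    mkdir -p "$(dirname "$key")" || return 1
    # umask 077 so the file is never world-readable, not even briefly
    (umask 077 && dd if=/dev/urandom of="$key" bs=$KEY_BYTES count=1 2>/dev/null) || return 1
    # chown only applies on the real host, where the wbr account exists
    if [ "$(id -u)" -eq 0 ] && id wbr >/dev/null 2>&1; then
        chown wbr:wbr "$key" || return 1
    fi
    chmod 640 "$key" || return 1
    verify_public_link_key "$key"
}

# verify_public_link_key PATH: exactly 16 bytes and not readable by others.
verify_public_link_key() {
    key="$1"
    size=$(wc -c < "$key" | tr -d ' ')
    if [ "$size" -ne "$KEY_BYTES" ]; then
        echo "$key is $size bytes, expected $KEY_BYTES" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|640|400) return 0 ;;
        *) echo "$key has mode $mode, expected 640 or stricter" >&2; return 1 ;;
    esac
}

# backup_public_link_key PATH DEST_DIR: copy the key to the separate backup
# location and prove the copy is byte-identical before trusting it.
backup_public_link_key() {
    key="$1"; dest="$2/public-link.key"
    mkdir -p "$2" && chmod 700 "$2" || return 1
    (umask 077 && cp "$key" "$dest") || return 1
    verify_key_backup "$key" "$dest"
}

# verify_key_backup ORIGINAL COPY: compare SHA-256 digests of both files.
verify_key_backup() {
    a=$(sha256sum < "$1" | cut -d' ' -f1)
    b=$(sha256sum < "$2" | cut -d' ' -f1)
    if [ "$a" != "$b" ]; then
        echo "backup $2 does not match $1" >&2
        return 1
    fi
    return 0
}

# On the Web Restore host (as root), with the backup medium mounted at the
# hypothetical path /mnt/keybackup:
#   make_public_link_key /etc/pki/tls/certs/ass/public-link.key \
#     && backup_public_link_key /etc/pki/tls/certs/ass/public-link.key /mnt/keybackup
```

Re-run verify_key_backup against the backup medium whenever the Web Restore server is rebuilt; a key restored from a backup that does not match the digest of the original is worth nothing.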
2. Install a MySQL-compatible database server (MariaDB, MySQL or Percona Server). The example below uses MariaDB:
2.1. Add the stable MariaDB repository:
nano /etc/yum.repos.d/MariaDB.repo
# MariaDB 10.1 CentOS repository list - created 2017-02-14 13:01 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
2.2. Import MariaDB Signing Key:
rpm --import https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
2.3. Install MariaDB:
yum clean all
yum install -y MariaDB-server MariaDB-client
2.4. Run MariaDB:
systemctl start mariadb
systemctl enable mariadb
2.5. Verify installation:
systemctl status mariadb
3. Configure database server
3.1. Open the configuration file:
nano /etc/my.cnf
3.2. Add mysqld section:
[mysqld]
max_connections=1024
default-time-zone='+00:00'
character-set-server=utf8
collation-server=utf8_bin
init-connect='SET NAMES utf8'
max_allowed_packet=256M
3.3. Apply changes:
systemctl restart mariadb
3.4. Verify configuration:
mysql
SHOW VARIABLES LIKE 'time_zone';
SHOW VARIABLES LIKE 'max_connections';
4. Create the databases and tables:
mysql
CREATE DATABASE IF NOT EXISTS webrestore_sharings DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
CREATE DATABASE IF NOT EXISTS webrestore_logs DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
CREATE TABLE IF NOT EXISTS webrestore_sharings.PUBLIC_LINK (
ID INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY
,SUBACCOUNT_ID BIGINT
,MIGRATION_ID INTEGER NULL
,USER_ID BIGINT NOT NULL
,BOX_NAME VARCHAR(256) NOT NULL
,BOX_DISPLAY_NAME VARCHAR(256) NOT NULL
,PATH VARCHAR(1000) NOT NULL
,ENCRYPTION_KEY VARCHAR(1000)
,PUBLISH_DATE TIMESTAMP NOT NULL
,SUBSCRIPTION_MODE INTEGER NOT NULL
,STATUS INTEGER NOT NULL
,STORAGE_ADDRESS VARCHAR(1000) NOT NULL
,DATACENTER_ID BIGINT
,ACCESS_TOKEN VARCHAR(1000)
,MACHINE_ID VARCHAR(128)
,BRAND_ID BIGINT
,CONTENT_VERSION VARCHAR(64),
INDEX USER_ID_INDEX (USER_ID),
INDEX BRAND_ID_INDEX (BRAND_ID)
) DEFAULT CHARSET = UTF8
DEFAULT COLLATE = utf8_general_ci;
CREATE TABLE IF NOT EXISTS webrestore_logs.PUBLIC_LINK_HIT (
ID INTEGER NOT NULL
,HIT_COUNT INTEGER NOT NULL
) DEFAULT CHARSET = UTF8
DEFAULT COLLATE = utf8_bin;
5. Add a database user:
Note: replace "user_name" and "user_password" with your own values, and use a long random password. The "%" and "%.%.%.%" host patterns allow this account to connect from any host; when the database runs on the Web Restore machine itself (the datasource URLs in step 6 point to 127.0.0.1), create only the "localhost" user and skip the other two. WITH GRANT OPTION lets the account hand its privileges to other users, which Web Restore does not need, so it can be omitted.
mysql
CREATE USER "user_name"@"%" IDENTIFIED BY "user_password";
CREATE USER "user_name"@"%.%.%.%" IDENTIFIED BY "user_password";
CREATE USER "user_name"@"localhost" IDENTIFIED BY "user_password";
GRANT ALL PRIVILEGES ON webrestore_sharings.* TO "user_name"@"%.%.%.%" IDENTIFIED BY "user_password" WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON webrestore_sharings.* TO "user_name"@"localhost" IDENTIFIED BY "user_password" WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON webrestore_logs.* TO "user_name"@"%.%.%.%" IDENTIFIED BY "user_password" WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON webrestore_logs.* TO "user_name"@"localhost" IDENTIFIED BY "user_password" WITH GRANT OPTION;
FLUSH PRIVILEGES;
6. Configure Web Restore: edit the "Data Base Configuration" and "Esign service" sections of application-msp-prod.properties.
6.1. Open application-msp-prod.properties:
nano /opt/wbr/application-msp-prod.properties
6.2. Make sure that 'esign.enabled' is set to 'true':
esign.enabled=true
6.3. Uncomment (remove the leading '#') all 'datasource.*' properties and set '*.username' and '*.password' to the database account created in step 5. The file then holds the database password in clear text, so make sure it is not world-readable:
# Data Base Configuration -----------------------------------------------------
datasource.common.url=jdbc:mysql://127.0.0.1/webrestore_sharings?autoReconnect=true&connectionCollation=utf8_general_ci&characterEncoding=utf8
datasource.common.username=user_name
datasource.common.password=user_password
...
datasource.link.url=jdbc:mysql://127.0.0.1/webrestore_logs?autoReconnect=true&connectionCollation=utf8_general_ci&characterEncoding=utf8
datasource.link.username=user_name
datasource.link.password=user_password
...
# -----------------------------------------------------------------------------
6.4. Restart Web Restore to apply the changes:
systemctl restart wbr
6.5. Set up regular backups of the webrestore_sharings and webrestore_logs databases (for example with mysqldump) and keep them together with a copy of public-link.key: the public links cannot be restored from one without the other.
Integrating Web Restore with a web proxy
To secure data transfer between Web Restore and client software, configure a front-end server that works as a TLS-terminating web proxy in front of it.
The following is an example of the Nginx web server configuration.
Prerequisites
Nginx is installed as described on the official product page at http://wiki.nginx.org/Install. The steps below were tested with that default installation only; an existing nginx installation, or one obtained from other sources, may require additional configuration to work with the Web Restore service.
Integration process
To integrate Web Restore with a Nginx web server:
1. Configure Nginx to accept requests on the standard ports 80 (HTTP) and 443 (HTTPS) and forward them to Web Restore on port 8080.
2. Create file proxy_settings in directory /etc/nginx.
3. Create file ssl_settings in directory /etc/nginx.
4. Create file error_page in directory /etc/nginx.
5. Remove the default configuration files (*.conf) from directory /etc/nginx/conf.d/.
6. Create the configuration file webrestore.conf in directory /etc/nginx/conf.d/.
In the #placeholder section, replace <WEB_RESTORE_IP_ADDRESS> with the IP address of the machine where Web Restore is installed. If the front-end server is installed on the same machine as Web Restore, specify 127.0.0.1.
7. Put the Web Restore certificate and certificate key files to the directory defined under ssl_certificate and ssl_certificate_key in file webrestore.conf (see above). In our example, the directory is /etc/web-certs/.
Both the certificate and its private key can be created with the openssl utility. A self-signed certificate is enough for testing; for production use a certificate issued by a CA your users trust, otherwise browsers warn on every visit.
a. Generate a 2048-bit RSA private key and restrict access to it:
openssl genrsa -out webrestore.key 2048
chmod 600 webrestore.key
b. Generate a self-signed certificate from the key (the default validity is only 30 days, so set -days explicitly, and use the public host name of the front-end server as the Common Name when prompted):
openssl req -new -x509 -key webrestore.key -days 365 -out webrestore.crt
For more details about OpenSSL, refer to the official documentation at https://www.openssl.org/docs/
8. Make sure that Nginx can read and apply the settings from the configuration file webrestore.conf. The file /etc/nginx/nginx.conf must include the following record:
http {
include /etc/nginx/conf.d/*.conf;
}
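Steps 2 to 8 name the files to create but not their contents. The script below is an added example, not an Acronis-supplied configuration: it writes a single webrestore.conf that redirects port 80 to HTTPS, terminates TLS on 443 with the certificate pair from step 7, and proxies to Web Restore. Every directive is this example's choice. It assumes Web Restore listens on port 8080 under the default /wr context, that the certificate files are /etc/web-certs/webrestore.crt and /etc/web-certs/webrestore.key, and that nginx.conf includes conf.d/*.conf as shown in step 8; the X-Forwarded-Proto header is set on the assumption that the application uses it to build https links.

```shell
#!/bin/sh
# Writes an nginx front-end configuration for Web Restore (added example;
# the directives are this example's choice, not an Acronis-supplied file).
# Assumptions: Web Restore on <backend>:8080 under /wr, certificate pair in
# /etc/web-certs/, nginx.conf includes /etc/nginx/conf.d/*.conf.

# write_webrestore_conf BACKEND_IP OUT_FILE
write_webrestore_conf() {
    backend="$1"; out="$2"
    cat > "$out" <<EOF
# Port 80 only redirects; no application traffic is served in clear text.
server {
    listen 80;
    server_name _;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name _;

    ssl_certificate     /etc/web-certs/webrestore.crt;
    ssl_certificate_key /etc/web-certs/webrestore.key;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Web Restore itself speaks plain HTTP; keep that hop on loopback or a
    # private network only, and tell the application the original scheme.
    location / {
        proxy_pass         http://${backend}:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host              \$host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        # rewrite any absolute http:// Location header the backend returns
        proxy_redirect     http:// https://;
        # restores can be large and slow; do not spool them to disk
        proxy_buffering    off;
        proxy_read_timeout 600s;
    }
}
EOF
}

# validate_nginx_conf: nginx -t checks the syntax and that the certificate
# files referenced above exist and are readable.
validate_nginx_conf() {
    if ! command -v nginx >/dev/null 2>&1; then
        echo "nginx is not installed" >&2
        return 1
    fi
    nginx -t
}

# On the front-end server (as root), with the backend address from step 6:
#   write_webrestore_conf 127.0.0.1 /etc/nginx/conf.d/webrestore.conf \
#     && validate_nginx_conf && systemctl reload nginx
```

If the front end runs on a separate machine, replace 127.0.0.1 with the Web Restore address and make sure the 8080 hop between the two machines is on a private network; the backend connection is still plain HTTP.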
9. Restart Nginx for the changes to take effect and enable it to start at boot:
systemctl restart nginx.service
systemctl enable nginx.service
10. Configure TCP ports: allow port 8080 only for localhost requests, and open ports 443 and 80 on all interfaces.
a. Using iptables. Each -I inserts at the top of the chain, so issue the commands in exactly this order: the loopback ACCEPT for 8080 ends up above the DROP, and both end up above the 8080 ACCEPT added during installation (service iptables save requires the iptables-services package):
iptables -I INPUT -p tcp --dport 8080 -j DROP
iptables -I INPUT -i lo -p tcp --dport 8080 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
service iptables save
service iptables restart
b. Using firewalld. Direct rules with the same priority are not guaranteed to keep the order in which they were added, so the loopback ACCEPT gets priority 0 and the DROP priority 1, which places the DROP after it:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i lo -p tcp --dport 8080 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 8080 -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 443 -j ACCEPT
firewall-cmd --reload
Check the resulting order with firewall-cmd --direct --get-all-rules, and remove the 8080/tcp port from the public zone if you opened it there during installation.
11. To validate that the web proxy is properly set up:
- From a machine other than the server, open http://<hostname>/wr and https://<hostname>/wr, where <hostname> is the IP address or host name of the front-end server. The login page should appear, and http://<hostname>/wr (port 80) must redirect to https://<hostname>/wr (port 443).
- If the front-end server is installed on the same machine as Web Restore, also open http://<hostname>:8080/wr from that other machine; the service must be unreachable, because port 8080 now answers only on loopback. Otherwise, skip this check.
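The manual checks in step 11 are worth scripting so they can be repeated after every firewall or certificate change. The script below is an added example, not part of the Acronis package. The redirect logic is separated from the network calls so it can be exercised on a captured response; check_web_restore_proxy runs the three checks against a live host and must be run from a machine other than the server, so that the port 8080 probe arrives on an external interface rather than on loopback. It assumes curl is installed; CACERT is an optional environment variable of this example's choosing, to be set to the front-end certificate when it is self-signed.

```shell
#!/bin/sh
# Automated version of the validation in step 11 (added example, not part of
# the Acronis package). is_https_redirect works on captured header text;
# check_web_restore_proxy HOST does the live checks. Set CACERT to the
# front-end certificate file when it is self-signed (this example's variable).

# is_https_redirect HEADERS: HEADERS is the raw response to `curl -I` on the
# plain-HTTP URL. Passes only for a redirect status whose Location is https://.
is_https_redirect() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | sed -n '1s#^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*#\1#p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_web_restore_proxy HOST: run from a machine other than the server.
check_web_restore_proxy() {
    host="$1"; rc=0

    # 1. plain HTTP must redirect to HTTPS (do not follow the redirect here)
    http_head=$(curl -sSI --max-time 10 "http://$host/wr") || rc=1
    if is_https_redirect "$http_head"; then
        echo "ok   http://$host/wr redirects to HTTPS"
    else
        echo "FAIL http://$host/wr does not redirect to HTTPS"; rc=1
    fi

    # 2. HTTPS must complete the TLS handshake and serve the login page
    #    (-L follows the application's own redirect to its login page)
    code=$(curl -sSL ${CACERT:+--cacert "$CACERT"} -o /dev/null -w '%{http_code}' \
                --max-time 10 "https://$host/wr") || code=000
    if [ "$code" = 200 ]; then
        echo "ok   https://$host/wr answers 200"
    else
        echo "FAIL https://$host/wr returned $code (check certificate and proxy_pass)"; rc=1
    fi

    # 3. the plain-HTTP backend port must not answer from outside
    if curl -s -o /dev/null --max-time 5 "http://$host:8080/wr"; then
        echo "FAIL port 8080 is reachable from outside; fix the firewall rules in step 10"; rc=1
    else
        echo "ok   port 8080 is not reachable from outside"
    fi
    return $rc
}

# Example, from a workstation:
#   CACERT=webrestore.crt check_web_restore_proxy webrestore.example.com
```

A non-zero exit status from check_web_restore_proxy means at least one of the three conditions failed; each line says which, so the script is suitable for a monitoring check as well as for the initial validation.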
Registering Web Restore
To make your customers use the newly deployed Web Restore installation instead of the default one, register it in the Account management console:
- Log in to the Account management console as an administrator.
- Under Groups, select the group that will use the newly deployed Web Restore installation. A pane with the group details opens on the right.
- Click Storage to display a list of storages assigned to the group.
- Click the item that represents the storage to be associated with the new Web Restore installation. A pane with the storage properties opens.
- Click WEB RESTORE ADDRESS and enter the address of the front-end server, either as https://XXX.XXX.XXX.XXX (the IP address) or as https://<hostname> (the host name). Use an https address, so that users are sent to the TLS front end and not to the plain-HTTP port.
- Leave ARCHIVE SERVER ADDRESS empty. This is the URL for Archive Server which is still in development.
Using Web Restore
When a user wants to browse or recover their data and clicks Download in the Cyber Protection console, they are forwarded to the Web Restore console and asked to log in. The user must provide their backup account credentials (the credentials used to log in to the Cyber Protection console).
Updating from Web Restore 6.x to 7.x
1. Note the RPC address of Web Restore 6.x:
grep rpc /var/lib/tomcat/webapps/ROOT/WEB-INF/classes/msp/prev/web-app-config.properties
Example response:
acronis.url.rpc.server.enterprise=https://msptest2.acronis.com/api/1/rpc
where "https://msptest2.acronis.com/api/1/rpc" is the RPC address
2. Stop or remove Apache Tomcat:
chkconfig tomcat off
service tomcat stop
Alternatively, change its port 8080 to another one.
3. Optionally, remove the old packages completely.
List them and note the package names:
rpm -qa | grep wbr
rpm -qa | grep archiv
rpm -qa | grep tomcat
Remove:
rpm -e --nodeps <package name>
Then install the new Web Restore as described above, using the RPC address noted in step 1 for rpc.service.url.