Web Restore is a web-based service that allows users to browse, select and restore data backed up to cloud storage.

If you are using Acronis Cloud, Web Restore service is provided to your end users by Acronis. If you use Acronis Storage Gateway, you either need to apply some network changes (providing inbound access through TCP port 44445 from Acronis Cyber Protect Cloud to Acronis Storage Gateway), or you need to install it on a dedicated server and register in Acronis Cyber Protect Cloud environment to offer Web Restore functionality to your end users. We recommend setting up a dedicated Web Restore server, because otherwise data will be transferred from the storage to the end user through Acronis Cyber Protect Cloud. This article describes installation of Web Restore.

Preparing for installation

1. You can install Web Restore service on the machine hosting Acronis Storage Gateway or prepare a dedicated physical or virtual machine that meets the following hardware and software requirements:

• Latest CentOS 7 for x86_64
• 12+ GB of RAM
• 100+ GB of free disk space for /tmp

2. Configure hostname:

hostnamectl set-hostname serverhostname.com

Check configuration:
hostname
hostname --ip-address
ping -c 3 $HOSTNAME

If ping $HOSTNAME does not work, you need add host name in /etc/hosts and/or /etc/resolv.conf

3. Make sure the system locale is en_US.UTF-8 by issuing:

locale

This output indicates that the locale is en_US.UFT-8:
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

Otherwise set the locale to en_US.UTF-8 by issuing:
echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
reboot

Incorrect locale affects work with Unicode strings in archive-reader.

4. Set OS Time Zone to UTC by issuing:

rm -rf /etc/localtime && ln -s /usr/share/zoneinfo/UTC /etc/localtime

Synchronize time by issuing:
yum -y install ntpdate
ntpdate pool.ntp.org
Icon

You can install ntpd to automatically synchronize time.

Check time and Time Zone:
date

Output should be like:
Wed Jan  4 12:10:22 UTC 2017

Installing Web Restore

1. Install repository:

rpm -U http://dl.acronis.com/u/cloud/repositories/web-restore/wbr-repo-1.0.0-RE...

2. Install OpenJDK 1.8:

yum install -y java-1.8.0
alternatives --auto java

Verify installation:
/usr/bin/java -version

Output should be like:
# openjdk version "1.8.0_111"
# OpenJDK Runtime Environment (build 1.8.0_111-b15)
# OpenJDK 64-Bit Server VM (build 25.111-b15, mixed mode)

3. Install archive reader:

3.1 Clean yum cache to get latest packages versions
yum clean all

3.2 Install the latest version:
yum install -y archive-reader-installer

Install a specific version:
yum install -y archive-reader-installer-<version>

For example:
# yum install -y archive-reader-installer-7.0-401

3.3. Verify installation:
/usr/bin/archive-reader --version
/usr/bin/storage-proxy --version

4. Install Web Restore package:

4.1. Clean yum cache to get the latest package version:
yum clean all

4.2. Install the latest version:
yum install -y wbr-msp

4.3. Install a specific version:
yum install -y wbr-msp-<version>

For example:
yum install -y wbr-msp-6.0.406

4.4. Verify installation:
cat /opt/wbr/version.txt

5. Configure Web Restore:

5.1. Add or change RPC address in the rpc.service.url parameter in /opt/wbr/application-msp-prod.properties:
nano /opt/wbr/application-msp-prod.properties

For example:
rpc.service.url=https://baas.acronis.com/api/1/rpc

5.2. Optionally, you can change Java heap memory limit (JAVA_OPTS) in /opt/wbr/wbr.conf:
nano /opt/wbr/wbr.conf

For example, set 2048Mb:
JAVA_OPTS='-Xmx2048m ...
Note: A very low -Xmx value can lead to the "Out Of Memory Error" error under heavy load.

5.3. Optionally, you can change Web Restore context (server.context-path=/wr):
nano /opt/wbr/application-msp-prod.properties
 
# http://<hostname>:8080/wr
server.context-path=/wr
#
# or, http://<hostname>:8080/
server.context-path=

After changing this configuration, restart Web Restore service to apply changes:
systemctl restart wbr

6. Configure firewall.

If you want to access Web Restore from outside of your network, you should open Web Restore port (8080 by default).

Configuring IPTables:
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
service iptables save
service iptables restart

Configuring FirewallD:
yum install firewalld
systemctl enable firewalld
systemctl start firewalld

firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload

Note: Web Restore uses the unencrypted HTTP protocol.

7. Verify configuration:

If you have opened 8080 port and use the default context, then you can open Web Restore by this link:
http://<hostname>:8080/wr
where <hostname> is an IP-address or host name of the server where Web Restore is installed, /wr - default context (you can change it).

Installing Notary

Acronis Notary proves that a file is authentic and unchanged since it was backed up. We recommend using this type of backup to protect legal document files or any other files that require proved authenticity. Acronis Notary saves fingerprints (hash codes) of the backed-up files in the Ethereum blockchain database. Acronis Notary uses Chainstack as a managed blockchain services provider for Ethereum nodes. The blockchain technology guarantees that the hash codes will not be changed. At any time, you can make sure that the backup content has not been modified by fraudulent software.

1. Open application-msp-prod.properties:

nano /opt/wbr/application-msp-prod.properties

2. Set notary.enabled value to true:

notary.enabled=true

3. If need be, add the notary.certificate.signee parameter. It's value will be displayed on the certificate page in the Signee field.

notary.certificate.signee=companyname

4. Restart Web Restore to apply changes:

systemctl start wbr

Installing ASign and Public Links

ASign is an service that allows multiple people to sign a file electronically. Public links service allows users to provide direct links to a file in a cloud backup.

1. Generate public link AES key.

AES key is random binary data, length is 128 bit (16 bytes) (for AES128)
dd if=/dev/urandom of=/etc/pki/tls/certs/ass/public-link.key bs=16 count=1
chown wbr:wbr /etc/pki/tls/certs/ass/public-link.key
chmod 760 /etc/pki/tls/certs/ass/public-link.key

Note: You should back up 'public-link.key' to a separate physical storage, because if you change or lost it, all public links stored in database will be broken!

2. Install MySQL-compatible database (MariaDB, MySQL, Percona Server).

You should install any MySQL compatible database, for example MariaDB:

2.1. Install the Stable version of MariaDB repository:
nano /etc/yum.repos.d/MariaDB.repo

# MariaDB 10.1 CentOS repository list - created 2017-02-14 13:01 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

2.2. Import MariaDB Signing Key:
rpm --import https://yum.mariadb.org/RPM-GPG-KEY-MariaDB

2.3. Install MariaDB:
yum clean all
yum install -y MariaDB-server MariaDB-client

2.4. Run MariaDB:
systemctl start mariadb
systemctl enable mariadb

2.5. Verify installation:
systemctl status mariadb

3. Configure database server

3.1. Open the configuration file:
nano /etc/my.cnf

3.2. Add mysqld section:
[mysqld]
max_connections=1024
default-time-zone='+00:00'
character-set-server=utf8
collation-server=utf8_bin
init-connect='SET NAMES utf8'
max_allowed_packet=256M

3.3. Apply changes:
systemctl restart mariadb

3.4. Verify configuration:
mysql

SHOW VARIABLES LIKE 'time_zone';
SHOW VARIABLES LIKE 'max_connections';

4. Create database:

mysql

CREATE DATABASE IF NOT EXISTS webrestore_sharings DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
CREATE DATABASE IF NOT EXISTS webrestore_logs DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
 
CREATE TABLE IF NOT EXISTS webrestore_sharings.PUBLIC_LINK (
   ID INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY
  ,SUBACCOUNT_ID BIGINT
  ,MIGRATION_ID INTEGER NULL
  ,USER_ID BIGINT NOT NULL
  ,BOX_NAME VARCHAR(256) NOT NULL
  ,BOX_DISPLAY_NAME VARCHAR(256) NOT NULL
  ,PATH VARCHAR(1000) NOT NULL
  ,ENCRYPTION_KEY VARCHAR(1000)
  ,PUBLISH_DATE TIMESTAMP NOT NULL
  ,SUBSCRIPTION_MODE INTEGER NOT NULL
  ,STATUS INTEGER NOT NULL
  ,STORAGE_ADDRESS VARCHAR(1000) NOT NULL
  ,DATACENTER_ID BIGINT
  ,ACCESS_TOKEN VARCHAR(1000)
  ,MACHINE_ID VARCHAR(128)
  ,BRAND_ID BIGINT
  ,CONTENT_VERSION VARCHAR(64),
  INDEX USER_ID_INDEX (USER_ID),
  INDEX BRAND_ID_INDEX (BRAND_ID)
) DEFAULT CHARSET = UTF8
  DEFAULT COLLATE = utf8_general_ci;
 
CREATE TABLE IF NOT EXISTS webrestore_logs.PUBLIC_LINK_HIT (
   ID INTEGER NOT NULL
  ,HIT_COUNT INTEGER NOT NULL
) DEFAULT CHARSET = UTF8
  DEFAULT COLLATE = utf8_bin;

5. Add user:

Note: change "user_name" and "user_password"!

mysql

CREATE USER "user_name"@"%" IDENTIFIED BY "user_password";
CREATE USER "user_name"@"%.%.%.%" IDENTIFIED BY "user_password";
CREATE USER "user_name"@"localhost" IDENTIFIED BY "user_password";
 
GRANT ALL PRIVILEGES ON webrestore_sharings.* TO "user_name"@"%.%.%.%" IDENTIFIED BY "user_password" WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON webrestore_sharings.* TO "user_name"@"localhost" IDENTIFIED BY "user_password" WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON webrestore_logs.* TO "user_name"@"%.%.%.%" IDENTIFIED BY "user_password" WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON webrestore_logs.* TO "user_name"@"localhost" IDENTIFIED BY "user_password" WITH GRANT OPTION;
 
FLUSH PRIVILEGES;

6. Configure Web Restore: configure the "Data Base Configuration" and "Esign service" sections in application-msp-prod.properties.

6.1. Open application-msp-prod.properties:
nano /opt/wbr/application-msp-prod.properties

6.2. Make sure that 'esign.enabled' is set to 'true':
esign.enabled=true

6.3. Uncomment (remove '#') all 'datasource.*' properties, change '*.username' and '*.password':
# Data Base Configuration -----------------------------------------------------
datasource.common.url=jdbc:mysql://127.0.0.1/webrestore_sharings?autoReconnect=true&connectionCollation=utf8_general_ci&characterEncoding=utf8
datasource.common.username=user_name
datasource.common.password=user_password
...
 
datasource.link.url=jdbc:mysql://127.0.0.1/webrestore_logs?autoReconnect=true&connectionCollation=utf8_general_ci&characterEncoding=utf8
datasource.link.username=user_name
datasource.link.password=user_password
...
# -----------------------------------------------------------------------------

6.4. Restart Web Restore to apply changes:
systemctl start wbr

6.5. Set up database backup.

Integrating Web Restore with a web proxy

To ensure secure data transfer between Web Restore and client software, configure a front end server that will work as a web proxy.

The following is an example of the Nginx web server configuration.

Prerequisites
Nginx is installed as described on the official product help page at http://wiki.nginx.org/Install. The steps below are tested to work with the above default installation guide only. If you are using existing nginx installation or obtained it from other sources, it may require additional configuration steps to work with Web Restore service.

Integration process

To integrate Web Restore with a Nginx web server:

1. Configure Nginx to redirect requests coming to standard ports 80 (HTTP) and 443 (HTTPS) to port 8080.

2. Create file proxy_settings in directory /etc/nginx.

3. Create file ssl_settings in directory /etc/nginx.

4. Create file error_page in directory /etc/nginx.

5. Remove the default configuration files (*.conf) from directory /etc/nginx/conf.d/.

6. Create the configuration file webrestore.conf in directory /etc/nginx/conf.d/.

In the #placeholder section, replace <WEB_RESTORE_IP_ADDRESS> with the IP address of the machine where Web Restore is installed. If the front-end server is installed on the same machine as Web Restore, specify 127.0.0.1.

7. Put the Web Restore certificate and certificate key files to the directory defined under ssl_certificate and ssl_certificate_key in file webrestore.conf (see above). In our example, the directory is /etc/web-certs/.

Both the certificate and certificate key can be created by using the openssl utility:
a. Generate a certificate key:
openssl genrsa -out webrestore.key
b. Generate a certificate based on the certificate key:
openssl req -new -x509 -key webrestore.key -out webrestore.crt
For more details about OpenSSL, refer to the official help page https://www.openssl.org/docs/

8. Make sure that Nginx can read and apply the settings from the configuration file webrestore.conf. The file /etc/nginx/nginx.conf must include the following record:
http {
include /etc/nginx/conf.d/*.conf;
}

9. Restart Nginx for the changes to take effect and enable service autostarting.
systemctl restart nginx.service
systemctl enable nginx.service

10. Configure TCP ports - close port 8080 and leave it only for localhost requests; open 443 and 80 for all interfaces.
a. Using iptables:
iptables -I INPUT -p tcp --dport 8080 -j DROP
iptables -I INPUT -i lo -p tcp --dport 8080 -j ACCEPT  
iptables -I INPUT -p tcp --dport 80 -j ACCEPT 
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
service iptables save
service iptables restart

b. Using firewalld:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 8080 -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i lo -p tcp --dport 8080 -j ACCEPT  
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT 
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 443 -j ACCEPT
firewall-cmd --reload

11. To validate that the web proxy is properly set up:

• Open http://<hostname>/wr and https://<hostname>/wr, where <hostname> is an IP-address or host name of the server where front-end server is installed. The login page should appear. http://<hostname>/wr (port 80) must redirect to https://<hostname>/wr (port 443)
• If the front-end server is installed on the same machine as Web Restore, open http://<hostname>:8080/wr, where <hostname> is an IP-address or host name of this machine. The service must be unavailable. Otherwise, skip this step.

Registering Web Restore

To enable your customers to use the newly deployed Web Restore installation instead of the default one, register this Web Restore installation in the Account management console.

1. Log in to the Account management console as an administrator.
2. Under Groups, select the group that will use the newly deployed Web Restore installation. A pane with the group details opens on the right.
3. Click Storage to display a list of storages assigned to the group.
4. Click the item that represents the storage to be associated with the new Web Restore installation. A pane with the storage properties opens.
5. Click WEB RESTORE ADDRESS and provide the address of the front end server either as https://XXX.XXX.XXX.XXX (specify the IP address) or https://<hostname> (specify the hostname)

1. Leave ARCHIVE SERVER ADDRESS empty. This is the URL for Archive Server which is still in development. 

Using Web Restore

Once a user wants to browse or recover their data and click Download in Cyber Protection console, they are forwarded to the Web Restore console and are requested to log in. The user needs to provide their Backup account credentials (the credentials used to log in to the Cyber Protection console).

Updating from Web Restore 6.x to 7.x

1. Note the RPC address of Web Restore 6.x:

cat /var/lib/tomcat/webapps/ROOT/WEB-INF/classes/msp/prev/web-app-config.properties | grep rpc

Example response:
acronis.url.rpc.server.enterprise=https://msptest2.acronis.com/api/1/rpc
where "https://msptest2.acronis.com/api/1/rpc" is the RPC address

2. Stop or remove Apache Tomcat:

chkconfig tomcat off
service tomcat stop

Alternatively, change its port 8080 to another one.

3. You can completely remove oldest packages.

Issue and note package names:
rpm -qa | grep wbr
rpm -qa | grep archiv
rpm -qa | grep tomcat

Remove:
rpm -e --nodeps <package name>

Now you can install new Web Restore as described above.