Introduction
This document describes basic concept of script creation to save a configuration from Cisco Secure Email and Web Manager (SMA).
Prerequisites
Requirements
Note: This article is a proof-of-concept and provided as an example basis. While these steps have been successfully tested, this article is intended primarily for demonstration and illustration purposes. Custom scripts are outside of the scope and supportability of Cisco. The Cisco Technical Assistance Center cannot write, update, or troubleshoot custom external scripts at any time. Before you attempt and construct any scripts, ensure that you have scripting knowledge when you construct the final script.
Cisco recommends that you have knowledge of these topics:
Manual Configuration File Backup
The configuration backup can be saved manually either with the use of command saveconfig
or mailconfig
from the CLI, or through the SMA GUI > System Administration > Configuration File
.
Mask passphrases does not allow the appliance to load configuraiton, as the appliance cannot hash form of the passwords for the local administrative accounts in the configuration file.
To have an effective backup that is able to be loaded and applied to an SMA, it is best to Encrypt passphrases.
Afterwards it is expected a notification that file has been saved in the configuration on respective machine.
sma01.local> saveconfig
Choose the passphrase option:
1. Mask passphrases (Files with masked passphrases cannot be loaded with loadconfig command)
2. Encrypt passphrases
[1]> 2
The file M100V-420DF14148D16EXXXXXX-BF70C4XXXXXX-20230419T103106.xml
has been saved in the configuration directory on machine "sma01.local".
How Can I Automate or Script Configuration File Backups?
The desired outocme is to access the appliance, issue a command to generate the current configuration, and save it remotely or send a mail copy, without any user intervention.
To accomplish this task with efficient way, you must:
- Generate an SSH keypair, without the need to enter manually a password.
- Create a script to login to the appliance, save the config, and send it to remotely or by mail.
Note: Similar logic can be applied in any OS scripting language such as VB or batch scripts for Windows.
Generate an SSH Keypair
For this it is required to create a Private/Public RSA key(s). This can be accomplished with the use of:
ssh-keygen -b 2048 -t rsa -f ~/.ssh/<NAME>
Script to save configuration to a Specified Host
This is an example of a script that can be used to:
- Log in on SMA via SSH.
- Save the config for encrypt passphrases.
- Send the output on remote host with Secure Copy Protocol (SCP) protocol.
The script contain variables, which must be modified based on the business needs.
- HOSTNAME is the Fully Qualified Domain Name (FQDN) or IP address of the SMA.
- USERNAME is the preconfigured username account on the SMA.
- BACKUP_PATH is the desired directory that you must save the configuration.
Note: Before any construction ensure you have scripting knowledge and good understanding of these variables.
Once the script created, make it executable and run the script.
chmod +x sma_backup.sh
./sma_backup.sh
#!/usr/bin/env bash
#
# Simple script to save the SMA config, then copy locally via SCP.
#
# $HOSTNAME can be either FQDN or IP address.
HOSTNAME= [FQDN/IP ADDRESS of SMA]
#
# $USERNAME assumes that you have preconfigured SSH key from this host to your SMA.
USERNAME=admin
#
# $BACKUP_PATH is the directory location on the local system.
BACKUP_PATH= [/local/path/as/desired]
#
# $FILENAME contains the actual script that calls the SMA and issues the 'saveconfig 2' command.
# The rest of the string removes the unnecessary part and isolates the name of the configuration file <model>-<serial number>-<timestamp>.xml.
#
FILENAME=$(ssh -q $USERNAME@$HOSTNAME 'saveconfig 2' | awk '/xml/ {print $3}')
#
# Notification that new generated config file saved locally.
echo
echo "Processing SMA config ${FILENAME}"
#
# SCP saves the configuration to the respective folder that has been defined under "BACKUP_PATH"
scp -q ${USERNAME}@${HOSTNAME}:/configuration/${FILENAME} ${BACKUP_PATH}
#
# Notification that configuration saved properly on the desired folder.
echo "Saving ${FILENAME} under path ${BACKUP_PATH}"
#
# </SCRIPT>
#
The output of the script must have this format:
etrianti@linux:~$ ./sma_backup.sh
Processing SMA config M100V-420DF14148D16EXXXXXX-BF70C4XXXXXX-20230419T103106.xml
Saving M100V-420DF14148D16EXXXXXX-BF70C4XXXXXX-20230419T103106.xml under path /home/etrianti/
Schedule Your Task to Run on a Regular Basis (UNIX/Linux)
Use cron (UNIX/Linux) to kick off the job regularly. Cron is driven by a crontab (cron table) file, a configuration file that specifies shell commands to run periodically on a given schedule. The crontab files are stored where the lists of jobs and other instructions to the cron daemon are kept.
UNIX/Linux cron config file typically is in this format:
minute (0-59), hour (0-23, 0 = midnight), day (1-31), month (1-12), weekday (0-6, 0 = Sunday), command
A good example entry to run this script every day at 1:00 AM looks like:
00 01 * * * /home/etrianti/sma_backup.sh
Troubleshoot
- Use
cli_logs
to review whether the script took place correctly and evaluate what has been performed:
User <admin> login
defines that user was able to log in successfully on SMA.
executed batch command: 'saveconfig 2'
reveals the command which has been executed on the script to save the configuration.
scp -f /configuration/<SMA_configuration>
defines the configuration that fetched from SMA
Example of a successful call of the script:
sma01.local> tail cli_logs
Press Ctrl-C to stop.
Thu Apr 20 12:25:33 2023 Info: PID 61539: User admin login from 10.61.94.7 on 172.16.200.30
Thu Apr 20 12:25:34 2023 Info: PID 61539: User admin executed batch command: 'saveconfig 2'
Thu Apr 20 12:25:39 2023 Info: PID 61582: User admin login from 10.61.94.7 on 172.16.200.30
Thu Apr 20 12:25:39 2023 Info: PID 61582: User admin executed batch command: 'scp -f /configuration/M100V-420DF14148D16EXXXXXX-BF70C4XXXXXX-20230419T103106.xml'
- Add command
set -x
in the top of the script, to enable debug mode in bash and confirm script run properly. The command set
allows you to enable certain flags in your Bash script so that the script has certain behaviors and characteristics.
Caution: SMA with "welcome" message configured under CLI > adminaccessconfig for appliance administration login
, does not allow script to run SCP. In this case welcome message must be removed, while there is no issue with the banner message.
Related Information