Backup and Recovery Connection Profiles

The following topics describe connection profiles for backup and recovery services:

ConnectionProfile:AWS Backup

AWS Backup enables you to back up and restore your data to the Amazon cloud.

For more information about this plug-in, see Control-M for AWS Backup.

The following examples show how to define a connection profile for an AWS Backup job:

  • This JSON defines an authentication based on an AWS access key and secret:

    {
      "AWS_BACK": {
        "Type": "ConnectionProfile:AWS Backup",
        "AWS Backup URL": "https://backup.{{AWSRegion}}.amazonaws.com",
        "AWS Region": "us-east-1",
        "Authentication": "Secret",
        "AWS Access Key": "ZKIATY7B2LKB2JQ85I6D",
        "AWS Secret": "*****",
        "Connection Timeout": "20",
        "Description": "",
        "Centralized": true
      }
    }

  • This JSON defines an authentication based on an AWS IAM role from inside an Amazon EC2 virtual machine (instance):

    {
      "AWS_BAK_IAM": {
        "Type": "ConnectionProfile:AWS Backup",
        "AWS Backup URL": "https://backup.{{AWSRegion}}.amazonaws.com",
        "AWS Region": "us-east-1",
        "Authentication": "NoSecret",
        "IAM Role": "arn:aws:iam::122343212345:role/Amazon12SSMRoleForInstancesQuickSetup",
        "Connection Timeout": "20",
        "Description": "",
        "Centralized": true
      }
    }

The following table describes the AWS Backup connection profile parameters.

| Parameter | Description |
|---|---|
| AWS Backup URL | Determines the authentication endpoint for AWS Backup. For more information about regional endpoints available for the AWS Batch service, refer to the AWS documentation. Format: https://backup.{{AWS_Region}}.amazonaws.com |
| AWS Region | Determines the AWS region where the job is located. Example: us-east-2 |
| Authentication | Determines one of the following authentication methods: • Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure. • NoSecret: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials. |
| AWS Access Key | Defines the access key assigned to the account with the relevant permissions to the AWS service. |
| AWS Secret | Defines the secret access key assigned to the account with the relevant permissions to the AWS service. You can use Secrets in Code to hide this value in the code. |
| IAM Role | Defines the Identity and Access Management (IAM) role name for the AWS service connection. |
| Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs. Default: 20 |
| Centralized | Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents. You must set this parameter to true. |

ConnectionProfile:AWS DataSync

AWS DataSync enables you to move large amounts of data between on-premises storage and AWS storage services, as well as between AWS storage services.

For more information about this plug-in, see Control-M for AWS DataSync.

The following examples show how to define a connection profile for an AWS DataSync job:

  • This JSON defines an authentication based on an AWS access key and secret:

    {
      "DATASYNC": {
        "Type": "ConnectionProfile:AWS DataSync",
        "AWS Logs URL": "https://logs.AwsRegion.amazonaws.com",
        "AWS DataSync URL": "https://datasync.AwsRegion.amazonaws.com",
        "AWS Region": "us-east-1",
        "Authentication": "Secret",
        "AWS Access Key": "ZKIATY7B2LKB2JQ85I6D",
        "AWS Secret": "*****",
        "Connection Timeout": "20",
        "Description": "",
        "Centralized": true
      }
    }

  • This JSON defines an authentication based on an AWS IAM role from inside an Amazon EC2 virtual machine (instance):

    {
      "DATASYNC": {
        "Type": "ConnectionProfile:AWS DataSync",
        "AWS Logs URL": "https://logs.AwsRegion.amazonaws.com",
        "AWS DataSync URL": "https://datasync.AwsRegion.amazonaws.com",
        "AWS Region": "us-east-1",
        "Authentication": "NoSecret",
        "IAM Role": "arn:aws:iam::122343212345:role/Amazon12SSMRoleForInstancesQuickSetup",
        "Connection Timeout": "30",
        "Description": "",
        "Centralized": true
      }
    }

The following table describes the AWS DataSync connection profile parameters.

| Parameter | Description |
|---|---|
| AWS Logs URL | Defines the AWS Logs URL, based on the following format: https://logs.{{AwsRegion}}.amazonaws.com |
| AWS DataSync URL | Determines the authentication endpoint for AWS DataSync, based on the following format: https://datasync.{{AwsRegion}}.amazonaws.com |
| AWS Region | Determines the AWS region where the job is located. Example: us-east-2 |
| Authentication | Determines one of the following authentication methods: • Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure. • NoSecret: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials. |
| AWS Secret | Defines the secret access key assigned to the account with the relevant permissions to the AWS service. You can use Secrets in Code to hide this value in the code. |
| AWS Access Key | Defines the access key assigned to the account with the relevant permissions to the AWS service. |
| IAM Role | Defines the Identity and Access Management (IAM) role name for the AWS service connection. |
| Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs. Default: 30 |
| Centralized | Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents. You must set this parameter to true. |

ConnectionProfile:Azure Backup

Azure Backup enables you to back up and restore your data in the Microsoft Azure cloud.

For more information about this plug-in, see Control-M for Azure Backup.

The following examples show how to define a connection profile for an Azure Backup job:

  • This JSON defines an authentication using an Azure service principal:

    {
      "ABK_CCP_SERVICE_PRINCIPAL": {
        "Type": "ConnectionProfile:Azure Backup",
        "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1j",
        "Authentication Method": "service",
        "Azure Management URL": "https://management.azure.com",
        "Azure Login URL": "https://login.microsoftonline.com",
        "Tenant ID": "92b796c5-5839-40a6-8dd9-c1fad320c68c",
        "Client Secret": "*****",
        "Application ID": "7f477fa3-1a1f-4877-ba80-f39bb563f1b8",
        "Connection Timeout": "50",
        "Description": "",
        "Centralized": true
      }
    }

  • This JSON defines an authentication using a managed identity:

    {
      "ABK_CCP_MANAGED_IDENTITY": {
        "Type": "ConnectionProfile:Azure Backup",
        "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1j",
        "Authentication Method": "identity",
        "Azure Management URL": "https://management.azure.com",
        "Specify Managed Identity Client ID": "&client_id=",
        "Managed Identity Client ID": "7f477fa3-1a1f-4877-ba80-f39bb563f1b8",
        "Connection Timeout": "50",
        "Description": "",
        "Centralized": true
      }
    }

Managed Identity authentication is based on an Azure token that is valid, by default, for 24 hours. Token lifetime can be extended by Azure.

The following table describes the Azure Backup connection profile parameters.

| Parameter | Description |
|---|---|
| Subscription ID | Defines the Azure account ID of your organization. You can retrieve the subscription ID from the Subscription menu in the Azure portal. |
| Authentication Method | Determines one of the following authentication methods: • identity: Access protected Azure services and resources based on roles assigned to the Service Principal by the Azure administrator. The Service Principal is also known as an App Registration. Use this method if the Control-M/Agent is installed on-premises or with another (non-Azure) cloud vendor. • service: Access protected Azure services and resources using a key created and managed by the Azure platform, without login credentials. Use this method if the Control-M/Agent is installed on an Azure virtual machine that has a Managed Identity with the required permissions. |
| Azure Management URL | Defines the Azure service endpoint that enables you to perform API calls and retrieve the token for authentication. Default: https://management.azure.com |
| Specify Managed Identity Client ID | (Managed identity authentication) Determines whether the managed identity is specified by the Managed Identity Client ID parameter. This parameter must be included when you use the Managed Identity authentication method and there are multiple managed identities defined on your Azure VM. Valid Values: • "&client_id=": The Managed Identity Client ID parameter contains the managed identity used for authentication. You must specify this value when your Azure VM has multiple managed identities. • "": The Managed Identity Client ID parameter does not contain a managed identity value. The managed identity is automatically retrieved from the Azure VM. |
| Managed Identity Client ID | (Managed identity authentication) Defines the client ID of the managed identity used for access. This parameter requires a value only if there are multiple managed identities defined on your Azure VM and you included the Specify Managed Identity Client ID parameter. If there is only one managed identity, it is detected automatically. |
| Azure Login URL | (Service Principal) Defines the base URL of the Microsoft Entra/Azure AD authentication endpoint. Default: https://login.microsoftonline.com |
| Tenant ID | (Service Principal) Defines the Azure tenant ID for your organization. |
| Client Secret | (Service Principal) Defines the password associated with the Service Principal/registered application. You can use Secrets in Code to hide this value in the code. |
| Application ID | (Service Principal) Defines the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant. The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service. |
| Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs. Default: 50 |
| Centralized | Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents. You must set this parameter to true. |
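
As an added example (not BMC's code and not part of the original page), this Python lint checks connection-profile JSON like the samples on this page before deployment: Centralized is true, endpoint URLs are https on the expected hosts, secret fields are not string literals, and role or managed-identity profiles carry no static credentials. The rule tables, the function names and the {"Secret": "<name>"} reference form for Secrets in Code are assumptions, and the sample profiles are constructed.

```python
import json
from urllib.parse import urlparse

# Field names and auth values are from the page's examples; the rule tables
# are assumptions of this example (public-cloud endpoints only).
URL_HOSTS = {
    "AWS Backup URL": ".amazonaws.com", "AWS Logs URL": ".amazonaws.com",
    "AWS DataSync URL": ".amazonaws.com",
    "Azure Management URL": "management.azure.com",
    "Azure Login URL": "login.microsoftonline.com",
}
SECRET_FIELDS = ("AWS Secret", "Client Secret")
# Keyless auth values -> static credentials that should then be absent.
KEYLESS = {"NoSecret": ("AWS Access Key", "AWS Secret"),
           "identity": ("Client Secret",)}

def host_ok(url, rule):  # rule: exact host, or a suffix if it starts with "."
    parts = urlparse(url)
    host = parts.hostname or ""
    match = host.endswith(rule) if rule.startswith(".") else host == rule
    return parts.scheme == "https" and match

def lint_profiles(text):
    """Return sorted (profile, finding) pairs for connection-profile JSON."""
    findings = []
    for name, prof in json.loads(text).items():
        if prof.get("Centralized") is not True:
            findings.append((name, "Centralized must be true"))
        for field, rule in URL_HOSTS.items():
            if field in prof and not host_ok(prof[field], rule):
                findings.append((name, f"{field}: expected https host {rule}"))
        for field in SECRET_FIELDS:
            # Assumed Secrets in Code reference form: {"Secret": "<name>"}
            if isinstance(prof.get(field), str):
                findings.append((name, f"{field}: literal value in code"))
        auth = prof.get("Authentication") or prof.get("Authentication Method")
        for field in KEYLESS.get(auth, ()):
            if field in prof:
                findings.append((name, f"{field}: static credential with {auth}"))
    return sorted(findings)

# Constructed sample: one weak profile, one that passes every check.
SAMPLE = json.dumps({
    "AWS_WEAK": {"AWS Backup URL": "http://backup.us-east-1.amazonaws.com",
                 "Authentication": "NoSecret", "AWS Secret": "constructed-value",
                 "IAM Role": "arn:aws:iam::000000000000:role/ExampleRole"},
    "AZ_OK": {"Authentication Method": "service", "Centralized": True,
              "Client Secret": {"Secret": "abk_client_secret"}},
})
```

Calling lint_profiles(SAMPLE) reports four findings, all on AWS_WEAK; a URL with a trailing dot after amazonaws.com is also rejected by host_ok.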