Protecting Salesforce with Commvault

System administrators are seeing more and more business processes becoming reliant on SaaS solutions. Salesforce is; to many organisations the lifeblood of their CRM & Sales lifecycle, providing efficiencies of customer management essential to an effective organisation.

The mistake many companies make is to assume that just because a solution is “in the cloud” it has the same level of protection as their on-premise systems. In many cases this assumption is false; data is very often replicated (such as the multi-zone replication of AWS S3), but rarely has any sort of historical recovery points. Salesforce for example at the time of writing only holds 2 weeks worth of restore points; any changes or deletions not spotted within this time are likely permanent. Other considerations are the fees charged by Salesforce in the event you do have to roll-back. This will easily run into thousands of dollars ($10k is what i’ve read), money that could be saved through the configuration of a Salesforce agent.

This capability is still relatively new and may be simplified in later releases. This guide is written with Commvault v11 SP11 in mind. The configuration presently is made up of the following components:

  • Commserve
  • MediaAgent
  • Salesforce Virtual Client (pseudoclient)
  • Cloud Connector (Linux)
  • SQL Server (Optional but required for restoration to Salesforce instance)

Data Flow

Not everything is protected as the data protection is limited to what is made available via the Salesforce API. For a list of items that are not protected check out books online here. The high level steps required to implement the Salesforce backup are as follows:

  1. Ensure you have a supported version of Salesforce
  2. Ensure you have sufficient capacity license available on your Commcell
  3. Configure a Connected App in Salesforce (click here for a guide).
  4. Install the cloud connector on a linux VM
  5. Create a MSSQL database on a seperate DB server for use by the cloud connector
  6. Create the Salesforce pseudoclient.
  7.   Backup!

Obviously this guide is no substitute for the official documentation, however hopefully it will aide in testing out the Salesforce backup functionality for yourself. During my testing I used a free salesforce developer account available here.

Required information

During the configuration of the Commvault Salesforce pseudoclient you will need to complete the following fields:

  • Client Name: The name which appears in the Commvault Console
  • Instance Name: Usually the same as the client name.
  • Backup Client: The linux proxy with “Cloud Apps” installed
  • Storage Policy: The storage policy through which data will be stored.
  • Number of Data Backup Streams: Start with 1 and scale if required.
  • Salesforce login URL: https://login.salesforce.com (You may use a custom URL here if configured)
  • Username: Your salesforce service account
  • Password: As described
  • API Token: The salesforce security token, this can be reset once the service account has been created.
  • Consumer Key: Associated with the Salesforce connected App
  • Consumer Secret: Associated with the Salesforce connected App
  • Download to Cache Path: This should be a folder on the Cloud Connector, plan for 120% of the total salesforce data.
  • Database Type: SQL Server (You can also use PostGreSQL)
  • Database Host: The database server containing the database preconfigured for use by the Commvault salesforce agent. I had difficulty when using DNS names here, try IP if DNS doesn’t work.
  • Server Instance Name: As described
  • DB Name: Name of the SQL database set up on the SQL Server
  • Database Port: 1433
  • Username:sysadmin user for the configured database
  • Password: As described.

Sizing

As described above; you will need to plan for both the Cloud Connector cache and SQL server storage. Required storage is as follows:

In addition to this you should consider the amount of back-end storage required. This should be planned in the same way planning for any additional client is performed.

Creating a Connected App

  1. Login to Salesforce using your administrator account
  2. Click Setup
  3. On the left select Build then Create –> Apps
  4. Scroll down to Connected Apps and click New
  5. Completed the required fields, ensure “Enabled OAuth Settings” is enabled.
  6. OAuth Scope should be “Full Access”
  7. Callback URL should be “https://test.salesforce.com/services/oauth2/token” if you are using a test account. If this is a production config it would be “https://login.salesforce.com/services/oauth2/token”
  8. Click Save and then click the connected app name, note the following fields:
    1. Consumer Key
    2. Consumer Secret
    3. Callback URL
      1. Commvault requires this during setup, minus the /services/oauth2/token

ConnectedApp.PNG

Generating the API Key

The API key is associated with the administration account (service account) used by Commvault to connect to Salesforce. To generate it:

  1. Login as the service account.
  2. Click the username at the top of the screen, select “My Settings”
    mysettings
  3. On the left of the screen, select “Reset My Security Token”
  4. Click the button to reset the token, it will be sent to the email address registered to the service account.

Configure the Pseudoclient

You should now have all the components and details required to create a Salesforce pseudoclient (also described as a virtual client). In addition to the items configured above you should have a Linux client installed with the Cloud Apps package, sufficient space on that client for the cached salesforce data & a SQL server with a preconfigured SQL database (and associated credentials).

Steps are as follows:

  1. From the CommCell console, Create a new Salesforce client.
    newclient1
  2. Complete the details on each tab, use the “Required Information” section above if you need clarification on any of the fields. Be sure to Test Connection on the “Connection Details” and “Backup Options” tabs.
  3. Your new client will appear as displayed below. Right click on the default subclient to adjust what is to be protected. You’ll notice the defaultbackupset reflects the name of the service account used.
    completedclient
  4. In the Contents page of the default subclient you have the option to include metadata, selecting this option will give you access to the metadata view when performing a “browse & restore”.

Standard vs Metadata views

Not being a Salesforce administrator I cant provide much insight into the significance of these two views, I can however provide screenshots of the different browse and restore results:

Objects:

Objects

Metadata:

metadata

Next Steps

Now it’s time to run a backup operation which can be performed by right clicking on the default subclient and choosing backup. You’ll notice an incremental backup is automatically performed following the completion of the full backup. Once this has completed you can test the solution by deleting accounts/opportunities etc and testing the restoration process.

If you are restoring directly to Salesforce you’ll notice the requirement for a configured database. The screenshot below shows the restore options window when restoring directly from the most recent database sync.

restore-db.PNG

If you are restoring from another restore point, you may need to restore from Media, as shown in the screenshot below:

restore-media.PNG

You’ll notice this clears the database details. All restores to Salesforce require a staging database (be that MSSQL or PostGreSQL). You would need to create and specify a SQL database to restore to (from media), prior to that data being restored to your Salesforce instance.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s