IBM Security Key Lifecycle Manager, Version 2.7

Encryption Key Manager, Version 2.1 backup and restore - README

The README file describes how to run backup and restore operations on Encryption Key Manager, Version 2.1 data.

Contents

Backing up Encryption Key Manager, Version 2.1 data
Restoring Encryption Key Manager, Version 2.1 backup files

Note: For greater security, change the IBM Security Key Lifecycle Manager User password soon after the data migration process.

Backing up Encryption Key Manager, Version 2.1 data

Use the IBM Security Key Lifecycle Manager, Version 2.7 backup utility to create Encryption Key Manager, Version 2.1 backup files.

Before you begin

You must install IBM Security Key Lifecycle Manager, Version 2.7 on a system.
Ensure that the Encryption Key Manager folder contains the configuration file, keystore files, other data files and folders that are related to drivetable, key groups, and metadata.

About this task

You can use the backup utility to create cross-platform backup files in a manner that is independent of operating systems and directory structure of the server. You can restore these cross-platform compatible backup files on a system with IBM Security Key Lifecycle Manager, Version 2.7 across operating systems.

Procedure

Copy the Encryption Key Manager folder and all other necessary files to a system where IBM Security Key Lifecycle Manager, Version 2.7 is installed.

Ensure that the KeyManagerConfig.properties file and the following files that are mentioned in the KeyManagerConfig.properties file are copied.

Note: You must edit the KeyManagerConfig.properties configuration file in Encryption Key Manager folder to specify absolute paths of keystore and other data files as shown in the following example.

Admin.ssl.keystore.name=C\:/EKM21/test.keys.ssl
Admin.ssl.truststore.name=C\:/EKM21/test.keys.ssl
TransportListener.ssl.truststore.name=C\:/EKM21/test.keys.ssl
TransportListener.ssl.keystore.name=C\:/EKM21/test.keys.ssl
config.keystore.file=C\:/EKM21/test.keys.jceks
config.drivetable.file.url=FILE\:C\:/EKM21/filedrive.table
Audit.handler.file.directory=C\:/audit 
Audit.metadata.file.name=C\:/EKM21/metadata/EKMData.xml
config.keygroup.xml.file=FILE\:C\:/EKM21/KeyGroups.xml

Locate backup utilities folder in the system where version 2.7 is installed.
Windows

<SKLM_INSTALL_HOME>\migration\utilities\ekm21
Default location is C:\Program Files\IBM\SKLMV27\migration\utilities\ekm21.

Linux

<SKLM_INSTALL_HOME>/migration/utilities/ekm21
Default location is /opt/IBM/SKLMV27/migration/utilities/ekm21.
Edit backup.properties in the backup utilities folder to configure properties as shown in the following example. You must set values for all the properties, except for the BACKUP_DIR property (optional).
If you do not specify the value for BACKUP_DIR, the backup file is created in the backup subfolder under the same directory from where you run the backup utility.

Note: On Windows operating system, the backup.properties file that you use for backup operations must not contain the property keys and values with leading or trailing spaces.
Windows
```
KLM_VERSION=2.1
BACKUP_DIR=C:\\ekm_backup
EKM_HOME=C:\\EKM21
BACKUP_PASSWORD=passw0rd123
JAVA_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer\\java\8.0 
```
Linux
```
KLM_VERSION=2.1
BACKUP_DIR=/ekm_backup
EKM_HOME=/EKM21
BACKUP_PASSWORD=passw0rd123
JAVA_HOME=/opt/IBM/WebSphere/AppServer/java/8.0
```
Note: On Windows system, when you specify path in the properties file, use either "/ " or "\\" as path separator as shown in following example.
```
C:\\ekm_backup
```
Or
```
C:/ekm_backup
```
Open a command prompt and run the backup utility.
Windows
Go to the <SKLM_INSTALL_HOME>\migration\utilities\ekm21 directory and run the following command:
```
backupEKM21.bat
```
Linux
Go to the <SKLM_INSTALL_HOME>/migration/utilities/ekm21 directory and run the following command:
```
backupEKM21.sh
```

What to do next

Review the directory that contains backup files to ensure that the backup file exists. The backup files are created in the location that you specified for BACKUP_DIR in the backup.properties file.
Check the backup.log file for errors or exceptions. The backup.log file is created in the same directory where you run the backup utility. For a successful backup operation, ensure that there are no errors or exceptions in the log file.
Retain the backup password for future use in case you restore the backup.
Do not edit a file in the backup archive. The file that you attempt to edit becomes unreadable.

Restoring Encryption Key Manager, Version 2.1 backup files

You can restore the Encryption Key Manager, Version 2.1 cross-platform backup files on a system with IBM Security Key Lifecycle Manager, Version 2.7 by using graphical user interface, command-line interface, REST interface, or the migration restore script.

Before you begin

Install IBM Security Key Lifecycle Manager, Version 2.7 on a system. You must have the Encryption Key Manager backup file and ensure that you have the password that you used when the backup file was created.

Note: You must have IBM Security Key Lifecycle Manager User role to run backup and restore operations.

About this task

You can restore Encryption Key Manager cross-platform compatible backup files on a system with IBM Security Key Lifecycle Manager, Version 2.7 across operating systems.

Before you start a restore task, isolate the system for maintenance. Take a backup of the existing system. You can later use this backup to bring the system back to original state if any issues occur during the restore process. IBM Security Key Lifecycle Manager server automatically restarts after the restore process is complete. Verify the environment before you bring the IBM Security Key Lifecycle Manager server back into production.

Procedure

Log on to the system where IBM Security Key Lifecycle Manager, Version 2.7 is installed.
Copy the backup file, for example sklm_vEKM21_20160420113253+0530_backup.jar, from Encryption Key Manager, Version 2.1 system to a directory of your choice.

Restore the backup file by using any of the following methods.

Graphical user interface	Log on to the graphical user interface as an authorized user, for example, `SKLMAdmin`. On the Welcome page, click Backup and Restore. In the Backup repository location field, specify full path of the directory that contains Encryption Key Manager backup file. To locate the directory, click Browse. Click Display Backups to display the backup files that you want to restore. In the Backup and Restore table, select a backup file. Click Restore From Backup. On the Restore Backup page, specify the backup password that you used to create the backup file. Click Restore Backup. Restart IBM Security Key Lifecycle Manager server.
Command-line interface	Go to the `WAS_HOME/bin` directory. For example, Windows `cd drive:\Program Files\IBM\WebSphere\AppServer\bin` Linux `cd /opt/IBM/WebSphere/AppServer/bin` Start the wsadmin interface by using an authorized user ID, such as `SKLMAdmin`. For example, Windows `wsadmin.bat -username SKLMAdmin -password mypwd -lang jython` Linux `./wsadmin.sh -username SKLMAdmin -password mypwd -lang jython` Run the tklmBackupRunRestore CLI command by specifying the parameters such as the backup file name with its full path and backup password that you used to create the backup as shown in the following example. `print AdminTask.tklmBackupRunRestore ('[-backupFilePath /opt/mysklmbackups/sklm_vEKM21_20160420113253+0530_backup.jar -password myBackupPwd]')` Restart IBM Security Key Lifecycle Manager server.
REST interface	Open a REST client. Obtain a unique user authentication identifier to access IBM Security Key Lifecycle Manager REST services. For more information about the authentication process, see http://www-01.ibm.com/support/knowledgecenter/SSWPVP_2.7.0/com.ibm.sklm.doc/reference/ref/ref_ic_rest_auth_service.html. To run Backup Run Restore REST Service, send the HTTP POST request with backup file name with its full path and backup password as parameters. Pass the user authentication identifier that you obtained in `Step b` along with the request message as shown in the following example. `POST https://localhost:<port>/SKLM/rest/v1/ckms/restore Content-Type: application/json Accept: application/json Authorization: SKLMAuth authId=139aeh34567m Accept-Language: en {"backupFilePath":"/opt/mysklmbackups/sklm_vEKM21_20160420113253+0530_backup.jar backup.jar","password":"myBackupPwd"}` Restart IBM Security Key Lifecycle Manager server.
Migration restore script	Locate the IBM Security Key Lifecycle Manager restore utilities. Windows <`SKLM_INSTALL_HOME`>\migration\utilities\ekm21 Default location is C:\Program Files\IBM\SKLMV27\migration\utilities\ekm21. Linux <`SKLM_INSTALL_HOME`>/migration/utilities/ekm21 Default location is /opt/IBM/SKLMV27/migration/utilities/ekm21. Edit restore.properties in the ekm21 folder to configure properties as shown in the following example: Note: On Windows operating system, the restore.properties file that you use for restore operations must not contain the property keys and values with leading or trailing spaces. Window `WAS_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer JAVA_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer\\java\8.0 BACKUP_PASSWORD=passw0rd123 DB_PASSWORD=sklmdb27 RESTORE_FILE=C:\\ekm_restore\sklm_vEKM21_20160424024117-0400_backup.jar WAS_USER_PWD=wasadmin RESTORE_USER_ROLES=n` Linux `WAS_HOME=/opt/IBM/WebSphere/AppServer JAVA_HOME=/opt/IBM/WebSphere/AppServer/java/8.0 BACKUP_PASSWORD=passw0rd123 DB_PASSWORD=sklmdb27 RESTORE_FILE=/ekm_restore/20160424024117-0400_backup.jar WAS_USER_PWD=wasadmin RESTORE_USER_ROLES=n` Note: On Windows operating system, when you specify path in the properties file, use either "/ " or "\\ " as path separator as shown in the following example. `C:\\ekm_restore` Or `C:/ekm_restore` Open a command prompt and run the restore utility. Windows Go to the <`SKLM_INSTALL_HOME`>\migration\utilities\ekm21 directory and run the following command: `restoreEKM21.bat` Linux Go to the <`SKLM_INSTALL_HOME`>/migration/utilities/ekm21 directory and run the following command: `restoreEKM21.sh` Restart IBM Security Key Lifecycle Manager server.