To enable replication, you need to configure settings on both the master and clone servers.
Before you begin
Ensure that the master and clone servers have a secure communication channel:
- On the master server, complete these steps:
  - Create a TLS certificate on the master server. If a TLS server certificate already exists, you can skip this step.
  - Export the private key of the TLS certificate. Run the Key Export REST Service. For example:
    PUT https://master_server_host:port/SKLM/rest/v1/keys/export
    {"alias":"SKLMTLSCertificate","fileName":"c:/SKLMTLSCertificate","type":"privatekey","password":"password"}
  - Copy the exported private key file of the master server to the SKLM_DATA folder of the clone server.
- On the clone server, complete these steps:
  - Import the private key file of the master server. Run the Key Import REST Service. For example:
    POST https://clone_server_host:port/SKLM/rest/v1/keys/import
    {"alias":"SKLMTLSCertificate","fileName":"C:\\Program Files\\IBM\\WebSphere\\Liberty\\products\\sklm\\data\\SKLMTLSCertificate","type":"privatekey","usage":"SSLSERVER","password":"password"}
  - Specify the imported certificate as "in-use". Run the Update Config Property REST Service to update the config.keystore.ssl.certalias property. For example:
    PUT https://localhost:port/SKLM/rest/v1/configProperties
    { "config.keystore.ssl.certalias" : "SKLMTLSCertificate"}
Procedure
- Open a REST client.
(Configure replication on the master server)
- Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST APIs on the master server. For more information about the authentication process, see Authentication process for REST services.
- Run the Update Replication Config Property REST Service on the master server and specify values for the following mandatory properties:
  - Set role to master.
  - Specify the server certificate that you created.
  - Provide at least one clone server and port number.
  - Define a master listen port and specify a password.
  Note: You need not specify the password when IBM Security Guardium Key Lifecycle Manager is configured to use an external master key store for storing the master encryption key. For information about encryption methods to back up data for replication activities, see Backup encryption methods for replication activities.
  For details about all the available replication configuration parameters, see Replication configuration properties.
  A sample request:
  PUT https://master_server_host:port/SKLM/rest/v1/configProperties
  { "replication.role": "master", "backup.EncryptionPassword": "mypassword",
  "backup.TLSCertAlias":"sklmTLSCertificate", "backup.ClientIP1": "myhostname",
  "backup.ClientPort1": "2222", "replication.MasterListenPort": "1111",
  "backup.CheckFrequency":"60", "backup.DailyStartReplicationBackupTime":"23:00"}
  Note: You can configure incremental replication, if required. The request must then include the additional parameter that enables incremental replication. For example:
  PUT https://master_server_host:port/SKLM/rest/v1/configProperties
  { "replication.role": "master", "backup.EncryptionPassword": "mypassword",
  "backup.TLSCertAlias":"sklmTLSCertificate", "backup.ClientIP1": "myhostname",
  "backup.ClientPort1": "2222", "replication.MasterListenPort": "1111",
  "backup.CheckFrequency":"60", "backup.DailyStartReplicationBackupTime":"23:00",
  "replication.Incremental.Enable":"true"}
  The ReplicationSKLMConfig.properties replication configuration file is created on the master server in the same directory as the IBM Security Guardium Key Lifecycle Manager properties file. For example, C:\Program Files\IBM\WebSphere\Liberty\products\sklm\config\ReplicationSKLMConfig.properties.
- Start the Replication server.
- Optional: To run replication immediately, run the Replication Now REST Service.
Replication is now configured on the master server.
(Configure replication on the clone server)
- Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services on the clone server.
- Run the Update Replication Config Property REST Service on the clone server and specify values for the following mandatory properties:
  - Set role to clone.
  - Specify the server certificate that you created.
  - Define a master listen port.
  - Define a restore listen port. The port must be the same port number that is coded in the corresponding backup.ClientPort parameter on the master server.
  For details of all the available replication configuration parameters, see Replication configuration properties.
  A sample request:
  PUT https://localhost:port/SKLM/rest/v1/configProperties
  { "replication.role": "clone", "backup.TLSCertAlias":"sklmTLSCertificate",
  "restore.ListenPort": "2222", "replication.MasterListenPort": "1111" }
  The ReplicationSKLMConfig.properties replication configuration file is created on the clone server in the same directory as the IBM Security Guardium Key Lifecycle Manager properties file. For example, C:\Program Files\IBM\WebSphere\Liberty\products\sklm\config\ReplicationSKLMConfig.properties.
- Start the Replication server on the clone server.
Replication is now configured on the clone server.
Repeat these steps for every clone server that you want to configure.
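The master and clone request bodies above have to agree with each other: the clone's restore.ListenPort must equal a backup.ClientPortN on the master, both sides must use the same replication.MasterListenPort, and the password is mandatory unless an external master key store is in use. The following script is an added example (not part of this documentation or of the product) that builds both bodies from the property names shown on this page and cross-checks a master/clone pair before anything is sent. It assumes that additional clones are numbered backup.ClientIP2/backup.ClientPort2 and so on, following the pattern of the sample request, and it does not know which HTTP header carries the authentication identifier, so the sender takes the header as a parameter.

```python
import json
import urllib.request
from typing import Dict, List, Optional, Sequence, Tuple

# Property names come from the sample requests on this page. Numbering clone
# entries beyond 1 (backup.ClientIP2, backup.ClientPort2, ...) is an assumption
# of this example based on the ClientIP1/ClientPort1 naming pattern.


def master_replication_config(
    tls_cert_alias: str,
    clones: Sequence[Tuple[str, str]],
    master_listen_port: str,
    encryption_password: Optional[str] = None,
    external_master_keystore: bool = False,
    check_frequency: str = "60",
    daily_start_time: str = "23:00",
    incremental: bool = False,
) -> Dict[str, str]:
    """Build the body for PUT /SKLM/rest/v1/configProperties on the master."""
    if not clones:
        raise ValueError("at least one clone host/port pair is required")
    # The password may be omitted only when an external master key store
    # holds the master encryption key.
    if encryption_password is None and not external_master_keystore:
        raise ValueError("backup.EncryptionPassword is required without an external master key store")
    body = {
        "replication.role": "master",
        "backup.TLSCertAlias": tls_cert_alias,
        "replication.MasterListenPort": str(master_listen_port),
        "backup.CheckFrequency": str(check_frequency),
        "backup.DailyStartReplicationBackupTime": daily_start_time,
    }
    if encryption_password is not None:
        body["backup.EncryptionPassword"] = encryption_password
    for index, (host, port) in enumerate(clones, start=1):
        body[f"backup.ClientIP{index}"] = host
        body[f"backup.ClientPort{index}"] = str(port)
    if incremental:
        body["replication.Incremental.Enable"] = "true"
    return body


def clone_replication_config(tls_cert_alias: str, restore_listen_port: str,
                             master_listen_port: str) -> Dict[str, str]:
    """Build the body for PUT /SKLM/rest/v1/configProperties on a clone."""
    return {
        "replication.role": "clone",
        "backup.TLSCertAlias": tls_cert_alias,
        "restore.ListenPort": str(restore_listen_port),
        "replication.MasterListenPort": str(master_listen_port),
    }


def check_pair(master: Dict[str, str], clone: Dict[str, str]) -> List[str]:
    """Return the mismatches between a master body and one clone body; an empty list means consistent."""
    problems: List[str] = []
    if master.get("replication.MasterListenPort") != clone.get("replication.MasterListenPort"):
        problems.append("replication.MasterListenPort differs between master and clone")
    client_ports = {v for k, v in master.items() if k.startswith("backup.ClientPort")}
    if clone.get("restore.ListenPort") not in client_ports:
        problems.append("clone restore.ListenPort matches no backup.ClientPortN on the master")
    if master.get("backup.TLSCertAlias") != clone.get("backup.TLSCertAlias"):
        problems.append("backup.TLSCertAlias differs; the clone must reference the imported master certificate")
    return problems


def put_config_properties(base_url: str, auth_headers: Dict[str, str],
                          body: Dict[str, str], timeout: float = 30.0) -> int:
    """PUT the body to /SKLM/rest/v1/configProperties and return the HTTP status.

    auth_headers carries whatever header the authentication process issues
    (assumed here; this page does not name it). Not exercised offline.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/SKLM/rest/v1/configProperties",
        data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Content-Type": "application/json", **auth_headers})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Values taken from the sample requests on this page.
    master = master_replication_config("sklmTLSCertificate", [("myhostname", "2222")],
                                       "1111", encryption_password="mypassword")
    clone = clone_replication_config("sklmTLSCertificate", "2222", "1111")
    print(json.dumps(master, indent=2))
    print(json.dumps(clone, indent=2))
    print("mismatches:", check_pair(master, clone) or "none")
```

Run check_pair once per clone before calling put_config_properties; a non-empty list means the clone's restore listener would never receive the master's backups, which is the most common reason a configured pair silently never replicates.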
Results
Replication is now configured on the master and clone servers. Data
is replicated based on the configured schedule.