Restoring the backup file of an earlier version of IBM Security Guardium Key Lifecycle Manager (V2.5, 2.6, 2.7, 3.0, or 3.0.1)

Use the graphical user interface, the REST interface, or the migration restore script to restore the backup file of IBM Security Guardium Key Lifecycle Manager version 2.5 or later to a system with IBM Security Guardium Key Lifecycle Manager version 4.2, across operating systems. After restoring the file, data migration to the system with IBM Security Guardium Key Lifecycle Manager V4.2 is complete.

Before you begin

  • Ensure that you have the backup file of the IBM Security Guardium Key Lifecycle Manager version from which you want to migrate the data. Also, ensure that you have the password that you used to create the backup file.
    Note: You must have the required IBM Security Guardium Key Lifecycle Manager user role to run the backup and restore operations.
  • Ensure that IBM Security Guardium Key Lifecycle Manager, V4.2 is installed on the system to which you want to restore the backup file.

About this task

Before you start a restore task, isolate the system for maintenance. Take a backup of the existing system. You can later use this backup to bring the system back to its original state if any issues occur during the restore process.

The directory names and the .bat and .sh file names vary depending on the version of IBM Security Guardium Key Lifecycle Manager that you are restoring from.
| IBM Security Guardium Key Lifecycle Manager version | Directory with restore utility (sklmv##) | Restore utility file name (restoreV##.bat / restoreV##.sh) |
|---|---|---|
| 3.0.1 | sklmv301 | restoreV301.bat, restoreV301.sh |
| 3.0 | sklmv30 | restoreV30.bat, restoreV30.sh |
| 2.7 | sklmv27 | restoreV27.bat, restoreV27.sh |
| 2.6 | sklmv26 | restoreV26.bat, restoreV26.sh |
| 2.5 | sklmv25 | restoreV25.bat, restoreV25.sh |

Procedure

  1. Log in to the system where IBM Security Guardium Key Lifecycle Manager V4.2 is installed as the non-administrator or non-root user who is the owner of the Db2 and WebSphere Application Server Liberty services (for example, sklmdb40).
  2. Copy the backup file from the system from which you want to migrate the data to the SKLM_DATA directory.
    You can also copy the backup file to any subdirectory of the SKLM_DATA directory. In the following example, the backup file for IBM Security Guardium Key Lifecycle Manager V2.5 is stored directly in the SKLM_DATA directory:
     C:\Program Files\IBM\WebSphere\AppServer\products\sklm\data\sklm_v2.5.0.3_20170429013250-0400_migration_backup.jar
    For the definition of SKLM_DATA, see Definitions for HOME and other directory variables.
  3. Restore the backup file by using any of the following methods:
    • Graphical user interface
      1. Log in to the graphical user interface as an authorized user, for example, SKLMAdmin.
      2. On the Welcome page, click Administration > Backup and Restore.
      3. Click Browse to specify the backup file location under the SKLM_DATA directory.
      4. Click Display Backups to display the backup files that you want to restore.
      5. In the Backup and Restore table, select a backup file.
      6. Click Restore From Backup.
      7. On the Restore Backup page, specify the backup password that you used to create the backup file.
      8. Click Restore Backup.
      9. Restart IBM Security Guardium Key Lifecycle Manager server.
    • REST interface
      1. Open a REST client.
      2. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
      3. Run Backup Run Restore REST Service. For example:
        POST https://localhost:port/SKLM/rest/v1/ckms/restore
        {"backupFilePath":"SKLM_DATA/sklm_v2.5.0.3_20170429013250-0400_migration_backup.jar",
        "password":"myBackupPwd"}
      4. Restart IBM Security Guardium Key Lifecycle Manager server.
      Note: By using the REST interface, you cannot restore roles, users, and groups from IBM Security Guardium Key Lifecycle Manager backup file.
    • Migration restore script
      1. Locate the IBM Security Guardium Key Lifecycle Manager restore utilities.
        Windows
        SKLM_INSTALL_HOME\migration\utilities\sklmv##

        For example, the default location of IBM Security Guardium Key Lifecycle Manager V2.5 restore utilities is C:\Program Files\IBM\SKLMV40\migration\utilities\sklmv25.

        Linux®
        SKLM_INSTALL_HOME/migration/utilities/sklmv##
        For example, the default location of IBM Security Guardium Key Lifecycle Manager V2.5 restore utilities is /opt/IBM/SKLMV40/migration/utilities/sklmv25.
      2. Edit the restore.properties file in the sklmv## directory to configure its properties.
        Note: On Windows operating systems, the restore.properties file that you use for restore operations must not contain property keys or values with leading or trailing spaces.
        The following example shows the updated file for IBM Security Guardium Key Lifecycle Manager V2.5:
        Windows
        WAS_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer
        JAVA_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer\\java\\8.0
        BACKUP_PASSWORD=passw0rd123
        DB_PASSWORD=db2_password
        RESTORE_FILE=SKLM_DATA\\sklm_v2.5.0.3_20170429013250-0400_migration_backup.jar
        WAS_USER_PWD=wasadmin_password
        RESTORE_USER_ROLES=y
        #pkcs11_config=C:\\luna.cfg
        Linux
        WAS_HOME=/opt/IBM/WebSphere/AppServer
        JAVA_HOME=/opt/IBM/WebSphere/AppServer/java/8.0
        BACKUP_PASSWORD=passw0rd123
        DB_PASSWORD=db2_password
        RESTORE_FILE=SKLM_DATA/sklm_v2.5.0.3_20170429013250-0400_migration_backup.jar
        WAS_USER_PWD=wasadmin_password
        RESTORE_USER_ROLES=y
        #pkcs11_config=/luna.cfg
        Note:
        • To log in to IBM Security Guardium Key Lifecycle Manager by using the user credentials that are specified during product installation, set the RESTORE_USER_ROLES property to n. Setting the property to n ensures that the user ID and the password are not overwritten with the user credentials of the earlier version.
        • If IBM Security Guardium Key Lifecycle Manager is configured with HSM, uncomment the #pkcs11_config property and specify the correct path of luna.cfg file as the value.
        • On Windows operating systems, when you specify a path in the properties file, use either / or \\ as a path separator. The following example shows the path in IBM Security Guardium Key Lifecycle Manager V2.5 properties file:
          C:\\sklmv25_restore
          Or
          C:/sklmv25_restore
      3. Open a command line and run the restore utility.
        Windows
        Go to the SKLM_INSTALL_HOME\migration\utilities\sklmv## directory and run the following command:
        restoreV##.bat
        For example, for V2.5, run the following command:
        restoreV25.bat
        Linux
        1. Go to the SKLM_INSTALL_HOME/migration/utilities/sklmv## directory.
        2. Check whether the restoreV##.sh file has executable permissions. If not, give permissions by running the following command:
          chmod 755 restoreV##.sh
          For example, for IBM Security Guardium Key Lifecycle Manager v2.5:
          chmod 755 restoreV25.sh
        3. Run the following command:
          ./restoreV##.sh
          For example, for IBM Security Guardium Key Lifecycle Manager v2.5:
          ./restoreV25.sh
      4. If you have rollover tasks that are scheduled for LTO key groups and 3592 certificates, manually restore them. For instructions, see Restoring rollover certificates and key groups.
      5. Restart the IBM Security Guardium Key Lifecycle Manager server.
    Note: For greater security, change the IBM Security Guardium Key Lifecycle Manager User password soon after the data migration process.
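
A pre-flight check for the restore.properties file that is edited in step 2 of the migration restore script method, added here as an example and not part of the IBM tooling. It applies the page's rules on leading or trailing spaces and on path separators. The expected-key list, the y/n check, and the POSIX file-mode check (the file stores three passwords in plain text) are assumptions of this example.

```python
import os
import re
import stat

# Keys set in the page's example file; treating them all as expected is an assumption.
EXPECTED_KEYS = ("WAS_HOME", "JAVA_HOME", "BACKUP_PASSWORD", "DB_PASSWORD",
                 "RESTORE_FILE", "WAS_USER_PWD", "RESTORE_USER_ROLES")

def lint_text(text):
    """Check restore.properties content against the rules stated on the page."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment such as #pkcs11_config
        key, sep, value = line.partition("=")
        if not sep:
            findings.append(f"line {n}: not a key=value pair")
            continue
        name = key.strip()
        # Windows note: keys and values must not have leading or trailing spaces.
        if key != name or value != value.strip():
            findings.append(f"line {n}: space around {name}")
        # Path rule: use / or \\ as separator, so every backslash run has even length.
        if any(len(run) % 2 for run in re.findall(r"\\+", value)):
            findings.append(f"line {n}: single backslash in {name}")
        seen[name] = value.strip()
    findings += [f"missing or empty {k}" for k in EXPECTED_KEYS if not seen.get(k)]
    if seen.get("RESTORE_USER_ROLES") not in (None, "", "y", "n"):
        findings.append("RESTORE_USER_ROLES must be y or n")
    return findings

def lint_file(path):
    """lint_text plus a POSIX mode check: the file holds three plaintext passwords."""
    findings = []
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file is accessible to group or others")
    with open(path, encoding="utf-8") as fh:
        return findings + lint_text(fh.read())

# Constructed sample: a lone backslash before 8.0, a trailing space, no WAS_USER_PWD.
SAMPLE = "\n".join([
    r"WAS_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer",
    r"JAVA_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer\\java\8.0",
    "BACKUP_PASSWORD=example-backup-pw ",
    "DB_PASSWORD=example-db-pw",
    "RESTORE_FILE=SKLM_DATA/example_migration_backup.jar",
    "RESTORE_USER_ROLES=y",
    r"#pkcs11_config=C:\\luna.cfg",
])

if __name__ == "__main__":
    for finding in lint_text(SAMPLE):
        print(finding)
```

Run lint_file against the real restore.properties as the Db2 and WebSphere Application Server Liberty service owner before you start the restore utility.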

What to do next

Complete the post-upgrade tasks.