Replication configuration files

You can run IBM Security Guardium Key Lifecycle Manager replication as a standalone task. A valid replication configuration file must be present before the automated replication process can start when new keys are added.

IBM Security Guardium Key Lifecycle Manager uses properties in the SKLM_HOME\config\ReplicationSKLMConfig.properties configuration file to control the replication process.

For the definition of SKLM_HOME, see Definitions for HOME and other directory variables.

You can use the IBM Security Guardium Key Lifecycle Manager graphical user interface or REST interface to change properties of the replication configuration file.

You can classify each system as:
  • Master - the primary system that is being replicated.
  • Clone - the secondary system that receives the replicated data.
The replication file of the master system can specify up to 20 clones. Each clone system is identified by an IP address or host name and a port number. You can replicate IBM Security Guardium Key Lifecycle Manager environments to multiple clone servers independently of the operating system and directory structure of each server.
Notes:
  • Scheduled replication takes place only when new keys and devices are added or modified on the master system.
  • There can be only one master system with a maximum of 20 clones. Multiple masters are not supported.

You can use the IBM Security Guardium Key Lifecycle Manager replication program to schedule automatic backup operations. To back up data at regular intervals, you configure properties only on the master server.

Master configuration file sample

replication.role=master
replication.auditLogName=replication.log
replication.MaxLogFileSize=1000
replication.Incremental.CheckFrequency=60
replication.Incremental.MaxBackupNum=10
replication.MaxBackupNum=10
replication.MaxLogFileNum=3
replication.BackupDestDir=C:\\IBM\\WebSphere\\Liberty\\products\\sklm\\restore
backup.ClientIP1=myhost1
backup.ClientPort1=2222
backup.EncryptionPassword=password
backup.ReleaseKeysOnSuccessfulBackup=false
backup.CheckFrequency=24
backup.TLSCertAlias=ssl_cert
replication.MasterListenPort=1111
  • master is the default replication role. Specify role by using the replication.role parameter.
  • Specify at least one clone with the backup.ClientIPn and backup.ClientPortn parameters to replicate data to the clone server. n is an integer from 1 to 20, and each clone needs both parameters with the same n. If you only want to back up master server data automatically at regular intervals, you need not specify a clone IP address or port.
  • Ensure that the specified ports are available and are not currently in use by IBM Security Guardium Key Lifecycle Manager or by any other processes.
  • Configure replication to run at frequent intervals by using the replication.Incremental.CheckFrequency parameter. When you specify this parameter, incremental replication is enabled.
  • You can specify a maximum of 20 clone systems.
  • The backup.TLSCertAlias parameter must specify a certificate that exists on the master and all clone systems.
  • Specify a password to encrypt and decrypt backups. This password becomes obfuscated in the replication configuration file after IBM Security Guardium Key Lifecycle Manager reads it for the first time. Obfuscation is not encryption, so restrict file-system read access to the configuration file and do not leave the plaintext value in the file on a system whose file permissions are not locked down. In Java properties files a backslash is an escape character, so write a single backslash in a path as \\ (as in the replication.BackupDestDir sample); a lone backslash before an ordinary letter is silently dropped when the file is read.

Clone configuration file sample

replication.role=clone
replication.MasterListenPort=1111
replication.BackupDestDir=C:\\IBM\\WebSphere\\Liberty\\products\\sklm\\restore
replication.MaxLogFileSize=1000
replication.MaxBackupNum=3
replication.MaxLogFileNum=4
restore.ListenPort=2222
  • On the clone system, specify the parameter value replication.role=clone.
  • The restore.ListenPort parameter must specify the port number that is given in the corresponding backup.ClientPortn parameter on the master system (2222 in the samples). The replication.MasterListenPort value must match the value in the master configuration file.
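The master and clone files above must agree on several values, and the properties format has an escaping pitfall that corrupts Windows paths. The following script is an added example, not IBM's code: it reads both files with a minimal Java .properties parser (comments, continuation lines, escape sequences) and cross-checks the parameters this page describes: the roles, the 1 to 20 clone limit, that every backup.ClientIPn has a backup.ClientPortn, that replication.MasterListenPort is identical on both sides, and that the clone's restore.ListenPort matches one of the master's backup.ClientPortn values. The sample texts are constructed from the samples on this page; the check names and the MAX_CLONES constant are the script's own.

```python
"""Added example: consistency checks between an ISKLM master replication
configuration file and one clone configuration file.  Assumes only the
parameter names shown on this page and the escaping rules of Java
.properties files (a lone backslash before an unknown character is dropped)."""
import re

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
MAX_CLONES = 20   # limit stated on this page


def _unescape(raw, key, warnings):
    """Apply Java Properties escape rules; warn when a lone backslash is lost."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break
        nxt = raw[i]
        if nxt in _ESCAPES:
            out.append(_ESCAPES[nxt])
        elif nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", raw[i + 1:i + 5]):
            out.append(chr(int(raw[i + 1:i + 5], 16)))
            i += 4
        elif nxt == "\\":
            out.append("\\")
        else:
            # Java drops the backslash of an unknown escape: C:\\IBM\WebSphere
            # is read back as C:\IBMWebSphere, so the backup directory is wrong.
            warnings.append(f"{key}: single backslash before '{nxt}' is dropped")
            out.append(nxt)
        i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal Java .properties reader returning (dict, list_of_warnings)."""
    props, warnings, lines, i = {}, [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes joins the next physical line.
        while (len(line) - len(line.rstrip("\\"))) % 2 == 1 and i < len(lines):
            line = line[:-1] + lines[i].lstrip()
            i += 1
        m = re.match(r"((?:\\.|[^=:\s])*)\s*[=:]?\s*(.*)", line)
        key = _unescape(m.group(1), m.group(1), warnings)
        props[key] = _unescape(m.group(2), key, warnings)
    return props, warnings


def master_clones(master):
    """Return [(n, host, port)] for every backup.ClientIPn / backup.ClientPortn."""
    found = {}
    for key, value in master.items():
        m = re.fullmatch(r"backup\.Client(IP|Port)(\d+)", key)
        if m:
            found.setdefault(int(m.group(2)), {})[m.group(1)] = value
    return [(n, v.get("IP"), v.get("Port")) for n, v in sorted(found.items())]


def check_pair(master_text, clone_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    master, issues = parse_properties(master_text)
    clone, clone_warnings = parse_properties(clone_text)
    issues += clone_warnings
    if master.get("replication.role", "master") != "master":   # master is the default role
        issues.append("master file: replication.role must be master")
    if clone.get("replication.role") != "clone":
        issues.append("clone file: replication.role must be clone")
    clones = master_clones(master)
    if not clones:
        issues.append("master file: no backup.ClientIPn/backup.ClientPortn pair")
    if len(clones) > MAX_CLONES:
        issues.append(f"master file: {len(clones)} clones exceeds the limit of {MAX_CLONES}")
    for n, host, port in clones:
        if not host or not port:
            issues.append(f"master file: clone {n} needs both ClientIP{n} and ClientPort{n}")
        elif not (port.isdigit() and 0 < int(port) < 65536):
            issues.append(f"master file: backup.ClientPort{n}={port} is not a valid port")
    listen = master.get("replication.MasterListenPort")
    if not listen or listen != clone.get("replication.MasterListenPort"):
        issues.append("replication.MasterListenPort missing or differs between master and clone")
    if clone.get("restore.ListenPort") not in {port for _, _, port in clones}:
        issues.append("clone file: restore.ListenPort matches no backup.ClientPortn on the master")
    for key in ("backup.TLSCertAlias", "backup.EncryptionPassword"):
        if not master.get(key):
            issues.append(f"master file: {key} is required")
    return issues


# Constructed inputs, taken from the samples on this page.
MASTER = r"""
replication.role=master
replication.BackupDestDir=C:\\IBM\\WebSphere\\Liberty\\products\\sklm\\restore
backup.ClientIP1=myhost1
backup.ClientPort1=2222
backup.EncryptionPassword=password
backup.TLSCertAlias=ssl_cert
replication.MasterListenPort=1111
"""
CLONE = r"""
replication.role=clone
replication.MasterListenPort=1111
replication.BackupDestDir=C:\\IBM\\WebSphere\\Liberty\\products\\sklm\\restore
restore.ListenPort=2222
"""
# Constructed clone file with two defects: restore.ListenPort does not match
# backup.ClientPort1 on the master, and the path has a lone backslash before W.
CLONE_BAD = r"""
replication.role=clone
replication.MasterListenPort=1111
replication.BackupDestDir=C:\\IBM\WebSphere\\Liberty\\products\\sklm\\restore
restore.ListenPort=2223
"""

if __name__ == "__main__":
    for name, text in (("CLONE", CLONE), ("CLONE_BAD", CLONE_BAD)):
        print(name, check_pair(MASTER, text) or "OK")
```

Run it against your own files by reading them into master_text and clone_text; it cannot tell you whether a port is free on the host or whether the TLS certificate alias exists in every keystore, so those two items from the notes above still need to be checked on each system.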
For complete details of all the available replication configuration parameters, see Replication configuration properties.