Restoring a backup file

A restore returns the Guardium Key Lifecycle Manager server to a known state, by using backed-up production data, such as the IBM Security Guardium Key Lifecycle Manager key materials and other critical information.

Before you begin

  • Consider the following guidelines before you restore backups that are encrypted based on external master key store:
    • Ensure that the same partition of the external master key store is present with all its key entries intact on the system where the backup file is restored.
    • Master key that was used for the backup key encryption must be intact to restore the backup file. If the master key is refreshed, all the older backups are inaccessible or unusable.
    • You must connect to the same external master key store and the master key for backup and restore operations irrespective of the encryption method.
  • When you run the backup operation, the manifest file is created along with the backup archive. Before you restore the backup files, ensure that the backup manifest file lists all the IBM Security Guardium Key Lifecycle Manager data files in the archive.
  • To restore a backup file from a standalone IBM Security Guardium Key Lifecycle Manager server to the primary master server of a Multi-Master cluster, or vice versa, ensure that the enableHighScaleBackup property in the SKLMConfig.properties configuration file does not exist or is set to false.

About this task

You can use the Backup and Restore page to restore a backup file. Alternatively, you can use the Backup Run Restore REST Service to restore the file. Your role must have the permission to restore files.. IBM Security Guardium Key Lifecycle Manager creates backup files in a manner that is independent of operating systems and directory structure of the application. You can restore the backup files to an operating system that is different from the one it was backed up from.

Before you start a restore task, isolate the system for maintenance. Take a backup of the existing system. You can later use this backup to bring the system back to original state if any issues occur during the restore process.

Procedure

  1. Go to the appropriate page or directory:
    Graphical user interface
    1. Log on to the graphical user interface.
    2. On the Welcome page, click Administration > Backup and Restore.
    REST interface
    Open the Swagger UI or a REST client.
  2. Restore a selected backup file. Only one backup or restore task can run at a time. If you restore a file to a replica computer, copy the file to that computer by using media such as a disk, or electronic transmission.
    Graphical user interface
    1. On the Backup and Restore table, select a backup file that is listed in the table.
    2. Click Restore from Backup.
      Note:
      • If you applied a fix pack on distributed systems, do not attempt to restore the backup files that were created before the fix pack application.
    3. On the Restore Backup page, specify the encryption password that was used to create the backup file.
      Note: If encryption method for the backup is based on the external master key store, you need not specify the password.
    4. Click Restore Backup.
    REST interface
    1. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    2. To run Backup Run Restore REST Service, send the HTTP POST request. Pass the user authentication identifier that you obtained in Step a along with the request message as shown in the following example.
      POST https://localhost:<port>/SKLM/rest/v1/ckms/restore
      Content-Type: application/json
      Accept : application/json
      Authorization: SKLMAuth authId=139aeh34567m
      Accept-Language : en
      {"backupFilePath":"/opt/mysklmbackups/sklm_v2.7.0.0_20160705235417-1200_
      backup.jar","password":"myBackupPwd"}
    Note: If encryption method for the backup is based on the external master key store, you need not specify the password.
  3. A message indicates that the restore operation succeeded.

Results

The IBM Security Guardium Key Lifecycle Manager server automatically restarts after a backup file is restored when the autoRestartAfterRestore property value is true (default value) in the SKLMConfig.properties file.
Note: After automatic restart of the IBM Security Guardium Key Lifecycle Manager server, the windows WebSphere Application Server Liberty service status is not refreshed and is shown as stopped.

What to do next

Note: After data restoration, ensure that the path for the properties in the SKLMConfig.properties, datastore.properties, and ReplicationSKLMConfig.properties files are correct before you proceed with your next task.

Determine whether the server is at the expected state. For example, you might examine the keystore to see whether a certificate that had problems before the backup file restore is now available for use.