A restore returns the Guardium Key Lifecycle Manager server to
a known state, by using backed-up production data, such as the IBM Security Guardium Key Lifecycle Manager key
materials and other critical information.
Before you begin
- Consider the following guidelines before you restore backups that are encrypted based on an
external master key store:
- Ensure that the same partition of the external master key store is present with all its key
entries intact on the system where the backup file is restored.
- The master key that was used for the backup key encryption must be intact to restore the backup
file. If the master key is refreshed, all the older backups are inaccessible or unusable.
- You must connect to the same external master key store and the master key for backup and restore
operations irrespective of the encryption method.
- When you run the backup operation, the manifest file is created along with the backup archive.
Before you restore the backup files, ensure that the backup manifest file lists all the IBM Security Guardium Key Lifecycle Manager data files in the archive.
- To restore a backup file from a standalone IBM Security Guardium Key Lifecycle Manager server to the primary master server of a
Multi-Master cluster, or vice versa, ensure that the enableHighScaleBackup
property in the SKLMConfig.properties configuration file does not exist or is
set to false.
About this task
You can use the Backup and Restore page to restore a backup file.
Alternatively, you can use the Backup Run Restore REST Service to restore the
file. Your role must have the permission to restore
files.
IBM Security Guardium Key Lifecycle Manager creates backup files in a manner that
is independent of operating systems and directory structure of the application. You can restore the
backup files to an operating system that is different from the one they were backed up from.
Before you start a restore task, isolate the system for
maintenance. Take a backup of the existing system. You can later use this backup to bring the system
back to its original state if any issues occur during the restore process.
Procedure
- Go to the appropriate page or directory:
- Graphical user interface
- Log on to the graphical user interface.
- On the Welcome page, click .
- REST interface
- Open the Swagger UI or a REST client.
- Restore a selected backup file. Only one backup or restore
task can run at a time. If you restore a file to a replica computer,
copy the file to that computer by using media such as a disk, or electronic
transmission.
- Graphical user interface
- On the Backup and Restore table, select a backup file that
is listed in the table.
- Click Restore from Backup.
Note:
- If you applied a fix pack on distributed systems,
do not attempt to restore the backup files that were created before
the fix pack application.
- On the Restore Backup page, specify the encryption password that was used
to create the backup file.
Note: If the encryption method for the backup is based on the external master
key store, you need not specify the password.
- Click Restore Backup.
- REST interface
- Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST
services. For more information about the authentication process, see Authentication process for REST services.
- To run Backup Run Restore REST Service, send
the HTTP POST request. Pass the user authentication identifier that
you obtained in Step a along with the request message
as shown in the following example.

POST https://localhost:<port>/SKLM/rest/v1/ckms/restore
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth authId=139aeh34567m
Accept-Language: en

{"backupFilePath":"/opt/mysklmbackups/sklm_v2.7.0.0_20160705235417-1200_backup.jar","password":"myBackupPwd"}

Note: If the encryption method for the backup is based on the external master key store, you need not
specify the password.
- A message indicates that the restore operation succeeded.
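The REST restore request from the procedure above, built with the Python standard library as an added example (not IBM's code). The host, port, and SKLM_* environment variable names are assumptions; the backup password is prompted for instead of being stored in the script, and TLS certificate verification stays at its default.

```python
import json
import urllib.request

RESTORE_PATH = "/SKLM/rest/v1/ckms/restore"  # endpoint shown in the example above


def build_restore_request(host, port, auth_id, backup_file_path, password=None):
    """Build the Backup Run Restore POST without sending it.

    password=None models a backup encrypted with the external master key
    store, for which no password is specified.
    """
    if not auth_id or any(c in auth_id for c in "\r\n"):
        raise ValueError("auth_id is required and must not contain line breaks")
    body = {"backupFilePath": backup_file_path}
    if password is not None:
        if password == "":
            raise ValueError("empty password; pass None for master key store backups")
        body["password"] = password
    return urllib.request.Request(
        url=f"https://{host}:{port}{RESTORE_PATH}",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Accept-Language": "en",
            "Authorization": f"SKLMAuth authId={auth_id}",
        },
    )


def run_restore(request, timeout=300):
    """Send the request with default TLS verification; return (status, body text)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    import getpass
    import os
    # Hypothetical environment variable names; keep secrets out of the script.
    req = build_restore_request(
        "localhost", int(os.environ["SKLM_PORT"]),
        os.environ["SKLM_AUTH_ID"], os.environ["SKLM_BACKUP_FILE"],
        getpass.getpass("Backup password (empty for master key store): ") or None,
    )
    print(run_restore(req))
```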
Results
The IBM Security Guardium Key Lifecycle Manager server
automatically restarts after a backup file is restored when the autoRestartAfterRestore property
value is true (default value) in the SKLMConfig.properties file.
Note: After automatic restart of the IBM Security Guardium Key Lifecycle Manager server,
the Windows WebSphere Application Server Liberty service
status is not refreshed and is shown as stopped.
What to do next
Note: After data restoration, ensure that the paths for the properties in
the SKLMConfig.properties, datastore.properties, and
ReplicationSKLMConfig.properties files are correct before you proceed with your
next task.
Determine whether the server is at the expected state. For example, you might examine the
keystore to see whether a certificate that had problems before the backup file restore is now
available for use.