You must set the enablePBEInHSM=true property
in the SKLMConfig.properties file to back up
data with password-based encryption when Hardware Security Module
(HSM) is configured.
About this task
When
HSM is configured, during the backup process, the
master key in HSM encrypts the backup key. HSM-based encryption is
the default method for the backups when HSM is configured to store
the master key. For information about HSM-based encryption, see HSM-based encryption for backups. Your role must have the permission to back up
files.
Note: Backup success messages are system wide. Two administrators might
run backup tasks that overlap in time. During this interval, the administrator who starts a second
task that fails might see a false success message from the first backup task.
Procedure
-
Set the enablePBEInHSM=true property in the SKLM_DATA/config/SKLMConfig.properties file.
- REST interface
-
- Open a REST client.
- Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the
authentication process, see Authentication process for REST services.
- Run the Update Config Property REST Service to set
enablePBEInHSM property in the SKLMConfig.properties
configuration file. Pass the user authentication identifier that you obtained in
Step
b along with the request message as shown in the following
example:PUT https://localhost:port/SKLM/rest/v1/configProperties
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
Accept-Language : en
{ "enablePBEInHSM" : "true"}
-
Go to the appropriate page or directory for backing
up
data.
- Graphical user interface
- Log on to the graphical user interface.
- On the Welcome page, click .
- REST interface
- Open a REST client.
-
Create a backup file.
You
can run only one backup
or restore task at a time.
- Graphical user interface
- On the Backup and Restore table, the Backup repository
location field displays the default SKLM_DATA directory path, where the backup file is saved.
For the definition of SKLM_DATA, see Definitions for HOME and other directory variables. Click Browse to specify a
backup repository location under the SKLM_DATA
directory.
Directory path in the Backup repository location field changes
based on the value that you set for the tklm.backup.dir property in the
SKLMConfig.properties file.
- Click Create Backup.
- On the Create Backup page, specify information such as a value for the
encryption password and backup description. A read-only backup file location is displayed in the
Backup location field. Ensure that you retain the encryption password for
future use in case you restore the backup.
- Click Create
Backup.
- REST interface
- Run the Backup Run REST Service by sending the HTTP POST request as shown in
the following
example.
POST https://localhost:port/SKLM/rest/v1/ckms/backups
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth authId=139aeh34567m
Accept-Language : en
{"backupDirectory":"/sklmbackup1","password":"myBackupPwd"}
-
A message indicates that
the backup file was created, or
that the backup operation succeeded.
The
time stamp on a backup file has a Greenwich Mean Time (GMT) offset represented in RFC 822 format.
The file name contains a +hhmm or -hhmm element to specify a
timezone ahead of or behind GMT. For example, a file name might be
sklm_v3.0.1.0_20170123144220-0800_backup.jar, where -0800 indicates that the
timezone is eight hours behind GMT.
What to do next
Do not edit a file in the backup JAR file.
The file that
you attempt to edit becomes unreadable. You must connect to the same
HSM and the master key for backup and restore operations irrespective
of whether you use HSM-based encryption or password-based encryption.