Backing up and restoring Crypto Express Network API for Secure Execution Enclaves
You can use the export and import APIs to back up, restore, or upgrade Crypto Express Network API for Secure Execution Enclaves. When you import data from a previous appliance, the current LPAR must match the previous one, including its IP address. The export and import APIs are supported from version 1.1.2 and later.
Using the Crypto Express Network API for Secure Execution Enclaves for backup
- Export data of the current appliance
Use the /api/com.ibm.zaci.system/appliance-configuration/export:POST REST API to export the data of the current appliance. The exported data includes the following configurations:
C16server mTLS configuration
C16client certificate access permission configuration
Rsyslog configuration
Monitoring configuration
ILMT configuration
and so on. Because the export carries the mTLS configuration and the access permissions, treat the exported file as sensitive and restrict who can read it.
- Import data from the previous appliance
Use the /api/com.ibm.zaci.system/appliance-configuration/import?apply_now=false:POST REST API to upload the exported data to the current appliance. With apply_now=false the data is only staged; it is not applied until the restore is triggered in the next step.
- Trigger the restore on the current appliance
Use the /api/com.ibm.zaci.system/appliance-configuration:PUT REST API to apply the imported data. The appliance restarts to apply it, so wait until it is reachable again before using it.
Sample scripts
The following shell scripts, provided as examples, export the settings of Crypto Express Network API for Secure Execution Enclaves from the previous appliance and import them on the current appliance for a restore or an upgrade. The scripts read the appliance addresses and credentials from export_import.ini, so keep that file readable only by its owner, and do not run the scripts with shell tracing (bash -x) enabled: the trace output prints every expanded request body, including the passwords and the bearer token. The scripts also call curl with -k, which skips verification of the appliance certificate; use --cacert with the appliance certificate where it is available.
After the scripts are completed, the mTLS connection can be created successfully and the Rsyslog server receives logs.
export_import.ini
# credentials and addresses used by export.sh and import.sh; restrict this file to its owner (chmod 600)
src_server_ip="<>"
src_server_user="<>"
src_server_pass="<>"
# also used as the name of the export file: <export_description>.data
export_description="<>"
dst_server_ip="<>"
dst_server_user="<>"
dst_server_pass="<>"
export.sh
#!/bin/bash -e
# Shell tracing (-x) is deliberately not enabled: the trace output would print
# the expanded request bodies, that is, the password and the bearer token.
echo "---> start to export...."
mypath=$(dirname "$0")
cd "${mypath}"
# export_import.ini holds the appliance credentials; keep it owner-readable only
source ./export_import.ini
echo "source server ip:${src_server_ip}"
echo "source server user:${src_server_user}"
echo "destination server ip:${dst_server_ip}"
echo "destination server user:${dst_server_user}"
#---------------------------------------------
# get auth token of source server
# -k skips TLS certificate verification; prefer --cacert <appliance certificate>
# where the appliance certificate is available
echo "---> request api: /api-tokens:"
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"user":"${src_server_user}",
"password":"${src_server_pass}"
}
}
EOF
)
auth_token=$(curl -k -X POST "https://${src_server_ip}/api/com.ibm.zaci.system/api-tokens" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -d "${req_json}" | jq -r .parameters.token)
# jq prints "null" when the response carries no token, so test for that as well
if [[ -z "${auth_token}" || "${auth_token}" == "null" ]]; then
echo "---> failed to obtain an auth token from ${src_server_ip}"
exit 1
fi
# the token is a bearer credential, so it is not echoed
echo "---> auth token obtained"
#---------------------------------------------
# get appliance status
response=$(curl -k -X GET "https://${src_server_ip}/api/com.ibm.zaci.system/appliance" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -H "Authorization: Bearer ${auth_token}" | jq .)
echo "---> response: [${response}]"
#---------------------------------------------
# accept the software license
echo "---> request api: /software-license:"
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"accept": true
}
}
EOF
)
response=$(curl -k -X PUT "https://${src_server_ip}/api/com.ibm.zaci.system/software-license" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -H "Authorization: Bearer ${auth_token}" -d "${req_json}")
echo "---> response: [${response}]"
#---------------------------------------------
# export data; the export file is named after export_description
echo "---> request api: /appliance-configuration/export:"
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"description":"${export_description}"
}
}
EOF
)
rm -f "${export_description}.data"
curl -k -X POST "https://${src_server_ip}/api/com.ibm.zaci.system/appliance-configuration/export" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/octet-stream' -H "Authorization: Bearer ${auth_token}" -d "${req_json}" -o "${export_description}.data"
# the export includes the mTLS configuration and access permissions: restrict it to the owner
chmod 600 "${export_description}.data"
echo "---> exported to ${export_description}.data"
import.sh
#!/bin/bash -e
# Shell tracing (-x) is deliberately not enabled: the trace output would print
# the expanded request bodies, that is, the password and the bearer token.
echo "---> start to import...."
mypath=$(dirname "$0")
cd "${mypath}"
# export_import.ini holds the appliance credentials; keep it owner-readable only
source ./export_import.ini
echo "source server ip:${src_server_ip}"
echo "source server user:${src_server_user}"
echo "destination server ip:${dst_server_ip}"
echo "destination server user:${dst_server_user}"
#---------------------------------------------
# get auth token of destination server
# -k skips TLS certificate verification; prefer --cacert <appliance certificate>
# where the appliance certificate is available
echo "---> request api: /api-tokens:"
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"user":"${dst_server_user}",
"password":"${dst_server_pass}"
}
}
EOF
)
auth_token=$(curl -k -X POST "https://${dst_server_ip}/api/com.ibm.zaci.system/api-tokens" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -d "${req_json}" | jq -r .parameters.token)
# jq prints "null" when the response carries no token, so test for that as well
if [[ -z "${auth_token}" || "${auth_token}" == "null" ]]; then
echo "---> failed to obtain an auth token from ${dst_server_ip}"
exit 1
fi
# the token is a bearer credential, so it is not echoed
echo "---> auth token obtained"
#---------------------------------------------
# accept the software license
echo "---> request api: /software-license:"
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"accept": true
}
}
EOF
)
response=$(curl -k -X PUT "https://${dst_server_ip}/api/com.ibm.zaci.system/software-license" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -H "Authorization: Bearer ${auth_token}" -d "${req_json}" | jq -r .)
echo "---> response: [${response}]"
#---------------------------------------------
# delete the existing configuration data on the destination appliance
req_resp=$(curl -k -X DELETE "https://${dst_server_ip}/api/com.ibm.zaci.system/appliance-configuration" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json;version=1.0' -H "Authorization: Bearer ${auth_token}" | jq -r .)
echo "${req_resp}"
#---------------------------------------------
# upload the export file; apply_now=false stages the data without triggering a reboot
if [[ ! -f "${export_description}.data" ]]; then
echo "---> export file ${export_description}.data not found"
exit 1
fi
req_resp=$(curl -k -X POST "https://${dst_server_ip}/api/com.ibm.zaci.system/appliance-configuration/import?apply_now=false" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/octet-stream' -H 'Accept: application/vnd.ibm.zaci.payload+json' -H "Authorization: Bearer ${auth_token}" -T "./${export_description}.data" | jq -r .)
echo "${req_resp}"
#---------------------------------------------
# apply the imported data; this triggers a reboot of the destination appliance
req_resp=$(curl -k -X PUT "https://${dst_server_ip}/api/com.ibm.zaci.system/appliance-configuration" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json;version=1.0' -H "Authorization: Bearer ${auth_token}" | jq -r .)
echo "${req_resp}"
sleep 20
#---------------------------------------------
# wait until the destination server is reachable again
echo "---> request api: /api-tokens:"
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"user":"${dst_server_user}",
"password":"${dst_server_pass}"
}
}
EOF
)
wait_network_ready() {
local max_tries=120   # 120 tries x 5 s: give up after about 10 minutes
local index
for (( index = 1; index <= max_tries; index++ )); do
echo "trying to check if destination server started up (${index}/${max_tries})..."
# "|| true" keeps -e from aborting the script while the appliance is still down
auth_token=$(curl -k -X POST "https://${dst_server_ip}/api/com.ibm.zaci.system/api-tokens" -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -d "${req_json}" | jq -r .parameters.token) || true
# an error response makes jq print "null", which is not a token
if [[ -n "${auth_token}" && "${auth_token}" != "null" ]]; then
echo "system is up ..."
return 0
fi
echo "destination server is not up, continue checking..."
sleep 5
done
echo "waiting for destination server ready timeout..."
return 1
}
wait_network_ready
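The sample scripts are enough to exercise the APIs, but a practitioner would want a few safeguards they do not provide: a request body that stays valid when the password contains a quote or a backslash, credentials that never appear on the curl command line (argv is visible to every local user through ps), TLS verification against the appliance certificate instead of -k, a checksum and restricted permissions on the export file, and a bounded readiness poll that does not mistake jq's "null" for a token. The bash helpers below are an added example, not code from the product documentation or from the sample scripts. CA_BUNDLE, DST_HOST, DST_USER and DST_PASS are assumed environment variables, the function names are this example's own, and the API path and headers are the ones documented above.

```bash
#!/bin/bash
# Added example (not from the product documentation): helpers that harden the
# export/import workflow. Names and environment variables here are assumptions.
set -euo pipefail

# Escape a value for use inside a JSON string literal. The sample scripts
# splice the password into a heredoc, so a password containing a double quote
# or backslash produces an invalid request body. Covers the characters that
# occur in practice; use "jq -n --arg" for complete coverage.
json_escape() {
  local s=$1 bs='\' dq='"'
  s=${s//"$bs"/"$bs$bs"}     # backslash first, so later escapes are not doubled
  s=${s//"$dq"/"$bs$dq"}
  s=${s//$'\n'/"${bs}n"}
  s=${s//$'\r'/"${bs}r"}
  s=${s//$'\t'/"${bs}t"}
  printf '%s' "$s"
}

# Request body for /api/com.ibm.zaci.system/api-tokens (fields as documented).
token_request_json() {
  printf '{"kind":"request","parameters":{"user":"%s","password":"%s"}}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Obtain a bearer token. Unlike the sample scripts, the server certificate is
# verified against CA_BUNDLE (assumed: path to the appliance certificate) and
# the body is sent on stdin, so the password is not part of curl's argv.
# Requires curl and jq; not exercised offline.
fetch_token() {
  local host=$1 user=$2 pass=$3
  token_request_json "$user" "$pass" |
    curl -sS --fail --cacert "${CA_BUNDLE:?set CA_BUNDLE to the appliance certificate}" \
      -X POST "https://${host}/api/com.ibm.zaci.system/api-tokens" \
      -H 'zACI-API: com.ibm.zaci.system/1.0' \
      -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' \
      -H 'Accept: application/vnd.ibm.zaci.payload+json' \
      --data-binary @- |
    jq -r '.parameters.token'
}

# The export carries the mTLS and access-permission configuration: restrict
# the file to its owner and record its SHA-256 beside it (<file>.sha256).
seal_export() {
  local file=$1
  chmod 600 "$file"
  sha256sum "$file" | cut -d' ' -f1 > "$file.sha256"
}

# Refuse to import an export whose checksum no longer matches the record.
verify_export() {
  local file=$1 expected actual
  [ -f "$file" ] && [ -f "$file.sha256" ] || return 1
  expected=$(cat "$file.sha256")
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$expected" = "$actual" ]
}

# Bounded polling: run the probe command until it succeeds or the budget is
# spent. Usage: wait_until <max_tries> <seconds_between_tries> <command> [args]
wait_until() {
  local max_tries=$1 delay=$2 i
  shift 2
  i=1
  while [ "$i" -le "$max_tries" ]; do
    if "$@"; then
      return 0
    fi
    sleep "$delay"
    i=$((i + 1))
  done
  return 1
}

# Readiness probe for the destination appliance (assumes DST_HOST, DST_USER and
# DST_PASS are exported by the caller): ready once a real token comes back.
appliance_ready() {
  local token
  token=$(fetch_token "$DST_HOST" "$DST_USER" "$DST_PASS" 2>/dev/null) || return 1
  [ -n "$token" ] && [ "$token" != "null" ]
}
```

Call seal_export on the file that export.sh writes, verify_export before import.sh uploads it, and `wait_until 120 5 appliance_ready` in place of the wait_network_ready loop; the retry budget there mirrors the sample script's 120 tries at 5 seconds.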