Backing up and restoring Crypto Express Network API for Secure Execution Enclaves

You can use the export and import API to back up and restore, or to upgrade, Crypto Express Network API for Secure Execution Enclaves. When you import data from the previous appliance, the current LPAR must be configured like the previous one, including its IP address. The export and import APIs are supported from version 1.1.2 and later.

Using the Crypto Express Network API for Secure Execution Enclaves for backup

  1. Export data of current appliance

    Use the /api/com.ibm.zaci.system/appliance-configuration/export:POST REST API to export the data of the current appliance.

    The exported data includes the following configurations:

    C16server mTLS configuration
    C16client certificate access permission configuration
    Rsyslog configuration
    Monitoring configuration
    ILMT configuration
    etc.
    
  2. Import data from the previous appliance

    Use the /api/com.ibm.zaci.system/appliance-configuration/import?apply_now=false:POST REST API to import data from the previous appliance.

  3. Trigger the restore on the current appliance

    Use the /api/com.ibm.zaci.system/appliance-configuration:PUT REST API to trigger the restore after the data of the previous appliance has been imported.

Sample scripts

You can use the following shell scripts, which are provided as an example, to export and then import the settings of Crypto Express Network API for Secure Execution Enclaves for a restore or an upgrade.

After the scripts complete, the mTLS connection can be created successfully and the Rsyslog server can receive logs.

export_import.ini

# Connection settings sourced by export.sh and import.sh (bash syntax: no
# spaces around "=", values in double quotes).  Replace every "<>".
# The passwords are stored in plaintext; keep this file readable only by the
# account that runs the scripts (for example: chmod 600 export_import.ini).
# Source appliance (used by export.sh): the one whose configuration is exported.
src_server_ip="<>"
src_server_user="<>"
src_server_pass="<>"
# Name of the export.  export.sh writes ./<export_description>.data and
# import.sh uploads that same file, so use a plain, file-name-safe value.
export_description="<>"
# Destination appliance (used by import.sh): the one the configuration is
# restored to.
dst_server_ip="<>"
dst_server_user="<>"
dst_server_pass="<>"

export.sh

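#!/bin/bash
#
# export.sh - export the configuration of the source appliance to a local file.
#
# Reads src_server_ip / src_server_user / src_server_pass / export_description
# from ./export_import.ini (next to this script) and writes the exported data
# to ./<export_description>.data in the same directory.
#
# Requires: curl, jq
#
# The original sample ran with "bash -xe".  -x is deliberately not set here:
# the trace prints the expanded token request, i.e. the appliance password,
# and the bearer token.  Run "bash -x ./export.sh" when a trace is needed and
# treat that output as sensitive.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

echo "---> start to export/import...."

mypath=$(dirname -- "$0")
cd -- "$mypath" || die "cannot cd to ${mypath}"

[[ -f ./export_import.ini ]] || die "missing ./export_import.ini"
# shellcheck source=export_import.ini
source ./export_import.ini

# Fail early instead of sending a request with an empty host or credentials.
: "${src_server_ip:?src_server_ip must be set in export_import.ini}"
: "${src_server_user:?src_server_user must be set in export_import.ini}"
: "${src_server_pass:?src_server_pass must be set in export_import.ini}"
: "${export_description:?export_description must be set in export_import.ini}"
# export_description doubles as the output file name, so keep it a plain name.
if [[ "$export_description" == */* ]]; then
  die "export_description must not contain '/'"
fi

echo "source server ip:${src_server_ip}"
echo "source server user:${src_server_user}"
echo "destination server ip:${dst_server_ip:-}"
echo "destination server user:${dst_server_user:-}"

base_url="https://${src_server_ip}/api/com.ibm.zaci.system"
# -k skips TLS certificate verification, as in the original sample.  Replace
# it with --cacert <appliance-ca.pem> once the appliance certificate is known,
# so that the password and the exported data are not exposed in transit.
curl_opts=(-k -sS)
json_hdrs=(
  -H 'zACI-API: com.ibm.zaci.system/1.0'
  -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0'
  -H 'Accept: application/vnd.ibm.zaci.payload+json'
)

#---------------------------------------------
# get auth token of source server
echo "---> request api: /api-tokens:"
# jq builds the body so that quotes or backslashes in the password are
# escaped correctly; the original heredoc pasted them in verbatim.
req_json=$(jq -n --arg user "$src_server_user" --arg pass "$src_server_pass" \
  '{kind: "request", parameters: {user: $user, password: $pass}}')

# The body goes through stdin (-d @-) rather than argv so the password does
# not show up in "ps" output.  "// empty" maps a missing token (jq would
# otherwise print "null") to an empty string.
auth_token=$(printf '%s' "$req_json" \
  | curl "${curl_opts[@]}" -X POST "${base_url}/api-tokens" "${json_hdrs[@]}" -d @- \
  | jq -r '.parameters.token // empty')
[[ -n "$auth_token" ]] || die "failed to obtain an API token from ${src_server_ip}"
# The token is a bearer credential, so it is not printed.
echo "---> auth_token: [obtained]"
auth_hdr=(-H "Authorization: Bearer ${auth_token}")

#---------------------------------------------
# get appliance status
response=$(curl "${curl_opts[@]}" -X GET "${base_url}/appliance" "${json_hdrs[@]}" "${auth_hdr[@]}" | jq .)
echo "---> response: [${response}]"

#---------------------------------------------
# accept license manually
echo "---> request api: /software-license:"
# Quoted delimiter: the body is a fixed literal, nothing to expand.
req_json=$(cat <<'EOF'
{
   "kind": "request",
   "parameters":{
      "accept": true
   }
}
EOF
)

response=$(curl "${curl_opts[@]}" -X PUT "${base_url}/software-license" "${json_hdrs[@]}" "${auth_hdr[@]}" -d "${req_json}")
echo "---> response: [${response}]"

#---------------------------------------------
# export data
echo "---> request api: /appliance-configuration/export:"
req_json=$(jq -n --arg desc "$export_description" \
  '{kind: "request", parameters: {description: $desc}}')
out_file="${export_description}.data"
# The original removed "export.data" but wrote "${export_description}.data";
# remove the file that is actually written so a failed run cannot leave a
# stale export behind.
rm -f -- "$out_file"
# -f: on an HTTP error curl exits non-zero (and set -e stops the script)
# instead of writing the error body into the output file.
curl "${curl_opts[@]}" -f -X POST "${base_url}/appliance-configuration/export" \
  -H 'zACI-API: com.ibm.zaci.system/1.0' \
  -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' \
  -H 'Accept: application/octet-stream' \
  "${auth_hdr[@]}" -d "${req_json}" -o "$out_file"
# The export carries the mTLS and client-certificate configuration, so limit
# who can read it on this host.
chmod 600 -- "$out_file"
echo "---> exported configuration written to ${out_file}"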

import.sh

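#!/bin/bash
#
# import.sh - restore an exported configuration onto the destination appliance.
#
# Reads dst_server_ip / dst_server_user / dst_server_pass / export_description
# from ./export_import.ini (next to this script), uploads
# ./<export_description>.data with apply_now=false and then triggers the
# restore, which reboots the appliance.  wait_network_ready, defined further
# down in this file, afterwards polls the appliance using req_json and
# dst_server_ip set here.
#
# Requires: curl, jq
#
# The original sample ran with "bash -xe".  -x is deliberately not set here:
# the trace prints the expanded token request, i.e. the appliance password,
# and the bearer token.  Run "bash -x ./import.sh" when a trace is needed and
# treat that output as sensitive.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

echo "---> start to export/import...."

mypath=$(dirname -- "$0")
cd -- "$mypath" || die "cannot cd to ${mypath}"

[[ -f ./export_import.ini ]] || die "missing ./export_import.ini"
# shellcheck source=export_import.ini
source ./export_import.ini

# Fail early instead of sending a request with an empty host or credentials.
: "${dst_server_ip:?dst_server_ip must be set in export_import.ini}"
: "${dst_server_user:?dst_server_user must be set in export_import.ini}"
: "${dst_server_pass:?dst_server_pass must be set in export_import.ini}"
: "${export_description:?export_description must be set in export_import.ini}"

echo "source server ip:${src_server_ip:-}"
echo "source server user:${src_server_user:-}"
echo "destination server ip:${dst_server_ip}"
echo "destination server user:${dst_server_user}"

# Check the upload exists before anything on the destination is deleted; the
# original sample wiped the destination configuration first and only then
# failed on a missing export file.
import_file="./${export_description}.data"
[[ -f "$import_file" ]] || die "export file ${import_file} not found; run export.sh first"

base_url="https://${dst_server_ip}/api/com.ibm.zaci.system"
# -k skips TLS certificate verification, as in the original sample.  Replace
# it with --cacert <appliance-ca.pem> once the appliance certificate is known.
curl_opts=(-k -sS)
json_hdrs=(
  -H 'zACI-API: com.ibm.zaci.system/1.0'
  -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0'
  -H 'Accept: application/vnd.ibm.zaci.payload+json'
)

#---------------------------------------------
# get auth token of destination server
echo "---> request api: /api-tokens:"
# jq escapes quotes/backslashes in the password; the original heredoc did not.
token_req=$(jq -n --arg user "$dst_server_user" --arg pass "$dst_server_pass" \
  '{kind: "request", parameters: {user: $user, password: $pass}}')

# The body goes through stdin (-d @-) so the password is not visible in "ps".
# "// empty" maps a missing token (jq would print "null") to an empty string.
auth_token=$(printf '%s' "$token_req" \
  | curl "${curl_opts[@]}" -X POST "${base_url}/api-tokens" "${json_hdrs[@]}" -d @- \
  | jq -r '.parameters.token // empty')
[[ -n "$auth_token" ]] || die "failed to obtain an API token from ${dst_server_ip}"
# The token is a bearer credential, so it is not printed.
echo "---> auth_token: [obtained]"
auth_hdr=(-H "Authorization: Bearer ${auth_token}")

#---------------------------------------------
# accept license manually
echo "---> request api: /software-license:"
# Quoted delimiter: the body is a fixed literal, nothing to expand.
license_req=$(cat <<'EOF'
{
   "kind": "request",
   "parameters":{
      "accept": true
   }
}
EOF
)

response=$(curl "${curl_opts[@]}" -X PUT "${base_url}/software-license" "${json_hdrs[@]}" "${auth_hdr[@]}" -d "${license_req}" | jq -r .)
echo "---> response: [${response}]"

#---------------------------------------------
# delete data
# Removes the current configuration of the destination appliance; the export
# file check above is what makes this safe to run first.
req_resp=$(curl "${curl_opts[@]}" -X DELETE "${base_url}/appliance-configuration" \
  -H 'zACI-API: com.ibm.zaci.system/1.0' \
  -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' \
  -H 'Accept: application/vnd.ibm.zaci.payload+json; version = 1.0' \
  "${auth_hdr[@]}" | jq -r .)
echo "${req_resp}"

#---------------------------------------------
# upload data but not trigger reboot
# -f: an HTTP error aborts the script here instead of continuing to the
# restore step with nothing uploaded.
req_resp=$(curl "${curl_opts[@]}" -f -X POST "${base_url}/appliance-configuration/import?apply_now=false" \
  -H 'zACI-API: com.ibm.zaci.system/1.0' \
  -H 'Content-type: application/octet-stream' \
  -H 'Accept: application/vnd.ibm.zaci.payload+json' \
  "${auth_hdr[@]}" -T "$import_file" | jq -r .)
echo "${req_resp}"

#---------------------------------------------
# import data and trigger reboot
# The appliance reboots as a result of this request, so the connection may be
# closed before a full response arrives.  That is not treated as fatal here;
# the poll that follows decides whether the appliance came back.
req_resp=$(curl "${curl_opts[@]}" -X PUT "${base_url}/appliance-configuration" \
  -H 'zACI-API: com.ibm.zaci.system/1.0' \
  -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' \
  -H 'Accept: application/vnd.ibm.zaci.payload+json; version = 1.0' \
  "${auth_hdr[@]}" | jq -r .) || true
echo "${req_resp}"

sleep 20

#---------------------------------------------
# checking if the destination server started up
echo "---> request api: /api-tokens:"
# wait_network_ready (defined below) reads req_json and dst_server_ip; the
# token request body is the same one used above.
req_json=$token_req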

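#######################################
# Poll the destination appliance until an API token can be obtained.
# Globals:   dst_server_ip, req_json (token request body) - read
#            auth_token - written with the token obtained on success
# Arguments: none
# Outputs:   progress messages to stdout
# Returns:   0 once the appliance answers with a token, 1 after max_tries
#            attempts (120 tries, 5 s apart, roughly 10 minutes)
#######################################
wait_network_ready() {
    local max_tries=120
    local index
    for (( index = 1; index <= max_tries; index++ )); do
        echo "trying to check if destination server start up ..."
        # Short timeouts: while the appliance reboots, a connect can otherwise
        # hang for minutes and stretch the poll interval.  The body is passed
        # on stdin so the password is not visible in the process list; curl's
        # stderr is silenced because connection errors are expected here.
        # "// empty" maps a missing token (jq would print "null") to an empty
        # string - the original length check accepted "null" as "up".  The
        # "|| auth_token=" keeps a failed pipeline from aborting the script
        # when pipefail is in effect.
        auth_token=$(printf '%s' "$req_json" \
            | curl -k -s --connect-timeout 5 --max-time 30 -X POST \
                "https://${dst_server_ip}/api/com.ibm.zaci.system/api-tokens" \
                -H 'zACI-API: com.ibm.zaci.system/1.0' \
                -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' \
                -H 'Accept: application/vnd.ibm.zaci.payload+json' \
                -d @- 2>/dev/null \
            | jq -r '.parameters.token // empty') || auth_token=""
        if [[ -n "$auth_token" ]]; then
            echo "system is up ..."
            return 0
        fi
        # (The original also echoed $ping_res, which is never set.)
        echo "destination server is not up, continue checking..."
        sleep 5
    done
    echo "waiting for destination server ready timeout..."
    return 1
}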
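# Poll until the appliance is reachable again.  The failure is made explicit
# instead of relying on errexit from the shebang, which is lost when the
# script is started as "bash import.sh".
if ! wait_network_ready; then
    exit 1
fi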