Secure restore
You can use the secure restore facility to import a secure backup to the same or a different appliance.
The secure backup contains the configuration information of the appliance. This includes both appliance users and MQ users, together with their passwords, but does not include MQ queue manager configuration or data (which is backed up by using the mqbackup command). The information is secured by a user-supplied certificate stored on the appliance (see Creating a certificate for a secure backup). Both the certificate and the certificate's private key are required for a secure restore.
- Manifest file in XML format that includes the following details:
  - The firmware version and build used to create the backup.
  - The date and time when the backup was created.
  - The MTM (machine type and model) of the appliance that was backed up.
  - The serial number of the appliance that was backed up.
  - The list of the .tgz files that comprise the backup, their size and their checksum.
  - Ephemeral keys used as inputs to encrypt the backup.
  - A digital signature of the manifest used to confirm its integrity.
- Some or all of the following tar files:
  - root.tgz
    - A backup of core configuration and data.
  - config.tgz
    - A backup of configuration in the config: folder.
  - cert.tgz
    - A backup of keys and certificates in the cert: folder.
  - local.tgz
    - A backup of files in the local: folder.
  - password-map.tgz
    - A backup of passwords used by the system configuration.
  - sharedcert.tgz
    - A backup of certificates in the sharedcert: folder.
  - mq-users.tgz
    - A backup of the messaging users and groups.
- You must restore onto an appliance that has been reinitialized (had a factory reset performed). See Factory reset.
- You can only restore a backup to an appliance that has exactly the same V.R.M.F version number.
- You can restore a backup image from an M2002 appliance to an M2002, or to an M2003.
- You can restore a backup image from an M2003 appliance to an M2002, or to an M2003.
- A secure backup includes the network configuration for the Ethernet ports. If the backup is restored on a different appliance, then the network configuration might not be valid. You can log in to the appliance by using the serial port to fix the network settings that are incorrect. (This also applies to other settings that might need changing, such as system name.)
- Secure backups do not include the passwords for IPMI users. You must restore these manually.
- On restoration, the default admin user's password is set to admin. You are required to change this when you next log in as admin.
You can use the secure backup to migrate from one appliance to another, which can be the same or a different hardware model (where supported). Note that queue manager details and high availability and disaster recovery configurations have to be migrated separately.
You can complete a secure restore by using the command line interface, the web UI, or the REST interface.
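An operator-side pre-check of the manifest details and restore restrictions described above, run before starting a restore by any of these routes. This is an added example, not IBM's code: the XML element and attribute names, the use of SHA-256 as the checksum, and the version 1.2.3.4 are assumptions, because this page does not give the manifest schema. It does not check the manifest's digital signature.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Model pairs this page lists as restorable (source model, target model).
ALLOWED_MODELS = {(s, t) for s in ("M2002", "M2003") for t in ("M2002", "M2003")}

def precheck(manifest_xml, backup_dir, target_vrmf, target_model):
    """Return a list of problems; an empty list means the pre-checks passed."""
    root = ET.fromstring(manifest_xml)
    problems = []
    vrmf = root.findtext("firmware", "").strip()    # hypothetical element name
    model = root.findtext("model", "").strip()      # hypothetical element name
    if vrmf != target_vrmf:
        problems.append(f"V.R.M.F mismatch: backup {vrmf}, target {target_vrmf}")
    if (model, target_model) not in ALLOWED_MODELS:
        problems.append(f"model pair not listed: {model} -> {target_model}")
    for entry in root.iter("file"):                  # hypothetical element name
        name = entry.get("name", "")
        # Accept only bare .tgz names so a manifest entry cannot point outside backup_dir.
        if not name.endswith(".tgz") or Path(name).name != name:
            problems.append(f"unexpected file name in manifest: {name!r}")
            continue
        path = Path(backup_dir) / name
        if not path.is_file():
            problems.append(f"missing: {name}")
            continue
        data = path.read_bytes()
        if len(data) != int(entry.get("size", "-1")):
            problems.append(f"size mismatch: {name}")
        # SHA-256 is an assumption; the page does not name the checksum algorithm.
        if hashlib.sha256(data).hexdigest() != entry.get("sha256", "").lower():
            problems.append(f"checksum mismatch: {name}")
    return problems

def demo():
    """Build a constructed two-file backup, then damage one file and re-check."""
    with tempfile.TemporaryDirectory() as d:
        files = {"root.tgz": b"constructed root", "cert.tgz": b"constructed cert"}
        rows = ""
        for name, data in files.items():
            (Path(d) / name).write_bytes(data)
            digest = hashlib.sha256(data).hexdigest()
            rows += f'<file name="{name}" size="{len(data)}" sha256="{digest}"/>'
        manifest = f"<manifest><firmware>1.2.3.4</firmware><model>M2002</model>{rows}</manifest>"
        clean = precheck(manifest, d, "1.2.3.4", "M2003")
        (Path(d) / "cert.tgz").write_bytes(b"constructed cerT")  # same size, new bytes
        damaged = precheck(manifest, d, "1.2.3.5", "M2003")
    return clean, damaged
```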