IBM® Security Guardium® Key Lifecycle Manager replication ensures availability of the key materials, configuration files, and other data on a server by having at least one copy or replica of the data on another server. Each server is available for data recovery when the other one fails. In replication, IBM Security Guardium Key Lifecycle Manager creates a backup of the data and copies it to the other server according to the configured schedule.
Master server is the primary system that is being backed up and replicated to one or more secondary servers, called clone servers. You must configure IBM Security Guardium Key Lifecycle Manager on the master and clone servers to schedule replication. New keys are created only on the master server. Clone servers can serve keys.
- IBM Security Guardium Key Lifecycle Manager database tables
- Truststore and keystore with the master key
- IBM Security Guardium Key Lifecycle Manager configuration files
Replication configurationTo schedule replication, you need to configure IBM Security Guardium Key Lifecycle Manager on the master and clone servers. You can configure one master and up to 20 clone servers. Cloning of the IBM Security Guardium Key Lifecycle Manager environment on the master server to the clone servers is independent of their operating systems and directory structure.
Replication configuration on IBM Security Guardium Key Lifecycle Manager container
You can configure replication on IBM Security Guardium Key Lifecycle Manager containers that are installed across multiple Kubernetes and Red Hat® OpenShift® clusters.
Types of replication
- Full replication
- Creates full backup of the data on the master server and then replicates the data to the clone
servers. By default, full replication runs every 24 hours (daily). It is triggered only when new
cryptographic objects are added to or modified on the master server.
For detailed instructions, see Enabling and configuring full replication.
- Incremental replication
- Replicates data from the master to the clone server incrementally with the delta changes. If you have frequent updates to the cryptographic objects in a master server, use incremental replication so that the clone servers always have almost up-to-date data. By default, incremental replication runs every 60 seconds (1 minute). You can configure this frequency based on your requirement. You must configure full replication before you can configure incremental replication. You can configure incremental replication when you configure full replication as well.
- For detailed instructions, see Enabling and configuring incremental replication.
You can use the graphical user interface or REST interface to configure full and incremental replication.
Automated backup configuration
To schedule automatic backups, you need to configure IBM Security Guardium Key Lifecycle Manager on the master server only. For instructions, see Scheduling automatic backups.
Replicating large amount of data
You can configure IBM Security Guardium Key Lifecycle Manager to replicate large amount of data. Before you begin, ensure that the master and clone servers are identical. The operating system, directory structures, and Db2® admin user must be the same on the master and clone servers. For more information, see Backing up large amount of data.
IBM Security Guardium Key Lifecycle Manager creates a cryptographic key to encrypt the backup files. Depending on the encryption method that is selected in configuration, when the automatic backup or replication operation runs, the cryptographic key is encrypted by a password or by the master key in the external master key store.For more information about the encryption methods for backup and replication, see Backup encryption methods for replication activities.