Configuring replication

IBM® Security Key Lifecycle Manager replication ensures availability of the key materials, configuration files, and other data on a server by keeping at least one copy, or replica, of the data on another server. Each server is available for data recovery when the other one fails. During replication, IBM Security Key Lifecycle Manager creates a backup of the data and copies it to the other server according to the configured schedule.

The master server is the primary system that is backed up and replicated to one or more secondary servers, called clone servers. You must configure IBM Security Key Lifecycle Manager on the master and clone servers to schedule replication. New keys are created only on the master server. Clone servers can serve keys.

The following data in the master server is replicated to the clone server:
  • IBM Security Key Lifecycle Manager database tables
  • Truststore and keystore with the master key
  • IBM Security Key Lifecycle Manager configuration files

Replication configuration

To schedule replication, you need to configure IBM Security Key Lifecycle Manager on the master and clone servers. You can configure one master and up to 20 clone servers. Cloning of the IBM Security Key Lifecycle Manager environment on the master server to the clone servers is independent of their operating systems and directory structure.

Types of replication

You can configure automatic replication in two ways:
Full replication
Creates a full backup of the data on the master server and then replicates the data to the clone servers. By default, full replication runs every 24 hours (daily). It is triggered only when new cryptographic objects are added to, or existing objects are modified on, the master server.

For detailed instructions, see Enabling and configuring full replication.

Incremental replication
Replicates data from the master to the clone server incrementally, sending only the delta changes. If the cryptographic objects on a master server are updated frequently, use incremental replication so that the clone servers always have nearly up-to-date data. By default, incremental replication runs every 60 seconds (1 minute). You can configure this frequency based on your requirements. You must configure full replication before you can configure incremental replication. You can also configure incremental replication at the same time that you configure full replication.

For detailed instructions, see Enabling and configuring incremental replication.

You can use the graphical user interface, command-line interface, or REST interface to configure full and incremental replication.

Automated backup configuration

To schedule automatic backups, you need to configure IBM Security Key Lifecycle Manager on the master server only. For instructions, see Scheduling automatic backups.

Replicating large amount of data

You can configure IBM Security Key Lifecycle Manager to replicate a large amount of data. Before you begin, ensure that the master and clone servers are identical. The operating system, directory structures, and Db2® admin user must be the same on the master and clone servers. For more information, see Backing up large amount of data.

Backup protection

IBM Security Key Lifecycle Manager creates a cryptographic key to encrypt the backup files. When the automatic backup or replication operation runs, this cryptographic key is itself encrypted either by a password or by the master key in the HSM, depending on the encryption method that is selected in the configuration.

For more information about the encryption methods for backup and replication, see Backup encryption methods for replication activities.