Backing up data with password-based encryption when HSM is configured

You must set the enablePBEInHSM=true property in the SKLMConfig.properties file to back up data with password-based encryption when Hardware Security Module (HSM) is configured.

Before you begin

Ensure that IBM® Security Key Lifecycle Manager is configured to use HSM for storing the master key by using steps in the Configuring HSM parameters topic.

About this task

When HSM is configured, the master key in the HSM encrypts the backup key during the backup process. HSM-based encryption is the default method for backups when HSM is configured to store the master key. For information about HSM-based encryption, see HSM-based encryption for backups. Your role must have the permission to back up files.

Note: Backup success messages are system wide. Two administrators might run backup tasks that overlap in time. During this interval, the administrator who starts a second task that fails might see a false success message from the first backup task.

Procedure

  1. Set the enablePBEInHSM=true property in the <SKLM_HOME>/config/SKLMConfig.properties file.
    Command-line interface
    1. Go to the WAS_HOME/bin directory. For example,
      Windows
      cd drive:\Program Files\IBM\WebSphere\AppServer\bin
      Linux
      cd /opt/IBM/WebSphere/AppServer/bin
    2. Start the wsadmin interface by using an authorized user ID, such as SKLMAdmin. For example,
      Windows
      wsadmin.bat -username SKLMAdmin -password mypwd -lang jython
      Linux
      ./wsadmin.sh -username SKLMAdmin -password mypwd -lang jython
    3. Run the tklmConfigUpdateEntry CLI command to set the enablePBEInHSM property in the SKLMConfig.properties configuration file.
      print AdminTask.tklmConfigUpdateEntry ('[-name enablePBEInHSM -value true]')
    REST interface
    1. Open a REST client.
    2. Obtain a unique user authentication identifier to access IBM Security Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Run Update Config Property REST Service to set the enablePBEInHSM property in the SKLMConfig.properties configuration file. Pass the user authentication identifier that you obtained in Step 2 along with the request message as shown in the following example.
      PUT https://localhost:<port>/SKLM/rest/v1/configProperties
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m
      Accept-Language: en
      { "enablePBEInHSM" : "true"}
  2. Go to the appropriate page or directory for backing up data.
    Graphical user interface
    1. Log on to the graphical user interface.
    2. On the Welcome page, click Administration > Backup and Restore.
    Command-line interface
    1. Go to the WAS_HOME/bin directory.
    2. Start the wsadmin interface by using an authorized user ID, such as SKLMAdmin.
    REST interface
    Open a REST client.
  3. Create a backup file.
    You can run only one backup or restore task at a time.
    Graphical user interface
    1. On the Backup and Restore table, the Backup repository location field displays the default <SKLM_DATA> directory path where the backup file is saved, for example, C:\Program Files\IBM\WebSphere\AppServer\products\sklm\data. For the definition of <SKLM_DATA>, see Definitions for HOME and other directory variables. Click Browse to specify a backup repository location under the <SKLM_DATA> directory.

      The directory path in the Backup repository location field changes based on the value that you set for the tklm.backup.dir property in the SKLMConfig.properties file.

    2. Click Create Backup.
    3. On the Create Backup page, specify information such as a value for the encryption password and backup description. A read-only backup file location is displayed in the Backup location field. Ensure that you retain the encryption password for future use in case you restore the backup.
    4. Click Create Backup.
    Command-line interface
    Type tklmBackupRun, the backup location, password, and any other necessary information to create a backup file as shown in the following example.
    print AdminTask.tklmBackupRun ('[-backupDirectory C:\\sklmbackup1 -password myBackupPwd]')
    REST interface
    Run Backup Run REST Service by sending the HTTP POST request as shown in the following example.
    POST https://localhost:<port>/SKLM/rest/v1/ckms/backups
    Content-Type: application/json
    Accept: application/json
    Authorization: SKLMAuth authId=139aeh34567m
    Accept-Language: en
    {"backupDirectory":"/sklmbackup1","password":"myBackupPwd"}
  4. A message indicates that the backup file was created, or that the backup operation succeeded.

    The time stamp on a backup file has a Greenwich Mean Time (GMT) offset represented in RFC 822 format. The file name contains a +hhmm or -hhmm element to specify a timezone ahead of or behind GMT. For example, a file name might be sklm_v4.0.0_20170123144220-0800_backup.jar, where -0800 indicates that the timezone is eight hours behind GMT.
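The REST variant of the procedure above, written as an added Python example (not IBM's own code or tooling): it builds the two calls in the required order (enable enablePBEInHSM, then run the backup) with the headers shown on this page, and parses the GMT offset out of a resulting backup file name so the backup time can be compared in UTC. The host, port, directory, password and the userAuthId value are constructed placeholders; the authentication identifier must come from the REST authentication service.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from urllib import request

# Constructed sample values; replace with your server and a real userAuthId.
SKLM_BASE = "https://localhost:9443/SKLM/rest/v1"
USER_AUTH_ID = "139aeh34567m"  # placeholder, not a valid token


def sklm_headers(user_auth_id):
    """Headers used by both REST calls on this page."""
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"SKLMAuth userAuthId={user_auth_id}",
        "Accept-Language": "en",
    }


def build_requests(base, user_auth_id, backup_dir, password):
    """Return (method, url, headers, body) tuples in the order they must run:
    the property must be set before the backup so PBE applies to it."""
    hdrs = sklm_headers(user_auth_id)
    return [
        ("PUT", f"{base}/configProperties", hdrs, {"enablePBEInHSM": "true"}),
        ("POST", f"{base}/ckms/backups", hdrs,
         {"backupDirectory": backup_dir, "password": password}),
    ]


def send(method, url, headers, body):
    """Send one call and return the decoded JSON response."""
    req = request.Request(url, data=json.dumps(body).encode(),
                          method=method, headers=headers)
    with request.urlopen(req) as resp:
        return json.load(resp)


# sklm_v4.0.0_20170123144220-0800_backup.jar -> stamp, sign, hh, mm
BACKUP_NAME = re.compile(r"^sklm_v[\d.]+_(\d{14})([+-])(\d{2})(\d{2})_backup\.jar$")


def backup_time_utc(filename):
    """Apply the RFC 822 style +hhmm/-hhmm offset in the file name, return UTC."""
    m = BACKUP_NAME.match(filename)
    if not m:
        raise ValueError(f"not an SKLM backup file name: {filename}")
    stamp, sign, hh, mm = m.groups()
    offset = timedelta(hours=int(hh), minutes=int(mm))
    local_tz = timezone(-offset if sign == "-" else offset)
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=local_tz)
    return local.astimezone(timezone.utc)
```

Run the calls with `for call in build_requests(SKLM_BASE, USER_AUTH_ID, "/sklmbackup1", "myBackupPwd"): send(*call)` once a valid userAuthId is in place.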

What to do next

Do not edit a file in the backup JAR file. The file that you attempt to edit becomes unreadable. You must use the same HSM and master key for both the backup and the restore operation, regardless of whether you use HSM-based encryption or password-based encryption.