You must set the enablePBEInHSM=true property in the SKLMConfig.properties file to back up data with password-based encryption when a Hardware Security Module (HSM) is configured.
Before you begin
Ensure that IBM® Security Key Lifecycle Manager is configured to use HSM for storing the master key by using the steps in the Configuring HSM parameters topic.
About this task
When HSM is configured, the master key in HSM encrypts the backup key during the backup process. HSM-based encryption is the default method for backups when HSM is configured to store the master key. For information about HSM-based encryption, see HSM-based encryption for backups. Your role must have the permission to back up files.
Note: Backup success messages are system-wide. Two administrators might run backup tasks that overlap in time. During this interval, the administrator who starts a second task that fails might see a false success message from the first backup task.
Procedure
- Set the enablePBEInHSM=true property in the <SKLM_HOME>/config/SKLMConfig.properties file.
  - Command-line interface
    - Go to the WAS_HOME/bin directory. For example,
      - Windows
        cd drive:\Program Files\IBM\WebSphere\AppServer\bin
      - Linux
        cd /opt/IBM/WebSphere/AppServer/bin
    - Start the wsadmin interface by using an authorized user ID, such as SKLMAdmin. For example,
      - Windows
        wsadmin.bat -username SKLMAdmin -password mypwd -lang jython
      - Linux
        ./wsadmin.sh -username SKLMAdmin -password mypwd -lang jython
    - Run the tklmConfigUpdateEntry CLI command to set the enablePBEInHSM property in the SKLMConfig.properties configuration file.
      print AdminTask.tklmConfigUpdateEntry ('[-name enablePBEInHSM -value true]')
  - REST interface
    - Open a REST client.
    - Obtain a unique user authentication identifier to access IBM Security Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    - Run Update Config Property REST Service to set the enablePBEInHSM property in the SKLMConfig.properties configuration file. Pass the user authentication identifier that you obtained in Step b along with the request message as shown in the following example.
      PUT https://localhost:<port>/SKLM/rest/v1/configProperties
      Content-Type: application/json
      Accept : application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m
      Accept-Language : en
      { "enablePBEInHSM" : "true"}
- Go to the appropriate page or directory for backing up data.
  - Graphical user interface
    - Log on to the graphical user interface.
    - On the Welcome page, click .
  - Command-line interface
    - Go to the WAS_HOME/bin directory.
    - Start the wsadmin interface by using an authorized user ID, such as SKLMAdmin.
  - REST interface
    - Open a REST client.
- Create a backup file. You can run only one backup or restore task at a time.
  - Graphical user interface
    - On the Backup and Restore table, the Backup repository location field displays the default <SKLM_DATA> directory path, where the backup file is saved, for example, C:\Program Files\IBM\WebSphere\AppServer\products\sklm\data. For the definition of <SKLM_DATA>, see Definitions for HOME and other directory variables. Click Browse to specify a backup repository location under the <SKLM_DATA> directory. The directory path in the Backup repository location field changes based on the value that you set for the tklm.backup.dir property in the SKLMConfig.properties file.
    - Click Create Backup.
    - On the Create Backup page, specify information such as a value for the encryption password and a backup description. A read-only backup file location is displayed in the Backup location field. Ensure that you retain the encryption password for future use in case you restore the backup.
    - Click Create Backup.
  - Command-line interface
    - Type tklmBackupRun, the backup location, password, and any other necessary information to create a backup file as shown in the following example.
      print AdminTask.tklmBackupRun ('[-backupDirectory C:\\sklmbackup1 -password myBackupPwd]')
  - REST interface
    - Run Backup Run REST Service by sending the HTTP POST request as shown in the following example.
      POST https://localhost:<port>/SKLM/rest/v1/ckms/backups
      Content-Type: application/json
      Accept : application/json
      Authorization: SKLMAuth authId=139aeh34567m
      Accept-Language : en
      {"backupDirectory":"/sklmbackup1","password":"myBackupPwd"}
- A message indicates that the backup file was created, or that the backup operation succeeded. The time stamp on a backup file has a Greenwich Mean Time (GMT) offset represented in RFC 822 format. The file name contains a +hhmm or -hhmm element to specify a timezone ahead of or behind GMT. For example, a file name might be sklm_v4.0.0_20170123144220-0800_backup.jar, where -0800 indicates that the timezone is eight hours behind GMT.
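The following Python is an added example, not IBM code: it describes the two REST requests from the procedure (the config-property PUT and the backup POST) without sending them, and parses the RFC 822 GMT offset out of a backup file name so the time stamp can be compared across time zones. The host, port and authId value are placeholders taken from the examples above.

```python
import json
import re
from datetime import datetime, timedelta, timezone

BASE_URL = "https://localhost:9443/SKLM/rest/v1"  # assumed host and port
AUTH_ID = "139aeh34567m"                           # placeholder authId from the doc examples


def _request(method, path, auth_header, body):
    """Describe a JSON request with the header set the doc shows; nothing is sent."""
    return {
        "method": method,
        "url": BASE_URL + path,
        "headers": {
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": auth_header,
            "Accept-Language": "en",
        },
        "body": json.dumps(body),
    }


def enable_pbe_in_hsm_request(auth_id=AUTH_ID):
    """Step 1 (REST): PUT /configProperties setting enablePBEInHSM=true."""
    return _request("PUT", "/configProperties",
                    f"SKLMAuth userAuthId={auth_id}", {"enablePBEInHSM": "true"})


def backup_run_request(backup_dir, password, auth_id=AUTH_ID):
    """Step 3 (REST): POST /ckms/backups for a password-encrypted backup."""
    return _request("POST", "/ckms/backups", f"SKLMAuth authId={auth_id}",
                    {"backupDirectory": backup_dir, "password": password})


_NAME_RE = re.compile(r"^sklm_v(?P<ver>[\d.]+)_(?P<ts>\d{14})(?P<off>[+-]\d{4})_backup\.jar$")


def parse_backup_filename(name):
    """Return (version, aware datetime) for a name such as
    sklm_v4.0.0_20170123144220-0800_backup.jar. The +hhmm/-hhmm element is the
    RFC 822 offset from GMT, so the datetime converts cleanly to UTC."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an SKLM backup file name: {name}")
    off = m.group("off")
    delta = timedelta(hours=int(off[1:3]), minutes=int(off[3:5]))
    tz = timezone(delta if off[0] == "+" else -delta)
    stamp = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S").replace(tzinfo=tz)
    return m.group("ver"), stamp
```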
What to do next
Do not edit a file in the backup JAR file. The file that you attempt to edit becomes unreadable. You must connect to the same HSM and the master key for backup and restore operations irrespective of whether you use HSM-based encryption or password-based encryption.