Restoring a backup file

A restore returns the IBM Security Key Lifecycle Manager server to a known state, by using backed-up production data, such as the IBM Security Key Lifecycle Manager key materials and other critical information.

Before you begin

Consider the following guidelines before you restore HSM-based encryption backups:
  • Ensure that the same HSM partition is present with all its key entries intact on the system where the backup file is restored.
  • The master key that was used for the backup key encryption must be intact to restore the backup file. If the master key is refreshed, all the older backups are inaccessible or unusable.
  • You must connect to the same HSM and the master key for backup and restore operations irrespective of whether you use HSM-based encryption or password-based encryption.

When you run a backup operation, a manifest file is created along with the backup archive. Before you restore the backup files, ensure that the backup manifest file lists all the IBM Security Key Lifecycle Manager data files in the archive.

About this task

You can use the Backup and Restore page to restore a backup file. Alternatively, you can use the tklmBackupRunRestore command or Backup Run Restore REST Service to restore the file. Your role must have permission to restore files. IBM Security Key Lifecycle Manager creates backup files in a manner that is independent of the operating system and directory structure of the application. You can restore the backup files to an operating system that is different from the one they were backed up from.

Before you start a restore task, isolate the system for maintenance. Take a backup of the existing system. You can later use this backup to bring the system back to its original state if any issues occur during the restore process. The IBM Security Key Lifecycle Manager server automatically restarts after the restore process is complete. Verify the environment before you bring the IBM Security Key Lifecycle Manager server back into production.

Procedure

  1. Go to the appropriate page or directory:
    Graphical user interface
    1. Log on to the graphical user interface.
    2. On the Welcome page, click Administration > Backup and Restore.
    Command-line interface
    1. Go to the WAS_HOME/bin directory. For example,
      Windows
      cd drive:\Program Files\IBM\WebSphere\AppServer\bin
      Linux
      cd /opt/IBM/WebSphere/AppServer/bin
    2. Start the wsadmin interface by using an authorized user ID, such as SKLMAdmin. For example,
      Windows
      wsadmin.bat -username SKLMAdmin -password mypwd -lang jython
      Linux
      ./wsadmin.sh -username SKLMAdmin -password mypwd -lang jython
    REST interface
    • Open a REST client.
  2. Restore a selected backup file. Only one backup or restore task can run at a time. If you restore a file to a replica computer, copy the file to that computer by using media such as a disk, or electronic transmission.
    Graphical user interface
    1. On the Backup and Restore table, select a backup file that is listed in the table.
    2. Click Restore from Backup.
      Note:
      • If you applied a fix pack on distributed systems, do not attempt to restore the backup files that were created before the fix pack application.
    3. On the Restore Backup page, specify the encryption password that was used to create the backup file.
      Note: If HSM-based encryption is used for the backups, you need not specify the password.
    4. Click Restore Backup.
    Command-line interface

    Type tklmBackupRunRestore and specify the necessary information such as the path and backup file name. Specify the encryption password that was used to create the backup file. For example, type:

    print AdminTask.tklmBackupRunRestore('[-backupFilePath /opt/mysklmbackups/sklm_v3.0.0.0_20170705235417-1200_backup -password myBackupPwd]')
    Note: If HSM-based encryption is used for the backups, you need not specify the password.
    REST interface
    1. Obtain a unique user authentication identifier to access IBM Security Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    2. To run Backup Run Restore REST Service, send an HTTP POST request. Pass the user authentication identifier that you obtained in step 1 along with the request message, as shown in the following example.
      POST https://localhost:<port>/SKLM/rest/v1/ckms/restore
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth authId=139aeh34567m
      Accept-Language: en
      {"backupFilePath":"/opt/mysklmbackups/sklm_v2.7.0.0_20160705235417-1200_backup.jar","password":"myBackupPwd"}
    Note: If HSM-based encryption is used for the backups, you need not specify the password.
  3. A message indicates that the restore operation succeeded.
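
The REST request from step 2, built in Python so that the backup password is prompted for rather than typed on a command line, and left out for HSM-encrypted backups. This is an added example, not IBM's code; the function names, the port value, and the ca_file parameter are assumptions.

```python
import getpass
import json
import ssl
import urllib.request

RESTORE_PATH = "/SKLM/rest/v1/ckms/restore"  # endpoint shown on this page

def build_restore_request(host, port, auth_id, backup_file_path, password=None):
    """Build the POST request for Backup Run Restore REST Service.
    password=None is for HSM-encrypted backups, which take no password."""
    # Reject whitespace (including CR/LF) so the value cannot split the header.
    if not auth_id or any(c.isspace() for c in auth_id):
        raise ValueError("authId must be non-empty and contain no whitespace")
    body = {"backupFilePath": backup_file_path}
    if password is not None:
        body["password"] = password
    return urllib.request.Request(
        "https://%s:%d%s" % (host, int(port), RESTORE_PATH),
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": "SKLMAuth authId=" + auth_id,
            "Accept-Language": "en",
        },
    )

def send_restore(request, ca_file, timeout=600):
    """Send the request, verifying the server certificate against ca_file."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    # Constructed values: port 9443 and the file name are placeholders.
    auth_id = getpass.getpass("authId: ")
    pwd = getpass.getpass("Backup password (empty for HSM-based backup): ") or None
    req = build_restore_request("localhost", 9443, auth_id,
                                "/opt/mysklmbackups/<backup file>.jar", pwd)
    print(req.get_method(), req.full_url)
```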

Results

The IBM Security Key Lifecycle Manager server automatically restarts after a backup file is restored when the autoRestartAfterRestore property value is true (default value) in the SKLMConfig.properties file.
Note: After an automatic restart of the IBM Security Key Lifecycle Manager server, the Windows WebSphere® Application Server service status is not refreshed and is shown as stopped.

What to do next

Note: After data restoration, ensure that the paths for the properties in the SKLMConfig.properties, datastore.properties, and ReplicationSKLMConfig.properties files are correct before you proceed with your next task.

Determine whether the server is at the expected state. For example, you might examine the keystore to see whether a certificate that had problems before the backup file restore is now available for use.
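
A post-restore check for the property paths and the autoRestartAfterRestore setting described above, useful when a backup is restored to a host with a different directory layout. This is an added example, not part of the product; the rule that only absolute values are treated as paths is an assumption, and every property name except autoRestartAfterRestore is constructed.

```python
import os
import re
import tempfile

RESTORED_FILES = ("SKLMConfig.properties", "datastore.properties",
                  "ReplicationSKLMConfig.properties")

def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments. Continuation lines
    and ':' separators are not handled (simplification for this example)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def looks_like_path(value):
    """Assumption: a value is a path if it is absolute (POSIX or drive letter)."""
    return value.startswith("/") or re.match(r"[A-Za-z]:[\\/]", value) is not None

def missing_paths(props):
    """Return {property: path} for path-like values that do not exist here."""
    return {k: v for k, v in props.items()
            if looks_like_path(v) and not os.path.exists(v)}

def auto_restart_enabled(props):
    """The page gives true as the default when the property is not set."""
    return props.get("autoRestartAfterRestore", "true").lower() == "true"

def check_config_dir(config_dir):
    """Check each properties file the page names, if present in config_dir."""
    report = {}
    for name in RESTORED_FILES:
        path = os.path.join(config_dir, name)
        if os.path.isfile(path):
            # Java .properties files are ISO-8859-1 by default.
            with open(path, encoding="latin-1") as fh:
                report[name] = missing_paths(parse_properties(fh.read()))
    return report

if __name__ == "__main__":
    # Constructed sample file with one valid and one stale path.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "SKLMConfig.properties"), "w") as fh:
            fh.write("example.ok.dir=%s\nexample.stale.path=%s/not-restored\n" % (d, d))
        print(check_config_dir(d))
```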