A restore returns the IBM Security Key Lifecycle Manager server to
a known state, by using backed-up production data, such as the IBM Security Key Lifecycle Manager key
materials and other critical information.
Before you begin
Consider the following guidelines before you restore HSM-based encryption backups:
- Ensure that the same HSM partition is present with all its key entries intact on the system
where the backup file is restored.
- The master key that was used for the backup key encryption must be intact to restore the backup
file. If the master key is refreshed, all the older backups are inaccessible or unusable.
- You must connect to the same HSM and master key for backup and restore operations,
irrespective of whether you use HSM-based encryption or password-based encryption.
When you run a backup operation, a manifest file is created along with the backup archive. Before
you restore the backup files, ensure that the backup manifest file lists all the IBM Security Key Lifecycle Manager data files in the archive.
About this task
You can use the Backup and Restore page to restore a backup file.
Alternatively, you can use the tklmBackupRunRestore command or Backup
Run Restore REST Service to restore the file. Your role must have
permission to restore files. IBM Security Key Lifecycle Manager creates backup files in a manner that is
independent of operating systems and directory structure of the application. You can restore the
backup files to an operating system that is different from the one it was backed up from.
Before you start a restore task, isolate the system for maintenance. Take a backup of the existing
system. You can later use this backup to bring the system back to
its original state if any issues occur during the restore process. The IBM Security Key Lifecycle Manager server automatically
restarts after the restore process is complete. Verify the environment
before you bring the IBM Security Key Lifecycle Manager server back into
production.
Procedure
- Go to the appropriate page or directory:
- Graphical user interface
- Log on to the graphical user interface.
- On the Welcome page, click .
- Command-line interface
- Go to the WAS_HOME/bin directory. For example,
- Windows
cd drive:\Program Files\IBM\WebSphere\AppServer\bin
- Linux
cd /opt/IBM/WebSphere/AppServer/bin
- Start the wsadmin interface by using an authorized user ID, such as SKLMAdmin. For example,
- Windows
wsadmin.bat -username SKLMAdmin -password mypwd -lang jython
- Linux
./wsadmin.sh -username SKLMAdmin -password mypwd -lang jython
- REST interface
-
- Restore a selected backup file. Only one backup or restore
task can run at a time. If you restore a file to a replica computer,
copy the file to that computer by using media such as a disk, or electronic
transmission.
- Graphical user interface
- On the Backup and Restore table, select a backup file that
is listed in the table.
- Click Restore from Backup.
Note:
- If you applied a fix pack on distributed systems,
do not attempt to restore the backup files that were created before
the fix pack application.
- On the Restore Backup page, specify the encryption
password that was used to create the backup file.
Note: If HSM-based
encryption is used for the backups, you need not specify the password.
- Click Restore Backup.
- Command-line interface
Type tklmBackupRunRestore and specify the
necessary information such as the path and backup file name. Specify
the encryption password that was used to create the backup file. For
example, type:
print AdminTask.tklmBackupRunRestore('[-backupFilePath /opt/mysklmbackups/sklm_v3.0.0.0_20170705235417-1200_backup -password myBackupPwd]')
Note: If HSM-based encryption is used for the backups, you need not specify
the password.
- REST interface
- Obtain a unique user authentication identifier to access IBM Security Key Lifecycle Manager REST
services. For more information about the authentication process, see Authentication process for REST services.
- To run Backup Run Restore REST Service, send
the HTTP POST request. Pass the user authentication identifier that
you obtained in Step a along with the request message
as shown in the following example.
POST https://localhost:<port>/SKLM/rest/v1/ckms/restore
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth authId=139aeh34567m
Accept-Language: en
{"backupFilePath":"/opt/mysklmbackups/sklm_v2.7.0.0_20160705235417-1200_backup.jar","password":"myBackupPwd"}
Note: If HSM-based encryption is used for the backups, you need
not specify the password.
- A message indicates that the restore operation succeeded.
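The REST request from the procedure above, built in Python as an added example (not IBM's client code): the password field is omitted for HSM-based backups, the server certificate is verified, and secrets are masked before logging. The host, port and CA file arguments are assumptions supplied by the caller.

```python
import json
import ssl
import urllib.request

RESTORE_ENDPOINT = "/SKLM/rest/v1/ckms/restore"  # path from the request shown above


def build_restore_request(host, port, auth_id, backup_file_path, password=None):
    """Build, without sending, the Backup Run Restore POST request.

    Leave password as None for an HSM-encrypted backup, which needs no password.
    """
    if not backup_file_path:
        raise ValueError("backupFilePath is required")
    if password == "":
        raise ValueError("empty password; pass None for HSM-based backups")
    body = {"backupFilePath": backup_file_path}
    if password is not None:
        body["password"] = password
    return urllib.request.Request(
        f"https://{host}:{port}{RESTORE_ENDPOINT}",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"SKLMAuth authId={auth_id}",
            "Accept-Language": "en",
        },
    )


def loggable(request):
    """Describe the request for an audit log with both secrets masked."""
    body = json.loads(request.data)
    if "password" in body:
        body["password"] = "***"
    return {"method": request.get_method(), "url": request.full_url,
            "authorization": "SKLMAuth authId=***", "body": body}


def send(request, ca_file=None):
    """Send the request; the server certificate is verified (system CAs or ca_file)."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=600) as resp:
        return resp.status, resp.read().decode("utf-8")
```

Read the backup password at run time, for example with getpass.getpass(), instead of placing it in the script or on a command line.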
Results
The IBM Security Key Lifecycle Manager server
automatically restarts after a backup file is restored when the autoRestartAfterRestore property
value is true (default value) in the SKLMConfig.properties file.
Note: After automatic restart of the IBM Security Key Lifecycle Manager server,
the Windows WebSphere® Application Server service
status is not refreshed and is shown as stopped.
What to do next
Note: After data restoration, ensure that the paths for the properties in
the SKLMConfig.properties, datastore.properties, and
ReplicationSKLMConfig.properties files are correct before you proceed with your
next task.
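A read-only check for the note above, added here as an example and not IBM's own tooling: it parses a restored properties file and reports path-valued properties that are missing on the host or written in the other operating system's style, which matters when a backup is restored to a different operating system. The property keys in the sample are constructed, apart from autoRestartAfterRestore.

```python
import ntpath
import os
import re

# Constructed sample. Keys are hypothetical, except autoRestartAfterRestore,
# which this page names.
SAMPLE = r"""
# constructed: a Windows-style path in a file checked on a Linux host
autoRestartAfterRestore=true
sample.backup.dir=C\:\\sklm\\backups
sample.audit.file = /opt/sklm/logs/audit.log
sample.keystore.file=/opt/sklm/keystore/missing.jks
"""

_LINE = re.compile(r"^\s*((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse key/value lines; continuation lines and unicode escapes are not handled."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue  # blank line or comment
        m = _LINE.match(line)
        if m:  # undo backslash escapes such as an escaped drive colon
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2).strip())
    return props


def path_style(value):
    """Return 'windows', 'posix', or None when the value is not an absolute path."""
    drive, rest = ntpath.splitdrive(value)
    if drive and rest[:1] in ("/", "\\"):
        return "windows"
    return "posix" if value.startswith("/") else None


def check_paths(props, host_is_windows=(os.name == "nt"), exists=os.path.exists):
    """List (key, value, problem) for path-valued properties that need attention."""
    findings = []
    host_style = "windows" if host_is_windows else "posix"
    for key, value in props.items():
        style = path_style(value)
        if style and style != host_style:
            findings.append((key, value, "foreign-os"))
        elif style and not exists(value):
            findings.append((key, value, "missing"))
    return findings
```

Run parse_properties on the text of each of the three files and review every finding before the server goes back into production.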
Determine whether the server is at the expected state. For example, you might examine the
keystore to see whether a certificate that had problems before the backup file restore is now
available for use.