IBM Support

How to Back Up, Migrate, or Replicate my Digital Certificate Manager (DCM) Environment?

How To


Summary

This document describes how to back up, migrate, or replicate your DCM environment to another IBM i server.

Steps

Three items make up your DCM environment: the certificate store files, the certificate store system password stash, and the user index holding the certificate-to-application assignments. When backing up, migrating, or replicating your DCM environment, make sure all three are saved and then restored or replicated properly to the new IBM i server; two further steps below cover a release-specific migration call and the optional DCM application ID registrations.

1. The DCM certificate store files containing your TLS certificates.
The certificate store files are all located in the following IFS location:
 
/QIBM/UserData/ICSS/Cert

This directory can be backed up/migrated/replicated with the following SAV (save) and RST (restore) CL commands.
 
CRTSAVF FILE(QGPL/DCMIFS)

SAV DEV('/QSYS.LIB/QGPL.LIB/DCMIFS.FILE') OBJ(('/QIBM/UserData/ICSS/Cert')) DTACPR(*HIGH) PVTAUT(*YES)

RST DEV('/QSYS.LIB/QGPL.LIB/DCMIFS.FILE') OBJ(('/QIBM/UserData/ICSS/Cert')) PVTAUT(*YES)
2. The certificate store system password stash.
The certificate store system password is used by IBM i OS applications (Telnet, FTP, Host Servers, HTTP, etc.) to authenticate to the DCM certificate stores (*SYSTEM and Local CA). The stash keeps that password in sync between the DCM certificate store files in the IFS and the system password hash managed by the OS. If you restore the certificate store files without also restoring the matching password stash, the OS can no longer open the stores, which may result in the loss of your TLS certificates. Please refer to the following URL for more information on this.

===================================
To save the certificate store system password stash, use either the SAVSYS or the SAVSECDTA command (SAVSYS requires tape or optical media; SAVSECDTA can also target a save file).
To restore the DCM password stash, use the following restore user profile command:
 
RSTUSRPRF USRPRF(*NONE) SECDTA(*DCM)

NOTE: The above command requires your IBM i server to be in restricted state (ENDSBS *ALL).

3. The user index containing the TLS certificate to IBM i application assignments.
The TLS certificate to IBM i application assignments are stored in the following user index object:
 
QUSRSYS/QYCDCERTI
This can be saved with the SAVOBJ command and restored with the RSTOBJ command.
 
CRTSAVF FILE(QGPL/DCMUSRIDX)

SAVOBJ OBJ(QYCDCERTI) LIB(QUSRSYS) DEV(*SAVF) SAVF(QGPL/DCMUSRIDX) PVTAUT(*YES)

RSTOBJ OBJ(QYCDCERTI) SAVLIB(QUSRSYS) DEV(*SAVF) SAVF(QGPL/DCMUSRIDX) PVTAUT(*YES)
4. NOTE: For IBM i 7.2 and 7.3 ONLY, you also need to run the following command to migrate your IBM i Local CA information.
Run the following command on the IBM i command line after the restore:
 
CALL QICSS/QYCUMIGREX
This call will migrate the local CA information to the new format that IBM i 7.2 and 7.3 uses (since the OS now supports more than one Local CA).

5. (OPTIONAL) All DCM Application IDs are registered under the exit point QIBM_QSY_CERT_APPS in the QUSRSYS/QUSEXRGOBJ object. WARNING: the QUSRSYS/QUSEXRGOBJ object holds the registration information for ALL exit points on the system, not just DCM. If this object is migrated or replicated, ALL exit point registrations go with it, which can negatively affect the target IBM i server if not handled properly (for example, by overwriting exit programs registered only on the target). Use caution.
If you do want to migrate or replicate your DCM application ID information, save this object and restore or replicate it on the target.
This can be saved with the SAVOBJ command and restored with the RSTOBJ command.
 
CRTSAVF FILE(QGPL/DCMAPPS)

SAVOBJ OBJ(QUSEXRGOBJ) LIB(QUSRSYS) DEV(*SAVF) SAVF(QGPL/DCMAPPS) PVTAUT(*YES)

RSTOBJ OBJ(QUSEXRGOBJ) SAVLIB(QUSRSYS) DEV(*SAVF) SAVF(QGPL/DCMAPPS) PVTAUT(*YES)
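The commands in steps 1 through 3 are usually run together, and the stash has to travel with the stores. The ILE CL program below is an added example (not IBM's code, and not part of this document's original commands) that performs the save of all three items into save files, or the matching restore, from one call. It assumes a program name of DCMSAVRST and save file names DCMIFS, DCMSECDTA and DCMUSRIDX in QGPL; the security data goes to a save file via SAVSECDTA because SAVSYS cannot target a save file. The optional QUSEXRGOBJ object from step 5 is deliberately left out because of the warning above.

```cl
/* DCMSAVRST: save or restore the three DCM components from this page.    */
/* Added example, not IBM code. Assumed names: save files QGPL/DCMIFS,     */
/* QGPL/DCMSECDTA and QGPL/DCMUSRIDX. Call with 'SAVE' or 'RESTORE'.       */
/* RESTORE must run in restricted state (ENDSBS SBS(*ALL) OPTION(*IMMED)) */
/* because RSTUSRPRF SECDTA(*DCM) requires it.                             */
             PGM        PARM(&ACTION)
             DCL        VAR(&ACTION) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGTXT) TYPE(*CHAR) LEN(132)

             /* Any unmonitored CPF escape message ends in the ERROR handler */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

             SELECT
             WHEN       COND(&ACTION *EQ 'SAVE') THEN(DO)
             /* 1. Certificate store files in /QIBM/UserData/ICSS/Cert       */
             CHKOBJ     OBJ(QGPL/DCMIFS) OBJTYPE(*FILE)
             MONMSG     MSGID(CPF9801) EXEC(CRTSAVF FILE(QGPL/DCMIFS) +
                          TEXT('DCM IFS certificate stores'))
             SAV        DEV('/QSYS.LIB/QGPL.LIB/DCMIFS.FILE') +
                          OBJ(('/QIBM/UserData/ICSS/Cert')) +
                          DTACPR(*HIGH) PVTAUT(*YES) CLEAR(*ALL)
             /* 2. Security data, which carries the DCM password stash       */
             CHKOBJ     OBJ(QGPL/DCMSECDTA) OBJTYPE(*FILE)
             MONMSG     MSGID(CPF9801) EXEC(CRTSAVF FILE(QGPL/DCMSECDTA) +
                          TEXT('Security data incl. DCM password stash'))
             SAVSECDTA  DEV(*SAVF) SAVF(QGPL/DCMSECDTA) CLEAR(*ALL)
             /* 3. Certificate-to-application assignments (user index)       */
             CHKOBJ     OBJ(QGPL/DCMUSRIDX) OBJTYPE(*FILE)
             MONMSG     MSGID(CPF9801) EXEC(CRTSAVF FILE(QGPL/DCMUSRIDX) +
                          TEXT('DCM application assignments'))
             SAVOBJ     OBJ(QYCDCERTI) LIB(QUSRSYS) DEV(*SAVF) +
                          SAVF(QGPL/DCMUSRIDX) PVTAUT(*YES) CLEAR(*ALL)
             SNDPGMMSG  MSG('DCM save complete: QGPL/DCMIFS, DCMSECDTA, +
                          DCMUSRIDX') MSGTYPE(*COMP)
             ENDDO

             WHEN       COND(&ACTION *EQ 'RESTORE') THEN(DO)
             RST        DEV('/QSYS.LIB/QGPL.LIB/DCMIFS.FILE') +
                          OBJ(('/QIBM/UserData/ICSS/Cert')) PVTAUT(*YES)
             /* Stash must come back with the stores or the OS cannot open them */
             RSTUSRPRF  DEV(*SAVF) SAVF(QGPL/DCMSECDTA) USRPRF(*NONE) +
                          SECDTA(*DCM)
             RSTOBJ     OBJ(QYCDCERTI) SAVLIB(QUSRSYS) DEV(*SAVF) +
                          SAVF(QGPL/DCMUSRIDX) PVTAUT(*YES)
             /* On IBM i 7.2 or 7.3 targets only, follow with:              */
             /*   CALL QICSS/QYCUMIGREX                                     */
             SNDPGMMSG  MSG('DCM restore complete') MSGTYPE(*COMP)
             ENDDO

             OTHERWISE  CMD(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Parameter must be SAVE or RESTORE') +
                          MSGTYPE(*ESCAPE))
             ENDSELECT
             RETURN

 ERROR:      /* Re-send the failing command's message text as an escape */
             RCVMSG     MSGTYPE(*EXCP) MSG(&MSGTXT)
             MONMSG     MSGID(CPF0000)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSGTXT) +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Compile it with CRTBNDCL (SELECT/WHEN needs ILE CL) and run CALL DCMSAVRST PARM('SAVE') on the source system, transfer the three save files, then on the target enter restricted state and run CALL DCMSAVRST PARM('RESTORE'). SAVSECDTA saves all security data, not only the DCM stash, so RSTUSRPRF is limited here with USRPRF(*NONE) SECDTA(*DCM) exactly as in step 2 above, which keeps user profiles on the target untouched.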
The following document provides more information regarding the backup and recovery of your DCM environment.

IBM Documentation - Backup and recovery considerations for DCM data

Document Location

Worldwide


Document Information

Modified date:
22 August 2022

UID

ibm16614285