IBM Security Guardium Key Lifecycle Manager, Version 2.7

Encryption Key Manager, Version 2.1 backup and restore - README

The README file describes how to run backup and restore operations on Encryption Key Manager, Version 2.1 data.
Note: For greater security, change the IBM Security Guardium Key Lifecycle Manager User password soon after the data migration process.

Backing up Encryption Key Manager, Version 2.1 data

Use the IBM Security Guardium Key Lifecycle Manager, Version 2.7 backup utility to create Encryption Key Manager, Version 2.1 backup files.

Before you begin

  • You must install IBM Security Guardium Key Lifecycle Manager, Version 2.7 on a system.
  • Ensure that the Encryption Key Manager folder contains the configuration file, keystore files, and the other data files and folders that are related to drivetable, key groups, and metadata.

About this task

You can use the backup utility to create cross-platform backup files in a manner that is independent of operating systems and directory structure of the server. You can restore these cross-platform compatible backup files on a system with IBM Security Guardium Key Lifecycle Manager, Version 2.7 across operating systems.

Procedure

  1. Copy the Encryption Key Manager folder and all other necessary files to a system where IBM Security Guardium Key Lifecycle Manager, Version 2.7 is installed.
  2. Ensure that the KeyManagerConfig.properties file and the following files that are mentioned in the KeyManagerConfig.properties file are copied.
    Note: You must edit the KeyManagerConfig.properties configuration file in the Encryption Key Manager folder to specify the absolute paths of the keystore and other data files, as shown in the following example.
    Admin.ssl.keystore.name=C\:/EKM21/test.keys.ssl
    Admin.ssl.truststore.name=C\:/EKM21/test.keys.ssl
    TransportListener.ssl.truststore.name=C\:/EKM21/test.keys.ssl
    TransportListener.ssl.keystore.name=C\:/EKM21/test.keys.ssl
    config.keystore.file=C\:/EKM21/test.keys.jceks
    config.drivetable.file.url=FILE\:C\:/EKM21/filedrive.table
    Audit.handler.file.directory=C\:/audit
    Audit.metadata.file.name=C\:/EKM21/metadata/EKMData.xml
    config.keygroup.xml.file=FILE\:C\:/EKM21/KeyGroups.xml
  3. Locate the backup utilities folder on the system where version 2.7 is installed.
    Windows
    <SKLM_INSTALL_HOME>\migration\utilities\ekm21

    Default location is C:\Program Files\IBM\SKLMV27\migration\utilities\ekm21.

    Linux
    <SKLM_INSTALL_HOME>/migration/utilities/ekm21

    Default location is /opt/IBM/SKLMV27/migration/utilities/ekm21.

  4. Edit backup.properties in the backup utilities folder to configure properties as shown in the following example. You must set values for all the properties, except for the BACKUP_DIR property (optional).

    If you do not specify the value for BACKUP_DIR, the backup file is created in the backup subfolder under the same directory from where you run the backup utility.

    Note: On Windows operating system, the backup.properties file that you use for backup operations must not contain the property keys and values with leading or trailing spaces.
    Windows
    KLM_VERSION=2.1
    BACKUP_DIR=C:\\ekm_backup
    EKM_HOME=C:\\EKM21
    BACKUP_PASSWORD=passw0rd123
    JAVA_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer\\java\\8.0
    Linux
    KLM_VERSION=2.1
    BACKUP_DIR=/ekm_backup
    EKM_HOME=/EKM21
    BACKUP_PASSWORD=passw0rd123
    JAVA_HOME=/opt/IBM/WebSphere/AppServer/java/8.0
    Note: On Windows systems, when you specify a path in the properties file, use either "/" or "\\" as the path separator, as shown in the following example.
    C:\\ekm_backup
    Or
    C:/ekm_backup
  5. Open a command prompt and run the backup utility.
    Windows
    Go to the <SKLM_INSTALL_HOME>\migration\utilities\ekm21 directory and run the following command:
    backupEKM21.bat
    Linux
    Go to the <SKLM_INSTALL_HOME>/migration/utilities/ekm21 directory and run the following command:
    backupEKM21.sh

What to do next

  • Review the directory that contains backup files to ensure that the backup file exists. The backup files are created in the location that you specified for BACKUP_DIR in the backup.properties file.
  • Check the backup.log file for errors or exceptions. The backup.log file is created in the same directory where you run the backup utility. For a successful backup operation, ensure that there are no errors or exceptions in the log file.
  • Retain the backup password for future use in case you restore the backup.
  • Do not edit a file in the backup archive. The file that you attempt to edit becomes unreadable.
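
The checks in this list can be scripted. The following Python sketch is an added example, not part of the IBM utilities: it confirms that an archive exists in BACKUP_DIR, scans backup.log for errors or exceptions, and records a SHA-256 digest so that a later change to the archive is detected before a restore. The `*_backup.jar` name pattern is inferred from the example file names on this page, and the log lines in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

PROBLEM = re.compile(r"error|exception", re.IGNORECASE)

def sha256_file(path):
    """Stream the file so a large archive is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_backup(backup_dir, log_path):
    """Confirm an archive exists, scan backup.log, and fingerprint the archive."""
    # Name pattern inferred from the example file names on this page (assumption).
    archives = sorted(Path(backup_dir).glob("*_backup.jar"),
                      key=lambda p: p.stat().st_mtime)
    if not archives:
        return {"ok": False, "archive": None, "sha256": None, "log_problems": []}
    newest = archives[-1]
    # The log format is not documented here, so match the two words the page names.
    text = Path(log_path).read_text(encoding="utf-8", errors="replace")
    problems = [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
                if PROBLEM.search(line)]
    return {"ok": not problems and newest.stat().st_size > 0,
            "archive": newest.name, "sha256": sha256_file(newest),
            "log_problems": problems}

def unchanged_since(archive_path, recorded_sha256):
    """Before a restore, check the archive still matches the recorded digest."""
    return sha256_file(archive_path) == recorded_sha256.lower()

def demo():
    """Run the checks on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        jar = Path(d, "sklm_vEKM21_20160420113253+0530_backup.jar")
        jar.write_bytes(b"constructed archive bytes")
        log = Path(d, "backup.log")
        log.write_text("Backup started\njava.io.IOException: constructed failure\n")
        return verify_backup(d, log)

if __name__ == "__main__":
    print(demo())
```

Store the recorded digest separately from the archive and from the backup password.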

Restoring Encryption Key Manager, Version 2.1 backup files

You can restore the Encryption Key Manager, Version 2.1 cross-platform backup files on a system with IBM Security Guardium Key Lifecycle Manager, Version 2.7 by using the graphical user interface, command-line interface, REST interface, or the migration restore script.

Before you begin

Install IBM Security Guardium Key Lifecycle Manager, Version 2.7 on a system. You must have the Encryption Key Manager backup file and ensure that you have the password that you used when the backup file was created.
Note: You must have IBM Security Guardium Key Lifecycle Manager User role to run backup and restore operations.

About this task

You can restore Encryption Key Manager cross-platform compatible backup files on a system with IBM Security Guardium Key Lifecycle Manager, Version 2.7 across operating systems.

Before you start a restore task, isolate the system for maintenance. Take a backup of the existing system. You can later use this backup to bring the system back to original state if any issues occur during the restore process. IBM Security Guardium Key Lifecycle Manager server automatically restarts after the restore process is complete. Verify the environment before you bring the IBM Security Guardium Key Lifecycle Manager server back into production.

Procedure

  1. Log on to the system where IBM Security Guardium Key Lifecycle Manager, Version 2.7 is installed.
  2. Copy the backup file, for example sklm_vEKM21_20160420113253+0530_backup.jar, from the Encryption Key Manager, Version 2.1 system to a directory of your choice.
  3. Restore the backup file by using any of the following methods.
    Graphical user interface
    1. Log on to the graphical user interface as an authorized user, for example, SKLMAdmin.
    2. On the Welcome page, click Backup and Restore.
    3. In the Backup repository location field, specify the full path of the directory that contains the Encryption Key Manager backup file. To locate the directory, click Browse.
    4. Click Display Backups to display the backup files that you want to restore.
    5. In the Backup and Restore table, select a backup file.
    6. Click Restore From Backup.
    7. On the Restore Backup page, specify the backup password that you used to create the backup file.
    8. Click Restore Backup.
    9. Restart IBM Security Guardium Key Lifecycle Manager server.
    Command-line interface
    1. Go to the WAS_HOME/bin directory. For example,
      Windows
      cd drive:\Program Files\IBM\WebSphere\AppServer\bin
      Linux
      cd /opt/IBM/WebSphere/AppServer/bin
    2. Start the wsadmin interface by using an authorized user ID, such as SKLMAdmin. For example,
      Windows
      wsadmin.bat -username SKLMAdmin -password mypwd -lang jython
      Linux
      ./wsadmin.sh -username SKLMAdmin -password mypwd -lang jython
    3. Run the tklmBackupRunRestore CLI command by specifying the parameters such as the backup file name with its full path and backup password that you used to create the backup as shown in the following example.
      print AdminTask.tklmBackupRunRestore('[-backupFilePath /opt/mysklmbackups/sklm_vEKM21_20160420113253+0530_backup.jar -password myBackupPwd]')
    4. Restart IBM Security Guardium Key Lifecycle Manager server.
    REST interface
    1. Open a REST client.
    2. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see http://www-01.ibm.com/support/knowledgecenter/SSWPVP_2.7.0/com.ibm.sklm.doc/reference/ref/ref_ic_rest_auth_service.html.
    3. To run the Backup Run Restore REST Service, send an HTTP POST request with the backup file name with its full path and the backup password as parameters. Pass the user authentication identifier that you obtained in step 2 along with the request message, as shown in the following example.
      POST https://localhost:<port>/SKLM/rest/v1/ckms/restore
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth authId=139aeh34567m
      Accept-Language: en
      {"backupFilePath":"/opt/mysklmbackups/sklm_vEKM21_20160420113253+0530_backup.jar","password":"myBackupPwd"}
    4. Restart IBM Security Guardium Key Lifecycle Manager server.
    Migration restore script
    1. Locate the IBM Security Guardium Key Lifecycle Manager restore utilities.
      Windows
      <SKLM_INSTALL_HOME>\migration\utilities\ekm21

      Default location is C:\Program Files\IBM\SKLMV27\migration\utilities\ekm21.

      Linux
      <SKLM_INSTALL_HOME>/migration/utilities/ekm21

      Default location is /opt/IBM/SKLMV27/migration/utilities/ekm21.

    2. Edit restore.properties in the ekm21 folder to configure properties as shown in the following example:
      Note: On Windows operating system, the restore.properties file that you use for restore operations must not contain the property keys and values with leading or trailing spaces.
      Windows
      WAS_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer
      JAVA_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer\\java\\8.0
      BACKUP_PASSWORD=passw0rd123
      DB_PASSWORD=sklmdb27
      RESTORE_FILE=C:\\ekm_restore\\sklm_vEKM21_20160424024117-0400_backup.jar
      WAS_USER_PWD=wasadmin
      RESTORE_USER_ROLES=n
      Linux
      WAS_HOME=/opt/IBM/WebSphere/AppServer
      JAVA_HOME=/opt/IBM/WebSphere/AppServer/java/8.0
      BACKUP_PASSWORD=passw0rd123
      DB_PASSWORD=sklmdb27
      RESTORE_FILE=/ekm_restore/20160424024117-0400_backup.jar
      WAS_USER_PWD=wasadmin
      RESTORE_USER_ROLES=n
      Note: On Windows operating system, when you specify a path in the properties file, use either "/" or "\\" as the path separator, as shown in the following example.
      C:\\ekm_restore
      Or
      C:/ekm_restore
    3. Open a command prompt and run the restore utility.
      Windows
      Go to the <SKLM_INSTALL_HOME>\migration\utilities\ekm21 directory and run the following command:
      restoreEKM21.bat
      Linux
      Go to the <SKLM_INSTALL_HOME>/migration/utilities/ekm21 directory and run the following command:
      restoreEKM21.sh
    4. Restart IBM Security Guardium Key Lifecycle Manager server.
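
The constraints that the backup and restore procedures place on backup.properties and restore.properties (values set for the listed properties with BACKUP_DIR optional, no leading or trailing spaces, "/" or "\\" as the Windows path separator) can be checked before either utility runs. The following Python sketch is an added example, not part of the IBM utilities; treating every key shown in the restore.properties sample as required and the owner-only permission check are assumptions of the example, and the sample input is constructed.

```python
import os
import re
import stat

# Keys come from the sample files on this page. Requiring every key shown for
# restore.properties is an assumption of this example.
REQUIRED = {
    "backup.properties": ["KLM_VERSION", "EKM_HOME", "BACKUP_PASSWORD", "JAVA_HOME"],
    "restore.properties": ["WAS_HOME", "JAVA_HOME", "BACKUP_PASSWORD", "DB_PASSWORD",
                           "RESTORE_FILE", "WAS_USER_PWD", "RESTORE_USER_ROLES"],
}
PATH_KEYS = ("_HOME", "_DIR", "_FILE")
LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")  # a "\" that is not part of "\\"

def lint_properties(text, kind):
    """Return findings for the text of backup.properties or restore.properties."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith(("#", "!")):
            continue  # blank line or comment
        key, _, value = raw.partition("=")
        if key != key.strip() or value != value.strip():
            findings.append(f"line {n}: leading or trailing space around {key.strip()}")
        key, value = key.strip(), value.strip()
        seen[key] = value
        # The page allows "/" or "\\" as the Windows separator, not a single "\".
        if key.endswith(PATH_KEYS) and LONE_BACKSLASH.search(value):
            findings.append(f"line {n}: single backslash in {key}; use '/' or '\\\\'")
    findings += [f"{k} is missing or empty" for k in REQUIRED[kind] if not seen.get(k)]
    return findings

def lint_file(path, kind):
    """Lint a file on disk; on POSIX also flag group/other permission bits."""
    with open(path, encoding="utf-8") as fh:
        findings = lint_properties(fh.read(), kind)
    # Added hardening check, not from the page: the file holds clear-text passwords.
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file is accessible to group/other; restrict to owner (0600)")
    return findings

# Constructed sample: lone "\" in JAVA_HOME, trailing space, KLM_VERSION missing.
SAMPLE = "\n".join([
    r"JAVA_HOME=C:\\Program Files\\IBM\\WebSphere\\AppServer\\java\8.0",
    "BACKUP_PASSWORD=<placeholder> ",
    "EKM_HOME=C:/EKM21",
])
if __name__ == "__main__":
    print("\n".join(lint_properties(SAMPLE, "backup.properties")))
```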