Appendix A. Backup and Restore using Keys in PKCS#11

This topic outlines the backup and restore procedures using an external PKCS#11 security provider.

Backup

On both the EP and its partner server:

  1. Install and configure your external security provider.

    If needed, create a partition in the external security provider.
    Set up the pkcs11_java.cfg file.

  2. Generate the backup/restore key (br_key) and store it in a PFX (PKCS#12) file.

  3. Import the PFX file into the security provider:

    keytool -importkeystore -srckeystore [pfx-file] -destalias [key-name] -srcstoretype pkcs12 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg [pkcs11_java.cfg] -keystore NONE -storetype PKCS11 -storepass [slot_pwd] -srcstorepass [source password] -alias [key-name]

  4. Perform the EKM Service Restart (refer to EKM Service Management).
  5. Back up the CORE database, encrypting it with the key stored in the security provider's key store:

    /opt/ekm/bin/ekm_backup.sh -p SunPKCS11-[partition] -t PKCS11 -w [password] -n br_key -a RSA/ECB/PKCS1Padding

Restore

On the servers designated to be the EP and its partner server, restore the corresponding backup files.

  1. Install and configure your external security provider.

    Set up the pkcs11_java.cfg file.

  2. Restore the database:

    /opt/ekm/bin/ekm_restore.sh -b ~/backup.tar.gz -p SunPKCS11-[partition] -t PKCS11 -n br_key -a RSA/ECB/PKCS1Padding -w [password]
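The backup and restore steps above only succeed when the -p provider name, the -n key alias and the algorithm match on both sides. The following preflight helper is an added example, not part of the EKM tooling: it parses the pkcs11_java.cfg file, derives the provider name that SunPKCS11 registers ("SunPKCS11-" followed by the cfg's name attribute, which is what the [partition] placeholder stands for), and assembles the keytool import, backup and restore command lines from one set of values. The library path, passwords and archive name are constructed placeholders.

```python
# Added preflight helper (not part of the EKM tooling): parse pkcs11_java.cfg,
# derive the SunPKCS11 provider name -p expects, build consistent command lines.

# Constructed sample config; the library path is a placeholder.
SAMPLE_CFG = """\
# SunPKCS11 configuration for the backup/restore partition
name = partition1
library = /opt/hsm/lib/libpkcs11.so
slot = 0
"""

def parse_sunpkcs11_cfg(text):
    """Parse 'attribute = value' lines; '#' starts a comment."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed config line: %r" % raw)
        attrs[key.strip()] = value.strip().strip('"')
    for required in ("name", "library"):
        if required not in attrs:
            raise ValueError("missing required attribute %r" % required)
    return attrs

def provider_name(attrs):
    """SunPKCS11 registers the provider as 'SunPKCS11-<name attribute>'."""
    return "SunPKCS11-" + attrs["name"]

def keytool_import_cmd(pfx, cfg_path, alias, slot_pwd, src_pwd):
    """Step 3: import the PFX key pair into the PKCS#11 key store under alias."""
    return ["keytool", "-importkeystore", "-srckeystore", pfx, "-srcstoretype", "pkcs12",
            "-srcstorepass", src_pwd, "-providerClass", "sun.security.pkcs11.SunPKCS11",
            "-providerArg", cfg_path, "-keystore", "NONE", "-storetype", "PKCS11",
            "-storepass", slot_pwd, "-alias", alias, "-destalias", alias]

def backup_cmd(attrs, alias, slot_pwd):
    """Step 5: encrypt the CORE database backup with the key held by the provider."""
    return ["/opt/ekm/bin/ekm_backup.sh", "-p", provider_name(attrs), "-t", "PKCS11",
            "-w", slot_pwd, "-n", alias, "-a", "RSA/ECB/PKCS1Padding"]

def restore_cmd(attrs, alias, slot_pwd, archive):
    """Restore: same provider, alias and algorithm as the backup that produced it."""
    return ["/opt/ekm/bin/ekm_restore.sh", "-b", archive, "-p", provider_name(attrs),
            "-t", "PKCS11", "-n", alias, "-a", "RSA/ECB/PKCS1Padding", "-w", slot_pwd]
```

Run the returned argument lists with subprocess.run(argv) on the EP and on its partner server; because both sides read the same cfg and alias, a partition renamed on one host shows up as a ValueError or a mismatched -p value before any backup is written.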