PKI backup and restore

Overview

The PKI generated by the master Appliance during federation lets Collectors securely communicate with the Engines through a TCP connection.

If you do not back up the PKI items held by the master Appliance (root certificate, private key, and customer key) before a full disaster occurs, you will have to re-create the PKI and distribute a new root certificate and a new customer key to every deployed Collector.

Manual backup

Once you have federated at least one slave Appliance, take a backup of the generated PKI:

  1. Open a web browser and log in to the Web Console of the master Appliance as admin.
  2. In the Appliance tab, select the Collector security section on the left-hand side menu.
  3. Click the button DOWNLOAD under Certificate and key backup to get a backup of the generated Root CA certificate and Customer Key. The backup file has the name root-ca-backup.tgz.

Restoring the PKI

The procedure for restoring the PKI backup assumes that you have a new master Appliance in place with the same network configuration as the original Appliance and a restored license.

Follow this procedure before federating any Engine back.

  1. Copy the backup file root-ca-backup.tgz to the master Appliance using any SCP tool.
  2. Download the following script for deploying the Customer Key and Root CA: deploy_rck.sh.
  3. Copy the script to the master Appliance using any SCP tool.
  4. Log in to the CLI of the master Appliance.
  5. Execute the script as root, passing the backup file as argument.
    sudo sh deploy_rck.sh root-ca-backup.tgz
  6. Open a web browser and log in to the Web Console of the master Appliance as admin.
  7. If the new Appliance has a different DNS name from the original:
    1. In the Appliance tab, select the Network Parameters section on the left-hand side menu.
    2. Type in the External DNS name and the Internal DNS name of the new master Appliance.
  8. Select the Collector security section on the left-hand side menu.
  9. If you are running the Portal and the Engine in the same Appliance, click the button GENERATE CERTIFICATE that is displayed in red.
  10. If your Engines reside in separate slave Appliances, federate them now:
    1. Select the Federated appliances section on the left-hand side menu.
    2. Click ADD APPLIANCE to add a new slave and provide the necessary information.
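Before running deploy_rck.sh in step 5 it is worth confirming that the root-ca-backup.tgz you copied onto the new Appliance is the same file you downloaded at backup time and that it is structurally intact. The script below is an added example, not Nexthink's own tooling: it assumes you recorded the SHA-256 of the archive right after the DOWNLOAD step, and the member names it looks for (root-ca.crt and customer.key) are hypothetical, since the page only states that the archive holds the Root CA certificate and the Customer Key. It constructs its own sample archives so it runs offline.

```python
"""Integrity checks for a PKI backup archive before it is restored.

Added example, not part of the Nexthink documentation. Assumptions:
  * the SHA-256 of root-ca-backup.tgz was recorded right after DOWNLOAD;
  * the member names inside the archive are hypothetical (the page only
    says it holds the Root CA certificate and the Customer Key).
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Hypothetical member names; adjust to what `tar tzf` shows for a real archive.
REQUIRED_MEMBERS = ("root-ca.crt", "customer.key")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large archives need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_backup(path, required=REQUIRED_MEMBERS):
    """Open the archive and report structural problems.

    Returns {"ok": bool, "members": [...], "problems": [...]}; ok is True only
    when the archive is a readable gzip tarball, every member is a regular
    file with a safe relative path, every member is PEM encoded, and all
    required members are present.
    """
    report = {"ok": False, "members": [], "problems": []}
    try:
        with tarfile.open(path, "r:gz") as tar:
            for member in tar.getmembers():
                report["members"].append(member.name)
                # Refuse absolute or parent-relative paths: a restore script
                # that extracts them could write outside its working directory.
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    report["problems"].append(f"{member.name}: unsafe path")
                    continue
                if not member.isfile():
                    report["problems"].append(f"{member.name}: not a regular file")
                    continue
                data = tar.extractfile(member).read()
                if not data.lstrip().startswith(b"-----BEGIN "):
                    report["problems"].append(f"{member.name}: not PEM encoded")
    except (tarfile.TarError, OSError) as exc:
        report["problems"].append(f"cannot read archive: {exc}")
        return report
    present = {os.path.basename(name) for name in report["members"]}
    for name in required:
        if name not in present:
            report["problems"].append(f"missing member: {name}")
    report["ok"] = not report["problems"]
    return report


def verify_backup(path, expected_sha256, required=REQUIRED_MEMBERS):
    """Check the archive hash against the recorded one, then inspect contents."""
    actual = sha256_file(path)
    if actual != expected_sha256.strip().lower():
        return {"ok": False, "members": [],
                "problems": [f"hash mismatch: recorded {expected_sha256}, actual {actual}"]}
    return inspect_backup(path, required)


def make_sample_backup(path, members):
    """Write a constructed sample archive (not a real backup) and return its hash."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600
            tar.addfile(info, io.BytesIO(data))
    return sha256_file(path)


def demo(workdir=None):
    """Build constructed sample archives and run the checks; returns three reports."""
    workdir = workdir or tempfile.mkdtemp(prefix="pki-backup-demo-")
    good = os.path.join(workdir, "root-ca-backup.tgz")
    recorded = make_sample_backup(good, {
        "root-ca.crt": b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
        "customer.key": b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n",
    })
    bad = os.path.join(workdir, "tampered.tgz")
    make_sample_backup(bad, {"root-ca.crt": b"this is not a certificate\n"})
    return (
        verify_backup(good, recorded),   # passes every check
        verify_backup(good, "0" * 64),   # hash does not match the recorded value
        inspect_backup(bad),             # not PEM, and customer.key is missing
    )


if __name__ == "__main__":
    for report in demo():
        print("OK" if report["ok"] else "FAIL", report["problems"])
```

On the Appliance you would call verify_backup("root-ca-backup.tgz", "<hash recorded at backup time>") and only run deploy_rck.sh when the report comes back with ok set to True; a hash mismatch after the SCP copy means the file was altered or truncated in transit and should be transferred again rather than restored.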