PKI backup and restore
Overview
The PKI generated by the master Appliance during federation lets Collectors securely communicate with the Engines through a TCP connection.
If the PKI items held by the master Appliance (root certificate, private key, and customer key) are not backed up before a full disaster, you must re-create the PKI and redistribute a new root certificate and a new customer key to all deployed Collectors.
Manual backup
Once you have federated at least one slave Appliance, take a backup of the generated PKI:
- Open a web browser and log in to the Web Console of the master Appliance as admin.
- In the Appliance tab, select the Collector management section on the left-hand side menu.
- Under Collector default certificates at the bottom of the page, click the button BACKUP CERTIFICATE AND KEY to get a backup of the generated Root CA certificate and Customer Key. The backup file has the name root-ca-backup.tgz.
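Since root-ca-backup.tgz carries the private key of the root CA, it is worth checking the archive right after taking it (and again before feeding it to deploy_rck.sh on a new master Appliance): that it actually contains a certificate and a private key, that the certificate is the root CA the Collectors already trust, and that no member would escape the extraction directory. The following Python script is an added example for an administrator's workstation, not code from the Appliance or from the page; the member names root-ca.crt and root-ca.key, the PEM layout, and the availability of a recorded SHA-256 fingerprint of the distributed root CA are assumptions, and the embedded sample archive is constructed for demonstration only.

```python
import base64
import hashlib
import io
import os
import tarfile

# Constructed placeholder, NOT a real certificate: stands in for the DER body
# of the root CA certificate that the Appliance would include in the backup.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"

# Member names inside root-ca-backup.tgz are an assumption for this example;
# the real layout is whatever the Appliance writes.
ASSUMED_CERT_NAME = "root-ca.crt"
ASSUMED_KEY_NAME = "root-ca.key"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    lines = [line.strip() for line in pem.splitlines()]
    body = b"".join(line for line in lines if line and not line.startswith(b"-----"))
    return base64.b64decode(body)


def _der_to_pem(der: bytes, label: str) -> bytes:
    tag = label.encode()
    return b"-----BEGIN %b-----\n%b-----END %b-----\n" % (tag, base64.encodebytes(der), tag)


def build_sample_backup() -> bytes:
    """Build a constructed tar.gz that mimics a PKI backup (demonstration only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (
            (ASSUMED_CERT_NAME, _der_to_pem(SAMPLE_DER, "CERTIFICATE")),
            (ASSUMED_KEY_NAME, b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600  # a key file should never be group/world readable
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _safe_member(name: str) -> bool:
    """Reject absolute paths and '..' components so extraction cannot leave the target dir."""
    norm = os.path.normpath(name).replace("\\", "/")
    return not name.startswith("/") and ".." not in norm.split("/")


def inspect_backup(archive: bytes) -> dict:
    """Inspect a PKI backup in memory (nothing is written to disk).

    Returns member names, SHA-256 fingerprints of every PEM certificate found,
    whether a private key is present, and members that would be unsafe to extract
    (path traversal, symlinks, hard links).
    """
    report = {"members": [], "certs": {}, "has_private_key": False, "unsafe": []}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            report["members"].append(member.name)
            if not _safe_member(member.name) or member.issym() or member.islnk():
                report["unsafe"].append(member.name)
                continue
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if b"-----BEGIN CERTIFICATE-----" in data:
                report["certs"][member.name] = fingerprint(pem_to_der(data))
            elif b"PRIVATE KEY-----" in data:
                report["has_private_key"] = True
    return report


def verify_backup(archive: bytes, expected_ca_fingerprint: str) -> list:
    """Return a list of problems; an empty list means the archive looks usable for restore."""
    report = inspect_backup(archive)
    expected = expected_ca_fingerprint.replace(":", "").lower()
    problems = []
    if report["unsafe"]:
        problems.append("unsafe members: " + ", ".join(report["unsafe"]))
    if not report["has_private_key"]:
        problems.append("no private key found")
    if expected not in report["certs"].values():
        problems.append("no certificate matches the expected root CA fingerprint")
    return problems


if __name__ == "__main__":
    # For a real backup: archive = open("root-ca-backup.tgz", "rb").read()
    archive = build_sample_backup()
    print(inspect_backup(archive))
    print("problems:", verify_backup(archive, fingerprint(SAMPLE_DER)))
```

Run it against the real root-ca-backup.tgz with the fingerprint you recorded from the root CA currently distributed to the Collectors; a non-empty problem list means the archive should not be handed to deploy_rck.sh until the cause is understood. Inspecting in memory rather than extracting keeps the private key off the workstation's disk.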
Restoring the PKI
This procedure assumes that you have a new master Appliance in place with the same network configuration as the original Appliance and a restored license.
Follow this procedure before federating any Engine back.
- Copy the backup file root-ca-backup.tgz to the master Appliance using any SCP tool.
- Download the following script for deploying the Customer Key and Root CA: deploy_rck.sh.
- Copy the script to the master Appliance using any SCP tool.
- Log in to the CLI of the master Appliance.
- Execute the script as root, passing the backup file as argument:

    sudo sh deploy_rck.sh root-ca-backup.tgz

- Open a web browser and log in to the Web Console of the master Appliance as admin.
- If the new Appliance has a different DNS name from the original:
  - In the Appliance tab, select the Network Parameters section on the left-hand side menu.
  - Type in the External DNS name and the Internal DNS name of the new master Appliance.
- Select the Collector management section on the left-hand side menu.
- If you are running the Portal and the Engine in the same Appliance, click the button GENERATE CERTIFICATE that is displayed in red.
- If your Engines reside in separate slave Appliances, federate them now:
  - Select the Federated appliances section on the left-hand side menu.
  - Click ADD APPLIANCE to add a new slave and provide the necessary information.