PKI backup and restore
Overview
The PKI generated by the primary Appliance during federation lets Collectors securely communicate with the Engines through a TCP connection.
If the PKI items of the primary Appliance (root certificate, private key, and customer key) are not backed up before a full disaster, the PKI has to be re-created and a new root certificate and a new customer key have to be re-distributed to all the deployed Collectors.
Manual backup
Once you have federated at least one secondary Appliance, take a backup of the generated PKI:
Open a web browser and log in to the Web Console of the primary Appliance as admin.
In the Appliance tab, select the Collector management section on the left-hand side menu.
Under Collector default certificates at the bottom of the page, click the button BACKUP CERTIFICATE AND KEY to get a backup of the generated Root CA certificate and Customer Key. The backup file is named root-ca-backup.tgz.
Restoring the PKI
To restore the backup of the PKI, we assume that you have a new primary Appliance in place with the same network configuration as the original Appliance and a restored license.
Follow this procedure before federating any Engine back.
Copy the backup file root-ca-backup.tgz to the primary Appliance using any SCP tool.
Download the following script for deploying the Customer Key and Root CA: deploy_rck.sh.
Copy the script to the primary Appliance using any SCP tool.
Log in to the CLI of the primary Appliance.
Execute the script as root, passing the backup file as argument.
Open a web browser and log in to the Web Console of the primary Appliance as admin.
If the new Appliance has a different DNS name from the original:
In the Appliance tab, select the Network Parameters section on the left-hand side menu.
Type in the External DNS name and the Internal DNS name of the new primary Appliance.
Select the Collector management section on the left-hand side menu.
If you are running the Portal and the Engine in the same Appliance, click the button GENERATE CERTIFICATE that is displayed in red.
If your Engines reside in separate secondary Appliances, federate them now:
Select the Federated appliances section on the left-hand side menu.
Click ADD APPLIANCE to add a new secondary and provide the necessary information.
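The following POSIX shell helper is an added example for the script step above (execute deploy_rck.sh as root, passing the backup file as argument); it is not part of the vendor procedure and not the vendor's deploy_rck.sh. It checks that root-ca-backup.tgz arrived intact over SCP (gzip integrity, non-empty tar archive), lists what the archive contains without extracting anything, and only then runs the deployment script as root. The archive name and the calling convention come from the procedure; the script's interpreter (bash) and its location next to the helper are assumptions.

```shell
#!/bin/sh
# Added example, not Nexthink tooling: sanity-check the PKI backup archive before
# handing it to deploy_rck.sh. root-ca-backup.tgz and "run as root with the backup
# file as argument" come from the documented procedure; bash as interpreter and the
# script path are assumptions.

# Return 0 if the file exists, is valid gzip, and is a tar archive with at least
# one member; return 1 otherwise. Nothing is extracted.
check_backup_archive() {
    f="$1"
    [ -f "$f" ] || { echo "missing backup file: $f" >&2; return 1; }
    # gzip integrity test catches truncated or corrupted transfers
    gzip -t "$f" 2>/dev/null || { echo "not a valid gzip file: $f" >&2; return 1; }
    members=$(tar -tzf "$f" 2>/dev/null | wc -l | tr -d ' ')
    [ "$members" -gt 0 ] || { echo "archive has no members: $f" >&2; return 1; }
    return 0
}

# Show what would be restored, without extracting anything.
list_backup_members() {
    tar -tzf "$1"
}

# Run the deployment script as root, only after the archive passed the checks.
# Assumption: the script sits next to this helper and is run with bash.
restore_pki() {
    backup="$1"
    script="${2:-./deploy_rck.sh}"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    check_backup_archive "$backup" || return 1
    [ -f "$script" ] || { echo "missing script: $script" >&2; return 1; }
    bash "$script" "$backup"
}

# Usage: sudo sh pki_restore_check.sh root-ca-backup.tgz [path/to/deploy_rck.sh]
if [ "$#" -gt 0 ]; then
    check_backup_archive "$1" && list_backup_members "$1" && restore_pki "$@"
fi
```

Running the check on the copied file before the script step turns a silently corrupted transfer into an explicit failure instead of a half-deployed PKI; listing the members first also lets you confirm you are restoring the archive from the right Appliance.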