Mandy Krimmel

Cloud Integration – Backup/Restore using Keystore Monitor

With the Backup option in the Keystore Monitor, available as of the 18-August-2017 release (2.31*), you can back up your keys and certificates and restore them at a later point in time. This blog describes how to use this option and when a backup should be taken.

Backup of Keys and Certificates in Keystore Monitor

To connect sender or receiver systems, the tenant administrator needs to maintain keys and certificates in different systems: the sender, the receiver and the cloud integration tenant. The keystore monitor, available in cluster 2.x in the cloud integration tenant, can be used for certificate management. For secure system management, the tenant administrator should back up their own keys and certificates to be able to restore them in case of problems.

Keystore Monitor in Web

The keystore monitor is available in Operations View in Web. In section Manage Security, you find the Keystore monitor, where keys and certificates can be maintained. This is described in detail in blog ‘Keystore Monitor now available for Tenant Administrator’.

Back Up the Certificates and Key Pairs

To save the customer-owned certificates and key pairs at a certain point in time, use the Back Up option. You find this option at the top of the monitor.

All key pairs and certificates owned by the tenant administrator are saved as a backup keystore. The SAP-owned entries are not backed up; SAP backs these up separately.

Only one backup is kept at any time: the next backup overwrites the one created before.

The recommendation is to always take a backup before you make changes in the keystore, so that you can reset the keystore if the changes cause issues at runtime.

Check the Certificates and Keys in the Backup

The backup keystore can be checked in the backup screen of the keystore monitor; to do so, select the Backup tab. The saved certificates and key pairs are shown together with the timestamp at which the backup was taken.

Restore the Certificates and Keys from Backup

If you encounter issues after the latest keystore changes, you can restore the keystore entries. Use the Restore option in the monitor. All keys and certificates from the backup overwrite the currently active keystore.

Be aware that newly created entries are also overwritten: the currently active keystore is replaced completely with the backup keystore. Only the SAP-owned entries are kept.
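
The backup and restore rules above can be modelled to preview what a restore would change before you trigger it. This is an added example, not SAP code and not part of the original blog; the `Entry` model, the owner labels `tenant`/`sap`, the aliases and the fingerprints are constructed assumptions, and the code works on in-memory lists rather than calling the tenant.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    alias: str
    owner: str        # "tenant" or "sap": labels assumed for this sketch
    fingerprint: str  # constructed stand-in for the key/certificate content

def by_alias(entries):
    return {e.alias: e for e in entries}

def take_backup(active):
    # Only tenant-owned entries are backed up; the result replaces any earlier backup.
    return {a: e for a, e in active.items() if e.owner == "tenant"}

def restore(active, backup):
    # SAP-owned entries are kept; tenant-owned entries are replaced completely.
    restored = {a: e for a, e in active.items() if e.owner == "sap"}
    restored.update(backup)
    return restored

def restore_impact(active, backup):
    # What an administrator would gain or lose by restoring right now.
    mine = take_backup(active)
    return {
        "lost": sorted(mine.keys() - backup.keys()),          # created after the backup
        "reverted": sorted(a for a in mine.keys() & backup.keys()
                           if mine[a] != backup[a]),          # changed after the backup
        "brought_back": sorted(backup.keys() - mine.keys()),  # deleted after the backup
        "sap_kept": sorted(a for a, e in active.items() if e.owner == "sap"),
    }

# Constructed sample data: keystore when the backup was taken, and the keystore now.
BACKUP = take_backup(by_alias([
    Entry("sap_root_ca", "sap", "s1"),
    Entry("partner_cert", "tenant", "aa11"),
    Entry("signing_key", "tenant", "bb22"),
]))
ACTIVE = by_alias([
    Entry("sap_root_ca", "sap", "s2"),               # updated by SAP since the backup
    Entry("partner_cert", "tenant", "cc33"),         # renewed since the backup
    Entry("new_receiver_cert", "tenant", "dd44"),    # created since the backup
])

if __name__ == "__main__":
    for kind, aliases in restore_impact(ACTIVE, BACKUP).items():
        print(f"{kind}: {aliases}")
```

Entries listed under `lost` are the ones to download or re-create before restoring, since the single backup does not contain them.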

Authorizations

To secure the use of Keystore Monitor in Web, two roles are available.

With the role NodeManager.read, the user is able to see the entries in the keystore and the backup keystore and to download public content, but creating and changing entries is not possible. To make changes and to perform backups and restores, the role NodeManager.deploysecuritycontent is required.

Role NodeManager.read is available in the group roles AuthGroup.IntegrationDeveloper and AuthGroup.ReadOnly, and role NodeManager.deploysecuritycontent is contained in group role AuthGroup.Administrator.

      6 Comments
      Former Member

      Hi Mandy,

       

      Excellent info. Do you know which role is necessary to do the backup?

      I'm trying to do the back up, but it says "You are not authorized to perform this operation".

       

      Thanks for your help!

      Kind regards,

      Patricio

      Mandy Krimmel
      Blog Post Author

       

      Hi Patricio,

      same roles/authorizations apply as in keystore monitor mentioned in main blog: https://blogs.sap.com/2017/06/19/cloud-integration-keystore-monitor-now-available-for-tenant-administrator/

      For your reference:

      Authorizations

      To secure the use of Keystore Monitor in Web, two roles are available.

      With the role NodeManager.read the user is able to see the entries in keystore and to download public content, but creation of entries and changes are not possible. For changing role NodeManager.deploysecuritycontent is required.

      Role NodeManager.read is available in the group roles AuthGroup.IntegrationDeveloper and AuthGroup.ReadOnly, and role NodeManager.deploysecuritycontent is contained in group role AuthGroup.Administrator.

      That means for doing the backup the NodeManager.deploysecuritycontent role is necessary, which is contained in the Administrator group role.

      Best regards,

      Mandy

      Mandy Krimmel
      Blog Post Author

       

      But I now also added this as additional information in this blog.

      Former Member

      Thank you very much!

      M. Bosch

      Hello,

      Thanks for your blog, but when performing a backup of the keystore we get the message:
      Requested URL not found.

      I do have the mentioned roles, what could be the cause for this?

      M. Bosch

      Ignore this command, you get this message if no own entries are added to the keystore.
      Once an own alias is added, backup works fine.