With the Backup option in the Keystore Monitor, available with the 18-August-2017 release (2.31*), you can back up your keys and certificates and restore them at a later point in time. This blog describes how to use this option and when a backup should be taken.
Backup of Keys and Certificates in Keystore Monitor
To connect sender or receiver systems, the tenant administrator needs to maintain keys and certificates in several places: the sender system, the receiver system and the cloud integration tenant. In the cloud integration tenant, the keystore monitor available on cluster 2.x is used for this certificate management. As part of secure system management, the tenant administrator should back up the tenant's own keys and certificates so that they can be restored if a problem occurs.
Keystore Monitor in Web
The keystore monitor is available in the Operations View in Web. In the section Manage Security you find the Keystore monitor, where keys and certificates can be maintained. This is described in detail in the blog ‘Keystore Monitor now available for Tenant Administrator’.
Back Up the Certificates and Key Pairs
To save the customer-owned certificates and key pairs as they are at a certain point in time, use the Back Up option. You find this option at the top of the monitor.
All key pairs and certificates owned by the tenant administrator are saved to a backup keystore. SAP-owned entries are not included in this backup; SAP backs them up separately.
Only one backup is kept at a time: taking a new backup overwrites the backup created before.
The recommendation is to always take a backup before you change anything in the keystore, so that you can reset the keystore if the changes cause issues at runtime. Because only one backup is kept, do not take another backup until you have verified the changed keystore at runtime; otherwise the last known-good state is overwritten and can no longer be restored.
Check the Certificates and Keys in the Backup
To check the contents of the backup keystore, select the Backup tab in the keystore monitor. The saved certificates and key pairs are shown together with the timestamp at which the backup was taken, so you can confirm that the backup is the one you expect before relying on it.
Restore the Certificates and Keys from Backup
If you encounter issues after the latest keystore changes, you can restore the keystore entries with the Restore option in the monitor. All keys and certificates from the backup overwrite the currently active keystore.
Be aware that the currently active keystore is replaced completely by the backup keystore, so entries created after the backup was taken are lost as well. Only the SAP-owned entries are kept.
To control the use of the Keystore Monitor in Web, two roles are available.
With the role NodeManager.read, a user can view the entries in the keystore and in the backup keystore and download public content, but cannot create or change entries. Changing entries and performing backups and restores requires the role NodeManager.deploysecuritycontent.
The role NodeManager.read is contained in the group roles AuthGroup.IntegrationDeveloper and AuthGroup.ReadOnly; the role NodeManager.deploysecuritycontent is contained in the group role AuthGroup.Administrator.