Cloud Integration – Backup/Restore using Keystore Monitor
With the Backup option in Keystore Monitor, available with the 18-August-2017 release (2.31*), you can back up your keys and certificates and restore them at a later point in time. This blog describes how to use this option and when a backup should be taken.
Backup of Keys and Certificates in Keystore Monitor
To connect sender or receiver systems, the tenant administrator needs to maintain keys and certificates in different systems: the sender, the receiver and the cloud integration tenant. The keystore monitor available in cluster 2.x in the cloud integration tenant can be used to perform this certificate management. For secure system management the tenant administrator should back up their own keys and certificates so that they can be restored in case of problems.
Keystore Monitor in Web
The keystore monitor is available in the Operations View in Web. In the section Manage Security you find the Keystore monitor, where keys and certificates can be maintained. This is described in detail in the blog ‘Keystore Monitor now available for Tenant Administrator’.
Back Up the Certificates and Key Pairs
To save the customer-owned certificates and key pairs at a certain point in time, use the Back Up option. You find this option at the top of the monitor.
All key pairs and certificates owned by the tenant administrator are saved in a backup keystore. SAP-owned entries are not included in this backup; SAP backs them up separately.
Only one backup is kept at any time: the next backup overwrites the backup created before.
The recommendation is to always take a backup before you make changes in the keystore, so that you can reset the keystore if the changes cause issues at runtime.
Check the Certificates and Keys in the Backup
The backup keystore can be inspected in the keystore monitor by selecting the Backup tab. The saved certificates and key pairs are shown together with the timestamp at which the backup was taken.
Restore the Certificates and Keys from Backup
If you encounter issues after the latest keystore changes, you can restore the keystore entries with the Restore option in the monitor. All keys and certificates from the backup overwrite the currently active keystore.
Be aware that entries created after the backup are overwritten as well: the currently active keystore is replaced completely by the backup keystore. Only the SAP-owned entries are kept.
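The two properties above (a single backup slot that each new backup overwrites, and a restore that replaces every tenant-owned entry while leaving SAP-owned entries untouched) are easy to get wrong in practice, because an entry added after the backup silently disappears on restore. The following is an added illustrative model written for this page, not SAP's code or any Cloud Integration API; aliases such as "sap_ca" and "partner_cert" are constructed. It adds a restore_preview step that computes which aliases a restore would drop and which it would bring back, which is the check an administrator wants before clicking Restore.

```python
"""Constructed model of the Keystore Monitor backup/restore semantics
described in the blog. Not SAP's API; written for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Entry:
    alias: str
    kind: str          # "key_pair" or "certificate"
    sap_owned: bool    # SAP-owned entries are never part of the tenant backup


@dataclass
class Backup:
    taken_at: datetime
    entries: Dict[str, Entry]   # only tenant-owned entries


class KeystoreModel:
    """Active keystore plus the single backup slot the monitor keeps."""

    def __init__(self, entries: List[Entry]):
        self.active: Dict[str, Entry] = {e.alias: e for e in entries}
        self.backup: Optional[Backup] = None

    def add(self, entry: Entry) -> None:
        self.active[entry.alias] = entry

    def remove(self, alias: str) -> None:
        self.active.pop(alias, None)

    def tenant_entries(self) -> Dict[str, Entry]:
        return {a: e for a, e in self.active.items() if not e.sap_owned}

    def can_back_up(self) -> bool:
        # The comment thread reports that a backup with no own entries fails
        # ("Requested URL not found"); modelled here as "nothing to back up".
        return bool(self.tenant_entries())

    def back_up(self, now: Optional[datetime] = None) -> Backup:
        """Save tenant-owned entries. Only one backup exists; a new one
        overwrites the previous one."""
        if not self.can_back_up():
            raise RuntimeError("no tenant-owned entries to back up")
        self.backup = Backup(now or datetime.now(timezone.utc),
                             dict(self.tenant_entries()))
        return self.backup

    def restore_preview(self) -> Dict[str, List[str]]:
        """Compute, without changing anything, which tenant aliases a restore
        would drop (created after the backup) and which it would reinstate
        (deleted after the backup)."""
        if self.backup is None:
            raise RuntimeError("no backup available")
        current = set(self.tenant_entries())
        saved = set(self.backup.entries)
        return {"lost": sorted(current - saved),
                "reinstated": sorted(saved - current)}

    def restore(self) -> Set[str]:
        """Replace all tenant-owned entries with the backup; SAP-owned
        entries stay exactly as they are. Returns the aliases that were lost."""
        preview = self.restore_preview()
        sap_entries = {a: e for a, e in self.active.items() if e.sap_owned}
        self.active = {**sap_entries, **self.backup.entries}
        return set(preview["lost"])


def demo() -> Dict[str, List[str]]:
    """Walk through the scenario the blog warns about: back up, add an entry,
    then look at what a restore would do to it."""
    ks = KeystoreModel([Entry("sap_ca", "certificate", True),      # constructed
                        Entry("my_key", "key_pair", False)])       # constructed
    ks.back_up()
    ks.add(Entry("partner_cert", "certificate", False))             # constructed
    return ks.restore_preview()


if __name__ == "__main__":
    print(demo())   # partner_cert would be lost by a restore
```

Running the preview before a restore turns the blog's warning into a concrete list of aliases that will vanish, which is the moment to take a fresh backup instead if those entries are still needed.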
Authorizations
To secure the use of Keystore Monitor in Web, two roles are available.
With the role NodeManager.read the user can see the entries in the keystore and the backup keystore and download public content, but cannot create or change entries. Changing entries, taking backups and restoring require the role NodeManager.deploysecuritycontent.
Role NodeManager.read is contained in the group roles AuthGroup.IntegrationDeveloper and AuthGroup.ReadOnly; role NodeManager.deploysecuritycontent is contained in the group role AuthGroup.Administrator.
Hi Mandy,
Excellent info. Do you know which role is necessary to do the backup?
I'm trying to do the back up, but it says "You are not authorized to perform this operation".
Thanks for your help!
Kind regards,
Patricio.
Hi Patricio,
The same roles/authorizations apply as for the keystore monitor mentioned in the main blog: https://blogs.sap.com/2017/06/19/cloud-integration-keystore-monitor-now-available-for-tenant-administrator/
For your reference:
Authorizations
To secure the use of Keystore Monitor in Web, two roles are available.
With the role NodeManager.read the user is able to see the entries in keystore and to download public content, but creation of entries and changes are not possible. For changing role NodeManager.deploysecuritycontent is required.
Role NodeManager.read is available in the group roles AuthGroup.IntegrationDeveloper and AuthGroup.ReadOnly, and role NodeManager.deploysecuritycontent is contained in group role AuthGroup.Administrator.
That means for doing the backup the NodeManager.deploysecuritycontent role is necessary, which is contained in the Administrator group role.
Best regards,
Mandy
But I now also added this as additional information in this blog.
Thank you very much!
Hello,
Thanks for your blog, but when performing a backup of the keystore we get the message:
Requested URL not found.
I do have the mentioned roles, what could be the cause for this?
Ignore this comment, you get this message if no own entries are added to the keystore.
Once an own alias is added, backup works fine.