Data Restore

In the event of a disaster or data loss, you can restore the backed-up data to the PAM360 database. PAM360 provides scripts for restoring the data.

The following sections describe the data restoration steps for each of these databases:

  1. PAM360 with PostgreSQL
  2. PAM360 with MS SQL Server

1. PostgreSQL Database

The following steps are applicable to PAM360 installations using the bundled PostgreSQL database.

Important Notes:

  1. Stop the PAM360 server before restoring the data. Restoring data while the server is running may lead to data corruption.
  2. Database backups created from a PAM360 installation on a Windows machine can only be restored on another PAM360 installation on a Windows machine.
  3. Ensure that the PAM360 build number on the machine where you are restoring the database backup matches the build number on the machine where the backup was originally generated.
  4. Start and stop the PAM360 service once before executing the restoreDB.bat (Windows) or restoreDB.sh (Linux) command.

Generate the database backup using the appropriate procedure based on the encryption method in use:

  1. PAM360 Encryption
  2. Encryption using HSMs
  3. Custom Encryption

1.1 PAM360 Encryption

  1. Navigate to the <PAM360_Installation_Directory>/bin folder and execute the following command depending on the OS type of the machine where PAM360 is installed in your environment.
    • Windows - restoreDB.bat <Backup file path> -p <Key path>
    • Linux - sh restoreDB.sh <Backup file path> -p <Key path>

    Notes:

    1. Enter the backup file path in the .ezip format.
    2. The backup file and the pam360_key.key file should be located in the same directory inside the PAM360 server.
  2. Navigate to the <PAM360_Installation_Directory>/conf folder, open the manage_key.conf file, and specify the path to the pam360_key.key file.
  3. Execute the following command:
    • Windows - updateServerConf.bat
    • Linux - updateServerConf.sh

    Note: Before executing the updateServerConf.sh command, ensure that X11 is enabled on your PAM360 server.

  4. In the pop-up that appears, enter the default certificate name as server.keystore and the password as passtrix. This action will apply the default SSL certificate bundled with the product to your PAM360 server.
  5. Follow these steps to add your trusted SSL certificate to your PAM360 server:
    • Log in to your PAM360 account with administrator credentials and navigate to Admin >> Server Settings >> PAM360 Server.
    • Locate the SSL certificate, enter the necessary certificate details, and save the changes. PAM360 server will be encrypted using the provided SSL certificate.

1.2 Encryption using HSMs

  1. Navigate to the <PAM360_Installation_Directory>/bin folder and execute the following command depending on the OS type of the machine where PAM360 is installed in your environment.
    • Windows - restoreDB.bat <Backup file path> -p <Key path>
    • Linux - sh restoreDB.sh <Backup file path> -p <Key path>

    Notes:

    1. Enter the backup file path in the .ezip format.
    2. The backup file and the pam360_key.key file should be located in the same directory inside the PAM360 server.
  2. Navigate to the <PAM360_Installation_Directory>/conf folder, open the manage_key.conf file, and specify the path to the pam360_key.key file.
  3. Copy the pmped.conf file located in the <PAM360_Installation_Directory>/conf folder on the server where the database backup was taken, and paste it into the same location on the server where the database is being restored. The database will be restored with the previously saved data.
  4. Copy the following jar files located in the <PAM360_Installation_Directory>/lib folder on the server where the database backup was taken, and paste them into the same location on the server where the database is being restored.
    • Entrust nShield HSM - ncipherKM.jar
    • SafeNet Luna HSM - LunaProvider.jar
  5. Additionally, if you are using the SafeNet Luna HSM in your environment, you should copy the following library files located in the <PAM360_Installation_Directory>/lib/native folder on the server where the database backup was taken, and paste them into the same location on the server where the database is being restored.
    • Windows - LunaAPI.dll
    • Linux - libLunaAPI.so
  6. Execute the following command:
    • Windows - updateServerConf.bat
    • Linux - updateServerConf.sh

    Note: Before executing the updateServerConf.sh command, ensure that X11 is enabled on your PAM360 server.

  7. In the pop-up that appears, enter the default certificate name as server.keystore and the password as passtrix. This action will apply the default SSL certificate bundled with the product to your PAM360 server.
  8. Follow these steps to add your trusted SSL certificate to your PAM360 server:
    • Log in to your PAM360 account with administrator credentials and navigate to Admin >> Server Settings >> PAM360 Server.
    • Locate the SSL certificate, enter the necessary certificate details, and save the changes. PAM360 server will be encrypted using the provided SSL certificate.

1.3 Custom Encryption

  1. Copy the jar files created during the custom encryption configuration from the <PAM360_Installation_Directory>/lib folder on the server where the database backup was taken, and paste them into the same location on the server where the database is being restored.
  2. Navigate to the <PAM360_Installation_Directory>/bin folder and execute the following command depending on the OS type of the machine where PAM360 is installed in your environment.
    • Windows - restoreDB.bat <Backup file path> -p <Custom Encryption Key>
    • Linux - sh restoreDB.sh <Backup file path> -p <Custom Encryption Key>

    Notes:

    1. For PAM360 builds before 8000, use the following commands:
      1. Windows - restoreDB.bat <Backup file path> -p <Key path>
      2. Linux - sh restoreDB.sh <Backup file path> -p <Key path>
    2. Enter the backup file path in the .ezip format.
    3. The backup file and the pam360_key.key file should be located in the same directory inside the PAM360 server.
  3. Copy the pmped.conf file located in the <PAM360_Installation_Directory>/conf folder on the server where the database backup was taken, and paste it into the same location on the server where the database is being restored. The database will be restored with the previously saved data.
  4. Execute the following command:
    • Windows - updateServerConf.bat
    • Linux - updateServerConf.sh

    Note: Before executing the updateServerConf.sh command, ensure that X11 is enabled on your PAM360 server.

  5. In the pop-up that appears, enter the default certificate name as server.keystore and the password as passtrix. This action will apply the default SSL certificate bundled with the product to your PAM360 server.
  6. Follow these steps to add your trusted SSL certificate to your PAM360 server:
    • Log in to your PAM360 account with administrator credentials and navigate to Admin >> Server Settings >> PAM360 Server.
    • Locate the SSL certificate, enter the necessary certificate details, and save the changes. PAM360 server will be encrypted using the provided SSL certificate.
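
The notes under the restoreDB step in sections 1.1 and 1.2 (and in 1.3 for builds before 8000, where -p takes a key path) can be checked before restoreDB.sh is run on Linux. The function below is an added example, not a script shipped with PAM360; the names restore_preflight and dir_of and the file-permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the arguments passed to restoreDB.sh.
# restore_preflight and dir_of are hypothetical helpers, not PAM360 scripts.

# Print the physical directory that contains the given file.
dir_of() {
    (cd "$(dirname -- "$1")" 2>/dev/null && pwd -P)
}

# Usage: restore_preflight <Backup file path> <Key path>
# Returns 0 when every check passes, 1 otherwise (reasons go to stderr).
restore_preflight() {
    backup=$1 key=$2 rc=0

    # Note 1: the backup file path must be in the .ezip format.
    case $backup in
        *.ezip) ;;
        *) echo "backup is not an .ezip file: $backup" >&2; rc=1 ;;
    esac

    # Both files must exist and be readable before anything else is checked.
    for f in "$backup" "$key"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done

    # Note 2: the backup file and the key file must be in the same directory.
    if [ "$(dir_of "$backup")" != "$(dir_of "$key")" ]; then
        echo "backup and key file are in different directories" >&2; rc=1
    fi

    # Added hardening check (an assumption of this example, not a PAM360
    # requirement): the key file should carry no group/other permission bits.
    if [ "$(ls -ld -- "$key" | cut -c5-10)" != "------" ]; then
        echo "key file is accessible to group/other: $key" >&2; rc=1
    fi
    return "$rc"
}

# Run the checks when the script is called with both paths.
if [ "$#" -eq 2 ]; then
    restore_preflight "$1" "$2"
fi
```
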

2. Steps Required for PAM360 with MS SQL Server

2.1 Prerequisite

PAM360 uses SQL server's encryption mechanism to encrypt the data. The encryption master key will be stored under the <PAM360 Installation Folder>/conf directory with the name masterkey.key. For security reasons, during installation of MS SQL, we recommend moving the encryption key from the default location to a secure location and using it while performing disaster recovery.

2.2 Procedure

Step 1

Install another instance of PAM360 with MS SQL server as the backend. You are now specifying a new instance of MS SQL server where the backup has to be restored. Ensure that the new instance of MS SQL server is configured with SSL. For details, refer to steps 10.1.1 to 10.1.3 under MS SQL Configuration.

Step 2

Copy the PAM360 backup file from the SQL server. By default, it will be present under the <MSSQL_installation_folder>/Backup folder with a file name in the following format: pam360backup_pam360version_backupdate-time.bak (For example, pam360backup_4500_110721-1159.bak). Click here to learn more about taking backups of your PAM360 data. The backups taken from the MS SQL database will be stored as a .bak file in the host, where the SQL server is running.

Step 3

Launch "Microsoft SQL Server Management Studio" (on the machine where the backed-up data is to be restored, that is, another instance of SQL server) and connect to the Database Engine.

Step 4

Right-click on Databases and then click Restore Database from the displayed menu.

Step 5

In the Restore Database window, choose the option From device and click [...] button to browse the PAM360 backup file.

Step 6

In the Specify Backup window that opens up, choose the option File as the Backup media and click Add.

Step 7

In the Locate Backup File window, select the PAM360 backup file and click OK.

Step 8

  1. Now, in the Restore Database window, select the database where the backup is to be restored and specify it in the To database field.
  2. Under Select the backup sets to restore, select the required Restore column.
  3. Click OK to start restoring the database.
  4. Upon completion of the restoration, a status window pops up.

Step 9

Now, you need to restore the Master Key. As mentioned in the prerequisite section above, by default, the encryption master key will be stored under the <PAM360 Installation Folder>/conf directory in the file named masterkey.key. If you have moved the file to some other secure location for security reasons, locate it there. Open the masterkey.key file and copy the password.

Step 10

  1. Connect to the SQL server in which you have restored the PAM360 backup file.
  2. Open Microsoft SQL Server Management Studio and connect to the database engine.
  3. Execute the following queries:

    use write_the_name_of_the_restored_database;
    OPEN MASTER KEY DECRYPTION BY PASSWORD = 'type_the_master_key_password';
    alter master key regenerate with encryption by password = 'type_the_master_key_password';

Example:

use passtrix;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'secret';
alter master key regenerate with encryption by password = 'secret';

Execution of the above queries will help decrypt the data.

Step 11

Navigate to the <PAM360_Installation_Folder>/conf folder, edit manage_key.conf and specify the location of pam360_key.key (encryption master key). PAM360 requires the pam360_key.key file to be accessible at its full path every time it starts up. After a successful start-up, it does not need the key anymore and so the device with the key file can be taken offline.

Caution: From PAM360 build 8000 onwards, it is mandatory to retain the pam360_key.key file in the file path specified in the manage_key.conf file for seamless operation. PAM360 continuously accesses this file to ensure uninterrupted operation. If the pam360_key.key file is not available in the specified path, the service may not start up or certain features such as database backup will not function.

Important Notes:

    1. Perform database restore of the .bak file and execute the above queries to set the master key using the same account with which PAM360 connects to the database.
    2. However, if you are using a different account to restore the database in SQL studio and to execute the Alter master key queries, then execute the additional queries given below to provide required permissions for the PAM360 account to read the master key.

      GRANT VIEW DEFINITION ON CERTIFICATE::PMP_CERT TO [user]
      GRANT VIEW DEFINITION ON SYMMETRIC KEY::PMP_SYM_KEY TO [user]
      GRANT CONTROL ON CERTIFICATE::PMP_CERT TO [user]

    3. The [user] in the above queries refers to the actual login name of the account used by PAM360 to connect to the SQL database. You can find this account's name in the JDBC URL present in the <PAM360_Installation_Folder>/conf/database_params.conf file, unless the account uses Windows authentication.
    4. Execute the queries given below to verify the correct names of the CERTIFICATE and SYMMETRIC KEY:

      select * from sys.certificates
      select * from sys.symmetric_keys

 
