Data Restore

In the event of a disaster or data loss, you can restore the backed-up data to the PAM360 database using the restore scripts that PAM360 provides.

The following sections describe the data restoration steps for each of these databases:

  1. PAM360 with PostgreSQL

    1.1 Windows

    1.2 Linux

  2. PAM360 with MS SQL Server

1. Steps Required for PAM360 with PostgreSQL

The following steps are applicable for the default installation of PAM360 with PostgreSQL as the backend database.

Important Notes:

    1. Stop PAM360 server before trying to restore data. If restoration is done while the server is running, it may lead to data corruption.
    2. Data backed up from PAM360 running on Windows can be restored only in Windows.
    3. While restoring the backup, ensure that you re-install the same PAM360 build that was present earlier. For example, if you had PAM360 build 4500 previously, install the same build again.
    4. Make sure you start and stop the service once each time before using the restoreDB command.

1.1 For Windows

  1. Navigate to the <PAM360_Installation_Directory>/bin folder.
  2. Execute the script 'restoreDB.bat <backup file name> -p <Key path>'. Enter your backup file name in .ezip format. Note that the backup file and the pam360_key.key file should be located in the same folder under the same path inside the PAM360 server.
  3. Open the <PAM360_Installation_Folder>/conf folder, edit the manage_key.conf file, and specify the location of pam360_key.key (AES 256 encryption master key). PAM360 requires the pam360_key.key file accessible with its full path when it starts up every time. After a successful start-up, it does not need the key anymore and so the device with the key file can be taken offline.
  4. The backed-up contents will be restored to the PAM360 DB. Now, execute the command updateserverconf.bat. In the pop-up that appears, enter the default certificate name as Server.keystore and password as passtrix. This action will apply the default SSL certificate that comes with the product to your PAM360 server.
  5. To add your trusted SSL certificate to your PAM360 server, follow these steps:
    1. Log in to the PAM360 web interface using an administrator account and go to Admin >> Configuration >> PAM360 Server.
    2. Here, browse for your trusted certificate, enter the necessary certificate details, and save the changes. Now, connections to your PAM360 server will be secured using the trusted SSL certificate you provided.

1.2 For Linux

  1. Navigate to the <PAM360_Installation_Directory>/bin folder.
  2. Execute the script 'sh restoreDB.sh <backup file name> -p <Key path>'. Enter your backup file name in .ezip format. Note that the backup file and the pam360_key.key file should be located in the same folder under the same path inside the PAM360 server.
  3. Open the <PAM360_Installation_Folder>/conf folder, edit the manage_key.conf file, and specify the location of pam360_key.key (AES 256 encryption master key). PAM360 requires the pam360_key.key file accessible with its full path when it starts up every time. After a successful start-up, it does not need the key anymore and so the device with the key file can be taken offline.
  4. The backed-up contents will be restored to the PAM360 DB. Now, execute the command updateserverconf.sh. In the pop-up that appears, enter the default certificate name as Server.keystore and password as passtrix. This action will apply the default SSL certificate that comes with the product to your PAM360 server.
     Note: Before executing the updateserverconf.sh command, ensure that X11 is enabled on your PAM360 server.
  5. To add your trusted SSL certificate to your PAM360 server, follow these steps:
    1. Log in to the PAM360 web interface using an administrator account and go to Admin >> Configuration >> PAM360 Server.
    2. Here, browse for your trusted certificate, enter the necessary certificate details, and save the changes. Now, connections to your PAM360 server will be secured using the trusted SSL certificate you provided.
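
A pre-flight check for the Linux restore steps above, written here as an added example that is not part of PAM360 or its scripts. The function name preflight, its arguments, the owner-only permission check, and the idea that manage_key.conf contains the key's full path as literal text are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not PAM360 code: validate restoreDB.sh inputs before a restore.
# Usage: preflight <backup.ezip> <path to pam360_key.key> [manage_key.conf]
preflight() {
    backup=$1; key=$2; conf=${3:-}; rc=0

    # Step 2: the backup must be a non-empty file in .ezip format.
    case $backup in
        *.ezip) ;;
        *) echo "FAIL: not an .ezip backup: $backup"; rc=1 ;;
    esac
    [ -s "$backup" ] || { echo "FAIL: backup missing or empty: $backup"; rc=1; }

    # Step 2: pam360_key.key must exist in the same folder as the backup.
    [ "$(basename "$key")" = "pam360_key.key" ] ||
        { echo "FAIL: key file is not named pam360_key.key"; rc=1; }
    [ -s "$key" ] || { echo "FAIL: key missing or empty: $key"; rc=1; }
    bdir=$(cd "$(dirname "$backup")" 2>/dev/null && pwd -P) || bdir=
    kdir=$(cd "$(dirname "$key")" 2>/dev/null && pwd -P) || kdir=
    [ -n "$bdir" ] && [ "$bdir" = "$kdir" ] ||
        { echo "FAIL: backup and key are not in the same folder"; rc=1; }

    # Hardening check (assumption, not a documented PAM360 requirement):
    # the master key should be accessible to its owner only.
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null) || mode=
        case $mode in
            ?00) ;;
            *) echo "FAIL: key mode is '$mode', expected owner-only (e.g. 600)"; rc=1 ;;
        esac
    fi

    # Step 3: manage_key.conf should contain the key's full path
    # (assumption: the path appears in the file as literal text).
    if [ -n "$conf" ]; then
        grep -qF "$kdir/pam360_key.key" "$conf" 2>/dev/null ||
            { echo "FAIL: $conf does not reference $kdir/pam360_key.key"; rc=1; }
    fi

    [ "$rc" -eq 0 ] && echo "OK: inputs look consistent"
    return "$rc"
}

# Run the checks when arguments are supplied on the command line.
if [ $# -ge 2 ]; then preflight "$@"; fi
```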

2. Steps Required for PAM360 with MS SQL Server

2.1 Prerequisite

PAM360 uses SQL Server's encryption mechanism to encrypt the data. The encryption master key will be stored under <PAM360 Installation Folder>/conf directory with the name masterkey.key. For security reasons, during installation of MS SQL, we recommend moving the encryption key from the default location to a secure location and using it while performing disaster recovery.

2.2 Procedure

Step 1

Install another instance of PAM360 with MS SQL server as the backend. You are now specifying a new instance of MS SQL server where the backup has to be restored. Ensure that the new instance of MS SQL server is configured with SSL. For details, refer to steps 10.1.1 to 10.1.3 under MS SQL Configuration.

Step 2

Copy the PAM360 backup file from the SQL server. By default, it will be present under the <MSSQL_installation_folder>/Backup folder with a file name in the following format: pam360backup_pam360version_backupdate-time.bak (For example, pam360backup_4500_110721-1159.bak). Click here to learn more about taking backups of your PAM360 data. The backups taken from the MS SQL database will be stored as a .bak file in the host, where the SQL server is running.

Step 3

Launch "Microsoft SQL Server Management Studio" (in the machine where the backed up data are to be restored - that is, another instance of SQL server) and connect to the Database Engine.

Step 4

Right-click on Databases and then click Restore Database from the displayed menu.

Step 5

In the Restore Database window, choose the option From device and click [...] button to browse the PAM360 backup file.

Step 6

In the Specify Backup window that opens up, choose the option File as the Backup media and click Add.

Step 7

In the Locate Backup File window, select the PAM360 backup file and click OK.

Step 8

  1. Now, in the Restore Database window, select the database where the backup is to be restored and specify it in the To database field.
  2. Under Select the backup sets to restore, select the required Restore column.
  3. Click OK to start restoring the database.
  4. Upon completion of the restoration, a status window pops up.

Step 9

Now, you need to restore the Master Key. As mentioned in the prerequisite section above, by default, the encryption master key will be stored under <PAM360 Installation Folder>/conf directory in the file named masterkey.key. If you have moved the file to some other secure location for security reasons, locate it there. Open the masterkey.key file and copy the password.

Step 10

  1. Connect to the SQL server in which you have restored the PAM360 backup file.
  2. Open Microsoft SQL Server Management Studio and connect to the database engine.
  3. Execute the following queries:

    use write_the_name_of_the_restored_database;
    OPEN MASTER KEY DECRYPTION BY PASSWORD = 'type_the_master_key_password';
    alter master key regenerate with encryption by password = 'type_the_master_key_password';

Example:

use passtrix;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'secret';
alter master key regenerate with encryption by password = 'secret';

Execution of the above queries will help decrypt the data.

Step 11

Navigate to <PAM360_Installation_Folder>/conf folder, edit manage_key.conf and specify the location of pam360_key.key (encryption master key). PAM360 requires the pam360_key.key file accessible with its full path when it starts up every time. After a successful start-up, it does not need the key anymore and so the device with the key file can be taken offline.

Important Notes:

    1. Perform database restore of the .bak file and execute the above queries to set the master key using the same account with which PAM360 connects to the database.
    2. However, if you are using a different account to restore the database in SQL studio and to execute the Alter master key queries, then execute the additional queries given below to provide required permissions for the PAM360 account to read the master key.

      GRANT VIEW DEFINITION ON CERTIFICATE::PMP_CERT TO [user]
      GRANT VIEW DEFINITION ON SYMMETRIC KEY::PMP_SYM_KEY TO [user]
      GRANT CONTROL ON CERTIFICATE::PMP_CERT TO [user]

    3. The [user] in the above queries refers to the actual login name of the account used by PAM360 to connect to the SQL database. You can find this account's name in the JDBC URL present in the <PAM360_Installation_Folder>/conf/database_params.conf file, unless the account uses Windows authentication.
    4. Execute the queries given below to verify the correct names of the CERTIFICATE and SYMMETRIC KEY:

      select * from sys.certificates
      select * from sys.symmetric_keys

 
