Backing Up/Restoring TIM SSL Application Private Keys.

Document ID : KB000014344
Last Modified Date : 14/02/2018
Introduction:

Customers often encounter the following scenarios involving TIM and their application SSL private keys:

1) Moving an SSL private key to another TIM that will monitor the same application using identical private keys and ports.

Note: Different IP addresses or ports will require different private keys.

2) Needing to back up SSL keys before an upgrade and restore them afterwards.

The documentation covers both scenarios only indirectly; it includes no explicit directions.

Notes:

1. These private keys are NOT kept on the EM.

2. The private keys in APM 9.7-10.x are stored in /opt/ca/APM/tim/config/webservers and encrypted with a key compiled into the TIM Binaries, which makes the keys usable through all TIM installations and versions.

3. A good overview on TIM and private keys can be found in this community post: https://communities.ca.com/thread/99822426

Question:

I want to do either of the following:

  1) Backing up/restoring TIM SSL Private Keys for an upgrade.

  2) Migrating Application SSL Private Keys from one TIM to another

 In both cases, the same application with identical IP addresses and ports will be used.

 How may I do this?

Environment:
All supported APM TIM/MTP TIM releases.
Answer:

There are two approaches, whether for an install, upgrade, or migration:

Approach #1 Backup/Restore the entire TIM Configuration directory (/opt/ca/APM/tim/config/)

1. After logging in to the TIM/MTP UNIX console:

    - cd <TIM_HOME>/etc/wily/cem/tim


2. At the command line enter:  tar cf /tmp/timconfig.tar config


3. Then save the /tmp/timconfig.tar file to another computer over the network.
    - If you have a Linux or UNIX computer on your network, then use scp to copy the file to the remote computer:
      scp /tmp/timconfig.tar remote-user@remote-host:~/timconfig.tar
    - If you have a Windows desktop on your network, you can use WinSCP to copy the tar file from the TIM.

After the install/upgrade takes place:

1. Stop the TIM
2. Make a backup of /opt/ca/APM/tim/config/ with the updated files.

3. Restore the original configuration files to /opt/ca/APM/tim/config/
  - cd <TIM_HOME>/etc/wily/cem/tim (the directory the archive was created from, so that config/ is restored in place)
  - tar xvf timconfig.tar to extract the files.

4. Start the TIM.

Note that this approach:
- Propagates any TIM configuration issues that existed before the upgrade.
- Does not take advantage of any changes in the configuration files due to bug fixes or new functionality.

Without the restart, the TIM will not be aware of the changed keys.


Approach #2 Backup/Restore Just the Private Keys (/opt/ca/APM/tim/config/webservers)

1. After logging in to the TIM/MTP UNIX console, enter the following:
- cd <TIM_HOME>/etc/wily/cem/tim/config
- tar cf /tmp/timsslkeys.tar webservers
- Save the /tmp/timsslkeys.tar file to another computer over the network.
Notes:
1. If you have a Linux or UNIX computer on your network, you can use scp to copy the file to the remote computer:
scp /tmp/timsslkeys.tar remote-user@remote-host:~/timsslkeys.tar
2. If you have a Windows desktop on your network, you can use WinSCP to copy the tar file from the TIM.

After the install/upgrade takes place:
1. Restore the original configuration files to /opt/ca/APM/tim/config/ by extracting from the directory the archive was created in:
  cd <TIM_HOME>/etc/wily/cem/tim/config
  tar xvf timsslkeys.tar

2. Restart the TIM so that the new keys are recognized.
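
Because the archive in Approach #2 holds private keys that any TIM installation can use, the following added example (not part of the original article or of CA's tooling) wraps the same tar steps with owner-only file permissions, a SHA-256 check around the network copy, and a member-path check before extraction. The function names and the TIM_CONFIG variable are assumptions, and sha256sum is assumed to be available on the TIM host.

```shell
#!/bin/sh
# Added example: backup/restore of the TIM webservers key directory with
# owner-only permissions and an integrity check around the network copy.
# Assumption: TIM_CONFIG points at the TIM config directory named in the article.
TIM_CONFIG="${TIM_CONFIG:-/opt/ca/APM/tim/config}"

# backup_keys OUTDIR
# Archive webservers/ and record a SHA-256 digest beside it.
backup_keys() {
    outdir="$1"
    (
        umask 077    # new files (and OUTDIR, if created here) are owner-only
        mkdir -p "$outdir" || exit 1
        tar cf "$outdir/timsslkeys.tar" -C "$TIM_CONFIG" webservers || exit 1
        cd "$outdir" && sha256sum timsslkeys.tar > timsslkeys.tar.sha256
    )
}

# restore_keys SRCDIR
# Verify the digest, confirm every member sits under webservers/, then
# extract into TIM_CONFIG. Restart the TIM afterwards, as in the last step.
restore_keys() {
    srcdir="$1"
    ( cd "$srcdir" && sha256sum -c timsslkeys.tar.sha256 >/dev/null 2>&1 ) || {
        echo "digest mismatch, not restoring" >&2
        return 1
    }
    members=$(tar tf "$srcdir/timsslkeys.tar") || return 1
    if printf '%s\n' "$members" | grep -Ev '^webservers(/|$)' | grep -q . ||
       printf '%s\n' "$members" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "unexpected member paths, not restoring" >&2
        return 1
    fi
    tar xf "$srcdir/timsslkeys.tar" -C "$TIM_CONFIG"
}
```

Copy the .tar and .sha256 files together with scp or WinSCP, and delete the archive from the staging directories once the restore has been confirmed.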

Additional Information:

What the documentation includes on backing up key TIM configuration information: https://docops.ca.com/ca-apm/10-5/en/installing/apm-installation-and-upgrade/upgrade-apm/prepare-for-upgrade