Backup and recovery considerations for DCM data

The encrypted key database passwords that you use to access certificate stores in Digital Certificate Manager (DCM) are stored, or stashed, in a special security file on your system. When you use DCM to create a certificate store on your system, DCM automatically stashes the password for you. However, you need to manually ensure that DCM stashes certificate store passwords under certain circumstances.

An example of one such circumstance is when you use DCM to create a certificate for another IBM® i model and you choose to use the certificate files on the target system to create a new certificate store. In this situation, you need to open the newly created certificate store and use the Changepassword task to change the password for the certificate store on the target system, which ensures that DCM stashes the new password. If the certificate store is an Other System Certificate Store, you should also specify that you want to use the Auto login option when you change the password.

Additionally, you must specify the Auto login option whenever you change or reset the password for an Other System Certificate Store.

To ensure that you have a complete backup of critical DCM data, you must do the following:
  • Use the save (SAV) command to save all .KDB and .RDB files. Every DCM certificate store is comprised of two files, one with a .KDB extension and one with a .RDB extension.
  • Use the save system (SAVSYS) command and the save security data (SAVSECDTA) command to save the special security file that contains the key database passwords for certificate store access. To restore the DCM password security file, use the restore user profiles (RSTUSRPRF) command and specify *ALL for the user profile (USRPRF) option.

Another recovery consideration concerns the use of the SAVSECDTA operation and the potential for the current certificate store passwords to become out of sync with the passwords in the saved DCM password security file. If you change the password for a certificate store after you do a SAVSECDTA operation, but before you restore the data from that operation, the current certificate store password will be out of sync with the one in the restored file.

To avoid this situation, you must use the Change password task (under Manage Certificate Store in the navigation frame) in DCM to change certificate store passwords after you restore the data from a SAVSECDTA operation to ensure that you get the passwords back in sync. However, in this situation do not use the Reset Password button that displays when you select a certificate store to open. When you attempt to reset the password, DCM tries to retrieve the stashed password. If the stashed password is out of sync with the current password, the reset operation will fail. If you do not change certificate store passwords often, you may want to consider doing a SAVSECDTA every time you change these passwords to ensure that you always have the most current stashed version of the passwords saved in case you ever need to restore this data.