Backup and recovery considerations for DCM data

Use this information to learn how to ensure that important DCM data is added to your backup and recovery plan for your system.

The encrypted key database passwords that you use to access certificate stores in Digital Certificate Manager (DCM) are stored, or stashed, in a special security file on your system. When you use DCM to create a certificate store on your system, DCM automatically stashes the password for you. However, you need to manually ensure that DCM stashes certificate store passwords under certain circumstances.

An example of one such circumstance is when you use DCM to create a certificate for another iSeries system and you choose to use the certificate files on the target system to create a new certificate store. In this situation, you need to open the newly created certificate store and use the Change password task to change the password for the certificate store on the target system, which ensures that DCM stashes the new password. If the certificate store is an Other System Certificate Store, you should also specify that you want to use the Auto login option when you change the password. To learn more about using DCM to create certificates for other iSeries™ systems, see Use a Local CA to issue certificates for other iSeries systems.

Additionally, you must specify the Auto login option whenever you change or reset the password for an Other System Certificate Store.

To ensure that you have a complete backup of critical DCM data, you must do the following:

Another recovery consideration concerns the use of the SAVSECDTA operation and the potential for the current certificate store passwords to become out of sync with the passwords in the saved DCM password security file. If you change the password for a certificate store after you do a SAVSECDTA operation, but before you restore the data from that operation, the current certificate store password will be out of sync with the one in the restored file.

To avoid this situation, you must use the Change password task (under Manage Certificate Store in the navigation frame) in DCM to change certificate store passwords after you restore the data from a SAVSECDTA operation to ensure that you get the passwords back in sync. However, in this situation do not use the Reset Password button that displays when you select a certificate store to open. When you attempt to reset the password, DCM tries to retrieve the stashed password. If the stashed password is out of sync with the current password, the reset operation will fail. If you do not change certificate store passwords often, you may want to consider doing a SAVSECDTA every time you change these passwords to ensure that you always have the most current stashed version of the passwords saved in case you ever need to restore this data.

Related tasks
Use a Local CA to issue certificates for other iSeries systems