Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual page 150

6.4. 7.0 and 7.1 Token Key Service (TKS) Migration

2. Log into the old server as the Certificate System user for that machine.

3. To migrate a master key from the old TKS instance, do the following:

   a. Open the old Certificate System configuration file.
      If the migration is from CMS 7.0, this is the CMS.cfg file in the old Certificate System conf/ directory. If the migration is from Certificate System 7.1, this is the CS.cfg file in the old Certificate System config/ directory.

   b. Write down or note the exact name=value pair for the tks.mk_mappings.#tks_master_key_version_number#01=old_HSM_slot_name:tks_master_key_version_name line. A tks.mk_mappings value looks like the following:

      tks.mk_mappings.#02#01=mu:tks_master_key_v2

      In this example, 02 is the tks_master_key_version_number, mu is the old_HSM_slot_name, and tks_master_key_v2 is the tks_master_key_version_name.

4. To migrate symmetric keys from the old TKS instance, two things are required:

   - A written copy of the original three session key shares to reproduce the symmetric transport key on the old TKS instance.
   - Copies of all files (there is at least one) containing the wrapped master keys on the old HSM; for example, tks_master_key_v2.txt.

   NOTE: These files are created whenever the user generates a new master key using the tksTool -W option.

5. Copy the extracted public/private key pairs from the old server to the new server.

      cp old_server_root/alias/ServerCert.p12 /var/lib/instance_ID/alias/ServerCert.p12

6. Extract the public key of the "old_HSM_slot_name:caSigningCert cert-old_TKS_instance" and "old_HSM_slot_name:tksTransportCert cert-old_TKS_instance" entries from the old security databases and save the base-64 encoded output to files called caSigningCert.b64 and tksTransportCert.b64, respectively.

   a. Open the old Certificate System alias/ directory.

      cd old_server_root/alias

   b. Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries.

      LD_LIBRARY_PATH=old_server_root/bin/cert/lib
      export LD_LIBRARY_PATH

   c. Use the old Certificate System certutil tool to identify the old HSM slot name.

      old_server_root/bin/cert/tools/certutil -U -d .

   d. Use the old Certificate System certutil tool to extract the public key of the following entries from the security databases and save each base-64 output to a separate file.

      old_server_root/bin/cert/tools/certutil -L -n "old_HSM_slot_name:caSigningCert cert-old_TKS_instance" -d . -h old_HSM_token_name -a > caSigningCert.b64
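The steps above depend on three pieces of bookkeeping that are easy to get wrong by hand: reading the tks.mk_mappings line correctly (step 3b), having a wrapped copy of every mapped master key before the old HSM is retired (step 4), and exporting well-formed base-64 certificate files (step 6). The following POSIX shell script is an added example, not tooling from the Red Hat guide or from Certificate System itself; it performs those checks on constructed sample files. The function names, the sample CS.cfg content and the sample files are assumptions made for illustration, and the wrapped-key files are assumed to be named key_name.txt, as the guide's tks_master_key_v2.txt example suggests.

```shell
#!/bin/sh
# Added example for this migration guide page; it is not the guide's own
# tooling. All paths and sample data below are constructed for illustration.

# Step 3b: print "version slot key_name" for every tks.mk_mappings line in a
# CS.cfg (7.1) or CMS.cfg (7.0) file, e.g. "02 mu tks_master_key_v2".
parse_mk_mappings() {
    sed -n 's/^tks\.mk_mappings\.#\([0-9][0-9]*\)#01=\([^:]*\):\(.*\)$/\1 \2 \3/p' "$1"
}

# Step 4: every master key named in the mapping must have its wrapped copy
# (key_name.txt, as written by tksTool -W) in DIR. Returns non-zero and lists
# each missing file on stderr otherwise.
check_wrapped_key_files() {
    cfg=$1; dir=$2; status=0
    for key in $(parse_mk_mappings "$cfg" | awk '{ print $3 }'); do
        if [ ! -s "$dir/$key.txt" ]; then
            echo "missing wrapped master key file: $dir/$key.txt" >&2
            status=1
        fi
    done
    return "$status"
}

# Step 6: build the nickname certutil expects, e.g.
# "mu:caSigningCert cert-tks-old" for slot "mu" and instance "tks-old".
cert_nickname() {
    printf '%s:%s cert-%s\n' "$1" "$2" "$3"
}

# Step 6: accept FILE only if it looks like the output of "certutil -L ... -a":
# non-empty, PEM-framed, and with a body that decodes as base-64.
check_b64_cert() {
    file=$1
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    grep -q '^-----BEGIN CERTIFICATE-----$' "$file" \
        || { echo "no PEM header: $file" >&2; return 1; }
    sed '/^-----/d' "$file" | base64 -d >/dev/null 2>&1 \
        || { echo "body is not valid base-64: $file" >&2; return 1; }
}

# Stand-alone run on constructed sample files (no real migration data).
demo_tks_preflight() {
    tmp=$(mktemp -d) || return 1
    printf 'tks.mk_mappings.#02#01=mu:tks_master_key_v2\n' > "$tmp/CS.cfg"
    printf 'constructed wrapped-key placeholder\n' > "$tmp/tks_master_key_v2.txt"
    { echo '-----BEGIN CERTIFICATE-----'
      printf 'constructed certificate bytes' | base64
      echo '-----END CERTIFICATE-----'; } > "$tmp/caSigningCert.b64"
    parse_mk_mappings "$tmp/CS.cfg"
    cert_nickname mu caSigningCert tks-old
    check_wrapped_key_files "$tmp/CS.cfg" "$tmp" && check_b64_cert "$tmp/caSigningCert.b64"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_tks_preflight
```

Against a real migration, point parse_mk_mappings at the old CMS.cfg or CS.cfg, check_wrapped_key_files at the directory that holds the tks_master_key_v*.txt files, and check_b64_cert at each .b64 file produced in step 6d before copying anything to the new server. The base-64 check only confirms the file is decodable; it does not confirm which certificate was exported, so the nickname passed to certutil -n should still be compared against the certutil -U output from step 6c.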
