Chapter 6. Data Recovery Manager
In key recovery authorization, one of the key recovery agents informs all required recovery agents
about an impending key recovery. All recovery agents access the DRM key recovery page. One of
the agents initiates the key recovery process. The DRM returns a notification to that agent which includes
a recovery authorization reference number identifying the particular key recovery request that the
agents are required to authorize. Each agent uses the reference number and authorizes the key recovery
separately.
The DRM informs the agent who initiated the key recovery process of the status of the authorizations.
NOTE
The page that the first agent used to initiate the key recovery request keeps refreshing
until all agents required to authorize have performed the authorization. It is important that
the first agent does not close this browser session until the authorization is complete.
Otherwise, the key recovery request needs to be started again.
When all of the authorizations are entered, the DRM checks the information. If the information
presented is correct, it retrieves the requested key and returns it along with the corresponding
certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.
WARNING
The PKCS #12 package contains the private key. To minimize the risk of key compromise,
the recovery agent must use a secure method to deliver the PKCS #12 package and
password to the key recipient. The agent should use a good password to encrypt the
PKCS #12 package and set up an appropriate delivery mechanism.
6.5.2. Key Recovery Agent Scheme
The key recovery agent scheme configures the DRM to recognize to which group the key recovery
agents belong and specifies how many of these agents are required to authorize a key recovery
request before the archived key is restored.
These parameters, set in the CS.cfg configuration file, determine which group of users can
recover keys and how many users from that group must authorize a recovery:
kra.noOfRequiredRecoveryAgents=1
kra.recoveryAgentGroup=Data Recovery Manager Agents
This is the default key recovery agent scheme.
Editing these two parameters is all that is necessary to create a new scheme for the number of
required key recovery agents for a DRM and the agent group allowed to perform key recovery.
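The following is an added example, not code from the Certificate System manual or product. It models the recovery agent scheme and the authorization flow described in this section: it reads the two CS.cfg parameters, then tracks a single recovery request (identified by its recovery authorization reference number) as each agent authorizes it separately, rejecting agents outside the configured group, mismatched reference numbers, and duplicate authorizations until the required count is reached. The CS.cfg fragment, the group membership, the RecoveryRequest class and the reference number format are assumptions made for illustration.

```python
"""Added example (not from the Certificate System manual): a small model of the
DRM key recovery agent scheme and the m-of-n authorization it enforces."""
import secrets

# Constructed CS.cfg fragment; only the two scheme parameters are present.
SAMPLE_CS_CFG = """\
# unrelated settings omitted
kra.noOfRequiredRecoveryAgents=2
kra.recoveryAgentGroup=Data Recovery Manager Agents
"""


def parse_recovery_scheme(cfg_text):
    """Return (required_count, agent_group) from CS.cfg-style key=value lines."""
    values = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    required = int(values["kra.noOfRequiredRecoveryAgents"])
    if required < 1:
        raise ValueError("at least one recovery agent must be required")
    return required, values["kra.recoveryAgentGroup"]


class RecoveryRequest:
    """One pending key recovery, authorized separately by each required agent."""

    def __init__(self, required, agent_group, group_members):
        self.required = required
        self.agent_group = agent_group
        self.group_members = frozenset(group_members)
        # Reference number each agent quotes when authorizing (constructed format).
        self.reference = secrets.token_hex(4)
        self.authorized_by = set()

    def authorize(self, agent, reference):
        """Record one agent's authorization and return the updated status.

        Rejects a wrong reference number, an agent outside the configured
        group, and a second authorization from the same agent."""
        if reference != self.reference:
            raise ValueError("reference number does not match this request")
        if agent not in self.group_members:
            raise PermissionError(f"{agent} is not a member of {self.agent_group}")
        if agent in self.authorized_by:
            raise ValueError(f"{agent} has already authorized this request")
        self.authorized_by.add(agent)
        return self.status()

    def status(self):
        """Number of authorizations received and whether the quorum is met."""
        count = len(self.authorized_by)
        return {"authorized": count, "required": self.required,
                "complete": count >= self.required}


def run_demo():
    """Walk one request through the scheme parsed from SAMPLE_CS_CFG."""
    required, group = parse_recovery_scheme(SAMPLE_CS_CFG)
    members = {"agent1", "agent2", "agent3"}   # constructed group membership
    req = RecoveryRequest(required, group, members)
    req.authorize("agent1", req.reference)
    try:
        req.authorize("outsider", req.reference)  # not in the agent group
    except PermissionError:
        pass
    try:
        req.authorize("agent1", req.reference)    # duplicate authorization
    except ValueError:
        pass
    return req.authorize("agent2", req.reference)  # quorum of 2 reached


if __name__ == "__main__":
    print(run_demo())
```

With the default scheme (one required agent) the first valid authorization completes the request; raising kra.noOfRequiredRecoveryAgents is what forces the separate, independent approvals described above.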
6.6. Configuring Key Archival and Recovery Process
When the DRM is configured, joins a security domain, and is issued a subsystem certificate by a
Certificate System CA, it is configured to archive and recover private encryption keys. However, if the
DRM certificates are issued by an external CA rather than one of the CAs within the security domain,
then the key archival and recovery process must be set up manually.