Server-Side Key Generation And Archival Of Encryption Keys - Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual


</VirtualHost>
3. Restart the TPS instance.
/etc/init.d/rhpki-tps restart
4. Open the Enterprise Security Client, and reset the TPS information so that it connects to the TPS over SSL.
BROWSER_URL=https://server.example.com:7890/cgi-bin/esc.cgi?action=settingspage
TPS_HOST_PORT=7890
TPS_HOST_USES_SSL=yes

7.5.2. Server-Side Key Generation and Archival of Encryption Keys

NOTE
When the TPS instance is configured, there is an option to set up a DRM to perform server-side key generation and key archival and recovery. If this was enabled when the TPS instance was configured, it is not necessary to configure it manually in the CS.cfg. If, however, the DRM information has changed or the DRM was not configured during the installation process, the procedure described in this section can be used to set up the DRM.
The global platform environment prevents removing private keys from the smart card. For encryption
keys, it is often necessary to back up the key material for later recovery, which means the keys
should be generated outside the smart card and then imported. The keys are generated in the DRM
subsystem, where the keys can also be archived. The TPS, TKS, and DRM must all be configured to
generate and archive encryption keys.
To configure server-side key generation for the TPS, do the following:
1. Set up the TPS subsystem as one of the DRM recovery agents.
a. Open the DRM Console.
b. In the Configuration tab, select Users and Groups.
c. In the Users tab, click Add, and create the new user; give this user a name such as TPS Recovery Agent. Add this user to the Data Recovery Manager Agents group.
d. Select the TPS user, click Certificates, and import the TPS server certificate.
2. Set up the TKS with the DRM transport key.
After generating the keys, the DRM encrypts the keys with a key transport key (KTK) before sending them to the smart card. This key is generated on the TKS and transmitted to the DRM through the TPS. The KTK is encrypted with the public key in the DRM's transport certificate, so the DRM transport certificate must be installed on the TKS.
a. Retrieve the DRM transport certificate from the issuing CA, and save it to a file.
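To make the key-transport chain in step 2 concrete, here is an added illustrative model of the three roles (this is not Certificate System code): the TKS encrypts a fresh KTK to the DRM transport certificate's public key, the DRM unwraps the KTK, generates and archives the encryption key and wraps it under the KTK, and the smart card unwraps it. Assumed stand-ins, since the page does not describe the real formats: RSA-OAEP for the transport-certificate encryption, AES-256-GCM for the KTK wrap, a card that already holds the KTK, and all function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }

// gcmFor builds the symmetric wrapper keyed by the KTK (AES-256-GCM is an assumed stand-in for the real card format).
func gcmFor(ktk []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(ktk)))) }

// TKSIssueKTK: the TKS generates a KTK and encrypts it to the DRM transport certificate's public key (RSA-OAEP assumed).
// The plaintext KTK is assumed to be held by the card side; the wrapped copy is relayed to the DRM through the TPS.
func TKSIssueKTK(drmTransportPub *rsa.PublicKey) (ktk, wrappedKTK []byte, err error) {
	ktk = randomBytes(32)
	wrappedKTK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, drmTransportPub, ktk, nil)
	return ktk, wrappedKTK, err
}

// DRMGenerateAndWrap: the DRM unwraps the KTK with its transport private key, generates the token's
// encryption key, keeps the archive copy, and returns that key wrapped under the KTK for the card.
func DRMGenerateAndWrap(transport *rsa.PrivateKey, wrappedKTK []byte) (archived, forCard []byte, err error) {
	ktk, err := rsa.DecryptOAEP(sha256.New(), nil, transport, wrappedKTK, nil)
	if err != nil {
		return nil, nil, errors.New("KTK was not wrapped for this DRM transport key")
	}
	g := gcmFor(ktk)
	archived = randomBytes(32)
	nonce := randomBytes(g.NonceSize())
	return archived, g.Seal(nonce, nonce, archived, nil), nil
}

// CardUnwrap: the smart card, holding the KTK, recovers its encryption key; a wrong KTK fails to authenticate.
func CardUnwrap(ktk, forCard []byte) ([]byte, error) {
	g := gcmFor(ktk)
	if n := g.NonceSize(); len(forCard) >= n {
		return g.Open(nil, forCard[:n], forCard[n:], nil)
	}
	return nil, errors.New("wrapped key blob too short")
}
```

The archive copy the DRM keeps is what later key recovery returns; only a DRM holding the matching transport private key can unwrap the KTK, and only a card holding that KTK can unwrap the encryption key.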