Chapter 9.
Token Key Service
The Certificate System Token Management System consists of three components: the Token
Processing System (TPS), the Token Key Service (TKS), and the Enterprise Security Client. This
chapter explains the TKS, which manages the master keys required to set up a secure communication
channel between the TPS and the client.
9.1. Overview
A TKS manages the master and transport keys required to generate and distribute keys for smart
cards or tokens. A master key is a Triple DES symmetric key stored either in software or in a hardware
token. When supplied with the token CUID, a TKS can derive the corresponding three symmetric keys
(the authentication key, the MAC key, and the key encryption key, or KEK) on each token. This
effectively shares secrets between the Certificate System and the token without having to store these
symmetric keys on the server; only the master key is stored, and each token's keys are recomputed
from it and the CUID whenever they are needed.
The Certificate System TPS subsystem uses the TKS subsystem to generate the token keys the TPS
uses to communicate with the Enterprise Security Client. The TPS communicates with the TKS over
SSL. The security between tokens and the TPS therefore rests on the relationship between the master
key held by the TKS and the token keys derived from it: anyone holding the master key can derive
every token's keys.
The functions provided by the TKS include the following:
• Helps establish a secure channel (signed and encrypted) between the token and TPS.
• Provides proof of presence for the security token during enrollment.
• Supports key changeover when the master key changes on the TKS. Tokens with older keys get
new token keys.
• Helps generate a symmetric session key for the DRM to wrap (encrypt) the entity's private key for
(optional) server-side key generation, where the entity's encryption keys are generated on the DRM.
NOTE
Because of the sensitivity of the data that the TKS manages (a compromised master key exposes
the keys of every token derived from it), place the TKS behind a firewall with restricted access.
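The derivation described in this overview, as an added example in Go (this is not code from Certificate System or tksTool; it uses only Go's standard crypto/des). It shows the server holding a single 16-byte two-key Triple DES master key, deriving a token's authentication, MAC and KEK keys from that master key and the CUID, and then verifying a proof-of-presence cryptogram from the token without ever storing a per-token key. Assumptions made for illustration, because the page does not state them: the derivation-data layout (selected CUID bytes plus a key-type byte, in the style of GlobalPlatform key diversification), Triple DES in ECB mode for the derivation itself, and a plain Triple DES CBC-MAC over host and card challenges as the cryptogram; the real TKS may use different byte layouts and derives session keys before computing cryptograms.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
)

// Identifiers for the three per-token keys a TKS derives from the master key.
const (
	KeyAuth byte = 0x01 // authentication (encryption) key
	KeyMac  byte = 0x02 // MAC key
	KeyKek  byte = 0x03 // key encryption key
)

// TokenKeys is the per-token key set the TPS obtains from the TKS.
type TokenKeys struct{ Auth, Mac, Kek []byte }

var errKeySize = errors.New("two-key Triple DES key must be 16 bytes")

// tdesCipher expands a 16-byte two-key Triple DES key K1||K2 to the 24-byte
// K1||K2||K1 form crypto/des expects and returns the block cipher.
func tdesCipher(k16 []byte) (cipher.Block, error) {
	if len(k16) != 16 {
		return nil, errKeySize
	}
	return des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...))
}

// derivationData builds the 16-byte diversification input for one key type.
// ASSUMPTION: this GlobalPlatform-style layout (selected CUID bytes plus a
// key-type byte in each half) is illustrative, not the real TKS layout.
func derivationData(cuid []byte, keyType byte) []byte {
	id := make([]byte, 10) // pad or truncate the CUID to the 10 bytes used here
	copy(id, cuid)
	return []byte{
		id[0], id[1], id[4], id[5], id[6], id[7], 0xF0, keyType,
		id[0], id[1], id[4], id[5], id[6], id[7], 0x0F, keyType,
	}
}

// DeriveTokenKey encrypts the derivation data under the master key with
// Triple DES in ECB mode (two 8-byte blocks) to produce one 16-byte token key.
func DeriveTokenKey(master16, cuid []byte, keyType byte) ([]byte, error) {
	block, err := tdesCipher(master16)
	if err != nil {
		return nil, err
	}
	data, out := derivationData(cuid, keyType), make([]byte, 16)
	block.Encrypt(out[:8], data[:8])
	block.Encrypt(out[8:], data[8:])
	return out, nil
}

// DeriveTokenKeys derives the auth, MAC and KEK keys for one CUID. Only the
// master key lives on the server; the token keys are recomputed on demand.
func DeriveTokenKeys(master16, cuid []byte) (k TokenKeys, err error) {
	if k.Auth, err = DeriveTokenKey(master16, cuid, KeyAuth); err != nil {
		return
	}
	if k.Mac, err = DeriveTokenKey(master16, cuid, KeyMac); err != nil {
		return
	}
	k.Kek, err = DeriveTokenKey(master16, cuid, KeyKek)
	return
}

// Cryptogram is a Triple DES CBC-MAC (zero IV, 0x80 00.. padding) over data;
// the last 8-byte block is the tag. The session-key step GlobalPlatform
// performs before this is omitted to keep the example short.
func Cryptogram(key16, data []byte) ([]byte, error) {
	block, err := tdesCipher(key16)
	if err != nil {
		return nil, err
	}
	padded := append(append([]byte{}, data...), 0x80)
	for len(padded)%8 != 0 {
		padded = append(padded, 0x00)
	}
	mac, buf := make([]byte, 8), make([]byte, 8)
	for i := 0; i < len(padded); i += 8 {
		for j := range buf {
			buf[j] = mac[j] ^ padded[i+j]
		}
		block.Encrypt(mac, buf)
	}
	return mac, nil
}

// VerifyPresence is the TPS/TKS side of proof of presence: re-derive the
// token's auth key from master key and CUID, recompute the cryptogram over
// host||card challenge, and compare it in constant time.
func VerifyPresence(master16, cuid, host, card, cryptogram []byte) bool {
	k, err := DeriveTokenKey(master16, cuid, KeyAuth)
	if err != nil {
		return false
	}
	expected, err := Cryptogram(k, append(append([]byte{}, host...), card...))
	return err == nil && subtle.ConstantTimeCompare(expected, cryptogram) == 1
}
```

Calling DeriveTokenKeys(master, cuid) yields the three keys the TPS would request from the TKS for that CUID; a token personalized with the same master key holds the same keys and answers a challenge with Cryptogram over the two challenges, which VerifyPresence checks by re-deriving the auth key. Because every token key is a pure function of the master key and the CUID, the master key is the only secret worth protecting on the server side, which is the reason for the note above about isolating the TKS.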
9.2. Using Master Keys
Generate new master and transport keys using the tksTool utility. The transport key is used to send
the master key securely to the facility where the tokens are generated. Tokens that are generated with
a particular master key can only be used with that master key.
1. Open the TKS instance alias/ directory.
cd /var/lib/instance_ID/alias/
2. Generate the new master key. For example:
tksTool -M -n new_master -d /var/lib/rhpki-tks/alias -h token_name -p certDBPrefix
Here -M requests a new master key, -n new_master is the nickname given to it, -d names the
security database directory (the alias/ directory from step 1), -h token_name is the software or
hardware token that will hold the key, and -p certDBPrefix is the certificate database prefix.
Certificate System 7.3 Administration