Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual page 172

Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
3. Generate the TKS master key on the HSM using the tkstool. (By default during installation, the
TKS master key is generated on the software token.) For example:
tkstool -M -n new_master -d /var/lib/pki-tks/alias -h nethsm
This generates a master key named new_master on the nethsm token for the pki-tks
instance.
For more information on using the tkstool, see the Certificate System Command-Line Tools
Guide.
4. Verify that the keys for the HSM have been added properly to the TKS database.
tkstool -L -d . -h nethsm
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
<0> new_master
5. Update the TKS instance's CS.cfg to contain the following values:
# useSoftToken tells whether to use the software token or not. By default it is true,
# even if it is not set
tks.useSoftToken=false
# mk_mappings maps key version to key name on token name
# in this example, #02 is the version number, nethsm is the token name,
# and new_master is the key name
tks.mk_mappings.#02#01=nethsm:new_master
It is not necessary to change the defaultSlot value; it can remain the default value for the
software database:
tks.defaultSlot=Internal Key Storage Token
6. Restart the TKS instance.
service pki-tks restart
7. Update the CS.cfg for every Token Processing System (TPS) which uses the
edited TKS instance. In every profile whose parameter names contain
update.symmetricKeys.enable and update.symmetricKeys.requiredVersion, enable key
upgrade and set the requiredVersion parameter. For example:
# note that the "requiredVersion" needs to map with the version number
# specified in the mk_mappings parameter of TKS's CS.cfg
op.enroll.userKey.update.symmetricKeys.enable=true
op.enroll.userKey.update.symmetricKeys.requiredVersion=2
8. Restart the TPS instance.
service pki-tps restart
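
The values set in steps 5 and 7 have to agree, and a mismatch can be caught before the restarts. The following Python check is an added example, not part of the Red Hat manual or the Certificate System tools; the function names and sample file contents are constructed. It assumes the two digits after the first # in mk_mappings are a hexadecimal key version, compared against the decimal requiredVersion.

```python
import re

# Constructed sample files mirroring the values shown in steps 5 and 7.
TKS_CFG = """\
tks.useSoftToken=false
tks.mk_mappings.#02#01=nethsm:new_master
tks.defaultSlot=Internal Key Storage Token
"""
TPS_CFG = """\
op.enroll.userKey.update.symmetricKeys.enable=true
op.enroll.userKey.update.symmetricKeys.requiredVersion=2
"""

MK_RE = re.compile(r"^tks\.mk_mappings\.#([0-9A-Fa-f]{2})#[0-9A-Fa-f]{2}$")
UPD = ".update.symmetricKeys."

def parse_cfg(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check(tks_text, tps_text):
    """Return a list of findings; an empty list means the files agree."""
    tks, tps = parse_cfg(tks_text), parse_cfg(tps_text)
    findings = []
    if tks.get("tks.useSoftToken", "").lower() != "false":
        findings.append("TKS: tks.useSoftToken is not set to false")
    versions = set()
    for key, value in tks.items():
        m = MK_RE.match(key)
        if m and all(value.partition(":")[::2]):
            versions.add(int(m.group(1), 16))  # assumption: hex version byte
        elif m:
            findings.append(f"TKS: {key}={value} is not token:keyname")
    for key, value in tps.items():
        if not key.endswith(UPD + "requiredVersion"):
            continue
        profile = key[: -len(UPD + "requiredVersion")]
        if not value.isdigit() or int(value) not in versions:
            findings.append(f"TPS: {key}={value} has no mk_mappings entry")
        if tps.get(profile + UPD + "enable", "").lower() != "true":
            findings.append(f"TPS: {profile} key upgrade is not enabled")
    return findings

if __name__ == "__main__":
    print(check(TKS_CFG, TPS_CFG) or "TKS and TPS settings agree")
```

A tks.useSoftToken line that has been merged into the preceding comment is treated as unset, so the check reports it.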