Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
The new master key must be associated with the TKS keyset definition so that it can be used by
the TPS. This keyset also requires a mapping parameter for the new master key version in the
TPS CS.cfg file.
tks.defKeySet._000=##
tks.defKeySet._001=## Axalto default key set:
tks.defKeySet._002=##
tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=<tokenname>:<nickname>
tks.defKeySet._004=##
tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.mk_mappings.#02#01=nethsm:new_master
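As an added example (not from the Certificate System documentation), the following Python lint reads a tks.defKeySet block like the one above: it decodes the #hh byte notation, confirms the static auth/kek/mac keys are 16 bytes, flags the 0x40..0x4F manufacturer default that key changeover is meant to replace, and checks that the mk_mappings entry for the new master key version is present, in <tokenname>:<nickname> form, and names the expected nickname. The sample configuration, the mapping suffix #02#01 and the nickname new_master are constructed from the page's values; the keyset name and the default-key interpretation are the example's own assumptions.

```python
import re

# Constructed excerpt of the tks.defKeySet block of a TKS CS.cfg; the
# `_NNN=##` lines are the file's comment convention, not settings.
SAMPLE_CFG = """\
tks.defKeySet._001=## Axalto default key set:
tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=<tokenname>:<nickname>
tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
tks.defKeySet.mk_mappings.#02#01=nethsm:new_master
"""
# 0x40..0x4F is the manufacturer default key shown on the page (assumed here
# to be the key that key changeover replaces).
DEFAULT_DEV_KEY = bytes(range(0x40, 0x50))

def parse_hash_hex(value: str) -> bytes:
    """Decode the CS.cfg '#hh#hh...' byte notation into bytes."""
    if not re.fullmatch(r"(#[0-9a-fA-F]{2})+", value):
        raise ValueError(f"not #hh-encoded: {value!r}")
    return bytes(int(h, 16) for h in value.split("#")[1:])

def parse_keyset(cfg_text: str, keyset: str = "tks.defKeySet") -> dict:
    """Settings under `keyset.`, with the `_NNN=##` comment lines dropped."""
    settings = {}
    for line in cfg_text.splitlines():
        if line.startswith(keyset + ".") and "=" in line:
            name, value = line[len(keyset) + 1:].split("=", 1)
            if not re.fullmatch(r"_\d{3}", name):
                settings[name] = value.strip()
    return settings

def lint_keyset(cfg_text: str, mapping_suffix: str = "#02#01",
                new_master: str = "new_master") -> list:
    """Report default/malformed static keys and a missing or mismatched mapping."""
    s, findings = parse_keyset(cfg_text), []
    for name in ("auth_key", "kek_key", "mac_key"):
        key = parse_hash_hex(s[name]) if name in s else b""
        if len(key) != 16:
            findings.append(f"{name} is {len(key)} bytes, expected 16")
        elif key == DEFAULT_DEV_KEY:
            findings.append(f"{name} is the manufacturer default key (changeover needed)")
    mapping = s.get("mk_mappings." + mapping_suffix)
    if mapping is None:
        findings.append(f"no mk_mappings.{mapping_suffix} entry for the new master key")
    elif not re.fullmatch(r"[^:]+:[^:]+", mapping):
        findings.append(f"mk_mappings.{mapping_suffix} must be <tokenname>:<nickname>")
    elif mapping.split(":", 1)[1] != new_master:
        findings.append(f"mapping nickname {mapping.split(':', 1)[1]!r} != {new_master!r}")
    return findings
```

Run lint_keyset on the real CS.cfg text after step 3 below to confirm the nickname given to tkstool -n matches the mk_mappings entry before restarting the TKS.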
5.6.5. Configuring Symmetric Key Changeover
When GlobalPlatform-compliant smart cards are made, the manufacturer burns a set of symmetric
keys onto the token. The smart card user shares a master symmetric key with the manufacturer, and
the TKS is configured to use these symmetric keys. However, during enrollment, it is desirable
to replace these symmetric keys with a set that is not shared with the manufacturer, which restricts the set of
entities that can manipulate the token.
NOTE
Changing the symmetric keys can render the smart cards unusable if the master key is
lost. Use key changeover in controlled conditions, and be aware of the implications of
erasing a TKS instance. This section contains information on returning the keys to the
factory state.
The TKS and TPS are configured for key changeover by enabling the appropriate parameters in the
CS.cfg file for both the enroll and format operations.
1. Stop the TKS instance. For example:
service pki-tks stop
2. Get the PIN used to access the TKS's security databases. This is the internal PIN listed
in password.conf.
cat /var/lib/pki-tks/conf/password.conf
internal=649713464822
internaldb=secret12
replicationdb=-752230707
3. On the TKS instance, generate new keys to use for token-client communications. For example:
tkstool -M -n new_master -d /var/lib/pki-tks/alias