Configuring Server-Side Key Generation And Archival Of Encryption Keys - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
Table 5.10. Token Database Preferences (continued)

Parameter:
• tokendb.searchActivityResultTemplate
• tokendb.showAdminTemplate
• tokendb.doTokenTemplate
• tokendb.doTokenConfirmTemplate
• tokendb.revokeTemplate
• tokendb.editAdminTemplate
• tokendb.editAdminResultTemplate
• tokendb.searchAdminTemplate
• tokendb.searchAdminResultTemplate

Parameter: tokendb.defaultPolicy
Description: The default policy to use. The valid values are PIN_RESET=YES|NO; and RE_ENROLL=Y

5.7.5. Configuring Server-Side Key Generation and Archival of Encryption Keys

NOTE
When a TPS instance is configured, there is an option to set up a DRM to perform server-side key generation and key archival and recovery. If this option was enabled when the TPS instance was configured, the DRM does not need to be configured manually in the CS.cfg. If, however, the DRM information has changed, or the DRM was not configured during installation, the procedure in this section can be used to set up the DRM.

The Global Platform environment does not allow private keys to be extracted from a smart card. For encryption keys, the key material usually has to be backed up so that it can be recovered later (for example, so encrypted data remains readable if the token is lost or damaged), which means these keys must be generated outside the smart card and then imported onto it. The keys are generated in the DRM subsystem, where they can also be archived. The TPS, TKS, and DRM must all be configured to support server-side generation and archival of encryption keys.

To configure server-side key generation for tokens enrolled through the token management system:
1. Configure the DRM to perform server-side key generation for the appropriate kinds of tokens.
2. Add the TPS to the DRM as a key recovery agent.
3. Import the DRM transport key into the TKS.
4. Configure the TPS to generate and archive keys.
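The four steps in Section 5.7.5 describe what has to be in place but give no way to confirm it afterwards. The following script is an added example, not code from the Red Hat Certificate System manual or product: it parses the TPS and TKS CS.cfg files and checks the settings that steps 3 and 4 rely on, with a weak (incomplete) TPS fragment shown beside a complete one. The parameter names (op.enroll.<profile>.keyGen.encryption.serverKeygen.*, conn.<name>.*, tks.drm_transport_cert_nickname), the hostnames and the certificate nicknames are assumptions modelled on typical RHCS 8 configurations; confirm them against your own instances. Step 2 (adding the TPS as a recovery agent) is a group membership on the DRM rather than a CS.cfg setting, so it is not covered here.

```python
"""Consistency check for the CS.cfg parameters that server-side key
generation and archival depend on in the TPS and TKS.

Added example, not code from Red Hat Certificate System. The parameter
names below are assumptions based on common RHCS 8 TPS/TKS settings;
verify them against your own CS.cfg files before relying on the check.
"""
import re

# Constructed TPS CS.cfg fragment: server-side keygen is on, but archival
# is off and the DRM connection it names is incomplete.
WEAK_TPS_CFG = """\
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=false
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
conn.drm1.hostport=drm.example.com:10443
"""

# Constructed TPS CS.cfg fragment with every setting the check expects.
GOOD_TPS_CFG = """\
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
conn.drm1.hostport=drm.example.com:10443
conn.drm1.clientNickname=TPS Subsystem Certificate
conn.drm1.servlet.GenerateKeyPair=/kra/GenerateKeyPair
conn.drm1.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
"""

# Constructed TKS CS.cfg fragment: the nickname must match the DRM
# transport certificate imported into the TKS NSS database (step 3).
GOOD_TKS_CFG = "tks.drm_transport_cert_nickname=DRM Transport Certificate - Example Domain\n"

HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def parse_cs_cfg(text):
    """Parse CS.cfg text (key=value lines, '#' comments) into a dict.
    Only the first '=' splits key from value, so values may contain '='."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def is_true(cfg, key):
    """A missing key counts as false, which is how CS.cfg is read in practice."""
    return cfg.get(key, "false").strip().lower() == "true"


def check_tps(cfg, profile="userKey"):
    """Return a list of problems with the TPS server-side keygen settings
    for one enrollment profile; an empty list means the settings are consistent."""
    problems = []
    prefix = "op.enroll.%s.keyGen.encryption.serverKeygen." % profile
    if not is_true(cfg, prefix + "enable"):
        # Keys are generated on the token and can never be archived.
        return [prefix + "enable is not true: encryption keys stay on the "
                "token and cannot be archived or recovered"]
    if not is_true(cfg, prefix + "archive"):
        problems.append(prefix + "archive is not true: DRM-generated keys "
                        "will not be archived, so later recovery is impossible")
    conn = cfg.get(prefix + "drm.conn")
    if not conn:
        problems.append(prefix + "drm.conn names no DRM connection")
        return problems
    for suffix in ("hostport", "clientNickname",
                   "servlet.GenerateKeyPair", "servlet.TokenKeyRecovery"):
        key = "conn.%s.%s" % (conn, suffix)
        if not cfg.get(key):
            problems.append(key + " is missing")
    hostport = cfg.get("conn.%s.hostport" % conn, "")
    if hostport and not HOSTPORT_RE.match(hostport):
        problems.append("conn.%s.hostport is not host:port: %r" % (conn, hostport))
    return problems


def check_tks(cfg, expected_nickname=None):
    """Return problems on the TKS side: the DRM transport certificate
    nickname must be set and, if known, match the imported certificate."""
    nick = cfg.get("tks.drm_transport_cert_nickname")
    if not nick:
        return ["tks.drm_transport_cert_nickname is missing: the TKS cannot "
                "wrap keys for the DRM"]
    if expected_nickname and nick != expected_nickname:
        return ["tks.drm_transport_cert_nickname=%r does not match the "
                "imported certificate %r" % (nick, expected_nickname)]
    return []


if __name__ == "__main__":
    for name, text in (("weak", WEAK_TPS_CFG), ("good", GOOD_TPS_CFG)):
        for p in check_tps(parse_cs_cfg(text)) or ["OK"]:
            print("%s TPS: %s" % (name, p))
    for p in check_tks(parse_cs_cfg(GOOD_TKS_CFG)) or ["OK"]:
        print("TKS: %s" % p)
```

Run it against the real files by replacing the constructed fragments with the contents of the TPS and TKS CS.cfg; pass the nickname shown by certutil for the imported DRM transport certificate as expected_nickname so the TKS check catches a mismatch rather than just a missing value.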