Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
The TKS also generates a session key for the DRM to use to transport the server-generated private key securely back to the token. The session key is delivered to the TPS in two different forms:
• The session key wrapped with the server transport key, which the DRM uses to wrap the generated private key for the token
• The session key wrapped with the token's KEK, which the token uses to unwrap the private key generated on the DRM
The TPS then forwards the session key to the DRM, wrapped with both the KEK and the server transport key, along with the server-side key generation request.
To import the DRM transport key into the TKS certificate database:
1. Retrieve the DRM transport certificate from the issuing CA, and save it to file.
2. Import the transport certificate into the TKS security databases in the /var/lib/subsystem_name/alias directory. In the TKS Console, click Subsystem Keys and Certificates in the left navigation panel. In the Local Certificates tab, click Add, and paste in the certificate information.
Alternatively, use certutil to import the certificate (run from the alias directory; the nickname contains a space and must be quoted):
certutil -d . -P cert-db-prefix -A -n "DRM Transport" -t ,, -a -i certfilename
3. Stop the TKS.
service pki-tks stop
4. Edit the CS.cfg file, setting the following parameter to the nickname of the imported DRM transport certificate:
tks.drm_transport_cert_nickname=DRM Transport
5. Restart the TKS.
service pki-tks start
5.7.5.4. Step 4: Configuring the TPS to Generate and Archive Keys
1. Stop the TPS.
service instance_ID stop
2. Edit the following parameters in the TPS CS.cfg file to match the DRM connection information (replace DRM_HOST and DRM_SSLPORT with the DRM's host name and SSL port):
conn.drm.totalConns=1
conn.drm1.hostport=DRM_HOST:DRM_SSLPORT
conn.drm1.clientNickname=Server-Cert
conn.drm1.servlet.GenerateKeyPair=/kra/GenerateKeyPair