Chapter 3. Setting up Key Archival and Recovery
var keyTransportCert =
MIIDbDCCAlSgAwIBAgIBDDANBgkqhkiG9w0BAQUFADA6MRgwFgYDVQQKEw9Eb21haW4gc28gbmFtZWQxHjAcBgNVBAMTFUNlcnRpZmljYXRl
BTsU5A2sRUwNfoZSMs/d5KLuXOHPyGtmC6yVvaY719hr9EGYuv0Sw6jb3WnEKHpjbUO/vhFwTufJHWKXFN3V4pMbHTkqW/x5fu/3QyyUre/5IhG0fcEmfvYxIyvZUJx+aQBW437ATD99Kuh+I+FuYdW+SqYHznHY8BqOdJwJ1JiJMNceXYAuAdk+9t70RztfAhBmkK0OOP0vH5BZ7RCwE3Y/6ycUdSyPZGGc76a0HrKOz+lwVFulFStiuZIaG1pv0NNivzcj0hEYq6AfJ3hgxcC1h87LmCxgRWUCAwEAAaN5MHcwHwYDVR0jBBgwFoAURShCYtSg+Oh4rrgmLFB/Fg7X3qcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vY2x5ZGUucmR1LnJlZGhhdC5jb206OTE4MC9jYS9vY3NwMA4GA1UdDwQEAwIE8DANBgkqhkiG9w0BAQUFAAOCAQEAFYz5ibujdIXgnJCbHSPWdKG0T+FmR67YqiOtoNlGyIgJ42fi5lsDPfCbIAe3YFqmF3wU472h8LDLGyBjy9RJxBj+aCizwHkuoH26KmPGntIayqWDH/UGsIL0mvTSOeLqI3KM0IuH7bxGXjlION83xWbxumW/kVLbT9RCbL4216tqq5jsjfOHNNvUdFhWyYdfEOjpp/UQZOhOM1d8GFiw8N8ClWBGc3mdlADQp6tviodXueluZ7UxJLNx3HXKFYLleewwIFhC82zqeQ1PbxQDL8QLjzca+IUzq6Cd/t7OAgvv3YmpXgNR0/xoWQGdM1/YwHxtcAcVlskXJw5ZR0Y2zA==;
3.3. Setting up Agent-Approved Key Recovery Schemes
Key recovery agents collectively authorize and retrieve private encryption keys and associated
certificates in a PKCS #12 package. To authorize key recovery, the required number of recovery
agents access the DRM agent services page and use the Authorize Recovery button to enter each
authorization separately.
In key recovery authorization, one of the key recovery agents informs all required recovery agents
about an impending key recovery. All recovery agents access the DRM key recovery page. One of
the agents initiates the key recovery process. The DRM returns a notification to that agent which
includes a recovery authorization reference number identifying the particular key recovery request
that the other agents are required to authorize. Each agent uses the reference number and authorizes
the key recovery separately.
The page that the first agent used to initiate the key recovery request keeps refreshing until all agents
required to authorize have performed the authorization. It is important that the first agent does not
close this browser session until the authorization is complete. Otherwise, the key recovery request
needs to be started again.
When all of the authorizations are entered, the DRM checks the information. If the information
presented is correct, it retrieves the requested key and returns it along with the corresponding
certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.
The key recovery agent scheme configures the DRM to recognize to which group the key recovery
agents belong and specifies how many of these agents are required to authorize a key recovery
request before the archived key is restored.
To set up agent-initiated key recovery, edit two parameters in the DRM configuration:
• Set the number of recovery agents required to approve a recovery.
• Set the group to which these agents must belong.
These parameters are set in the DRM's CS.cfg configuration file.
1. Stop the server before editing the configuration file.
service pki-kra stop
2. Open the DRM's CS.cfg file.
vim /var/lib/pki-kra/conf/CS.cfg
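The two settings above are plain key=value lines in CS.cfg, so their values can be read back and sanity-checked before the server is started again. The following POSIX shell helper is an added example, not part of the Red Hat documentation or the Certificate System code, and it runs against a constructed sample file rather than a live CS.cfg. The parameter names kra.noOfRequiredRecoveryAgents and kra.recoveryAgentGroup are my assumption of what the DRM uses for these two settings; they do not appear on this page, so confirm them against your own CS.cfg before relying on them. The helper does not stop or start any service.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): read, set and validate the
# agent-approval settings in a CS.cfg-style key=value file.
# Parameter names below are ASSUMED, not taken from the page.

REQ_KEY="kra.noOfRequiredRecoveryAgents"   # assumed name
GRP_KEY="kra.recoveryAgentGroup"           # assumed name

# write_sample_cfg FILE -> writes a constructed sample config (not a real CS.cfg)
write_sample_cfg() {
  cat > "$1" <<'EOF'
# constructed sample CS.cfg fragment
kra.noOfRequiredRecoveryAgents=2
kra.recoveryAgentGroup=Data Recovery Manager Agents
EOF
}

# cfg_get FILE KEY -> prints the value of KEY (text after the first '=')
cfg_get() {
  grep "^$2=" "$1" | head -n 1 | sed 's/^[^=]*=//'
}

# cfg_set FILE KEY VALUE -> replaces KEY=... in place (or appends it),
# leaving FILE.bak as a backup of the previous contents
cfg_set() {
  cp "$1" "$1.bak"
  if grep -q "^$2=" "$1"; then
    awk -v k="$2" -v v="$3" 'BEGIN { FS = OFS = "=" }
      $1 == k { print k "=" v; next }
      { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf '%s=%s\n' "$2" "$3" >> "$1"
  fi
}

# check_recovery_scheme FILE -> 0 if the scheme is usable, 1 otherwise.
# Warns (but still returns 0) when a single agent can authorize a recovery,
# since that removes the "collective authorization" the scheme is meant to give.
check_recovery_scheme() {
  n=$(cfg_get "$1" "$REQ_KEY")
  g=$(cfg_get "$1" "$GRP_KEY")
  case "$n" in
    ''|*[!0-9]*)
      echo "$REQ_KEY is not a positive integer: '$n'" >&2; return 1 ;;
  esac
  [ "$n" -ge 1 ] || { echo "$REQ_KEY must be at least 1" >&2; return 1; }
  [ -n "$g" ] || { echo "$GRP_KEY is not set" >&2; return 1; }
  [ "$n" -gt 1 ] || echo "warning: one agent alone can authorize a recovery" >&2
  echo "recovery scheme: $n agent(s) from group '$g' must authorize"
  return 0
}

# Usage against a real file, after the server has been stopped:
#   check_recovery_scheme /var/lib/pki-kra/conf/CS.cfg
```

The check only tests that the count is a positive integer and the group is named; it cannot tell whether the group actually has at least that many members, which is still something to confirm in the DRM's group configuration, otherwise no recovery can ever collect enough authorizations.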