Red Hat Certificate System 8.0 - Migration Guide 7.x to 8.0

Server-Cert cert-old_TKS_instance

7.1.4. Option 4: HSM to HSM Migration

1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

WARNING
Changing either the instance name or the fully-qualified domain name is not supported for migration. The fully-qualified domain name of the host machine for the new instance must be the same as the fully-qualified domain name of the original instance. Likewise, the new instance name must also be the same as the original instance name.
The instance and domain information has to be the same for both instances because the certificate and key material — among other instance and database information — has to be the same.

The pk12util tool provided by Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key. To extract this information, contact the HSM vendor. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.
2. Log into the 7.x server as the Certificate System user for that machine.
3. Migrate the master key from the 7.x TKS instance. (Depending on your installation, there may not
be any master key information stored in the 7.x TKS instance.)
a. Open the Certificate System 7.x configuration file.
• If the migration is from Certificate System 7.1, open the CS.cfg file in the Certificate System config directory.
• If the migration is from Certificate System 7.2 or 7.3, open the CS.cfg file in the Certificate System /etc/subsystem_name directory.
b. Write down or note the exact name-value pair for the tks.mk_mappings.#tks_master_key_version_number#01=old_HSM_slot_name:tks_master_key_version_name line. A tks.mk_mappings value looks like the following:

tks.mk_mappings.#02#01=mu:tks_master_key_v2

In this example, 02 is the tks_master_key_version_number, mu is the old_HSM_slot_name, and tks_master_key_v2 is the tks_master_key_version_name.

4. Migrate symmetric keys from the 7.x TKS instance. Two things are required:
• A written copy of the original three session key shares to reproduce the symmetric transport key on the 7.x TKS instance.
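
The following is an added example, not part of the Red Hat guide: a Python parser that pulls every tks.mk_mappings line out of CS.cfg text, so the exact name-value pair from step 3b can be recorded without retyping and lines that do not fit the template are flagged. The function and class names and the sample file contents are assumptions; only the tks.mk_mappings.#02#01=mu:tks_master_key_v2 line comes from the guide.

```python
import re
from typing import NamedTuple

# Pattern follows the template shown in step 3b:
#   tks.mk_mappings.#<version_number>#01=<old_HSM_slot_name>:<version_name>
MK_MAPPING = re.compile(
    r"^tks\.mk_mappings\.#(?P<version>[^#=\s]+)#(?P<suffix>[^#=\s]+)\s*=\s*"
    r"(?P<slot>[^:=]+):(?P<name>.+)$"
)

class MasterKeyMapping(NamedTuple):
    raw: str      # exact name-value pair, as the guide says to record it
    version: str  # tks_master_key_version_number
    suffix: str   # the "01" field; the guide shows it but does not define it
    slot: str     # old_HSM_slot_name
    name: str     # tks_master_key_version_name

def parse_mk_mappings(cfg_text):
    """Return (mappings, malformed) for every tks.mk_mappings line in CS.cfg text."""
    mappings, malformed = [], []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line.startswith("tks.mk_mappings."):
            continue  # other parameters, comments, blank lines
        m = MK_MAPPING.match(line)
        if m:
            fields = m.group("version", "suffix", "slot", "name")
            mappings.append(MasterKeyMapping(line, *fields))
        else:
            malformed.append(line)  # review by hand rather than guessing fields
    return mappings, malformed

# Constructed sample CS.cfg fragment. Only the #02#01 line is taken from the
# guide; the other two lines are made up to exercise the parser.
SAMPLE_CS_CFG = """\
example.other.param=value
tks.mk_mappings.#02#01=mu:tks_master_key_v2
tks.mk_mappings.#03#01=tks_master_key_v3
"""

if __name__ == "__main__":
    found, bad = parse_mk_mappings(SAMPLE_CS_CFG)
    for entry in found:
        print(f"{entry.raw}\n  version={entry.version} slot={entry.slot} name={entry.name}")
    for line in bad:
        print(f"does not match the step 3b template: {line}")
```
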
