Option 3: HSM to Security Databases Migration - Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0 Manual

Migration guide 7.x to 8.0
Chapter 5. Migrating a DRM Instance to Certificate System 8.0
18. Import the public key from the base-64 file into the new HSM, and set the trust bits.
certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_DRM_instance" -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64
19. Optionally, delete the base-64 file.
rm caSigningCert.b64
20. Open the CS.cfg configuration file in the /var/lib/instance_ID/conf/ directory.
21. Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the 8.0 DRM information.
kra.storageUnit.nickname=new_HSM_slot_name:kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=new_HSM_slot_name:kraTransportCert cert-old_DRM_instance
NOTE
The caSigningCert is not referenced in the CS.cfg file.
22. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
new_HSM_slot_name:Server-Cert cert-old_DRM_instance
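The following script is an added post-migration consistency check; it is not part of the guide or of Certificate System. It assumes the output of certutil -L -h new_HSM_token_name -d . and the contents of CS.cfg and serverCertNick.conf have been read into strings, and verifies that every nickname edited in steps 21 and 22 names a certificate actually present on the new token and that caSigningCert carries the CT,c, trust bits set in step 18. The sample listing and configuration are constructed, with the transport nickname deliberately left on the old HSM prefix so the check has something to report.

```python
import re
# Trust-attribute column of "certutil -L" output (SSL,S/MIME,JAR/XPI flag groups).
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")
# Constructed sample of "certutil -L -h new_HSM_token_name -d ." output (not a real listing).
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

new_HSM_slot_name:caSigningCert cert-old_DRM_instance        CT,c,
new_HSM_slot_name:kraStorageCert cert-old_DRM_instance       u,u,u
new_HSM_slot_name:Server-Cert cert-old_DRM_instance          u,u,u
"""
# Constructed CS.cfg fragment in which the transport nickname was left unedited.
CS_CFG = """\
kra.storageUnit.nickname=new_HSM_slot_name:kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=old_HSM_slot_name:kraTransportCert cert-old_DRM_instance
"""
SERVER_CERT_NICK = "new_HSM_slot_name:Server-Cert cert-old_DRM_instance\n"

def parse_cs_cfg(text):
    """Parse key=value lines of CS.cfg into a dict; blanks and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def parse_certutil_list(text):
    """Map every nickname listed by certutil -L to its trust attribute string."""
    matches = (TRUST_RE.match(line) for line in text.splitlines())
    return {m.group("nick"): m.group("trust") for m in matches if m}

def check_migration(cfg, token_certs, server_cert_nick, slot, old_instance):
    """Return the inconsistencies found; an empty list means the nicknames line up."""
    problems = []
    expected = {"kra.storageUnit.nickname": f"{slot}:kraStorageCert cert-{old_instance}",
                "kra.transportUnit.nickname": f"{slot}:kraTransportCert cert-{old_instance}"}
    for key, want in expected.items():
        got = cfg.get(key)
        if got != want:
            problems.append(f"{key} is {got!r}, expected {want!r}")
        elif got not in token_certs:
            problems.append(f"{key} refers to {got!r}, which is not on the token")
    ca_nick = f"{slot}:caSigningCert cert-{old_instance}"
    if token_certs.get(ca_nick) != "CT,c,":  # trust bits set by certutil -A in step 18
        problems.append(f"{ca_nick} is missing or its trust bits are not CT,c,")
    if server_cert_nick.strip() not in token_certs:
        problems.append("serverCertNick.conf names a certificate that is not on the token")
    return problems
```

Run check_migration() against the real files after step 22; any returned entry points at a nickname that the DRM will fail to find when it starts.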

5.1.3. Option 3: HSM to Security Databases Migration

1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.
WARNING
Changing either the instance name or the fully-qualified domain name is not supported for migration. The fully-qualified domain name of the host machine for the new instance must be the same as the fully-qualified domain name of the original instance. Likewise, the new instance name must also be the same as the original instance name.
The instance and domain information has to be the same for both instances because the certificate and key material — among other instance and database information — has to be the same.
The pk12util tool provided by Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key. To extract this information, contact the HSM vendor. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.
2. Copy the extracted key pairs from the 7.x server to the 8.0 server.