Packit 8681c6
README for the CCA secure-key token migration utility

The CCA secure-key token migration utility consists of two programs:

  pkcscca_migrate.sh  A shell script that invokes the pkcscca_migrate utility.
                      The script does some data location validation, token
                      validation and token data backup. It is recommended that
                      this script be used to perform the migration.

  pkcscca_migrate     A utility that migrates all of the CCA token data to
                      the new CCA master key.

To use the migration utility, make sure that no applications are actively
using the PKCS#11 interface to the CCA secure-key token: stop any
applications that use that interface before proceeding.

Using the pkcsconf utility, find and verify the slot number of the CCA
secure-key token:

  pkcsconf -s
  pkcsconf -t

The CCA secure-key token will have "(CCA)" at the end of the slot description,
and the token information will identify the token as the "IBM CCA Token".

Once you have determined the proper slot number of the CCA secure-key token,
invoke the CCA secure-key token migration script:

  pkcscca_migrate.sh --slot-id X

where "X" is the slot number of the CCA secure-key token.

Optionally, you can specify the "--dry-run" and/or "-v" options on the script
invocation.

  --dry-run  Causes the migration utility to perform all of the steps in the
             migration but not to commit the changes needed to run under the
             new CCA master key. Any errors encountered will be reported.

  -v         Increases the verbosity of the migration utility. Multiple "-v"
             arguments can be specified to increase the amount of verbose
             information displayed.

Using the pkcscca_migrate.sh script creates a backup copy of the CCA
secure-key token data in the openCryptoki main data store directory. Should any
errors be encountered during the migration, the original data will be restored.

Here is a description of the steps involved in the migration:

- The script will check whether you are running as root or are a member of
  the "pkcs11" group. If neither is the case, the script will exit.

- The script will look for the pkcsconf utility in two locations:
  /usr/lib/pkcs11/methods or /usr/sbin. If the utility is not found, the
  script will exit.

- The script will look for the CCA token data store in two locations:
  /etc/pkcs11/ccatok or /var/lib/opencryptoki/ccatok. If the data store is
  not found, the script will exit.

- The script will then validate the slot number:
  - If a slot number was supplied as an argument to the script, it will be
    verified as a valid slot number.
  - If no slot number was supplied as an argument to the script, the pkcsconf
    utility will be used to display a list of valid slots. You must then
    choose the slot you wish to migrate.

- The Security Officer (SO) PIN and the User PIN are both required for the
  migration. You will be prompted for both of these PINs.

- The selected slot information will be displayed and you will be prompted
  to verify that you want to perform the migration.

- The current CCA token data store will be backed up in the current
  directory. Be sure that you have write access to the current directory. If
  the backup file cannot be created, the script will exit.

- The migration utility, pkcscca_migrate, will be invoked to perform the
  actual migration. Any errors encountered will be reported.

- Should an error be encountered during the migration, the CCA token data
  store will be restored from the backup that was created earlier.

- If no errors have been encountered, the migration has been successful.
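The slot-identification step and the script's pre-flight checks (root or "pkcs11" group membership, the two pkcsconf locations, the two data store locations, a writable current directory for the backup), as an added POSIX shell example that is not part of this README or of pkcscca_migrate.sh. The SAMPLE_SLOT_LIST text is constructed to resemble "pkcsconf -s" output; the exact layout of the real output, and the function names, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the openCryptoki project: helpers that mirror the
# pre-flight checks described in the README and a parser that picks the slot
# whose description ends in "(CCA)" out of a "pkcsconf -s" style listing.

# Constructed sample shaped like "pkcsconf -s" output (assumed layout).
SAMPLE_SLOT_LIST='Slot #0 Info
    Description: Linux (Soft)
    Manufacturer: IBM
    Flags: 0x1 (TOKEN_PRESENT)
Slot #1 Info
    Description: Linux (ICA)
    Manufacturer: IBM
    Flags: 0x1 (TOKEN_PRESENT)
Slot #2 Info
    Description: Linux (CCA)
    Manufacturer: IBM
    Flags: 0x1 (TOKEN_PRESENT)
'

# Read a slot listing on stdin and print the number of every slot whose
# Description line ends in "(CCA)", the README's rule for spotting the token.
find_cca_slots() {
    awk '
        /^Slot #[0-9]+ Info/ { n = $2; sub(/^#/, "", n) }
        /Description:.*\(CCA\)[[:space:]]*$/ { print n }
    '
}

# Print the CCA slot number only if exactly one was found; otherwise fail so
# the operator must choose explicitly, as the script does when no slot is given.
single_cca_slot() {
    slots=$(find_cca_slots)
    n=$(printf '%s\n' "$slots" | grep -c . || true)
    [ "$n" -eq 1 ] || {
        echo "expected exactly one (CCA) slot, found $n" >&2
        return 1
    }
    printf '%s\n' "$slots"
}

# The script proceeds only as root or as a member of the "pkcs11" group.
may_run_migration() {
    [ "$(id -u)" -eq 0 ] && return 0
    id -nG | tr ' ' '\n' | grep -qx pkcs11
}

# Print the first existing path among the candidates, or fail (the README's
# two-location search for pkcsconf and for the ccatok data store).
first_existing() {
    for p in "$@"; do
        [ -e "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Run all pre-flight checks; each failure reports and stops, like the script.
preflight() {
    may_run_migration || { echo "need root or pkcs11 group membership" >&2; return 1; }
    pkcsconf=$(first_existing /usr/lib/pkcs11/methods/pkcsconf /usr/sbin/pkcsconf) \
        || { echo "pkcsconf not found" >&2; return 1; }
    store=$(first_existing /etc/pkcs11/ccatok /var/lib/opencryptoki/ccatok) \
        || { echo "CCA token data store not found" >&2; return 1; }
    [ -w . ] || { echo "current directory not writable; backup would fail" >&2; return 1; }
    echo "pkcsconf=$pkcsconf store=$store"
}

# Offline demo on the constructed listing: prints 2
printf '%s' "$SAMPLE_SLOT_LIST" | single_cca_slot

# On a real system the pieces chain together as (not run here):
#   preflight && slot=$(pkcsconf -s | single_cca_slot) \
#     && pkcscca_migrate.sh --dry-run -v --slot-id "$slot"
```

A dry run first, as the README suggests, lets the pre-flight checks and the slot choice be confirmed before any token data is rewritten under the new master key.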