README for the CCA secure-key token migration utility
The CCA secure-key token migration utility consists of two programs:
pkcscca_migrate.sh A shell script that invokes the pkcscca_migrate utility.
The script does some data location validation, token
validation and token data backup. It is recommended that
this script be used to perform the migration.
pkcscca_migrate A utility that will migrate all of the CCA token data to
the new CCA master key.
To use the migration utility, make sure that there are no applications actively
using the PKCS#11 interface to the CCA secure-key token by stopping any
applications that use the PKCS#11 interface to the CCA secure-key token.
Using the pkcsconf utility, find/verify the slot number of the CCA secure-key
token:
pkcsconf -s
pkcsconf -t
The CCA secure-key token will have "(CCA)" at the end of the slot description
and the token information will identify the token as the "IBM CCA Token."
Once you have determined the proper slot number of the CCA secure-key token,
invoke the CCA secure-key token migration script:
pkcscca_migrate.sh --slot-id X
where "X" is the slot number of the CCA secure-key token
Optionally, you can specify the "--dry-run" and/or "-v" options on the script
invocation.
--dry-run This will cause the migration utility to perform all of the
steps in the migration but will not commit the changes needed to
run under the new CCA master key. Any errors encountered will be
reported.
-v This will increase the verbosity of the migration utility.
Multiple "-v" arguments can be specified to increase the amount
of verbose information displayed.
Using the pkcscca_migrate.sh script will create a backup copy of the CCA
secure-key token data in the openCryptoki main data store directory. Should any
errors be encountered during the migration, the original data will be restored.
Here is a description of the steps involved in the migration:
- The script will check to see if you are running as root or that you are a
member of the "pkcs11" group. If neither of these is the case, the script
will exit.
- The script will look for the pkcsconf utility in two locations:
/usr/lib/pkcs11/methods or /usr/sbin. If the utility is not found, the
script will exit.
- The script will look for the CCA token data store in two locations:
/etc/pkcs11/ccatok or /var/lib/opencryptoki/ccatok. If the data store is
not found, the script will exit.
- The script will then validate the slot number:
- If a slot number has been supplied as an argument to the script, it
will be verified as a valid slot number.
- If a slot number was not supplied as an argument to the script, then
the pkcsconf utility will be used to display a list of valid slots.
You must then choose the slot you wish to migrate.
- The Security Office (SO) pin and the User pin are both required for the
migration. You will be prompted for both of these pins.
- The selected slot information will be displayed and you will be prompted
to verify that you want to perform the migration.
- The current CCA token data store will be backed up in the current
directory. Be sure that you have write access to the current directory. If
the backup file cannot be created, the script will exit.
- The migration utility, pkcscca_migrate, will be invoked to perform the
actual migration. Any errors encountered will be reported.
- Should an error have been encountered during the migration, the CCA token
data store will be restored from the backup that was created earlier.
- If no errors have been encountered, then the migration has been
successful.