Renew or Migrate the Cryptography Keys
As ftadmin, use the migrationKeySetTool.sh script to renew the key set or migrate to an HSM slot.
Command usage is:
<ACTIVID_HOME>/ActivID_AS/bin/migrationKeySetTool.sh [-d <domain1,domain2,...> | -m | -c <domain1,domain2,...> | -k <domain1,domain2,...> ]
Where the options are:
- -d – renew the key set with a service interruption
You must specify the domains.
This operation requires a service interruption as the database is encrypted in a single operation that does not timeout.
Note: It is strongly recommended using the silent key set renewal option instead to minimize the service interruption. - -m – migrate to a specific external HSM slot
The migration concerns all existing domains.
This operation requires a service interruption as the database is encrypted in a single operation that does not timeout.
-
-c - modify the key configuration manually
You must specify the domains.
-
-k - renew the key set silently without a service interruption
You must specify the domains.
This operation does not require a service interruption as the database is encrypted progressively, where each operation will timeout after 120 minutes (default).
You can switch from a shared key set to a domain-specific key set.
If you want to move from shared keys to domain-specific keys
- As Audit records will be deleted during the operation, you must back up the database and verify that the latest audit records have been archived.
- You must know the password(s) for the security domain(s) as you will be prompted for them during the process.
- The expected key set is available. If necessary, create the new key set.
Renew the Key Set
In order to use a new set of keys, you must define the new key level in the cryptographic configuration.
This tool allows you to switch to the shared keys index immediately following that currently used, or switch to a defined domain keys index.
You can renew the key set in a single operation (with a service interruption) or progressively (without a service interruption).
Renew the Keys with a Service Interruption
- Stop the ActivID AS services.
- As ftadmin, run the following command to update the cryptographic configuration (for example, for the ONLINEBANK and ENTERPRISE domains):
Copysu ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/migrationKeySetTool.sh -d ONLINEBANK,ENTERPRISE"
Working in SOFT mode.
Validate the specified domains:
--> Keys will be migrated for ONLINEBANK
--> Keys will be migrated for ENTERPRISE
You are about to migrate to a new key set.
This is a very sensitive operation and might take a long time.
The ActivlD applications will be unavailable during the entire process.
Important: All ActivlD AS services MUST be stopped.
In addition, as the entire database will be modified, make sure that you have created a backup.
Make sure that the new set of keys is available and accessible before you begin.
If an error occurs during the migration, please refer to the indicated log file.
If an error does occur, you might be required to restore the backup of the database to return to the functional configuration.
Do you really want to migrate the key set (y/n)? [n]: y
- Enter y to proceed.
CopySecurity Domain settings:
Domain: ‘ONLINEBANK’
Password:
Checking connection ... connection successful
Domain: ‘ENTERPRISE’
Password:
Checking connection ... connection successful
Do you confirm the Security Domain settings (y/n)? [n]: y
- When prompted, enter the password(s) for the security domain(s) and then enter y to confirm the settings.
Security Domain settings:
Domain: ‘ONLINEBANK’
Password:
Checking connection ... connection successful
Domain: ‘ENTERPRISE’
Password:
Checking connection ... connection failed
Connection failed. Do you want to retry or exit (r/e)? [r]: r
Enter r to retry, and then enter the correct password(s).
If you enter e to exit, the operation is canceled.
CopyCurrent configuration for targeted domains:
Using specific shared keys index value 1 for domain ONLINEBANK
Do you want to switch to domain keys for ONLINEBANK (y/n)? [n]:
Using specific shared keys index value 1 for domain ENTERPRISE
Do you want to switch to domain keys for ENTERPRISE (y/n)? [n]:
-
By default, the configuration is updated to the next level of the shared key set (in this example, index 2).
- If you want to use the next level of the shared key set, press Enter for each domain.
- If you want to switch to domain-specific key set, enter y.
CopyCurrent configuration for targeted domains:
Using specific shared keys index value 1 for domain ONLINEBANK
Do you want to switch to specific domain keys for ONLINEBANK (y/n)? [n]: y
Please enter next specific domain key set for ONLINEBANK [1]:
CopyPlease make sure the following listed key set is available.
Required keys to migrate domain ONLINEBANK:
HID-IA-4T.AUDIT.ONLINEBANK.2
HID-IA-4T.DSIGN.ONLINEBANK.2
HID-IA-4T.CREDS.ONLINEBANK.2
HID-IA-4T.SYS.ONLINEBANK.2
HID-IA-4T.SESSION.ONLINEBANK.2
Required keys to migrate domain ENTERPRISE:
HID-IA-4T.AUDIT.ENTERPRISE.2
HID-IA-4T.DSIGN.ENTERPRISE.2
HID-IA-4T.CREDS.ENTERPRISE.2
HID-IA-4T.SYS.ENTERPRISE.2
HID-IA-4T.SESSION.ENTERPRISE.2
Please confirm you really want to migrate the keys (y/n)? [n]: y
- Enter y to confirm the operation.
The script then re-encrypts and re-signs the data and updates the signatures of the database tables.
Renew the Keys Silently (without a Service Interruption)
To minimize the service interruption, you can silently re-encrypt the database with the new keys using the progressive renewal option.
As this operation times out after 120 minutes, you can repeat the encryption of the database until all the existing records are encrypted with the new keys.
Set the Key Set Configuration
The renewal operation requires that the current key set configuration is correct.
- As ftadmin, run the following command to check/update the cryptographic configuration (for example, for the ONLINEBANK domain):
Copysu ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/migrationKeySetTool.sh -c ONLINEBANK"
Working in HSM mode.
Validate the specified domains:
--> Keys will be migrated for ONLINEBANK
You are about to manually update the keys configuration.
Important: ActivID AS services needs to be restarted to use new configuration.
In addition, as the database will be modified, make sure that you have created a backup.
Make sure that the new set of keys is available and accessible before you begin.
If an error occurs during the migration, please refer to the indicated log file.
Do you really want to manually update keys configuration (y/n)? [n]: y
- Enter y to proceed.
CopyCurrent configuration for targeted domains:
Be careful: you are going to set manually the keys index to use for each domain.
You will be asked later to confirm or not the new configuration
Domain ONLINEBANK:
CURRENT_INDEX_STANDARD: 1
CURRENT_INDEX_DOMAIN: 0
Do you want to use domain keys for ONLINEBANK (y/n)? [n]:
Please enter next key set index for ONLINEBANK [1]: 2
By default, the configuration is updated to the next level of the shared key set (in this example, index 2).
- If you want to use the next level of the shared key set, press Enter for each domain.
- If you want to switch to domain-specific key set, enter y.
CopyCurrent configuration for targeted domains:
Using specific shared keys index value 1 for domain ONLINEBANK
Do you want to switch to specific domain keys for ONLINEBANK (y/n)? [n]: y
Please enter next specific domain key set for ONLINEBANK [1]:In this example, ONLINEBANK should be encrypted with the new set of shared keys (index level 2).
CopyReset map values
checkKeyStore returns 0
Soft keystore mode.
Reset map values
checkKeyStore returns 0
Keys checking successfully ended.
keystatus 0
Please make sure the following listed key set is available.
Required keys to migrate domain ONLINEBANK:
HID-IA-4T.AUDIT.2
HID-IA-4T.DSIGN.2
HID-IA-4T.CREDS.2
HID-IA-4T.SYS.2
HID-IA-4T.SESSION.2
New configuration has been set up. Please restart the server to use the new cryptographic configuration.
- Restart ActivID AS to use the new key set configuration.
Re-Encrypt the Database with the New Key Set
Once the current configuration is validated and loaded by the server, you can start the progressive re-encryption of the database records.
- As ftadmin, run the following command to start the progressive encryption of the database for the ONLINEBANK domain:
Copysu ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/migrationKeySetTool.sh -k ONLINEBANK"
Working in HSM mode.
Validate the specified domains:
--> Keys will be migrated for ONLINEBANK
You are about to migrate in progressive mode.
This is a very sensitive operation and might take a long time.
The ActivID applications will stay available during the entire process.
If an error occurs during the migration, please refer to the indicated log file.
Do you really want to migrate to current keys set in progressive mode (y/n)? [n]: y
- Enter y to proceed.
CopySecurity Domain settings:
Domain: 'ONLINEBANK'
Password:
Checking connection ... connection successful
- When prompted, enter the password(s) for the security domain(s) and then enter y to confirm the settings.
Note: If the password for one or more domains is incorrect, an error message is displayed.CopySecurity Domain settings:
Domain: ‘ONLINEBANK’
Password:
Checking connection ... connection failed
Connection failed. Do you want to retry or exit (r/e)? [r]: rEnter r to retry, and then enter the correct password(s).
If you enter e to exit, the operation is canceled.
CopyCurrent configuration for targeted domains:
Configuration for domain ONLINEBANK
Current standard index: 2
Current domain index: 0
Please make sure the following listed key set is available.
Required keys to migrate domain ONLINEBANK:
HID-IA-4T.AUDIT.2
HID-IA-4T.DSIGN.2
HID-IA-4T.CREDS.2
HID-IA-4T.SYS.2
HID-IA-4T.SESSION.2
Migrating HSM keys (renewal with expiration time case)...
Migrating keys (renewal with expiration time case) in mode HSM
You are working in mode HSM.
You are ready to start migrating the database.
You want to migrate only records not already encrypted/signed by the current key configuration and limit this operation to 120 minute(s).
Please confirm you want to perform the migration (y/n)? [n]: y
- Enter y to confirm the operation.
CopyStarting migration (renewal with expiration time set to 120 minutes case)
Keys have been migrated with success.
- Repeat the encryption operation (the -k option) until all the records in the database are using the new keys.
Confirm the status by checking the configuration - the encryption for each table must be 100%.
Migrate from SOFT Mode to HSM Mode
To migrate to HSM cryptography, you can specify the required slot in the cryptographic configuration. The key level index will be reset to 1 in the cryptographic configuration.
The script will get the targeted slot, check if the slot is PIN protected and, if so, prompt for the PIN, and then check the keys and migrate.
The following example illustrates how to migrate from Software Cryptographic Mode to slot 0 of an External HSM.
- Stop the ActivID AS services.
- As ftadmin, run the following command to migrate the cryptographic configuration.
Copysu ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/migrationKeySetTool.sh -m"
Working in SOFT mode.
Validate the specified domains:
--> Keys will be migrated for ONLINEBANK
You are about to migrate to a new key set.
This is a very sensitive operation and might take a long time.
The ActivlD applications will be unavailable during the entire process.
Important: All ActivlD AS services MUST be stopped.
In addition, as the entire database will be modified, make sure that you have created a backup.
Make sure that the new set of keys is available and accessible before you begin.
If an error occurs during the migration, please refer to the indicated log file.
If an error does occur, you might be required to restore the backup of the database to return to the functional configuration.
Do you really want to migrate the key set (y/n)? [n]: y
- Enter y to proceed.
CopySecurity Domain settings:
Domain: ‘ONLINEBANK’
Password:
Checking connection ... connection successful
Do you confirm the Security Domain settings (y/n)? [n]: y
- When prompted, enter the password(s) for the security domain(s) and then enter y to confirm the settings.
Security Domain settings:
Domain: ‘ONLINEBANK’
Password:
Checking connection ... connection successful
Domain: ‘ENTERPRISE’
Password:
Checking connection ... connection failed
Connection failed. Do you want to retry or exit (r/e)? [r]: r
Enter r to retry, and then enter the correct password(s).
If you enter e to exit, the migration operation is can celled.
CopyPlease make sure the following listed key set is available.
Required keys to migrate domain ONLINEBANK:
HID-IA-4T.AUDIT.1
HID-IA-4T.DSIGN.1
HID-IA-4T.CREDS.1
HID-IA-4T.SYS.1
HID-IA-4T.SESSION.1
Please confirm you really want to migrate the keys (y/n)? [n]: y
- Enter y to proceed.
CopyHSM Settings:
Type (NCIPHER/NCIPHER_EMV/SAFENET)? []: NCIPHER
Driver Home Directory [/opt/nfast]:
Slot Number [0]:
Operator PIN (or type enter if keys are module protected):
Please confirm you want to migrate to cryptographic slot 0 (y/n)? [n]: y
- Enter y to proceed.
CopyMigrating keys...
Keys have been migrated with success.The script then re-encrypts and re-signs the data and updates the signatures of the database tables.
Migrate to a Different Slot of an External HSM
To change the HSM slot, you can specify the required slot in the cryptographic configuration. The key level index will be reset to 1 in the cryptographic configuration.
The script will get the targeted slot, check if the slot is PIN protected and, if so, prompt for the PIN, and then check the keys and migrate.
The following example illustrates how to migrate from slot 0 to slot 1 of an external HSM.
- Stop the ActivID AS services.
- As ftadmin, run the following command to migrate the cryptographic configuration.
Copysu ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/migrationKeySetTool.sh -m"
Working in HSM mode.
Validate the specified domains:
--> Keys will be migrated for ONLINEBANK
You are about to migrate to a new key set.
This is a very sensitive operation and might take a long time.
The ActivlD applications will be unavailable during the entire process.
Important: All ActivlD AS services MUST be stopped.
In addition, as the entire database will be modified, make sure that you have created a backup.
Make sure that the new set of keys is available and accessible before you begin.
If an error occurs during the migration, please refer to the indicated log file.
If an error does occur, you might be required to restore the backup of the database to return to the functional configuration.
Do you really want to migrate the key set (y/n)? [n]: y
- Enter y to proceed.
CopySecurity Domain settings:
Domain: ‘ONLINEBANK’
Password:
Checking connection ... connection successful
Do you confirm the Security Domain settings (y/n)? [n]: y
- When prompted, enter the password(s) for the security domain(s) and then enter y to confirm the settings.
Security Domain settings:
Domain: ‘ONLINEBANK’
Password:
Checking connection ... connection successful
Domain: ‘ENTERPRISE’
Password:
Checking connection ... connection failed
Connection failed. Do you want to retry or exit (r/e)? [r]: r
Enter r to retry, and then enter the correct password(s).
If you enter e to exit, the migration operation is canceled.
CopyPlease make sure the following listed key set is available.
Required keys to migrate domain ONLINEBANK:
HID-IA-4T.AUDIT.1
HID-IA-4T.DSIGN.1
HID-IA-4T.CREDS.1
HID-IA-4T.SYS.1
HID-IA-4T.SESSION.1
Please confirm you really want to migrate the keys (y/n)? [n]: y
- Enter y to proceed.
CopyPlease enter the cryptographic slot to use [0]: 1
Is the slot password protected (y/n)? [n]: y
Please enter the password for cryptographic slot 1:
Please confirm you want to migrate to cryptographic slot 1 (y/n)? [n]: y
-
Enter y to proceed.
CopyMigrating keys...
Keys have been migrated with success.The script then re-encrypts and re-signs the data and updates the signatures of the database tables.
See also: