15.2.4. Step 4: Migrating Security Databases

15.2.4. Step 4: Migrating Security Databases

NOTE

In order to recover the archived keys stored in the 6.1 (SP4) DRM, obtain a migration patch from Red Hat services. This patch will recover the PIN needed to access the storage token where the DRM private key resides.

Do the following to migrate the Certificate Management System 6.1 (SP4) DRM data to the Certificate System 7.3 DRM databases:

NOTE

For more information on migrating security databases to HSM, see Section 7.5.2.2, “Case II: Security Databases to HSM Migration”.

Log into server.example.com as the Certificate System user, and do the following:

  1. Remove the 7.3 DRM security databases which will receive migrated data. 

    rm /var/lib/rhpki-kra/alias/cert8.db

rm /var/lib/rhpki-kra/alias/key3.db

  2. Copy the certificate and key security databases from the old server to the new server. 

    cp /usr/netscape/servers/alias/cert-drm-alpha-cert8.db
 /var/lib/rhpki-kra/alias/cert8.db

cp /usr/netscape/servers/alias/cert-drm-alpha-key3.db
 /var/lib/rhpki-rhpki-kra/alias/key3.db

  3. Log into the new server hosting server.example.com as the Certificate System user, and open the Certificate System alias/ directory. 

    cd /var/lib/rhpki-kra/alias

  4. Log in as root, and set the file user and group to the new server Certificate System user and group. 

    su

chown pkiuser:pkiuser cert8.db

chown pkiuser:pkiuser key3.db

  5. Log out as root. As the Certificate System user, change the permissions on the file. 

    chmod 00600 cert8.db

chmod 00600 key3.db

  6. List the certificates stored in the old security databases by using the certutil command. In this example, -L lists the certificates. 

    certutil -L -d .

Server-Cert cert-drm cu,cu,cu
caSigningCert cert-drm cT,c,
kraStorageCert cert-drm u,u,u
kraTransportCert cert-drm u,u,u

  7. Export the public/private key pairs of each entry in the Certificate System databases using the pk12util tool; -o exports the key pairs to a PKCS #12 file, and -n sets the name of the certificate and the old database prefix. 

    pk12util -o ServerCert.p12 -n "Server-Cert cert-drm" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o kraStorageCert.p12 -n "kraStorageCert cert-drm" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o kraTransportCert.p12 -n "kraTransportCert cert-drm" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

    NOTE

    For this example, the old security databases do not contain any additional public/private key pairs.

  8. Export the public key using the certutil tool; -L lists the certificate, -n sets the name of the file and the old prefix, and -a outputs the information to a base-64 file. 

    certutil -L -n "caSigningCert cert-drm" -d . -a > caSigningCert.b64

    NOTE

    In this example, the old security databases did not contain any additional public keys.

  9. Delete the old security databases. 

    rm cert8.db

rm key3.db

  10. Register the new HSM in the new token database. 

    modutil -nocertdb -dbdir . -add "epsilon" -libfile /usr/lib/libepsilon.so

  11. Identify the new HSM slot name. 

    modutil -dbdir . -nocertdb -list

    This reveals the rho, tau, and phi slots for the different subsystems. The tau slot is used for the DRM.

  12. Create new security databases. 

    certutil -N -d .

  13. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM. 

    pk12util -i ServerCert.p12 -d . -h tau

Enter Password or Pin for "tau":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraStorageCert.p12 -d . -h tau

Enter Password or Pin for "tau":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraTransportCert.p12 -d . -h tau

Enter Password or Pin for "tau":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

  14. Optionally, delete the PKCS #12 files. 

    rm ServerCert.p12

rm kraStorageCert.p12

rm kraTransportCert.p12

  15. Set the trust bits on the public/private key pairs that were imported into the new HSM. 

    certutil -M -n "tau:Server-Cert cert-drm" -t "cu,cu,cu" -d . -h epsilon

certutil -M -n "tau:kraStorageCert cert-drm" -t "u,u,u" -d . -h epsilon

certutil -M -n "tau:kraTransportCert cert-drm" -t "u,u,u" -d . -h epsilon

  16. Import the public key from the base-64file into the new HSM, and set the trust bits. 

    certutil -A -n "tau:caSigningCert cert-drm" 
-t "CT,c," -d . -h epsilon -i caSigningCert.b64

  17. Optionally, delete the base-64 file. 

    rm caSigningCert.b64

  18. Open the CS.cfg configuration file. 

    cd /var/lib/rhpki-kra/conf/

vi CS.cfg

  19. Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes for the new DRM and HSM information. 

    kra.storageUnit.nickname=tau:kraStorageCert cert-drm
kra.transportUnit.nickname=tau:kraTransportCert cert-drm

    NOTE

    The caSigningCert is not referenced in the CS.cfg file.

  20. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf

tau:Server-Cert cert-drm