7.4.2.2. Case II: Security Databases to HSM Migration

  1. Remove all the security databases from the new Certificate System instance that will receive the migrated data.

    rm /var/lib/instance_ID/alias/cert8.db
    
    rm /var/lib/instance_ID/alias/key3.db

  2. Copy the certificate and key security databases from the old server to the new server.

    cp old_server_root/alias/cert-old_DRM_instance-cert7.db /var/lib/instance_ID/alias/cert7.db
    
    cp old_server_root/alias/cert-old_DRM_instance-key3.db /var/lib/instance_ID/alias/key3.db
    

  3. Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.

    cd /var/lib/instance_ID/alias/
    

  4. Log in as root, and set the file user and group to the Certificate System user and group.

    su 
    
    chown user:group cert7.db
    
    chown user:group key3.db
    

  5. Log out as root. As the Certificate System user, set the file permissions.

    chmod 00600 cert7.db
    
    chmod 00600 key3.db
    

  6. Use the certutil tool to list all of the old Certificate System certificates. In this example, -L lists the certificates, and -X forces the database to be opened read/write.

    certutil -L -X -d . 
    
    Server-Cert cert-old_DRM_instance cu,cu,cu 
    caSigningCert cert-old_DRM_instance cT,c, 
    kraStorageCert cert-old_DRM_instance u,u,u 
    kraTransportCert cert-old_DRM_instance u,u,u
    

    NOTE

    The certificate database is automatically converted from cert7.db to cert8.db.

  7. Export the public/private key pair of each entry in the Certificate System databases using the pk12util tool; -o writes the key pair to a PKCS #12 file, and -n gives the certificate nickname, including the old instance prefix.

    pk12util -o ServerCert.p12 -n "Server-Cert cert-old_DRM_instance" -d .
    
    Enter Password or Pin for "NSS Certificate DB":********
    Enter password for PKCS12 file: ********
    Re-enter password: ********
    pk12util: PKCS12 EXPORT SUCCESSFUL
    
    pk12util -o kraStorageCert.p12 -n "kraStorageCert cert-old_DRM_instance" -d . 
    
    Enter Password or Pin for "NSS Certificate DB":********
    Enter password for PKCS12 file: ********
    Re-enter password: ********
    pk12util: PKCS12 EXPORT SUCCESSFUL
    
    pk12util -o kraTransportCert.p12 -n "kraTransportCert cert-old_DRM_instance" -d . 
    
    Enter Password or Pin for "NSS Certificate DB":********
    Enter password for PKCS12 file: ********
    Re-enter password: ********
    pk12util: PKCS12 EXPORT SUCCESSFUL
    

    NOTE

    The old security databases may contain additional public/private key pairs; these can also be extracted using pk12util.

  8. Export the public key (certificate) of each remaining entry in the Certificate System databases using the certutil tool; -L lists the named certificate, -n gives the certificate nickname, including the old instance prefix, and -a writes the output as base-64 to a file.

    certutil -L -n "caSigningCert cert-old_DRM_instance" -d . -a > caSigningCert.b64
    

    NOTE

    The old security databases may contain additional public keys; these can also be extracted using the certutil tool.

  9. Delete the old security databases.

    rm cert7.db
    
    rm cert8.db
    
    rm key3.db
    

  10. Register the new HSM in the new token database.

    modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library

  11. Identify the new HSM slot name.

    modutil -dbdir . -nocertdb -list
    

  12. Create new security databases.

    certutil -N -d . 
    

  13. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.

    pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name
    
    Enter Password or Pin for "new_HSM_slot_name":********
    Enter password for PKCS12 file: ********
    pk12util: PKCS12 IMPORT SUCCESSFUL
    
    pk12util -i kraStorageCert.p12 -d . -h new_HSM_slot_name
    
    Enter Password or Pin for "new_HSM_slot_name":********
    Enter password for PKCS12 file: ********
    pk12util: PKCS12 IMPORT SUCCESSFUL
    
    pk12util -i kraTransportCert.p12 -d . -h new_HSM_slot_name
    
    Enter Password or Pin for "new_HSM_slot_name":********
    Enter password for PKCS12 file: ********
    pk12util: PKCS12 IMPORT SUCCESSFUL
    

  14. Optionally, delete the PKCS #12 files.

    rm ServerCert.p12
    
    rm kraStorageCert.p12
    
    rm kraTransportCert.p12
    

  15. Set the trust bits on the public/private key pairs that were imported into the new HSM.

    certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_DRM_instance" -t "cu,cu,cu" -d . -h new_HSM_token_name
    
    certutil -M -n "new_HSM_slot_name:kraStorageCert cert-old_DRM_instance" -t "u,u,u" -d . -h new_HSM_token_name
    
    certutil -M -n "new_HSM_slot_name:kraTransportCert cert-old_DRM_instance" -t "u,u,u" -d . -h new_HSM_token_name

  16. Import the public key from the base-64 file into the new HSM, and set the trust bits.

    certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_DRM_instance" -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64
    

  17. Optionally, delete the base-64 file.

    rm caSigningCert.b64
    

  18. Open the CS.cfg configuration file.

    cd /var/lib/instance_ID/conf/
    
    vi CS.cfg
    

  19. Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes so that they reference the key pairs now held on the new HSM.

    kra.storageUnit.nickname=new_HSM_slot_name:kraStorageCert cert-old_DRM_instance
    kra.transportUnit.nickname=new_HSM_slot_name:kraTransportCert cert-old_DRM_instance

    NOTE

    The caSigningCert is not referenced in the CS.cfg file.

  20. In the same directory, edit the serverCertNick.conf file so that it contains the old server certificate nickname prefixed with the new HSM slot name. For example:

    vi serverCertNick.conf
    
    new_HSM_slot_name:Server-Cert cert-old_DRM_instance
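The steps above leave three things that are easy to get subtly wrong and hard to notice until the DRM fails to start or serves keys from the wrong place: the file mode and owner set in steps 4 and 5, the trust bits set in step 15, and the slot-prefixed nicknames written in steps 19 and 20. The following script is an added example, not part of the Certificate System documentation or product, that checks those three results offline. The slot name hsm-slot, the helper function names, the CS.cfg text and the certutil -L style listing are all constructed for the example; a real run would feed it the actual CS.cfg and the output of certutil -L on the token.

```shell
#!/bin/sh
# Added example, not part of the Certificate System documentation: offline
# sanity checks for the state the migration steps should leave behind. The slot
# name "hsm-slot", the file contents and the listing below are all constructed.
set -eu

# Nickname form used in steps 19 and 20: "<HSM slot name>:<old nickname>".
hsm_nickname() {
    printf '%s:%s\n' "$1" "$2"
}

# Read one "key=value" attribute from CS.cfg-style text (passed as a string).
cfg_value() {
    text="$1"; attr="$2"
    # Escape the dots in the attribute name so sed matches them literally.
    esc=$(printf '%s' "$attr" | sed 's/\./\\./g')
    printf '%s\n' "$text" | sed -n "s/^${esc}=//p" | head -n 1
}

# True if a certutil -L style listing (one "nickname  trust-flags" line per
# certificate) contains the nickname with exactly the expected trust flags.
listing_has() {
    listing="$1"; want_nick="$2"; want_flags="$3"
    printf '%s\n' "$listing" | sed 's/[[:space:]]*$//' \
        | grep -qx "${want_nick}[[:space:]][[:space:]]*${want_flags}"
}

# Steps 15 and 19 together: both KRA nicknames in CS.cfg must carry the new
# slot prefix and be present on the token with the "u,u,u" trust bits.
verify_kra_config() {
    cfg="$1"; slot="$2"; listing="$3"
    for key in kra.storageUnit.nickname kra.transportUnit.nickname; do
        nick=$(cfg_value "$cfg" "$key")
        case "$nick" in
            "$slot":*) ;;
            *) echo "FAIL: $key does not use slot '$slot': '$nick'" >&2; return 1 ;;
        esac
        listing_has "$listing" "$nick" "u,u,u" || {
            echo "FAIL: '$nick' is not on the token with trust u,u,u" >&2
            return 1
        }
    done
    echo "OK: CS.cfg KRA nicknames match the token listing"
}

# Steps 4 and 5: a security database file must belong to the Certificate
# System user (given as a numeric uid) and be mode 0600, so that neither group
# nor others can read it. Uses only POSIX find primaries.
db_is_private() {
    [ -n "$(find "$1" -prune -user "$2" -perm 600)" ]
}

# Constructed sample data standing in for CS.cfg and for certutil -L output
# after migration to an assumed slot named "hsm-slot".
SLOT="hsm-slot"
CFG="kra.storageUnit.nickname=hsm-slot:kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=hsm-slot:kraTransportCert cert-old_DRM_instance"
# The same file with step 19 half done: the storage nickname has no slot prefix.
BAD_CFG="kra.storageUnit.nickname=kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=hsm-slot:kraTransportCert cert-old_DRM_instance"
LISTING="hsm-slot:Server-Cert cert-old_DRM_instance        cu,cu,cu
hsm-slot:caSigningCert cert-old_DRM_instance      CT,c,
hsm-slot:kraStorageCert cert-old_DRM_instance     u,u,u
hsm-slot:kraTransportCert cert-old_DRM_instance   u,u,u"

verify_kra_config "$CFG" "$SLOT" "$LISTING"
if verify_kra_config "$BAD_CFG" "$SLOT" "$LISTING" 2>/dev/null; then
    echo "unexpected: the unprefixed storage nickname was not detected"
else
    echo "OK: an unprefixed storage nickname is detected"
fi
```

On a real instance, call db_is_private on key3.db (or the converted key4.db of newer NSS builds, which the page does not cover) with the uid of the Certificate System user, and pass the real CS.cfg and the token listing to verify_kra_config; a nickname that lacks the slot prefix is the most common cause of the DRM falling back to a software database that no longer contains the keys.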