7.6.4.1. Case I: Security Databases to Security Databases Migration
Remove all the security databases in the new Certificate System which will receive migrated data.
rm /var/lib/instance_ID/alias/cert8.db
rm /var/lib/instance_ID/alias/key3.db
Log into the old server as the Certificate System user for that machine.
To migrate a master key from the old TKS instance, do the following:
Open the old Certificate System configuration file.
If the migration is from CMS 7.0, open the CMS.cfg file in the old Certificate System config/ directory. If the migration is from Certificate System 7.1, open the CS.cfg file in the old Certificate System config/ directory.
Write down the exact value of the tks.mk_mappings line, which has the following format:
tks.mk_mappings.#tks_master_key_version_number#01=internal:tks_master_key_version_name
A tks.mk_mappings value looks like the following example:
tks.mk_mappings.#02#01=internal:tks_master_key_v2
In this example, 02 is the tks_master_key_version_number, and tks_master_key_v2 is the tks_master_key_version_name.
Copy the certificate and key security databases from the old server to the new server.
cp old_server_root/alias/cert-old_TKS_instance-cert8.db /var/lib/instance_ID/alias/cert8.db
cp old_server_root/alias/cert-old_TKS_instance-key3.db /var/lib/instance_ID/alias/key3.db
Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
cd /var/lib/instance_ID/alias/
Log in as root, and set the file user and group to the Certificate System user and group.
su
chown user:group cert8.db
chown user:group key3.db
Log out as root. As the Certificate System user, change the permissions on the files.
chmod 00600 cert8.db
chmod 00600 key3.db
List the certificates in the security databases using the certutil command. In this example, -L lists the certificates.
certutil -L -d .
Server-Cert cert-old_TKS_instance          cu,cu,cu
caSigningCert cert-old_TKS_instance        CT,c,
tksTransportCert cert-old_TKS_instance     CT,C,
Open the CS.cfg configuration file.
cd /var/lib/instance_ID/conf/
vi CS.cfg
If server-side keygen has been enabled, edit the tks.drm_transport_cert_nickname attribute to reflect the new TKS instance.
tks.drm_transport_cert_nickname=tksTransportCert cert-old_TKS_instance
If a master key was migrated from an old TKS instance, edit the new Certificate System CS.cfg, and insert the "tks.mk_mappings.#tks_master_key_version_number#01=internal:tks_master_key_version_name" value from the old Certificate System CS.cfg file. Be sure to use the proper tks_master_key_version_number and tks_master_key_version_name values.
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
vi serverCertNick.conf
Server-Cert cert-old_TKS_instance
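The checks below are an added example, not part of the original guide. They confirm that every tks.mk_mappings line was carried into the new CS.cfg unchanged and in the documented format, and that cert8.db and key3.db ended up with the intended owner and mode. The function names are hypothetical and the sample files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Print tks.mk_mappings lines from the old config ($1) that do not appear
# byte-for-byte in the new CS.cfg ($2). Empty output means all were carried over.
missing_mk_mappings() {
    grep '^tks\.mk_mappings\.' "$1" | grep -Fxv -f "$2" || true
}

# Succeed only if every tks.mk_mappings line in $1 has the documented shape
# tks.mk_mappings.#<version_number>#01=internal:<version_name>, no stray spaces.
mk_mappings_wellformed() {
    ! grep '^tks\.mk_mappings\.' "$1" |
        grep -Evq '^tks\.mk_mappings\.#[^#[:space:]]+#01=internal:[^[:space:]]+$'
}

# Succeed only if cert8.db and key3.db in directory $1 are regular files,
# owned by user $2 (name or numeric UID), with mode exactly 0600.
alias_dbs_locked_down() {
    for db in cert8.db key3.db; do
        [ -n "$(find "$1/$db" -prune -type f -user "$2" -perm 600 2>/dev/null)" ] ||
            { echo "check failed: $1/$db" >&2; return 1; }
    done
}

# Demo on constructed sample files in a scratch directory (no real instance touched).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'tks.mk_mappings.#02#01=internal:tks_master_key_v2' >"$d/old.cfg"
    printf '%s\n' 'tks.mk_mappings.#02#01=internal:tks_master_key_v2' >"$d/CS.cfg"
    : >"$d/cert8.db"; : >"$d/key3.db"
    chmod 600 "$d/cert8.db" "$d/key3.db"
    rc=0
    [ -z "$(missing_mk_mappings "$d/old.cfg" "$d/CS.cfg")" ] || rc=1
    mk_mappings_wellformed "$d/CS.cfg" || rc=1
    alias_dbs_locked_down "$d" "$(id -u)" || rc=1
    rm -rf "$d"
    return $rc
}
demo && echo "migration checks passed"
```

On a real instance, pass the old CMS.cfg or CS.cfg, the new CS.cfg, the alias/ directory and the Certificate System user to these functions.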