
27.4. Usage


This procedure rewraps the keys stored in one Certificate System 7.1 KRA and stores them in a Certificate System 8.1 KRA. This is not the only use case; the tool can be run on the same instance as both the source and target, to rewrap existing keys, or it can be used simply to copy keys from multiple KRA instances into a single instance without rewrapping the keys at all.
  1. Prepare the new KRA instance and machine.
    1. Install and configure a new Red Hat Certificate System 8.1 KRA instance.

      Important

      Set the storage key size and type to 2048-bit and RSA.
    2. Stop the new KRA.
      [root@newkra ~]# service pki-kra stop
    3. Create a data directory to store the exported key data from the old KRA.
      [root@newkra ~]# mkdir -p /export/pki
    4. Export the public storage certificate for the new KRA to a flat file in the new data directory:
      [root@newkra ~]# certutil -L -d /var/lib/pki-kra/alias/ -n "storageCert cert-pki-kra" -a > /export/pki/newKRA.cert
    5. Stop the Directory Server instance for the new KRA, if it is on the same machine.
      [root@newkra ~]# service dirsrv stop
    6. Export the configuration information for the new KRA.
      [root@newkra ~]# /usr/lib[64]/dirsrv/slapd-instanceName/db2ldif -n newkra.example.com-pki-kra -a /export/pki/newkra.ldif

      Important

      Be sure that the LDIF file contains a single, blank line at the end.
  2. Export and prepare the key data from the old KRA instance.
    1. Create a data directory to store the exported key data.
      [root@oldkra ~]# mkdir -p /export/pki
    2. Export the information from the original KRA instance using a tool like db2ldif. This is done as part of the 7.1 to 8.1 migration steps in the KRA chapter of the Migration Guide.
    3. Copy the LDIF for the exported data into the data directory, and update the data file to change the archiving CA. The sed command must be run against the copied export file, since that is the file KRATool reads later:
      [root@oldkra ~]# cp /path/to/rhcs80-pki-kra.ldif /export/pki
      
      [root@oldkra ~]# sed -i -e "s/^archivedBy: kra_trusted_agent/archivedBy: CA/g" /export/pki/rhcs80-pki-kra.ldif
    4. Stop all of the Certificate System servers on the machine.
    5. Copy the NSS databases to the data directory. For example, for a 7.1 KRA:
      [root@oldkra ~]# cp -p /opt/redhat-cs/alias/cert-instance-kra-cert8.db /export/pki/cert8.db
      
      [root@oldkra ~]# cp -p /opt/redhat-cs/alias/cert-instance-kra-key3.db /export/pki/key3.db
      
      [root@oldkra ~]# cp -p /opt/redhat-cs/alias/secmod.db /export/pki/secmod.db
    6. Copy the KRATool to the machine with the old KRA instance and pull in all its dependencies. For 7.x systems, include the nsutil.jar and cmsutil.jar files (these files are already available in 8.0 systems). For example:
      [root@oldkra ~]# mkdir -p /usr/share/pki/java-tools
      
      [root@oldkra ~]# mkdir -p /usr/share/java/pki
      
      [root@oldkra ~]# cd /usr/share/java/pki
      
      [root@oldkra ~]# sftp root@newkra.example.com
      sftp> cd /usr/share/java/pki
      sftp> get nsutil.jar
      sftp> get cmsutil.jar
      sftp> get cstools.jar
      sftp> lcd /usr/share/pki/java-tools
      sftp> cd /usr/share/pki/java-tools
      sftp> get KRATool.cfg
      sftp> lcd /usr/bin
      sftp> cd /usr/bin
      sftp> get KRATool
      sftp> quit

      Important

      The machine must have Java 1.6.0 installed.
    7. For 7.1 KRAs, create a symlink from the older ldapjdk.jar file to the new 8.x location.
      [root@oldkra ~]# ln -s /opt/redhat-cs/bin/cert/jars/ldapjdk.jar /usr/share/java/ldapjdk.jar
    8. Open the data directory.
      [root@oldkra ~]# cd /export/pki
    9. Copy the file with the public storage key from the new KRA machine to the old KRA machine. For example:
      [root@oldkra ~]# sftp root@newkra.example.com
      sftp> cd /export/pki
      sftp> get newKRA.cert
      sftp> quit
    10. If necessary, edit the default KRATool.cfg file to use with the tool. The default file can also be used without changes.
    11. Run the KRATool; all of these parameters should be on a single line.
      [root@oldkra ~]# KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg"
              -source_ldif_file /export/pki/rhcs80-pki-kra.ldif
              -target_ldif_file /export/pki/old2newKRA.ldif
              -log_file /export/pki/kratool.log
              -source_pki_security_database_path /export/pki
              -source_storage_token_name 'Internal Key Storage Token'
              -source_storage_certificate_nickname 'storageCert cert-pki-kra'
              -target_storage_certificate_file /export/pki/newKRA.cert
              -append_id_offset 100000000000
              -source_kra_naming_context "oldkra.example.com-pki-kra"
              -target_kra_naming_context "newkra.example.com-pki-kra"
              -process_requests_and_key_records_only
      The command prompts for the password to the token stored in the original databases.
      When it is done, the command creates the file specified in -target_ldif_file, old2newKRA.ldif.
    12. Copy the LDIF file over to the new KRA machine. For example:
      [root@oldkra ~]# scp /export/pki/old2newKRA.ldif root@newkra.example.com:/export/pki

      Important

      Be sure that the LDIF file contains a single, blank line at the end.
  3. If multiple KRA instances are being merged, then their data can be merged into a single import operation. Perform step 2 for every KRA which will be merged.
    Specify unique values for the -target_ldif_file to create separate LDIF files, and specify unique -append_id_offset values so that there are no collisions when the LDIF files are concatenated.
  4. On the new KRA machine, import the LDIF file with the old key data.
    1. Open the data directory.
      [root@newkra ~]# cd /export/pki
    2. Concatenate the new KRA configuration LDIF file and every exported LDIF for the old KRA instances. For example:
      [root@newkra ~]# cat newkra.ldif old2newKRA.ldif > combined.ldif
    3. Import the LDIF into the Directory Server database for the Certificate System 8.1 KRA instance.
      [root@newkra ~]# /usr/lib[64]/dirsrv/slapd-instanceName/ldif2db -n newkra.example.com-pki-kra -i /export/pki/combined.ldif
    4. Start the Directory Server instance for the new KRA.
      [root@newkra ~]# service dirsrv start
    5. Start the new KRA.
      [root@newkra ~]# service pki-kra start
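Two requirements in the procedure above are easy to get wrong silently: every LDIF fed to ldif2db must end with exactly one blank line (the "Important" notes in steps 1.6 and 2.12), and exports from several KRAs must use distinct -append_id_offset values so the concatenated file in step 4.2 contains no repeated entries. The script below is an added example, not a Certificate System tool; it checks both conditions and only then writes combined.ldif in place of the plain cat. The file names are the ones used in the steps; the entry layout it checks is just the dn: line of each LDIF entry.

```shell
#!/bin/bash
# Pre-import sanity checks for the LDIF files concatenated in step 4.2.
# Added example (not part of Certificate System); run it on the new KRA machine.

# Succeeds only when the file ends with exactly one blank line: the last two
# bytes are "\n\n" and the third-last byte is not yet another "\n".
ldif_ends_with_single_blank_line() {
    [ -s "$1" ] || return 1
    [ $(( $(tail -c 2 "$1" | wc -l) )) -eq 2 ] || return 1
    [ $(( $(tail -c 3 "$1" | wc -l) )) -ne 3 ]
}

# Prints every dn: line that occurs more than once across the given files.
# Two KRA exports run with the same -append_id_offset produce exactly this.
duplicate_dns() {
    grep -h '^dn:' "$@" | sort | uniq -d
}

# combine_ldifs OUTPUT NEWKRA_CONFIG_LDIF EXPORTED_LDIF...
# Writes OUTPUT (the combined.ldif passed to ldif2db) only if every input ends
# with a single blank line and no dn is repeated; otherwise reports and fails.
combine_ldifs() {
    local out="$1"; shift
    local f rc=0 dups
    for f in "$@"; do
        if ! ldif_ends_with_single_blank_line "$f"; then
            echo "ERROR: $f must end with exactly one blank line" >&2
            rc=1
        fi
    done
    dups=$(duplicate_dns "$@")
    if [ -n "$dups" ]; then
        echo "ERROR: duplicate entries across inputs (check -append_id_offset):" >&2
        echo "$dups" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] || return 1
    cat "$@" > "$out"
}

# Usage: kra_ldif_check.sh combined.ldif newkra.ldif old2newKRA.ldif [more exports...]
if [ $# -gt 0 ]; then
    combine_ldifs "$@"
fi
```

Invoked as `bash kra_ldif_check.sh /export/pki/combined.ldif /export/pki/newkra.ldif /export/pki/old2newKRA.ldif`, a non-zero exit means fix the reported file (or rerun KRATool with a different offset) before step 4.3.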
© 2025 Red Hat