Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 4. Setting up key archival and recovery
This chapter explains how to setup the Key Recovery Authority (KRA), previously known as Data Recovery Manager (DRM), to archive private keys and to recover archived keys for restoring encrypted data.
See 4.4 "Supported Hardware Security Modules" in the Planning, Installation and Deployment Guide (Common Criteria Edition).
When the KRA is installed, it joins a security domain, and is paired up with the CA. At such time, it is configured to archive and recover private encryption keys. However, if the KRA certificates are issued by an external CA rather than one of the CAs within the security domain, then the key archival and recovery process must be set up manually.
For more information, see 12.1 Manually Setting up Key Archival in the Planning, Installation and Deployment Guide (Common Criteria Edition).
4.1. Configuring agent-approved key recovery in the console
While the number of key recovery agents can be configured in the Console, the group to use can only be set directly in the CS.cfg file. The Console uses the Key Recovery Authority Agents Group by default.
Open the KRA’s console. For example:
pkiconsole -d nssdb -n 'optional client cert nickname' https://server.example.com:8443/kra
# pkiconsole -d nssdb -n 'optional client cert nickname' https://server.example.com:8443/kraCopy to Clipboard Copied! Toggle word wrap Toggle overflow NoteTo configure
pkiconsole, please refer to 7.13.6 "Configure pkiconsole login with client authentication" in the Planning, Installation and Deployment Guide (Common Criteria Edition).pkiconsoleis being deprecated and will be replaced by a new browser-based UI in a future major release. Althoughpkiconsolewill continue to be available until the replacement UI is released, we encourage using the command line equivalent ofpkiconsoleat this time, as the pki CLI will continue to be supported and improved upon even when the new browser-based UI becomes available in the future.- Click the Key Recovery Authority link in the left navigation tree.
Enter the number of agents to use to approve key recover in the Required Number of Agents field.
For more information on how to configure agent-approved key recovery in the CS.cfg file, see 12.3.1 Configuring Agent-Approved Key Recovery in the Command Line in the Planning, Installation and Deployment Guide (Common Criteria Edition).
4.2. Testing the key archival and recovery setup
To test whether a key can be successfully archived:
- Create and enroll a CRMF request by following Section 11.3.2.1.1, “Enrolling for a user certificate”.
- Confirm that the key has been archived. In the KRA’s agent services page, select Show completed requests. If the key has been archived successfully, there will be information about that key. If the key is not shown, check the logs, and correct the problem. If the key has been successfully archived, close the browser window.
Test whether an archived key can be recovered successfully:
- Open the KRA’s agent services page, and click the Recover Keys link. Search for the key by the key owner, serial number, or public key. If the key has been archived successfully, the key information will be shown.
- Click .
- In the form that appears, enter the base-64 encoded certificate that corresponds to the private key to recover; use the CA to get this information. If the archived key was searched for by providing the base-64 encoded certificate, then the certificate does not have to be supplied here.
- Only "Async Recovery" is supported. Make sure that the Async Recovery checkbox is selected.
- Depending on the agent scheme, a specified number of agents must authorize this key recovery. Have the agents search for the key to recover and then to approve the initiated recovery.
- Once all the agents have authorized the recovery, the next screen requests a password to encrypt the PKCS #12 file with the certificate.
The next screen returns a link to download a PKCS #12 blob containing the recovered key pair. Follow the link, and save the blob to file.
ImportantOpening the PKCS #12 file directly from the browser in the
gcr-viewerutility can fail in certain situations. To work around the problem, download the file and manually open it ingcr-viewer.- For more information on Key Archival and Recovery, see 2.4.5 Archiving, Recovering, and Rotating Keys in the Planning, Installation and Deployment Guide (Common Criteria Edition).
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}