6.13. 设置新主密钥
本节将描述在 Token Key Service(TKS)中设置新主密钥所需的步骤和配置。有关背景信息,请参阅 红帽认证系统规划、安装和部署指南。
过程 6.1. 创建新主密钥
- 获取访问 TKS 安全数据库所需的内部 PIN:
#cat /var/lib/pki/pki-tomcat/tks/conf/password.conf internal=649713464822 internaldb=secret12 replicationdb=-752230707 - 打开 TKS 实例
的别名/目录:#cd /var/lib/pki/pki-tomcat/alias - 使用 tkstool 程序生成新的 master 密钥。例如:
#tkstool -M -n new_master -d /var/lib/pki/pki-tomcat/alias -h <token_name> Enter Password or Pin for "NSS Certificate DB": Generating and storing the master key on the specified token . . . Naming the master key "new_master" . . . Computing and displaying KCV of the master key on the specified token . . . new_master key KCV: CA5E 1764 - 验证密钥是否已正确添加到数据库中:
#tkstool -L -d . slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": <0> new_master
6.13.1. 生成和传输主密钥(主要 Ceremony)
如果主密钥将用于外部令牌或多个位置,则必须进行 嵌套,以便安全地传输到硬件令牌。tkstool 实用程序可用于生成传输密钥,然后用于将主密钥发送到生成令牌的设备。传输嵌套的 master 密钥的进程通常称为密钥 Ceremony。
注意
传输密钥只能用于生成的主密钥。
过程 6.2. 生成并传输 Wrapped 主密钥
- 获取访问 Token Key Service 安全数据库所需的内部 PIN:
#cat /var/lib/pki/pki-tomcat/tks/conf/password.conf internal=649713464822 internaldb=secret12 replicationdb=-752230707 - 打开 TKS 实例
别名/目录:#cd /var/lib/pki/pki-tomcat/alias - 创建名为 transport 的
传输密钥:#tkstool -T -d . -n transport注意tkstool 程序输出每个生成的三个会话键的密钥共享和 KCV 值。将这些文件保存到文件中,因为稍后会在这个流程中的新数据库中重新生成传输密钥,并在丢失密钥时重新生成密钥。 - 出现提示时,填写数据库密码。然后,根据屏幕的说明生成随机 seed。
A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard. To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! Continue typing until the progress meter is full: |************************************************************| Finished. Type the word "proceed" and press enter
- 下一提示将生成一系列会话密钥。按照屏幕说明操作,直到最终消息:
Successfully generated, stored, and named the transport key!
- 使用 transport 密钥生成并打包一个 master 密钥,并将其存储在名为
的文件:#tkstool -W -d . -n new_master -t transport -o file Enter Password or Pin for "NSS Certificate DB": Retrieving the transport key (for wrapping) from the specified token . . . Generating and storing the master key on the specified token . . . Naming the master key "new_master" . . . Successfully generated, stored, and named the master key! Using the transport key to wrap and store the master key . . . Writing the wrapped data (and resident master key KCV) into the file called "file" . . . wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9 master key KCV: CED9 4A7B (computed KCV of the master key residing inside the wrapped data) - 将嵌套的 master 密钥复制到适当的位置或工具中。
- 如有必要,在 HSM 或设备中生成新安全数据库:
#tkstool -N -d <directory>或者,添加-I选项来生成与最初在新数据库中生成的键相同。以这种方式重新生成 transport 密钥需要您输入会话密钥共享和 KCV,用于这个过程早期生成的每个会话密钥。#tkstool -I -d <directory> -n verify_transport - 使用 transport 密钥来取消包装存储在 文件中的主密钥。提示时提供安全数据库 PIN:
#tkstool -U -d directory -n new_master -t verify_transport -i file Enter Password or Pin for "NSS Certificate DB": Retrieving the transport key from the specified token (for unwrapping) . . . Reading in the wrapped data (and resident master key KCV) from the file called "file" . . . wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9 master key KCV: CED9 4A7B (pre-computed KCV of the master key residing inside the wrapped data) Using the transport key to temporarily unwrap the master key to recompute its KCV value to check against its pre-computed KCV value . . . master key KCV: CED9 4A7B (computed KCV of the master key residing inside the wrapped data) master key KCV: CED9 4A7B (pre-computed KCV of the master key residing inside the wrapped data) Using the transport key to unwrap and store the master key on the specified token . . . Naming the master key "new_master" . . . Successfully unwrapped, stored, and named the master key! - 验证密钥是否已正确添加到数据库中:
#tkstool -L -d slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": <0> transport <1> new_master
