The fourth step of the process, performed on the new StrongKey Tellaro node, completes the key migration for the domain keys migrated in the previous step.
- Log in as 'strongauth' on the StrongKey Tellaro
- Start up two shell windows
- In Window2, go to the /usr/local/strongauth/<payara-version>/glassfish/domains/domain1/logs directory:
shell> aslg
or
shell> cd /usr/local/strongauth/<payara-version>/glassfish/domains/domain1/logs
- In Window2, run tail -f on the server.log file so that errors from the following steps are visible:
shell> tail -f server.log
- In Window1, execute KMTool.sh:
shell> KMTool.sh
- Using KeyCustodian flash-drives, set the PINs for the required minimum number of Key Custodians to authorize access to the TPM.
Select a domain to migrate the key to and use the Domain Administrator's Credentials to authorize the migration of the Encryption Domain Key.
Using the MigKey file generated in Step #3, import the Migration Key Blob.
Repeat these steps for each domain key to be imported.
- In Window1, restart the Payara application server:
If using payara6, use the following command:
shell> sudo systemctl restart payara
If using payara5, use the following command:
shell> sudo service glassfishd restart
- In Window1, execute KC-SetPINTool.sh:
shell> KC-SetPINTool.sh
- Using the KeyCustodian flash-drives, set the PINs for the required minimum number of Key Custodians to activate the cryptographic hardware module on the appliance. Confirm that no errors appear in Window1 or Window2.
- Now that the Encryption Domain Keys have been imported, the node is ready to accept cryptographic requests. For Ping requests to function properly, a first dummy record must be encrypted on this node for each domain.
In Window1, change to the /usr/local/strongauth/topaz directory:
shell> cd ~/topaz
- In Window1, execute the sakaclient.jar client application as follows for every domain-id (DID). This command encrypts one credit-card number (with a dummy number of 1111222233334444) and then immediately attempts to decrypt the returned value:
shell> java -jar /usr/local/strongauth/topaz/sakaclient.jar https://<FQDN>:8181 <domain-id> <username> <password> B 33334444 1
Ensure the token returned is the first token for the SID of the new server.
- In Window1, verify Ping requests work for every domain-id (DID):
shell> pingsaka.sh <did>
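The two per-domain checks above (the warm-up encryption and the ping), wrapped in a loop that reports every failing domain instead of stopping at the first error. This is an added example, not StrongKey's own tooling; it assumes the DID list is passed as arguments and that the node's FQDN, username and password come from the SAKA_URL, SAKA_USER and SAKA_PASS environment variables (names chosen for this example, not from the procedure). The commands themselves are the ones shown in the procedure.

```shell
#!/bin/sh
# Added example (not StrongKey's own tooling): run the warm-up encryption and
# the ping check for every domain-id on this node and list every domain that
# fails, instead of stopping at the first error.
#
# Assumptions not on the original page: SAKA_URL, SAKA_USER and SAKA_PASS are
# environment variables (placeholders below) and the DIDs are arguments.

SAKA_URL="${SAKA_URL:-https://<FQDN>:8181}"
SAKA_USER="${SAKA_USER:-<username>}"
SAKA_PASS="${SAKA_PASS:-<password>}"
SAKACLIENT_JAR="/usr/local/strongauth/topaz/sakaclient.jar"

# warm_up_domain DID: the sakaclient.jar call from the procedure (encrypt the
# dummy number once and decrypt the returned token again).
warm_up_domain() {
    java -jar "$SAKACLIENT_JAR" "$SAKA_URL" "$1" "$SAKA_USER" "$SAKA_PASS" B 33334444 1
}

# ping_domain DID: the ping check from the procedure.
ping_domain() {
    pingsaka.sh "$1"
}

# check_all_domains WARM PING DID...: call WARM and then PING for each DID.
# WARM and PING are function names, so a test can substitute fakes for the
# real commands. Prints "failed domains: <did>:encrypt|ping ..." on stderr and
# returns 1 if any domain failed; also returns 1 if no DID was given.
check_all_domains() {
    warm="$1"; ping="$2"; shift 2
    if [ "$#" -eq 0 ]; then
        echo "no domain ids given" >&2
        return 1
    fi
    failed=""
    for did in "$@"; do
        if ! "$warm" "$did" >/dev/null 2>&1; then
            failed="$failed $did:encrypt"
            continue            # no point pinging a domain that cannot encrypt
        fi
        if ! "$ping" "$did" >/dev/null 2>&1; then
            failed="$failed $did:ping"
        fi
    done
    if [ -n "$failed" ]; then
        echo "failed domains:$failed" >&2
        return 1
    fi
    echo "all $# domains passed warm-up and ping"
    return 0
}

# On the appliance, with the real commands and the node's own DIDs (1 2 3 here
# as an example list):
#   check_all_domains warm_up_domain ping_domain 1 2 3
```

The loop keeps going after a failure on purpose: on a node with many domains it is more useful to see the full list of domains whose key import did not take than to stop at the first one.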
- Restore the LDAP users as root.
- Open a new terminal and log in as "root"
- Stop the LDAP server and make copies of the following directories:
shell> systemctl stop slapd
# Make copies of the existing config files
shell> cp -r /etc/openldap/slapd.d /etc/openldap/slapd.0
shell> cp -r /var/lib/ldap /var/lib/ldap.0
- Remove the contents of /etc/openldap/slapd.d and /var/lib/ldap:
shell> rm -r /etc/openldap/slapd.d/*
shell> rm -r /var/lib/ldap/*
- Restore the configuration LDIF (config-<date>.ldif) first:
shell> slapadd -F /etc/openldap/slapd.d -n 0 -l /usr/local/strongauth/dbdumps/config-<date>.ldif
- Change the ownership and restart slapd:
shell> chown -R ldap:ldap /etc/openldap/slapd.d
shell> chown -R ldap:ldap /var/lib/ldap
shell> systemctl restart slapd
- Add the database LDIF (databackup-<date>.ldif) to the directory and restart slapd:
shell> slapadd -F /etc/openldap/slapd.d -n 2 -l /usr/local/strongauth/dbdumps/databackup-<date>.ldif
shell> systemctl restart slapd
- Log out as root
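The LDAP restore sequence above as a script that checks its preconditions before the destructive rm step. This is an added example, not StrongKey's own tooling: it uses the paths from the procedure, takes the two dump filenames as arguments because the <date> part differs per node, refuses to overwrite a .0 backup copy left by an earlier attempt, and re-runs chown after the second slapadd, since slapadd executed as root creates root-owned database files that slapd (running as ldap) cannot open.

```shell
#!/bin/sh
# Added example, not StrongKey's own tooling: the LDAP restore from the
# procedure with precondition checks in front of the destructive "rm" step.
# Paths are the ones from the procedure; override via environment if needed.

CONF_DIR="${CONF_DIR:-/etc/openldap/slapd.d}"
DB_DIR="${DB_DIR:-/var/lib/ldap}"

# check_dumps CONFIG_LDIF DB_LDIF: both dumps must be readable and non-empty,
# and the config dump must contain the cn=config entry that "-n 0" expects.
check_dumps() {
    for f in "$1" "$2"; do
        if [ ! -r "$f" ] || [ ! -s "$f" ]; then
            echo "missing or empty dump: $f" >&2
            return 1
        fi
    done
    if ! grep -q '^dn: cn=config$' "$1"; then
        echo "$1 does not contain a cn=config entry; wrong file for -n 0?" >&2
        return 1
    fi
    return 0
}

# backup_dirs DIR...: copy each DIR to DIR.0 (the naming used in the
# procedure), refusing to overwrite a .0 copy left by an earlier attempt.
backup_dirs() {
    for d in "$@"; do
        if [ -e "$d.0" ]; then
            echo "backup $d.0 already exists; move it aside first" >&2
            return 1
        fi
        cp -r "$d" "$d.0" || return 1
    done
    return 0
}

# restore_ldap CONFIG_LDIF DB_LDIF: the procedure's command sequence, stopping
# at the first failing command. Must run as root.
restore_ldap() {
    check_dumps "$1" "$2" || return 1
    [ -d "$CONF_DIR" ] && [ -d "$DB_DIR" ] || return 1   # never let "/*" expand below
    systemctl stop slapd || return 1
    backup_dirs "$CONF_DIR" "$DB_DIR" || return 1
    rm -rf "$CONF_DIR"/* "$DB_DIR"/*
    slapadd -F "$CONF_DIR" -n 0 -l "$1" || return 1
    chown -R ldap:ldap "$CONF_DIR" "$DB_DIR" || return 1
    systemctl restart slapd || return 1
    slapadd -F "$CONF_DIR" -n 2 -l "$2" || return 1
    chown -R ldap:ldap "$DB_DIR" || return 1   # slapadd as root leaves root-owned files
    systemctl restart slapd
}

# Usage on the appliance (as root), with the node's own dump dates:
#   restore_ldap /usr/local/strongauth/dbdumps/config-<date>.ldif \
#                /usr/local/strongauth/dbdumps/databackup-<date>.ldif
```

The check on the config dump matters because slapadd -n 0 against a database export (or an empty file) would leave the node with an emptied /etc/openldap/slapd.d and no way to start slapd; verifying the file before the rm step keeps the original directories intact until a usable dump is confirmed.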
- In Window1, as the "strongauth" user, verify that Authentication requests work for every domain using the user registered in Step #1:
shell> java -jar /usr/local/strongauth/topaz/skfsclient.jar A <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <username> <origin> <authcounter> <crossorigin>
- This concludes the installation and configuration of the Data Recovery StrongKey Tellaro node. This new node should now be shut down and stored in a safe location accessible only with certain privileges.