The fourth step, performed on the new SAKA node, completes the key migration for the domain keys migrated in the previous step.
- Log in as 'strongauth' to the SAKA
- Start up two shell windows
- In Window2, go to the /usr/local/strongauth/<payara-version>/glassfish/domains/domain1/logs directory
shell> cd /usr/local/strongauth/<payara-version>/glassfish/domains/domain1/logs
- In Window2, run the tail -f command on the server.log file
shell> tail -f server.log
- In Window1, change directory to /usr/local/strongauth/bin
shell> cd ~/bin
- In Window1, execute the KMTool.sh
shell> ./KMTool.sh
- Using the Red, Green and Blue flash-drives, set the PINs for the three Key Custodians to authorize access to the TPM. Select a domain to migrate the key to and use the Domain Administrator's credentials to authorize the migration of the Encryption Domain Key. Using the MigKey file generated in step E-3-7, import the Migration Key Blob. Repeat these steps for each domain key to be imported.
- Now that the Encryption Domain Keys have been imported, the node is ready to accept cryptographic requests. In order for Ping requests to function properly, a first dummy record must be encrypted on this node for each domain.
- In Window1, change directory to the /usr/local/strongauth/topaz directory:
shell> cd ~/topaz
- In Window1, execute the sakaclient.jar client application as follows. This command will encrypt one credit-card number (with a dummy number of 1111222233334444) and then attempt to decrypt the returned value immediately:
shell> java -jar sakaclient.jar https://saka03.<domain-name>:8181 <domain-id> <username> <password> B 33334444 1
Ensure the token returned is equivalent to the one configured in step E-1-5. If not, the record may already exist in the appliance; send a new request with a different token until the expected token is generated.
- In Window1, verify Ping requests work for every domain
shell> pingsaka.sh <did>
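The two verification steps above (seed one dummy record per domain and confirm the expected token, then check that Ping works) can be run for every domain in one pass. This is an added example, not a script shipped with the SAKA; it assumes the client prints the returned token somewhere on stdout, that pingsaka.sh exits non-zero on failure, and the variable names SAKA_URL, SAKACLIENT, PINGSAKA and MAX_TRIES are this example's own.

```shell
#!/bin/sh
# Post-migration check for every domain on the new node: encrypt the dummy
# record, confirm the expected token, then run the Ping check.
# Assumed (not from the StrongAuth docs): SAKA_URL, SAKACLIENT, PINGSAKA,
# MAX_TRIES; the client prints the token it returns on stdout; pingsaka.sh
# exits non-zero when the Ping fails.
SAKA_URL="${SAKA_URL:-https://saka03.example.com:8181}"   # placeholder host
SAKACLIENT="${SAKACLIENT:-java -jar sakaclient.jar}"
PINGSAKA="${PINGSAKA:-pingsaka.sh}"
MAX_TRIES="${MAX_TRIES:-3}"

# encrypt_once DID USER PASS NUMBER: one encrypt-then-decrypt round trip (B mode).
encrypt_once() {
  $SAKACLIENT "$SAKA_URL" "$1" "$2" "$3" B "$4" 1 2>&1 </dev/null
}

# seed_domain DID USER PASS EXPECTED_TOKEN: encrypt the dummy number and check
# that EXPECTED_TOKEN comes back. If it does not, the record may already exist,
# so the dummy number is changed and the request repeated, up to MAX_TRIES.
seed_domain() {
  did=$1 user=$2 pass=$3 expected=$4
  number=33334444          # dummy number from the runbook
  i=1
  while [ "$i" -le "$MAX_TRIES" ]; do
    out=$(encrypt_once "$did" "$user" "$pass" "$number") || return 1
    if printf '%s\n' "$out" | grep -q -- "$expected"; then
      echo "domain $did: expected token $expected confirmed"
      return 0
    fi
    echo "domain $did: attempt $i did not return $expected; retrying" >&2
    number=$((number + 1))
    i=$((i + 1))
  done
  return 1
}

# ping_domain DID: Ping must succeed now that a record exists for the domain.
ping_domain() {
  $PINGSAKA "$1" >/dev/null 2>&1 </dev/null
}

# verify_domains < list: each input line is "DID USER PASS EXPECTED_TOKEN".
# Exit status is the number of domains that failed either check (0 = all good).
verify_domains() {
  failed=0
  while read -r did user pass expected; do
    [ -n "$did" ] || continue
    if seed_domain "$did" "$user" "$pass" "$expected" && ping_domain "$did"; then
      echo "domain $did: ready"
    else
      echo "domain $did: FAILED" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}
```

Run it as `printf '1 admin secret 33334444\n' | ./verify.sh` after sourcing or appending `verify_domains` at the end; keep the domain list file readable only by 'strongauth' since it carries credentials.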
- The new node is fully operational and ready for transactions. Further replication tests may be performed to ensure replication is functioning as expected. If the appliances in this cluster have any scheduled jobs, the Domain Administrator should add them to this node now.