The third panel of KC-ReplaceTool is the Create a new set of Key Custodians panel. This panel allows you to create a brand new set of Key Custodians separate from the previous set.
1. Complete the fields as described below.

| Field | Description |
| --- | --- |
| K | The minimum number of Key Custodians needed to recreate the new secret. This value can be different from the original K value. |
| N | The number of Key Custodians that will be created to store this new secret. This value must be equal to or greater than the K value. |
| USB Folder | The USB location to write the new keystore. NOTE: It is critically important that this is a new USB and not the Key Custodian’s old USB! |
| Password | The password to the keystore file. This can be a different password than the original keystore file. |
| Again | Enter your password a second time to confirm. |

2. When finished, click Create to generate a new Key Custodian keystore. If the process works correctly, you will see a message indicating success: “Successfully wrote keycustodian1! (1 of N)”
3. Continue submitting keystores for this set until N keystores have been created. Once the process is over, KC-ReplaceTool will produce the following message: “Successfully wrote keycustodianN! (N of N)”

   NOTE: The process is not completed until all keystores have been created. If the process is interrupted for any reason, delete all the newly created keystores and start the process over from the beginning.

4. The very last Key Custodian created is also given a file called new_kc.sql on their USB. Choose a SAKA node on which to source the SQL file and run the test, and copy the new_kc.sql file to a location on that SAKA.
5. Log into the server as strongauth.
6. Create a mysql backup of the key_custodians table:

   shell> mysqldump -u skles -p strongkeylite key_custodians > /usr/local/strongauth/dbdumps/key_custodians.db

7. Log into the database:

   shell> mysql -u skles -p strongkeylite

8. Source the new_kc.sql file:

   mysql> source /path/to/new_kc.sql

9. Log out of the database:

   mysql> exit

10. Restart the Payara Application server on this node. Then, use the new set of Key Custodians to test whether the web services can be activated.
11. Repeat this process starting from step 4 for every other SAKA node. If you have an N value greater than your K value, be sure that every Key Custodian is tested on at least one node.
12. Once the process is completed, delete all remaining copies of the original keycustodianN.bcfks files. Create a new set of backup copies of the new versions of the keystores.
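The script below is an added example (shell) that is not part of the KC-ReplaceTool documentation or StrongKey's own code. It wraps the checks a practitioner would want around the procedure above: the panel's rule that N must be at least K, a completeness check over a backup set of keystores (the process is only finished once all N exist; the keycustodian<i>.bcfks naming is inferred from the tool's messages), and a per-node update that refuses to source new_kc.sql unless the mysqldump backup it just wrote is non-empty. The timestamped dump file name, the KC_DRY_RUN variable (which prints the mysql commands instead of running them) and the function names are assumptions introduced here; the user, database and dump directory are the ones the page uses.

```shell
#!/bin/sh
# Added example, not StrongKey's code. Assumptions: keystores are named
# keycustodian<i>.bcfks; the DB user skles, database strongkeylite and
# /usr/local/strongauth/dbdumps come from the procedure above; the
# timestamp suffix and KC_DRY_RUN are introduced here.

# Positive-integer check used for K and N.
is_posint() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ]
}

# Same rule as the panel: K >= 1 and N >= K.
validate_kn() {
    is_posint "$1" && is_posint "$2" || { echo "K and N must be positive integers" >&2; return 1; }
    [ "$2" -ge "$1" ] || { echo "N ($2) must be equal to or greater than K ($1)" >&2; return 1; }
}

# A set of N keystores is only usable when keycustodian1..N.bcfks all exist
# and are non-empty (e.g. when verifying the backup copies from the last step).
# Lists every missing file and returns 1 if any is absent.
check_keystore_set() {
    dir="$1"; n="$2"; missing=0; i=1
    while [ "$i" -le "$n" ]; do
        f="$dir/keycustodian$i.bcfks"
        if [ ! -s "$f" ]; then
            echo "missing or empty keystore: $f" >&2
            missing=$((missing + 1))
        fi
        i=$((i + 1))
    done
    [ "$missing" -eq 0 ]
}

# Server-side steps on one SAKA node: back up key_custodians, verify the
# dump is non-empty, then source new_kc.sql. With KC_DRY_RUN set, the
# mysql commands are printed rather than executed.
update_node_kc() {
    sql="$1"
    dump="/usr/local/strongauth/dbdumps/key_custodians.$(date +%Y%m%d%H%M%S).db"
    [ -s "$sql" ] || { echo "new_kc.sql not found or empty: $sql" >&2; return 1; }
    if [ -n "${KC_DRY_RUN:-}" ]; then
        echo "mysqldump -u skles -p strongkeylite key_custodians > $dump"
        echo "mysql -u skles -p strongkeylite < $sql"
        return 0
    fi
    mysqldump -u skles -p strongkeylite key_custodians > "$dump" || return 1
    [ -s "$dump" ] || { echo "backup $dump is empty, refusing to source $sql" >&2; return 1; }
    mysql -u skles -p strongkeylite < "$sql"
}

# Usage (constructed): sh kc_checks.sh K N /path/to/backup_set /path/to/new_kc.sql
if [ $# -eq 4 ]; then
    validate_kn "$1" "$2" && check_keystore_set "$3" "$2" && update_node_kc "$4"
fi
```

Run the script on the node after copying new_kc.sql there; it stops before touching the database if K/N are inconsistent, if the backup set is incomplete, or if the dump turns out empty, which covers the interruption case the NOTE above warns about.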