Product Documentation

There are two ways to use the KC Replacement Tool, and each has different requirements. You can either recreate the secret protected by every existing keystore, or you can create an entirely new set of keystores altogether.


You may find that one or more copies of a Key Custodian keystore have been lost and the site deems them compromised. If you have backups of the missing keystores you are not hindered operationally, but the missing copies are still pieces of the shared secret, and pieces that are out of your control increase the risk to the secret as a whole. In this case, it is most appropriate to recreate the secret using the keystores you already have. This requires gathering one copy of every Key Custodian keystore that has been issued in one place so that the KC Replacement Tool can restore them. If you have multiple copies of the same keystore, say several copies of keycustodian1.bcfks, only a single instance is required. If any Key Custodian keystore is completely missing, the second process described below is required in order to create new keystores.


The second scenario is that all copies of a certain role are lost. For instance, every copy of keycustodian3.bcfks is missing. In this case, new Key Custodian keystores can be created as long as the site still possesses enough Key Custodian keystores to recreate the shared secret. That is, if you still hold at least K keystores (K being the minimum number of Key Custodians required to activate the appliance), you can use the tool to generate a new set of keystores to replace the old one. If you do not have at least K keystores available, please contact support to discuss your options.


The KC Replacement Tool can be run from any location or device that can run Java. These instructions assume the tool is being run on a SAKA. Execute the /usr/local/strongauth/bin/KC-ReplaceTool.sh shell script from a terminal window. This displays the following window: