The second panel of KC-ReplaceTool is the Recreate a set of Key Custodians panel. This panel allows you to submit all the Key Custodian credentials from your current set to be reissued a new secret.
- Complete the fields as described below.
Keystore File |
The location of your keystore file |
Password |
The password to the keystore file |
- When finished, click Recreate. This action renames the current keystore to keycustodianN.bcfks.bak and creates a new keystores with the regenerated secret inside. The new keystore uses the same password as the original.
- If the new keystores is recreated successfully, KC-ReplaceTool will produce the following message: “Successfully updated keycustodian1! (1 of N).”
- Continue submitting keystores for this set until N keystores have been reissued. Once the process is over KC-ReplaceTool will produce the following message in the terminal: “Finished updating N Key Custodians. Process complete!”
NOTE: All of the keystores must be reissued. If the process is interrupted for any reason and not all of the keystores were reissued, delete any new bcfks files that were created. Then for each keystore that was reissued you must rename the keycustodianN.bcfks.bak file back to keycustodianN.bcfks and start the process over from the beginning. |
- The new Key Custodian keystores must be tested and verified to be functional. Before testing the keystores, restart the Payara Application server on each SAKA node using this command:
sudo service glassfishd restart
After the glassfish server on each node has restarted, use the newly reissued keystores to set pins on each node. After pins have been set, use this command to verify that each node is functioning correctly:
pingsaka.sh did
Where “did” represents the domain ID that you are testing on. Run this command for each domain on the server. If N is greater than K then repeat this step using different keystores to set pins, until all newly reissued keystores have been tested.
- Once this is complete, delete the keycustodianN.bcfks.bak files, and any other copy of the original Key Custodian keystores that may be backed up. Create a new set of backup copies of the new keystores.
- That concludes the process for recreating Key Custodians.