KMS Module replaceAnsiX9241Key Mechanics

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

The replaceAnsiX9241Key (RDK) operation is used for persistent, secure storage of ANSI X-924.1 keys in SAKA. The web service receives a CCEncryptedAnsiX9241KeyType object (along with other parameters to authenticate and authorize the transaction) that contains all the metadata necessary to store the key. While behaving similarly to the storeAnsiX9241Key web service, this web service additionally marks another—previously stored—ANSI key as “retired,” so the newly stored ANSI key can replace it.

There are two methods for replacing a key on the appliance using the values from the CCEncryptedAnsiX9241KeyType element. The first involves assembling the key from a set of key components that were previously loaded through the loadKeyComponent web service. The second method is to decrypt an encrypted key using a previously stored key as the wrapping key.

The web service will automatically know which method of key replacement you are attempting based on whether the ParentToken value of the CCEncryptedAnsiX9241KeyType object is NULL or not.

The RDK web service operation requires four parameters:

DID	The unique encryption domain identifier.
username	The username (service credential) within the encryption domain with the authorization to call this web service. The user requires the Key Management Administrator privilege and the encryption privilege at minimum to execute this operation. If the ANSI key is a wrapped key, then the decryption privilege is also required to recover the wrapping key.
password	The password of the username to authenticate the credential of the requester.
encansikey	The CCEncryptedAnsiX9241KeyType object that contains the key component and metadata.

When SAKA receives the request, it verifies the credentials presented against its internal database—or an optional LDAP directory server—and determines their authorization to request the replaceAnsiX9241Key service by verifying if they are a member of the KMAAuthorized and EncryptionAuthorized groups. If using LDAP, this group and its members must be created in the LDAP directory as a distinct task of the SAKA installation process; when using the internal database on the SAKA, this group is created automatically.

If the requester is authorized, SAKA parses the CCEncryptedAnsiX9241KeyType object. Depending on what parameters are specified, the code will branch into one of two paths:

If a ParentToken is specified, the appliance will make an additional check to verify if the user is a member of the DecryptionAuthorized group. If authorized, the wrapping key will be recovered from secure storage for use in this transaction. The wrapping key is used to decrypt the provided EncryptedKey data.
If a ParentToken is not specified, the appliance will search it's internal maps for Key Components associated with the key specified by the KeyName. If the necessary key components are found, the key is assembled from these components (and the components are subsequently erased).

Once the appliance has assembled/decrypted the ANSI key, a KCV is calculated and compared with the provided KCV. If they do not match, the integrity of the key cannot be confirmed and the request will fail. If the integrity of the key is confirmed, the key is ready to be securely stored. Within a single transaction, the to-be-replaced token is marked as “retired.” The replacement key is then encrypted and stored by the appliance. If either action in this two-phase transaction fails, the entire transaction is rolled back.

Once the ANSI key is successfully stored, the following values will be returned, either as a JSON or XML string; in the case of SOAP, the JSON or XML string is embedded in the objectContent attribute of the CCReturnObject object:

DID	The unique encryption domain identifier for the domain that serviced this request.
SRID	A unique request identifier for this transaction.
Token	The token reference to this encrypted ANSI key.
KeyName	The identifier used to reference this key in the request.