Overview of cloning a master key
The cloning procedure outlines how to clone a master key from one coprocessor to another coprocessor by using the Cryptographic Node Management (CNM) utility.
Note: Ensure that the CNM utility is at the same level on all systems involved in the cloning procedure.
The master-key cloning procedure makes no assumption about which
server contains the coprocessors used for:
- Share administration (SA node)
- Master-key source (CSS coprocessor share-signing node)
- Master-key target (CSR coprocessor share-receiving node)
Note: Cloning of AES master keys is not supported.
The SA key can reside in the same coprocessor as either the CSS or the CSR key, or it can reside in a separate coprocessor node. Any of the coprocessors can reside together in the same server if multiple coprocessors with CCA are available.
The procedure ignores operator actions to log on and log off, because these steps depend on the specific roles in use at your installation. You can switch between coprocessors when you are using more than one coprocessor within a server.
The procedure is divided into several phases as outlined in Table 1.
Phase | Node | Task
---|---|---
1 | SA | Establish the share administration node. Create the SA database, generate the SA key, and store its public key and hash into the SA database.
2a | Source | Establish the source node. Generate the CSS key and add the public key to the SA database. Install the SA public key.
2b | SA | Certify the CSS key and store the certificate into the SA database.
 | | For each target node, repeat the phase 3 procedures.
3a | Target | Establish the target node. Create a CSR database, generate a CSR key, and add the public key to the CSR database for this node. Install the SA public key.
3b | SA | Certify the CSR key and store the certificate into the CSR database for the target node.
3c | Source | Obtain shares and the current master-key verification information.
3d | Target | Install shares and confirm the new master key. Set the master key.
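The share transfer in phases 3c and 3d, as an added illustration that is not code from the CNM utility or from this page: the source splits the master key into n shares of which any m reconstruct it and publishes verification information, and the target reconstructs the key from the shares it receives and refuses to set it unless the verification information matches. The m-of-n Shamir sharing over GF(2^8), the share numbering, and the SHA-256-based verification pattern are assumptions standing in for CCA's own share format and master-key verification information, which this page does not describe; the 24-byte key is constructed sample input.

```python
import functools, hashlib, secrets

# GF(2^8) arithmetic (AES reduction polynomial); each key byte is shared separately.
def gf_mul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def gf_inv(a):
    return functools.reduce(gf_mul, [a] * 254, 1)  # a^254 == a^-1 in GF(2^8)

def split_master_key(key, m, n):
    """Source node (phase 3c): produce n shares, any m of which reconstruct the key."""
    shares = [(x, bytearray()) for x in range(1, n + 1)]  # share x-coordinates 1..n
    for s in key:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(m - 1)]  # random polynomial
        for x, ys in shares:
            y, xp = 0, 1
            for c in coeffs:        # evaluate the polynomial at x
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            ys.append(y)
    return [(x, bytes(ys)) for x, ys in shares]

def combine_shares(shares):
    """Lagrange interpolation at x=0 over the m shares that were collected."""
    xs = [x for x, _ in shares]
    key = bytearray(len(shares[0][1]))
    for i, (_, ys) in enumerate(shares):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = gf_mul(num, xj)
                den = gf_mul(den, xj ^ xs[i])   # subtraction is XOR in GF(2^8)
        lagrange = gf_mul(num, gf_inv(den))
        for k, y in enumerate(ys):
            key[k] ^= gf_mul(y, lagrange)
    return bytes(key)

def verification_pattern(key):
    """Constructed stand-in for the master-key verification information of phase 3c."""
    return hashlib.sha256(key).digest()[:8]

def install_shares(shares, source_vp):
    """Target node (phase 3d): reconstruct, confirm against the source's pattern, then set."""
    candidate = combine_shares(shares)
    if verification_pattern(candidate) != source_vp:
        return None       # confirmation failed: the new master key must not be set
    return candidate      # caller sets this as the new master key
```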
Before starting the master-key cloning procedure, it is suggested that you complete the forms found in Table 2 and Figure 1.
Task | Node | Profile | Role | Responsible individual
---|---|---|---|---
Audit access controls | SA | | |
Generate SA key | SA | | |
Register SA-key hash | SA | | |
Register SA key | SA | | |
Audit access controls | CSS | | |
Generate CSS key | CSS | | |
Obtain CSS master key | CSS | | |
Register SA-key hash | CSS | | |
Register SA key | CSS | | |
Certify CSS key | SA | | |
Audit access controls | CSR1 | | |
Generate CSR key | CSR1 | | |
Register SA-key hash | CSR1 | | |
Register SA key | CSR1 | | |
Certify CSR1 key | SA | | |
Obtain shares | CSS | | |
Install shares | CSR1 | | |
Verify CSR new | CSR1 | | |
Set CSR master key | CSR1 | | |
Audit access controls | CSR2 | | |
Generate CSR key | CSR2 | | |
Register SA-key hash | CSR2 | | |
Register SA key | CSR2 | | |
Certify CSR2 key | SA | | |
Obtain shares | CSS | | |
Install shares | CSR2 | | |
Verify CSR new | CSR2 | | |
Set CSR master key | CSR2 | | |
