| At the target node |
|
|
|
| 3a.1 |
Target |
Audit the appropriateness of the access controls. |
|
| 3a.2 |
Target |
Perform time synchronization and ensure that the fcv_td2k.crt authorization
is installed. |
|
| 3a.3 |
Target |
Confirm the coprocessor serial number:
- Click Crypto Node > Status.
- Click Adapter.
- Note the coprocessor serial number, click Cancel.
|
|
| 3a.4 |
Target |
Ensure the existence of a (temporary) master key. |
|
| 3a.5 |
Target |
If not already established, enter the environment
ID (EID):
- Click Crypto Node > Set environment ID > Crypto
Node.
- Enter the EID (for example, CSR1 NODE and extend with spaces to
16 entered characters).
- Click Load.
|
|
| 3a.6 |
Target |
If not already established, set the number m and n shares
values:
- Click Crypto Node > Share Administration > Set
Number of Shares.
- Set the maximum and minimum number of required shares.
- Click Load.
|
|
| 3a.7 |
Target |
Using the facilities of your operating system,
erase the csr.db data file. |
|
| 3a.8 |
Target |
Generate the CSR key:
- Click Crypto Node > Share Administration > Create
Keys > CSR Key.
- Enter the CSR key label (for example, CSR1.KEY).
- Confirm the coprocessor serial number.
- Select the key size.
- Provide the CSR database name and location (for example, CSR1.DB).
- Click Create.
|
|
| 3a.9 |
Target |
Register the SA public-key hash:
- Click Crypto Node > Share Administration > Register
Share Administration > SA-Key Hash.
- Enter the SA database file name and location, click Next.
- Enter the SA public key label (or accept the default).
- Enter the SA key hash, click Register.
|
|
| 3a.10 |
Target |
Register the SA public-key:
- Click Crypto Node > Share Administration > Register
Share Administration > SA Key.
- Enter the SA database file name and location, click Next.
- Enter the SA public key label (or accept the default), click Register.
|
|
| At the SA node |
|
|
|
| 3b.1 |
SA |
Certify the CSS key (as required):
- Click Crypto Node > Share Administration > Certify
Keys > CSS Key.
- Enter the name and path for the SA database, click Next.
- Confirm the CSS key label, the coprocessor serial number, and
the SA environment ID.
- Click Certify.
|
|
| 3b.2 |
SA |
Certify the CSR key:
- Click Crypto Node > Share Administration > Certify
Keys > CSS Key.
- Enter the name and path for the SA and CSR databases, click Next.
- Confirm the SA key label, CSR key label, and the SA environment
ID.
- Enter the CSR serial number.
- Click Certify.
|
|
| At the source node |
|
|
|
| 3c.1 |
Source |
Obtain at least the number of m and n shares.
Perform the following substep for each share. Note that logon and
logoff might be required to obtain each share.
- Click Crypto Node > Share Administration > Get
Share.
- Select the share. Note that if you are obtaining an additional
set(s) of shares, the Distributed messages might not be meaningful.
- Enter the name and path for the SA and CSR databases, click Next.
- Confirm the CSS key label, CSS coprocessor serial number, and
the CSR coprocessor serial number.
- Click Get Share.
Repeat as required.
|
|
| At the target node |
|
|
|
| 3d.1 |
Target |
Install the number of m and n shares. Perform
the following for each share and observe the response. The response
indicates when enough shares have been installed to form the new master
key. Note that logon and logoff might be required to install each
share.
- Click Crypto Node > Share Administration > Load
Share.
- Select the share.
- Enter the name and path for the CSR and SA databases, click Next.
- Confirm the CSS key label, the CSS coprocessor serial number,
and the CSR coprocessor serial number.
- Click Load Share.
Observe the response. Loading sufficient shares completes
the new master-key.
Repeat as required.
|
|
| 3d.2 |
Target |
Confirm the new master key:
- Click Master Key > Verify > New.
- Click Compare or select the file or click OK or click
Cancel
|
|
| 3d.3 |
Target |
Erase the csr.db data file.
This is not a security problem but rather to avoid complications while
doing master key cloning operation. |
|
| 3d.4 |
Target |
As appropriate, set the master key:
- Click Master Key > Set.
- Click OK.
|
|