Migrating from Gemalto SafeNet KeySecure to Thales CipherTrust Manager key servers

You can migrate from Gemalto SafeNet KeySecure key servers to Thales CipherTrust Manager key servers non-disruptively with the management GUI or the command-line interface. The command-line interface must be used to view the unique ID of the encryption key.

Prerequisites

Before you migrate key servers, ensure that you complete the following tasks.
Update system to supported level
The system must be updated to a level that includes support for Thales CipherTrust Manager key servers.
Migrate encryption keys from Gemalto SafeNet KeySecure to Thales CipherTrust Manager key servers
The encryption key that the system uses must be migrated from the SafeNet KeySecure servers to the Thales CipherTrust Manager key servers. Use the svcinfo lsencryption command to view the keyserver_pmk_uid value that identifies the encryption key. The Thales CipherTrust Manager documentation covers migrating encryption keys from SafeNet KeySecure servers to Thales CipherTrust Manager servers. You must use these instructions to migrate these encryption keys before you can complete the rest of the migration.
Configure system certificates on the system

IBM Storage Virtualize uses certificates to establish a secure connection to encryption key servers. Certificates must be configured before migrating to Thales CipherTrust Manager.

SafeNet KeySecure supports self-signed IBM Storage Virtualize certificates. Thales CipherTrust Manager does not support self-signed certificates, so the IBM Storage Virtualize certificate must be signed by a certificate authority (CA).

The IBM Storage Virtualize certificate can be signed by the system's root CA or by a trusted third-party CA. If the certificate is signed by the system's root CA, the root certificate must be added as an external certificate authority in Thales CipherTrust Manager. If the certificate is signed by a trusted third-party CA, the third-party root certificate must be added as an external certificate authority.

The root certificate must also be installed on the SafeNet KeySecure servers to ensure that the system can communicate with the SafeNet KeySecure servers when the new signed system certificate is installed.

If Thales CipherTrust Manager is configured to require a username in KMIP client certificates, then the username should be included in the IBM Storage Virtualize certificate.

Download the key server certificate
Download the key server certificate that is used with the KMIP interface in Thales CipherTrust Manager to your local workstation. You need to upload this certificate to the system during migration.
Create a Thales CipherTrust Manager username
By default, Thales CipherTrust Manager is configured to require a username in the 'common name' field of the client's SSL certificate. On Thales CipherTrust Manager, ensure that the following tasks are completed for this username.
  1. Create a user with this username.
  2. Ensure that this user owns the encryption key that was migrated to the Thales CipherTrust Manager key servers.
  3. Ensure that this user is added to the Key Users group.
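The two certificate requirements above (the system certificate must not be self-signed, and the CipherTrust Manager username must appear in its common name) can be checked on the workstation before the downloaded certificate is uploaded anywhere. The following script is an added example, not part of this page or of the IBM Storage Virtualize product: it parses the issuer and subject of a PEM certificate with a minimal DER walker from the Python standard library and reports whether the certificate is self-signed and whether the common name matches the expected username. It does not verify the signature or the chain. The certificates it builds for demonstration are constructed and unsigned, and the names "svc-storage-01" and "Example Root CA" are placeholders for the CipherTrust Manager username and the system's root CA.

```python
import ssl

# DER-encoded OIDs (without tag and length) used below.
OID_CN = b"\x55\x04\x03"   # 2.5.4.3  commonName
OID_O = b"\x55\x04\x0a"    # 2.5.4.10 organizationName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def _read_tlv(data, pos):
    """Decode the DER tag-length-value element at pos; return (tag, body, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(body):
    """Split the body of a constructed DER element into (tag, body) children."""
    items, pos = [], 0
    while pos < len(body):
        tag, child, pos = _read_tlv(body, pos)
        items.append((tag, child))
    return items


def _decode_oid(raw):
    """Render DER OID bytes as dotted text, e.g. 2.5.4.3 for commonName."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _name_attributes(name_body):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to {oid: value}."""
    attrs = {}
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            attrs[_decode_oid(oid)] = value.decode("utf-8")
    return attrs


def check_client_cert(pem, required_username=None):
    """Report whether a client certificate meets the CipherTrust Manager prerequisites.

    Only issuer and subject of the tbsCertificate are inspected; the signature and
    the chain are NOT verified here.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    _, certificate, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs = _children(certificate)[0]             # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject
    common_name = _name_attributes(subject).get("2.5.4.3")
    return {
        "common_name": common_name,
        "self_signed": issuer == subject,          # identical issuer and subject DER
        "username_ok": required_username is None or common_name == required_username,
    }


def _tlv(tag, body):
    """DER-encode one tag-length-value element (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _name(common_name):
    """Build a two-attribute Name: O=<constructed org>, CN=<common_name>."""
    def rdn(oid, text):
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, text.encode())))
    return _tlv(0x30, rdn(OID_O, "Example Storage Team") + rdn(OID_CN, common_name))


def make_demo_cert(subject_cn, issuer_cn):
    """Return a structurally valid but UNSIGNED PEM certificate (constructed for the demo)."""
    alg = _tlv(0x30, _tlv(0x06, OID_SHA256_RSA) + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"260101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))            # placeholder public key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return ssl.DER_cert_to_PEM_cert(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00")))


if __name__ == "__main__":
    # Constructed names: "svc-storage-01" stands in for the CipherTrust Manager
    # username, "Example Root CA" for the system's root CA.
    for cert in (make_demo_cert("svc-storage-01", "svc-storage-01"),
                 make_demo_cert("svc-storage-01", "Example Root CA")):
        print(check_client_cert(cert, "svc-storage-01"))
```

To check a real system certificate, pass the contents of the exported PEM file to check_client_cert with the username that was created in Thales CipherTrust Manager; a result with self_signed set to True means the certificate still needs to be signed by the system's root CA or a third-party CA before CipherTrust Manager will accept it.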
After you complete these prerequisites, you can use either the management GUI or the CLI to migrate key servers.

Using the management GUI

To migrate key servers, complete the following steps.
Note: Do not regenerate new encryption keys on the system until after the migration is completed.
  1. In the management GUI, select Settings > Security > Encryption.
  2. On the Encryption page, verify that all the SafeNet KeySecure key servers are online.
  3. On the Certificate page, under Key Server certificate authority, click Update Certificate, and select the key server certificate. This key server certificate was downloaded to your local system from the KMIP interface in Thales CipherTrust Manager as part of the prerequisites.
  4. Right-click one of the non-primary SafeNet KeySecure key servers and select Remove.
  5. Select Add Key Server and add the key server details for the first CipherTrust Manager key server. Ensure that Make Primary Key Server is selected.
    Note: A certificate does not need to be added if the certificate authority was updated in Step 3.
  6. Repeat steps 4 and 5 until all of the SafeNet KeySecure key servers are replaced by Thales CipherTrust Manager key servers.
    Note: Do not select Make Primary Key Server when you add the remaining servers.
  7. The migration is complete. If necessary, you can rekey encryption keys on the system.

Using the CLI

To migrate to Thales CipherTrust Manager key servers, complete the following steps.
Note: Do not create new encryption keys on the system until after the migration is completed.
  1. Enter the following command to verify that the SafeNet KeySecure key servers are online.
    lskeyserver
  2. Copy the server certificate that is used for the Thales CipherTrust Manager KMIP interface to the /tmp directory on the system.
     scp ciphertrust_manager_CA.crt superuser@spectrum-v-node1.company.com:/tmp
  3. Enter the following command to specify the server certificate on the system.
    chkeyserverciphertrustmanager -sslcert /tmp/ciphertrust_manager_CA.crt
  4. Enter the following command to remove one of the non-primary SafeNet KeySecure key servers.
    rmkeyserver 3
    where 3 is the identifier for the key server.
  5. Enter the following command to add the first Thales CipherTrust Manager key server.
    mkkeyserver -name name -ip ip_address_or_domain_name
    where name is the name of the Thales CipherTrust Manager key server and ip_address_or_domain_name is either the IP address or fully qualified domain name of the key server. If you specify a fully qualified domain name, a DNS server must be configured on your system. To configure a DNS server for the system, select Settings > Network > DNS. You can also use the mkdnsserver command to configure DNS servers.
  6. Enter the following command to make the Thales CipherTrust Manager server the primary key server.
    chkeyserver -primary name
    where name is the name of the Thales CipherTrust Manager key server.
  7. Repeat steps 4 and 5 until all of the SafeNet KeySecure key servers are replaced by Thales CipherTrust Manager key servers. The migration is now complete. You can now rekey the encryption keys on the Thales CipherTrust Manager key servers.