Migrating from Gemalto SafeNet KeySecure to Thales CipherTrust Manager key servers
You can migrate from Gemalto SafeNet KeySecure key servers to Thales CipherTrust Manager key servers non-disruptively with the management GUI or the command-line interface. The command-line interface must be used to view the unique ID of the encryption key.
Prerequisites
- Update system to supported level
- The system must be updated to a level that includes support for Thales CipherTrust Manager key servers.
- Migrate encryption keys from Gemalto SafeNet KeySecure to Thales CipherTrust Manager key servers
- The encryption key that the system uses must be migrated from the SafeNet KeySecure servers to the Thales CipherTrust Manager key servers. Use the svcinfo lsencryption command to view the keyserver_pmk_uid that identifies the encryption key. The Thales CipherTrust Manager documentation covers migrating encryption keys from SafeNet KeySecure servers to Thales CipherTrust Manager servers. You must use these instructions to migrate these encryption keys before you can complete the rest of the migration.
- Configure system certificates on the system
- IBM Storage Virtualize uses certificates to establish a secure connection to encryption key servers. Certificates must be configured before migrating to Thales CipherTrust Manager.
SafeNet KeySecure supports self-signed IBM Storage Virtualize certificates. Thales CipherTrust Manager does not support self-signed certificates, so the IBM Storage Virtualize certificate must be signed by a certificate authority (CA).
The IBM Storage Virtualize certificate can be signed by the system's root CA or by a trusted third-party CA. If the certificate is signed by the system's root CA, the root certificate must be added as an external certificate authority in Thales CipherTrust Manager. If the certificate is signed by a trusted third-party CA, the third-party root certificate must be added as an external certificate authority.
The root certificate must also be installed on the SafeNet KeySecure servers to ensure that the system can communicate with the SafeNet KeySecure servers when the new signed system certificate is installed.
If Thales CipherTrust Manager is configured to require a username in KMIP client certificates, then the username should be included in the IBM Storage Virtualize certificate.
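The two certificate requirements above (the IBM Storage Virtualize certificate must not be self-signed, and its common name must carry the CipherTrust Manager username when that option is enabled) can be checked before the migration starts. The following shell functions are an added example, not IBM or Thales code: they read the subject and issuer that the openssl command-line tool prints for a PEM certificate and apply both checks. The sample subject and issuer values are constructed for the example.

```shell
#!/bin/sh
# Added example, not IBM or Thales code. Checks a PEM client certificate
# against the two prerequisites above: it must not be self-signed, and its
# common name (CN) must equal the CipherTrust Manager username when that
# requirement is enabled. The openssl command-line tool is assumed.

# cert_fields: print the subject and issuer of the PEM file $1, one per
# line, in openssl's "subject=..." / "issuer=..." form.
cert_fields() {
    openssl x509 -noout -subject -issuer -in "$1"
}

# check_client_cert: read subject/issuer lines (cert_fields output) on
# stdin; $1 is the username that must appear as the CN (pass an empty
# string if CipherTrust Manager does not require a username). Returns 0
# when both checks pass, 1 for a self-signed certificate, 2 for a wrong CN.
check_client_cert() {
    required_cn="$1"
    subject=""; issuer=""
    while IFS= read -r line; do
        case "$line" in
            subject=*) subject="${line#subject=}" ;;
            issuer=*)  issuer="${line#issuer=}" ;;
        esac
    done
    # A certificate whose issuer equals its subject was signed with its own
    # key; CipherTrust Manager does not accept such certificates.
    if [ "$subject" = "$issuer" ]; then
        echo "self-signed certificate: issuer equals subject" >&2
        return 1
    fi
    # Extract the CN value; openssl prints "CN = value" (older releases print
    # "CN=value"), terminated by the next comma or the end of the string.
    cn="$(printf '%s\n' "$subject" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p' | sed 's/ *$//')"
    if [ -n "$required_cn" ] && [ "$cn" != "$required_cn" ]; then
        echo "CN is '$cn', CipherTrust Manager expects '$required_cn'" >&2
        return 2
    fi
    return 0
}

# Usage: cert_fields system_cert.pem | check_client_cert kmip-username
```

Run it against the certificate that will be installed on the system before step 1 of either procedure; a non-zero return means the migration will fail at the point where the CipherTrust Manager server is added.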
- Download the key server certificate
- Download the key server certificate that is used with the KMIP interface in Thales CipherTrust Manager to your local workstation. You need to upload this certificate to the system during migration.
- Create a Thales CipherTrust Manager username
- By default, Thales CipherTrust Manager is configured to require a username in the 'common name' field of the client's SSL certificate. On Thales CipherTrust Manager, ensure that the following tasks are completed for this username.
- Create a user with this username.
- Ensure that this user owns the encryption key that was migrated to the Thales CipherTrust Manager key servers.
- Ensure that this user is added to the Key Users group.
Using the management GUI
- In the management GUI, select .
- On the Encryption page, verify that all the SafeNet KeySecure key servers are online.
- On the Certificate page, under Key Server certificate authority, click Update Certificate, and select the key server certificate. This key server certificate was downloaded to your local system from the KMIP interface in Thales CipherTrust Manager as part of the prerequisites.
- Right-click one of the non-primary SafeNet KeySecure key servers and select Remove.
- Select Add Key Server and add the key server details for the first CipherTrust Manager key server. Ensure that Make Primary Key Server is selected. Note: A certificate does not need to be added if the certificate authority was updated in Step 3.
- Repeat steps 4 and 5 until all of the SafeNet KeySecure key servers are replaced by Thales CipherTrust Manager key servers. Note: Do not select Make Primary Key Server for the remaining server.
- The migration is complete. If necessary, you can rekey encryption keys on the system.
Using the CLI
- Enter the following command to verify that the SafeNet KeySecure key servers are online.
lskeyserver
- Copy the server certificate that is used for the Thales CipherTrust Manager KMIP interface to the /tmp directory on the system.
scp ciphertrust_manager_CA.crt superuser@spectrum-v-node1.company.com:/tmp
- Enter the following command to specify the server certificate on the system.
chkeyserverciphertrustmanager -sslcert /tmp/ciphertrust_manager_CA.crt
- Enter the following command to remove one of the non-primary SafeNet KeySecure key servers.
rmkeyserver 3
where 3 is the identifier for the key server.
- Enter the following command to add the first Thales CipherTrust Manager key server.
mkkeyserver -name name -ip ip_address_or_domain_name
where name is the name of the Thales CipherTrust Manager key server and ip_address_or_domain_name is either the IP address or fully qualified domain name of the key server. If you specify a fully qualified domain name, a DNS server must be configured on your system. To configure a DNS server for the system, select . You can also use the mkdnsserver command to configure DNS servers.
- Enter the following command to make the Thales CipherTrust Manager server the primary key server.
chkeyserver -primary name
where name is the name of the Thales CipherTrust Manager key server.
- Repeat steps 4 and 5 until all of the SafeNet KeySecure key servers are replaced by Thales CipherTrust Manager key servers. The migration is now complete. You can now rekey the encryption keys on the Thales CipherTrust Manager key servers.
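The CLI procedure above, automated as an added example that is not IBM or Thales code. It runs the commands over SSH from an administrator's workstation, makes the step 1 check explicit (the migration refuses to start while any key server is not online) and removes the old servers in the order the procedure implies: non-primary servers first, the old primary last, with the first new server made primary. Assumptions constructed for this example: the system host name and superuser login are taken from the scp step above, and the lskeyserver listing has header columns named id, name, status and primary; the sample listing and the new server names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not IBM or Thales code: drives the CLI migration procedure
# over SSH. Assumed (constructed for this example): the system host name and
# superuser login from the page's scp step, and an lskeyserver listing whose
# header names the columns id, name, status and primary.

SYSTEM="${SYSTEM:-spectrum-v-node1.company.com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 prints the commands instead of running them

# Constructed sample of lskeyserver output: three SafeNet KeySecure servers,
# id 0 is the current primary. Real output may carry more columns; the
# functions below locate columns by header name.
SAMPLE_LSKEYSERVER='id name status primary port
0 keysecure1 online yes 5696
1 keysecure2 online no 5696
2 keysecure3 online no 5696'

# run_cli: run one Storage Virtualize CLI command on the system (or echo it).
run_cli() {
    if [ "$DRY_RUN" = 1 ]; then printf 'ssh superuser@%s %s\n' "$SYSTEM" "$*"
    else ssh "superuser@$SYSTEM" "$@"; fi
}

# stage_cert: copy the CipherTrust Manager KMIP CA certificate to /tmp (step 2).
stage_cert() {
    if [ "$DRY_RUN" = 1 ]; then printf 'scp %s superuser@%s:/tmp\n' "$1" "$SYSTEM"
    else scp "$1" "superuser@$SYSTEM:/tmp"; fi
}

# all_online: succeed only if every server row of the listing on stdin has
# status "online" (step 1); otherwise the migration must not start.
all_online() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "status") c = i; next }
         $c != "online" { bad = 1 }
         END { exit bad }'
}

# ids_by_primary: print the ids of servers whose primary column equals $1
# ("yes" or "no"), reading the listing on stdin.
ids_by_primary() {
    awk -v want="$1" 'NR == 1 { for (i = 1; i <= NF; i++) { if ($i == "id") ic = i; if ($i == "primary") pc = i }; next }
                      $pc == want { print $ic }'
}

# migrate LISTING CA_CERT name=address...: replace each SafeNet KeySecure
# server with one CipherTrust Manager server. Non-primary servers go first
# and the old primary last, so a reachable primary exists throughout; the
# first new server is made primary (step 6). Pass one name=address pair per
# old server so that every KeySecure server is replaced.
migrate() {
    listing="$1"; cacert="$2"; shift 2
    printf '%s\n' "$listing" | all_online || { echo "not all key servers are online" >&2; return 1; }
    stage_cert "$cacert"                                                          # step 2
    run_cli chkeyserverciphertrustmanager -sslcert "/tmp/$(basename "$cacert")"   # step 3
    old_ids="$({ printf '%s\n' "$listing" | ids_by_primary no
                 printf '%s\n' "$listing" | ids_by_primary yes; } | tr '\n' ' ')"
    first=1
    for pair in "$@"; do
        old="${old_ids%% *}"; old_ids="${old_ids#"$old"}"; old_ids="${old_ids# }"
        if [ -n "$old" ]; then run_cli rmkeyserver "$old"; fi                    # step 4
        run_cli mkkeyserver -name "${pair%%=*}" -ip "${pair#*=}"                  # step 5
        if [ "$first" = 1 ]; then run_cli chkeyserver -primary "${pair%%=*}"; first=0; fi  # step 6
    done
}

# Stand-alone use (dry run unless DRY_RUN=0):
#   migrate "$(ssh superuser@$SYSTEM lskeyserver)" ./ciphertrust_manager_CA.crt \
#       ctm1=10.0.0.11 ctm2=10.0.0.12 ctm3=10.0.0.13
```

Leave DRY_RUN at its default first and read the printed command sequence; only the removal order and the single chkeyserver -primary call differ from typing the steps by hand, and both are visible in that output before anything is changed on the system.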