Using panel.exe for key storage re-encipher when changing the master key

Because all the key tokens are protected by the master key for the domain, a preexisting key storage must be re-enciphered when the master key is changed.

If the example group scheme is used, this is simple because the key storage files are owned by the group cca_admin and the user making the re-encipher call is also in group cca_admin. If this is not the case, then after changing the master key the owner of the key storage must log in and perform the re-enciphering. This can be done with the help of a program (using several verbs) or with /opt/IBM/CCA/panel.exe. Of course, as noted, the user of panel.exe must also be a member of cca_admin because of the ownership of /usr/lib64/libcsulccamk.so.

Perform these steps for key storage re-encipher when changing the master key.

  1. To re-encipher default key storage with panel.exe, use:

     panel.exe default syntax:

       /opt/IBM/CCA/bin/panel.exe --ks-type=AES --ks-reenc
       /opt/IBM/CCA/bin/panel.exe --ks-type=DES --ks-reenc
       /opt/IBM/CCA/bin/panel.exe --ks-type=PKA --ks-reenc

     panel.exe legacy syntax:

       /opt/IBM/CCA/bin/panel.exe -t AES -r
       /opt/IBM/CCA/bin/panel.exe -t DES -r
       /opt/IBM/CCA/bin/panel.exe -t PKA -r

     Note: Re-encipher of combined key storage (CMB) is not supported with the legacy interface.
  2. To re-encipher non-default key storage with panel.exe:
     • Export new values of the environment variables that specify your key storage file locations.
     • Run the commands shown above exactly as for the default key storage, but be sure to run them in the session that has the new environment variables set.
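The two steps above, as an added example that is not part of the IBM documentation: a POSIX shell script that re-enciphers non-default key storage after checking the ownership and cca_admin conditions the text describes, using the default panel.exe syntax. The environment variable names CSUAESKS, CSUDESKS and CSUPKAKS are assumed (confirm them against your CCA installation), and panel.exe is assumed to be at /opt/IBM/CCA/bin/panel.exe.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): re-encipher a set of
# non-default key storage files after a master key change, checking the
# ownership and cca_admin prerequisites before calling panel.exe.
# Assumed: the file locations come from the environment variables
# CSUAESKS, CSUDESKS and CSUPKAKS (confirm the names against your CCA
# installation) and panel.exe is found at $PANEL.

PANEL="${PANEL:-/opt/IBM/CCA/bin/panel.exe}"
CCA_GROUP="${CCA_GROUP:-cca_admin}"   # group owning libcsulccamk.so

# Succeed only if the caller may re-encipher FILE: the caller must own
# the key storage file and be a member of $CCA_GROUP.
can_reencipher() {
    ks_file=$1
    [ -f "$ks_file" ] || { echo "missing key storage: $ks_file" >&2; return 1; }
    ks_owner=$(stat -c %U "$ks_file" 2>/dev/null || stat -f %Su "$ks_file")
    [ "$ks_owner" = "$(id -un)" ] ||
        { echo "$ks_file is owned by $ks_owner, not $(id -un)" >&2; return 1; }
    id -G -n | tr ' ' '\n' | grep -qx "$CCA_GROUP" ||
        { echo "$(id -un) is not in group $CCA_GROUP" >&2; return 1; }
}

# Command line for one key storage type (AES, DES or PKA), using the
# default panel.exe syntax; combined (CMB) storage is not attempted here.
reenc_cmd() {
    printf '%s --ks-type=%s --ks-reenc\n' "$PANEL" "$1"
}

# Re-encipher every key storage that is configured in this session.
# DRY_RUN=1 prints the commands instead of running them.
reencipher_all() {
    for pair in "AES:$CSUAESKS" "DES:$CSUDESKS" "PKA:$CSUPKAKS"; do
        ks_type=${pair%%:*}
        ks_file=${pair#*:}
        [ -n "$ks_file" ] || continue      # this type is not in use here
        can_reencipher "$ks_file" || return 1
        if [ "${DRY_RUN:-0}" = 1 ]; then
            reenc_cmd "$ks_type"
        else
            "$PANEL" --ks-type="$ks_type" --ks-reenc || return 1
        fi
    done
}
```

Run it as the owner of the key storage files, in the same session where the new environment variables were exported; DRY_RUN=1 shows what would be executed without touching the files.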