Migrate DKE source keys from local to external CipherTrust Manager
Caution
External CipherTrust Manager as key source for DKE is a technical preview for evaluation in non-production environments. A technical preview introduces new, limited functionality for customer feedback as we work on the feature. Details and functionality are subject to change. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.
This section describes steps to export DKE keys from the local CipherTrust Manager to the external CipherTrust Manager.
The minimum supported version is CipherTrust Manager 2.20.0.
Prerequisites
- Only a user with the admin role can perform the migration. The clients of the external CipherTrust Manager domain must have the following permissions on the external CipherTrust Manager domain: All Clients, Domain Backup Admins, Domain Restore Admins, and Key Admins.
- The migration process migrates the DKE endpoints associated with the current domain where the migration is executed.
- The external CipherTrust Manager connection must be created and the domain must be added to CCKM before the migration starts.
- It is recommended to use a fresh external CipherTrust Manager domain for the migration.
- Key names must be unique within the external CipherTrust Manager domain. Migration will fail if duplicate key names exist.
Migrate DKE source keys from local to external CipherTrust Manager
Note
The user who performs the migration becomes the owner of the migrated keys.
The steps below apply to the root domain only. To perform migration on a child domain, refer to Migration to Child Domain.
Generate RSA Key Pair
DKE key migration requires an RSA key pair generated on the local CipherTrust Manager. This key pair is required for secure data transfer during the migration. The public key encrypts the data, and the private key decrypts it on the external CipherTrust Manager.
To generate an RSA key pair, run the ksctl keys create command:
./ksctl-linux-amd64 keys create --name <rsa-key-name> --alg <key-algorithm> --size <key-size>
Here,
- --name: Name for the RSA key pair.
- --alg: Algorithm for the key pair. Use RSA.
- --size: Size of the key pair, in bits.
Example:
./ksctl-linux-amd64 keys create --name rsa-key --alg RSA --size 4096
Output:
{
"id": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"uri": "kylo:kylo:vault:keys:rsa-key-v0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.519466Z",
"name": "rsa-key",
"updatedAt": "2021-05-07T03:55:47.519466Z",
"usage": "sign",
"usageMask": 3,
"meta": {
"ownerId": "local|5e3b45c6-6f26-4413-9752-e6fd15418a61"
},
"version": 0,
"algorithm": "RSA",
"size": 4096,
"unexportable": false,
"undeletable": false,
"neverExported": true,
"neverExportable": false,
"emptyMaterial": false,
"publickey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwfd4fDEgdJydUPOkPpAL\nriQW+IpwM9oSte//pv45UXpw0wkag1FbSmEUQQMf02KdRW5so+4jrkX44gQhmDTA\namrpijweJa0HzkaqnTkMtCUtFP9nbx33JiWRSYSKqXsEJho+P9SqXz45uxf7iis5\n4NF0SpZSIYi3COH4xtJ7hK+6BXbLXBZHVpfQ6LN8p/+WDwcIIkSyWGQxj4V0xTwV\nfNBNoQrXvanrEX+nide28vuX1bJ1UzglhUwcFT12VZL8KIrkviCKMwkBNIuuiXgh\nbtYGBy84ZbPjREgaodbaU45vj38/dpusL75Q2hkUdv5mYvTqN+OPVbJrTTQFzGfw\nM3Pt86iBFfu3XH/ZMH4dbV3HHXJP7+mHI3cOhUlvojwx9hnKygn3fY4Darx/N0yr\niCp6Sz7FI3sExAAIeF+AJ7zqyXK6a/NGve5gAqt1w3fnOYIFeD8f6oXOYBFFniu3\n3uX//4WcNdgyTXKXhDsZAtaLqmHv9jIwGZ0pTlj8xefZPbkoDNON3uC92b0tzI7F\n7+IqOiEf5bg4huU/EJh8emYgU8mPZGpwPtPVUFiKmOY7EbvHS1C6RIqRE1hnCZAa\nZSMup6LLzZGvk6SM0339c5gDJuS+kGkYK/fOwuWJ7qO5m+T/27J1IoNna6JuZ9el\nZDMxs7Rqj4cdezaa3CTV4l8CAwEAAQ==\n-----END PUBLIC KEY-----\n",
"defaultIV": "78f83dddc0ee01a2ab3ff579c908a33a",
"sha1Fingerprint": "878bcd84e81c4170",
"sha256Fingerprint": "c9c2d321b21d34a3e82460df8839e55f3ebca977766658d830d5100fb29bed75",
"objectType": "Private Key",
"activationDate": "2021-05-07T03:55:43.229267Z",
"state": "Active",
"aliases": [
{
"alias": "rsa-key",
"type": "string",
"index": 0
}
],
"links": [
{
"id": "6dc578f7-1864-43a7-899a-5035d54f1772",
"uri": "kylo:kylo:vault:links:6dc578f7-1864-43a7-899a-5035d54f1772",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.531762Z",
"updatedAt": "2021-05-07T03:55:47.531762Z",
"type": "publicKey",
"source": "kylo:kylo:vault:keys:rsa-key-v0",
"sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"target": "kylo:kylo:vault:keys:rsa-key-pub-v0",
"targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395",
"index": 0
}
],
"uuid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3",
"muid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3e129ed33-317d-4584-9cbf-d0e882f58fca"
}
In the sample output above, "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1" is the private key ID. The "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395" under "links" is the public key ID.
Create Migration Data
Create the migration data for the DKE key type. Specify --key-type as dke and --key-source as cm.
Run the command:
./ksctl-linux-amd64 migrations create --key-type dke --key-source cm --public-key-id <public-key-id>
Here,
- --key-type: Specify dke as the key type.
- --key-source: Specify cm as the key source.
- --public-key-id: ID of the public key of the RSA key pair (the "targetID" under "links" in the keys create output). Refer to Generate RSA Key Pair.
Example:
./ksctl-linux-amd64 migrations create --key-type dke --key-source cm --public-key-id c9b6922153e74c1f9be4bf9344ebf8eed827aa281be947a2b249b57f9f0c5d1c
Output:
{
"status": "In progress"
}
Get the uploadID
After you have initiated the creation of migration data for the DKE key source, get the uploadID by running the ksctl migrations status command.
Example:
./ksctl-linux-amd64 migrations status
Output:
{
"id": "",
"overall_status": "",
"source": "CCKM",
"users_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"groups_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"groups_members_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"keys_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"keys_links_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"ldap_server_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"ldap_user_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"ldap_group_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"local_ca_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"certificate_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"external_ca_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pdb_connections_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pdb_err_rep_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_client_profile_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_shared_access_policy_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_file_server_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_local_rule_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_network_share_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_network_rule_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_rule_local_apg_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_cluster_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_cluster_rule_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cte_client_domain_sharing_status": null,
"cte_client_group_domain_sharing_status": null,
"cckm_microsoft_dke_keys": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_azure_keys": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_aws_keys": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_dsm_keys": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_sf_keys": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_gcp_keys": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_generate_migration": {
"status": "Completed",
"uploadID": "b9444dbc-b069-44c0-b20b-394b076f2d10"
}
}
Note down the "uploadID" value, "b9444dbc-b069-44c0-b20b-394b076f2d10". It is required when applying the migration data.
Apply Migration Data
Note
- In a clustered CipherTrust Manager environment, apply the migration data on one node only. Migrated data is automatically replicated to the other nodes of the cluster.
- After migration, all source keys of the DKE endpoints in the current CipherTrust Manager domain are migrated to the external CipherTrust Manager domain provided by the user.
To apply the migration data, run the command:
./ksctl-linux-amd64 migrations apply --id <uploadID> --private-key-id <private-key-id> --externalcm-connection <externalcm-connection> --externalcm-domain-id <externalcm-domain-id> --migrateDKESourceKeys
Here,
- --id: uploadID returned in Get the uploadID.
- --private-key-id: ID of the private key of the RSA key pair. Refer to Generate RSA Key Pair for the private key ID.
- --externalcm-connection: Name of the external CipherTrust Manager connection created in CCKM.
- --externalcm-domain-id: ID of the external CipherTrust Manager domain added to CCKM.
- --migrateDKESourceKeys: Executes the CCKM DKE keys migration. This is an optional parameter and is used only when migrating the CCKM DKE keys.
Example:
./ksctl-linux-amd64 migrations apply --id f915a761-9fa8-449d-a969-122601ef244e --private-key-id b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1 --externalcm-connection extcmconnection12 --externalcm-domain-id f915a761-9fa8-449d-a111-122601ef244e --migrateDKESourceKeys
Output:
{
"id": "f915a761-9fa8-449d-a969-122601ef244e",
"file_size": 70697,
"created_at": "2022-11-28T04:24:28.004216933Z",
"status": "In progress",
"checksum_sha256": "8b5839e47dfbb68b9dadb1f31e416321a5033db2b7956ddc03e07748e58258a8",
"product": "CCKM"
}
Check Migration Status
After you have applied the migration data, verify the migration status by running the ksctl migrations status command.
Example:
./ksctl-linux-amd64 migrations status
Output:
{
"id": "de8581ea-ba0a-4b2d-bc7b-2f782e2058c5",
"overall_status": "Completed",
"source": "CCKM",
"users_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"groups_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"groups_members_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"keys_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"keys_links_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"ldap_server_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"ldap_user_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"ldap_group_status": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"local_ca_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"certificate_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"external_ca_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pdb_connections_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pdb_err_rep_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_client_profile_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_shared_access_policy_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_file_server_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_local_rule_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_network_share_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_network_rule_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_rule_local_apg_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_cluster_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"pf_cluster_rule_status": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cte_client_domain_sharing_status": null,
"cte_client_group_domain_sharing_status": null,
"cckm_microsoft_dke_keys": {
"status": "Completed",
"num_processed": 1,
"num_failed": 0,
"num_ignored": 0
},
"cckm_azure_keys": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_aws_keys": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_dsm_keys": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_sf_keys": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_gcp_keys": {
"status": "Not started",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0
},
"cckm_generate_migration": {}
}
In the sample output above, "overall_status": "Completed" together with "cckm_microsoft_dke_keys" showing "status": "Completed" and "num_failed": 0 indicates that the migration of DKE keys from the local CipherTrust Manager to the external CipherTrust Manager was successful.
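As an added example that is not part of the Thales documentation: a Python helper that runs the five steps above through ksctl and gates each step on the previous step's JSON (the publicKey link's "targetID", "cckm_generate_migration"."uploadID", and "cckm_microsoft_dke_keys"). It assumes ./ksctl-linux-amd64 is on the path shown in the examples and already logged in; the SAMPLE_* constants are constructed, trimmed stand-ins for the outputs shown on this page, not real output.

```python
import json
import subprocess
import time
KSCTL = "./ksctl-linux-amd64"  # binary path used in the page's examples

# Constructed samples, trimmed to the fields the helpers read (not the page's full output)
SAMPLE_CREATE = {"id": "priv-id-example", "algorithm": "RSA", "size": 4096,
                 "links": [{"type": "publicKey", "targetID": "pub-id-example"}]}
SAMPLE_STATUS = {"overall_status": "Completed",
                 "cckm_microsoft_dke_keys": {"status": "Completed", "num_processed": 1, "num_failed": 0},
                 "cckm_generate_migration": {"status": "Completed", "uploadID": "upload-id-example"}}

def run_ksctl(*args):
    """Run one ksctl command and parse its JSON output (raises on non-zero exit)."""
    proc = subprocess.run([KSCTL, *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def key_ids(create_output):
    """(private id, public id): the key's own id is the private key, the publicKey link's targetID the public key."""
    if create_output.get("algorithm") != "RSA":
        raise ValueError("migration transport key pair must be RSA")
    pub = [l["targetID"] for l in create_output.get("links", []) if l.get("type") == "publicKey"]
    if len(pub) != 1:
        raise ValueError("expected exactly one publicKey link")
    return create_output["id"], pub[0]

def upload_id(status_output):
    """uploadID once 'migrations create' has finished generating the data, else None."""
    gen = status_output.get("cckm_generate_migration") or {}
    return gen.get("uploadID") if gen.get("status") == "Completed" else None

def dke_migration_ok(status_output):
    """True only when the apply completed and no DKE source key failed to migrate."""
    dke = status_output.get("cckm_microsoft_dke_keys") or {}
    return (status_output.get("overall_status") == "Completed"
            and dke.get("status") == "Completed" and dke.get("num_failed", 1) == 0)

def migrate_dke_keys(rsa_name, connection, domain_id, poll_seconds=10):
    """Run the page's steps in order, polling 'migrations status' between them."""
    priv, pub = key_ids(run_ksctl("keys", "create", "--name", rsa_name, "--alg", "RSA", "--size", "4096"))
    run_ksctl("migrations", "create", "--key-type", "dke", "--key-source", "cm", "--public-key-id", pub)
    while (uid := upload_id(run_ksctl("migrations", "status"))) is None:
        time.sleep(poll_seconds)
    run_ksctl("migrations", "apply", "--id", uid, "--private-key-id", priv,
              "--externalcm-connection", connection, "--externalcm-domain-id", domain_id,
              "--migrateDKESourceKeys")
    while (status := run_ksctl("migrations", "status")).get("overall_status") != "Completed":
        time.sleep(poll_seconds)
    return dke_migration_ok(status)
```

Call migrate_dke_keys("rsa-key", "extcmconnection12", "<externalcm-domain-id>") from a shell where ksctl is already authenticated; it returns False rather than raising when the apply completes but a DKE key was not migrated.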