Class KRATool

java.lang.Object
com.netscape.cmstools.KRATool

public class KRATool extends Object
The KRATool class is a utility program designed to operate on an LDIF file to perform one or more of the following tasks:
     (A) Use a new storage key (e. g. - a 2048-bit key to replace a
         1024-bit key) to rewrap the existing triple DES symmetric key
         that was used to wrap a user's private key.

         STARTING INVENTORY:

             (1) a KRATOOL configuration file containing KRA LDIF record
                 types and the processing status of their associated fields

             (2) an LDIF file containing 'exported' KRA data
                 (referred to as the "source" KRA)

                 NOTE:  If this LDIF file contains data that was originally
                        from a KRA instance that was prior to RHCS 8, it
                        must have previously undergone the appropriate
                        migration steps.

             (3) the NSS security databases associated with the data
                 contained in the source LDIF file

                 NOTE:  If the storage key was located on an HSM, then the
                        HSM must be available to the machine on which the
                        KRATool is being executed (since the RSA private
                        storage key is required for unwrapping the
                        symmetric triple DES key).  Additionally, a
                        password may be required to unlock access to
                        this key (e. g. - which may be located in
                        the source KRA's 'password.conf' file).

             (4) a file containing the ASCII BASE-64 storage certificate
                 from the KRA instance for which the output LDIF file is
                 intended (referred to as the "target")

         ENDING INVENTORY:

             (1) all items listed in the STARTING INVENTORY (unchanged)

             (2) a log file containing information suitable for audit
                 purposes

             (3) an LDIF file containing the revised data suitable for
                 'import' into a new KRA (referred to as the "target" KRA)

         KRATool PARAMETERS:

             (1) the name of the KRATOOL configuration file containing
                 KRA LDIF record types and the processing status of their
                 associated fields

             (2) the name of the input LDIF file containing data which was
                 'exported' from the source KRA instance

             (3) the name of the output LDIF file intended to contain the
                 revised data suitable for 'import' to a target KRA instance

             (4) the name of the log file that may be used for auditing
                 purposes

             (5) the path to the security databases that were used by
                 the source KRA instance

             (6) the name of the token that was used by
                 the source KRA instance

             (7) the name of the storage certificate that was used by
                 the source KRA instance

             (8) the name of the file containing the ASCII BASE-64 storage
                 certificate from the target KRA instance for which the
                 output LDIF file is intended

             (9) OPTIONALLY, the name of a file which ONLY contains the
                 password needed to access the source KRA instance's
                 security databases

            (10) OPTIONALLY, choose to change the specified source KRA naming
                 context to the specified target KRA naming context

            (11) OPTIONALLY, choose to ONLY process CA enrollment requests,
                 CA recovery requests, CA key records, TPS netkeyKeygen
                 enrollment requests, TPS recovery requests, and
                 TPS key records

         DATA FIELDS AFFECTED (using default config file values):

             (1) CA KRA enrollment request

                 (a) dateOfModify
                 (b) extdata-requestnotes

             (2) CA KRA key record

                 (a) dateOfModify
                 (b) privateKeyData

             (3) CA KRA recovery request

                 (a) dateOfModify
                 (b) extdata-requestnotes (NEW)

             (4) TPS KRA netkeyKeygen (enrollment) request

                 (a) dateOfModify
                 (b) extdata-requestnotes (NEW)

             (5) TPS KRA key record

                 (a) dateOfModify
                 (b) privateKeyData

             (6) TPS KRA recovery request

                 (a) dateOfModify
                 (b) extdata-requestnotes (NEW)

     (B) Specify an ID offset to append to existing numeric data
         (e. g. - to renumber data for use in KRA consolidation efforts).

         STARTING INVENTORY:

             (1) a KRATOOL configuration file containing KRA LDIF record
                 types and the processing status of their associated fields

             (2) an LDIF file containing 'exported' KRA data
                 (referred to as the "source" KRA)

                 NOTE:  If this LDIF file contains data that was originally
                        from a KRA instance that was prior to RHCS 8, it
                        must have previously undergone the appropriate
                        migration steps.

         ENDING INVENTORY:

             (1) all items listed in the STARTING INVENTORY (unchanged)

             (2) a log file containing information suitable for audit
                 purposes

             (3) an LDIF file containing the revised data suitable for
                 'import' into a new KRA (referred to as the "target" KRA)

         KRATool PARAMETERS:

             (1) the name of the KRATOOL configuration file containing
                 KRA LDIF record types and the processing status of their
                 associated fields

             (2) the name of the input LDIF file containing data which was
                 'exported' from the source KRA instance

             (3) the name of the output LDIF file intended to contain the
                 revised data suitable for 'import' to a target KRA instance

             (4) the name of the log file that may be used for auditing
                 purposes

             (5) a large numeric ID offset (mask) to be appended to existing
                 numeric data in the source KRA instance's LDIF file

             (6) OPTIONALLY, choose to change the specified source KRA naming
                 context to the specified target KRA naming context

             (7) OPTIONALLY, choose to ONLY process CA enrollment requests,
                 CA recovery requests, CA key records, TPS netkeyKeygen
                 enrollment requests, TPS recovery requests, and
                 TPS key records

         DATA FIELDS AFFECTED (using default config file values):

             (1) CA KRA enrollment request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-keyrecord
                 (d) extdata-requestnotes
                 (e) requestId

             (2) CA KRA key record

                 (a) cn
                 (b) dateOfModify
                 (c) serialno

             (3) CA KRA recovery request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-requestid
                 (d) extdata-requestnotes (NEW)
                 (e) extdata-serialnumber
                 (f) requestId

             (4) TPS KRA netkeyKeygen (enrollment) request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-keyrecord
                 (d) extdata-requestid
                 (e) extdata-requestnotes (NEW)
                 (f) requestId

             (5) TPS KRA key record

                 (a) cn
                 (b) dateOfModify
                 (c) serialno

             (6) TPS KRA recovery request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-requestid
                 (d) extdata-requestnotes (NEW)
                 (e) extdata-serialnumber
                 (f) requestId

     (C) Specify an ID offset to be removed from existing numeric data
         (e. g. - to undo renumbering used in KRA consolidation efforts).

         STARTING INVENTORY:

             (1) a KRATOOL configuration file containing KRA LDIF record
                 types and the processing status of their associated fields

             (2) an LDIF file containing 'exported' KRA data
                 (referred to as the "source" KRA)

                 NOTE:  If this LDIF file contains data that was originally
                        from a KRA instance that was prior to RHCS 8, it
                        must have previously undergone the appropriate
                        migration steps.

         ENDING INVENTORY:

             (1) all items listed in the STARTING INVENTORY (unchanged)

             (2) a log file containing information suitable for audit
                 purposes

             (3) an LDIF file containing the revised data suitable for
                 'import' into a new KRA (referred to as the "target" KRA)

         KRATool PARAMETERS:

             (1) the name of the KRATOOL configuration file containing
                 KRA LDIF record types and the processing status of their
                 associated fields

             (2) the name of the input LDIF file containing data which was
                 'exported' from the source KRA instance

             (3) the name of the output LDIF file intended to contain the
                 revised data suitable for 'import' to a target KRA instance

             (4) the name of the log file that may be used for auditing
                 purposes

             (5) a large numeric ID offset (mask) to be removed from existing
                 numeric data in the source KRA instance's LDIF file

             (6) OPTIONALLY, choose to change the specified source KRA naming
                 context to the specified target KRA naming context

             (7) OPTIONALLY, choose to ONLY process CA enrollment requests,
                 CA recovery requests, CA key records, TPS netkeyKeygen
                 enrollment requests, TPS recovery requests, and
                 TPS key records

         DATA FIELDS AFFECTED (using default config file values):

             (1) CA KRA enrollment request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-keyrecord
                 (d) extdata-requestnotes
                 (e) requestId

             (2) CA KRA key record

                 (a) cn
                 (b) dateOfModify
                 (c) serialno

             (3) CA KRA recovery request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-requestid
                 (d) extdata-requestnotes (NEW)
                 (e) extdata-serialnumber
                 (f) requestId

             (4) TPS KRA netkeyKeygen (enrollment) request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-keyrecord
                 (d) extdata-requestid
                 (e) extdata-requestnotes (NEW)
                 (f) requestId

             (5) TPS KRA key record

                 (a) cn
                 (b) dateOfModify
                 (c) serialno

             (6) TPS KRA recovery request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-requestid
                 (d) extdata-requestnotes (NEW)
                 (e) extdata-serialnumber
                 (f) requestId

 

KRATool may be invoked as follows:


    KRATool
    -kratool_config_file <path + kratool config file>
    -source_ldif_file <path + source ldif file>
    -target_ldif_file <path + target ldif file>
    -log_file <path + log file>
    [-source_pki_security_database_path <path to PKI source database>]
    [-source_storage_token_name '<source token>']
    [-source_storage_certificate_nickname '<source nickname>']
    [-target_storage_certificate_file <path to target certificate file>]
    [-source_pki_security_database_pwdfile <path to PKI password file>]
    [-append_id_offset <numeric offset>]
    [-remove_id_offset <numeric offset>]
    [-source_kra_naming_context '<original source KRA naming context>']
    [-target_kra_naming_context '<renamed target KRA naming context>']
    [-process_requests_and_key_records_only]

    where the following options are 'Mandatory':

    -kratool_config_file <path + kratool config file>
    -source_ldif_file <path + source ldif file>
    -target_ldif_file <path + target ldif file>
    -log_file <path + log file>

    AND at least ONE of the following are a 'Mandatory' set of options:

        (a) options for using a new storage key for rewrapping:

            [-source_pki_security_database_path
             <path to PKI source database>]
            [-source_storage_token_name '<source token>']
            [-source_storage_certificate_nickname '<source nickname>']
            [-target_storage_certificate_file
             <path to target certificate file>]

            AND OPTIONALLY, specify the name of a file which ONLY contains
            the password needed to access the source KRA instance's
            security databases:

            [-source_pki_security_database_pwdfile
             <path to PKI password file>]

            AND OPTIONALLY, rename source KRA naming context --> target
            KRA naming context:

            [-source_kra_naming_context '<source KRA naming context>']
            [-target_kra_naming_context '<target KRA naming context>']

            AND OPTIONALLY, process requests and key records ONLY:

            [-process_requests_and_key_records_only]

        (b) option for appending the specified numeric ID offset
            to existing numerical data:

            [-append_id_offset <numeric offset>]

            AND OPTIONALLY, rename source KRA naming context --> target
            KRA naming context:

            [-source_kra_naming_context '<source KRA naming context>']
            [-target_kra_naming_context '<target KRA naming context>']

            AND OPTIONALLY, process requests and key records ONLY:

            [-process_requests_and_key_records_only]

        (c) option for removing the specified numeric ID offset
            from existing numerical data:

            AND OPTIONALLY, rename source KRA naming context --> target
            KRA naming context:

            [-source_kra_naming_context '<source KRA naming context>']
            [-target_kra_naming_context '<target KRA naming context>']

            [-remove_id_offset <numeric offset>]

            AND OPTIONALLY, process requests and key records ONLY:

            [-process_requests_and_key_records_only]

        (d) (a) rewrap AND (b) append ID offset
            [AND OPTIONALLY, rename source KRA naming context --> target
            KRA naming context]
            [AND OPTIONALLY process requests and key records ONLY]

        (e) (a) rewrap AND (c) remove ID offset
            [AND OPTIONALLY, rename source KRA naming context --> target
            KRA naming context]
            [AND OPTIONALLY process requests and key records ONLY]

        NOTE:  Options (b) and (c) are mutually exclusive!

 
Version:
$Revision$, $Date$
Author:
mharmsen
  • Constructor Details

    • KRATool

      public KRATool()
  • Method Details

    • main

      public static void main(String[] args)
      The main KRATool method.

      Parameters:
      args - KRATool options