TSM with EKM (encryption done by library)

Slusarski
Welcome
I have a problem with the two TSM servers (two separate locations) with encryption through EKM (implemented by the library.)
Each of these sites performs backup and restore with retention of 5 years. TSM with EKM works OK in each location separately.
The problem starts because now I have to provide the ability to trace data from the location of TSM#1 with EKM#1 to TSM#2 with EKM#2. Disaster recovery from TSM#1 to TSM#2.
According to the IBM procedure, I have to move the symmetric key for the EKM keystore from EKM#1 to EKM#2.
I do this as follows:

On the (TSM#1) EKM #1:
Export a cert / public key from the destination keystore.
This does not copy the private key used to perform the decryption. Also, exporting does not remove keys from the keystore.
If the alias "mykeywrapper" does not exist, create it using:

1-1) keytool -genkey -alias mykeywrapper -keystore mytargetkeystore.jck -storepass "password" -storetype jceks

1-2) Export the cert / public key

keytool -export -alias mykeywrapper -file symkeycert.crt -keystore EKMKeys.jck -storepass "password" -storetype jceks

I copied the file symkeycert.crt to EKM#2.

2-1) Import the cert / public key into the symmetric key source keystore.

keytool -import -alias mykeywrapper -file symkeycert.crt -keystore mysourcekeystore.jck -storepass "password" -storetype jceks

2-2) Using keytool with exportseckey, export the symmetric key(s).

keytool -exportseckey -keyalias mykeywrapper -alias key000000000000000001 -keystore mysourcekeystore.jck -storepass "password" -keypass "password" -storetype jceks -exportfile myexportedkeys.file

I get a message:

0 secret keys have been Imported
Keytool error: java.lang.Exception: secret key not Imported, alias key0000000000
00000000 already exists

Of course, it is because in step 1-1) I had to create it.
Do you have any idea?
There are two default installations of EKM, so they all have keys starting from key000000000000.
I cannot delete keys because in every location there is data written with 5 years retention.

Please help!!!!
Marek
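
A pre-flight check for the transfer described in the post above, as an added example that is not part of the original post or of IBM's procedure: it parses `keytool -list` output from both keystores and reports whether the wrapper alias is in place on each side and which secret-key aliases already exist in the destination. The listing layout follows OpenJDK keytool and is an assumption (IBM's keytool may print differently); the function names and sample listings are constructed for illustration.

```python
import re

# Entry line of `keytool -list` output (OpenJDK layout, an assumption here):
#   alias, Mon D, YYYY, EntryType,
ENTRY = re.compile(r"^(?P<alias>[^,]+), \w{3} \d{1,2}, \d{4}, (?P<type>\w+),\s*$")

def parse_listing(text):
    """Return {alias: entry_type} parsed from `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m["alias"].lower()] = m["type"]  # aliases compare case-insensitively
    return entries

def preflight(source_listing, dest_listing, wrapper="mykeywrapper"):
    """Check the wrapped-key transfer preconditions and alias overlap."""
    src, dst = parse_listing(source_listing), parse_listing(dest_listing)
    secret = sorted(a for a, t in src.items() if t == "SecretKeyEntry")
    return {
        # Destination must hold the wrapper's private key to unwrap on import.
        "dest_has_wrapper_private_key": dst.get(wrapper.lower()) == "PrivateKeyEntry",
        # Source only needs the wrapper's certificate (public key) to wrap on export.
        "source_has_wrapper_cert": src.get(wrapper.lower()) == "trustedCertEntry",
        # Aliases present in both keystores: importing these reports "already exists".
        "colliding": [a for a in secret if a in dst],
        "importable": [a for a in secret if a not in dst],
    }

# Constructed sample listings, not output from a real EKM keystore.
SOURCE = """Keystore type: JCEKS

key000000000000000000, Mar 3, 2010, SecretKeyEntry,
key000000000000000001, Mar 3, 2010, SecretKeyEntry,
site1key00000000000a, Mar 3, 2010, SecretKeyEntry,
mykeywrapper, Apr 2, 2012, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
"""
DEST = """Keystore type: JCEKS

key000000000000000000, Jan 9, 2011, SecretKeyEntry,
key000000000000000001, Jan 9, 2011, SecretKeyEntry,
mykeywrapper, Apr 2, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
"""

if __name__ == "__main__":
    for name, value in preflight(SOURCE, DEST).items():
        print(f"{name}: {value}")
```

Run against real listings before any import, so that overlapping default aliases are known up front instead of surfacing as an import error.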