TSM with EKM (encryption done by library)


Apr 21, 2004
I have a problem with two TSM servers (two separate locations) with encryption through EKM (implemented by the library).
Each of these sites performs backup and restore with a retention of 5 years. TSM with EKM works OK in each location separately.
The problem starts because now I have to provide the ability to trace data from the location of TSM#1 with EKM#1 to TSM#2 with EKM#2. Disaster recovery from TSM#1 to TSM#2.
According to the IBM procedure I have to move the symmetric key for the EKM keystore from EKM#1 to EKM#2.
I do this as follows:

On the (TSM#1) EKM#1:
Export a cert / public key from the destination keystore.
This does not copy the private key used to perform the decryption. It also does not remove the exported keys from the keystore.
If the alias "mykeywrapper" does not exist, create it using:

1-1) keytool -genkey -alias mykeywrapper -keystore mytargetkeystore.jck -storepass "password" -storetype jceks

1-2) Export the cert / public key

keytool -export -alias mykeywrapper -file symkeycert.crt -keystore EKMKeys.jck -storepass "password" -storetype jceks

I copied the file symkeycert.crt to EKM#2.

2-1) Import the cert / public key into the symmetric key source keystore.

keytool -import -alias mykeywrapper -file symkeycert.crt -keystore mysourcekeystore.jck -storepass "password" -storetype jceks

2-2) Using keytool with exportseckey, export the symmetric key(s).

keytool -exportseckey -keyalias mykeywrapper -alias key000000000000000001 -keystore mysourcekeystore.jck -storepass "password" -keypass "password" -storetype jceks -exportfile myexportedkeys.file

I get a message:

0 secret keys have been Imported
Keytool error: java.lang.Exception: secret key not Imported, alias key000000000000000000 already exists

Of course it is because step 1-1) had to create it.
Do you have any idea?
There are two default installations of EKMs, so they all have keys starting from key000000000000.
I cannot delete keys because at every location there is data written with 5 years retention.

Please help !!!!
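As an added example (not part of the original post and not IBM's procedure): a POSIX shell check that lists the aliases present in both EKM keystores before any -importseckey is attempted, so the "alias ... already exists" failure described above is caught up front instead of mid-migration. The two keystore listings are constructed samples in the shape of `keytool -list` output (alias, creation date, entry type per line); in practice they would be captured by running keytool against each keystore.

```shell
#!/bin/sh
# Added example: find alias collisions between a source and a destination
# EKM keystore before moving secret keys with keytool -importseckey.

# Constructed sample listings (assumption: the "alias, date, entryType,"
# line format that `keytool -list -keystore X -storetype jceks` prints).
SRC_LIST='Keystore type: JCEKS
Keystore provider: IBMJCE

Your keystore contains 3 entries

key000000000000000001, Apr 21, 2004, SecretKeyEntry,
key000000000000000002, Apr 21, 2004, SecretKeyEntry,
mykeywrapper, Apr 21, 2004, keyEntry,'

DST_LIST='Keystore type: JCEKS
Keystore provider: IBMJCE

Your keystore contains 2 entries

key000000000000000001, May 3, 2004, SecretKeyEntry,
mykeywrapper, May 3, 2004, trustedCertEntry,'

# aliases_from_list LISTING: print each alias (text before the first comma),
# one per line, sorted and de-duplicated; header lines without a comma are
# skipped by the sed pattern.
aliases_from_list() {
    printf '%s\n' "$1" | sed -n 's/^\([^,][^,]*\),.*/\1/p' | sort -u
}

# colliding_aliases SRC_LISTING DST_LISTING: aliases present in both
# keystores. Each of these would make -importseckey stop with
# "secret key not Imported, alias ... already exists".
colliding_aliases() {
    src_tmp=$(mktemp)
    dst_tmp=$(mktemp)
    aliases_from_list "$1" > "$src_tmp"
    aliases_from_list "$2" > "$dst_tmp"
    comm -12 "$src_tmp" "$dst_tmp"
    rm -f "$src_tmp" "$dst_tmp"
}

# Report what would collide for the sample keystores above.
colliding_aliases "$SRC_LIST" "$DST_LIST"
```

Run against real listings, a non-empty result means the secret keys need a different alias on the destination (or the destination's default entries need to be accounted for) before the import is attempted.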