Sun Crypto Accelerator 1000 Board Version 2.0 Installation and User's Guide Table Of ContentsPrevious ChapterNext ChapterBook Index


C H A P T E R  6
Migrating Keys From Version 1.x Realms

The realmparse command migrates keys from Sun Crypto Accelerator 1000 1.x realms. This command takes realm files from the Sun Crypto Accelerator 1000 1.x product and lists and migrates the key and certificate objects into a PKCS#11 token presented by the Solaris Cryptographic Framework.

In most cases, the full path to a Sun Crypto Accelerator 1000 1.x realm file must be provided with the realmparse command. The exception is the list subcommand with the -t / --token flag which lists available destination tokens for key and certificate objects presented by the Solaris Cryptographic Framework.

The realmparse utility has two subcommands that can be used. The list subcommand lists available destination PKCS#11 tokens, users that exist within a Sun Crypto Accelerator 1000 1.x realm file, or objects associated with a specific user.

The migrate subcommand moves objects from a realm file to a PKCS#11 token chosen by the administrator using the token's label. If no certificate name is specified using the -c / --certname option, all objects associated with the realm user are migrated using the same PKCS#11 attributes that were asserted in the realm file.

If the -c / --certname option is used, only those objects with the CKA_LABEL PKCS#11 attribute matching the value provided is migrated. Additionally the -n / --newname option changes the CKA_LABEL value supplied for these objects in the destination token. This option is used when two or more realm users have certificates and keys with the same label.

realmparse Options

TABLE 6-1 describes the subcommands and options for the realmparse command.


Note - Certain shells interpret the ? character when using -? option on the command line. To avoid this, use the escape character (\) directly in front of the ?. For example in the C shell, the command is changed to realmparse -\?.



TABLE 6-1 realparse Options

Option

Description

With no Subcommands

 

-? / --help

Displays basic help for this command.

-V / --version

Displays version information for this command.

With the list Subcommand

 

-p / --passfile file

Takes the full path to a file containing the realm user's password. If this option is not specified then the application prompts for the password. This option must be used with the -u / --user option.

-t / --token

Displays the PKCS#11 tokens available in the system through the Solaris Cryptographic Framework. This option, when used with the list subcommand, should be used by itself, and does not require a realm file to be specified.

-u / --user realmuser

Lists objects in the realm associated with the user realmuser.

-v / --verbose

Provides more detailed information when listing a specific realm user's key and certificate objects. This option must be used with the -u / --user option.

With the migrate Subcommand

 

-c / --certname name

Looks for certificates and keys with the label name and migrates them. All other objects owned by that realm user will not be migrated. The name parameter is case-sensitive.

-n / --newname name

For the migrated objects, changes the label from that provided with the -c / --certname option to name. This new name will become the value for the CKA_LABEL attribute for the objects in the destination PKCS#11 token. This option must be used with the -c / --certname option.

-p / --passfile file

This option takes the full path to a file containing the realm user's password. If this option is not specified then the application will prompt for the password. This option must be used with the
-u / --user option.

-t / --token label

Uses the PKCS#11 token label as the destination for all migrated objects. If a destination PKCS#11 token is not specified on the command line, you are prompted for one.

-u / --user realmuser

Accesses objects in the realm associated with the user realmuser.

-w / --p11passfile file

Takes the full path to a file containing the password for the PKCS#11 token specified with the -t / --token option. If this option is not specified, you are prompted for the password.

-v / --verbose

Provides more detailed information during the migration process.


Examples Using the realmparse Command

This section provides examples of using the realmparse command with subcommands and options.

Listing All Available PKCS#11 Tokens

The following command lists all available PKCS#11 tokens. 


example% /opt/SUNWconn/cryptov2/bin/realmparse list -t

Token Label                      			Writeable?

---------------------------------------------------------

dca/0 Crypto Accel Sym 2.0          No

dca/0 Crypto Accel Asym 2.0         No

Sun Software PKCS#11 Softtoken   	Yes

---------------------------------------------------------

Migrating All Objects Associated With a Realm User to the Sun Software PKCS#11 Softtoken

You must execute the pktool setpin command before migrating objects with realmparse-- for example: 


% pktool setpin

Enter new PIN:

Re-enter new PIN:

The following command migrates all objects associated with a realm user sample-user to the Sun Software PKCS#11 Softtoken. These objects are retrieved from the realm file /tmp/oldrealm. 


example% realmparse migrate -u "sample-user" -t "Sun Software PKCS#11 Softtoken" /tmp/oldrealm 

Enter realm user password:

Enter PKCS#11 password:

All objects were migrated successfully.

 



  Sun Crypto Accelerator 1000 Board Version 2.0 Installation and User's Guide 819-0425-11 Table Of ContentsPrevious ChapterNext ChapterBook Index


Copyright © 2005, Sun Microsystems, Inc. All Rights Reserved.