Security

The utilities for managing cryptographic keys, certificates and related objects are stored in the <DMS_HOME>/app/bin folder (.sh scripts on Linux, .bat on Windows).

app/
├── bin
│   ├── certedit.sh
│   ├── dbputil.sh
│   └── tokedit.sh

The app/security folder contains the security configuration:

  • /cfg/dstk.ini contains the DSTK (Data Secure Toolkit) configuration. The DSTK provides the infrastructure (PKI) and the services (cryptographic libraries) needed to implement a standards-based public key cryptographic system. The default configuration covers all supported use cases, so it does not need to be modified.

  • /securitystore contains the Token DB, the Password DB and the Certificates DB referenced by dstk.ini.

Create Token DB

During the installation, a new Token DB must be created with the dbputil.sh and tokedit.sh utilities.

The path and format of the Token DB are preset in dstk.ini by the following properties of the MyToken section:

  • Cryptosystem: PKCS12

  • Name: <DMS_HOME>/app/security/securitystore/keystore/token.p12

DB Password Creation

Before creating the Token DB, a password must be created and recorded in the Password DB.

Syntax: dbputil.sh add -p

Enter the password interactively when dbputil prompts for it.

Token DB Creation

Run the following command:

Syntax: tokedit.sh create -p

Enter the password interactively when tokedit prompts for it.

Migration of keys and certificates

Export from Spazio

In Spazio, keys and certificates can be referenced from the following configuration files and sections:

dstk.ini

  • CDB - Certificates DataBase.

  • MyToken - the user's personal token: the database containing the keys is configured in the Name property of this section. If it is not specified, the default value $HOME/.dstk/token.sdb is used.

  • SSL - SSL security configuration: the database containing the keys used by SSL can be configured in the TokenName property of this section. If it is not specified, the one configured in MyToken.Name is used.

  • SSH - SSH security configuration: the database containing the keys used by SSH can be configured in the TokenName property of this section. If it is not specified, the one configured in MyToken.Name is used.

pps.ini

  • global - the database containing the keys can be configured in the CryptoSysPar property.

ssl.ini

  • Every ProtocolName section may contain a TokenName property.

ssh.ini

  • Every ProtocolName section may contain a TokenName property.

Export Keys

The keys are stored in the token database, which can have one of several formats (sdb, jks, pkcs12). The path to the token database is specified in the configuration files listed above.

Below are the sections and the properties to be checked:

.ini file   Section             Property       Notes
dstk.ini    MyToken             Name
dstk.ini    SSL                 TokenName
dstk.ini    SSH                 TokenName
pps.ini     global              CryptoSysPar
ssl.ini     <Custom Section>    TokenName      may appear in several sections, for example one per client connection, each with a different Token DB
ssh.ini     <Custom Section>    TokenName      may appear in several sections, for example one per client connection, each with a different Token DB

Export Utilities

Keys and certificates present in the tokens referenced by the configuration files can be exported with the tokedit utility.

With tokedit you can export the keys present in the token database set in the Name property of the MyToken section of dstk.ini with the P12EXP command.

Syntax: tokedit P12EXP <TYPE> <FILEOUT> <PASSWORD>

  • TYPE: type of PKCS#12 export. Value 2 exports all components present in the token (certificate/public key pairs, CA certificates, private keys and data).

  • FILEOUT: path name of the PKCS#12 file. NOTE: if the file already exists, it is overwritten without any warning. To enable correct import in Data Mover Smart, the file name must have the form <configuration_file_name>-<section>.p12, e.g. dstk-ssl.p12 for section SSL of dstk.ini.

  • PASSWORD: password used to secure the exported data. If this parameter is omitted, the user is prompted for it. The allowed length is 8-64 characters. Legal characters are: uppercase A-Z, lowercase a-z, digits 0-9, period (.), forward slash (/), underscore (_). NOTE: this password encrypts the exported object and is needed again when the object is imported. Prefer omitting the parameter and entering the password at the prompt: a password given on the command line is visible in the shell history and in process listings.

With tokedit you can also list the objects stored in the Token DB.

Syntax: tokedit LIST [objType]

  • objType (optional): to limit the list to one type of object, specify one of the following values (numeric or text, upper or lower case):

    0 or data: list data objects
    1 or certificate: list X.509 certificates
    2 or public_key: list RSA public keys
    3 or private_key: list RSA private keys
    4 or secret_key: list secret keys
    5: list all object types (default)

The steps to export the keys are:

  1. Identify all the cryptographic tokens used by the Spazio installation (there may be more than one, possibly in different formats).

  2. For each cryptographic token identified, run the tokedit P12EXP command.

Example 1

Identified cryptographic tokens:

  • dstk.ini: [MyToken] → Name

Actions to be performed:

  1. Export the keys and certificates of the MyToken section with the tokedit command.
     E.g. TOKEDIT P12EXP 2 dstk-mytoken.p12 Pwd12345

Example 2

Identified cryptographic tokens:

  • dstk.ini: [MyToken] → Name

  • dstk.ini: [SSH] → TokenName

Actions to be performed:

  1. Export the keys and certificates of the MyToken section with the tokedit command.
     E.g. TOKEDIT P12EXP 2 dstk-mytoken.p12 Pwd12345

  2. Export the keys and certificates of the Token DB referenced by the SSH section:

     2.1 Make a copy of the dstk.ini file.

     2.2 Edit the MyToken section of dstk.ini, setting:
         Name: the value of TokenName in the SSH section
         Cryptosystem: the value of Cryptosystem in the SSH section

     2.3 Export with the tokedit command (tokedit now reads the SSH token as MyToken).
         E.g. TOKEDIT P12EXP 2 dstk-ssh.p12 Pwd12345

     2.4 Restore the original dstk.ini file.

Example 3

Identified cryptographic tokens:

  • dstk.ini: [MyToken] → Name

  • ssh.ini: [Section1] → TokenName

  • ssh.ini: [Section2] → TokenName

Actions to be performed:

  1. Export the keys and certificates of the MyToken section with the tokedit command.
     E.g. TOKEDIT P12EXP 2 dstk-mytoken.p12 Pwd12345

  2. Export the keys and certificates of the Token DBs referenced in ssh.ini:

     2.1 Make a copy of the dstk.ini file.

     2.2 Export the keys and certificates of the Token DB of Section1 (steps 2.3 and 2.4).

     2.3 Edit the MyToken section of dstk.ini, setting:
         Name: the value of TokenName in the Section1 section of ssh.ini
         Cryptosystem: the value of Cryptosystem in the Section1 section of ssh.ini

     2.4 Export with the tokedit command.
         E.g. TOKEDIT P12EXP 2 ssh-section1.p12 Pwd12345

     2.5 Export the keys and certificates of the Token DB of Section2: repeat 2.3 and 2.4 replacing Section1 with Section2 (output file ssh-section2.p12).

     2.6 Restore the original dstk.ini file.
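Steps 2.1 to 2.4 of Examples 2 and 3 (and the rename procedure under "Import Key" further down) all temporarily retarget the MyToken section of dstk.ini. Doing this by hand for several sections is error-prone, and a forgotten restore step leaves Spazio pointing at the wrong token. The following shell script is an added example, not part of the original page or of the Spazio/Data Mover Smart tools: it automates the copy, retarget, export and restore sequence. It assumes dstk.ini is a plain "[Section]" / "Key=Value" file, that the Spazio tokedit is on PATH, and it deliberately omits the PASSWORD argument so tokedit prompts for it. With DRY_RUN=1 set, the tokedit command is printed instead of executed.

```shell
#!/bin/sh
# Added example, not part of the original page or of the Spazio/Data Mover
# Smart tools.  Automates steps 2.1-2.4 of Examples 2 and 3: copy dstk.ini,
# point [MyToken] at the token DB named in another section, run tokedit
# P12EXP, restore dstk.ini.  Assumes dstk.ini is a plain "[Section]" /
# "Key=Value" file (section and key names are matched case-insensitively;
# names containing regex metacharacters are not handled) and that tokedit is
# on PATH.  With DRY_RUN=1 nothing is exported; the command is printed instead.

# ini_get FILE SECTION KEY -> prints the value of KEY in [SECTION]
ini_get() {
  awk -v sec="$2" -v key="$3" '
    /^[[:space:]]*\[/ {
      in_sec = (tolower($0) ~ "^[[:space:]]*\\[[[:space:]]*" tolower(sec) "[[:space:]]*\\]")
      next
    }
    in_sec && tolower($0) ~ "^[[:space:]]*" tolower(key) "[[:space:]]*=" {
      sub("^[^=]*=[[:space:]]*", ""); sub("[[:space:]]+$", ""); print; exit
    }' "$1"
}

# ini_set FILE SECTION KEY VALUE -> rewrites KEY in [SECTION], or appends it to the section
ini_set() {
  tmp="$1.tmp.$$"
  awk -v sec="$2" -v key="$3" -v val="$4" '
    /^[[:space:]]*\[/ {
      if (in_sec && !done) { print key "=" val; done = 1 }   # key absent: add before next section
      in_sec = (tolower($0) ~ "^[[:space:]]*\\[[[:space:]]*" tolower(sec) "[[:space:]]*\\]")
    }
    in_sec && !done && tolower($0) ~ "^[[:space:]]*" tolower(key) "[[:space:]]*=" {
      print key "=" val; done = 1; next
    }
    { print }
    END { if (in_sec && !done) print key "=" val }           # key absent in last section
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# export_section_token DSTK_INI SRC_INI SECTION OUTFILE
#   SRC_INI is the file holding [SECTION]: dstk.ini itself for SSL/SSH,
#   ssh.ini or ssl.ini for per-connection sections.
export_section_token() {
  dstk="$1"; src="$2"; section="$3"; out="$4"
  name=$(ini_get "$src" "$section" TokenName)
  csys=$(ini_get "$src" "$section" Cryptosystem)
  [ -n "$name" ] || { echo "no TokenName in [$section] of $src" >&2; return 1; }
  cp -p "$dstk" "$dstk.orig" || return 1                    # step 2.1: keep the original
  ini_set "$dstk" MyToken Name "$name"                       # step 2.2: retarget MyToken
  [ -n "$csys" ] && ini_set "$dstk" MyToken Cryptosystem "$csys"
  if [ "${DRY_RUN:-0}" = 1 ]; then                           # step 2.3: export
    echo "MyToken.Name=$(ini_get "$dstk" MyToken Name)"
    echo "tokedit P12EXP 2 $out"; rc=0
  else
    tokedit P12EXP 2 "$out"; rc=$?   # PASSWORD omitted on purpose: tokedit prompts for it
  fi
  mv "$dstk.orig" "$dstk"                                    # step 2.4: always restore
  return $rc
}

# Usage: export_section_token /opt/spazio/dstk.ini /opt/spazio/ssh.ini Section1 ssh-section1.p12
if [ $# -ge 4 ]; then export_section_token "$@"; fi
```

The output file name follows the <configuration_file_name>-<section>.p12 convention required by the import, and the restore runs whether or not tokedit succeeded, so the live configuration is never left pointing at the wrong token.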

Export Certificates

X.509 public key certificates and SSH keys (host keys and user keys) must be exported from Spazio and imported into Data Mover Smart.

The BULK_EXPORT command of the DSTK utility certedit performs this task.

Syntax:

certedit BULK_EXPORT <DIRNAME> [DB=CA|USR|PKHOST|PKUSR]

Exports all certificates, the SSH host keys and the SSH user keys from the CDB into an external directory. When the command is run on the PKHOST or PKUSR storage, each entry is written as a full OpenSSH public key file.

  • DIRNAME (mandatory): full path of the directory into which the certificates are exported.

  • DB (optional): DB=CA|USR|PKHOST|PKUSR. The action is performed against the CA store, the USR DB, the SSH host public key store or the SSH user public key store of the 'CDBName' configured in the [CDB] section of dstk.ini.

To export ALL Certificates, the SSH Host Keys and the SSH User Key run the following commands:

certedit BULK_EXPORT <DIRNAME> (export ALL Certificates)

certedit BULK_EXPORT <DIRNAME> DB=PKUSR (export SSH User Key)

certedit BULK_EXPORT <DIRNAME> DB=PKHOST (export SSH Host Keys)

Example

Below is an example of exporting all certificates and SSH keys into the /home/user/certificates directory:

certedit BULK_EXPORT /home/user/certificates

certedit BULK_EXPORT /home/user/certificates DB=PKUSR

certedit BULK_EXPORT /home/user/certificates DB=PKHOST

Import to Data Mover Smart

In Data Mover Smart there is a single Token DB for the storage of keys.

Import Key

Keys contained in p12 files can be imported with the import-p12 command of tokedit.sh (tokedit.bat on Windows).

Syntax: tokedit.sh import-p12 [command options]

  • --pwd, -p: the password that protects the p12 file (the one given to P12EXP at export time).

  • --in, -i: the path of the p12 input file.

Example

To import dstk-mytoken.p12, exported with the password Pwd12345, use this command:

./tokedit.sh import-p12 -i dstk-mytoken.p12 -p Pwd12345

Note that a password given on the command line is visible in the shell history and in process listings; remove it from the history once the import is done.

Because Data Mover Smart has a single Token DB, entries coming from different exported p12 files may need distinct labels. The entries of a p12 file can be renamed before it is imported with the rename command of tokedit.sh.

Syntax:

tokedit.sh rename [command options]

  • --label, -l: the old entry label.

  • --new-label: the new entry label.

tokedit.sh works on the token database set in the Name property of the MyToken section of dstk.ini, so to rename the entries of a p12 file perform the following operations:

  1. Make a copy of the dstk.ini file.

  2. Set the Name property of the MyToken section to the p12 file:

     [MyToken]
     ...
     Name=<path>/dstk-ssh.p12

  3. Rename the label:

     tokedit.sh rename -l label1 --new-label label1-new

  4. Restore the original dstk.ini file.

After renaming, the p12 file can be imported.

Import Certificate

X.509 public key certificates and SSH keys (host keys and user keys) can be imported from a directory with the bulk_import command of certedit.sh (certedit.bat on Windows).

Syntax:

certedit.sh bulk_import [command options]

  • --in, -i (mandatory): path of the directory containing the files to import.

  • --db, -d (optional): target database. Accepted values are "ca", "usr", "pkhost", "pkusr", "rev" and "pgp". Default: ca.

  • --format, -f (optional): file format. Accepted values are:

    0: DER
    1: PEM
    7: PKCS#7 PEM
    9: automatic encoding detection
    10: OpenSSH public key file
    11: Secure Shell (SSH) public key file
    13: PGP/GPG binary or ASCII armor format

    When operating on the pgp database the format may be omitted, since only format 13 is allowed.

To import all certificates, the SSH host keys and the SSH user keys, run the following commands:

./certedit.sh bulk_import -i <PATH_DIR> (import all certificates)

./certedit.sh bulk_import -i <PATH_DIR> -d pkhost -f 9 (import SSH host keys)

./certedit.sh bulk_import -i <PATH_DIR> -d pkusr -f 9 (import SSH user keys)

Example

Below is an example of importing all certificates and SSH keys from the /home/user/certificates directory:

./certedit.sh bulk_import -i /home/user/certificates

./certedit.sh bulk_import -i /home/user/certificates -d pkhost -f 9

./certedit.sh bulk_import -i /home/user/certificates -d pkusr -f 9
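The three bulk_import runs above read one directory with different -d and -f values, so it is worth knowing what that directory holds before importing: which --format code each file needs, and whether anything that should never have left the token (a private key) ended up next to the public material. The following shell script is an added example, not part of the original page or of certedit: it maps each file's header to the --format code from the table above, fails the audit if a file looks like a private key, and stages the files into one directory per format together with the matching bulk_import command. The header strings and the DER check are standard; the -d value is left to the operator, because host and user public keys cannot be told apart by content. The file names and contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page or of certedit: inventory an
# export directory before running certedit.sh bulk_import.  The --format codes
# (0 DER, 1 PEM, 7 PKCS#7 PEM, 9 autodetect, 10 OpenSSH, 11 RFC 4716, 13 PGP)
# are the ones documented above; the header strings are the standard ones.
# Only PEM/armored private keys are detected; a DER-encoded private key is
# indistinguishable from a DER certificate by its first byte.

# classify_key_file FILE -> prints the matching --format code, or PRIVATE
classify_key_file() {
  first=$(head -n 1 "$1" | tr -d '\r')
  case "$first" in
    *"PRIVATE KEY-----"*|*"PRIVATE KEY BLOCK-----"*)
                                            echo PRIVATE ;;  # must never be in a cert export
    "-----BEGIN CERTIFICATE-----")          echo 1 ;;        # PEM X.509
    "-----BEGIN PKCS7-----")                echo 7 ;;        # PKCS#7 PEM
    "---- BEGIN SSH2 PUBLIC KEY ----")      echo 11 ;;       # RFC 4716 public key
    "-----BEGIN PGP PUBLIC KEY BLOCK-----") echo 13 ;;       # PGP ASCII armor
    ssh-rsa\ *|ssh-ed25519\ *|ssh-dss\ *|ecdsa-sha2-*|sk-*)
                                            echo 10 ;;       # OpenSSH one-line public key
    *)
      # Binary DER: an X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
      if [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then echo 0
      else echo 9; fi                                        # unknown: let certedit autodetect
      ;;
  esac
}

# audit_export_dir DIR -> prints "<format> <file>" per file; fails if a private key is found
audit_export_dir() {
  rc=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    fmt=$(classify_key_file "$f")
    echo "$fmt $f"
    [ "$fmt" = PRIVATE ] && rc=1
  done
  return $rc
}

# stage_by_format SRC DEST -> copies SRC's files into DEST/fmt<code>/ (private
# keys are skipped) and prints one bulk_import command per staged directory.
# The -d value is left to the operator: host and user keys look the same.
stage_by_format() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    fmt=$(classify_key_file "$f")
    [ "$fmt" = PRIVATE ] && { echo "skipping private key: $f" >&2; continue; }
    mkdir -p "$2/fmt$fmt" && cp "$f" "$2/fmt$fmt/"
  done
  for dir in "$2"/fmt*; do
    [ -d "$dir" ] || continue
    code=${dir##*/fmt}
    case "$code" in
      10|11) db='<pkhost|pkusr>' ;;
      13)    db='pgp' ;;
      *)     db='<ca|usr>' ;;
    esac
    echo "./certedit.sh bulk_import -i $dir -d $db -f $code"
  done
}

# Usage: sh stage.sh /home/user/certificates /tmp/staged
if [ $# -eq 2 ]; then audit_export_dir "$1" && stage_by_format "$1" "$2"; fi
```

Running the audit first and staging per format replaces the single catch-all -f 9 with an explicit format per directory, and a private key found in the export directory stops the procedure instead of being silently imported alongside the certificates.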
