certificate expires, communications between Encryption Key Manager Servers and between the
Encryption Key Manager CLI Client and Encryption Key Manager Server may no longer work. Remove
the old expired certificate and create a new one as specified in this step.
keytool -keystore EKMKeys.jck -storetype jceks -genkey -alias ekmcert -keyAlg RSA -keysize 2048 –validity 1825
The keytool command prompts you for information it uses to create a certificate that allows your
Encryption Key Manager identification. The prompts, with sample responses, look similar to these:
What is your first and last name? [Unknown]: ekmcert
What is the name of your organizational unit?
What is the name of your organization? [Unknown]: Dell
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit? [Unknown]: US
Is CN=ekmcert, OU=EKM, O=Dell, L=Austin, ST=TX, C=US correct?(type "yes" or "no"):
Type yes and press Enter.
Step 2. Generate Encryption Keys
Note: Before using the keytool command for the first time in any session, run the updatePath script to
set the correct environment.
On Windows
Navigate to cd c:\ekm and click updatePath.bat
On Linux platforms
Navigate to /var/ekm and enter . ./updatePath.sh
Note: Specify . ./ (period space period forward slash) before the Linux shell command to
ensure that the shell will be able to find the script.
For LTO encryption, the Encryption Key Manager needs a number of symmetric keys to be pre-generated
and stored in a keystore. This keytool command generates 32 256-bit AES keys and stores them in the
keystore created in step 3. Run this command from the Encryption Key Manager directory to have the
keystore file created in that directory. The resulting keys will have the names key000000000000000000
through key00000000000000001f.
keytool –keystore EKMKeys.jck –storetype jceks –genseckey –keyAlg aes –keysize 256 –aliasrange key00-1f
This command prompts you for a keystore password to access the keystore. Enter the desired password
and press Enter. Press Enter again when prompted for a key password as that information is not needed.
Do not type in a new or different password. This will cause the key password to be the same as the
keystore password. Please note the keystore password entered here as it will be needed later when
starting the Encryption Key Manager.
Note: Once you have set the keystore password, do not change it unless it's security has been breached.
Changing the keystore password requires that all the password properties in the configuration file
be changed as well. The passwords are obfuscated to eliminate any security exposure.
Step 3. Start the Encryption Key Manager Server
To start the Encryption Key Manager server without the GUI, launch the startServer script:
On Windows
Navigate to cd c:\ekm\ekmserver and click startServer.bat
On Linux platforms
Navigate to /var/ekm/ekmserver and enter . ./startServer.sh
Note: Specify . ./ (period space period forward slash) before the Linux shell command to ensure that
the shell will be able to find the script.
6
[Unknown]: EKM
[Unknown]: Austin
[Unknown]: TX
Stampa la pagina