Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
The TKS also generates a session key for the DRM to use to transport the server-generated private key securely back to the token.
The TKS delivers the session key to the TPS in two different forms:
• The session key wrapped with the server transport key, which the DRM uses to wrap the generated private key for the token
• The session key wrapped with the token's KEK, which the token uses to unwrap the private key generated on the DRM
The TPS then forwards the session key to the DRM, in both wrapped forms (under the KEK and under the server transport key), along with the server-side key generation request.
To import the DRM transport key into the TKS certificate database:
1. Retrieve the DRM transport certificate from the issuing CA, and save it to a file.
2. Import the transport certificate into the TKS security databases in the /var/lib/subsystem_name/alias directory. In the TKS Console, click Subsystem Keys and Certificates in the left navigation panel. In the Local Certificates tab, click Add, and paste in the certificate information.
Alternatively, use certutil to import the certificate (run from the alias directory, since -d . points at the current directory):
certutil -d . -P cert-db-prefix -A -n "DRM Transport" -t ",," -a -i certfilename
3. Stop the TKS.
service pki-tks stop
4. Edit the CS.cfg file by adding the nickname of the DRM transport certificate to the following parameter:
tks.drm_transport_cert_nickname=DRM Transport
5. Restart the TKS.
service pki-tks start
5.7.5.4. Step 4: Configuring the TPS to Generate and Archive Keys
1. Stop the TPS.
service instance_ID stop
2. Edit the following parameters in the TPS CS.cfg file to use the appropriate DRM connection information:
conn.drm.totalConns=1
conn.drm1.hostport=DRM_HOST:DRM_SSLPORT
conn.drm1.clientNickname=Server-Cert
conn.drm1.servlet.GenerateKeyPair=/kra/GenerateKeyPair
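A practical way to catch mistakes in the two configuration steps above is to check that the nickname in tks.drm_transport_cert_nickname really exists in the TKS certificate database and that the TPS conn.drm* entries were filled in rather than left as the DRM_HOST:DRM_SSLPORT placeholders. The following Python is an added example, not part of the Certificate System documentation or product; the CS.cfg fragments and the certutil -L listing it parses are constructed samples, and the hostname and port in them are placeholders.

```python
import re
# Constructed samples (not from a real deployment): a TPS CS.cfg fragment with
# this section's parameters, a TKS CS.cfg line, and a `certutil -L` listing.
SAMPLE_TPS_CFG = """\
conn.drm.totalConns=1
conn.drm1.hostport=drm.example.com:10443
conn.drm1.clientNickname=Server-Cert
conn.drm1.servlet.GenerateKeyPair=/kra/GenerateKeyPair
"""
SAMPLE_TKS_CFG = "tks.drm_transport_cert_nickname=DRM Transport\n"
SAMPLE_CERTUTIL_LISTING = """\
Certificate Nickname                           Trust Attributes
Server-Cert cert-pki-tks                       u,u,u
DRM Transport                                  ,,
"""

def parse_cs_cfg(text):
    """Parse key=value lines of a CS.cfg fragment into a dict."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def nicknames_in_db(listing):
    """Collect nicknames from certutil -L output (name, 2+ spaces, trust flags)."""
    names = set()
    for line in listing.splitlines():
        m = re.match(r"^(.*?)\s{2,}(\S*,\S*,\S*)\s*$", line)
        if m and m.group(1).strip():
            names.add(m.group(1).strip())
    return names

def check_tps_drm_connection(cfg):
    """Report TPS->DRM entries that are missing or still carry doc placeholders."""
    problems = []
    for n in range(1, int(cfg.get("conn.drm.totalConns", "0")) + 1):
        prefix = f"conn.drm{n}."
        hostport = cfg.get(prefix + "hostport", "")
        if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", hostport):
            problems.append(f"{prefix}hostport is not host:port (got {hostport!r})")
        for key in ("clientNickname", "servlet.GenerateKeyPair"):
            if not cfg.get(prefix + key):
                problems.append(f"{prefix}{key} is missing")
    return problems

def check_tks_transport_cert(cfg, db_nicknames):
    """tks.drm_transport_cert_nickname must name a cert present in the TKS NSS db."""
    nick = cfg.get("tks.drm_transport_cert_nickname", "")
    if nick in db_nicknames:
        return []
    return [f"nickname {nick!r} not found in the TKS certificate database"]
```

On a live system, feed check_tks_transport_cert the output of certutil -L run against the TKS alias directory and check_tps_drm_connection the real TPS CS.cfg; an empty list from each means the two steps are consistent.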