NAME

pkcscca - configuration utility for the CCA token

SYNOPSIS

DESCRIPTION

The pkcscca utility assists in administering the CCA token.

In version 2 of opencryptoki, CCA private token objects were encrypted in CCA hardware. In version 3 these objects are encrypted in software. The v2objectsv3 migration option migrates these v2 objects by decrypting them in CCA hardware using a secure key and then re-encrypting them in software using a software key. Afterwards, v2 objects can be accessed in version 3.

There may be situations where CCA master keys must be changed. All CCA secret and private keys are wrapped with a master key. After a CCA master key is changed, keys wrapped with the old master key need to be re-wrapped with the current master key. The keys migration option migrates these wrapped keys by unwrapping them with the old master key and wrapping them with the current master key.

GENERAL OPTIONS

-d|--datastore directory

the directory where the CCA token information is kept. This directory will be used to locate the private token objects to be migrated. i.e. /var/lib/opencryptoki/ccatok

-v|--verbose

Provide more detailed output

VERSION MIGRATION

-m v2objectsv3

Migrates CCA private token objects from CCA encryption (used in v2) to software encryption (used in v3).

KEY MIGRATION

-m keys

Unwraps private keys with an old CCA master key and wraps them with a new CCA master key.

-k aes|apka|asym|sym

Migrate keys wrapped with the selected master key type.

-s|--slotid SLOTID

The PKCS slot number.

FILES

/var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX

contains current list of public and private token objects for the CCA token.

SEE ALSO

README.cca_stdll (in system's doc directory)