public class DRMTool
extends java.lang.Object
(A) Use a new storage key (e. g. - a 2048-bit key to replace a
1024-bit key) to rewrap the existing triple DES symmetric key
that was used to wrap a user's private key.
STARTING INVENTORY:
(1) a DRMTOOL configuration file containing DRM LDIF record
types and the processing status of their associated fields
(2) an LDIF file containing 'exported' DRM data
(referred to as the "source" DRM)
NOTE: If this LDIF file contains data that was originally
from a DRM instance that was prior to RHCS 8, it
must have previously undergone the appropriate
migration steps.
(3) the NSS security databases (e. g. - cert8.db, key3.db,
and secmod.db) associated with the data contained in
the source LDIF file
NOTE: If the storage key was located on an HSM, then the
HSM must be available to the machine on which the
DRMTool is being executed (since the RSA private
storage key is required for unwrapping the
symmetric triple DES key). Additionally, a
password may be required to unlock access to
this key (e. g. - which may be located in
the source DRM's 'password.conf' file).
(4) a file containing the ASCII BASE-64 storage certificate
from the DRM instance for which the output LDIF file is
intended (referred to as the "target")
ENDING INVENTORY:
(1) all items listed in the STARTING INVENTORY (unchanged)
(2) a log file containing information suitable for audit
purposes
(3) an LDIF file containing the revised data suitable for
'import' into a new DRM (referred to as the "target" DRM)
DRMTool PARAMETERS:
(1) the name of the DRMTOOL configuration file containing
DRM LDIF record types and the processing status of their
associated fields
(2) the name of the input LDIF file containing data which was
'exported' from the source DRM instance
(3) the name of the output LDIF file intended to contain the
revised data suitable for 'import' to a target DRM instance
(4) the name of the log file that may be used for auditing
purposes
(5) the path to the security databases that were used by
the source DRM instance
(6) the name of the token that was used by
the source DRM instance
(7) the name of the storage certificate that was used by
the source DRM instance
(8) the name of the file containing the ASCII BASE-64 storage
certificate from the target DRM instance for which the
output LDIF file is intended
(9) OPTIONALLY, the name of a file which ONLY contains the
password needed to access the source DRM instance's
security databases
(10) OPTIONALLY, choose to change the specified source DRM naming
context to the specified target DRM naming context
(11) OPTIONALLY, choose to ONLY process CA enrollment requests,
CA recovery requests, CA key records, TPS netkeyKeygen
enrollment requests, TPS recovery requests, and
TPS key records
DATA FIELDS AFFECTED (using default config file values):
(1) CA DRM enrollment request
(a) dateOfModify
(b) extdata-requestnotes
(2) CA DRM key record
(a) dateOfModify
(b) privateKeyData
(3) CA DRM recovery request
(a) dateOfModify
(b) extdata-requestnotes (NEW)
(4) TPS DRM netkeyKeygen (enrollment) request
(a) dateOfModify
(b) extdata-requestnotes (NEW)
(5) TPS DRM key record
(a) dateOfModify
(b) privateKeyData
(6) TPS DRM recovery request
(a) dateOfModify
(b) extdata-requestnotes (NEW)
(B) Specify an ID offset to append to existing numeric data
(e. g. - to renumber data for use in DRM consolidation efforts).
STARTING INVENTORY:
(1) a DRMTOOL configuration file containing DRM LDIF record
types and the processing status of their associated fields
(2) an LDIF file containing 'exported' DRM data
(referred to as the "source" DRM)
NOTE: If this LDIF file contains data that was originally
from a DRM instance that was prior to RHCS 8, it
must have previously undergone the appropriate
migration steps.
ENDING INVENTORY:
(1) all items listed in the STARTING INVENTORY (unchanged)
(2) a log file containing information suitable for audit
purposes
(3) an LDIF file containing the revised data suitable for
'import' into a new DRM (referred to as the "target" DRM)
DRMTool PARAMETERS:
(1) the name of the DRMTOOL configuration file containing
DRM LDIF record types and the processing status of their
associated fields
(2) the name of the input LDIF file containing data which was
'exported' from the source DRM instance
(3) the name of the output LDIF file intended to contain the
revised data suitable for 'import' to a target DRM instance
(4) the name of the log file that may be used for auditing
purposes
(5) a large numeric ID offset (mask) to be appended to existing
numeric data in the source DRM instance's LDIF file
(6) OPTIONALLY, choose to change the specified source DRM naming
context to the specified target DRM naming context
(7) OPTIONALLY, choose to ONLY process CA enrollment requests,
CA recovery requests, CA key records, TPS netkeyKeygen
enrollment requests, TPS recovery requests, and
TPS key records
DATA FIELDS AFFECTED (using default config file values):
(1) CA DRM enrollment request
(a) cn
(b) dateOfModify
(c) extdata-keyrecord
(d) extdata-requestnotes
(e) requestId
(2) CA DRM key record
(a) cn
(b) dateOfModify
(c) serialno
(3) CA DRM recovery request
(a) cn
(b) dateOfModify
(c) extdata-requestid
(d) extdata-requestnotes (NEW)
(e) extdata-serialnumber
(f) requestId
(4) TPS DRM netkeyKeygen (enrollment) request
(a) cn
(b) dateOfModify
(c) extdata-keyrecord
(d) extdata-requestid
(e) extdata-requestnotes (NEW)
(f) requestId
(5) TPS DRM key record
(a) cn
(b) dateOfModify
(c) serialno
(6) TPS DRM recovery request
(a) cn
(b) dateOfModify
(c) extdata-requestid
(d) extdata-requestnotes (NEW)
(e) extdata-serialnumber
(f) requestId
(C) Specify an ID offset to be removed from existing numeric data
(e. g. - to undo renumbering used in DRM consolidation efforts).
STARTING INVENTORY:
(1) a DRMTOOL configuration file containing DRM LDIF record
types and the processing status of their associated fields
(2) an LDIF file containing 'exported' DRM data
(referred to as the "source" DRM)
NOTE: If this LDIF file contains data that was originally
from a DRM instance that was prior to RHCS 8, it
must have previously undergone the appropriate
migration steps.
ENDING INVENTORY:
(1) all items listed in the STARTING INVENTORY (unchanged)
(2) a log file containing information suitable for audit
purposes
(3) an LDIF file containing the revised data suitable for
'import' into a new DRM (referred to as the "target" DRM)
DRMTool PARAMETERS:
(1) the name of the DRMTOOL configuration file containing
DRM LDIF record types and the processing status of their
associated fields
(2) the name of the input LDIF file containing data which was
'exported' from the source DRM instance
(3) the name of the output LDIF file intended to contain the
revised data suitable for 'import' to a target DRM instance
(4) the name of the log file that may be used for auditing
purposes
(5) a large numeric ID offset (mask) to be removed from existing
numeric data in the source DRM instance's LDIF file
(6) OPTIONALLY, choose to change the specified source DRM naming
context to the specified target DRM naming context
(7) OPTIONALLY, choose to ONLY process CA enrollment requests,
CA recovery requests, CA key records, TPS netkeyKeygen
enrollment requests, TPS recovery requests, and
TPS key records
DATA FIELDS AFFECTED (using default config file values):
(1) CA DRM enrollment request
(a) cn
(b) dateOfModify
(c) extdata-keyrecord
(d) extdata-requestnotes
(e) requestId
(2) CA DRM key record
(a) cn
(b) dateOfModify
(c) serialno
(3) CA DRM recovery request
(a) cn
(b) dateOfModify
(c) extdata-requestid
(d) extdata-requestnotes (NEW)
(e) extdata-serialnumber
(f) requestId
(4) TPS DRM netkeyKeygen (enrollment) request
(a) cn
(b) dateOfModify
(c) extdata-keyrecord
(d) extdata-requestid
(e) extdata-requestnotes (NEW)
(f) requestId
(5) TPS DRM key record
(a) cn
(b) dateOfModify
(c) serialno
(6) TPS DRM recovery request
(a) cn
(b) dateOfModify
(c) extdata-requestid
(d) extdata-requestnotes (NEW)
(e) extdata-serialnumber
(f) requestId
DRMTool may be invoked as follows:
DRMTool
-drmtool_config_file <path + drmtool config file>
-source_ldif_file <path + source ldif file>
-target_ldif_file <path + target ldif file>
-log_file <path + log file>
[-source_pki_security_database_path <path to PKI source database>]
[-source_storage_token_name '<source token>']
[-source_storage_certificate_nickname '<source nickname>']
[-target_storage_certificate_file <path to target certificate file>]
[-source_pki_security_database_pwdfile <path to PKI password file>]
[-append_id_offset <numeric offset>]
[-remove_id_offset <numeric offset>]
[-source_drm_naming_context '<original source DRM naming context>']
[-target_drm_naming_context '<renamed target DRM naming context>']
[-process_requests_and_key_records_only]
where the following options are 'Mandatory':
-drmtool_config_file <path + drmtool config file>
-source_ldif_file <path + source ldif file>
-target_ldif_file <path + target ldif file>
-log_file <path + log file>
AND at least ONE of the following are a 'Mandatory' set of options:
(a) options for using a new storage key for rewrapping:
[-source_pki_security_database_path
<path to PKI source database>]
[-source_storage_token_name '<source token>']
[-source_storage_certificate_nickname '<source nickname>']
[-target_storage_certificate_file
<path to target certificate file>]
AND OPTIONALLY, specify the name of a file which ONLY contains
the password needed to access the source DRM instance's
security databases:
[-source_pki_security_database_pwdfile
<path to PKI password file>]
AND OPTIONALLY, rename source DRM naming context --> target
DRM naming context:
[-source_drm_naming_context '<source DRM naming context>']
[-target_drm_naming_context '<target DRM naming context>']
AND OPTIONALLY, process requests and key records ONLY:
[-process_requests_and_key_records_only]
(b) option for appending the specified numeric ID offset
to existing numerical data:
[-append_id_offset <numeric offset>]
AND OPTIONALLY, rename source DRM naming context --> target
DRM naming context:
[-source_drm_naming_context '<source DRM naming context>']
[-target_drm_naming_context '<target DRM naming context>']
AND OPTIONALLY, process requests and key records ONLY:
[-process_requests_and_key_records_only]
(c) option for removing the specified numeric ID offset
from existing numerical data:
AND OPTIONALLY, rename source DRM naming context --> target
DRM naming context:
[-source_drm_naming_context '<source DRM naming context>']
[-target_drm_naming_context '<target DRM naming context>']
[-remove_id_offset <numeric offset>]
AND OPTIONALLY, process requests and key records ONLY:
[-process_requests_and_key_records_only]
(d) (a) rewrap AND (b) append ID offset
[AND OPTIONALLY, rename source DRM naming context --> target
DRM naming context]
[AND OPTIONALLY process requests and key records ONLY]
(e) (a) rewrap AND (c) remove ID offset
[AND OPTIONALLY, rename source DRM naming context --> target
DRM naming context]
[AND OPTIONALLY process requests and key records ONLY]
NOTE: Options (b) and (c) are mutually exclusive!