High-level Design

KRATool is a stand-alone Java-based command-line utility. It reads an LDIF file exported from a source KRA and writes a new LDIF file for import into a target KRA, doing one or both of two things to the request and key record entries: rewrapping each key record's privateKeyData from the source storage key to the target storage certificate, and adding (or removing) a numeric offset to the request and key record IDs so that they do not collide with records already present in the target KRA.

KRATool Parameters

Mandatory parameters:

-kratool_config_file <complete path to the KRATool configuration file>
-source_ldif_file <complete path to the source LDIF file exported from the source KRA>
-target_ldif_file <complete path to the target LDIF file that KRATool writes>
-log_file <complete path to the log file>

Rewrap parameters:

-source_pki_security_database_path <complete path to the directory containing the source KRA's PKI security databases, which hold the source storage key>
-source_storage_token_name <name of the token on which the source storage key resides>
-source_storage_certificate_nickname <nickname of the source storage certificate on that token>
-target_storage_certificate_file <complete path to the target storage certificate file; the target storage certificate is stored in an ASCII format between a header and footer>

Rewrapping needs the source storage private key, so the source security databases (or token) must be accessible on the host running KRATool. Check that the target storage certificate file really is the target KRA's storage certificate before running the tool: key records rewrapped to any other certificate cannot be unwrapped by the target KRA.

ID offset parameters:

-append_id_offset <ID offset that is added to each record's source ID>
-remove_id_offset <ID offset that is subtracted from each record's source ID>

Either all of the rewrap parameters or one of the ID offset parameters must be given (an offset is either appended or removed in a given run); the two groups can also be combined so that records are rewrapped and renumbered in one pass. When appending, choose an offset larger than every request ID and key serial number already present in the target KRA, so that the renumbered records cannot collide with existing ones.

Optional parameters:

-source_pki_security_database_pwdfile <complete path to the password file, which contains ONLY the password used to access the source security databases; used only during rewrapping. Since the file holds the database password in the clear, restrict it to the user running KRATool>
-source_kra_naming_context <naming context of the source KRA>
-target_kra_naming_context <naming context of the target KRA>
-process_requests_and_key_records_only (write only request and key record entries to the target LDIF file; all other entries from the source LDIF file are skipped)

KRATool Config file

  1. The LDIF record fields specified by this file are the ONLY fields that can be changed in the LDIF file.

  2. No fields can be added without changes to the KRATool source code, and several fields are commented on within this configuration file.

  3. Additionally, internal LDAP fields such as ‘modifyTimestamp’ cannot, and will not, be changed by KRATool.

  4. By default, all supported fields are processed by KRATool (every entry is set to true). The default config file resides at /usr/share/pki/java-tools/KRATool.cfg.

For example, whether each field of a CA enrollment request is processed or left alone is controlled by the following lines of the configuration file:

kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true

If set to true, the field is rewritten in the generated LDIF file. If set to false, the field is copied into the generated LDIF file unchanged.

Low-level Design

The KRA records that are processed by KRATool are classified into two types:

  1. Requests

  2. Key Records

Seven different types of KRA LDIF record are processed in total: five request types and two key record types, listed below.

KRA LDIF Record Fields to be Processed

In the tables, target_uid_offset stands for the value passed to -append_id_offset or -remove_id_offset: with -append_id_offset the offset is added to each numeric ID, with -remove_id_offset it is subtracted. The per-record tables below show the append case. The entry's dn is processed as well (kratool.ldif.<recordType>.dn=true in the configuration file), so that the cn in the dn matches the renumbered cn attribute. Because adding or removing the offset usually changes the number of digits, the length prefix of requestId and serialno is recomputed for the target value.

| Attribute | Attribute description | Source value | Target value |
| --- | --- | --- | --- |
| cn | Common name of the entry (its numeric ID) | source cn | (source cn + target_uid_offset) OR (source cn - target_uid_offset) |
| dateOfModify | Date the entry was last modified | original date | date modified |
| extdata-keyrecord | ID (serialno) of the key record associated with the request | source extdata-keyrecord | (source extdata-keyrecord + target_uid_offset) |
| extdata-requestid | Request ID | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | Comments (usually empty) | comments (generally empty) | comments + [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] OR [REMOVED OFFSET OF xxx…xxx] |
| extdata-serialnumber | Serial number of the cert whose key was retrieved | source extdata-serialnumber | (source extdata-serialnumber + target_uid_offset) |
| privateKeyData | payload key wrapped with the KRA's storage cert + payload encrypted/wrapped with the payload key | private user key wrapped with source storage key | private user key wrapped with target storage key |
| requestId | Request ID | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |
| serialno | Serial number of the key | [source length in digits][source serialno] | [target length in digits][(source serialno + target_uid_offset)] |

Key Requests

  • CA enrollment request:

| Attribute | Source value | Target value |
| --- | --- | --- |
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-keyrecord | source extdata-keyrecord | (source extdata-keyrecord + target_uid_offset) |
| extdata-requestid | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | comments (generally empty) | comments + [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |


  • CA recovery request:

| Attribute | Source value | Target value |
| --- | --- | --- |
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-requestid | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | attribute not present in the source entry | [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] (attribute is added) |
| extdata-serialnumber | source extdata-serialnumber | (source extdata-serialnumber + target_uid_offset) |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |


  • TPS netkeyKeygen request:

| Attribute | Source value | Target value |
| --- | --- | --- |
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-keyrecord | source extdata-keyrecord | (source extdata-keyrecord + target_uid_offset) |
| extdata-requestid | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | attribute not present in the source entry | [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] (attribute is added) |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |


  • TPS recovery request:

| Attribute | Source value | Target value |
| --- | --- | --- |
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-requestid | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | attribute not present in the source entry | [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] (attribute is added) |
| extdata-serialnumber | source extdata-serialnumber | (source extdata-serialnumber + target_uid_offset) |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |


  • TPS netkeyKeyRecovery request:

| Attribute | Source value | Target value |
| --- | --- | --- |
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-requestid | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | attribute not present in the source entry | [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] (attribute is added) |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |


Key Record

  • CA keyrecord:

| Attribute | Source value | Target value |
| --- | --- | --- |
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| privateKeyData | private user key wrapped with source storage key | private user key wrapped with target storage key |
| serialno | [source length in digits][source serialno] | [target length in digits][(source serialno + target_uid_offset)] |


  • TPS keyrecord:

| Attribute | Source value | Target value |
| --- | --- | --- |
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| privateKeyData | private user key wrapped with source storage key | private user key wrapped with target storage key |
| serialno | [source length in digits][source serialno] | [target length in digits][(source serialno + target_uid_offset)] |
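The configuration-gated ID offset pass described in the KRATool Config file section and laid out in the field tables above, as an added Python example; it is not part of this page or of KRATool itself. It parses a KRATool.cfg-style flag list and a KRA LDIF export, then renumbers cn, the cn RDN of the dn, extdata-keyrecord, extdata-requestid and the length-prefixed requestId and serialno, refreshes dateOfModify and appends the offset note to extdata-requestnotes (adding the attribute where the source entry has none), while attributes with no flag, such as modifyTimestamp, are copied through untouched. Everything the page does not state is an assumption: the length prefix is taken to be two zero-padded digits; entries are recognised by their requestId/requestType or serialno plus privateKeyData attributes, and only enrollment requests and key records are modelled (other request types raise); the config key names caKeyRecord.* and caEnrollmentRequest.extdata.requestId, the DN shape cn=<id>,..., and the sample LDIF and configuration are constructed. Rewrapping of privateKeyData is not shown, since it needs the source storage token.

```python
"""KRATool-style ID-offset pass over KRA LDIF entries. Added example, not KRATool's code."""
import re
from datetime import datetime, timezone

FIELD_ATTR = {  # config field -> lower-cased LDAP attribute; anything else (e.g. modifyTimestamp) is never touched
    "cn": "cn", "dn": "dn", "dateOfModify": "dateofmodify", "serialno": "serialno",
    "requestId": "requestid", "extdata.keyRecord": "extdata-keyrecord",
    "extdata.requestId": "extdata-requestid", "extdata.requestNotes": "extdata-requestnotes"}

def parse_config(text):  # kratool.ldif.<recordType>.<field>=true|false  ->  {key: bool}
    pairs = [l.partition("=") for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return {k.strip(): v.strip().lower() == "true" for k, _, v in pairs}

def parse_ldif(text):  # entries as lists of (attr, value, is_base64); folded lines are joined
    entries, cur = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(("#", "version:")):
            continue
        if raw.startswith(" ") and cur:                    # continuation of the previous value
            cur[-1] = (cur[-1][0], cur[-1][1] + raw[1:], cur[-1][2])
        elif not raw.strip():                              # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = []
        else:
            attr, sep, rest = raw.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {raw!r}")
            b64 = rest.startswith(":")                     # 'attr:: base64value'
            cur.append((attr, rest.lstrip(":").strip(), b64))
    return entries

def encode_prefixed(n):  # [length in digits][value]; the 2-digit zero-padded length is an assumption
    return f"{len(str(n)):02d}{n}"

def decode_prefixed(s):
    if len(s) < 3 or not s.isdigit() or len(s) - 2 != int(s[:2]):
        raise ValueError(f"not a length-prefixed number: {s!r}")
    return int(s[2:])

def shift_id(value, offset, append):
    if not append and int(value) < offset:                 # never renumber into a negative ID
        raise ValueError(f"ID {value} does not carry offset {offset}")
    return int(value) + offset if append else int(value) - offset

def classify(entry):  # record-type name used in the config keys, or None for any other entry
    attrs = {a.lower(): v for a, v, _ in entry}
    if "requestid" in attrs and attrs.get("requesttype") != "enrollment":
        raise ValueError("only enrollment requests are modelled in this example")
    return ("caEnrollmentRequest" if "requestid" in attrs else          # name taken from the page
            "caKeyRecord" if "serialno" in attrs and "privatekeydata" in attrs else None)  # assumed name

def apply_offset(entry, flags, offset, append=True, stamp=None):
    kind = classify(entry)
    if kind is None:
        return list(entry)
    on = {a for f, a in FIELD_ATTR.items() if flags.get(f"kratool.ldif.{kind}.{f}")}
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    note = f"[{'APPENDED' if append else 'REMOVED'} OFFSET OF {offset}]"
    sh = lambda v: str(shift_id(v, offset, append))
    rules = {"dn": lambda v: re.sub(r"^cn=(\d+),", lambda m: f"cn={sh(m[1])},", v),  # leading RDN cn=<id> assumed
             "cn": sh, "extdata-keyrecord": sh, "extdata-requestid": sh, "dateofmodify": lambda v: stamp,
             "requestid": lambda v: encode_prefixed(sh(decode_prefixed(v))),  # length prefix recomputed
             "serialno": lambda v: encode_prefixed(sh(decode_prefixed(v))),
             "extdata-requestnotes": lambda v: f"{v} {note}".strip()}
    out = [(a, rules[a.lower()](v) if a.lower() in on else v, b) for a, v, b in entry]
    if "extdata-requestnotes" in on and all(a.lower() != "extdata-requestnotes" for a, _, _ in entry):
        out.append(("extdata-requestnotes", note, False))  # recovery requests carry no notes: add one
    return out

def process_ldif(ldif_text, config_text, offset, append=True, stamp=None):
    flags = parse_config(config_text)
    out = [apply_offset(e, flags, offset, append, stamp) for e in parse_ldif(ldif_text)]
    return "\n\n".join("\n".join(f"{a}{':: ' if b else ': '}{v}" for a, v, b in e) for e in out) + "\n"

# Constructed sample input (not real KRA data); extdata.requestId and caKeyRecord.* keys are assumed, privateKeyData is a placeholder.
SAMPLE_CONFIG = "\n".join(f"kratool.ldif.{k}=true" for k in [
    "caEnrollmentRequest.cn", "caEnrollmentRequest.dn", "caEnrollmentRequest.dateOfModify", "caEnrollmentRequest.requestId",
    "caEnrollmentRequest.extdata.keyRecord", "caEnrollmentRequest.extdata.requestId", "caEnrollmentRequest.extdata.requestNotes",
    "caKeyRecord.cn", "caKeyRecord.dn", "caKeyRecord.dateOfModify", "caKeyRecord.serialno"])
SAMPLE_LDIF = """\
dn: cn=10,ou=kra,ou=requests,o=pki-tomcat-KRA
cn: 10
requestId: 0210
requestType: enrollment
dateOfModify: 20240105120000Z
modifyTimestamp: 20240105120000Z
extdata-keyrecord: 7
extdata-requestid: 10
extdata-requestnotes: imported from legacy KRA

dn: cn=7,ou=keyRepository,ou=kra,o=pki-tomcat-KRA
cn: 7
serialno: 017
dateOfModify: 20240105120000Z
privateKeyData:: b3BhcXVlLXdyYXBwZWQta2V5
 LXBsYWNlaG9sZGVy
"""
```

process_ldif(SAMPLE_LDIF, SAMPLE_CONFIG, 100000000000) returns the target LDIF: request 10 becomes cn=100000000010 with requestId 12100000000010 (the prefix grows from 02 to 12), key record 7 becomes serialno 12100000000007, the wrapped key bytes and modifyTimestamp are unchanged, and the notes read "imported from legacy KRA [APPENDED OFFSET OF 100000000000]". Running the result back through with append=False and the same offset restores the original IDs, and the tool refuses with a ValueError when an ID is smaller than the offset being removed, which is the check to have before -remove_id_offset is run against an export that never had the offset applied. Flipping a field's flag to false leaves that attribute alone while the others are still renumbered.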


References