Migrate KMIP Managed Objects from Data Security Manager
This document provides instructions to migrate KMIP managed objects from a Data Security Manager (DSM) to the CipherTrust Manager using the client utility.
Note
Currently, the CipherTrust Manager supports migration of the following KMIP managed objects:
Certificate
Opaque Object
Public Key
Symmetric Key
Private Key
Secret Data
Note
Currently, the CipherTrust Manager does not support migration of the following KMIP managed objects:
Template
SplitKey
PGPKey
You can also migrate KMIP accessible agent keys using the CipherTrust Manager ksctl to restore a DSM backup file.
KMIP accessible agent keys are the only type of DSM object which can be migrated through both the client utility and ksctl. Both methods are idempotent, so migrating the same key object twice does not overwrite the key on CipherTrust Manager.
Prerequisites
DSM version 6.4.3 or higher
CipherTrust Manager 2.3.0 or higher
Ubuntu or RHEL to run the migration utility
Client Utility (kmip-migration-utility-linux-amd64) and migration configuration file (migration.cfg) placed in the same folder on the Ubuntu/RHEL machine
Certificate and key file required to connect migration utility with DSM KMIP port. Refer to DSM Configuration.
One DSM KMIP Agent License should be assigned to the migration utility on the DSM appliance
Note
If you do not have a DSM KMIP Agent license available internally, contact your Account team. They can provide you a temporary license.
Recommendations
This is a list of recommendations and precautionary measures for a successful migration:
Create a backup of CipherTrust Manager and DSM server before initiating the migration process. If migration is not successful or there is any loss of data, then the user can restore the data using this backup.
Ensure no operations are being performed on DSM during the migration process to avoid any conflict.
The DSM appliance, CipherTrust Manager, and the KMIP migration utility – all must be connected to an active Internet connection, preferably on the same network to minimize network latency and improved performance.
Understanding the Architectural Differences and Similarities
In DSM and CipherTrust Manager, domains are used for logically organizing and managing KMIP managed objects. Domains restrict the use of keys and security objects within the user and clients (for CipherTrust Manager) and hosts (for DSM) that belong to the domain.
During migration, the client utility transfers the KMIP managed objects within a domain from DSM to the specified domain in the CipherTrust Manager. The domain name can be specified in the configuration file.
Supported KMIP attributes in CipherTrust Manager
| Supported Attributes | Supported Attributes | Supported Attributes |
|---|---|---|
| Activation Date | Cryptographic Parameters | Link |
| Alternate Name | Cryptographic Usage Mask | Name |
| Application Specific Information | Custom Attribute | Object Type |
| Compromise Date | Deactivation Date | Process Start Date |
| Compromise Occurrence Date | Destroy Date | Protect Stop Date |
| Contact Information | Digest Attribute | Revocation Reason |
| Cryptographic Algorithm | Fresh Attribute | State |
| Cryptographic Domain Parameters | Initial Date | Unique Identifier |
| Cryptographic Length | Last Change Date | Usage Limits |
Note
CipherTrust Manager supports KMIP version 1.4
Supported attributes are stored in the object’s metadata as per KMIP specifications on CipherTrust Manager. It also stores the attributes that are exclusively supported by DSM only. For more information on the above listed attributes, refer to the OASIS KMIP Documentation.
Note
For Opaque Objects, the supported attributes are:
ID
Data Type
Data Value
Other opaque object attributes are stored in the object’s metadata.
The
Structuretype values of custom attributes are not supported.If you're using the KMIP migration utility version 2.1 or higher, KMIP 2.0 spec attributes are stored in the object's metadata on CipherTrust Manager. For example, Protection Storage Mask.
Note
The client utility can migrate objects of only one DSM domain to the CipherTrust Manager. If migrating objects across multiple domains is required, the client utility must be configured and executed individually for each domain.
Note
If no domain is specified in the configuration file during migration, the migration of the KMIP objects from DSM will be mapped to the root domain of the CipherTrust Manager.
Note
Objects migrated from the DSM to CipherTrust Manager will have a prefix dsm- in their names on the CipherTrust Manager to identify them uniquely.
Migration Steps
Pre-Migration
Perform the following pre-migration configuration:
Unzip the migration package at some location in Ubuntu/RHEL machine. The unzipped package contains the following files:
Read Me file (Readme.txt)
Client Utility (kmip-migration-utility-linux-amd64)
Sample Configuration File (sample.cfg)
Migration Configuration File (migration.cfg)
Configuring DSM
Note
If you are not familiar with the DSM appliance, it is strongly advised to refer to the DSM User Manual for related information and instructions before performing these steps.
a. Create a backup of DSM.
b. Make sure that KMIP is configured and enabled for the host in that domain and DSM KMIP trusted CA is added.
Note
The same set of certificate and key will be used in KMIP migration utility. You can set these in the migration.cfg by providing the path where your certificate and key exsists.
KEYSOURCE_CERT_FILE=/home/cert.pem
KEYSOURCE_KEY_FILE=/home/key.pem
Configuring CipherTrust Manager
Note
If you are not familiar with CipherTrust Manager appliance, it is strongly advised to refer to its documentation for related information and instructions, before performing these steps. These steps can only be performed by a user with administrator privileges, and are explained in detail in next sections.
a. Create a backup of the CipherTrust Manager.
b. Create a domain on CM where the object will be migrated. In case no domain is created, the object will be will be migrated to root domain.
d. Create a User with the name that you want to set as the owner of the object to be migrated.
e. Provide permission to this User to perform key management operations. You can do this by adding this User to the
Key AdminsandKey Usersgroups.Prepare migration configuration file
Open the migration configuration (migration.cfg) file. You need to update the following fields:
CipherTrust Manager Configuration
Configuration Field Description CM_IP Specify the IP address of the CipherTrust Manager. CM_CONNECTION Specify the name of the connection. Default value is Local. CM_DOMAIN Specify the name of the domain. CM_KEY_OWNER_ID Specify the owner of the keys to be migrated on the CipherTrust Manager. This user will be owner of the KMIP managed objects migrated from the DSM. It is a mandatory field.
The CM_KEY_OWNER_ID can be specified in thelocal|<user-id>format.DSM Configuration
Configuration Field Description KEYSOURCE_IP Specify the IP address of the DSM appliance. KEYSOURCE_KMIP_PORT Specify the KMIP port for the DSM appliance. KEYSOURCE_BATCH_SIZE Specify the batch size. Default value is 100.
Note: Batch size is the number of items to be migrated in one iteration. This is useful in cases where network connection is slow or erratic. It is recommended to use a value equal to or less than 1000 in this field.KEYSOURCE_TOTAL_ITEMS Specify the total number of items that you wish to migrate. Default value is 20000. KEYSOURCE_CERT_FILE Specify path of the DSM client’s certificate file (.pem format). If you do not have an existing certificate, you can create a new certificate and use the same on DSM to connect to the KMIP utilty. Refer to Generating the Certificates. KEYSOURCE_KEY_FILE Specify path of the DSM client’s key file (.key format). If you do not have an existing key, you can create a new key while creating the certificate and use the same on DSM to connect to the KMIP utilty. Refer to Generating the Certificates. THREADS CipherTrust Manager supports multithreading while migration of objects from DSM. Specify the number of threads you want to utilize depending on your hardware configuration and network latency.
Recommended value for this variable is 5, but if there are frequent issues/errors related to the connectivity, then decrease its value.
Running the Client Migration Utility
Use one of the following commands to run the client migration utility:
If you want to migrate all types of managed objects, run:
./kmip-migration-utility-linux-amd64
If you want to migrate a specific type of managed object, run:
./kmip-migration-utility-linux-amd64 –-objects "<object name>"
Example: To migrate symmetric keys only
./kmip-migration-utility-linux-amd64 --objects "Symmetric Key"
If you want to migrate more than one type of managed objects, run:
./kmip-migration-utility-linux-amd64 –-objects "<Object-Name1>, <Object-Name2>"
Example: To migrate only public keys and certificates
./kmip-migration-utility-linux-amd64 --objects "Public Key,Certificate"
If you want to migrate multiple objects using their UUIDs, then create a file and mention the respective UUIDs in it, one entry per line. Use the following command:
./kmip-migration-utility-linux-amd64 –-filename <filename>
Example: To migrate KMIP managed objects whose UUIDs are mentioned in uuid_list.txt, run:
./kmip-migration-utility-linux-amd64 –-filename uuid_list.txt
The utility will prompt you for following inputs:
- CipherTrust Manager Username and Password.
Enter the login credentials of the user with administrator privileges.
- Permission to initiate the migration.
PressYesorYto proceed.
It might take some time to migrate all the KMIP objects. You can view the migration logs to monitor the migration status. After successful migration, the client utility closes.
Note
Migration logs can be viewed in the kmip-migration.log file.
Note
After migration, the Fresh Attribute, Custom Attribute, Application Specific Information, and Digest Attribute get stored in the Key metadata.
Post-Migration
After successful migration, the client can perform all the KMIP operations on the migrated objects. For additional steps required for the KMIP client to communicate with the CipherTrust Manager, refer to the Integration Guide for the respective client, available on Thalesdocs.
Limitations
The client utility can migrate objects of only one DSM domain to the CipherTrust Manager at a time.
LDAP users are not supported.
Appendix
Generating the Certificates
This section provides information to generate the Client Certificate, Key, and CA (Optional).
Note
If you already have an existing CA, you can use the same to generate the client certificate and key or else you can create a new CA by executing the command mentioned below
Sample Command:
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -out user.key 2048
openssl req -new -key user.key -out user.csr
openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt
Creating KMIP client on DSM
Create a user with all privileges.
Note
If you already have a DSM KMIP Agent license available, skip Step 2 or contact your Account team. They can provide you a temporary license.
Upload KMIP license. Navigate to System > License > Upload KMIP license.
Create Domain, enable KMIP, and assign created user.
Logout and login again with the User created above. Navigate to System > Upload KMIP trusted CA. Upload the root CA from which client certificate and private key is created.
Switch domain. Navigate to Hosts > Add hosts. Ensure Host name to be equal to value of CN in client certificate. Select the KMIP check box. Select the Communication enabled check box. Click Import KMIP Certificate to upload the client certificate.
Use the above created KMIP client to communicate to the KMIP utility through 5696 KMIP port.
Troubleshooting
This section includes the errors you may face while migrating from DSM to CipherTrust Manager. This is not an exhaustive list.
Configuration Related Errors
| Error String | Possible Cause | Remediation |
|---|---|---|
| Error loading configuration | Configuration file is either missing or not readable. | Validate migration.cfg |
| Failed to get username and password | CipherTrust Manager username or password was not specified. | Re-run the migration utility and provide CipherTrust Manager username and password when prompted. |
| Error loading logging configuration | FLUME variable in migration.cfg is tampered with. | Restore the default variable value from sample.cfg. |
Migration Related Errors
| Error String | Possible Cause | Remediation |
|---|---|---|
| Cannot Initialize DSM handler : <reason of error> | Configuration error with DSM. Reason is suffixed to the error. | Recheck DSM configuration – check configured parameters and their values for spaces, special characters, wrap in double quotes. |
| Cannot Initialize CipherTrust Manager handler : <reason of error> | Configuration error with CipherTrust Manager. Reason is suffixed to the error. | Recheck CipherTrust Manager configuration – check configured parameters and their values for spaces, special characters, wrap in double quotes. |
| Failed to locate objects on DSM: <reason of error> | DSM is unreachable or inaccessible by the client. Reason is suffixed to the error. | Check connection to DSM or the validity of the client certificate. |
| Cannot parse certificate | Issue with certificate/key file. | Check the format and path of certificate and key file. If issue still persists, download the certificate again or create a new set of certificate and key. |
| Cannot connect to DSM | DSM is unreachable or it is rejecting the certificates. | Check the client certificates and network, then try again. |
Failed to fetch object with UUID // for UUID passed in the file using flag filename | Object not found on DSM (object does not exist or does not belong to the group of client). | Check if the object UUID passed is part of the group which the DSM client belongs to. |
| Failed to fetch object from DSM with ID <uuid> -- Retrying : Error | One of the get attribute request failed with DSM | 5 attempts are made for getting attributes. The error can be ignored if the request is returned successfully in a later attempt. |
| Failed to fetch object from DSM with ID: %s -- Retries Failed | Upon a failure, exponential back off with 5 attempts is setup. If all attempts fail, then this error is logged. | Inspect for the reason behind the error while retrying. |
| Key Format is not compatible with Algorithm | The key format and algorithm in use is not supported by CipherTrust Manager. | Object that are not supported by CipherTrust Manager cannot be migrated. |
| Failed to create link | The link is source to the destination. This implies that either source or destination object did not migrate successfully. | Link is created after successful migration of objects. Try the migration process again to resolve the error. |
