Migrate from CCKM Appliance
This section describes steps to export migration data from a CCKM Appliance to CCKM on a CipherTrust Manager (referred to as CCKM Embedded).
Before proceeding with migration:
Note that the origin of migrated keys might not match between the CCKM Embedded and CCKM Appliance due to different terminologies used by these solutions.
Pause all the schedules in the CCKM Appliance until the migration is complete, otherwise, the CCKM Appliance and CipherTrust Manager might have data mismatch after migration. After the migration is successful, you should enable all the schedules on the CipherTrust Manager.
Ensure the CCKM Appliance is in sync with the configured clouds.
If the CCKM Appliance is in a cluster, you need to perform migration only on any one node.
Minimum Supported Versions
CCKM Appliance 1.10.4
Data Security Manager 6.4.3
Note
Data Security Manager (DSM) is EOL as of June 2024 and its support as a key source is being deprecated.
CipherTrust Manager 2.13.0
Supported Clouds
The migration only supports AWS Cloud, Azure Cloud, Google Cloud, Salesforce, and Salesforce Sandbox data.
Note
Migration of IBM Cloud and Salesforce Government Cloud data is not supported.
Prerequisites
CCKM Appliance is configured with a supported version of key source (DSM or CipherTrust Manager)
IP address, admin credentials, and SSL certificate of the CCKM Appliance
CCKM Appliance is accessible from the CipherTrust Manager. By default, the CipherTrust Manager connects to the CCKM Appliance on port 443. If the CCKM Appliance is not running on the default port (443), you need to specify the custom port along with the IP address in the steps described below.
DSM servers are accessible from the CipherTrust Manager
The CipherTrust Manager is backed up (for rollback, if required)
Scenarios
1. Migrate cloud keys with DSM as key source, move source keys to a local CM
The steps below apply to root domain only. To perform migration on a child domain, refer to Migration from CCKM Appliance to Child Domain.
Generate RSA Key Pair
Exporting migration data from CCKM Appliance requires an RSA key pair (public and private) on the CipherTrust Manager. The public key is used to encrypt the data while the private key is used to decrypt the exported data.
To generate an RSA key pair, run the ksctl keys create
command:
./ksctl-linux-amd64 keys create --name <rsa-key-name> --alg <key-algorithm> --size <key-size>
Here,
--name
: Name for RSA key pair.--alg
: Algorithm for the RSA key pair.--size
: Size for the key pair.
Example:
./ksctl-linux-amd64 keys create --name rsa-key --alg RSA --size 4096
Output:
{
"id": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"uri": "kylo:kylo:vault:keys:rsa-key-v0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.519466Z",
"name": "rsa-key",
"updatedAt": "2021-05-07T03:55:47.519466Z",
"usage": "sign",
"usageMask": 3,
"meta": {
"ownerId": "local|5e3b45c6-6f26-4413-9752-e6fd15418a61"
},
"version": 0,
"algorithm": "RSA",
"size": 4096,
"unexportable": false,
"undeletable": false,
"neverExported": true,
"neverExportable": false,
"emptyMaterial": false,
"publickey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwfd4fDEgdJydUPOkPpAL\nriQW+IpwM9oSte//pv45UXpw0wkag1FbSmEUQQMf02KdRW5so+4jrkX44gQhmDTA\namrpijweJa0HzkaqnTkMtCUtFP9nbx33JiWRSYSKqXsEJho+P9SqXz45uxf7iis5\n4NF0SpZSIYi3COH4xtJ7hK+6BXbLXBZHVpfQ6LN8p/+WDwcIIkSyWGQxj4V0xTwV\nfNBNoQrXvanrEX+nide28vuX1bJ1UzglhUwcFT12VZL8KIrkviCKMwkBNIuuiXgh\nbtYGBy84ZbPjREgaodbaU45vj38/dpusL75Q2hkUdv5mYvTqN+OPVbJrTTQFzGfw\nM3Pt86iBFfu3XH/ZMH4dbV3HHXJP7+mHI3cOhUlvojwx9hnKygn3fY4Darx/N0yr\niCp6Sz7FI3sExAAIeF+AJ7zqyXK6a/NGve5gAqt1w3fnOYIFeD8f6oXOYBFFniu3\n3uX//4WcNdgyTXKXhDsZAtaLqmHv9jIwGZ0pTlj8xefZPbkoDNON3uC92b0tzI7F\n7+IqOiEf5bg4huU/EJh8emYgU8mPZGpwPtPVUFiKmOY7EbvHS1C6RIqRE1hnCZAa\nZSMup6LLzZGvk6SM0339c5gDJuS+kGkYK/fOwuWJ7qO5m+T/27J1IoNna6JuZ9el\nZDMxs7Rqj4cdezaa3CTV4l8CAwEAAQ==\n-----END PUBLIC KEY-----\n",
"defaultIV": "78f83dddc0ee01a2ab3ff579c908a33a",
"sha1Fingerprint": "878bcd84e81c4170",
"sha256Fingerprint": "c9c2d321b21d34a3e82460df8839e55f3ebca977766658d830d5100fb29bed75",
"objectType": "Private Key",
"activationDate": "2021-05-07T03:55:43.229267Z",
"state": "Active",
"aliases": [
{
"alias": "rsa-key",
"type": "string",
"index": 0
}
],
"links": [
{
"id": "6dc578f7-1864-43a7-899a-5035d54f1772",
"uri": "kylo:kylo:vault:links:6dc578f7-1864-43a7-899a-5035d54f1772",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.531762Z",
"updatedAt": "2021-05-07T03:55:47.531762Z",
"type": "publicKey",
"source": "kylo:kylo:vault:keys:rsa-key-v0",
"sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"target": "kylo:kylo:vault:keys:rsa-key-pub-v0",
"targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395",
"index": 0
}
],
"uuid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3",
"muid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3e129ed33-317d-4584-9cbf-d0e882f58fca"
}
In the sample output above, "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1"
is the private key ID. The "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395"
under "links"
is the public key ID, which is used to download the export file.
Download Export File
As a CipherTrust Manager administrator, download the migration data (the export file) from the CCKM Appliance. This file contains migration data to be uploaded to CCKM Embedded.
Run the command:
./ksctl-linux-amd64 migrations download --cckm-host "<cckm-ip-or-hostname>" --cckm-user "<cckm-user>" --cckm-certificate "<certificate-file-content>" --public-key-id "<public-key-id>"
Here,
--cckm-host
: IP address or hostname of the CCKM Appliance.--cckm-user
: Admin user of the CCKM Appliance.--cckm-certificate
: SSL certificate downloaded from the CCKM Appliance.By default, the content of the SSL certificate spans over multiple new lines. However, to input the certificate as an inline argument, the certificate content needs to be converted into the single-line format where every new line is represented by
\n
.To covert the certificate into the single-line format:
Download the certificate in a file (say
certificate.cert
).Store the certificate file at a location on your machine, for example, at
/root/cert/
.Run the following command:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <full-path-to-certificate-file>
For example, to convert your certificate file (
/root/cert/certificate.cert
), run the command:awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /root/cert/certificate.cert
The above command returns the certificate in the single-line format, as shown below:
-----BEGIN CERTIFICATE-----\nMIIDhjCCAm6gAwIBAgIGCBPpf2sUMA0GCSqGSIb3DQEBDAUAMC8xIDAeBgNVBAMT\nF0NHIENBIFMgb24gcGt2LWNsdXN0ZXIxMQswCQYDVQQGEwJVUzAeFw0yMTAzMDMw\nNzI0MDVaFw0zMTAzMDQwNzI0MDVaMCQxFTATBgNVBAMTDHBrdi1jbHVzdGVyMTEL\nMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOh14c\nhxamUh7eO/TzdS016djkaL8x1a/uljy8RediBA2W5Yrmm4sTBxO/PFZ0l+OwyzYe\n7VqsCG3P5+lsTiXw2VlXKT7qyiil7P8ParCoKt6v5fp6BjtDZzq7q3uG8daZqL4M\nKrAiI8rcGPDgsAex/kSPAB4di1AFjDDNv7SCiet5kWJq8YeTZEuwYa8rxLi2QEqJ\n4h/mHDqD35jNiSf4FRksWfUwtsY652XIfBvPdnwkpsA/+kENO4Aiuve9CSvyIBmR\nKaqBwnmYdQZaBJGFKEvjnARtSMMwCUlLxikQCiUk1BaW9H7f/WQUuNh7xManRb7w\ndNkhqAhSPyqgjz/TAgMBAAGjgbIwga8wFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEw\nDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0OBBYEFFnFr/+FuXPw\n02+F2es0v8/XeGvzkuy55dTO7SwhLGTKiuv5L2ADawGQmlNQ7thNUN2P\n-----END CERTIFICATE-----\n
Copy the returned single-line certificate content. You need to paste this content as the value for
--cckm-certificate
.
--public-key-id
: ID of the local (public) key of the RSA key pair generated in Generate RSA Key Pair.
The command prompts for the password. Enter the password of the CCKM Appliance user (cckm-user
).
Example:
./ksctl-linux-amd64 migrations download --cckm-host "127.0.0.1" --cckm-user "admin" --cckm-certificate "-----BEGIN CERTIFICATE-----\nMIIDhjCCAm6gAwIBAgIGCBPpf2sUMA0GCSqGSIb3DQEBDAUAMC8xIDAeBgNVBAMT\nF0NHIENBIFMgb24gcGt2LWNsdXN0ZXIxMQswCQYDVQQGEwJVUzAeFw0yMTAzMDMw\nNzI0MDVaFw0zMTAzMDQwNzI0MDVaMCQxFTATBgNVBAMTDHBrdi1jbHVzdGVyMTEL\nMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOh14c\nhxamUh7eO/TzdS016djkaL8x1a/uljy8RediBA2W5Yrmm4sTBxO/PFZ0l+OwyzYe\n7VqsCG3P5+lsTiXw2VlXKT7qyiil7P8ParCoKt6v5fp6BjtDZzq7q3uG8daZqL4M\nKrAiI8rcGPDgsAex/kSPAB4di1AFjDDNv7SCiet5kWJq8YeTZEuwYa8rxLi2QEqJ\n4h/mHDqD35jNiSf4FRksWfUwtsY652XIfBvPdnwkpsA/+kENO4Aiuve9CSvyIBmR\nKaqBwnmYdQZaBJGFKEvjnARtSMMwCUlLxikQCiUk1BaW9H7f/WQUuNh7xManRb7w\ndNkhqAhSPyqgjz/TAgMBAAGjgbIwga8wFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEw\nDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0OBBYEFFnFr/+FuXPw\n02+F2es0v8/XeGvzkuy55dTO7SwhLGTKiuv5L2ADawGQmlNQ7thNUN2P\n-----END CERTIFICATE-----\n" --public-key-id "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395"
Output:
CCKM enterprise user password:
File is downloading.
File downloaded successfully: migration_20210621143427.json
An export file named "migration_<TIMESTAMP>.json"
(for example, migration_20210621143427.json
) is created and downloaded to your machine.
Note
After downloading the migration data (the export file), open the file and check whether it contains a "containers"
tag at the beginning of the file.
Upload Export File
As a CipherTrust Manager administrator, upload the downloaded export file to CCKM Embedded.
Run the command:
./ksctl-linux-amd64 migrations upload --file <export-file-name>
Here,
--file
: Name of the export file.
Example:
./ksctl-linux-amd64 migrations upload --file migration_20210621143427.json
Output:
{
"id": "26304f13-5626-419b-bd81-459fda7fdb68",
"file_size": 21712358,
"created_at": "2021-05-07T04:55:33.251439962Z",
"checksum_sha256":"3e853d19e1d4a3687dfcf7bde5fc6bb192c19345462c5f4ae05c481acf26968b",
"product": "CCKM"
}
Note down the "id"
value, "26304f13-5626-419b-bd81-459fda7fdb68"
. It is required when applying the migration data. Now, you need to apply the migration data to CCKM Embedded (refer to Migrate Complete Data).
Apply Migration Data
The migration data can be applied to CCKM Embedded in two ways:
Note
In a clustered CipherTrust Manager environment, apply the migration data on one node only. Migrated data is automatically replicated to other nodes of the cluster.
After migration, all the source keys from DSM will be migrated to the current domain on the CipherTrust Manager (where the migration is being performed).
Even if you migrate specific KMS containers, all of the DSM source keys will be migrated.
After all the source keys are moved to the CipherTrust Manager, you can remove DSM from CCKM Embedded, if needed. Refer to Deleting DSM Domains and Deleting a DSM Connection.
Migrate Data of Set of Containers
This method requires a list of containers. After the exported file is uploaded to the CipherTrust Manager, you can get the list of containers and select the containers to be migrated.
To migrate the data of a set of containers:
List the migrated containers.
Run the command:
./ksctl-linux-amd64 migrations containers list –id <export-file-id>
Here,
--id
: ID of the uploaded export file. Refer to Upload Export File for the ID of the export file.
Example:
./ksctl-linux-amd64 migrations containers list --id 26304f13-5626-419b-bd81-459fda7fdb68
Output:
{ "Containers": [ { "id": "b10ba3f2-b835-485d-b09a-07d4c002ff97", "type": "aws", "name": "805182230944", "tenant": "805182230944" }, { "id": "0de664f3-7c70-4fae-9213-4e16bb99a4fc", "type": "aws", "name": "556782317223", "tenant": "556782317223" }, { "id": "3f2b09ba-485d-b835-b09a-07d4c002ff97", "type": "salesforce", "name": "0056A0000011XDvQAM", "tenant": "0056A0000011XDvQAM" }, { "id": "4f4b11ba-c385-456d-b09a-07d4c002ff97", "type": "salesforcesandbox", "name": "0056A0000011ABvZCM", "tenant": "0056A0000011ABvZCM" }, { "id": "0941754d-9cb9-4b32-a241-59f7a4703756", "type": "azure", "name": "pkv-premium", "tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10" } }
This command returns the list of containers with their IDs. From this list, you can select the containers to be migrated.
Select the desired containers to be migrated. In this example, we will migrate the containers with the IDs
"b10ba3f2-b835-485d-b09a-07d4c002ff97"
and"0941754d-9cb9-4b32-a241-59f7a4703756"
.Apply the migration to migrate the desired container.
Run the command:
./ksctl-linux-amd64 migrations apply --id <export-file-id> --private-key-id <private-key-id> --migrate-cckm-source-keys --containers "<container1-id>,<container2-id>,...,<containerN-id>"
Here,
--id
: ID of the uploaded export file. Refer to Upload Export File for the ID of the export file.--private-key-id
: ID of the private key of the RSA key pair. Refer to Generate RSA Key Pair for the private key ID.--migrate-cckm-source-keys
: Tag to migrate the source keys.--containers
: Comma-separated container IDs.
Example:
./ksctl-linux-amd64 migrations apply --id 26304f13-5626-419b-bd81-459fda7fdb68 --private-key-id b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1 --migrate-cckm-source-keys --containers "b10ba3f2-b835-485d-b09a-07d4c002ff97,0941754d-9cb9-4b32-a241-59f7a4703756",
Output:
{ "id": "26304f13-5626-419b-bd81-459fda7fdb68", "file_size": 22940401, "created_at": "2021-05-06T14:19:54.76812635Z", "status": "In progress", "checksum_sha256": "3386289c00e7e8bf7ad70a5ca12d0852913c0fb3a54f584c28460aa9cd65383e", "product": "CCKM" }
The container migration data is applied. It might take some time to complete. Verify the migration status. Refer to Check Migration Status for details.
Migrate Complete Data
To migrate the complete data, run the command:
./ksctl-linux-amd64 migrations apply --id <export-file-id> --private-key-id <private-key-id> --migrate-cckm-source-keys
Here,
--id
: ID of the uploaded export file. Refer to Upload Export File for the ID of the export file.--private-key-id
: ID of the private key of the RSA key pair. Refer to Generate RSA Key Pair for the private key ID.--migrate-cckm-source-keys
: Tag to migrate the source keys.
Example:
./ksctl-linux-amd64 migrations apply --id 26304f13-5626-419b-bd81-459fda7fdb68 --private-key-id b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1 --migrate-cckm-source-keys
Output:
{
"id": "26304f13-5626-419b-bd81-459fda7fdb68",
"file_size": 22940401,
"created_at": "2021-05-06T14:19:54.76812635Z",
"status": "In progress",
"checksum_sha256": "3386289c00e7e8bf7ad70a5ca12d0852913c0fb3a54f584c28460aa9cd65383e",
"product": "CCKM"
}
Check Migration Status
After you have applied the migration data, verify the migration status by running the ksctl migrations status
command.
Example:
./ksctl-linux-amd64 migrations status
Output:
{
"id": "9c9149ad-901b-405f-aefd-b279e6257f97",
"overall_status": "Completed",
"source": "CCKM",
"cckm_azure_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_sfdc_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_aws_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_dsm_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 }
}
In the sample output above, "overall_status": "Completed"
indicates that migration of CCKM Appliance to CCKM Embedded is successful. Also, verify that migration status of different clouds and key sources such as "cckm_azure_keys"
, "cckm_aws_keys"
, and "cckm_dsm_keys"
is "Completed"
.
In the output, "num_ignored"
indicates the number of Azure keys for which blobs are present on the DSM but the keys have been deleted.
After the migration status is "Completed"
, you can add connection to supported clouds to perform operations on the added data.
After migration, you can see the migrated keys on the Keys page of the CipherTrust Manager GUI. The migrated keys are added with the prefix Migration-DSM-
.
Add Connection
Add connection to the desired clouds on the CipherTrust Manager. Refer to Connection Manager for details on connection management.
Update Containers
After the connection is created, update connection in AWS KMS, Azure key vaults, Salesforce organizations, and Google key rings on the Containers tab. After the update, keys in supported clouds can be managed from CCKM Embedded.
For Salesforce, you also need to synchronize certificates and update endpoints linked with the organizations.
Synchronize certificates: After migration, the certificates linked with the cache-only keys and schedulers are not synchronized. You need to manually synchronize them on CCKM. Refer to Prepare the Cache-Only Key Integration for details.
Update endpoints: The endpoint URLs used in Named Credentials for cache-only keys before migration will not work after migration. This is because the Callout URL check performed by Salesforce while fetching the cache-only keys will fail. So, you need to update the endpoint URLs in Named Credential on Salesforce and create the same endpoints on CCKM.
Alternatively, you can create new endpoint URLs on Salesforce and CCKM and use them.
Refer to Prepare the Cache-Only Key Integration and Edit a Salesforce Cache-Only Key Endpoint for details.
2. Migrate cloud keys with DSM as key source, move source keys to an External CM
Migrate Source Keys from DSM to External CipherTrust Manager
To migrate the source keys from DSM to the external CipherTrust Manager:
Download the CLI tool (
ksctl
).Log on to the external CipherTrust Manager.
ksctl login --user <username> --password <password> --url <External CM URL> --days <number of days> --hours <number of hours> --yes --domain <domain-name-or-id>
Generate an RSA key pair and note down the private and public key IDs.
ksctl keys create --name <key name> --alg RSA --size 2048
Output:
{ "id": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1", "uri": "kylo:kylo:vault:keys:rsa-key-v0", "account": "kylo:kylo:admin:accounts:kylo", "application": "ncryptify:gemalto:admin:apps:kylo", "devAccount": "ncryptify:gemalto:admin:accounts:gemalto", "createdAt": "2021-05-07T03:55:47.519466Z", "name": "rsa-key", "updatedAt": "2021-05-07T03:55:47.519466Z", "usage": "sign", "usageMask": 3, "meta": { "ownerId": "local|5e3b45c6-6f26-4413-9752-e6fd15418a61" }, "version": 0, "algorithm": "RSA", "size": 4096, "unexportable": false, "undeletable": false, "neverExported": true, "neverExportable": false, "emptyMaterial": false, "publickey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwfd4fDEgdJydUPOkPpAL\nriQW+IpwM9oSte//pv45UXpw0wkag1FbSmEUQQMf02KdRW5so+4jrkX44gQhmDTA\namrpijweJa0HzkaqnTkMtCUtFP9nbx33JiWRSYSKqXsEJho+P9SqXz45uxf7iis5\n4NF0SpZSIYi3COH4xtJ7hK+6BXbLXBZHVpfQ6LN8p/+WDwcIIkSyWGQxj4V0xTwV\nfNBNoQrXvanrEX+nide28vuX1bJ1UzglhUwcFT12VZL8KIrkviCKMwkBNIuuiXgh\nbtYGBy84ZbPjREgaodbaU45vj38/dpusL75Q2hkUdv5mYvTqN+OPVbJrTTQFzGfw\nM3Pt86iBFfu3XH/ZMH4dbV3HHXJP7+mHI3cOhUlvojwx9hnKygn3fY4Darx/N0yr\niCp6Sz7FI3sExAAIeF+AJ7zqyXK6a/NGve5gAqt1w3fnOYIFeD8f6oXOYBFFniu3\n3uX//4WcNdgyTXKXhDsZAtaLqmHv9jIwGZ0pTlj8xefZPbkoDNON3uC92b0tzI7F\n7+IqOiEf5bg4huU/EJh8emYgU8mPZGpwPtPVUFiKmOY7EbvHS1C6RIqRE1hnCZAa\nZSMup6LLzZGvk6SM0339c5gDJuS+kGkYK/fOwuWJ7qO5m+T/27J1IoNna6JuZ9el\nZDMxs7Rqj4cdezaa3CTV4l8CAwEAAQ==\n-----END PUBLIC KEY-----\n", "defaultIV": "78f83dddc0ee01a2ab3ff579c908a33a", "sha1Fingerprint": "878bcd84e81c4170", "sha256Fingerprint": "c9c2d321b21d34a3e82460df8839e55f3ebca977766658d830d5100fb29bed75", "objectType": "Private Key", "activationDate": "2021-05-07T03:55:43.229267Z", "state": "Active", "aliases": [ { "alias": "rsa-key", "type": "string", "index": 0 } ], "links": [ { "id": "6dc578f7-1864-43a7-899a-5035d54f1772", "uri": "kylo:kylo:vault:links:6dc578f7-1864-43a7-899a-5035d54f1772", "account": "kylo:kylo:admin:accounts:kylo", "application": "ncryptify:gemalto:admin:apps:kylo", "devAccount": "ncryptify:gemalto:admin:accounts:gemalto", "createdAt": "2021-05-07T03:55:47.531762Z", "updatedAt": "2021-05-07T03:55:47.531762Z", "type": "publicKey", "source": "kylo:kylo:vault:keys:rsa-key-v0", "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1", "target": "kylo:kylo:vault:keys:rsa-key-pub-v0", "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395", "index": 0 } ], "uuid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3", "muid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3e129ed33-317d-4584-9cbf-d0e882f58fca" }
Download the migration data from the CCKM Appliance.
ksctl migrations download --cckm-host <cckm-host> --cckm-user <cckm-user> --cckm-certificate <cckm-certificate> --public-key-id <public-key-id>
Output:
CCKM enterprise user password: File is downloading. File downloaded successfully: migration_20210621143427.json
Upload the migration data to the CipherTrust Manager.
ksctl migrations upload --file <downloaded migrations filename>
Output:
{ "id": "26304f13-5626-419b-bd81-459fda7fdb68", "file_size": 21712358, "created_at": "2021-05-07T04:55:33.251439962Z", "checksum_sha256":"3e853d19e1d4a3687dfcf7bde5fc6bb192c19345462c5f4ae05c481acf26968b", "product": "CCKM" }
List all containers from the uploaded migration file.
ksctl migrations containers list --id <migrations file resource id>
Output:
{ "Containers": [ { "id": "b10ba3f2-b835-485d-b09a-07d4c002ff97", "type": "aws", "name": "805182230944", "tenant": "805182230944" }, { "id": "0de664f3-7c70-4fae-9213-4e16bb99a4fc", "type": "aws", "name": "556782317223", "tenant": "556782317223" }, { "id": "3f2b09ba-485d-b835-b09a-07d4c002ff97", "type": "salesforce", "name": "0056A0000011XDvQAM", "tenant": "0056A0000011XDvQAM" }, { "id": "4f4b11ba-c385-456d-b09a-07d4c002ff97", "type": "salesforcesandbox", "name": "0056A0000011ABvZCM", "tenant": "0056A0000011ABvZCM" }, { "id": "0941754d-9cb9-4b32-a241-59f7a4703756", "type": "azure", "name": "pkv-premium", "tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10" } }
Apply migration.
Note
In a clustered CipherTrust Manager environment, apply the migration data on one node only. Migrated data is automatically replicated to other nodes of the cluster.
After migration, all the source keys from DSM will be migrated to the current domain on the CipherTrust Manager (where the migration is being performed).
After all the source keys are moved to the CipherTrust Manager, you can remove DSM from CCKM Embedded, if needed. Refer to Deleting DSM Domains and Deleting a DSM Connection.
To apply the migration data, run the command:
ksctl migrations apply --id <migrations file resource id> --private-key-id <RSA private key id> --migrate-only-cckm-source-keys
Output:
{ "id": "26304f13-5626-419b-bd81-459fda7fdb68", "file_size": 22940401, "created_at": "2021-05-06T14:19:54.76812635Z", "status": "In progress", "checksum_sha256": "3386289c00e7e8bf7ad70a5ca12d08529 13c0fb3a54f584c28460aa9cd65383e", "product": "CCKM" }
Check the migration status.
ksctl migrations status
Output:
{ "id": "9c9149ad-901b-405f-aefd-b279e6257f97", "overall_status": "Completed", "source": "CCKM", "cckm_azure_keys": { "status": "Completed", "num_processed": 100, "num_failed": 0, "num_ignored": 0 }, "cckm_sfdc_keys": { "status": "Completed", "num_processed": 100, "num_failed": 0, "num_ignored": 0 }, "cckm_aws_keys": { "status": "Completed", "num_processed": 100, "num_failed": 0, "num_ignored": 0 }, "cckm_dsm_keys": { "status": "Completed", "num_processed": 100, "num_failed": 0, "num_ignored": 0 } }
Note
Run the
migrations apply
command with themigrate-only-cckm-source-keys
flag. Only the source keys from DSM will be migrated to the CipherTrust Manager without migrating cloud keys.The
migrate-only-cckm-source-keys
flag is optional and is applicable to the CCKM Appliance migrations only.
Migrate Cloud Keys to the CipherTrust Manager
Prerequisites for Migration
Source keys from DSM are migrated to the external CipherTrust Manager.
After migrating the DSM source keys to the external CM, assign the Key Admins permission to the client CM. Refer to Add the Client for details.
Migration Steps
To migrate the cloud keys to the CipherTrust Manager:
On the CipherTrust Manager
Configure the external CipherTrust Manager as a key source.
Add the external CipherTrust Manager connection. Refer to CM Connection/External CM.
Add the external CipherTrust Manager domains where the DSM source keys were migrated.
Refresh the CipherTrust domains added to the CipherTrust Manager.
Download the CLI tool (
ksctl
).Log on to the CipherTrust Manager.
ksctl login --user <username> --password <password> --url <CM URL> --days <number of days> --hours <number of hours> --yes --domain <domain-name-or-id>
Generate an RSA key pair and note down the private and public key IDs.
ksctl keys create --name <key name> --alg RSA --size 2048
Output:
{ "id": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1", "uri": "kylo:kylo:vault:keys:rsa-key-v0", "account": "kylo:kylo:admin:accounts:kylo", "application": "ncryptify:gemalto:admin:apps:kylo", "devAccount": "ncryptify:gemalto:admin:accounts:gemalto", "createdAt": "2021-05-07T03:55:47.519466Z", "name": "rsa-key", "updatedAt": "2021-05-07T03:55:47.519466Z", "usage": "sign", "usageMask": 3, "meta": { "ownerId": "local|5e3b45c6-6f26-4413-9752-e6fd15418a61" }, "version": 0, "algorithm": "RSA", "size": 4096, "unexportable": false, "undeletable": false, "neverExported": true, "neverExportable": false, "emptyMaterial": false, "publickey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwfd4fDEgdJydUPOkPpAL\nriQW+IpwM9oSte//pv45UXpw0wkag1FbSmEUQQMf02KdRW5so+4jrkX44gQhmDTA\namrpijweJa0HzkaqnTkMtCUtFP9nbx33JiWRSYSKqXsEJho+P9SqXz45uxf7iis5\n4NF0SpZSIYi3COH4xtJ7hK+6BXbLXBZHVpfQ6LN8p/+WDwcIIkSyWGQxj4V0xTwV\nfNBNoQrXvanrEX+nide28vuX1bJ1UzglhUwcFT12VZL8KIrkviCKMwkBNIuuiXgh\nbtYGBy84ZbPjREgaodbaU45vj38/dpusL75Q2hkUdv5mYvTqN+OPVbJrTTQFzGfw\nM3Pt86iBFfu3XH/ZMH4dbV3HHXJP7+mHI3cOhUlvojwx9hnKygn3fY4Darx/N0yr\niCp6Sz7FI3sExAAIeF+AJ7zqyXK6a/NGve5gAqt1w3fnOYIFeD8f6oXOYBFFniu3\n3uX//4WcNdgyTXKXhDsZAtaLqmHv9jIwGZ0pTlj8xefZPbkoDNON3uC92b0tzI7F\n7+IqOiEf5bg4huU/EJh8emYgU8mPZGpwPtPVUFiKmOY7EbvHS1C6RIqRE1hnCZAa\nZSMup6LLzZGvk6SM0339c5gDJuS+kGkYK/fOwuWJ7qO5m+T/27J1IoNna6JuZ9el\nZDMxs7Rqj4cdezaa3CTV4l8CAwEAAQ==\n-----END PUBLIC KEY-----\n", "defaultIV": "78f83dddc0ee01a2ab3ff579c908a33a", "sha1Fingerprint": "878bcd84e81c4170", "sha256Fingerprint": "c9c2d321b21d34a3e82460df8839e55f3ebca977766658d830d5100fb29bed75", "objectType": "Private Key", "activationDate": "2021-05-07T03:55:43.229267Z", "state": "Active", "aliases": [ { "alias": "rsa-key", "type": "string", "index": 0 } ], "links": [ { "id": "6dc578f7-1864-43a7-899a-5035d54f1772", "uri": "kylo:kylo:vault:links:6dc578f7-1864-43a7-899a-5035d54f1772", "account": "kylo:kylo:admin:accounts:kylo", "application": "ncryptify:gemalto:admin:apps:kylo", "devAccount": "ncryptify:gemalto:admin:accounts:gemalto", "createdAt": "2021-05-07T03:55:47.531762Z", "updatedAt": "2021-05-07T03:55:47.531762Z", "type": "publicKey", "source": "kylo:kylo:vault:keys:rsa-key-v0", "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1", "target": "kylo:kylo:vault:keys:rsa-key-pub-v0", "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395", "index": 0 } ], "uuid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3", "muid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3e129ed33-317d-4584-9cbf-d0e882f58fca" }
Download the migration data from the CCKM Appliance.
ksctl migrations download --cckm-host <cckm-host> --cckm-user <cckm-user> --cckm-certificate <cckm-certificate> --public-key-id <public-key-id>
Output:
CCKM enterprise user password: File is downloading. File downloaded successfully: migration_20210621143427.json
Upload the migration data to the CipherTrust Manager.
ksctl migrations upload --file <downloaded migrations filename>
Output:
{ "id": "26304f13-5626-419b-bd81-459fda7fdb68", "file_size": 21712358, "created_at": "2021-05-07T04:55:33.251439962Z", "checksum_sha256":"3e853d19e1d4a3687dfcf7bde5fc6bb192c19345462c5f4ae05c481acf26968b", "product": "CCKM" }
List all containers from the uploaded migration file.
ksctl migrations containers list --id <migrations file resource id>
Output:
{ "Containers": [ { "id": "b10ba3f2-b835-485d-b09a-07d4c002ff97", "type": "aws", "name": "805182230944", "tenant": "805182230944" }, { "id": "0de664f3-7c70-4fae-9213-4e16bb99a4fc", "type": "aws", "name": "556782317223", "tenant": "556782317223" }, { "id": "3f2b09ba-485d-b835-b09a-07d4c002ff97", "type": "salesforce", "name": "0056A0000011XDvQAM", "tenant": "0056A0000011XDvQAM" }, { "id": "4f4b11ba-c385-456d-b09a-07d4c002ff97", "type": "salesforcesandbox", "name": "0056A0000011ABvZCM", "tenant": "0056A0000011ABvZCM" }, { "id": "0941754d-9cb9-4b32-a241-59f7a4703756", "type": "azure", "name": "pkv-premium", "tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10" } }
Apply migration.
Note
In a clustered CipherTrust Manager environment, apply the migration data on one node only. Migrated data is automatically replicated to other nodes of the cluster.
To apply the migration data, run the command:
ksctl migrations apply --id <migrations file resource id> --private-key-id <RSA private key id> --migrate-cloudkeys-with-externalcm
Output:
{ "id": "26304f13-5626-419b-bd81-459fda7fdb68", "file_size": 22940401, "created_at": "2021-05-06T14:19:54.76812635Z", "status": "In progress", "checksum_sha256": "3386289c00e7e8bf7ad70a5ca12d0852913c0fb3a54f584c28460aa9cd65383e", "product": "CCKM" }
Check the migration status.
ksctl migrations status
Output:
{ "id": "9c9149ad-901b-405f-aefd-b279e6257f97", "overall_status": "Completed", "source": "CCKM", "cckm_azure_keys": { "status": "Completed", "num_processed": 100, "num_failed": 0, "num_ignored": 0 }, "cckm_sfdc_keys": { "status": "Completed", "num_processed": 100, "num_failed": 0, "num_ignored": 0 }, "cckm_aws_keys": { "status": "Completed", "num_processed": 100, "num_failed": 0, "num_ignored": 0 }, "cckm_dsm_keys": { "status": "Completed", "num_processed": 100, "num_failed": 0, "num_ignored": 0 } }
Note
Run the
migrations apply
command with themigrate-cloudkeys-with-externalcm
flag. Only the cloud keys will be migrated to the CipherTrust Manager without migrating the DSM source keys.The
migrate-cloudkeys-with-externalcm
flag is optional and is applicable to the CCKM Appliance migrations only.If the migration data contains Salesforce schedules, then after migration, update the external CM domain in the Salesforce schedules.
3. Migrate cloud keys but keep using DSM as key source
This section provides instructions to migrate only the cloud keys from a CCKM Appliance to a CipherTrust Manager. Before proceeding, read the prerequisites.
Note
The user who performs the migration becomes the owner of the migrated keys.
The steps above apply to the root domain only. To perform migration on a child domain, refer to Migration from CCKM Appliance to Child Domain.
Generate RSA Key Pair
Exporting migration data from CCKM Appliance requires an RSA key pair (public and private) on the CipherTrust Manager. The public key is used to encrypt the data while the private key is used to decrypt the exported data.
To generate an RSA key pair, run the ksctl keys create
command:
./ksctl-linux-amd64 keys create --name <rsa-key-name> --alg <key-algorithm> --size <key-size>
Here,
--name
: Name for RSA key pair.--alg
: Algorithm for the RSA key pair.--size
: Size for the key pair.
Example:
./ksctl-linux-amd64 keys create --name rsa-key --alg RSA --size 4096
Output:
{
"id": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"uri": "kylo:kylo:vault:keys:rsa-key-v0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.519466Z",
"name": "rsa-key",
"updatedAt": "2021-05-07T03:55:47.519466Z",
"usage": "sign",
"usageMask": 3,
"meta": {
"ownerId": "local|5e3b45c6-6f26-4413-9752-e6fd15418a61"
},
"version": 0,
"algorithm": "RSA",
"size": 4096,
"unexportable": false,
"undeletable": false,
"neverExported": true,
"neverExportable": false,
"emptyMaterial": false,
"publickey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwfd4fDEgdJydUPOkPpAL\nriQW+IpwM9oSte//pv45UXpw0wkag1FbSmEUQQMf02KdRW5so+4jrkX44gQhmDTA\namrpijweJa0HzkaqnTkMtCUtFP9nbx33JiWRSYSKqXsEJho+P9SqXz45uxf7iis5\n4NF0SpZSIYi3COH4xtJ7hK+6BXbLXBZHVpfQ6LN8p/+WDwcIIkSyWGQxj4V0xTwV\nfNBNoQrXvanrEX+nide28vuX1bJ1UzglhUwcFT12VZL8KIrkviCKMwkBNIuuiXgh\nbtYGBy84ZbPjREgaodbaU45vj38/dpusL75Q2hkUdv5mYvTqN+OPVbJrTTQFzGfw\nM3Pt86iBFfu3XH/ZMH4dbV3HHXJP7+mHI3cOhUlvojwx9hnKygn3fY4Darx/N0yr\niCp6Sz7FI3sExAAIeF+AJ7zqyXK6a/NGve5gAqt1w3fnOYIFeD8f6oXOYBFFniu3\n3uX//4WcNdgyTXKXhDsZAtaLqmHv9jIwGZ0pTlj8xefZPbkoDNON3uC92b0tzI7F\n7+IqOiEf5bg4huU/EJh8emYgU8mPZGpwPtPVUFiKmOY7EbvHS1C6RIqRE1hnCZAa\nZSMup6LLzZGvk6SM0339c5gDJuS+kGkYK/fOwuWJ7qO5m+T/27J1IoNna6JuZ9el\nZDMxs7Rqj4cdezaa3CTV4l8CAwEAAQ==\n-----END PUBLIC KEY-----\n",
"defaultIV": "78f83dddc0ee01a2ab3ff579c908a33a",
"sha1Fingerprint": "878bcd84e81c4170",
"sha256Fingerprint": "c9c2d321b21d34a3e82460df8839e55f3ebca977766658d830d5100fb29bed75",
"objectType": "Private Key",
"activationDate": "2021-05-07T03:55:43.229267Z",
"state": "Active",
"aliases": [
{
"alias": "rsa-key",
"type": "string",
"index": 0
}
],
"links": [
{
"id": "6dc578f7-1864-43a7-899a-5035d54f1772",
"uri": "kylo:kylo:vault:links:6dc578f7-1864-43a7-899a-5035d54f1772",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.531762Z",
"updatedAt": "2021-05-07T03:55:47.531762Z",
"type": "publicKey",
"source": "kylo:kylo:vault:keys:rsa-key-v0",
"sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"target": "kylo:kylo:vault:keys:rsa-key-pub-v0",
"targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395",
"index": 0
}
],
"uuid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3",
"muid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3e129ed33-317d-4584-9cbf-d0e882f58fca"
}
In the sample output above, "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1"
is the private key ID. The "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395"
under "links"
is the public key ID, which is used to download the export file.
Download Export File
As a CipherTrust Manager administrator, download the migration data (the export file) from the CCKM Appliance. This file contains migration data to be uploaded to CCKM Embedded.
Run the command:
./ksctl-linux-amd64 migrations download --cckm-host "<cckm-ip-or-hostname>" --cckm-user "<cckm-user>" --cckm-certificate "<certificate-file-content>" --public-key-id "<public-key-id>"
Here,
--cckm-host
: IP address or hostname of the CCKM Appliance.--cckm-user
: Admin user of the CCKM Appliance.--cckm-certificate
: SSL certificate downloaded from the CCKM Appliance.By default, the content of the SSL certificate spans over multiple new lines. However, to input the certificate as an inline argument, the certificate content needs to be converted into the single-line format where every new line is represented by
\n
.To covert the certificate into the single-line format:
Download the certificate in a file (say
certificate.cert
).Store the certificate file at a location on your machine, for example, at
/root/cert/
.Run the following command:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <full-path-to-certificate-file>
For example, to convert your certificate file (
/root/cert/certificate.cert
), run the command:awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /root/cert/certificate.cert
The above command returns the certificate in the single-line format, as shown below:
-----BEGIN CERTIFICATE-----\nMIIDhjCCAm6gAwIBAgIGCBPpf2sUMA0GCSqGSIb3DQEBDAUAMC8xIDAeBgNVBAMT\nF0NHIENBIFMgb24gcGt2LWNsdXN0ZXIxMQswCQYDVQQGEwJVUzAeFw0yMTAzMDMw\nNzI0MDVaFw0zMTAzMDQwNzI0MDVaMCQxFTATBgNVBAMTDHBrdi1jbHVzdGVyMTEL\nMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOh14c\nhxamUh7eO/TzdS016djkaL8x1a/uljy8RediBA2W5Yrmm4sTBxO/PFZ0l+OwyzYe\n7VqsCG3P5+lsTiXw2VlXKT7qyiil7P8ParCoKt6v5fp6BjtDZzq7q3uG8daZqL4M\nKrAiI8rcGPDgsAex/kSPAB4di1AFjDDNv7SCiet5kWJq8YeTZEuwYa8rxLi2QEqJ\n4h/mHDqD35jNiSf4FRksWfUwtsY652XIfBvPdnwkpsA/+kENO4Aiuve9CSvyIBmR\nKaqBwnmYdQZaBJGFKEvjnARtSMMwCUlLxikQCiUk1BaW9H7f/WQUuNh7xManRb7w\ndNkhqAhSPyqgjz/TAgMBAAGjgbIwga8wFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEw\nDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0OBBYEFFnFr/+FuXPw\n02+F2es0v8/XeGvzkuy55dTO7SwhLGTKiuv5L2ADawGQmlNQ7thNUN2P\n-----END CERTIFICATE-----\n
Copy the returned single-line certificate content. You need to paste this content as the value for
--cckm-certificate
.
--public-key-id
: ID of the local (public) key of the RSA key pair generated in Generate RSA Key Pair.
The command prompts for the password. Enter the password of the CCKM Appliance user (cckm-user
).
Example:
./ksctl-linux-amd64 migrations download --cckm-host "127.0.0.1" --cckm-user "admin" --cckm-certificate "-----BEGIN CERTIFICATE-----\nMIIDhjCCAm6gAwIBAgIGCBPpf2sUMA0GCSqGSIb3DQEBDAUAMC8xIDAeBgNVBAMT\nF0NHIENBIFMgb24gcGt2LWNsdXN0ZXIxMQswCQYDVQQGEwJVUzAeFw0yMTAzMDMw\nNzI0MDVaFw0zMTAzMDQwNzI0MDVaMCQxFTATBgNVBAMTDHBrdi1jbHVzdGVyMTEL\nMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOh14c\nhxamUh7eO/TzdS016djkaL8x1a/uljy8RediBA2W5Yrmm4sTBxO/PFZ0l+OwyzYe\n7VqsCG3P5+lsTiXw2VlXKT7qyiil7P8ParCoKt6v5fp6BjtDZzq7q3uG8daZqL4M\nKrAiI8rcGPDgsAex/kSPAB4di1AFjDDNv7SCiet5kWJq8YeTZEuwYa8rxLi2QEqJ\n4h/mHDqD35jNiSf4FRksWfUwtsY652XIfBvPdnwkpsA/+kENO4Aiuve9CSvyIBmR\nKaqBwnmYdQZaBJGFKEvjnARtSMMwCUlLxikQCiUk1BaW9H7f/WQUuNh7xManRb7w\ndNkhqAhSPyqgjz/TAgMBAAGjgbIwga8wFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEw\nDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0OBBYEFFnFr/+FuXPw\n02+F2es0v8/XeGvzkuy55dTO7SwhLGTKiuv5L2ADawGQmlNQ7thNUN2P\n-----END CERTIFICATE-----\n" --public-key-id "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395"
Output:
CCKM enterprise user password:
File is downloading.
File downloaded successfully: migration_20210621143427.json
An export file named "migration_<TIMESTAMP>.json"
(for example, migration_20210621143427.json
) is created and downloaded to your machine.
Note
After downloading the migration data (the export file), open the file and check whether it contains a "containers"
tag at the beginning of the file.
Upload Export File
As a CipherTrust Manager administrator, upload the downloaded export file to CCKM Embedded.
Run the command:
./ksctl-linux-amd64 migrations upload --file <export-file-name>
Here,
--file
: Name of the export file.
Example:
./ksctl-linux-amd64 migrations upload --file migration_20210621143427.json
Output:
{
"id": "26304f13-5626-419b-bd81-459fda7fdb68",
"file_size": 21712358,
"created_at": "2021-05-07T04:55:33.251439962Z",
"checksum_sha256":"3e853d19e1d4a3687dfcf7bde5fc6bb192c19345462c5f4ae05c481acf26968b",
"product": "CCKM"
}
Note down the "id"
value, "26304f13-5626-419b-bd81-459fda7fdb68"
. It is required when applying the migration data. Now, you need to apply the migration data to CCKM Embedded (refer to Migrate Complete Data).
Apply Migration Data
The migration data can be applied to CCKM Embedded in two ways:
Note
In a clustered CipherTrust Manager environment, apply the migration data on one node only. Migrated data is automatically replicated to other nodes of the cluster.
Migrate Data of Set of Containers
This method requires a list of containers. After the exported file is uploaded to the CipherTrust Manager, you can get the list of containers and select the containers to be migrated.
To migrate the data of a set of containers:
List the migrated containers.
Run the command:
./ksctl-linux-amd64 migrations containers list –id <export-file-id>
Here,
--id
: ID of the uploaded export file. Refer to Upload Export File for the ID of the export file.
Example:
./ksctl-linux-amd64 migrations containers list --id 26304f13-5626-419b-bd81-459fda7fdb68
Output:
{ "Containers": [ { "id": "b10ba3f2-b835-485d-b09a-07d4c002ff97", "type": "aws", "name": "805182230944", "tenant": "805182230944" }, { "id": "0de664f3-7c70-4fae-9213-4e16bb99a4fc", "type": "aws", "name": "556782317223", "tenant": "556782317223" }, { "id": "3f2b09ba-485d-b835-b09a-07d4c002ff97", "type": "salesforce", "name": "0056A0000011XDvQAM", "tenant": "0056A0000011XDvQAM" }, { "id": "4f4b11ba-c385-456d-b09a-07d4c002ff97", "type": "salesforcesandbox", "name": "0056A0000011ABvZCM", "tenant": "0056A0000011ABvZCM" }, { "id": "0941754d-9cb9-4b32-a241-59f7a4703756", "type": "azure", "name": "pkv-premium", "tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10" } }
This command returns the list of containers with their IDs. From this list, you can select the containers to be migrated.
Select the desired containers to be migrated. In this example, we will migrate the containers with the IDs
"b10ba3f2-b835-485d-b09a-07d4c002ff97"
and"0941754d-9cb9-4b32-a241-59f7a4703756"
.Apply the migration to migrate the desired container.
Run the command:
./ksctl-linux-amd64 migrations apply --id <export-file-id> --private-key-id <private-key-id> --containers "<container1-id>,<container2-id>,...,<containerN-id>"
Here,
--id
: ID of the uploaded export file. Refer to Upload Export File for the ID of the export file.--private-key-id
: ID of the private key of the RSA key pair. Refer to Generate RSA Key Pair for the private key ID.--containers
: Comma-separated container IDs.
Example:
./ksctl-linux-amd64 migrations apply --id 26304f13-5626-419b-bd81-459fda7fdb68 --private-key-id b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1 --containers "b10ba3f2-b835-485d-b09a-07d4c002ff97,0941754d-9cb9-4b32-a241-59f7a4703756",
Output:
{ "id": "26304f13-5626-419b-bd81-459fda7fdb68", "file_size": 22940401, "created_at": "2021-05-06T14:19:54.76812635Z", "status": "In progress", "checksum_sha256": "3386289c00e7e8bf7ad70a5ca12d0852913c0fb3a54f584c28460aa9cd65383e", "product": "CCKM" }
The container migration data is applied. It might take some time to complete. Verify the migration status. Refer to Check Migration Status for details.
Migrate Complete Data
To migrate the complete data, run the command:
./ksctl-linux-amd64 migrations apply --id <export-file-id> --private-key-id <private-key-id>
Here,
--id
: ID of the uploaded export file. Refer to Upload Export File for the ID of the export file.--private-key-id
: ID of the private key of the RSA key pair. Refer to Generate RSA Key Pair for the private key ID.
Example:
./ksctl-linux-amd64 migrations apply --id 26304f13-5626-419b-bd81-459fda7fdb68 --private-key-id b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1
Output:
{
"id": "26304f13-5626-419b-bd81-459fda7fdb68",
"file_size": 22940401,
"created_at": "2021-05-06T14:19:54.76812635Z",
"status": "In progress",
"checksum_sha256": "3386289c00e7e8bf7ad70a5ca12d0852913c0fb3a54f584c28460aa9cd65383e",
"product": "CCKM"
}
Check Migration Status
After you have applied the migration data, verify the migration status by running the ksctl migrations status
command.
Example:
./ksctl-linux-amd64 migrations status
Output:
{
"id": "9c9149ad-901b-405f-aefd-b279e6257f97",
"overall_status": "Completed",
"source": "CCKM",
"cckm_azure_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_sfdc_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_aws_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_dsm_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 }
}
In the sample output above, "overall_status": "Completed"
indicates that migration of CCKM Appliance to CCKM Embedded is successful. Also, verify that migration status of different clouds and key sources such as "cckm_azure_keys"
, "cckm_aws_keys"
, and "cckm_dsm_keys"
is "Completed"
.
In the output, "num_ignored"
indicates the number of Azure keys for which blobs are present on the DSM but the keys have been deleted.
After the migration status is "Completed"
, you can add connection to supported clouds and key sources to perform operations on the added data.
Add DSM Cluster Nodes
If your DSM was in a cluster before migration, then after migration, the DSM connection information will contain only the IP address or hostname with which your CCKM Appliance was configured.
To add other DSM cluster nodes, update the migrated DSM connection on the CipherTrust Manager. Refer to Adding Node in an Existing DSM Connection for details.
Add Connection
Add connection to the desired clouds on the CipherTrust Manager. Refer to Connection Manager for details on connection management.
Update Containers
After the connection is created, update connection in AWS KMS, Azure key vaults, Salesforce organizations, and Google key rings on the Containers tab. After the update, keys in supported clouds and key sources can be managed from CCKM Embedded.
For Salesforce, you also need to synchronize certificates and update endpoints linked with the organizations.
Synchronize certificates: After migration, the certificates linked with the cache-only keys and schedulers are not synchronized. You need to manually synchronize them on CCKM. Refer to Prepare the Cache-Only Key Integration for details.
Update endpoints: The endpoint URLs used in Named Credentials for cache-only keys before migration will not work after migration. This is because the Callout URL check performed by Salesforce while fetching the cache-only keys will fail. So, you need to update the endpoint URLs in Named Credential on Salesforce and create the same endpoints on CCKM.
Alternatively, you can create new endpoint URLs on Salesforce and CCKM and use them.
Refer to Prepare the Cache-Only Key Integration and Edit a Salesforce Cache-Only Key Endpoint for details.
Note
DSM is EOL as of June 2024 and its support as a key source is being deprecated. Therefore, after migrating the cloud keys, it's recommended to migrate the DSM source keys to CipherTrust Manager. Follow the instructions provided in Migrate DSM Source Keys.
4. Migrate cloud keys when CM is used as key source with CCKM Appliance
This section describes steps to migrate both cloud keys and the CipherTrust Manager source keys from CCKM Appliance to the CipherTrust Manager. Before proceeding, read the prerequisites.
Note
The user who performs the migration becomes the owner of the migrated keys.
Migration of the CipherTrust Manager source keys from CCKM Appliance should be done on the same CipherTrust Manager with which the CCKM Appliance is configured.
The steps below apply to root domain only. To perform migration on a child domain, refer to Migration from CCKM Appliance to Child Domain.
Generate RSA Key Pair
Exporting migration data from CCKM Appliance requires an RSA key pair (public and private) on the CipherTrust Manager. The public key is used to encrypt the data while the private key is used to decrypt the exported data.
To generate an RSA key pair, run the ksctl keys create
command:
./ksctl-linux-amd64 keys create --name <rsa-key-name> --alg <key-algorithm> --size <key-size>
Here,
--name
: Name for RSA key pair.--alg
: Algorithm for the RSA key pair.--size
: Size for the key pair.
Example:
./ksctl-linux-amd64 keys create --name rsa-key --alg RSA --size 4096
Output:
{
"id": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"uri": "kylo:kylo:vault:keys:rsa-key-v0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.519466Z",
"name": "rsa-key",
"updatedAt": "2021-05-07T03:55:47.519466Z",
"usage": "sign",
"usageMask": 3,
"meta": {
"ownerId": "local|5e3b45c6-6f26-4413-9752-e6fd15418a61"
},
"version": 0,
"algorithm": "RSA",
"size": 4096,
"unexportable": false,
"undeletable": false,
"neverExported": true,
"neverExportable": false,
"emptyMaterial": false,
"publickey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwfd4fDEgdJydUPOkPpAL\nriQW+IpwM9oSte//pv45UXpw0wkag1FbSmEUQQMf02KdRW5so+4jrkX44gQhmDTA\namrpijweJa0HzkaqnTkMtCUtFP9nbx33JiWRSYSKqXsEJho+P9SqXz45uxf7iis5\n4NF0SpZSIYi3COH4xtJ7hK+6BXbLXBZHVpfQ6LN8p/+WDwcIIkSyWGQxj4V0xTwV\nfNBNoQrXvanrEX+nide28vuX1bJ1UzglhUwcFT12VZL8KIrkviCKMwkBNIuuiXgh\nbtYGBy84ZbPjREgaodbaU45vj38/dpusL75Q2hkUdv5mYvTqN+OPVbJrTTQFzGfw\nM3Pt86iBFfu3XH/ZMH4dbV3HHXJP7+mHI3cOhUlvojwx9hnKygn3fY4Darx/N0yr\niCp6Sz7FI3sExAAIeF+AJ7zqyXK6a/NGve5gAqt1w3fnOYIFeD8f6oXOYBFFniu3\n3uX//4WcNdgyTXKXhDsZAtaLqmHv9jIwGZ0pTlj8xefZPbkoDNON3uC92b0tzI7F\n7+IqOiEf5bg4huU/EJh8emYgU8mPZGpwPtPVUFiKmOY7EbvHS1C6RIqRE1hnCZAa\nZSMup6LLzZGvk6SM0339c5gDJuS+kGkYK/fOwuWJ7qO5m+T/27J1IoNna6JuZ9el\nZDMxs7Rqj4cdezaa3CTV4l8CAwEAAQ==\n-----END PUBLIC KEY-----\n",
"defaultIV": "78f83dddc0ee01a2ab3ff579c908a33a",
"sha1Fingerprint": "878bcd84e81c4170",
"sha256Fingerprint": "c9c2d321b21d34a3e82460df8839e55f3ebca977766658d830d5100fb29bed75",
"objectType": "Private Key",
"activationDate": "2021-05-07T03:55:43.229267Z",
"state": "Active",
"aliases": [
{
"alias": "rsa-key",
"type": "string",
"index": 0
}
],
"links": [
{
"id": "6dc578f7-1864-43a7-899a-5035d54f1772",
"uri": "kylo:kylo:vault:links:6dc578f7-1864-43a7-899a-5035d54f1772",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.531762Z",
"updatedAt": "2021-05-07T03:55:47.531762Z",
"type": "publicKey",
"source": "kylo:kylo:vault:keys:rsa-key-v0",
"sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"target": "kylo:kylo:vault:keys:rsa-key-pub-v0",
"targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395",
"index": 0
}
],
"uuid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3",
"muid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3e129ed33-317d-4584-9cbf-d0e882f58fca"
}
In the sample output above, "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1"
is the private key ID. The "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395"
under "links"
is the public key ID, which is used to download the export file.
Download Export File
As a CipherTrust Manager administrator, download the migration data (the export file) from the CCKM Appliance. This file contains migration data to be uploaded to CCKM Embedded.
Run the command:
./ksctl-linux-amd64 migrations download --cckm-host "<cckm-ip-or-hostname>" --cckm-user "<cckm-user>" --cckm-certificate "<certificate-file-content>" --public-key-id "<public-key-id>"
Here,
--cckm-host
: IP address or hostname of the CCKM Appliance.--cckm-user
: Admin user of the CCKM Appliance.--cckm-certificate
: SSL certificate downloaded from the CCKM Appliance.By default, the content of the SSL certificate spans over multiple new lines. However, to input the certificate as an inline argument, the certificate content needs to be converted into the single-line format where every new line is represented by
\n
.To covert the certificate into the single-line format:
Download the certificate in a file (say
certificate.cert
).Store the certificate file at a location on your machine, for example, at
/root/cert/
.Run the following command:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <full-path-to-certificate-file>
For example, to convert your certificate file (
/root/cert/certificate.cert
), run the command:awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /root/cert/certificate.cert
The above command returns the certificate in the single-line format, as shown below:
-----BEGIN CERTIFICATE-----\nMIIDhjCCAm6gAwIBAgIGCBPpf2sUMA0GCSqGSIb3DQEBDAUAMC8xIDAeBgNVBAMT\nF0NHIENBIFMgb24gcGt2LWNsdXN0ZXIxMQswCQYDVQQGEwJVUzAeFw0yMTAzMDMw\nNzI0MDVaFw0zMTAzMDQwNzI0MDVaMCQxFTATBgNVBAMTDHBrdi1jbHVzdGVyMTEL\nMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOh14c\nhxamUh7eO/TzdS016djkaL8x1a/uljy8RediBA2W5Yrmm4sTBxO/PFZ0l+OwyzYe\n7VqsCG3P5+lsTiXw2VlXKT7qyiil7P8ParCoKt6v5fp6BjtDZzq7q3uG8daZqL4M\nKrAiI8rcGPDgsAex/kSPAB4di1AFjDDNv7SCiet5kWJq8YeTZEuwYa8rxLi2QEqJ\n4h/mHDqD35jNiSf4FRksWfUwtsY652XIfBvPdnwkpsA/+kENO4Aiuve9CSvyIBmR\nKaqBwnmYdQZaBJGFKEvjnARtSMMwCUlLxikQCiUk1BaW9H7f/WQUuNh7xManRb7w\ndNkhqAhSPyqgjz/TAgMBAAGjgbIwga8wFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEw\nDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0OBBYEFFnFr/+FuXPw\n02+F2es0v8/XeGvzkuy55dTO7SwhLGTKiuv5L2ADawGQmlNQ7thNUN2P\n-----END CERTIFICATE-----\n
Copy the returned single-line certificate content. You need to paste this content as the value for
--cckm-certificate
.
--public-key-id
: ID of the local (public) key of the RSA key pair generated in Generate RSA Key Pair.
The command prompts for the password. Enter the password of the CCKM Appliance user (cckm-user
).
Example:
./ksctl-linux-amd64 migrations download --cckm-host "127.0.0.1" --cckm-user "admin" --cckm-certificate "-----BEGIN CERTIFICATE-----\nMIIDhjCCAm6gAwIBAgIGCBPpf2sUMA0GCSqGSIb3DQEBDAUAMC8xIDAeBgNVBAMT\nF0NHIENBIFMgb24gcGt2LWNsdXN0ZXIxMQswCQYDVQQGEwJVUzAeFw0yMTAzMDMw\nNzI0MDVaFw0zMTAzMDQwNzI0MDVaMCQxFTATBgNVBAMTDHBrdi1jbHVzdGVyMTEL\nMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOh14c\nhxamUh7eO/TzdS016djkaL8x1a/uljy8RediBA2W5Yrmm4sTBxO/PFZ0l+OwyzYe\n7VqsCG3P5+lsTiXw2VlXKT7qyiil7P8ParCoKt6v5fp6BjtDZzq7q3uG8daZqL4M\nKrAiI8rcGPDgsAex/kSPAB4di1AFjDDNv7SCiet5kWJq8YeTZEuwYa8rxLi2QEqJ\n4h/mHDqD35jNiSf4FRksWfUwtsY652XIfBvPdnwkpsA/+kENO4Aiuve9CSvyIBmR\nKaqBwnmYdQZaBJGFKEvjnARtSMMwCUlLxikQCiUk1BaW9H7f/WQUuNh7xManRb7w\ndNkhqAhSPyqgjz/TAgMBAAGjgbIwga8wFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEw\nDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0OBBYEFFnFr/+FuXPw\n02+F2es0v8/XeGvzkuy55dTO7SwhLGTKiuv5L2ADawGQmlNQ7thNUN2P\n-----END CERTIFICATE-----\n" --public-key-id "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395"
Output:
CCKM enterprise user password:
File is downloading.
File downloaded successfully: migration_20210621143427.json
An export file named "migration_<TIMESTAMP>.json"
(for example, migration_20210621143427.json
) is created and downloaded to your machine.
Note
After downloading the migration data (the export file), open the file and check whether it contains a "containers"
tag at the beginning of the file.
Upload Export File
As a CipherTrust Manager administrator, upload the downloaded export file to CCKM Embedded.
Run the command:
./ksctl-linux-amd64 migrations upload --file <export-file-name>
Here,
--file
: Name of the export file.
Example:
./ksctl-linux-amd64 migrations upload --file migration_20210621143427.json
Output:
{
"id": "26304f13-5626-419b-bd81-459fda7fdb68",
"file_size": 21712358,
"created_at": "2021-05-07T04:55:33.251439962Z",
"checksum_sha256":"3e853d19e1d4a3687dfcf7bde5fc6bb192c19345462c5f4ae05c481acf26968b",
"product": "CCKM"
}
Note down the "id"
value, "26304f13-5626-419b-bd81-459fda7fdb68"
. It is required when applying the migration data. Now, you need to apply the migration data to CCKM Embedded (refer to Migrate Complete Data).
Apply Migration Data
The migration data can be applied to CCKM Embedded in two ways:
Note
In a clustered CipherTrust Manager environment, apply the migration data on one node only. Migrated data is automatically replicated to other nodes of the cluster.
After migration, all the source keys will be migrated to the current domain on the CipherTrust Manager (where the migration is being performed).
Even if you migrate specific KMS containers, all of the CipherTrust Manager source keys will be migrated.
Migrate Data of Set of Containers
This method requires a list of containers. After the exported file is uploaded to the CipherTrust Manager, you can get the list of containers and select the containers to be migrated.
To migrate the data of a set of containers:
List the migrated containers.
Run the command:
./ksctl-linux-amd64 migrations containers list –id <export-file-id>
Here,
--id
: ID of the uploaded export file. Refer to Upload Export File for the ID of the export file.
Example:
./ksctl-linux-amd64 migrations containers list --id 26304f13-5626-419b-bd81-459fda7fdb68
Output:
{ "Containers": [ { "id": "b10ba3f2-b835-485d-b09a-07d4c002ff97", "type": "aws", "name": "805182230944", "tenant": "805182230944" }, { "id": "0de664f3-7c70-4fae-9213-4e16bb99a4fc", "type": "aws", "name": "556782317223", "tenant": "556782317223" }, { "id": "3f2b09ba-485d-b835-b09a-07d4c002ff97", "type": "salesforce", "name": "0056A0000011XDvQAM", "tenant": "0056A0000011XDvQAM" }, { "id": "4f4b11ba-c385-456d-b09a-07d4c002ff97", "type": "salesforcesandbox", "name": "0056A0000011ABvZCM", "tenant": "0056A0000011ABvZCM" }, { "id": "0941754d-9cb9-4b32-a241-59f7a4703756", "type": "azure", "name": "pkv-premium", "tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10" } }
This command returns the list of containers with their IDs. From this list, you can select the containers to be migrated.
Select the desired containers to be migrated. In this example, we will migrate the containers with the IDs
"b10ba3f2-b835-485d-b09a-07d4c002ff97"
and"0941754d-9cb9-4b32-a241-59f7a4703756"
.Apply the migration to migrate the desired container.
Run the command:
./ksctl-linux-amd64 migrations apply --id <export-file-id> --private-key-id <private-key-id> --migrate-cckm-source-keys --containers "<container1-id>,<container2-id>,...,<containerN-id>"
Here,
--id
: ID of the uploaded export file. Refer to Upload Export File for the ID of the export file.--private-key-id
: ID of the private key of the RSA key pair. Refer to Generate RSA Key Pair for the private key ID.--migrate-cckm-source-keys
: Tag to migrate the source keys.--containers
: Comma-separated container IDs.
Example:
./ksctl-linux-amd64 migrations apply --id 26304f13-5626-419b-bd81-459fda7fdb68 --private-key-id b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1 --migrate-cckm-source-keys --containers "b10ba3f2-b835-485d-b09a-07d4c002ff97,0941754d-9cb9-4b32-a241-59f7a4703756",
Output:
{ "id": "26304f13-5626-419b-bd81-459fda7fdb68", "file_size": 22940401, "created_at": "2021-05-06T14:19:54.76812635Z", "status": "In progress", "checksum_sha256": "3386289c00e7e8bf7ad70a5ca12d0852913c0fb3a54f584c28460aa9cd65383e", "product": "CCKM" }
The container migration data is applied. It might take some time to complete. Verify the migration status. Refer to Check Migration Status for details.
Migrate Complete Data
To migrate the complete data, run the command:
./ksctl-linux-amd64 migrations apply --id <export-file-id> --private-key-id <private-key-id> --migrate-cckm-source-keys
Here,
--id
: ID of the uploaded export file. Refer to Upload Export File for the ID of the export file.--private-key-id
: ID of the private key of the RSA key pair. Refer to Generate RSA Key Pair for the private key ID.--migrate-cckm-source-keys
: Tag to migrate the source keys.
Example:
./ksctl-linux-amd64 migrations apply --id 26304f13-5626-419b-bd81-459fda7fdb68 --private-key-id b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1 --migrate-cckm-source-keys
Output:
{
"id": "26304f13-5626-419b-bd81-459fda7fdb68",
"file_size": 22940401,
"created_at": "2021-05-06T14:19:54.76812635Z",
"status": "In progress",
"checksum_sha256": "3386289c00e7e8bf7ad70a5ca12d0852913c0fb3a54f584c28460aa9cd65383e",
"product": "CCKM"
}
Check Migration Status
After you have applied the migration data, verify the migration status by running the ksctl migrations status
command.
Example:
./ksctl-linux-amd64 migrations status
Output:
{
"id": "9c9149ad-901b-405f-aefd-b279e6257f97",
"overall_status": "Completed",
"source": "CCKM",
"cckm_azure_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_sfdc_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_aws_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_dsm_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 }
}
In the sample output above, "overall_status": "Completed"
indicates that migration of CCKM Appliance to CCKM Embedded is successful. Also, verify that migration status of different clouds and key sources such as "cckm_azure_keys"
, "cckm_aws_keys"
, and "cckm_dsm_keys"
is "Completed"
.
In the output, "num_ignored"
indicates the number of Azure keys for which blobs are present on the CipherTrust Manager but the keys have been deleted.
After the migration status is "Completed"
, you can add connection to supported clouds and key sources to perform operations on the added data.
After migration, you can see the migrated keys on the Keys page of the CipherTrust Manager GUI.
Add Connection
Add connection to the desired clouds on the CipherTrust Manager. Refer to Connection Manager for details on connection management.
Update Containers
After the connection is created, update connection in AWS KMS, Azure key vaults, Salesforce organizations, and Google key rings on the Containers tab. After the update, keys in supported clouds and key sources can be managed from CCKM Embedded.
For Salesforce, you also need to synchronize certificates and update endpoints linked with the organizations.
Synchronize certificates: After migration, the certificates linked with the cache-only keys and schedulers are not synchronized. You need to manually synchronize them on CCKM. Refer to Prepare the Cache-Only Key Integration for details.
Update endpoints: The endpoint URLs used in Named Credentials for cache-only keys before migration will not work after migration. This is because the Callout URL check performed by Salesforce while fetching the cache-only keys will fail. So, you need to update the endpoint URLs in Named Credential on Salesforce and create the same endpoints on CCKM.
Alternatively, you can create new endpoint URLs on Salesforce and CCKM and use them.
Refer to Prepare the Cache-Only Key Integration and Edit a Salesforce Cache-Only Key Endpoint for details.
5. Cloud keys already migrated, but kept DSM as key source, now migrate DSM keys to a local CM
This section provides instructions to migrate the DSM source keys from CCKM Appliance to the CipherTrust Manager. This section assumes that you have already migrated only the cloud keys to the CipherTrust Manager.
Note
The user who performs the migration becomes the owner of the migrated keys.
The steps above apply to the root domain only. To perform migration on a child domain, refer to Migration from CCKM Appliance to Child Domain.
Generate RSA Key Pair
Creating migration data from CCKM Appliance requires an RSA key pair (public and private) on the CipherTrust Manager. The public key is used to encrypt the data while the private key is used to decrypt the migrated data.
To generate an RSA key pair, run the ksctl keys create
command:
./ksctl-linux-amd64 keys create --name <rsa-key-name> --alg <key-algorithm> --size <key-size>
Here,
--name
: Name for RSA key pair.--alg
: Algorithm for the RSA key pair.--size
: Size for the key pair.
Example:
./ksctl-linux-amd64 keys create --name rsa-key --alg RSA --size 4096
Output:
{
"id": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"uri": "kylo:kylo:vault:keys:rsa-key-v0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.519466Z",
"name": "rsa-key",
"updatedAt": "2021-05-07T03:55:47.519466Z",
"usage": "sign",
"usageMask": 3,
"meta": {
"ownerId": "local|5e3b45c6-6f26-4413-9752-e6fd15418a61"
},
"version": 0,
"algorithm": "RSA",
"size": 4096,
"unexportable": false,
"undeletable": false,
"neverExported": true,
"neverExportable": false,
"emptyMaterial": false,
"publickey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwfd4fDEgdJydUPOkPpAL\nriQW+IpwM9oSte//pv45UXpw0wkag1FbSmEUQQMf02KdRW5so+4jrkX44gQhmDTA\namrpijweJa0HzkaqnTkMtCUtFP9nbx33JiWRSYSKqXsEJho+P9SqXz45uxf7iis5\n4NF0SpZSIYi3COH4xtJ7hK+6BXbLXBZHVpfQ6LN8p/+WDwcIIkSyWGQxj4V0xTwV\nfNBNoQrXvanrEX+nide28vuX1bJ1UzglhUwcFT12VZL8KIrkviCKMwkBNIuuiXgh\nbtYGBy84ZbPjREgaodbaU45vj38/dpusL75Q2hkUdv5mYvTqN+OPVbJrTTQFzGfw\nM3Pt86iBFfu3XH/ZMH4dbV3HHXJP7+mHI3cOhUlvojwx9hnKygn3fY4Darx/N0yr\niCp6Sz7FI3sExAAIeF+AJ7zqyXK6a/NGve5gAqt1w3fnOYIFeD8f6oXOYBFFniu3\n3uX//4WcNdgyTXKXhDsZAtaLqmHv9jIwGZ0pTlj8xefZPbkoDNON3uC92b0tzI7F\n7+IqOiEf5bg4huU/EJh8emYgU8mPZGpwPtPVUFiKmOY7EbvHS1C6RIqRE1hnCZAa\nZSMup6LLzZGvk6SM0339c5gDJuS+kGkYK/fOwuWJ7qO5m+T/27J1IoNna6JuZ9el\nZDMxs7Rqj4cdezaa3CTV4l8CAwEAAQ==\n-----END PUBLIC KEY-----\n",
"defaultIV": "78f83dddc0ee01a2ab3ff579c908a33a",
"sha1Fingerprint": "878bcd84e81c4170",
"sha256Fingerprint": "c9c2d321b21d34a3e82460df8839e55f3ebca977766658d830d5100fb29bed75",
"objectType": "Private Key",
"activationDate": "2021-05-07T03:55:43.229267Z",
"state": "Active",
"aliases": [
{
"alias": "rsa-key",
"type": "string",
"index": 0
}
],
"links": [
{
"id": "6dc578f7-1864-43a7-899a-5035d54f1772",
"uri": "kylo:kylo:vault:links:6dc578f7-1864-43a7-899a-5035d54f1772",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-07T03:55:47.531762Z",
"updatedAt": "2021-05-07T03:55:47.531762Z",
"type": "publicKey",
"source": "kylo:kylo:vault:keys:rsa-key-v0",
"sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
"target": "kylo:kylo:vault:keys:rsa-key-pub-v0",
"targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395",
"index": 0
}
],
"uuid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3",
"muid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3e129ed33-317d-4584-9cbf-d0e882f58fca"
}
In the sample output above, "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1"
is the private key ID. The "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395"
under "links"
is the public key ID.
Create Migration Data
Create the migration data for the DSM key source. Specify --key-source
as dsm
.
Run the command:
./ksctl-linux-amd64 migrations create --key-source dsm --public-key-id <public-key-id>
Here,
--key-source
: Specifydsm
as the key source.
Example:
./ksctl-linux-amd64 migrations create --key-source dsm --public-key-id c9b6922153e74c1f9be4bf9344ebf8eed827aa281be947a2b249b57f9f0c5d1c
Output:
{
"status": "In progress"
}
Get the uploadID
After you have initiated the creation of migration data for the DSM key source, get the uploadID
by running the ksctl migrations status
command.
Example:
./ksctl-linux-amd64 migrations status
Output:
{
"id": "9c9149ad-901b-405f-aefd-b279e6257f97",
"overall_status": "Completed",
"source": "CCKM",
"cckm_azure_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_sfdc_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_aws_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_dsm_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_gcp_keys": {
"status": "",
"num_processed": 0,
"num_failed": 0,
"num_ignored": 0},
"cckm_generate_migration": {
"status": "Completed",
"uploadID": "f915a761-9fa8-449d-a969-122601ef244e"
}
}
Note down the "uploadID"
value, "f915a761-9fa8-449d-a969-122601ef244e"
. It is required when applying the migration data. Now, you need to apply the migration data to CCKM Embedded (refer to Apply Migration Data).
Apply Migration Data
Note
In a clustered CipherTrust Manager environment, apply the migration data on one node only. Migrated data is automatically replicated to other nodes of the cluster.
After migration, all the source keys from DSM will be migrated to the current domain on the CipherTrust Manager (where the migration is being performed).
Even if you migrate specific KMS containers, all of the DSM source keys will be migrated.
After all the source keys are moved to the CipherTrust Manager, you can remove DSM from CCKM Embedded, if needed. Refer to Deleting DSM Domains and Deleting a DSM Connection.
To apply the migration data, run the command:
./ksctl-linux-amd64 migrations apply --id <uploadID> --private-key-id <private-key-id>
Here,
--id
: uploadID returned in Check Status of uploadID.--private-key-id
: ID of the private key of the RSA key pair. Refer to Generate RSA Key Pair for the private key ID.
Example:
./ksctl-linux-amd64 migrations apply --id f915a761-9fa8-449d-a969-122601ef244e --private-key-id b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1
Output:
{
"id": "f915a761-9fa8-449d-a969-122601ef244e",
"file_size": 70697,
"created_at": "2022-11-28T04:24:28.004216933Z",
"status": "In progress",
"checksum_sha256": "8b5839e47dfbb68b9dadb1f31e416321a5033db2b7956ddc03e07748e58258a8",
"product": "CCKM"
}
Check Migration Status
After you have applied the migration data, verify the migration status by running the ksctl migrations status
command.
Example:
./ksctl-linux-amd64 migrations status
Output:
{
"id": "f915a761-9fa8-449d-a969-122601ef244e",
"overall_status": "Completed",
"source": "CCKM",
"cckm_azure_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_sfdc_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_aws_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_dsm_keys": {
"status": "Completed",
"num_processed": 100,
"num_failed": 0,
"num_ignored": 0 },
"cckm_generate_migration": {
"status": "Completed",
"uploadID": "f915a761-9fa8-449d-a969-122601ef244e"}
}
In the sample output above, "overall_status": "Completed"
indicates that migration of DSM source keys from CCKM Appliance to CCKM Embedded is successful.
Migration from CCKM Appliance to Child Domain
To migrate the CCKM Appliance data to CCKM Embedded in a child domain.
Set
export KSCTL_DOMAIN=<child-domain>
on the machine where you will run the ksctl commands.Perform the migration steps, as described in sections above.
Note
The steps above show examples of ksctl
commands. Switch to the child domain <child-domain>
to:
Check the migration status using the API.
Verify or access the migrated data on the CipherTrust Manager GUI.