Upgrade from VAE to CADP for C
Upgrading VAE to CADP For C On Linux
Upgrading VAE to CADP For C On Windows
Note
If you have set the BACKWARD_COMPATIBILITY_VAE Compatibility parameter to 'NO' and CADP for C is running successfully on your machine, it is recommended to uninstall VAE from the machine at your convenience.
Upgrading VAE to CADP for C on Linux
Before upgrading VAE to CADP for C, Thales recommends that you save your existing VAE configuration such as your certificates.
When upgrading VAE to CADP for C, you will use the CADP for C installation script. The upgrade procedure from VAE to CADP for C is essentially the same as a fresh install of CADP for C. However, because the installer detects that VAE is currently installed on your system, you are prompted during the upgrade to indicate whether you wish to maintain backward compatibility with VAE. As part of the upgrade, a backup of the VAE library must be taken and a soft link from the VAE library (/opt/vormetric/DataSecurityExpert/agent/pkcs11/lib/libvorpkcs11.so) to the CADP for C PKCS#11 library (libcadp_pkcs11.so) must be created.
You have the option to upgrade VAE to CADP for C with or without admin rights. When you upgrade VAE to CADP for C with admin rights (as a root user), the backup of the VAE library is taken and the soft link between the two libraries is created as part of the upgrade process. If you upgrade from VAE to CADP for C without admin rights, you will need to manually back up the VAE library and create the soft link after the upgrade. These final steps do require admin rights, because accessing the folder /opt requires admin rights.
Note
Thales recommends that you perform the entire upgrade procedure using admin rights.
The steps for upgrading from VAE to CADP for C with or without admin rights are essentially the same. When you get to the step to install the CADP for C program (Step 5), you will do so using admin rights or no admin rights. If you choose to upgrade without the use of admin rights, then proceed to Backing Up VAE Library and Creating Soft Link between the Libraries after the upgrade. These steps are required.
For information about the CADP for C directory that is installed after the upgrade, refer to Installed Directory on Linux or Installed Directory on Windows depending on which OS you are using.
Using Installation Script for Upgrade
To upgrade VAE to CADP for C:
1. Download the CADP for C installation file from the Thales Customer Support Portal.
2. Log on to the client machine on which to install CADP for C.
3. Unzip and untar the installation file. The untar process creates a directory called CADP_for_C-x.xx.0.000.
tar xvfz "CADP_for_C-x.xx.0.000.tar.gz"
4. Navigate to the CADP_for_C-x.xx.0.000 directory.
cd CADP_for_C-x.xx.0.000
5. Upgrade CADP for C by running install.sh:
With admin rights:
sudo ./install.sh
Without admin rights:
./install.sh
6. The next screen displays the End User License Agreement. Read the agreement. If you agree with the terms of the end-user license agreement, accept it by entering Y for yes.
Do you accept the terms of the End User License Agreement(Y/N)[N]? Y
7. Specify the folder <install_folder> in which to store the installation to complete the upgrade. The default folder is /opt. If you wish to change this, enter the name of the folder to use for this upgrade. Otherwise, press Enter to accept the default.
Install CADP for C to path [/opt]:<install_folder>
8. Enter the Key Management Server information to be used to communicate with the CipherTrust Manager. Follow the prompts to enter the information as per your environment.
Key Management Server IP Address/Hostname:<cm_ip> /IP address or hostname of the CipherTrust Manager.
Key Management Server Port:<cm_port> /Server port number of the CipherTrust Manager interface.
9. Indicate whether to maintain backward compatibility with VAE:
Maintain Backward Compatibility with VAE (y/n)[y]:<yes or no> /Indicate whether you wish to maintain backward compatibility with VAE.
If you wish to maintain backward compatibility with VAE, enter y for yes. With this setting, the Client_Compatibility_Mode in the CADP for C PKCS#11 property file (CADP_PKCS11.properties) will be set to LegacyVAE during the upgrade: Client_Compatibility_Mode=LegacyVAE. The Client_Compatibility_Mode indicates the mode in which the PKCS#11 library runs. In the LegacyVAE mode, the CADP for C PKCS#11 library will execute specific functionality associated with the legacy VAE. If you enter y, the following message displays: upgrading from VAE. Proceed to step 10.
If you do not wish to maintain backward compatibility with VAE, enter n for no. With this setting, the compatibility mode of CipherTrust, which is the default setting, will be used in the CADP for C PKCS#11 property file: Client_Compatibility_Mode= CipherTrust. In CipherTrust mode, the CADP for C PKCS#11 library will execute functionality associated with the converged CADP for C features. If you enter n, proceed to step 11.
10. Enter the user credentials to log into the CipherTrust Manager and then proceed to Step 13:
Key Management Server username:<cm_user> /Username associated with the user account to use to log into the CipherTrust Manager. For example, 'admin'.
Key Management Server user password:<cm_user_password> /Password (associated with the username) to use to log into the CipherTrust Manager.
Enter PIN for Login:<vae pin> /VAE PIN used to access PKCS#11 API functions for encryption and key management.
Note
The VAE PIN is the original PIN created during the machine or host registration between the VAE and Data Security Manager (DSM). Besides using the VAE PIN to encrypt the client private key associated with the client certificate that establishes a secure channel between the VAE and the Key Manager (previously, Data Security Manager (DSM) and after the upgrade, CipherTrust Manager), this PIN is also used to log on to PKCS#11, enabling you to access the PKCS#11 API functions for encryption and key management. As an application developer, provide this PIN as an argument of the C_Login API.
11. Enter the protocol to use for communication between the client and the CipherTrust Manager:
Key Management Server Protocol (ssl/tcp)[ssl]:<protocol> /Protocol to use for communication between the client and the CipherTrust Manager.
If you specified to use tcp for the protocol, then after entering the requested information at this step and a successful installation, the message CADP for C Installation is completed displays:
CADP for C Installation is completed!
You can edit the configuration files located at:
/opt/CipherTrust/CADP for C/CADP_PKCS11.properties
/opt/CipherTrust/CADP for C/CADP_CAPI.properties
If you specified to use ssl for the protocol, then proceed to the next step.
12. Enter the username and password to log into the CipherTrust Manager as well as the passphrase to be used to protect the private key:
Key Management Server username:<cm_user> /Username associated with the user account to use to log into the CipherTrust Manager. For example, 'admin'.
Key Management Server user password:<cm_user_password> /Password (associated with the username) to use to log into the CipherTrust Manager.
Enter Passphrase to protect private key: /The passphrase associated with the private key.
13. Enter the information to be incorporated into a Certificate Signing Request (CSR) for the SSL client certificate:
====Enter information that will be incorporated into your certificate request.====
Country code (2 letter code e.g., US):
State or Province name (e.g., California):
Locality or city name (e.g., San Jose):
Organization name (e.g., company):
Organization Unit name (e.g., Section):
Common Name (e.g., your name or your server's hostname):
Email Address (optional):
Note
VAE only uses the SSL protocol for communication with the Key Manager (DSM previously and CipherTrust Manager after the upgrade). When you selected to maintain backward compatibility with VAE, SSL is automatically selected as the protocol to use.
For example:
====Enter information that will be incorporated into your certificate request.====
Country code (2 letter code e.g., US): IN
State or Province name (e.g., California): UP
Locality or city name (e.g., San Jose): Noida
Organization name (e.g., company): Thales
Organization Unit name (e.g., Section): Eng
Common Name (e.g., your name or your server's hostname): Server1x
Email Address (optional):
14. On successful installation, the message CADP for C Installation is completed displays.
CADP for C Installation is completed!
You can edit the configuration files located at:
/opt/CipherTrust/CADP_for_C/CADP_PKCS11.properties
/opt/CipherTrust/CADP_for_C/CADP_CAPI.properties
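A post-upgrade check for the Client_Compatibility_Mode setting chosen in step 9, as an added example that is not Thales code. It assumes the properties file holds key=value lines with # comments, and that in LegacyVAE mode the legacy libvorpkcs11.so path should be a soft link resolving to libcadp_pkcs11.so; the function names are hypothetical.

```bash
# Added example (hypothetical helper names, not part of the CADP for C installer).
# Assumption: CADP_PKCS11.properties uses key=value lines; '#' starts a comment.

# Print every active Client_Compatibility_Mode value, one per line.
# Tolerates spaces around '=' (the page shows "= CipherTrust") and CRLF endings.
cadp_compat_mode() {
    sed -n 's/^[[:space:]]*Client_Compatibility_Mode[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1"
}

# check_vae_upgrade <properties_file> <path_to_legacy_libvorpkcs11.so>
# Returns 0 when the configured mode and the legacy library path agree.
check_vae_upgrade() {
    props=$1
    legacy_lib=$2
    mode=$(cadp_compat_mode "$props")
    case $mode in
        LegacyVAE)
            # Legacy applications still load libvorpkcs11.so, so that path
            # must be a soft link that resolves to the CADP PKCS#11 library.
            target=$(readlink -f "$legacy_lib")
            if [ -L "$legacy_lib" ] && [ -f "$target" ] &&
               [ "$(basename "$target")" = libcadp_pkcs11.so ]; then
                echo "OK: LegacyVAE, $legacy_lib -> $target"
            else
                echo "FAIL: LegacyVAE set but $legacy_lib is not linked to libcadp_pkcs11.so" >&2
                return 1
            fi ;;
        CipherTrust)
            echo "OK: CipherTrust mode" ;;
        '')
            echo "FAIL: Client_Compatibility_Mode not set in $props" >&2
            return 1 ;;
        *)
            # Unknown value, or the key appears more than once (ambiguous).
            echo "FAIL: unexpected or repeated Client_Compatibility_Mode in $props" >&2
            return 1 ;;
    esac
}

# Usage, with the paths printed on this page:
# check_vae_upgrade /opt/CipherTrust/CADP_for_C/CADP_PKCS11.properties \
#     /opt/vormetric/DataSecurityExpert/agent/pkcs11/lib/libvorpkcs11.so
```

After an upgrade run without admin rights, a FAIL in LegacyVAE mode is expected until the backup and soft link steps have been completed.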
Silent Upgrade on Linux
To upgrade VAE to CADP for C on Linux silently:
1. Modify the BACKWARD_COMPATIBILITY_VAE parameter in the cadp_for_c_basic.conf file as per your environment.
2. Execute the following command:
sudo ./install.sh -c <path_to_conf_file>/cadp_for_c_basic.conf -d <install_folder> -y
Backing Up VAE Library and Creating Soft Link between the Libraries
If you completed the upgrade of VAE to CADP for C (without the use of admin rights), perform the following steps:
1. Log on to the client machine on which CADP for C is installed as a user with admin rights.
2. Access the directory in which libvorpkcs11.so is located. For example:
cd /opt/vormetric/DataSecurityExpert/agent/pkcs11/lib/
3. Back up the VAE library libvorpkcs11.so as libvorpkcs11.so.save:
mv libvorpkcs11.so libvorpkcs11.so.save
4. Create a soft link from the VAE library libvorpkcs11.so to the CADP for C PKCS#11 library (libcadp_pkcs11.so):
ln -s libcadp_pkcs11.so /opt/vormetric/DataSecurityExpert/agent/pkcs11/lib/libvorpkcs11.so
where ln -s creates a soft (symbolic) link.
5. Stop the vaed service.
cd /opt/vormetric/DataSecurityExpert/agent/pkcs11/etc/init.d/
./vaed stop
Note
The vaed service is stopped because it is not required for the upgraded libvorpkcs11.so library.
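The backup and soft link steps above as one guarded function, added here as an example and not taken from the CADP for C installer. The function name is hypothetical, and the second argument is a placeholder for the absolute path of libcadp_pkcs11.so, because this page does not state where that library is installed.

```bash
# Added example (hypothetical helper). Run as a user with admin rights.
# link_vae_to_cadp <vae_lib_dir> <absolute_path_to_libcadp_pkcs11.so>
link_vae_to_cadp() {
    vae_lib="$1/libvorpkcs11.so"
    cadp_lib=$2

    # A relative link target is resolved against the link's own directory,
    # so require an absolute path to an existing file to avoid a dangling link.
    case $cadp_lib in
        /*) ;;
        *) echo "target must be an absolute path: $cadp_lib" >&2; return 1 ;;
    esac
    if [ ! -f "$cadp_lib" ]; then
        echo "CADP library not found: $cadp_lib" >&2; return 1
    fi

    # Re-running after the link is already in place is a no-op.
    if [ -L "$vae_lib" ]; then
        if [ "$(readlink "$vae_lib")" = "$cadp_lib" ]; then return 0; fi
        echo "$vae_lib already links elsewhere; inspect manually" >&2; return 1
    fi
    if [ ! -f "$vae_lib" ]; then
        echo "VAE library not found: $vae_lib" >&2; return 1
    fi
    # Never overwrite an earlier backup of the original VAE library.
    if [ -e "$vae_lib.save" ]; then
        echo "backup already exists: $vae_lib.save" >&2; return 1
    fi

    mv "$vae_lib" "$vae_lib.save" || return 1
    if ! ln -s "$cadp_lib" "$vae_lib"; then
        mv "$vae_lib.save" "$vae_lib"   # roll back so legacy callers keep working
        return 1
    fi
    # Confirm the legacy path now resolves to the CADP for C library.
    [ "$(readlink -f "$vae_lib")" = "$(readlink -f "$cadp_lib")" ]
}

# Usage (placeholder path for the CADP library):
# link_vae_to_cadp /opt/vormetric/DataSecurityExpert/agent/pkcs11/lib \
#     <absolute_path_to>/libcadp_pkcs11.so
```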
Upgrading VAE to CADP for C on Windows
Note
You must have admin rights to upgrade from VAE to CADP for C on Windows.
Using GUI-based Upgrade
When upgrading VAE to CADP for C, use the setup executable (setup.exe) file, which is also used to install CADP for C. There are a couple of differences between the upgrade procedure from VAE to CADP for C and the installation procedure for CADP for C, as can be seen during the initial part of the upgrade. After the setup starts during an upgrade, the installation wizard detects that VAE is installed. The first prompt that displays is the following:
Select Yes to proceed with the upgrade.
Now, when you get to the Protocol Information page (Step 5 as described in the GUI based Installation procedure (Windows)), the Maintain Backward Compatibility with VAE option is included within this page:
From the drop-down box, select the following:
Yes - If you wish to maintain backward compatibility with VAE, select Yes. With this setting, a backup of the VAE library (vorpkcs11.dll) will be made during the upgrade by the name (vorpkcs11.dll.save). By default, this library is located in C:\Program Files\Vormetric\DataSecurityExpert\Agent\pkcs11\bin\. Also with this setting, the CADP for C PKCS#11 library libcadp_pkcs11.dll will be renamed as vorpkcs11.dll and then added to the mentioned default Vormetric folder. In addition, the Client_Compatibility_Mode in the CADP for C PKCS#11 property file (CADP_PKCS11.properties) will be set to LegacyVAE: Client_Compatibility_Mode=LegacyVAE. The Client_Compatibility_Mode indicates the mode in which the PKCS#11 library runs. In LegacyVAE mode, the CADP for C PKCS#11 library will execute specific functionality associated with the legacy VAE.
No - If you do not wish to maintain backward compatibility with VAE, select No. With this setting, the compatibility mode of CipherTrust, which is the default setting, will be used in the CADP for C PKCS#11 property file: Client_Compatibility_Mode= CipherTrust. In CipherTrust mode, the CADP for C PKCS#11 library will execute functionality associated with the converged CADP for C features.
Silent Upgrade on Windows
To upgrade VAE to CADP for C on Windows silently:
1. Modify the BACKWARD_COMPATIBILITY_VAE parameter in the cadp_for_c_basic.conf file as per your environment.
2. Execute the following command:
setup.exe /S /v"/qn CONFIGPATH=<path of cadp_for_c_basic.conf file>"
For example:
setup.exe /S /v"/qn CONFIGPATH=C:\Users\Administrator\Desktop\cadp_for_c_basic.conf"