How to Rekey Token Vault
Rekeying is the act of decrypting data and then re-encrypting it with a new set of key bytes (a new key version).
CT-V offers a command-line utility to rekey a table. Once the key has been rotated, the database administrator does not need administrator access to the Key Manager to rekey the token vault; user access to the key is still required. The ReKey command searches the sfnt_key_table to find the correct key for the table.
Note
The rekey operation is performed in batches of 1000 rows. Only the 1000 rows being processed at a given point in time are locked; the entire vault (table) is not locked.
If the rekey operation is interrupted, rerun it; the process resumes where it stopped.
To rekey a token vault:
Rotate the key as explained here.
Add SafeNetTokenService-8.13.0.000.jar to the classpath.
Run the ReKey utility:
java -cp SafeNetTokenService-8.13.0.000.jar com.safenet.token.ReKey dbtable naeUser dbUser
Alternatively, you can pass the database properties on the ReKey command line:
java -cp SafeNetTokenService-8.13.0.000.jar com.safenet.token.ReKey dbtable naeUser dbUser [HostName=<DB HostName>] [Port=<DB Port>] [DBName=<DB Name>]
Where:
dbtable: name of the token vault (must be specified in capital letters)
naeUser: name of the Key Manager user
dbUser: name of the database user
HostName: name of the database host where your token vault resides
Port: database port
DBName: database name
Note
The HostName, Port, and DBName parameters are optional and are supported only for MySQL databases.
If HostName, Port, and DBName are specified on the command line, they take precedence over the values in the SafeNetToken.properties file.
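A shell wrapper for the procedure above, added here as an example; it is not part of CT-V or its documentation. It enforces the argument rules the page states (vault name in capital letters; only HostName, Port and DBName as optional properties, MySQL only) and reruns ReKey a bounded number of times, relying on the documented behaviour that an interrupted rekey resumes where it stopped. That ReKey exits non-zero on failure or interruption is an assumption, as are the JAVA_CMD, REKEY_JAR and MAX_ATTEMPTS variables, which exist only so the wrapper can be configured and tested with a stand-in command.

```shell
#!/bin/sh
# rekey_vault.sh: wrapper around the CT-V ReKey utility (added example, not
# part of the product). Usage, after sourcing or copying the functions:
#   run_rekey TOKENS naeUser dbUser [HostName=<h> Port=<p> DBName=<d>]
# Assumption not stated on the page: ReKey exits non-zero when it fails or is
# interrupted. JAVA_CMD, REKEY_JAR and MAX_ATTEMPTS are this wrapper's own knobs.
JAVA_CMD="${JAVA_CMD:-java}"
REKEY_JAR="${REKEY_JAR:-SafeNetTokenService-8.13.0.000.jar}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"

# The vault name must be given in capital letters: accept only A-Z, 0-9 and _.
check_table_name() {
  case "$1" in
    ''|*[!A-Z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Optional database properties are limited to HostName=, Port= and DBName=
# (MySQL only); anything else is rejected before ReKey is invoked.
check_db_props() {
  for p in "$@"; do
    case "$p" in
      HostName=?*|Port=?*|DBName=?*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# run_rekey TABLE NAE_USER DB_USER [DB properties...]
# Invokes ReKey and, because an interrupted run resumes at the batch where it
# stopped, reruns it until it succeeds or MAX_ATTEMPTS runs have been made.
# Sets REKEY_ATTEMPTS to the number of runs; returns 2 on bad arguments,
# otherwise the exit status of the last ReKey run.
run_rekey() {
  if [ $# -lt 3 ]; then
    echo "usage: run_rekey TABLE NAE_USER DB_USER [HostName=.. Port=.. DBName=..]" >&2
    return 2
  fi
  table=$1; nae_user=$2; db_user=$3; shift 3
  if ! check_table_name "$table"; then
    echo "rekey: token vault name must be in capital letters: $table" >&2
    return 2
  fi
  if ! check_db_props "$@"; then
    echo "rekey: only HostName=, Port= and DBName= may follow the user names" >&2
    return 2
  fi
  REKEY_ATTEMPTS=0
  status=1
  while [ "$REKEY_ATTEMPTS" -lt "$MAX_ATTEMPTS" ]; do
    REKEY_ATTEMPTS=$((REKEY_ATTEMPTS + 1))
    status=0
    "$JAVA_CMD" -cp "$REKEY_JAR" com.safenet.token.ReKey "$table" "$nae_user" "$db_user" "$@" || status=$?
    if [ "$status" -eq 0 ]; then
      return 0
    fi
    echo "rekey: run $REKEY_ATTEMPTS exited with status $status; rerunning to resume" >&2
  done
  return "$status"
}
```

Rerunning on every non-zero exit assumes the failure was transient (a lost database connection, a killed session). A wrong naeUser or dbUser, or a Key Manager user without access to the key, fails identically on every run, which is why the attempt count is capped; read the utility's output before raising MAX_ATTEMPTS.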