How to ReKey a Token Vault
Re-keying is the act of decrypting data and then re-encrypting it with a new set of key bytes (a new key version).
For re-keying the table, Thales offers a Java API that can be called from the command line. Once the key has been rotated, the database administrator does not need administrator access to the Key Manager to re-key the token vault; user access to the key is still required.
If the re-key operation is interrupted, simply re-run the operation - the process resumes where it stopped.
You can perform the re-key operation in either of the following ways:
Rotate the key as explained in the How to Rotate a Key section.
Use the ReKey command.
Using CT-V Client
Call the ReKey command from a CT-V client as shown here:
java -cp SafeNetTokenService-8.12.4.000.jar com.safenet.token.ReKey dbtable naeUser dbUser
You can also pass database properties to the rekey operation, as shown below:
java -cp SafeNetTokenService-8.12.4.000.jar com.safenet.token.ReKey dbtable naeUser dbUser [HostName=<DB HostName>] [Port=<DB Port>] [DBName=<DB Name>]
Where,
dbtable is the token vault - it must be in CAPITAL letters
naeUser is the Key Manager user name
dbUser is the name of the database user
HostName is the database host name where your token vault resides
Port is the database port
DBName is the database name
• If the HostName, Port, and DBName parameters are supplied, they take precedence over the values specified in the SafeNetToken.properties file. These parameters are supported for the MySQL database only.
• Be sure that SafeNetTokenService-8.12.4.000.jar is in the classpath.
• The last three parameters (HostName, Port, and DBName) are optional.
If you do not pass a key name, the ReKey command searches sfnt_key_table to find the correct key for the table. The system prompts for the NAE and database passwords.
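The following POSIX shell wrapper is an added example, not Thales' code: it builds the ReKey command line shown above, enforces the CAPITAL-letter rule for the vault name, treats HostName/Port/DBName as optional, and re-runs the command a bounded number of times because an interrupted re-key resumes where it stopped. The vault name, user names, host, port and database name are placeholders, and it assumes ReKey exits non-zero when interrupted.

```shell
#!/bin/sh
# Added example (not Thales' code). Jar name taken from the page; can be
# overridden with REKEY_JAR. Passwords are not passed here: ReKey prompts
# for the NAE and database passwords itself.
REKEY_JAR="${REKEY_JAR:-SafeNetTokenService-8.12.4.000.jar}"

# Build the ReKey command line.
# Usage: build_rekey_cmd DBTABLE NAEUSER DBUSER [HOST] [PORT] [DBNAME]
build_rekey_cmd() {
    table=$1; nae_user=$2; db_user=$3; host=$4; port=$5; dbname=$6
    # The token vault name must be in CAPITAL letters.
    case $table in
        *[[:lower:]]*)
            echo "error: token vault name must be in CAPITAL letters: $table" >&2
            return 1 ;;
    esac
    cmd="java -cp $REKEY_JAR com.safenet.token.ReKey $table $nae_user $db_user"
    # Optional MySQL-only overrides; they take precedence over SafeNetToken.properties.
    [ -n "$host" ]   && cmd="$cmd HostName=$host"
    [ -n "$port" ]   && cmd="$cmd Port=$port"
    [ -n "$dbname" ] && cmd="$cmd DBName=$dbname"
    echo "$cmd"
}

# Run the re-key, re-running on failure so an interrupted run resumes where
# it stopped. Gives up after MAX_ATTEMPTS (default 3).
run_rekey() {
    max=${MAX_ATTEMPTS:-3}; attempt=1
    cmd=$(build_rekey_cmd "$@") || return 1
    [ -r "$REKEY_JAR" ] || { echo "error: $REKEY_JAR not found in current directory" >&2; return 1; }
    while [ "$attempt" -le "$max" ]; do
        echo "re-key attempt $attempt/$max: $cmd"
        if $cmd; then
            return 0
        fi
        attempt=$((attempt + 1))
    done
    echo "error: re-key did not complete after $max attempts" >&2
    return 1
}

# Example invocation with placeholder values (uncomment to run):
# MAX_ATTEMPTS=5 run_rekey CUSTOMERS naeUser dbUser dbhost 3306 tokendb
```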