CKM_REPLICATE_TOKEN_RSA_AES

Supported Operations

Encrypt and Decrypt No
Sign and Verify No
SignRecover and VerifyRecover No
Digest No
Generate Key/Key-Pair No
Wrap and Unwrap Yes
Derive No
Available in FIPS Mode Yes
Restrictions in FIPS Mode None

Key Size Range (bits) and Parameters

Minimum 2048
FIPS Minimum 2048
Maximum 4096
Parameter CK_REPLICATE_TOKEN_PARAMS

Description

CKM_REPLICATE_TOKEN_RSA_AES is a Thales vendor-defined mechanism.

This mechanism is used to clone a token from one HSM to another (peer) HSM by creating a duplicate of the token on the peer HSM. This capability is useful if you are using the ProtectServer HSM's load balancing (Work Load Distribution) and redundancy (High Availability) capabilities, which require token consistency. For more information, refer to Token Replication. and Work Load Distribution Model (WLD) and High Availability (HA).

This mechanism is used to implement the wrapping and unwrapping operations that are required for cloning.

NOTE   Before attempting cloning operations, create identity keys for the HSMs with the ctident tool . For more information, refer to ctident.

Wrapping Tokens

The mechanism wraps the token associated with the hSession parameter to C_WrapKey() into a protected format. When the mechanism is used to wrap a token it has a required parameter, a CK_REPLICATE_TOKEN_PARAMS_PTR.

The CK_REPLICATE_TOKEN_PARAMS structure is defined as follows:

typedef struct CK_REPLICATE_TOKEN_PARAMS {
CK_CHAR peerId[CK_SERIAL_NUMBER_SIZE];
} CK_REPLICATE_TOKEN_PARAMS;

The peerId field identifies the peer public key on the administrative token. The public key is used to wrap the token encryption key and therefore must identify the public key of the destination HSM.

CK_REPLICATE_TOKEN_PARAMS_PTR is a pointer to a CK_REPLICATE_TOKEN_PARAMS.

The following conditions must be satisfied:

>The token being wrapped which is associated with the hSession parameter to the C_WrapKey() must be a regular user token (i.e. NOT the administrative token or a smart-card token).

>The session state for hSession must be one of CKS_RO_USER_FUNCTIONS or CKS_RW_USER_FUNCTIONS.

>The hWrappingKey parameter to C_WrapKey() must specify CK_INVALID_HANDLE.

>The hKey parameter to C_WrapKey() must specify CK_INVALID_HANDLE.

Unwrapping Tokens

This mechanism unwraps the protected token information, replacing the entire token contents of the token associated with the hSession parameter to C_UnwrapKey().When the mechanism is used for unwrapping a token, a mechanism parameter must not be specified.

The following conditions must be satisfied:

>The token being unwrapped which is associated with the hSession parameter to C_UnwrapKey() must be a regular user token. That is, NOT the administrative token or a smart card token.

>The session state for hSession must be CKS_RW_USER_FUNCTIONS.

>The hUnwrappingKey parameter to C_UnwrapKey() must specify CK_INVALID_HANDLE.

>The pTemplate parameter to C_UnwrapKey() must specify NULL.

>The ulAttributeCount parameter to C_UnwrapKey() must specify zero.

>The phKey parameter to C_UnwrapKey() must specify NULL.

>Any new sessions must be deferred until the operation has finished.

>The current session must be the only session in existence for the token.

>The application should call C_Finalize() upon completion.

Return to ProtectToolkit-C Mechanisms