Recreate keys
If the flowchart indicated that you have to recreate your keys, you have to recreate these keys with WSOP v3.2 or later. When the replacement keys have been generated, revoke the legacy key. You must use the replacement keys when you re-encrypt and re-sign all data that were previously encrypted or signed with the revoked keys.
Procedure
If you haven’t already initialized a new database as part of Migrate keys when upgrading WSOP from v3.0 or Migrate keys when upgrading WSOP from v3.1:
-
Install DBMT:
The commands in this section use DBMT v2.1.0. Later versions of the tool can be used, too.
tar -xf dbmt-2.1.0.tar.gz cd opt/nfast/webservices/dbmt-2.1.0 ./install.sh -
Change the database name in the DBMT configuration to the new database.
For more information on how to install and configure DBMT, see section WSOP Database Management Tool in the WSOP User Guide.
-
Initialize the new database:
dbmt db-init --config /path/to/new/config.yaml -
With the old WSOP version still running, install the WSOP v3.2 or higher on another local system, for example on a Linux server. See section Upgrading the Web Services Option Pack in the WSOP User Guide.
-
Configure the new WSOP version to use the new database.
Generate a new key for encryption/decryption
-
Ensure the client terminals for the new and old WSOP instances instances are in a secure environment. This ensure that the confidentiality of the exposed plaintext is protected.
-
With the old WSOP version and the old key, decrypt the relevant ciphertext:
curl --cacert server_ca.pem \ --cert client_crt.pem \ --key client_key.pem \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --request POST \ -d '{"alg":"RSA-OAEP", "kid":"/km/v1/groups/2dc4849d-583c-5a9e-9901-dfe3415bc91f/keys/0ff67c26-379c-52c3-9880-cb8a138a5b66","ciphertext":"<base64url-encoded ciphertext omitted>"}' \ 'https://wsop.server:18001/crypto/v1/decrypt' Result: { "plaintext": "aGVsbG8gd29ybGQ" } -
Generate a replacement key with the new WSOP version:
curl --cacert server_ca.pem \ --cert client_crt.pem \ --key client_key.pem \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --request POST \ -d '{"keytype": "RSA", "length": 2048, "appname": "simple", "ident": "newrsakey"}' \ 'https://wsop.server:18001/km/v1/groups/2dc4849d-583c-5a9e-9901-dfe3415bc91f/keys' Result: {"kid":"/km/v1/groups/2dc4849d-583c-5a9e-9901-dfe3415bc91f/keys/49b26396-88bf-53c9-9ca8-535e0fe9ef2e"} -
Re-encrypt the plaintext with the replacement key:
curl --cacert server_ca.pem \ --cert client_crt.pem \ --key client_key.pem \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --request POST \ -d '{"alg":"RSA-OAEP", "kid":"/km/v1/groups/2dc4849d-583c-5a9e-9901-dfe3415bc91f/keys/49b26396-88bf-53c9-9ca8-535e0fe9ef2e","payload":"aGVsbG8gd29ybGQ"}' \ 'https://wsop.server:18001/crypto/v1/encrypt'
Generate a new key for signing/verifying
-
With the new WSOP version, generate a replacement key:
curl --cacert server_ca.pem \ --cert client_crt.pem \ --key client_key.pem \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --request POST \ -d '{"keytype": "RSA", "length": 2048, "appname": "simple", "ident": "newrsakey"}' \ 'https://wsop.server:18001/km/v1/groups/2dc4849d-583c-5a9e-9901-dfe3415bc91f/keys' Result: {"kid":"/km/v1/groups/2dc4849d-583c-5a9e-9901-dfe3415bc91f/keys/49b26396-88bf-53c9-9ca8-535e0fe9ef2e"} -
Re-sign the payload with the replacement key:
curl --cacert server_ca.pem \ --cert client_crt.pem \ --key client_key.pem \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --request POST \ -d '{"alg":"RS256", "kid":"/km/v1/groups/2dc4849d-583c-5a9e-9901-dfe3415bc91f/keys/49b26396-88bf-53c9-9ca8-535e0fe9ef2e","payload": "aGVsbG8gd29ybGQ"}' \ 'https://wsop.server:18001/crypto/v1/sign'