Provided by: opencryptoki_3.17.0+dfsg+20220202.b40982e-0ubuntu1.2_amd64 
NAME
pkcscca - configuration utility for the CCA token
SYNOPSIS
VERSION MIGRATION
pkcscca [-m v2objectsv3] [OPTIONS]
KEY MIGRATION
pkcscca [-m keys] [-s SLOTID] [-k aes|apka|asym|sym] [OPTIONS]
DESCRIPTION
The pkcscca utility assists in administering the CCA token.
In version 2 of opencryptoki, CCA private token objects were encrypted in CCA hardware. In
version 3 these objects are encrypted in software. The v2objectsv3 migration option
migrates these v2 objects by decrypting them in CCA hardware using a secure key and then
re-encrypting them in software using a software key. Afterwards, v2 objects can be
accessed in version 3.
There may be situations where CCA master keys must be changed. All CCA secret and private
keys are wrapped with a master key. After a CCA master key is changed, keys wrapped with
the old master key need to be re-wrapped with the current master key. The keys migration
option migrates these wrapped keys by unwrapping them with the old master key and wrapping
them with the current master key.
GENERAL OPTIONS
-d|--datastore directory
the directory where the CCA token information is kept. This directory will be
used to locate the private token objects to be migrated. i.e.
/var/lib/opencryptoki/ccatok
-v|--verbose
Provide more detailed output
VERSION MIGRATION
-m v2objectsv3
Migrates CCA private token objects from CCA encryption (used in v2) to software
encryption (used in v3).
KEY MIGRATION
-m keys
Unwraps private keys with an old CCA master key and wraps them with a new CCA master
key.
-k aes|apka|asym|sym
Migrate keys wrapped with the selected master key type.
-s|--slotid SLOTID
The PKCS slot number.
FILES
/var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX
contains current list of public and private token objects for the CCA token.
SEE ALSO
README.cca_stdll (in system's doc directory)