NAME

       pkcscca - configuration utility for the CCA token

SYNOPSIS

   VERSION MIGRATION
       pkcscca [-m v2objectsv3] [OPTIONS]

   KEY MIGRATION
       pkcscca [-m keys] [-s SLOTID] [-k aes|apka|asym|sym] [OPTIONS]

   OLD RSA KEY MIGRATION
       pkcscca [-m oldrsakeys] [-s SLOTID] [OPTIONS]

DESCRIPTION

       The pkcscca utility assists in administering the CCA token.

       In version 2 of opencryptoki, CCA private token objects were encrypted in CCA hardware. In
       version 3 these objects are  encrypted  in  software.  The  v2objectsv3  migration  option
       migrates  these  v2 objects by decrypting them in CCA hardware using a secure key and then
       re-encrypting them in software using  a  software  key.  Afterwards,  v2  objects  can  be
       accessed in version 3.

       There  may be situations where CCA master keys must be changed. All CCA secret and private
       keys are wrapped with a master key. After a CCA master key is changed, keys  wrapped  with
       the  old  master key need to be re-wrapped with the current master key. The keys migration
       option migrates these wrapped keys by unwrapping them with the old master key and wrapping
       them with the current master key.

       Up  to  opencryptoki  version  3.14.0,  RSA  keys were created using the RSA-CRT key token
       format (private key section X'08'). RSA-CRT keys are encrypted with the  CCA  ASYM  master
       key,  and  can  not  be  used  for certain mechanisms, e.g.  RSA-PSS or RSA-OAEP. In newer
       opencryptoki versions, RSA keys are created using the RSA-AESC key token  format  (private
       key  section  X'31'). Up to version 3.16.0, RSA public keys also contained full CCA secure
       key tokens, including the private key section (which is encrypted by the CCA master  key).
       The oldrsakeys migration option migrates old RSA private key tokens to the new format, and
       also extracts the public key sections from RSA public key tokens  containing  a  full  CCA
       secure key token.

GENERAL OPTIONS

       -d|--datastore directory
                 the  directory  where  the CCA token information is kept. This directory will be
                 used  to   locate   the   private   token   objects   to   be   migrated.   i.e.
                 /var/lib/opencryptoki/ccatok

       -v|--verbose
            Provide more detailed output

VERSION MIGRATION

       -m v2objectsv3
            Migrates  CCA  private  token  objects  from  CCA encryption (used in v2) to software
            encryption (used in v3).

KEY MIGRATION

       -m keys
            Unwraps private keys with an old CCA master key and wraps them with a new CCA  master
            key.

       -k aes|apka|asym|sym
            Migrate keys wrapped with the selected master key type.

       -s|--slotid SLOTID
            The PKCS slot number.

OLD RSA KEY MIGRATION

       -m oldrsakeys
            Converts  old RSA keys (RSA-CRT) to the new format (RSA-AESC) and extracts the public
            key section only from key objects containing the full RSA key token.

       -s|--slotid SLOTID
            The PKCS slot number.

FILES

       /var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX
              contains current list of public and private token objects for the CCA token.

SEE ALSO

       README.cca_stdll (in system's doc directory)