User guide
CHAPTER 8
Keystores
• Initializing a Keystore on page 31
• Reinitializing the Keystore on page 31
• Binary Importing and Exporting of the Keystore on page 32
Initializing a Keystore
When the FIPS appliance is powered on from a factory-reset or when its configuration
is reset, the serial console requires the initialization of a keystore and a self-signed device
certificate. The steps for initialization are:
• During the boot process, the current release's HSM firmware is installed on the FIPS-compliant crypto card HSM.
• You are prompted to create a new keystore. As part of the new keystore creation, you must provide the following data:
  • The security officer name and password. Save these credentials, as they are required for such tasks as creating new restore passwords and for changing the security officer password.
  • The keystore restore or HSM master key backup password. Every time you export the system configuration, save the current restore password for the archived keystore.
  • Web username and password for running cryptographic operations using keys stored in the HSM's keystore.
• The self-signed certificate creation proceeds as normal, except that the HSM is used to generate a secure RSA private key, which is stored in the HSM's database.
Related Documentation
• FIPS Overview on page 9
Reinitializing the Keystore
If there is a change in the security policy of the deployment that requires the creation of
new RSA key pairs and corresponding certificates, you will need to reinitialize the keystore.
You can reinitialize the keystore from either a stand-alone node or from a cluster.
Page 31. Copyright © 2012, Juniper Networks, Inc.