com.netscape.cmstools
Class DRMTool

java.lang.Object
  extended by com.netscape.cmstools.DRMTool

public class DRMTool
extends java.lang.Object

The DRMTool class is a utility program designed to operate on an LDIF file to perform one or more of the following tasks:

     (A) Use a new storage key (e. g. - a 2048-bit key to replace a
         1024-bit key) to rewrap the existing triple DES symmetric key
         that was used to wrap a user's private key.

         STARTING INVENTORY:

             (1) a DRMTOOL configuration file containing DRM LDIF record
                 types and the processing status of their associated fields

             (2) an LDIF file containing 'exported' DRM data
                 (referred to as the "source" DRM)

                 NOTE:  If this LDIF file contains data that was originally
                        from a DRM instance that was prior to RHCS 8, it
                        must have previously undergone the appropriate
                        migration steps.

             (3) the NSS security databases (e. g. - cert8.db, key3.db,
                 and secmod.db) associated with the data contained in
                 the source LDIF file

                 NOTE:  If the storage key was located on an HSM, then the
                        HSM must be available to the machine on which the
                        DRMTool is being executed (since the RSA private
                        storage key is required for unwrapping the
                        symmetric triple DES key).  Additionally, a
                        password may be required to unlock access to
                        this key (e. g. - which may be located in
                        the source DRM's 'password.conf' file).

             (4) a file containing the ASCII BASE-64 storage certificate
                 from the DRM instance for which the output LDIF file is
                 intended (referred to as the "target")

         ENDING INVENTORY:

             (1) all items listed in the STARTING INVENTORY (unchanged)

             (2) a log file containing information suitable for audit
                 purposes

             (3) an LDIF file containing the revised data suitable for
                 'import' into a new DRM (referred to as the "target" DRM)

         DRMTool PARAMETERS:

             (1) the name of the DRMTOOL configuration file containing
                 DRM LDIF record types and the processing status of their
                 associated fields

             (2) the name of the input LDIF file containing data which was
                 'exported' from the source DRM instance

             (3) the name of the output LDIF file intended to contain the
                 revised data suitable for 'import' to a target DRM instance

             (4) the name of the log file that may be used for auditing
                 purposes

             (5) the path to the security databases that were used by
                 the source DRM instance

             (6) the name of the token that was used by
                 the source DRM instance

             (7) the name of the storage certificate that was used by
                 the source DRM instance

             (8) the name of the file containing the ASCII BASE-64 storage
                 certificate from the target DRM instance for which the
                 output LDIF file is intended

             (9) OPTIONALLY, the name of a file which ONLY contains the
                 password needed to access the source DRM instance's
                 security databases

            (10) OPTIONALLY, choose to change the specified source DRM naming
                 context to the specified target DRM naming context

            (11) OPTIONALLY, choose to ONLY process CA enrollment requests,
                 CA recovery requests, CA key records, TPS netkeyKeygen
                 enrollment requests, TPS recovery requests, and
                 TPS key records

         DATA FIELDS AFFECTED (using default config file values):

             (1) CA DRM enrollment request

                 (a) dateOfModify
                 (b) extdata-requestnotes

             (2) CA DRM key record

                 (a) dateOfModify
                 (b) privateKeyData

             (3) CA DRM recovery request

                 (a) dateOfModify
                 (b) extdata-requestnotes (NEW)

             (4) TPS DRM netkeyKeygen (enrollment) request

                 (a) dateOfModify
                 (b) extdata-requestnotes (NEW)

             (5) TPS DRM key record

                 (a) dateOfModify
                 (b) privateKeyData

             (6) TPS DRM recovery request

                 (a) dateOfModify
                 (b) extdata-requestnotes (NEW)

     (B) Specify an ID offset to append to existing numeric data
         (e. g. - to renumber data for use in DRM consolidation efforts).

         STARTING INVENTORY:

             (1) a DRMTOOL configuration file containing DRM LDIF record
                 types and the processing status of their associated fields

             (2) an LDIF file containing 'exported' DRM data
                 (referred to as the "source" DRM)

                 NOTE:  If this LDIF file contains data that was originally
                        from a DRM instance that was prior to RHCS 8, it
                        must have previously undergone the appropriate
                        migration steps.

         ENDING INVENTORY:

             (1) all items listed in the STARTING INVENTORY (unchanged)

             (2) a log file containing information suitable for audit
                 purposes

             (3) an LDIF file containing the revised data suitable for
                 'import' into a new DRM (referred to as the "target" DRM)

         DRMTool PARAMETERS:

             (1) the name of the DRMTOOL configuration file containing
                 DRM LDIF record types and the processing status of their
                 associated fields

             (2) the name of the input LDIF file containing data which was
                 'exported' from the source DRM instance

             (3) the name of the output LDIF file intended to contain the
                 revised data suitable for 'import' to a target DRM instance

             (4) the name of the log file that may be used for auditing
                 purposes

             (5) a large numeric ID offset (mask) to be appended to existing
                 numeric data in the source DRM instance's LDIF file

             (6) OPTIONALLY, choose to change the specified source DRM naming
                 context to the specified target DRM naming context

             (7) OPTIONALLY, choose to ONLY process CA enrollment requests,
                 CA recovery requests, CA key records, TPS netkeyKeygen
                 enrollment requests, TPS recovery requests, and
                 TPS key records

         DATA FIELDS AFFECTED (using default config file values):

             (1) CA DRM enrollment request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-keyrecord
                 (d) extdata-requestnotes
                 (e) requestId

             (2) CA DRM key record

                 (a) cn
                 (b) dateOfModify
                 (c) serialno

             (3) CA DRM recovery request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-requestid
                 (d) extdata-requestnotes (NEW)
                 (e) extdata-serialnumber
                 (f) requestId

             (4) TPS DRM netkeyKeygen (enrollment) request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-keyrecord
                 (d) extdata-requestid
                 (e) extdata-requestnotes (NEW)
                 (f) requestId

             (5) TPS DRM key record

                 (a) cn
                 (b) dateOfModify
                 (c) serialno

             (6) TPS DRM recovery request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-requestid
                 (d) extdata-requestnotes (NEW)
                 (e) extdata-serialnumber
                 (f) requestId

     (C) Specify an ID offset to be removed from existing numeric data
         (e. g. - to undo renumbering used in DRM consolidation efforts).

         STARTING INVENTORY:

             (1) a DRMTOOL configuration file containing DRM LDIF record
                 types and the processing status of their associated fields

             (2) an LDIF file containing 'exported' DRM data
                 (referred to as the "source" DRM)

                 NOTE:  If this LDIF file contains data that was originally
                        from a DRM instance that was prior to RHCS 8, it
                        must have previously undergone the appropriate
                        migration steps.

         ENDING INVENTORY:

             (1) all items listed in the STARTING INVENTORY (unchanged)

             (2) a log file containing information suitable for audit
                 purposes

             (3) an LDIF file containing the revised data suitable for
                 'import' into a new DRM (referred to as the "target" DRM)

         DRMTool PARAMETERS:

             (1) the name of the DRMTOOL configuration file containing
                 DRM LDIF record types and the processing status of their
                 associated fields

             (2) the name of the input LDIF file containing data which was
                 'exported' from the source DRM instance

             (3) the name of the output LDIF file intended to contain the
                 revised data suitable for 'import' to a target DRM instance

             (4) the name of the log file that may be used for auditing
                 purposes

             (5) a large numeric ID offset (mask) to be removed from existing
                 numeric data in the source DRM instance's LDIF file

             (6) OPTIONALLY, choose to change the specified source DRM naming
                 context to the specified target DRM naming context

             (7) OPTIONALLY, choose to ONLY process CA enrollment requests,
                 CA recovery requests, CA key records, TPS netkeyKeygen
                 enrollment requests, TPS recovery requests, and
                 TPS key records

         DATA FIELDS AFFECTED (using default config file values):

             (1) CA DRM enrollment request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-keyrecord
                 (d) extdata-requestnotes
                 (e) requestId

             (2) CA DRM key record

                 (a) cn
                 (b) dateOfModify
                 (c) serialno

             (3) CA DRM recovery request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-requestid
                 (d) extdata-requestnotes (NEW)
                 (e) extdata-serialnumber
                 (f) requestId

             (4) TPS DRM netkeyKeygen (enrollment) request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-keyrecord
                 (d) extdata-requestid
                 (e) extdata-requestnotes (NEW)
                 (f) requestId

             (5) TPS DRM key record

                 (a) cn
                 (b) dateOfModify
                 (c) serialno

             (6) TPS DRM recovery request

                 (a) cn
                 (b) dateOfModify
                 (c) extdata-requestid
                 (d) extdata-requestnotes (NEW)
                 (e) extdata-serialnumber
                 (f) requestId
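Task (A) as an added worked example in Go; this is not DRMTool's code and not part of this Javadoc. It models the part of a key record's privateKeyData that a rewrap touches as a triple DES key wrapped under the storage RSA key plus the user's private key encrypted under that triple DES key. That layout, PKCS#1 v1.5 as the RSA wrapping scheme, and 3DES in CTR mode are assumptions made for the example, since the page does not describe the DRM's actual encoding; Escrow, Recover and RewrapRecord are illustrative names. The source storage key is 1024-bit and the target 2048-bit, the sizes quoted in (A).

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// KeyRecord models the privateKeyData parts a rewrap touches (layout assumed for this example).
type KeyRecord struct {
	WrappedSymKey  []byte // triple DES key wrapped under the storage RSA key
	IV             []byte // IV for the 3DES-CTR wrapping of the user's key
	WrappedPrivKey []byte // user's private key encrypted under the 3DES key
}

// cryptWith3DES applies 3DES-CTR (an assumed mode); CTR is its own inverse, so it both wraps and unwraps.
func cryptWith3DES(symKey, iv, data []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(symKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// Escrow builds a record as the source DRM would: a fresh 3DES key protects the user's key, the storage public key protects the 3DES key.
func Escrow(storage *rsa.PublicKey, userPriv []byte) (KeyRecord, error) {
	buf := make([]byte, 24+des.BlockSize)
	if _, err := rand.Read(buf); err != nil {
		return KeyRecord{}, err
	}
	symKey, iv := buf[:24], buf[24:]
	ct, err := cryptWith3DES(symKey, iv, userPriv)
	if err != nil {
		return KeyRecord{}, err
	}
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, storage, symKey)
	if err != nil {
		return KeyRecord{}, err
	}
	return KeyRecord{WrappedSymKey: wrapped, IV: iv, WrappedPrivKey: ct}, nil
}

// Recover is the DRM's view at recovery time: unwrap the 3DES key with the storage private key, then decrypt the user's key.
func Recover(storage *rsa.PrivateKey, rec KeyRecord) ([]byte, error) {
	symKey, err := rsa.DecryptPKCS1v15(rand.Reader, storage, rec.WrappedSymKey)
	if err != nil {
		return nil, err
	}
	return cryptWith3DES(symKey, rec.IV, rec.WrappedPrivKey)
}

// RewrapRecord performs task (A): unwrap the 3DES key with the source DRM's storage private key, wrap it
// again under the target DRM's storage public key (from its storage certificate), and copy the user's key blob unchanged.
func RewrapRecord(rec KeyRecord, source *rsa.PrivateKey, target *rsa.PublicKey) (KeyRecord, error) {
	symKey, err := rsa.DecryptPKCS1v15(rand.Reader, source, rec.WrappedSymKey)
	if err != nil {
		return KeyRecord{}, fmt.Errorf("unwrap with source storage key: %w", err)
	}
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, target, symKey)
	if err != nil {
		return KeyRecord{}, fmt.Errorf("wrap with target storage key: %w", err)
	}
	return KeyRecord{WrappedSymKey: wrapped, IV: rec.IV, WrappedPrivKey: rec.WrappedPrivKey}, nil
}

// DemoRewrap escrows a constructed user key under a 1024-bit source storage key, rewraps it for a
// 2048-bit target key, and reports whether the target can recover the user's key while the source no longer can.
func DemoRewrap() (bool, error) {
	source, err1 := rsa.GenerateKey(rand.Reader, 1024)
	target, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("generate storage keys: %v / %v", err1, err2)
	}
	userPriv := []byte("constructed stand-in for an escrowed user private key")
	rec, err := Escrow(&source.PublicKey, userPriv)
	if err != nil {
		return false, err
	}
	newRec, err := RewrapRecord(rec, source, &target.PublicKey)
	if err != nil {
		return false, err
	}
	recovered, err := Recover(target, newRec)
	if err != nil {
		return false, err
	}
	_, errOld := Recover(source, newRec) // the source key must fail on the rewrapped record
	return bytes.Equal(recovered, userPriv) && errOld != nil, nil
}

func main() {
	ok, err := DemoRewrap()
	fmt.Println("rewrap round trip ok:", ok, "err:", err)
}
```

Only the wrapped symmetric key changes; the encrypted user key is copied byte for byte, which is why the rewrap needs the source storage private key (from the NSS databases or the HSM, per the STARTING INVENTORY) yet never writes the user's key in the clear to the output LDIF. DemoRewrap also confirms that the source storage key can no longer open the rewrapped record.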

 

DRMTool may be invoked as follows:


    DRMTool
    -drmtool_config_file <path + drmtool config file>
    -source_ldif_file <path + source ldif file>
    -target_ldif_file <path + target ldif file>
    -log_file <path + log file>
    [-source_pki_security_database_path <path to PKI source database>]
    [-source_storage_token_name '<source token>']
    [-source_storage_certificate_nickname '<source nickname>']
    [-target_storage_certificate_file <path to target certificate file>]
    [-source_pki_security_database_pwdfile <path to PKI password file>]
    [-append_id_offset <numeric offset>]
    [-remove_id_offset <numeric offset>]
    [-source_drm_naming_context '<original source DRM naming context>']
    [-target_drm_naming_context '<renamed target DRM naming context>']
    [-process_requests_and_key_records_only]

    where the following options are 'Mandatory':

    -drmtool_config_file <path + drmtool config file>
    -source_ldif_file <path + source ldif file>
    -target_ldif_file <path + target ldif file>
    -log_file <path + log file>

    AND at least ONE of the following sets of options is 'Mandatory':

        (a) options for using a new storage key for rewrapping:

            [-source_pki_security_database_path
             <path to PKI source database>]
            [-source_storage_token_name '<source token>']
            [-source_storage_certificate_nickname '<source nickname>']
            [-target_storage_certificate_file
             <path to target certificate file>]

            AND OPTIONALLY, specify the name of a file which ONLY contains
            the password needed to access the source DRM instance's
            security databases:

            [-source_pki_security_database_pwdfile
             <path to PKI password file>]

            AND OPTIONALLY, rename source DRM naming context --> target
            DRM naming context:

            [-source_drm_naming_context '<source DRM naming context>']
            [-target_drm_naming_context '<target DRM naming context>']

            AND OPTIONALLY, process requests and key records ONLY:

            [-process_requests_and_key_records_only]

        (b) option for appending the specified numeric ID offset
            to existing numerical data:

            [-append_id_offset <numeric offset>]

            AND OPTIONALLY, rename source DRM naming context --> target
            DRM naming context:

            [-source_drm_naming_context '<source DRM naming context>']
            [-target_drm_naming_context '<target DRM naming context>']

            AND OPTIONALLY, process requests and key records ONLY:

            [-process_requests_and_key_records_only]

        (c) option for removing the specified numeric ID offset
            from existing numerical data:

            [-remove_id_offset <numeric offset>]

            AND OPTIONALLY, rename source DRM naming context --> target
            DRM naming context:

            [-source_drm_naming_context '<source DRM naming context>']
            [-target_drm_naming_context '<target DRM naming context>']

            AND OPTIONALLY, process requests and key records ONLY:

            [-process_requests_and_key_records_only]

        (d) (a) rewrap AND (b) append ID offset
            [AND OPTIONALLY, rename source DRM naming context --> target
            DRM naming context]
            [AND OPTIONALLY process requests and key records ONLY]

        (e) (a) rewrap AND (c) remove ID offset
            [AND OPTIONALLY, rename source DRM naming context --> target
            DRM naming context]
            [AND OPTIONALLY process requests and key records ONLY]

        NOTE:  Options (b) and (c) are mutually exclusive!
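Tasks (B) and (C), as driven by -append_id_offset and -remove_id_offset, shown as an added Go example that is not DRMTool's code and not part of this Javadoc. It renumbers the attributes listed under DATA FIELDS AFFECTED for the default configuration, stamps dateOfModify, and annotates extdata-requestnotes. The record types and attribute names come from the page; the two-record LDIF input is constructed, and rewriting the cn inside the dn, the note text, and the simplified LDIF parser are assumptions of the example. Removing an offset from an ID that was never renumbered is refused rather than silently wrapped around.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Attr is one "name: value" line of an LDIF record; Record keeps attribute order.
type Attr struct{ Name, Value string }
type Record []Attr

// Attributes renumbered under the default config file ("DATA FIELDS AFFECTED", tasks B and C).
var numericFields = map[string]bool{"cn": true, "serialno": true, "requestId": true,
	"extdata-keyrecord": true, "extdata-requestid": true, "extdata-serialnumber": true}

// SampleLDIF is constructed for this example: a CA key record and the enrollment request using it.
const SampleLDIF = `dn: cn=5,ou=keyRepository,ou=kra,o=source-drm
cn: 5
serialno: 5
dateOfModify: 20120401120000Z

dn: cn=7,ou=kra,ou=requests,o=source-drm
cn: 7
requestId: 7
extdata-keyrecord: 5
extdata-requestnotes: original note
`

// ParseLDIF handles the plain "name: value" subset of LDIF; folded lines and "::" values are not supported.
func ParseLDIF(text string) []Record {
	var recs []Record
	for _, chunk := range strings.Split(strings.TrimSpace(text), "\n\n") {
		var rec Record
		for _, line := range strings.Split(chunk, "\n") {
			if name, value, ok := strings.Cut(line, ": "); ok {
				rec = append(rec, Attr{name, value})
			}
		}
		recs = append(recs, rec)
	}
	return recs
}

// shift adds the offset to one decimal ID (task B) or subtracts it (task C), refusing to subtract from an ID that was never renumbered.
func shift(value string, offset uint64, remove bool) (string, error) {
	v, err := strconv.ParseUint(value, 10, 64)
	if err != nil {
		return "", fmt.Errorf("%q is not numeric", value)
	}
	if remove && v < offset {
		return "", fmt.Errorf("%d is below offset %d; was it ever renumbered?", v, offset)
	}
	if remove {
		return strconv.FormatUint(v-offset, 10), nil
	}
	return strconv.FormatUint(v+offset, 10), nil
}

// ApplyOffset renumbers every numeric field, stamps dateOfModify with modTime and
// annotates extdata-requestnotes. The dn rewrite and the note wording are assumptions.
func ApplyOffset(recs []Record, offset uint64, remove bool, modTime string) ([]Record, error) {
	note := fmt.Sprintf("ID offset %d %s", offset, map[bool]string{false: "appended", true: "removed"}[remove])
	out := make([]Record, 0, len(recs))
	for _, rec := range recs {
		var cnOld, cnNew string
		newRec := make(Record, 0, len(rec))
		for _, a := range rec {
			switch {
			case numericFields[a.Name]:
				nv, err := shift(a.Value, offset, remove)
				if err != nil {
					return nil, fmt.Errorf("%s: %w", a.Name, err)
				}
				if a.Name == "cn" {
					cnOld, cnNew = a.Value, nv
				}
				a.Value = nv
			case a.Name == "dateOfModify":
				a.Value = modTime
			case a.Name == "extdata-requestnotes":
				a.Value += "; " + note
			}
			newRec = append(newRec, a)
		}
		if len(newRec) > 0 && newRec[0].Name == "dn" && cnOld != "" { // dn must match the new cn
			newRec[0].Value = strings.Replace(newRec[0].Value, "cn="+cnOld+",", "cn="+cnNew+",", 1)
		}
		out = append(out, newRec)
	}
	return out, nil
}

func main() {
	out, err := ApplyOffset(ParseLDIF(SampleLDIF), 100000, false, "20240101000000Z")
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Running ApplyOffset with remove=false and then remove=true restores the original IDs, which is the undo described in (C); because append and remove are opposite directions of the same operation, a single run takes one or the other, matching the note that options (b) and (c) are mutually exclusive.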

 

Version:
$Revision$, $Date$
Author:
mharmsen

Constructor Summary
DRMTool()
Method Summary
static void main(java.lang.String[] args)
          The main DRMTool method.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DRMTool

public DRMTool()
Method Detail

main

public static void main(java.lang.String[] args)
The main DRMTool method.

Parameters:
args - DRMTool options