
Key Retiring Utility

Previously: AA85 - PCIDSS Key Retiring Utility.pdf

The PCIDSS Key Retiring utility retires the selected encryption keys, replaces them with new keys, and re-encrypts the affected table columns under the new keys. Keys can be retired automatically, in which case the utility generates the replacement key itself, or replaced with keys that an HSM administrator has already created manually.

With automatic key retiring, the utility can be run for the general MIA / ACS settings encryption keys, or for an issuer or issuer group, selected by key type and provider. Replacement with manually created keys is available for the general MIA / ACS settings encryption keys and for issuers; in that case you enter the alias of the new key that the HSM administrator created.

Uploading the Utility

A System Administrator will be responsible for uploading the utility through the MIA (Utilities > Upload Utility).

To upload the utility

  • There is no need to select an Issuer or Group to upload this utility.

  • Browse to locate and select the File name (PCIDSSKeyRetiringUtility.war).

  • Click the Apply button to upload the utility.

    The utility will then be listed in the MIA utilities section (Utilities > Utilities) as PCIDSS Key Retiring Utility.

Running the Utility

This utility changes the HSM keystore and re-encrypts cardholder data and configuration settings in the database. Take a full backup of the HSM keystore and the ActiveAccess database before running it; if an archive database has been configured for automatic archiving, back up that database as well. Without the backup, data encrypted under a key that has already been removed from the keystore cannot be recovered.

Note

Automatic archiving and purging in System Management > Archive Management must be disabled before running the utility. For the whole duration of the run, all ActiveAccess modules must stop receiving requests from the outside world, so that no new data is written under the old key while columns are being re-encrypted.

Utility List

To run the utility

  • Go to the MIA utilities section (Utilities > Utilities)

  • Click the Run link adjacent to the PCIDSS Key Retiring Utility.

    The PCIDSS Key Retiring Utility screen is displayed prompting users to select which issuer, group or general encryption keys to run the utility for.

Retiring keys automatically

To retire keys automatically

  • Select Retire old keys and generate new ones automatically

  • Select the scope of the run with one of the following radio buttons and complete its fields

  • Select the General encryption keys radio button

    • Select the MIA settings encryption key checkbox

    • Select the ACS settings encryption key checkbox

  • Select the Issuer radio button

    • Select the Issuer from the drop down list

    • Select the key type from the Type drop down list

    • Select the provider from the Provider drop down list

    • If the Type selected is RSA Signing, select the key size from the Key size drop down list.

  • Select the Group radio button

    • Select the issuer group from the Group drop down list

    • Select the key type from the Type drop down list

    • Select the provider from the Provider drop down list

    • If the key type selected for Type is RSA Signing, select the Key size from the drop down list.

  • Click the Prepare / Run button

Note

The key retiring process for SecureCode HMAC, CAVV, and RSA Signing Keys is a one-stage process and once one of these key type options is selected, the Run button will be available. The process for retiring General/Data Encryption Keys occurs in two stages: Preparation and Finalization. For stage one of the process, the Prepare button will be available.

Retiring keys using manually created keys

To retire keys using manually created keys

  • Select Retire old encryption keys and use the keys which have been created by HSM administrator

  • Select the scope of the run with one of the following radio buttons and complete its fields

  • Select the General encryption keys radio button

    • Select the MIA settings encryption key checkbox and enter the created key in the New key alias field

    • Select the ACS settings encryption key checkbox and enter the created key in the New key alias field

  • Select the Issuer radio button

    • Select the Issuer from the drop down list

    • Enter the created key in the New key alias field

  • Click the Prepare button

Results

When the process is complete, the Results will be available for immediate display. For more details of the utility process you can check AA_HOME/mia_log.log.

Encryption Key - Preparation Failure

If there is a failure within any of the steps of the preparation process, the utility stops and logs the details of the issue for the administrator's reference.

Encryption Key - Failed Resume/Rollback

If the encryption key retiring fails in the preparation stage, the process can be resumed from the latest status once the issue is resolved or all the changes can be undone using the Rollback option. When a process has a failed status, new processes cannot be started until the current process is successfully resumed or rolled back.

Encryption Key - Preparation Success

During the encryption key retiring process, a new encryption key is generated and a temporary column is added to the affected table for every column that holds encrypted data. Each value is read from the main column, decrypted with the old key, encrypted with the new key and stored in the temporary column. The main column is not modified during preparation, which is what allows the Rollback option to undo the stage cleanly.

Encryption Key - Finalization Re-encrypt/Finalize/Rollback

Once the preparation stage of the encryption key retiring process is completed successfully, the process can be finalized.

If new data was written after the preparation stage completed, it is still encrypted only under the old key. Use the Re-encrypt option to process it before finalizing, because finalization drops the main column.

Alternatively, all the changes made during the preparation stage can be undone using the Rollback option.

The Finalize option completes the encryption key retiring process. In the Finalization process, once all the required columns are re-encrypted, the main column is dropped and the temp column is renamed to the name of the main column. In the final step, all the required constraints and indexes are created for the main column.
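The two-stage procedure described above (Preparation, Re-encrypt for rows written in between, then Finalize or Rollback), as an added worked example that is not code from ActiveAccess or its vendor. It runs against an in-memory SQLite table with invented table and column names, and stands in for the HSM with an in-memory alias-to-key map whose cipher is an HMAC-SHA256 keystream XOR (unauthenticated, for demonstration only; a real deployment calls the HSM for every encrypt and decrypt). Finalize refuses to run while any row has not been re-encrypted, which is the check a practitioner would want before the main column is dropped.

```python
import hashlib
import hmac
import secrets
import sqlite3

TABLE, COL, TMP = "cardholder", "pan_enc", "pan_enc_tmp"   # assumed table/column names


class Hsm:
    """Stand-in for the HSM keystore: alias -> 32-byte key. Not a real cipher:
    HMAC-SHA256 in counter mode XORed with the data, unauthenticated, demo only."""

    def __init__(self):
        self.keys = {}

    def generate(self, alias):
        self.keys[alias] = secrets.token_bytes(32)

    def retire(self, alias):
        self.keys.pop(alias, None)

    def _keystream(self, alias, nonce, n):
        blocks = (hmac.new(self.keys[alias], nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def encrypt(self, alias, plaintext):
        nonce = secrets.token_bytes(12)
        return nonce + bytes(a ^ b for a, b in zip(plaintext, self._keystream(alias, nonce, len(plaintext))))

    def decrypt(self, alias, blob):
        nonce, body = blob[:12], blob[12:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(alias, nonce, len(body))))


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, {COL} BLOB NOT NULL)")
    return db


def insert(db, hsm, alias, pan):
    """Application write path: rows keep arriving encrypted under the current key."""
    db.execute(f"INSERT INTO {TABLE} ({COL}) VALUES (?)", (hsm.encrypt(alias, pan.encode()),))
    db.commit()


def prepare(db, hsm, old_alias, new_alias):
    """Stage one: generate the new key, add the temp column, re-encrypt every row."""
    hsm.generate(new_alias)
    db.execute(f"ALTER TABLE {TABLE} ADD COLUMN {TMP} BLOB")
    return reencrypt(db, hsm, old_alias, new_alias)


def reencrypt(db, hsm, old_alias, new_alias):
    """Decrypt with the old key, encrypt with the new key, store in the temp column.
    Re-runnable: only rows whose temp column is still NULL (written after
    prepare) are touched. Returns the number of rows processed."""
    rows = db.execute(f"SELECT id, {COL} FROM {TABLE} WHERE {TMP} IS NULL").fetchall()
    for rid, blob in rows:
        plain = hsm.decrypt(old_alias, blob)
        db.execute(f"UPDATE {TABLE} SET {TMP} = ? WHERE id = ?", (hsm.encrypt(new_alias, plain), rid))
    db.commit()
    return len(rows)


def _rebuild(db, source_col):
    """Rebuild the table with one main column taken from source_col and recreate its
    NOT NULL constraint (SQLite cannot drop or rename columns portably)."""
    db.executescript(f"""
        CREATE TABLE {TABLE}_new (id INTEGER PRIMARY KEY, {COL} BLOB NOT NULL);
        INSERT INTO {TABLE}_new (id, {COL}) SELECT id, {source_col} FROM {TABLE};
        DROP TABLE {TABLE};
        ALTER TABLE {TABLE}_new RENAME TO {TABLE};
    """)


def rollback(db, hsm, new_alias):
    """Undo the preparation stage: drop the temp column and discard the new key."""
    _rebuild(db, COL)
    hsm.retire(new_alias)


def finalize(db, hsm, old_alias, new_alias):
    """Stage two. Refuses while any row is still encrypted only under the old key."""
    pending = db.execute(f"SELECT COUNT(*) FROM {TABLE} WHERE {TMP} IS NULL").fetchone()[0]
    if pending:
        raise RuntimeError(f"{pending} row(s) not re-encrypted; run reencrypt first")
    _rebuild(db, TMP)       # the temp column becomes the main column
    hsm.retire(old_alias)   # old key leaves the keystore only once no data depends on it


def demo():
    """Full cycle with constructed test card numbers; returns (late rows, recovered PANs, old key present)."""
    hsm, db = Hsm(), new_db()
    hsm.generate("ISSUER_DB_OLD")
    for pan in ("4111111111111111", "5500000000000004"):
        insert(db, hsm, "ISSUER_DB_OLD", pan)
    prepare(db, hsm, "ISSUER_DB_OLD", "ISSUER_DB_NEW")
    insert(db, hsm, "ISSUER_DB_OLD", "340000000000009")          # written between prepare and finalize
    late = reencrypt(db, hsm, "ISSUER_DB_OLD", "ISSUER_DB_NEW")  # picks up exactly that row
    finalize(db, hsm, "ISSUER_DB_OLD", "ISSUER_DB_NEW")
    recovered = [hsm.decrypt("ISSUER_DB_NEW", b).decode()
                 for (b,) in db.execute(f"SELECT {COL} FROM {TABLE} ORDER BY id")]
    return late, recovered, "ISSUER_DB_OLD" in hsm.keys
```

The old key is removed from the stand-in keystore only inside `finalize`, after the rebuilt table holds nothing encrypted under it; a `rollback` instead discards the new key and leaves the main column untouched, which mirrors why the page's Rollback option is only offered before finalization.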

When the MIA settings encryption key is automatically or manually retired and replaced with a new one

If there are other MIA, Registration or Enrolment server instances in the environment besides the one the utility ran on, then on each of them replace the stored DBOWNERPASSWORD and DBPASSWORD values in TOMCAT_HOME/bin/config/miaconfig.properties, regconfig.properties or eb_config.properties with their plain values, add the following properties to the file, and restart the instance. The file holds plaintext database passwords until that restart, so keep its permissions restricted to the service account.

HSMENCALIAS=MIA_DB_DESEDE_NEW (where MIA_DB_DESEDE_NEW is the new MIA settings encryption key alias in HSM)

PLAIN_TEXT=

When the ACS settings encryption key is automatically or manually retired and replaced with a new one

If there are other ACS instances in the environment besides the one the utility ran on, then on each of them replace the stored DBOWNERPASSWORD and DBPASSWORD values in TOMCAT_HOME/bin/config/acsconfig.properties with their plain values, add the following properties to the file, and restart the instance. As above, keep the file's permissions restricted while it holds plaintext passwords.

HSMENCALIAS=AA_Administration_NEW (where AA_Administration_NEW is the new ACS settings encryption key alias in HSM)

PLAIN_TEXT=

When the Issuer's data encryption key is automatically or manually retired and replaced with a new one

The current notification report files of the selected issuer are no longer valid and will be re-collected in the next run of the specified job in the Registration server.

If there are other Registration server instances in the environment besides the current one, add the following property to the TOMCAT_HOME/bin/config/regconfig.properties file on each of them and restart:

NOTIFICATION_REPORT_REGEN_ISSUERIDS=1234567890 (where 1234567890 is the Issuer ID)

If the NOTIFICATION_REPORT_REGEN_ISSUERIDS property already exists, append the Issuer ID to the end of its existing value instead, then restart.
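The properties-file edits for the secondary instances (the MIA / ACS settings key sections above and the Registration server section just described), as an added helper that is not part of ActiveAccess. It makes each edit idempotent, so re-running it on a node that was already updated changes nothing, and it adds an Issuer ID to NOTIFICATION_REPORT_REGEN_ISSUERIDS only once. It assumes plain KEY=value lines in the java.util.Properties style without line continuations, and a comma as the separator between Issuer IDs, which the page does not state; the sample file contents are constructed.

```python
import re


def get_property(text, key):
    """Return the value of KEY (stripped) or None if the line is absent or commented out."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*=(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def set_property(text, key, value):
    """Replace an existing KEY= line in place, or append one; a second run is a no-op."""
    pattern = re.compile(rf"^[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    line = f"{key}={value}"
    if pattern.search(text):
        return pattern.sub(lambda _m: line, text, count=1)   # lambda: no backslash expansion of value
    return text.rstrip("\n") + "\n" + line + "\n"


def switch_settings_key(text, new_alias, dbowner_plain, db_plain):
    """Edits for a secondary MIA/Registration/Enrolment or ACS instance after the settings
    encryption key was replaced: plain DB passwords, new HSM alias, empty PLAIN_TEXT."""
    for key, value in (("DBOWNERPASSWORD", dbowner_plain), ("DBPASSWORD", db_plain),
                       ("HSMENCALIAS", new_alias), ("PLAIN_TEXT", "")):
        text = set_property(text, key, value)
    return text


def add_regen_issuer(text, issuer_id, sep=","):
    """Add an Issuer ID to NOTIFICATION_REPORT_REGEN_ISSUERIDS: create the property if it is
    absent, append to the existing value otherwise, never add a duplicate. Separator assumed."""
    current = get_property(text, "NOTIFICATION_REPORT_REGEN_ISSUERIDS") or ""
    ids = [x.strip() for x in current.split(sep) if x.strip()]
    if str(issuer_id) not in ids:
        ids.append(str(issuer_id))
    return set_property(text, "NOTIFICATION_REPORT_REGEN_ISSUERIDS", sep.join(ids))


# Constructed fragment of a regconfig.properties file; values are invented, not real ones.
SAMPLE = (
    "DBOWNERPASSWORD=enc:QWxhZGRpbg==\n"
    "DBPASSWORD=enc:c2VzYW1l\n"
    "HSMENCALIAS=MIA_DB_DESEDE\n"
)
```

Run `switch_settings_key(text, "MIA_DB_DESEDE_NEW", owner_pw, app_pw)` on a MIA, Registration or Enrolment node and `add_regen_issuer(text, 1234567890)` on a Registration node, write the result back to the same file, then restart the instance as the page instructs.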

Encryption Key - Archive

Following the successful finalization of the encryption key retiring process, if archiving is configured on the system, the encryption key of the archive database must also be retired and replaced using the Re-encrypt Archive option.