Post-Upgrade Scripts
This section contains scripts that are required to include new functionality in upgraded CORE server software.
Example. Let's assume that:
- Bootstrapping the latest CORE server software introduces a new capability.
- Bootstrapping is the only possible method to enable it.
- The CORE upgrade procedure does not enable it.
To introduce this feature in an upgraded system, we need to use external tools, such as scripts. The following table summarizes the post-upgrade scripts.
Feature | System bootstrapped before Release | System upgraded to Release | Script |
---|---|---|---|
Keystore password encryption. Refer to Post-upgrade to 2.0.1808 | 2.0.1808 | 2.0.1808 (or later) | ekm_encrypt_pfx_password, ekm_encrypt_truststore_password |
Check-Integrity Setting | 2.0.1905 | 2.0.1905 (or later) | ekm_gen_integrity_key |
Authentication | 2.0.2112 | 2.0.2112 (or later) | ekm_create_two_factor_master_key |
Warning
Do not run the 2.0.1808 scripts unless you have confirmed that all CORE Service connector ports in the Server.xml File have the following settings:
- The keystore and truststore passwords are set to "NotThePassword".
- The protocol is com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol.
Refer to Post-upgrade to 2.0.1808 - Keystore Password Encryption.
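One way to automate the check in the warning above before running the 2.0.1808 scripts (an added example, not a CORE tool or part of the original documentation). It assumes Tomcat-style `Connector` attributes `keystorePass`, `truststorePass` and `protocol`, and that the CORE Service connectors are those with `SSLEnabled="true"`; the function name and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Values taken from the Warning above.
EXPECTED_PASSWORD = "NotThePassword"
EXPECTED_PROTOCOL = "com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol"
# Assumption: Tomcat-style Connector attribute names; adjust to your Server.xml.
PASSWORD_ATTRS = ("keystorePass", "truststorePass")


def check_connectors(xml_text):
    """Return a list of problems; an empty list means the precondition holds."""
    problems = []
    root = ET.fromstring(xml_text)
    # Assumption: the CORE Service connectors are the ones with SSLEnabled="true".
    connectors = [c for c in root.iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"]
    if not connectors:
        problems.append("no SSL-enabled <Connector> found; nothing was verified")
    for conn in connectors:
        port = conn.get("port", "?")
        for attr in PASSWORD_ATTRS:
            value = conn.get(attr)
            if value is None:
                problems.append(f"port {port}: {attr} is missing")
            elif value != EXPECTED_PASSWORD:
                # Never echo the value: it may be a real keystore password.
                problems.append(f"port {port}: {attr} is not the expected placeholder")
        if conn.get("protocol") != EXPECTED_PROTOCOL:
            problems.append(f"port {port}: protocol is {conn.get('protocol')!r}")
    return problems


# Constructed sample, not a real CORE Server.xml: port 8443 is compliant,
# port 443 still uses a cleartext password and a stock Tomcat protocol.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" keystorePass="NotThePassword"
             truststorePass="NotThePassword"
             protocol="com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol"/>
  <Connector port="443" SSLEnabled="true" keystorePass="s3cret-constructed"
             truststorePass="NotThePassword"
             protocol="org.apache.coyote.http11.Http11NioProtocol"/>
</Service></Server>"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = check_connectors(text)
    print("\n".join(found) or "OK: all connectors match the required settings")
    sys.exit(1 if found else 0)
```

Pass the path of your Server.xml as the first argument; a non-zero exit status means at least one connector does not meet the precondition.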
ekm_encrypt_pfx_password
This tool encrypts the password used by the CORE Server's SSL (Secure Sockets Layer) handler to open the server's keystore, key.pfx, located in the Certificates Folder.
Syntax:
sudo /opt/ekm/bin/ekm_encrypt_pfx_password.sh
ekm_encrypt_truststore_password
This tool encrypts the password used by the CORE Server's SSL (Secure Sockets Layer) handler to open the server's truststore, root_ca.ks, located in the Certificates Folder.
Syntax:
sudo /opt/ekm/bin/ekm_encrypt_truststore_password.sh
ekm_gen_integrity_key
This script is relevant when upgrading 2.0.1905 and earlier releases.
CORE Software release 2.0.1905 introduced the Check-Integrity Setting feature, which uses the CORE system key named integrity-key. This key is created during the bootstrap of release 2.0.1905 or later and is stored in the Root partition with the rest of the system keys and certificates. For example,
To enable this functionality on servers that were upgraded from releases bootstrapped before 2.0.1905, run this script.
Note
The script rejects an attempt to overwrite the existing integrity-key.
Important
In the CORE cluster upgrade from releases earlier than 1905, the following sequence is mandatory:
1. Upgrade all servers in the cluster.
2. Select an EP and run the script on it. The CORE DB mirroring automatically distributes the new key-shares to all servers.
Do not run this script separately on two disconnected EPs. Such a scenario might cause various issues when the pairs are recombined into one cluster.
As long as the script is not executed and a client's integrity_check setting remains at its default value, all ucl show <key UID> commands from this client shall return a false integrity error.
If you cannot ignore this false alarm, set integrity_check to -1 on all relevant clients. Refer to Check-Integrity Setting.
Syntax:
ekm_gen_integrity_key
[-s,--self <arg>] // EP Certified-IP
[-o <arg>] // EP Bootstrap-Port
Example:
sudo /opt/ekm/bin/ekm_gen_integrity_key.sh
ekm_create_two_factor_master_key
Use this tool to create the CORE OTP (One-Time Password) master key. It is used to derive user-specific OTP secret keys in partitions that enabled the TOTP (Time-based One-Time Password) based 2FA (two-factor authentication) feature.
Syntax:
ekm_create_two_factor_master_key
[-s,--self <arg>] // EP Certified-IP
[-o <arg>] // EP Bootstrap-Port
Example:
sudo /opt/ekm/bin/ekm_create_two_factor_master_key.sh