Post-Upgrade Scripts

This section contains scripts that are required to include new functionality in upgraded CORE server software.

Example. Let's assume that:

  • Bootstrapping the latest CORE server software introduces a new capability.
  • Bootstrapping is the only possible method to enable it.
  • The CORE upgrade procedure does not enable it.

To introduce this feature in an upgraded system, we need to use external tools, such as scripts. The following table summarizes the post-upgrade scripts.

Feature                              | System bootstrapped before release | System upgraded to release | Script
-------------------------------------|------------------------------------|----------------------------|--------------------------------
Keystore password encryption         | 2.0.1808                           | 2.0.1808 (or later)        | ekm_encrypt_pfx_password
(refer to Post-upgrade to 2.0.1808)  |                                    |                            | ekm_encrypt_truststore_password
Check-Integrity Setting              | 2.0.1905                           | 2.0.1905 (or later)        | ekm_gen_integrity_key
Authentication with Credentials      | 2.0.2112                           | 2.0.2112 (or later)        | ekm_create_two_factor_master_key
and OTP Code                         |                                    |                            |

Warning
Do not run the 2.0.1808 scripts unless you have confirmed that all CORE Service connector ports in the Server.xml file have the following settings:
- the keystore and truststore passwords are set to "NotThePassword";
- the protocol is com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol.
Refer to Post-upgrade to 2.0.1808 - Keystore Password Encryption.
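The warning above is a precondition an operator has to verify by hand across every connector. The following pre-check is an added example, not a CORE tool: it parses a Tomcat-style Server.xml and lists every TLS connector whose keystore or truststore password is not "NotThePassword" or whose protocol is not com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol. It assumes the Tomcat attribute names keystorePass and truststorePass (the CORE file may name them differently; adjust PASSWORD_ATTRS if so), and the embedded Server.xml is a constructed sample, not a file from the product.

```python
"""Pre-check for the 2.0.1808 post-upgrade scripts (added example).

Reports every Connector in a Tomcat-style Server.xml that does not yet match
the precondition: keystore and truststore passwords both "NotThePassword" and
protocol set to the ObfuscatorProtocol handler. Assumption: the password
attributes are the Tomcat ones, keystorePass and truststorePass.
"""
import sys
import xml.etree.ElementTree as ET

EXPECTED_PASSWORD = "NotThePassword"
EXPECTED_PROTOCOL = "com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol"
PASSWORD_ATTRS = ("keystorePass", "truststorePass")  # assumed attribute names

# Constructed sample: one compliant connector (8443) and one (9443) that still
# carries a real keystore password and the default Tomcat protocol handler.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               protocol="com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol"
               keystoreFile="/opt/ekm/certs/key.pfx"
               keystorePass="NotThePassword"
               truststoreFile="/opt/ekm/certs/root_ca.ks"
               truststorePass="NotThePassword" />
    <Connector port="9443" scheme="https" secure="true" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="/opt/ekm/certs/key.pfx"
               keystorePass="sample-cleartext-password"
               truststoreFile="/opt/ekm/certs/root_ca.ks"
               truststorePass="NotThePassword" />
  </Service>
</Server>
"""


def check_connectors(xml_text):
    """Return a list of (port, [problems]) for every non-compliant connector.

    Only connectors carrying at least one password attribute are examined;
    plain HTTP connectors have no keystore to protect. The offending value
    is deliberately not echoed, since it may be a live password.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if not any(attr in conn.attrib for attr in PASSWORD_ATTRS):
            continue
        problems = []
        for attr in PASSWORD_ATTRS:
            if conn.get(attr) != EXPECTED_PASSWORD:
                problems.append(f"{attr} missing or not {EXPECTED_PASSWORD!r}")
        if conn.get("protocol") != EXPECTED_PROTOCOL:
            problems.append("protocol is not " + EXPECTED_PROTOCOL)
        if problems:
            findings.append((conn.get("port"), problems))
    return findings


def ready_for_1808_scripts(xml_text):
    """True only when every TLS connector already matches the precondition."""
    return not check_connectors(xml_text)


if __name__ == "__main__":
    # Usage: python check_server_xml.py /path/to/Server.xml
    # Without an argument the constructed sample is checked instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SERVER_XML
    for port, problems in check_connectors(text):
        print(f"Connector port={port}: " + "; ".join(problems))
    sys.exit(0 if ready_for_1808_scripts(text) else 1)
```

A non-zero exit status means at least one connector still needs its Server.xml entry changed before either 2.0.1808 script is run; run it on each server in the cluster, since the file is per host.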

ekm_encrypt_pfx_password

This tool encrypts the password used by the CORE server's SSL handler to open the server's keystore, key.pfx, located in the Certificates Folder.

Syntax:

sudo /opt/ekm/bin/ekm_encrypt_pfx_password.sh

ekm_encrypt_truststore_password

This tool encrypts the password used by the CORE server's SSL handler to open the server's truststore, root_ca.ks, located in the Certificates Folder.

Syntax:

sudo /opt/ekm/bin/ekm_encrypt_truststore_password.sh

ekm_gen_integrity_key

This script is relevant when upgrading 2.0.1905 and earlier releases.

CORE Software release 2.0.1905 introduced the Check-Integrity Setting feature, which uses the CORE system key named integrity-key. This key is created during the bootstrap of release 2.0.1905 or later and is stored in the Root partition with the rest of the system keys and certificates. For example:

ucl list -p root --password *******
Partition 0 root: 7 objects found
Private ECC key : UID=d43f5355be424a7e Name="integrity-key"
Private ECC key : UID=f14904221ecd29ca Name="root-ca-key"
Certificate : UID=ff10813684a0bfc1 Name="saml-certificate"
Private ECC key : UID=00ef7ec97b5f403e Name="saml-key"
Certificate : UID=0eb6fbdde132d635 Name="root-ca-certificate"
Private ECC key : UID=33dfae48f0315a38 Name="secret-data-key"
Password key : UID=62a7ff1213cc5f50 Name="pwd-key"

To enable this functionality on servers that were upgraded from releases bootstrapped before 2.0.1905, run this script.

Note
The script rejects an attempt to overwrite the existing integrity-key.
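Because the script refuses to overwrite an existing integrity-key, the useful check before running it is whether the Root partition already holds one. The parser below is an added example, not part of CORE or of ucl: it reads the text that ucl list -p root prints, in the line shape shown in the listing above, and reports whether integrity-key is present. The embedded listing is a constructed sample that reproduces that shape without the integrity-key line, i.e. what a server bootstrapped before 2.0.1905 would show; the UIDs are the ones from the listing above.

```python
"""Parse `ucl list -p root` output and report the integrity-key status.

Added example, not a CORE tool. Feed it the ucl output on stdin, or run it
without input to see the result for the constructed sample listing.
"""
import re
import sys

# One object per line: "<Type> : UID=<hex> Name=\"<name>\"".
OBJECT_RE = re.compile(
    r'^(?P<type>.+?)\s*:\s*UID=(?P<uid>[0-9a-fA-F]+)\s+Name="(?P<name>[^"]*)"\s*$'
)

# Constructed sample: the page's Root partition listing minus integrity-key,
# which is what a pre-1905 bootstrap looks like after an upgrade.
SAMPLE_LISTING_WITHOUT_KEY = """Partition 0 root: 6 objects found
Private ECC key : UID=f14904221ecd29ca Name="root-ca-key"
Certificate : UID=ff10813684a0bfc1 Name="saml-certificate"
Private ECC key : UID=00ef7ec97b5f403e Name="saml-key"
Certificate : UID=0eb6fbdde132d635 Name="root-ca-certificate"
Private ECC key : UID=33dfae48f0315a38 Name="secret-data-key"
Password key : UID=62a7ff1213cc5f50 Name="pwd-key"
"""


def parse_ucl_list(text):
    """Return one {'type', 'uid', 'name'} dict per object line.

    Header lines ("Partition 0 root: ...") and blank lines do not match the
    object pattern and are skipped.
    """
    objects = []
    for line in text.splitlines():
        match = OBJECT_RE.match(line.strip())
        if match:
            objects.append(match.groupdict())
    return objects


def find_object(text, name):
    """Return the object named `name`, or None when it is absent."""
    for obj in parse_ucl_list(text):
        if obj["name"] == name:
            return obj
    return None


def integrity_key_status(text):
    """'present'  - key exists, ekm_gen_integrity_key would refuse to overwrite it
       'missing'  - the post-upgrade script still has to be run
       'unexpected-type' - an object of that name exists but is not a private
                           ECC key, which deserves a look before proceeding"""
    obj = find_object(text, "integrity-key")
    if obj is None:
        return "missing"
    return "present" if obj["type"] == "Private ECC key" else "unexpected-type"


if __name__ == "__main__":
    # Usage: ucl list -p root --password '...' | python integrity_key_status.py
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING_WITHOUT_KEY
    print(integrity_key_status(listing))
```

Run the check on the EP you intend to use for the script; once DB mirroring has distributed the new key-shares, the same check on any other server in the cluster should report present.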

Important
When upgrading a CORE cluster from a release earlier than 1905, the following sequence is mandatory:
1. Upgrade all servers in the cluster.
2. Select an EP and run the script on it. The CORE DB mirroring automatically distributes the new key-shares to all servers.

Do not run this script separately on two disconnected EPs; doing so might cause various issues when the pairs are recombined into one cluster.

As long as the script has not been executed and a client's integrity_check setting remains at its default value, every ucl show <key UID> command from that client reports a false integrity error.

If you cannot ignore this false alarm, set integrity_check to -1 on all relevant clients. Refer to Check-Integrity Setting.

Syntax:

ekm_gen_integrity_key
[-s,--self <arg>] // EP Certified-IP
[-o <arg>] // EP Bootstrap-Port

Example:

sudo /opt/ekm/bin/ekm_gen_integrity_key.sh

ekm_create_two_factor_master_key

Use this tool to create the CORE OTP master key. It is used to derive the user-specific OTP secret keys in partitions that have enabled the TOTP-based 2FA feature.

Syntax:

ekm_create_two_factor_master_key
[-s,--self <arg>] // EP Certified-IP
[-o <arg>] // EP Bootstrap-Port

Example:

sudo /opt/ekm/bin/ekm_create_two_factor_master_key.sh