Chapter 1: About This Manual

AKM VM Migration Upgrade to v4.6

This guide provides the steps and prerequisite tasks needed to upgrade to the new 4.6 version of AKM for VMware. AKM 4.6 uses the Ubuntu OS (previously SUSE Linux), so upgrades to this version require a migration of your AKM DB. It is advised that this process be overseen by a Townsend support technician via web call.

Change Log

The following table provides information on the changes to this documentation:

Version   Date        Description
1.0.0     5/7/2011    Initial release.
1.1.0     9/3/2018    Updates for version 4.6 of Alliance Key Manager.
1.2.0     12/6/2018   Chapter 7 added to cover software updates once the user is at or above v4.6.

Chapter 2: Pre-requisites for Current AKMs

  • Submit an AKM Upgrade Ticket with Support
  • Update backup and restore module
  • Generate backups of each AKM
  • Build the replacement 4.6 VMs

Submit an AKM Upgrade Ticket with Support

You will first need to submit a support ticket via the Townsend Security Support portal located at the following address. If you require credentials to access the site, please request them at the link or email support@townsendsecurity to request support credentials.

Backup and Restore Module

Once you have submitted your ticket to Townsend Security Support, you will need to check the backup and restore module version on your current production AKMs. You can access this by using the Webmin user interface ( https://(your.akm.ip):3886 ). Once you have authenticated to the web interface, navigate to “Webmin Configuration”.

You will then select “Webmin Modules” from the icons shown. Check your current backup and restore module version by clicking the delete tab. The current version should be displayed in the list of installed modules.

NOTE: If the version shown is any lower than 1.15 you will need to install an updated backup and restore module.

Updating the Backup and Restore Module

NOTE: The new module will be attached to your support ticket for download. This file will be called “akmbr.wbm.gz”. This step must be performed on each AKM that will be migrated.

Click on the “Install” tab and select “From upload file”. Find “akmbr.wbm.gz” on your local system and then click the button to “Install Module”. To be certain the module was installed correctly, you can click on the delete tab again to confirm the version number has changed.

Generate Backup Files

A secret key backup and an application backup must be taken of each AKM in your production environment. Backups are taken from the Webmin user interface under “AKM Backup and Restore”. If you do not already have backup locations configured, more information on AKM backup procedures can be found at:

Chapter 3: Prepare Target AKMs for Migration

NOTE: If you are using AKM HSMs, your upgrade path will require a re-image of your AKM hardware. This process is slightly different from the standard migration process. At this point you should consult with the support technician via the upgrade ticket to confirm the order in which to re-image the AKMs. This will mitigate any downtime in your production environment.

Build New VMs from AKM 4.6 Image

AKM for VMware

AKM for Microsoft Azure

AKM for Amazon Web Services

Upload Backup and License Files to Target AKMs

You will need to upload 3 files to your replacement AKM’s file system under /home/admin/uploads. This can be done using Webmin, by selecting “File Manager”, or you can use FileZilla or SCP.

The three files that are needed will be:

  • License.txt
  • akm_secret_backup_*
  • akm_application_backup_*

With those three files present under /home/admin/uploads you can return to the AKM shell’s “akm-menu” in VMware or via an SSH connection.
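
A preflight check for the upload step above, as an added example that is not part of the original guide or Townsend's tooling: it confirms that exactly one of each required file is present and non-empty, and prints SHA-256 hashes to compare against hashes taken on the source system before transfer. The function name check_akm_uploads and the rule that more than one matching backup counts as an error are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): verify the AKM upload directory before
# running "Initialize AKM" from backups.
# Usage: check_akm_uploads /home/admin/uploads
# Prints one sha256sum line per required file on stdout, problems on stderr.
# Returns 0 only when all three files are present, unique and non-empty.

check_akm_uploads() {
    dir=${1:-/home/admin/uploads}
    rc=0
    # The three file names/patterns come from the guide's upload list.
    for pattern in 'License.txt' 'akm_secret_backup_*' 'akm_application_backup_*'; do
        count=0
        match=
        # $pattern is left unquoted on purpose so the shell expands the glob.
        for f in "$dir"/$pattern; do
            [ -f "$f" ] || continue
            count=$((count + 1))
            match=$f
        done
        if [ "$count" -eq 0 ]; then
            echo "MISSING: no file matches $pattern in $dir" >&2
            rc=1
        elif [ "$count" -gt 1 ]; then
            # Assumption of this example: several backups of one type in the
            # directory is treated as an error, so a backup taken from a
            # different AKM role is not restored by mistake.
            echo "AMBIGUOUS: $count files match $pattern in $dir" >&2
            rc=1
        elif [ ! -s "$match" ]; then
            echo "EMPTY: $match has zero length (incomplete transfer?)" >&2
            rc=1
        else
            # Hash to compare with the value recorded on the source system.
            sha256sum "$match"
        fi
    done
    return "$rc"
}
```

Running sha256sum on the backup files where they were generated and comparing the output with this manifest confirms the files were not truncated or altered in transit.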

Chapter 4: Initialize New AKMs

From the “akm-menu” you will take option 1 to “Initialize AKM”. There are 3 options to initialize here; you will select option 3 to initialize from backups. Once the option is selected you will be asked if you would like to preserve your certificate structure from the previous AKMs. Selecting “No” will generate an entirely new PKI, and new client certificates will need to be distributed to the client side.

NOTE: If you would like your certificate structure preserved you will need to take individual backups of each of your old AKMs. You will then initialize each replacement AKM with the backup files respective to its role.

Once you hit Enter, the upgrade/migration process will start. You will be prompted once the migration is complete.

Chapter 5: Confirm Key Migration via AKM Administrative Console

NOTE: At this point you may experience issues authenticating your secondary or mirror AKMs to the AKM Administrative Console or the Client. If so, you will need to alter the /etc/akm/akm.conf file on the AKM to correct the issue. There should be two of these files present under /etc/akm following the initialization; one of them will be “akm.conf.old”. Confirm that this is present. The support technician assisting you will provide instructions to correct the issue.

AKM Administrative Console

Once your AKM(s) are initialized from the backups you will want to confirm that all of the expected production keys exist on the AKM database. To do this you may need to re-issue the admin authentication certificates to the AKM Administrative Console. Those will be available for download from the AKM filesystem at /home/admin/downloads. For more information on configuring AKM Administrative Console see:

AKM Administrative Console Guide

NOTE: If you selected “y” for Yes to preserve your previous AKM’s CA and certificate structure, you should not need to re-apply certificates to your AKM Administrative Console connection. You can simply use “File” > “Edit Key Server” to alter the originally configured connection and replace the old AKM IP with your new IP.

Once you have established a connection in AKM Administrative Console you will want to display the key name list, under “Manage Keys” to confirm that all the expected keys are present.

NOTE: If you use SQL Server TDE, your key list can be found under the “Key connection for SQL server” drop-down. The option will be “Display EKM Key List”.

Re-establish Mirroring

It may be necessary to re-configure mirroring between your new AKMs. This will be done in the AKM Administrative Console using the “Set Mirror Address” option under “Mirroring”. More information on the configuration of mirroring in Admin Console can be found in the document below:

Chapter 6: Re-establish, or Confirm the Client Connection

Re-Configure the Client Connection to AKM

If you chose not to preserve your previous AKM certificate structure, you will need to re-distribute the client authentication certificates to any client that requests keys from AKM. You will need to download the AKM client authentication material from the AKM filesystem at /home/admin/downloads/*. Information specific to each client-side connection type can be found at the links below.

Linux C
IBMi Zos
TDE & SQL Server EKM
SQL Server UDF

Confirm the Client Connection

If you chose to preserve your old AKM certificates during the migration from the backup files, you should be able to simply update the IP in your client-side configuration and test key retrieval. If there are any errors at this point you will need to update your AKM Upgrade support ticket and include any client-side error messages you see as well as the AKM error log. The AKM error log is located at /var/log/townsend/akm.

Final Steps

1.) Confirm that the client side connection is active with your support technician. This can be done on the upgrade call, or via the support ticket.
2.) Request and apply the replacement permanent licenses for the new AKMs.
3.) Migrate all production client connections to the new AKMs.

Chapter 7: Future Software Updates

Each time you log into the Webmin UI, you will see new package updates available on the dashboard.

When you click on the package updates section you will be taken to a list of the available updates. You should see something similar to the image below.

You can apply all available updates by selecting the select all option. Once you have made your selection you can click the button to Update Selected Packages. You can specify to be alerted of new updates via email if you need. This feature can be found by scrolling to the bottom of the list. You will be able to set an interval to check for updates, as well as provide an email and specify any action to be taken.

After clicking Update Selected Packages you will be taken to the screen below to confirm and install the updates. Click on Install Now when you are ready to begin the update.

You will see output similar to what is shown below. The update process is done when you see “install complete” at the bottom of the output window.

Your updates will be complete at this point and any future updates can be applied in this manner as well.

NOTE: An alternative method to update your AKM can be completed via the AKM shell, but it is important that you initialize your AKM prior to attempting an update. This method requires access to the AKM shell using SSH, PuTTY, your VM console, or a dummy console. Once connected, you can issue the command “sudo apt-get update” to retrieve the list of packages available for update. When you are ready to apply the update, you will issue the command “sudo apt-get upgrade”. The process may take several minutes to finish.