To use the rocs command-line utility interactively, run it without any parameters:
rocs
Replacing Operator Card Sets
rocs displays the following prompt:
'rocs' key recovery tool
Useful commands: 'help', 'help intro', 'quit'.
rocs >
In order to use rocs to replace an OCS or recover keys to a softcard, take the following steps:
1 You must select a hardware security device to use by using the module command, which is described in the section module number on page 170.
2 List the OCSs and softcards in the current Security World by using the list cardsets command, which is described in the section list cardsets on page 168.
3 Select the OCS or softcard to which you want to transfer the keys by using the target command, which is described in the section target cardset-spec on page 171.
Note Keys protected by an OCS can only be recovered to another OCS, and not to a softcard. Likewise, softcard-protected keys can only be recovered to another softcard, and not to an OCS.
4 List the keys in the current Security World using the list keys command, which is described in the section list keys on page 169.
5 Select the keys that are to be recovered (from a different OCS or softcard than the one you selected for key transfer) by using the mark command, which is described in the section mark key-spec on page 169.
6 If you have selected any keys by mistake, deselect them by using the unmark command, which is described in the section unmark key-spec on page 171.
7 After you have selected the keys that are to be recovered, transfer these keys by using the recover command, which is described in the section recover on page 170.
rocs prompts you to insert a card from the ACS.
8 Insert a card from the ACS.
rocs prompts you for the pass phrase for this card. This action is repeated until you have loaded the required number of cards from the ACS.
If you do not have the required number of cards from the ACS, press and then . The rocs utility returns you to the rocs > prompt without processing any keys.
Only insert Administrator Cards into a hardware security device that is connected to a trusted server.
Q Enter
Replacing Operator Card Sets
9 If you are recovering keys to an OCS:
a rocs prompts you to insert a card from the first OCS that you have selected as the target.
OCSs are processed in ascending numerical order as listed by the list cardsets command.
b Insert a card from this OCS.
c rocs prompts you for the pass phrase for this card. This action is repeated until you have loaded the required number of cards from the OCS.
If you are recovering keys to a softcard, rocs prompts you for the pass phrase for the softcard that you have selected as the target.
If you decide that you do not want to transfer the keys to the selected card set or softcard, press and then (to quit.rocs returns you to the rocs > prompt and does not process any further OCSs or softcards.
When you have loaded the target softcard or the required number of cards from the target OCS, rocs transfers the selected keys to the target OCS or softcard.
If you have selected other target OCSs or softcards, rocs prompts for a card from the next OCS.
10 Repeat step 9 for each selected target.
11 If you have transferred the correct keys, write the key blobs to disk by using the save function (described in the section save key-spec on page 170). If you have transferred a key by mistake, you can restore it to its original protection by using the revert command (described in the section revert key-spec on page 170).
At the rocs prompt, you can use the following commands:
• help topic
• help intro
• list cardsets
• list keys
• markkey-spec
• modulenumber
• quit
• recover
• rescan
Q Enter
Replacing Operator Card Sets
• revertkey-spec
• savekey-spec
• status
• targetcardset-spec
• unmarkkey-spec
Note You can specify a command by typing enough characters to identify the command uniquely. For example, for the status command, you can type st and then press
.
help
With no arguments specified, help shows a list of available commands with brief usage messages and a list of other help topics. With an argument, help shows detailed help information about a given topic.
help intro displays a brief step-by-step guide to using rocs.
list cardsets
This command lists the OCSs and softcards in the current Security World. For example:
No. Name Keys (recov) Sharing
1 test 6 (6) 3 of 5; 20 minute timeout 2 test2 3 (2) 2 of 3
3 test3 1 (1) 1 of 1; persistent
In this output:
Output Description
No. The card set or softcard number, which you can use to identify this card set in rocs commands.
Name The OCS or softcard name.
Keys The number of keys protected by this OCS or softcard.
(recov) The number of keys protected by this OCS or softcard.
Sharing The K of N parameters for this OCS.
persistent The OCS is persistent and does not have a time-out set.
### minute timeout The OCS is persistent and has a time-out set.
Enter
Replacing Operator Card Sets
list keys
This command lists the keys in the current Security World, as in the following example:
No. Name App Protected by
In this output, the protection methods include:
mark key-spec
This command marks the listed keys that are to be recovered to the target OCS or softcard. You can mark one or more keys by number, ident, OCS or softcard, or hash. For more information, see Specifying keys on page 173.
To mark more than one key at a time, ensure that each key-spec is separated from the other by spaces, as in the following example:
mark key-spec1 key-spec2 key-spec3
If you have not selected a target OCS or softcard, or if rocs cannot parse the key-spec, then rocs displays an error message.
Output Description
No. The key number, which you can use in mark and unmark commands.
Name The key name.
App The application with which the key is associated.
Protected by This indicates the protection method (see table below).
Method Description
module Key protected by the Security World.
name Key protected by the named OCS or softcard.
name-->name2 Key protected by the OCS or softcard name1 marked for recovery to OCS or softcard name2.
module (name) PKCS #11 public object. These are protected by the Security World but associated with a specific OCS or softcard.
module (name
-->name2)
PKCS #11 public object marked for recovery.
Replacing Operator Card Sets
You can mark and remark the keys to be recovered to various target OCSs or softcards.
Remarking a key displaces the first target in favor of the second target.
Note Keys protected by an OCS can only be recovered to another OCS, and not to a softcard. Likewise, softcard-protected keys can only be recovered to another softcard, and not to an OCS.
module number
This command selects the hardware security device to be used. The module number must correspond to a hardware security device in the current Security World. If the hardware security device does not exist, is not in the Security World, or is otherwise unusable, then rocs displays an error message and does not change to the selected module.
quit
This command allows you to leave rocs. If you attempt to quit when you have recovered keys but have not saved them, rocs displays a warning.
recover
This command transfers the marked keys to their target OCSs or softcards. This operation is not permanent until you save these keys by using the save command.
rescan
This command updates the card set and key information.
revert key-spec
This command returns keys that have been recovered, but not saved, to being protected by the original protection method. If the selected keys have not been recovered, rocs displays an error message.
save key-spec
This command writes the new key blobs to disk. If you specify a key-spec, only those keys are saved. Otherwise, all recovered keys are saved.
status
Replacing Operator Card Sets
target cardset-spec
This command selects a given OCS or softcard as the target. You can specify the card set or softcard name, the number returned by list cardsets, or the hash.
unmark key-spec
This command unmarks the listed keys. Unmarked keys are not recovered.