Window actions

Function menu

This menu includes options to exit the Configuration Migration Tasks application, and to predefine smart card readers as the source of signatures for commands to EP11 crypto modules.

MCA Smart Card menu

This menu includes options to display the contents of an MCA smart card, initialize and personalize an MCA smart card, back up an MCA smart card, or change the PIN on an MCA smart card.

IA Smart Card menu

This menu includes options to display the contents of an IA smart card, initialize and enroll an IA smart card in a migration zone, personalize an IA smart card (set the PIN and description), unblock an IA smart card, or change the PIN on an IA smart card.

KPH Smart Card menu

This menu includes options to display the contents of a KPH smart card, initialize and enroll a KPH smart card in a migration zone, personalize a KPH smart card (set the PIN and description), unblock a KPH smart card, or change the PIN on a KPH smart card.

Migration Zones menu

Use the Work with migration zones function on this menu to display the list of migration zones that are known to the TKE workstation, and add or delete entries.

To minimize the number of times an MCA smart card must be inserted in a card reader during migration tasks, the TKE workstation maintains a list of known migration zones. The list is updated automatically when a new MCA smart card is created. If you must add or remove migration zones from this list, you can use this function. To add a migration zone to the list, you must insert the MCA smart card for the zone in the smart card reader and enter the PINs.

KPH Certificates menu

Use the Work with KPH certificates function on this menu to display the list of KPH smart cards that are known to the TKE workstation, and add or delete entries.

To minimize the number of times KPH smart cards must be inserted in a card reader during migration tasks, the TKE workstation maintains a list of known KPH certificates. The list is updated automatically when a new KPH smart card is created. If you must add or remove a KPH certificate from this list, you can use this function. To add a KPH certificate to the list, you must insert the KPH smart card in the smart card reader.

Enroll source module in migration zone

This option starts a wizard that takes you through the steps to enroll a source host crypto module in a migration zone. The source crypto module must be enrolled in a migration zone before configuration data can be collected from it. This action is needed only for CCA crypto modules.

You need to know what migration zone you will use before you run this wizard. If you must define a new migration zone, you can use the MCA Smart Card menu to create a new MCA smart card. If you define a new migration zone, you also must create IA and KPH smart cards to use in the zone.

To run this wizard, you must load a signature key that permits the Certificate Insert operation on the source crypto module. If the signature key has insufficient authority, you can load a different signature key.

Collect configuration data

This option starts a wizard that takes you through the steps to collect configuration data from a source host crypto module and save it in a file. Before you run this wizard on a CCA host crypto module, you must enroll the host crypto module in the migration zone.

You must know what migration zone and what KPH smart cards you will use before you run this wizard. Only KPH smart cards for the selected migration zone can be used.

In this wizard, you indicate the set of domains that you want to collect configuration data from. Configuration data for only those domains is saved in the configuration data file. During the apply task, configuration data for domains that are not saved in the configuration data file is set to the default value.

To run this wizard on a CCA crypto module, you must load a signature key that permits the Crypto Data Extract operation on the source host crypto module. If the signature key has insufficient authority, you can load a different signature key.

Apply configuration data

This option starts a wizard that takes you through the steps to apply configuration data to a target host crypto module or target domain group.

The wizard prompts you to insert IA smart cards in the smart card reader and enter the PIN. The "K" policy for the migration zone specifies the required number of IA smart cards.

The wizard prompts you to insert KPH smart cards in the smart card reader and enter the PIN. "M" of the "M-of-N" policy for the migration zone is the required number of KPH smart cards.

To run this wizard on a CCA crypto module, you must load a signature key that permits the Target Prepare and Crypto Target Inject operations on the target host crypto module or target group. If the signature key has insufficient authority, you can load a different signature key. The default role and authority that is created when a host crypto module is initialized allow you to run these operations.

Review Configuration Data

This option starts a wizard that displays the non-secret contents of a configuration data file that you select.

Different data is saved in the configuration data file for CCA and EP11 host crypto modules. For both crypto module types, the saved data includes the serial number and code level of the source crypto module, the date and time that the configuration data was collected, the migration zone and KPH certificates used, and what domains were collected. For CCA it includes a list of the roles and authorities collected, the domain controls for collected domains, and key register status and key hashes for collected domains. For EP11 it includes the crypto module administrators and attributes, and the domain administrators, attributes, control points, and key status and hash values for collected domains.