System information

In the old scheme, the password for the storage token was split and protected by individual
recovery agent passwords. This made it hard to access the storage private key, but it did not
allow CS to fully leverage the key protection facility provided by the underlying hardware token.
In the new scheme, CS uses its existing access control scheme to ensure that recovery agents are
appropriately authenticated over SSL and that each agent belongs to the specific recovery
agent group. The recovery request is executed only when m of the n recovery agents have granted
authorization to the request.
By default, the DRM sets up a 1-of-1 ACL-based recovery scheme, and the agent must belong
to the group "Data Recovery Manager Agents". You can change the scheme by modifying the
appropriate parameters in the CS.cfg file. Refer to Section 2.2, “Recovering Keys” for more
information on this topic.
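The following is an added illustration of the ACL-based m-of-n authorization described above; it is not Certificate System code. The class and method names are made up, SSL client authentication is reduced to a flag on the agent record, and the sample agents are constructed for the example. The group name is the default stated in the text; the threshold plays the role of the m that CS.cfg configures (1-of-1 by default). The model enforces the three checks the text names: the agent is authenticated, the agent is a member of the recovery agent group, and m distinct agents have approved before the request executes.

```python
from dataclasses import dataclass, field

# Default group name stated in the text; the threshold below is the "m" that
# CS.cfg would set (1-of-1 by default).
RECOVERY_AGENT_GROUP = "Data Recovery Manager Agents"


@dataclass(frozen=True)
class Agent:
    """A recovery agent as seen by the access-control check.

    ssl_authenticated stands in for a successful client-certificate
    authentication over SSL (simplified here; an assumption of this example).
    """
    uid: str
    groups: frozenset
    ssl_authenticated: bool


@dataclass
class RecoveryRequest:
    """A key recovery request that executes only after m distinct agents approve."""
    request_id: str
    required_approvals: int = 1          # m in m-of-n; 1-of-1 mirrors the default
    agent_group: str = RECOVERY_AGENT_GROUP
    approvals: set = field(default_factory=set)
    executed: bool = False

    def __post_init__(self):
        if self.required_approvals < 1:
            raise ValueError("at least one approval must be required")

    def grant(self, agent: Agent) -> bool:
        """Record an approval from an agent. Returns True once the threshold is met.

        Rejects agents that are not authenticated or not in the recovery
        agent group, and counts repeat approvals by the same agent only once.
        """
        if self.executed:
            raise RuntimeError(f"{self.request_id}: already executed")
        if not agent.ssl_authenticated:
            raise PermissionError(f"{agent.uid}: not authenticated")
        if self.agent_group not in agent.groups:
            raise PermissionError(f"{agent.uid}: not a member of {self.agent_group!r}")
        self.approvals.add(agent.uid)    # a set, so the same uid counts once
        return self.authorized()

    def authorized(self) -> bool:
        return len(self.approvals) >= self.required_approvals

    def execute(self) -> str:
        """Perform the recovery; refused unless m distinct agents have approved."""
        if not self.authorized():
            raise PermissionError(
                f"{self.request_id}: {len(self.approvals)} of "
                f"{self.required_approvals} required approvals")
        self.executed = True
        return f"key for request {self.request_id} released"


def run_scenario() -> dict:
    """Walk a 2-of-n request through the checks with constructed sample agents."""
    ra = frozenset({RECOVERY_AGENT_GROUP})
    alice = Agent("alice", ra, ssl_authenticated=True)
    bob = Agent("bob", ra, ssl_authenticated=True)
    carol = Agent("carol", frozenset({"Certificate Manager Agents"}), ssl_authenticated=True)
    dave = Agent("dave", ra, ssl_authenticated=False)

    req = RecoveryRequest("req-1", required_approvals=2)
    results = {}

    # Wrong group and unauthenticated agents are rejected outright.
    for name, agent in (("carol", carol), ("dave", dave)):
        try:
            req.grant(agent)
            results[name] = "accepted"
        except PermissionError as exc:
            results[name] = f"rejected: {exc}"

    results["after_alice"] = req.grant(alice)        # 1 of 2: not yet
    results["after_alice_again"] = req.grant(alice)  # same agent, still 1 of 2
    try:
        req.execute()
        results["premature_execute"] = "allowed"
    except PermissionError:
        results["premature_execute"] = "refused"
    results["after_bob"] = req.grant(bob)            # 2 of 2: authorized
    results["outcome"] = req.execute()
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the set of approving uids is the one a deployment should verify as well: raising m above 1 only helps if the m approvals come from m different authenticated agents, so a repeated approval by the same agent must not advance the count.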
Note
This section describes how to recover keys that are not stored on a smart card.
For smart card key recovery, see Chapter 7, "Token Processing System," in the
Certificate System Administrator's Guide and Section 6, "Administrator
Operations".
2.1. Finding Archived Keys
Archived keys can be searched either to examine key details or to initiate recovery. Selecting
search criteria and then selecting a key from the search results works the same way for both operations.
To search for and list archived keys, do the following:
1. Open the DRM agent services page.
2. Click Search for Keys or Recover Keys to display the search criteria form.
When the Recover Keys operation is selected, the search results also offer an option to initiate
recovery for any key that is found.