Converting a Keystore File

The convert feature is currently used only for EAR types of keystores. It supports to download the Master Encryption Key contained in the Remote Key Server (ie a KMIP server) to the local keystore. The old keystore containing the credentials to the RKS will be renamed and will be replaced with a new one of type “local”.

Since the Integrated backup encryption feature does not store a Master Encryption Key at the RKS and does not support keystore of type “local”, this option is not needed/supported for credentials of type AWS-BAR and AZURE-BAR.

$ onkstore -file my_keystore -convert
Which type of keystore would you like to create:
1 - Local Keystore
2 - AWS EAR Keystore
3 - AWS BAR Keystore
4 - KMIP EAR Keystore
5 - AZURE EAR Keystore
6 – AZURE BAR Keystore

Conversion complete for /vobs/tristarp/sqldist/etc/my_keystore.p12

Currently, only option 1 (converting to a local keystore file) is supported. The original keystore file is copied to a backup file (my_keystore.p12.bak#) before being overwritten during the conversion.

Note: By downloading your MEK to a local machine, you are increasing the chances of exposing that key, which is the reason to use a RKS in the first place.

Copyright© 2020 HCL Technologies Limited