Migration Step by Step

Infineon Security Platform

previous page next page

Infineon Security Platform Solution

Migration Step by Step

The process of credentials migration has two parts – administrative and user steps. The first part consists of authorization, setup, and management of the migration process done by the administrator. Once the administrative steps are complete, the users simply have to export and import their keys and certificates from the source to the destination.

In server mode, migration of user-specific keys and certificates is handled by Trusted Computing Management Server, i.e. you do not have to perform the migration steps (except User Step 3 and 4).

Administrative Steps

Step 1 - Exporting the destination computer identity How To:
Performing migration requires that a destination computer, where the user keys and certificates are intended to be migrated to, be identified first. To enable this, a public key identifying the destination computer is made available (exported) by an administrator of the destination computer. This key will be subsequently used to associate user keys and certificates to this computer (Note: When content is protected by the public key of the destination system, only the private key of the computer, protected by the Trusted Platform Module, can access the migrated keys and certificates). This step is necessary to create a root of trust in the migration operation – by ensuring only the intended destination systems can access the user-sensitive credentials.

The Infineon Security Platform Administrator of the destination system must export the computer certificate (public key) to a file. Follow the steps mentioned:

  • Select Migration in the Infineon Security Platform Settings Tool.
  • Select This is the destination platform and click Save….
  • Navigate to a file storage location of your choice that can be accessed from both computers. The file is saved with a default file name as SpPubKeyArchive.xml.

    Acceptable storage media: Removable media or mapped network drive.

Please make note of the location and filename of the exported key since it will be required for the next step.

Step 2 - Authorization by the owner of the source computer
 		 How To:
The next step in migration requires that the owner of the source computer (to be migrated) authorizes the migration of the user keys and certificates to a specific destination computer. This requires that the owner has access to the computer public key of the destination computer. This is the public key exported earlier by an administrator of the destination computer (see step 1 above). The authorization of the destination computer by an Infineon Security Platform Owner causes the security software stack to ensure that the user keys and certificates can only be associated to the specified destination computer.

The Infineon Security Platform Owner of the source computer (computer to be migrated) must authorize the export of the user credentials to the intended destination computer. Follow the steps mentioned:

  • Select Migration in the Infineon Security Platform Settings Tool.
  • Select This is the source platform and click Authorize….
  • On the Authorize Migration screen, click on Import....
  • Navigate to the location of public key file SpPubKeyArchive.xml and click on Open.
  • Type in the Owner Password of the source computer or provide the Owner Password Backup File and click OK.
  • Verify that the host name of the destination computer along with the unique Platform ID is listed and then click Close.
Step 1 and Step 2 combined - Automatic export and authorization How To:
An alternative way for combining and performing the above two steps is auto-export and authorization, which bypasses step 1 listed above and is very similar to step 2. The Infineon Security Platform Owner of the source computer authorizes the migration of the user keys and certificates on a specific computer to a specific destination computer. The difference is that instead of manually identifying the file with the destination computer credentials, the destination platform itself is identified using the standard network computer browse dialog. Once a system is identified, the Infineon Security Platform attempts to dynamically contact the destination machine (using the DCOM) and requests the platform keys and certificates. If the target system is equipped with the Infineon Security Platform, the migration information is automatically transferred between the two computers.

Preconditions:

  • Source computer: The current user (Infineon Security Platform Owner) must be a member of the Administrators group of the destination computer.
  • Destination computer: Infineon Security Platform is installed and enabled.
  • Destination computer: The system policy Allow Administrators to retrieve the SRK public key remotely is enabled.
  • Destination computer: There is no firewall blocking the incoming DCOM request (like the firewall integrated in Microsoft Windows XP or any other firewall).
  • The network is configured to allow DCOM requests.
  • Both source computer and destination computer must be members of domains trusting each other.

In cases where the automatic authorization is not possible, the manual steps (1 & 2) listed above must be followed.

 The Infineon Security Platform Owner of the source computer (computer to be migrated) must authorize the export of the user keys and certificates to the intended destination computer. Follow the steps mentioned:
  • Select Migration in the Infineon Security Platform Settings Tool.
  • Select This is the source platform and click Authorize….
  • On the Authorize Migration screen, click on Browse…. This will open the network browse dialog.
  • Navigate and find the destination computer and select OK.
  • This will initiate the automatic transfer of the migration information from the source computer to the destination computer.

 

User Steps

If a user had configured Personal Secure Drives on the source computer, it is important to backup all Personal Secure Drive image files to be migrated, and to store the backup image files (default file name: SpPSDBackup.fsb) of the source computer in a location that can be accessed by both computers. To use a copies of the source PSD image files on the destination computer, the backup image files of the source computer must be made available.

Step 1 - Export of user keys and certificates from the source computer How To:
After the Administrative Steps are finalized, the individual Infineon Security Platform Users are allowed to securely export their keys and certificates (protected by the public key of the destination system and thus, readable only by the destination platform).

Infineon Security Platform Users on the source computer export their keys and certificates for migration. Follow the steps mentioned:

  • Select Migration in the Infineon Security Platform Settings Tool.
  • Select This is the source platform and click on Export….
  • Choose the destination computer from the list and click Next.
  • Navigate to a file storage location of your choice that can be accessed from both computers. The file is saved with a default file name as SpMigrationArchive.xml. Click Next.
  • Enter the Basic User Password for the source computer and click Next.
  • Confirm the settings and click Next.
  • On the Summary screen verify that the export of user keys and certificates was successful and click Finish.

Please make note of the location and name of the archive file since it will be required for the next step.

Step 2 - Import of the user keys and certificates on the destination computer
 		 How To:
Subsequently, users are also required to “import” the keys and certificates on the destination computers, as long as they have a user account.

On a destination computer, the individual Infineon Security Platform Users can import their keys and certificates. Follow the steps mentioned:

  • Select Migration in the Infineon Security Platform Settings Tool.
  • Select This is the destination platform and click on Import….
  • Navigate to the location of the archive file SpMigrationArchive.xml and click Next.
  • Enter the Basic User Password that was set up on the source computer and click Next.
  • Confirm the settings and click Next.
  • If Security Platform features were previously configured on the destination platform, a warning message will appear. Read the warning message carefully and click Yes.
  • On the Summary screen, verify that the migration of user keys and certificates is successful and click Finish.
  • At the finish screen of the wizard, you will have an opportunity to automatically advance to the next step by selecting the option Start Security Platform User Initialization Wizard.

Note the hints on Migration and Personal Secure Drives.

Step 3 - Configuring applications to use the migrated keys and certificates How To:
Once the migration of the keys and certificates is complete it is important to associate these new credentials to any individual applications the user is intending to use on the destination computer.

Since the credentials can be used across multiple applications, the actual method for importing the migrated keys and certificates will be unique to the individual application software provider. For example users can configure the Encrypting File System to use the migrated certificate. Follow the steps mentioned:

  • Go to User Settings in the Infineon Security Platform Settings Tool.
  • Click Configure....
  • Follow the on screen directions and click Change... on the Security Platform Features - Encryption Certificate page.
  • Select the migrated certificate, click OK and proceed to the next wizard page.
Step 4 - Reconfiguring user features - Personal Secure Drive How To:
Once the migration of the keys and certificates is complete, the user must reconfigure the Personal Secure Drive settings on the destination computer. If one or more Personal Secure Drives had been configured on the source computer, you need to reconfigure the migrated Personal Secure Drives on the destination computer (see Managing your Personal Secure Drives). To reconfigure a Personal Secure Drive, select I want to change my Personal Secure Drive settings and follow the on-screen directions. To use a copy of a source Personal Secure Drive on the destination computer, the concerned backup image file (default file name: SpPSDBackup.fsb) of the source computer must be restored. Note that after the restoration you will have two independent Personal Secure Drives on source and destination computer.


©Infineon Technologies AG

previous page start next page