Rebind a keystore secured with HSM authentication
- Last Updated: February 11, 2026
- 3 minute read
- OpenEdge
- Version 13.0
- Documentation
Rebind allows you to bind an existing keystore file to a new database GUID created with the PROCOPY -newinstance command.
For example, a new database instance lets you give a partner access to a copy of the database without letting them use the keystore to access the master database.
To rebind a keystore secured with HSM authentication, follow these steps:
- View the keystore:
proutil sports2020local -c epolicy view keystoreThe following output shows that HSM storage is enabled and the label is label1.
Keystore created : 01.21.2021 01:17 GMT Keystore updated : 02.09.2021 21:51 GMT KMK location : HSM HSM details : Label=label1 Library+/tools/linuxx8664/softhsmm-2.6.2/libsofthsm2.so Administrator account valid : True User account valid : True DMK valid : True DMK_1 id : rt6IQS/Yo7V6FCoKgLqfBA DMK_1 state : Active DMK_1 created : 02.09.2021 21:51 GMT DMK_1 updated : 02.09.2021 21:51 GMT DMK_1 cipher : AES256_CBC_PBE DBCtx valid : True DBCtx DB id : 5qZZ52yLqLB4FBfSAO5yYA DBCtx_1 DB policy id : rt6IQS/Yo7V6FCoKkIZ4BA DBCtx_1 DB policy state : Current DBCtx_1 DB policy version : 0 DBCtx_1 DMK cipher : AES256_CBC_PBE DBCtx_1 DMK id : rt6IQS/Yo7V6FCoKgLqfBA - Before you copy a database instance, truncate the BI file:
proutil sports2020local -C truncate bi - Create the new instance:
procopy sports2020local sports2020target -newinstanceAfter messages log the percentage of data blocks written, the command returns status:
...Copy complete. (6722) Database copied from sports2020local. (1365) Procopy session end. (334) - Copy the keystore:
cp sports2020local.ks sports2020target.ks - Rebind the keystorein order to view it. Because the instance is new, the rebind command needs a new token with a new label in the HSM storage. Ask your HSM administrator for the new token. For related information, see Get HSM connection information.
- Verify the token access, and see the new token, named label2 in this example:
proutil sports2020target -C hsmvalidate hsm -HSMLibrary /linux86_64/softhsm-2.6.1/libsofthtml.so -HSMLabel label2 -verboseOpenEdge Release 12.5 as of Tue Jul 21 18:30:54 EDT 2021 Label: label2 Description: SoftHSM slot ID 0X68cb5446 Manufacturer ID: SoftHSM project Hardware version: 2.6 Firmware version: 2.6 Flags: 1 Token present: TRUE Token initialized: TRUE HSM device validation completed successfully. - Ask your HSM administrator to copy the token from the first slot in the HSM to the second slot. When the token is in the second slot, run the rebind command:
proutil sports2020target -C epolicy manage keystore rebind -HSMLabel label2OpenEdge Release 12.5 as of Tue Jul 21 19:30:54 EDT 2021 Key store rebind: new database guid successfully created. (15512) Key store rebind operations have completed successfully. (15514)Note: KEYSTORE REBIND is not interruptible. If the operation does not successfully complete, then you need to delete the copied database and redo the steps starting with the PROCOPY -NEWINSTANCE command. - View the keystore to confirm that the rebind worked:
proutil sports2020 -c epolicy view keystoreKeystore version: 4 Keystore created : 01.21.2021 01:17 GMT Keystore updated : 02.09.2021 21:51 GMT KMK location : HSM HSM details : Label=label2 Library+/tools/linuxx8664/softhsmm-2.6.2/libsofthsm2.so Administrator account valid : True User account valid : True DMK valid : True DMK_1 id : rt6IQS/Yo7V6FCoKgLqfBA DMK_1 state : Active DMK_1 created : 02.09.2021 21:51 GMT DMK_1 updated : 02.09.2021 21:51 GMT DMK_1 cipher : AES256_CBC_PBE DBCtx valid : True DBCtx DB id : 5qZZ52yLqLB4FBfSAO5yYA DBCtx_1 DB policy id : rt6IQS/Yo7V6FCoKkIZ4BA DBCtx_1 DB policy state : Current DBCtx_1 DB policy version : 0 DBCtx_1 DMK cipher : AES256_CBC_PBE DBCtx_1 DMK id : rt6IQS/Yo7V6FCoKgLqfBA
For more about PROUTIL EPOLICY MANAGE KEYSTORE REBIND, see PROUTIL EPOLICY MANAGE qualifier.