5 Things to Know about the Enterprise Key Management Foundation
AxelBuecker
When individuals or organizations transact online or pay by credit card, to name just two examples, everyone expects their transactions and data to be protected with the utmost care. In practice this means that data is encrypted and that transactions can be verified through digital signatures. Both depend on cryptographic keys, and the keys are only as safe as the system that generates, stores and distributes them.
1. EKMF is hardware based encryption
The IBM Enterprise Key Management Foundation uses current cryptographic technology to create, manage and store your encryption keys. The EKMF workstation contains a hardware security module (HSM), a cryptographic coprocessor inside which keys are generated. The local keystores are protected by a set of master keys: the master keys reside only inside the HSM, and every key held outside it is stored wrapped under a master key, so a copy of the keystore alone does not reveal any key.
2. EKMF enforces role-based access control
EKMF user roles are enforced by the cryptographic hardware. Role-based access control is in place for all aspects of EKMF functionality. Roles are created to allow sets of users to perform specific actions, such as generating keys, printing PIN mailers, or entering key parts for recovery. Sets of authorities are assigned to user roles, so that sensitive operations such as recovering a key require more than one person.
3. EKMF stores keys in a DB2 database
EKMF stores all keys in a secured DB2 database. That database may be local to the EKMF workstation or on a remote system, such as IBM z/OS. Keys are retrieved from the DB2 database and sent to endpoint systems' keystores, such as the z/OS ICSF key data sets (the CKDS for symmetric keys and the PKDS for asymmetric keys).
4. EKMF manages many key types
EKMF manages many different types of encryption keys: symmetric keys such as DES and AES, and asymmetric keys such as RSA and ECC. (DES is listed for compatibility with existing payment infrastructure; new keys should be AES or at least triple-length TDEA.) EKMF also supports the EMV standards for supplying keys for chip ("chipped") payment cards. Keys for all enterprise encryption requirements, from cards to ATMs to point-of-sale systems, can be supplied from the centralized workstation.
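The "enter key parts for recovery" role above is the classic split-knowledge ceremony: a master key is split into parts, each custodian enters only their own part, the module XORs them back together and confirms the result against a key check value (KCV) before the key is used. The following is an added example written for this page, not EKMF code; the key value, the 3-byte AES-based KCV and the function names are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyCheckValue returns a 3-byte check value that confirms a key was entered
// or combined correctly without revealing it: the first three bytes of the
// AES-ECB encryption of an all-zero block (a common convention, assumed here).
func KeyCheckValue(key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, make([]byte, aes.BlockSize))
	return out[:3], nil
}

// SplitKey splits key into n random parts whose XOR equals the key, so that
// no single custodian ever holds the whole key.
func SplitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("dual control needs at least two custodians")
	}
	parts := make([][]byte, n)
	last := append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		parts[i] = make([]byte, len(key))
		if _, err := rand.Read(parts[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= parts[i][j]
		}
	}
	parts[n-1] = last // the final part makes the XOR of all parts equal the key
	return parts, nil
}

// CombineKeyParts XORs the entered parts and checks the result against the
// expected KCV; a mismatch means a custodian mistyped a part, and the bad
// key is rejected rather than loaded.
func CombineKeyParts(parts [][]byte, expectedKCV []byte) ([]byte, error) {
	if len(parts) < 2 {
		return nil, errors.New("dual control requires at least two parts")
	}
	key := make([]byte, len(parts[0]))
	for _, p := range parts {
		if len(p) != len(key) {
			return nil, errors.New("key parts have different lengths")
		}
		for j := range key {
			key[j] ^= p[j]
		}
	}
	kcv, err := KeyCheckValue(key)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(kcv, expectedKCV) {
		return nil, fmt.Errorf("KCV mismatch: got %s, want %s",
			hex.EncodeToString(kcv), hex.EncodeToString(expectedKCV))
	}
	return key, nil
}

func main() {
	// Constructed 256-bit master key for the demo (hypothetical value).
	master, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	kcv, _ := KeyCheckValue(master)
	parts, _ := SplitKey(master, 3)
	recovered, err := CombineKeyParts(parts, kcv)
	fmt.Println("recovered matches:", bytes.Equal(recovered, master), "err:", err)
	// Corrupt one custodian's part: the KCV check catches it.
	parts[1][0] ^= 0x01
	_, err = CombineKeyParts(parts, kcv)
	fmt.Println("after corrupting a part:", err)
}
```

The KCV is what the custodians compare against the value printed on the key part mailers; it leaks only 24 bits of the encryption of a fixed block, which is why the convention truncates it rather than publishing the whole ciphertext.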
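Sections 1 and 3 together describe the core of a master-key design: the database holds keys only in wrapped form, and the master key that unwraps them never leaves the cryptographic module. The following added example (written for this page, not EKMF's or CCA's own token format, which differ) models that split with RFC 3394 AES Key Wrap implemented on the standard library. The `HSM` and `KeyRecord` types, the key label and the key values are assumptions; the map stands in for the DB2 table.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the RFC 3394 initial value; recovering it after unwrapping is the
// integrity check that proves the right master key was used.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// AESKeyWrap wraps keyData under kek as specified in RFC 3394.
func AESKeyWrap(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("key data must be a multiple of 8 bytes, at least 16")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(keyData) / 8
	a := append([]byte(nil), kwIV...)
	r := append([]byte(nil), keyData...)
	b := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a)
			copy(b[8:], r[i*8:(i+1)*8])
			block.Encrypt(b, b)
			// A = MSB64(B) XOR t, with t = n*j + i (1-based i)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(b[:8])^uint64(n*j+i+1))
			copy(r[i*8:], b[8:])
		}
	}
	return append(a, r...), nil
}

// AESKeyUnwrap reverses AESKeyWrap and rejects the result unless the
// integrity check passes (wrong master key or modified record).
func AESKeyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("malformed wrapped key")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	b := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i+1))
			copy(b[8:], r[i*8:(i+1)*8])
			block.Decrypt(b, b)
			copy(a, b[:8])
			copy(r[i*8:], b[8:])
		}
	}
	if !bytes.Equal(a, kwIV) {
		return nil, errors.New("integrity check failed: wrong master key or corrupted record")
	}
	return r, nil
}

// HSM models the cryptographic module: the master key lives only here.
type HSM struct{ MasterKey []byte }

// KeyRecord is what the key database stores: label, type and the key
// wrapped under the master key. The clear key is never written to the database.
type KeyRecord struct {
	Label, KeyType string
	WrappedKey     []byte
}

// ImportKey wraps a clear key into a database record.
func (h *HSM) ImportKey(label, keyType string, clearKey []byte) (KeyRecord, error) {
	w, err := AESKeyWrap(h.MasterKey, clearKey)
	if err != nil {
		return KeyRecord{}, err
	}
	return KeyRecord{Label: label, KeyType: keyType, WrappedKey: w}, nil
}

// UnwrapForUse recovers the clear key inside the module boundary; a real
// module would re-wrap it under a transport key before sending it to an endpoint.
func (h *HSM) UnwrapForUse(rec KeyRecord) ([]byte, error) {
	return AESKeyUnwrap(h.MasterKey, rec.WrappedKey)
}

func main() {
	// Constructed demo values (hypothetical, not real EKMF key material).
	master, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	opKey, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	h := &HSM{MasterKey: master}
	db := map[string]KeyRecord{} // stand-in for the DB2 key table
	rec, _ := h.ImportKey("PAYMENT.AES.0001", "AES-128", opKey)
	db[rec.Label] = rec
	fmt.Printf("stored in DB: %x\n", db["PAYMENT.AES.0001"].WrappedKey)
	clear, err := h.UnwrapForUse(db["PAYMENT.AES.0001"])
	fmt.Printf("unwrapped: %x err=%v\n", clear, err)
	other := &HSM{MasterKey: bytes.Repeat([]byte{0xff}, 16)}
	_, err = other.UnwrapForUse(db["PAYMENT.AES.0001"])
	fmt.Println("different master key:", err)
}
```

Two properties matter here and the code makes both visible: a dump of the database yields only wrapped keys, and a module with a different master key cannot unwrap them, which is exactly why master keys are loaded under dual control and backed up as key parts rather than copied around.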
5. EKMF can be a PKI Certificate Authority
Public key cryptography has grown considerably in use in recent years. EKMF offers public key cryptography functions for RSA. The functionality extends basic RSA key generation and administration to true certificate management. In particular, there are certificate management functions for SSL and for RACF key rings that make it easy to monitor all certificates, including which ones are about to expire. EKMF can create, issue, and sign X.509v3 digital certificates for the enterprise, acting as the enterprise's own certificate authority.
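To make concrete what "create, issue and sign X.509v3 certificates" involves, here is an added example written for this page (not EKMF's CA code) using Go's standard `crypto/x509` package: a self-signed root whose certificate carries the CA basic constraint and certificate-signing key usage, a server certificate it issues for a subject's public key, and the verification a relying party performs. The CA name, hostname, serial numbers and validity periods are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a minimal issuing authority: its RSA signing key and self-signed certificate.
type CA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates a self-signed root. Relying parties refuse to accept
// certificates signed by a CA that lacks the CA basic constraint and the
// keyCertSign usage, so both are set explicitly.
func NewCA(name string) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// IssueServerCert signs an end-entity TLS server certificate for dnsName.
// The CA signs the subject's public key; the subject's private key never
// reaches the CA. IsCA is left false so the leaf cannot sign further certificates.
func (ca *CA) IssueServerCert(dnsName string, pub *rsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain does what a TLS client does: build a chain from leaf to the
// trusted root and check the name and extended key usage.
func VerifyChain(leaf, root *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewCA("Example Enterprise Root CA") // constructed name
	if err != nil {
		panic(err)
	}
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // generated by the server, not the CA
	if err != nil {
		panic(err)
	}
	leaf, err := ca.IssueServerCert("app.example.com", &serverKey.PublicKey, 2)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued:", leaf.Subject.CommonName, "by", leaf.Issuer.CommonName, "version", leaf.Version)
	fmt.Println("chain valid:", VerifyChain(leaf, ca.Cert, "app.example.com") == nil)
	fmt.Println("other host rejected:", VerifyChain(leaf, ca.Cert, "db.example.com") != nil)
}
```

In an enterprise deployment the CA private key would be generated and kept inside the HSM and only the signing operation would cross the module boundary; the Go code keeps the key in memory purely to keep the example self-contained.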
If you want to find out more about the IBM Enterprise Key Management Foundation you can read our IBM Redbooks Solution Guide “Cen
W. Craig Johnston joined IBM in 1982, and is currently working in the IBM System z Lab Services team specializing in mainframe security. Craig is focused on working with clients to implement enterprise wide encryption and the System z security components. His previous positions include devising and directing the testing strategies for RACF and other security services provided by components and products for z/OS and other platforms. Craig has been a member of RACF Development as both a function verification and system tester. As part of the IBM Academic Initiative, Craig worked on several IBM Redbook residencies and teaches mainframe security.