Preparing IBM Security Key Lifecycle Manager for KMIP
Use these steps to prepare an IBM® Security Key Lifecycle Manager key server for Key Management Interoperability Protocol (KMIP).
Procedure
The skladmin user can complete the following steps on an IBM Security Key Lifecycle Manager key server.
- Create a self-signed SSL/KMIP server certificate or a certificate that is signed by a third-party provider.
To create a self-signed certificate, complete the following:
- Select Advanced Configuration > Server Certificates to open the Administer Server Certificates page.
- Click Add to open the Add SSL/KMIP Certificate window.
- Select Create self-signed certificate.
- Enter a label and description for the certificate and a validity period. Select the RSA algorithm.
- Click Add Certificate to create and add the certificate.
- Restart the key server by clicking skladmin > Restart Server.
To create a certificate that is signed by a third-party provider, complete the following:
- Select Advanced Configuration > Server Certificates to open the Administer Server Certificates page.
- Click Add to open the Add SSL/KMIP Certificate window.
- Select Request certificate from a third-party provider.
- Enter a label and description for the certificate and a validity period. Select the RSA algorithm.
- Click Add Certificate to create and add the certificate, which is active but with a pending status.
- Select the certificate and click Export to export the certificate to the key server in the following location: /opt/IBM/WebSphere/AppServer/products/sklm.
- Manually send this certificate request file to a certificate authority.
- After the signed certificate is returned from the certificate authority, open the Welcome page, and in the Action Items area, click Third-party certificates pending import to import the certificate to the key server.
- On the Import page, select the certificate and click Import to open the Import Certificate window.
- Browse for the certificate and click Import. After import, the certificate status will change to valid.
- Restart the key server by clicking skladmin > Restart Server.
- Export the SSL/KMIP server certificate to a location on the key server.
- Select Advanced Configuration > Server Certificates to open the Certificates window.
- Select the certificate and click Export to open the Export Certificate window.
- Enter a file name and location for the certificate and select a certificate type.
- Click Export Certificate.
- Create a Multi-Master configuration with a minimum of two IBM Security Key Lifecycle Manager key servers.
The Multi-Master configuration can be set up only in a new IBM Security Key Lifecycle Manager environment.
You must ensure that your computer host names are configured correctly before you set up IBM Security Key Lifecycle Manager masters for Multi-Master configuration. You must update the /etc/hosts file in the primary and standby master servers of the cluster to enable host name to IP address mapping.
The /etc/hosts file is located in the following paths:
- Linux
- /etc/hosts
- Windows
- C:\Windows\System32\Drivers\etc\
The following /etc/hosts file example displays a mapping of IP addresses and host names (sklma and sklmb) for the primary and secondary master.
[root@sklma ]# cat /etc/hosts
# 127.0.0.1 sklma
0.00.000.01 sklma
0.00.000.02 sklmb
Complete the following steps on the IBM Security Key Lifecycle Manager that contains the SSL/KMIP certificate, which will serve as the primary master server.
- Click Administration > Multi-Master to open the Multi-Master page.
- Click Multi-Master to establish the server as the primary master server.
- In the Multi-Master page, click Refresh master Status. After the refresh, verify that all protocols and services are showing a green square.
- Click Add Master to open the Add Master window and add the standby master to the Multi-Master cluster.
- In the Basic Properties tab, enter the following information for the standby master.
- Host name / IP address
- Enter the host name of the IBM Security Key Lifecycle Manager standby master.
- IBM Security Key Lifecycle Manager user name
- Enter the name of the IBM Security Key Lifecycle Manager administrator. The administrator name is displayed by default.
- IBM Security Key Lifecycle Manager password
- Enter the password for the IBM Security Key Lifecycle Manager administrator.
- WebSphere Application Server user name
- Enter the WebSphere Application Server login user ID for the IBM Security Key Lifecycle Manager administrator profile. The default WebSphere Application Server login ID is displayed.
- WebSphere Application Server password
- Enter the password for the WebSphere Application Server login user ID.
- UI port
- Enter the HTTPS port to access the IBM Security Key Lifecycle Manager graphical user interface and REST services. The default port number is displayed.
- In the Advanced Properties tab, enter the following information.
- Do you want to set this master as standby database?
- Select Yes to add the current instance of IBM Security Key Lifecycle Manager as a standby master to the cluster.
- HADR port
- Enter the port number for the standby HADR database to communicate with the primary HADR database.
- Standby priority index
- Enter the priority index value for the standby database to take over when the primary database is down. You can set the priority index to any value in the range 1-3. The standby server with a higher-priority index level (lower number) takes precedence over the lower-priority databases.
- Click Test Connection to test whether the communication between the primary master and the standby master is successful.
- If the connection is successful, click Add to add the standby master to the cluster. The HADR database builds across both masters and, depending on the number of masters in the cluster, may take 10 - 30 minutes to finish.
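The host name mapping required earlier in this step is worth verifying before the standby master is added, because a host name that resolves to a loopback address or to more than one address cannot be caught by the GUI. The following POSIX shell script is an added example, not part of the IBM documentation: it parses a constructed hosts file that mirrors the sklma/sklmb sample above and fails for a host name that is missing, mapped more than once, or mapped to a loopback address (the sample above keeps its 127.0.0.1 sklma line commented out).

```shell
#!/bin/sh
# Added example, not from the IBM documentation: validate that a hosts file maps
# each Multi-Master host name to exactly one non-loopback IPv4 address before
# the standby master is added to the cluster.

# resolve_host FILE NAME: print every address that FILE maps to NAME, one per
# line, ignoring comment lines (such as "# 127.0.0.1 sklma") and trailing comments.
resolve_host() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }                     # whole-line comment
        { sub(/#.*/, "") }                            # trailing comment
        { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
    ' "$1"
}

# check_host FILE NAME: succeed only if NAME has exactly one mapping and that
# address is outside 127.0.0.0/8 (a loopback mapping would point the standby
# master's HADR traffic at the wrong machine).
check_host() {
    addrs=$(resolve_host "$1" "$2")
    count=$(printf '%s\n' "$addrs" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "$2: expected exactly 1 mapping, found $count" >&2
        return 1
    fi
    case "$addrs" in
        127.*) echo "$2: mapped to loopback address $addrs" >&2; return 1 ;;
    esac
    echo "$2 -> $addrs"
    return 0
}

# Constructed hosts files; the placeholder addresses are the ones shown on the page.
HOSTS_OK=$(mktemp)
cat > "$HOSTS_OK" <<'EOF'
# 127.0.0.1 sklma
0.00.000.01 sklma
0.00.000.02 sklmb
EOF

HOSTS_BAD=$(mktemp)
cat > "$HOSTS_BAD" <<'EOF'
127.0.0.1 sklma   # loopback entry left in place
0.00.000.02 sklmb
EOF

check_host "$HOSTS_OK" sklma && check_host "$HOSTS_OK" sklmb && echo "hosts mapping OK"
```

Run it on each master with the real /etc/hosts in place of the constructed files; on Windows the same check applies to the hosts file under C:\Windows\System32\Drivers\etc\.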
- Log in to both IBM Security Key Lifecycle Manager servers in the cluster and verify the Multi-Master availability. The Welcome screen displays the status of each server.
If a server is in a failed state, open the DB2 HADR Status window, select the server, and click Refresh master Status.
- Export the DS8000® client certificate from the storage system and import it to the primary master key server to register the storage system as an IBM Security Key Lifecycle Manager client.
- Click Client and Groups to open the Client Dashboard page.
- Click Create to open the Register Clients page.
- Select Import Client Certificate and enter both a client name and a certificate name. Browse for the client certificate that was imported to the key server.
- Click Register Client.
- To set up a trusted connection with the DS8000, you must import the server certificate into the storage system when you configure a connection to the key servers from the storage system.