tklmKeyList
Use the tklmKeyList command to list a key or keys in the keystore, based on specified criteria such as an active state.
Purpose
Use this command to list a key or keys in the keystore, based on specified criteria such as an active state.
Permissions
Your role must have a permission to the view action and a permission to the appropriate device group.
Syntax
tklmKeyList -uuid universalKeyID -alias keyalias -keyStoreName keystorename -usage {LTO | 3592 | DS5000 | DS8000 | BRCD_ENCRYPTOR | ONESECURE | ETERNUS_DX | XIV | GPFS | GENERIC | userdevicegroup | SSLSERVER | SSLCLIENT} -attributes [state value] -v {y | n}
IBM Security Key Lifecycle Manager creates certificate objects with public and private key objects internally, but does not set some KMIP required and optional attributes on these objects. Running the tklmKeyList command in verbose mode lists many of the KMIP attributes as NULL. Similarly, symmetric key objects that are created through the non-KMIP interface of IBM Security Key Lifecycle Manager list many of the KMIP attributes as NULL. The null values do not affect the IBM Security Key Lifecycle Manager function.
Parameters
There are no required parameters.
- -alias
- Specify a unique name for the key.
- -attributes
- Specify the current state of the key. The following values are supported:
- pending
- A certificate request entry is pending the return of a certificate that is approved and certified by a certificate authority.
- pre-active
- Object exists but is not yet usable for any cryptographic purpose, such as migrated certificates with a future use time stamp.
- active
- Object is in operational use for protecting and processing data that might use Process Start Date and Protect Stop Date attributes. For example, protecting includes encryption and signature issue. Processing includes decryption and signature verification.
- compromised
- The security of the object is suspect for some reason. A compromised object never returns to an uncompromised state, and cannot be used to protect data. Use the object only to process cryptographically protected information in a client that is trusted to handle compromised cryptographic objects. IBM Security Key Lifecycle Manager retains the state of the object immediately before it was compromised. To process data that was previously protected, the compromised object might continue to be used.
- deactivated
- Object is not to be used to apply cryptographic protection such as encryption or signing. However, if extraordinary circumstances occur, the object can be used with special permission to process cryptographically protected information. For example, processing includes decryption or verification.
- destroyed
- Object is no longer usable for any purpose. This status causes the object to be removed from the product.
- destroyed-compromised
- Object is no longer usable for any purpose. This status causes the object to be removed from the product.
- -keyStoreName
- Specify the name of the keystore.
- -uuid
- Specify the Universal Unique Identifier of the key. For example, KEY-a3ce9230-bef9-42bd-86b7-6d208ec119cf.
- -usage
- Specify a unique device group, such as LTO.
You can include the following values:
- LTO
- Specifies the LTO device group.
- 3592
- Specifies the 3592 device group.
- DS5000
- Specifies the DS5000 device group.
- DS8000
- Specifies the DS8000 device group.
- ONESECURE
- Specifies the ONESECURE device group that is in the DS5000 device family.
- ETERNUS_DX
- Specifies the ETERNUS_DX device group that is in the DS5000 device family.
- XIV
- Specifies the IBM Spectrum Accelerate (previously known as XIV) device group.
- GPFS
- Specifies the IBM Spectrum Scale (previously known as GPFS) device group.
- GENERIC
- Specifies a device family that uses the Key Management Interoperability Protocol to interact with IBM Security Key Lifecycle Manager. The GENERIC device group enables management of KMIP objects. Do not use the command-line interface to add a device to the GENERIC device group, or to change a GENERIC device group attribute.
- SSLCLIENT
- Client-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the client device.
- SSLSERVER
- Server-side certificate that is used in secure communication by using Secure Socket Layer protocol.
- userdevicegroup
- Specifies a user-defined group that is based on a supported device family.
- -v [y | n]
- Verbose. The default is n, or no extra information. To list more information about a key, specify y (for yes): -v y
Example
This Jython-formatted command verbosely lists all the keys that are in active state.
print AdminTask.tklmKeyList('[-usage LTO -attributes "{state active}" -v y]')
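The example above, generalized as an added helper (not IBM's code or part of the product): it builds the bracketed argument string from the documented parameters, rejects state values that are not on this page, and refuses values that could alter the argument string when they come from a ticket or inventory export. The names key_list_args and state_sweep and the token pattern are assumptions of this example.

```python
import re

# State values as documented on this page for -attributes.
STATES = ("pending", "pre-active", "active", "compromised",
          "deactivated", "destroyed", "destroyed-compromised")
# Conservative token pattern (an assumption of this example): rejects
# whitespace, quotes, brackets and braces so a value cannot alter the
# bracketed argument string it is placed into.
_TOKEN = re.compile(r"^[A-Za-z0-9_.-]+\Z")


def _token(name, value):
    if not _TOKEN.match(value):
        raise ValueError("unsafe value for -%s: %r" % (name, value))
    return value


def key_list_args(usage=None, state=None, uuid=None, alias=None,
                  key_store_name=None, verbose=False):
    """Return the argument string to pass to AdminTask.tklmKeyList."""
    parts = []
    if uuid is not None:
        parts.append("-uuid " + _token("uuid", uuid))
    if alias is not None:
        parts.append("-alias " + _token("alias", alias))
    if key_store_name is not None:
        parts.append("-keyStoreName " + _token("keyStoreName", key_store_name))
    if usage is not None:
        parts.append("-usage " + _token("usage", usage))
    if state is not None:
        if state not in STATES:
            raise ValueError("unknown state: %r" % (state,))
        parts.append('-attributes "{state %s}"' % state)
    if verbose:
        parts.append("-v y")
    return "[" + " ".join(parts) + "]"


def state_sweep(usage, states=("compromised", "deactivated")):
    """Map each state to verbose listing arguments for one device group."""
    return dict((s, key_list_args(usage=usage, state=s, verbose=True))
                for s in states)


# Inside wsadmin (-lang jython), where the shell provides AdminTask:
#   for state, args in sorted(state_sweep("LTO").items()):
#       print state; print AdminTask.tklmKeyList(args)
```

The code avoids Python 3 only syntax so that it can be pasted into a Jython script.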