Managing AEK with an external IBM Security Key Lifecycle Manager

If you want to store and retrieve your SED authentication keys (AEKs) on an IBM® Security Key Lifecycle Manager (ISKLM) server in your environment, you must configure Cloud Pak for Data System as an ISKLM client. After your system is integrated with ISKLM, you can also switch back to the local keystore if needed.

Integrating Cloud Pak for Data System with ISKLM server for AEK management

The following steps outline the ISKLM server integration procedure. Work with your ISKLM system administrator, because the ISKLM server must also be configured to communicate with Cloud Pak for Data System.

  1. Set up the ISKLM server with information regarding Cloud Pak for Data System, and download the server certificate.
  2. Configure Cloud Pak for Data System with ISKLM server information and export the client certificate from your system to the ISKLM server.
  3. Test the ISKLM configuration.
  4. Export the current AEK from local keystore to ISKLM.
  5. Switch AEK management from local keystore to ISKLM.
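Steps 1 and 2 exchange certificates in both directions (the ISKLM server certificate is downloaded to the system, and the system's client certificate is exported to the ISKLM server), so a mismatched key pair or an expiring certificate is the usual reason the test in step 3 fails. The following script is an added example, not part of the Cloud Pak for Data System documentation or product tooling: it runs plain OpenSSL pre-flight checks on the exchanged files before the connection test. The file paths are assumptions, and the 30-day expiry window is a chosen threshold.

```shell
#!/bin/sh
# Added example (not product code): pre-flight checks on the certificates
# exchanged with the ISKLM server. Paths are passed as arguments and are
# assumptions; only the openssl CLI is required.

# Return 0 if the private key in $2 belongs to the certificate in $1,
# by comparing the public key embedded in each.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate in $1 is still valid $2 seconds from now.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of $1 (hex with colons) so it can be
# compared out of band with the value the ISKLM administrator sees.
cert_fingerprint() {
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
  printf '%s\n' "${fp#*=}"
}

# Run all checks on server cert $1, client cert $2, client key $3.
# Returns non-zero on the first failing check.
preflight() {
  window=2592000   # 30 days in seconds (chosen threshold)
  cert_not_expiring "$1" "$window" \
    || { echo "FAIL: server certificate expires within 30 days"; return 1; }
  cert_not_expiring "$2" "$window" \
    || { echo "FAIL: client certificate expires within 30 days"; return 1; }
  cert_key_match "$2" "$3" \
    || { echo "FAIL: client key does not match client certificate"; return 1; }
  echo "server certificate SHA-256: $(cert_fingerprint "$1")"
  echo "client certificate SHA-256: $(cert_fingerprint "$2")"
}

# Generate a constructed, self-signed server and client pair in directory $1
# for trying the checks out offline; real deployments use the certificates
# from steps 1 and 2 instead.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/server.key" -out "$1/server.pem" -subj "/CN=isklm-test" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/client.key" -out "$1/client.pem" -subj "/CN=cpds-client-test" >/dev/null 2>&1
}

# Usage: sh preflight.sh server.pem client.pem client.key
if [ "$#" -eq 3 ]; then
  preflight "$1" "$2" "$3"
fi
```

Run it against the server certificate downloaded in step 1 and the client certificate and key exported in step 2; a non-zero exit points at the file to fix before repeating step 3. The fingerprints are printed so both administrators can confirm they are trusting the same certificates.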

Switching your system from an external ISKLM server back to the local keystore

Sometimes you might want to switch key management back to the local keystore in Cloud Pak for Data System, for example when moving to a different ISKLM server in your organization or relocating the system. In such cases, follow these steps to return your system to the local keystore:

  1. Import the current AEK from ISKLM to Cloud Pak for Data System.
  2. Add the imported AEK into the local keystore.
  3. Switch AEK management from ISKLM to local keystore.