
Setting up for keys

In order to be able to use EKMF Web to manage keys in various services, the following steps are generally required:

  1. You first need to create an instance of that service, or install an agent (e.g. KMG Agent on System z).
  2. You then need to create a connection to those services in EKMF Web, which are referred to as Keystores or Keystore connections throughout this document and the user interface.
  3. The last step is to create a key template that specifies the characteristics of the keys to be created, like naming conventions, key algorithm and key length.

Key label template tags

During the creation of a key template, you can specify a key label template to enforce key naming conventions. A key label template can consist of fixed strings and tags, which are placeholders that are populated during the creation of each individual key. You can specify custom tags. For example, if you add <myTag> to your key label template, a value for myTag must be provided each time a key is created with this template. In addition to custom tags, you can also use system tags, which are provided automatically during key creation.

Valid system tags are:

| Tag | Alternative spelling | Description |
|---|---|---|
| <sequenceNumber> | <seqno>, <sqn> | The sequence number is resolved automatically at generation time (no user input). |
| <sequenceNumber/len> | <seqno/len>, <sqn/len> | Accepts a parameter that specifies the sequence number length (number of digits). Currently 5 digits are enforced. Automatically resolved at generation time (no user input is required). |
| <sequenceNumber/P> | <seqno/P>, <sqn/P> | Prompts the user for the value of the sequence number. |
| <sequenceNumber/len/P> | <seqno/len/P>, <sqn/len/P> | Sequence number with a specified length; prompts the user for the value. |

The calculation of the sequence number is based on a lookup in the database to avoid conflicts with keys from other key templates. The behaviour is similar to EKMF Workstation, where the next available number is looked up by a complex database query with a regular expression every time a new key is generated. For EKMF Web, there is a table in which the final key label is stored with all tags filled out except the sequence number.

As an example, when a key is created from a template specifying the following key label template <h>ABC.<myTag>.<another>.<seqno/4>AAA, and for which the following tags are specified:

  • h --> O
  • myTag --> JJ
  • another --> ASD
  • seqno --> Replace the requested length of seqno with zeros, e.g. <seqno/4> becomes 0000

Then the resulting pre-final label OABC.JJ.ASD.0000AAA is used as a lookup string in the table.
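The label resolution described above, as an added Python example that is not EKMF Web code: it builds the pre-final lookup label from a template and tag values and shows two different templates sharing one sequence when they resolve to the same lookup string. The function names, the dict standing in for the database table, the default width of 5 for a tag without a length, and numbering from 1 are assumptions of this example.

```python
import re

SEQ_NAMES = {"sequenceNumber", "seqno", "sqn"}  # spellings from the tag table
DEFAULT_LEN = 5  # assumption: width used when a sequence tag carries no length
TAG_RE = re.compile(r"<([^<>]+)>")


def parse_tag(body):
    """Return (name, length); length is None for a custom tag."""
    name, *params = body.split("/")
    if name not in SEQ_NAMES:
        return body, None
    # /P (user-supplied number) is accepted here but not resolved below.
    digits = [p for p in params if p.isdigit()]
    length = int(digits[0]) if digits else DEFAULT_LEN
    if length < 1 or len(digits) > 1 or any(
            p != "P" and not p.isdigit() for p in params):
        raise ValueError(f"bad sequence tag <{body}>")
    return name, length


def render(template, values, number):
    """Fill custom tags from `values`, sequence tags with zero-padded `number`."""
    def fill(match):
        name, length = parse_tag(match.group(1))
        if length is None:
            if name not in values:
                raise KeyError(f"no value supplied for custom tag <{name}>")
            return values[name]
        if number >= 10 ** length:
            raise OverflowError(f"sequence number {number} exceeds {length} digits")
        return str(number).zfill(length)
    return TAG_RE.sub(fill, template)


def prefinal_label(template, values):
    """Lookup string: every tag filled, sequence number replaced by zeros."""
    return render(template, values, 0)


def next_label(template, values, table):
    """`table` (a dict, constructed) maps pre-final label -> last number issued."""
    key = prefinal_label(template, values)
    number = table.get(key, 0) + 1  # assumption: numbering starts at 1
    label = render(template, values, number)
    table[key] = number
    return label
```

Because the lookup key is the resolved label rather than the template, a second template that produces the same fixed text continues the same sequence instead of reissuing an existing key label.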

Supported keystores

EKMF Web supports the following keystores:

EKMF Web V2.0:

  • KMG Agent for keys on z/OS that can be used for Pervasive Encryption

EKMF Web V2.1: