Contribute in GitHub:
Edit online
Setting up keys for GKLM
IBM Enterprise Key Management Foundation Web (EKMF Web) provides centralized key management. You can use EKMF Web to store the master key in ICSF. This master key protects all the keys and certificates that are stored in the IBM® Security Guardium® Key Lifecycle Manager database.
You can configure EKMF Web for the new and existing installations of IBM Security Guardium Key Lifecycle Manager.
Important: You cannot configure IBM Security Guardium Key Lifecycle Manager servers from different deployments or setups with the same EKMF Web server. Such a configuration might cause unrecoverable data loss. You can do so in a replication setup.
Deployment Scenario
In the deployment scenario presented below, there are:
- Two GKLM instances
- Two EKMF Web instances running the key management APIs; primary and DR
- Four EKMF Web instances running the crypto connect APIs; primary and failover for each GKLM instance
- Four EKMF Agents for distributing keys for each of the crypto connect API instances
Create key template for GKLM
You need to set up a key template for use with GKLM on EKMF Web.
Perform the following steps to create a template:
- Select Key management > Key templates from the menu bar.
- On the Key template page, click the Create button on the right.
- Specify the following settings on the template creation panels. Use the Back and Next buttons to navigate between the panels and click Save at the end to confirm your changes.
| Panel name | Setting | Description |
|---|---|---|
| General | Name | Enter the template name. The templates names can consist of up to 30 uppercase alphabetic characters, numerals, and hyphens. For example, you can call your template TEAMEKMF. |
| General | Keystore type | The type of keystore, chose Pervasive Encryption to create keys for GKLM. |
| General | Key Label | Enter the pattern of the key names. All keys that are generated with this template have a name that follows this pattern. For GKLM, the fixed value GKLM.MKEY.<ALIAS> is required. |
| General | Description | Optionally, provide more details about this template in the description |
| Details | Key algorithm | Only AES is available for this type of template. |
| Details | Key type | For GKLM you must select Cipher as key type. |
| Details | Key size | Select 256 for the key size |
| Details | Key state | Set the Key state to Active. |
| Details | Key's active period | Optionally, adjust the activation and expiration date for the keys |
| Details | Keystore groups | Select a connection to a KMG keystore. For GKLM, at least one connection to a KMG Agent installed and running on a z/OS LPAR is required. Refer to Seting for Pervasive Encryption for details. |
| Advanced properties | Allow key export | Set this to Off to prevent keys for GKLM from being exported. |
| Advanced properties | Other properties needed by the keystore | Specify { “keyWords”: [“ANY-MODE”]} |
| Summary | Review your settings and click Save |
EKMF Web settings in GKLM env config file
Follow the GKLM documentation for configuring IBM Security Guardium Key Lifecycle Manager to use EKMF Web.
mTLS for GKLM
EKMF Web must be enabled for mTLS.
The RACF user ID that the GKLM mTLS client certificate maps to must be authorized to the EKMFWEB application and the role it plays. See Application access and roles for details on the sample GKLMEKMG group.
Clients that wish to connect with only mTLS need to include header ekmf-mtls: true with each request. E.g.
curl
--cert client.cer \
--key client.key \
--request GET 'https://ekmfweb.example.com/api/v2/keys' \
--header 'Accept: application/json' \
--header 'ekmf-mtls: true'