
Setting up keys for GKLM

IBM Enterprise Key Management Foundation Web (EKMF Web) provides centralized key management. You can use EKMF Web to store the master key in ICSF. This master key protects all the keys and certificates that are stored in the IBM® Security Guardium® Key Lifecycle Manager database.

You can configure EKMF Web for the new and existing installations of IBM Security Guardium Key Lifecycle Manager.

Important: Do not configure IBM Security Guardium Key Lifecycle Manager servers from different deployments or setups with the same EKMF Web server. Such a configuration might cause unrecoverable data loss. The exception is a replication setup, in which the servers can use the same EKMF Web server.

Deployment Scenario

In the deployment scenario presented below, there are:

  • Two GKLM instances
  • Two EKMF Web instances running the key management APIs; primary and DR
  • Four EKMF Web instances running the crypto connect APIs; primary and failover for each GKLM instance
  • Four EKMF Agents for distributing keys for each of the crypto connect API instances

Figure: EKMF Web Deployment Scenario with GKLM

Create key template for GKLM

You need to set up a key template for use with GKLM on EKMF Web.

Perform the following steps to create a template:

  1. Select Key management > Key templates from the menu bar.
  2. On the Key template page, click the Create button on the right.
  3. Specify the following settings on the template creation panels. Use the Back and Next buttons to navigate between the panels and click Save at the end to confirm your changes.
Table: Settings of a key template for GKLM

| Panel name | Setting | Description |
|---|---|---|
| General | Name | Enter the template name. Template names can consist of up to 30 uppercase alphabetic characters, numerals, and hyphens. For example, you can call your template TEAMEKMF. |
| General | Keystore type | The type of keystore. Choose Pervasive Encryption to create keys for GKLM. |
| General | Key Label | Enter the pattern of the key names. All keys that are generated with this template have a name that follows this pattern. For GKLM, the fixed value GKLM.MKEY.<ALIAS> is required. |
| General | Description | Optionally, provide more details about this template in the description. |
| Details | Key algorithm | Only AES is available for this type of template. |
| Details | Key type | For GKLM, you must select Cipher as the key type. |
| Details | Key size | Select 256 for the key size. |
| Details | Key state | Set the Key state to Active. |
| Details | Key's active period | Optionally, adjust the activation and expiration date for the keys. |
| Details | Keystore groups | Select a connection to a KMG keystore. For GKLM, at least one connection to a KMG Agent installed and running on a z/OS LPAR is required. Refer to Setting for Pervasive Encryption for details. |
| Advanced properties | Allow key export | Set this to Off to prevent keys for GKLM from being exported. |
| Advanced properties | Other properties needed by the keystore | Specify { "keyWords": ["ANY-MODE"] } |
| Summary | | Review your settings and click Save. |

EKMF Web settings in GKLM env config file

Follow the GKLM documentation for configuring IBM Security Guardium Key Lifecycle Manager to use EKMF Web.


EKMF Web must be enabled for mTLS.

The RACF user ID that the GKLM mTLS client certificate maps to must be authorized to the EKMFWEB application and the role it plays. See Application access and roles for details on the sample GKLMEKMG group.

Clients that connect with mTLS only must include the header ekmf-mtls: true with each request. For example:

# The request URL is left empty here; supply the EKMF Web API endpoint to call.
curl --cert client.cer \
--key client.key \
--request GET '' \
--header 'Accept: application/json' \
--header 'ekmf-mtls: true'