As a first activity, create a wrapping key for a 3592 tape drive.
Before you begin
Before you begin, determine your site policy for the use of self-signed certificates and
certificates that are issued by a certificate authority (CA). You can create self-signed
certificates for the test phase of your project. In advance, you can also request certificates
from a certificate authority for the production phase.
About this task
You can use the Create Certificate dialog or the following REST services to
create certificates or certificate requests:
- Create Certificate REST Service
- Certificate Generate Request REST Service
Your role must have the permissions to the
create action and to the appropriate device group. To make this certificate the default, your role
must have permission to the modify action.
Procedure
- Using graphical user interface
- Log in to the graphical user interface.
- In the Key and Device Management section on the
Welcome page, select 3592.
- Click . Alternatively, right-click 3592 and
select Guided key and device creation.
- On the Step 1: Create Wrapping Key page, click
Create.
- On the Create Wrapping Key dialog, select the wrapping key type,
Certificate or AES Key.
- Click Create.
- Create a wrapping key.
- Certificate
- On the Create Certificate dialog, select either a self-signed certificate,
or a certificate signing request for a third-party provider.
- Specify values for the required and optional parameters. For example, you might optionally
specify that this certificate is the default or the partner certificate. Then, click
Create Certificate.
- AES Key
- On the Create AES Key dialog, specify values for the required and optional
parameters. For example, you might optionally specify that this AES key is the default or the
partner AES key. Then, click Create.
- Click Close.
- Using REST interface
- Open the Swagger UI. For more information, see Using Swagger UI.
- Authenticate and authorize to access the REST APIs. For more information, see Authentication process for REST services.
- Create a wrapping key.
- Certificate
Use the Create Certificate REST Service to create a
certificate. For example, you can send the following HTTP request:
POST https://localhost:port/SKLM/rest/v1/certificates
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth authId=139aeh34567m
Accept-Language: en
{"type":"selfsigned","alias":"sklmCertificate1","cn":"sklm","ou":"sales",
"o":"myCompanyName","usage":"3592","country":"US","validity":"999",
"algorithm":"RSA"}
- Certificate signing request
Use the Certificate Generate Request REST Service to create a
PKCS #10 certificate request file. For example, you can send the following HTTP
request:
POST https://localhost:port/SKLM/rest/v1/certificates
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth authId=139aeh34567m
{"type":"certreq","alias":"sklmCertificate1","cn":"sklm","ou":"sales","o":
"myCompanyName","usage":"3592","country":"US","validity":"999","fileName":
"myCertRequest1.crt","algorithm":"ECDSA"}
- AES Key
Use the Create Key REST Service to create symmetric keys.
For example, you can send the following HTTP request:
POST https://localhost:port/SKLM/rest/v1/keys
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"alias":"abc","numOfKeys":"1","usage":"3592"}
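The three REST requests above can be checked before they are sent. The following Python code is an added example, not IBM's own code: it builds the request for a certificate, a certificate signing request, or an AES key, and rejects malformed field names and a self-signed certificate outside the test phase. The function name, the `phase` parameter, the policy check, and the restriction to field names seen in the samples on this page are assumptions.

```python
import json
import urllib.request

# Field names seen in this page's sample requests (the services may accept more).
CERT_FIELDS = {"type", "alias", "cn", "ou", "o", "usage", "country",
               "validity", "algorithm", "fileName"}
KEY_FIELDS = {"alias", "numOfKeys", "usage"}
PATHS = {"certificate": "/SKLM/rest/v1/certificates",
         "aes": "/SKLM/rest/v1/keys"}


def build_wrapping_key_request(kind, body, authorization, host, port,
                               phase="test"):
    """Validate `body` and return an unsent POST request for a 3592 wrapping key.

    kind: "certificate" (self-signed or certreq) or "aes".
    authorization: Authorization header value obtained from the login step.
    phase: "test" or "production"; hypothetical switch for the site policy.
    """
    if kind not in PATHS:
        raise ValueError(f"unknown wrapping key kind: {kind!r}")
    allowed = CERT_FIELDS if kind == "certificate" else KEY_FIELDS
    # Reject misspelled or whitespace-padded names such as " algorithm ".
    unknown = sorted(k for k in body if k not in allowed)
    if unknown:
        raise ValueError(f"unexpected field name(s): {unknown}")
    padded = sorted(k for k, v in body.items()
                    if isinstance(v, str) and v != v.strip())
    if padded:
        raise ValueError(f"value has surrounding whitespace: {padded}")
    if body.get("usage") != "3592":
        raise ValueError("usage must be the 3592 device group")
    if kind == "certificate":
        if body.get("type") not in ("selfsigned", "certreq"):
            raise ValueError("type must be selfsigned or certreq")
        # Assumed policy: self-signed certificates only in the test phase.
        if body["type"] == "selfsigned" and phase != "test":
            raise ValueError("site policy: use a CA-issued certificate")
    return urllib.request.Request(
        url=f"https://{host}:{port}{PATHS[kind]}",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": authorization},
    )
```

Send the returned object with `urllib.request.urlopen`, which validates the server's TLS certificate by default, and pass in the Authorization value from the login step rather than storing it in the script.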
What to do next
Back up the new wrapping keys before they are served to devices. For a certificate
signing request, the next step might be to import the signed certificate. You can go to the next
step to define specific devices, and associate wrapping keys with the devices. Select Step 2:
Identify Drives or click Go to Next Step.
For a 3592 device group, also specify values for the system default and
partner certificates in the IBM Security Guardium Key Lifecycle Manager database. Use
the Device Group Attribute Update REST Service to set these values.