Specifying that keys are used only once

You can specify that the keys in a key group are used only once. For security reasons, for example, you might prevent additional use of previously used keys that are defined for a key group.

About this task

You can use the REST interface to set the stopRoundRobinKeyGrps property in the SKLMConfig.properties file. Your role must have permission for the configure action. This property is not initially present in the property file unless you set its value to true.
Important:
  • Turning on this flag can cause key serving to stop if a key group is in use and the last key from the key group is served. Additional requests for a key from this group on a key serving write request cause an error and send an error code of 0xEE34 (NO_KEY_TO_SERVE) to the device. To enable successful processing of new key serving write requests, add new keys to the key group. Alternatively, you might specify use of a different key group that has available keys. Key serving read requests always succeed when the requested key exists.
  • Use this property in an environment of strict government compliance and with FIPS 140. With the property on, you must actively monitor your key groups. Ensure that a key group does not run out of keys, causing the server to stop serving keys and the tape write request to fail.
  • If you turn on this flag, do not turn off the flag. For example, if you turn on the flag, a key group does not serve previously used keys. If you turn off the flag, the next key in the group is served. After the last key in the group is served, the next key to be served is the first key in the group.
  • When this option is set, do not separately assign individual key aliases that belong to a key group to devices.

Procedure

  1. First, determine the current state of the property in the SKLMConfig.properties file. This property is not initially present in the property file unless you set its value to true.
    • REST interface:
      Use the Get Single Config Property REST Service to get the current value of the property. Send the following HTTP request:
      GET https://localhost:port/SKLM/rest/v1/configProperties/stopRoundRobinKeyGrps
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m
      Accept-Language: en
  2. Change the state of the stopRoundRobinKeyGrps property to a value of true in the SKLMConfig.properties file.
    • REST interface:
      Send the following HTTP request:
      PUT https://localhost:port/SKLM/rest/v1/configProperties
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth authId=139aeh34567m
      Accept-Language: en

      {"stopRoundRobinKeyGrps": "true"}
  3. To determine success, use the Get Single Config Property REST Service.

    Additionally, on the Welcome page in the graphical user interface, you might observe a warning in the Action Items section. The section lists key groups with 10 percent or fewer available keys. Double-click an entry in this table to access the Modify Key Groups dialog, where you can add more keys for use by the group.

    There is no other warning. The low key count warning applies to all key groups, including the key group that is specified as the default.
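
    The following added example is a simplified model of the serving behavior described in this topic, not code from the product. The KeyGroup class, its method names, and the key aliases are hypothetical; treating an empty group as having no key to serve and counting never-served keys as "available" are assumptions of the model.

```python
# Simplified model of the behaviour described on this page; not SKLM code.
NO_KEY_TO_SERVE = 0xEE34  # error code sent to the device, per the page


class KeyGroup:
    def __init__(self, aliases, stop_round_robin=False):
        self.aliases = list(aliases)              # constructed sample aliases
        self.stop_round_robin = stop_round_robin  # models stopRoundRobinKeyGrps
        self.used = set()                         # aliases served for writes
        self.next_index = 0                       # round-robin position

    def add_keys(self, aliases):
        self.aliases.extend(aliases)

    def available(self):
        return sum(1 for a in self.aliases if a not in self.used)

    def low_on_keys(self):
        # Action Items lists groups with 10 percent or fewer available keys.
        return self.available() * 10 <= len(self.aliases)

    def serve_write(self):
        """Return (alias, None) on success, or (None, NO_KEY_TO_SERVE)."""
        if not self.aliases:                      # assumption: nothing to serve
            return None, NO_KEY_TO_SERVE
        if self.stop_round_robin:
            unused = [a for a in self.aliases if a not in self.used]
            if not unused:                        # last key already served
                return None, NO_KEY_TO_SERVE
            alias = unused[0]
            self.next_index = self.aliases.index(alias) + 1
        else:
            # Flag off: wrap to the first key after the last one is served.
            pos = self.next_index % len(self.aliases)
            alias = self.aliases[pos]
            self.next_index = pos + 1
        self.used.add(alias)
        return alias, None

    def serve_read(self, alias):
        # Reads succeed whenever the requested key exists, used or not.
        return alias if alias in self.aliases else None


if __name__ == "__main__":
    group = KeyGroup(["key-001", "key-002", "key-003"], stop_round_robin=True)
    for _ in range(4):
        print(group.serve_write(), "low" if group.low_on_keys() else "ok")
    group.stop_round_robin = False                # turning the flag off again
    print(group.serve_write())                    # a used key is served again
```

    The last call shows why the flag should stay on once set: with the flag off, the exhausted group wraps around and serves a key that was already used.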

    Table 1. Topic change log
    Date           Change description
    08 Nov 2021    Removed wsadmin steps as WebSphere Application Server Liberty does not support the wsadmin interface.
    10 Sept 2021   Initial version.