Specifying that keys are used only once
You can specify that the keys in a key group are used only once. For example, for security reasons you might want to prevent any further use of keys in a key group that have already been served.
About this task
You can use the REST interface to set the stopRoundRobinKeyGrps property in the SKLMConfig.properties file. Your role must have permission for the configure action. This property is not initially present in the property file unless you set its value to true.
Important:
- Turning on this flag can cause key serving to stop if a key group is in use and the last key from the key group is served. Additional requests for a key from this group on a key serving write request cause an error and send an error code of 0xEE34 (NO_KEY_TO_SERVE) to the device. To enable successful processing of new key serving write requests, add new keys to the key group. Alternatively, you might specify use of a different key group that has available keys. Key serving read requests always succeed when the requested key exists.
- Use this property in an environment of strict government compliance and with FIPS 140. With the property on, you must actively monitor your key groups. Ensure that a key group does not run out of keys, causing the server to stop serving keys and the tape write request to fail.
- If you turn on this flag, do not turn off the flag. For example, if you turn on the flag, a key group does not serve previously used keys. If you turn off the flag, the next key in the group is served. After the last key in the group is served, the next key to be served is the first key in the group.
- When this option is set, do not separately assign individual key aliases that belong to a key group to devices.
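To make the serving behaviour described in these notes concrete, the following is an added model (not SKLM code; the KeyGroup class and the key aliases are constructed for illustration) of one key group served in round-robin mode and with stopRoundRobinKeyGrps on, including the 0xEE34 write failure, the read requests that still succeed, the monitoring check, and recovery by adding keys.

```python
# Constructed model of the documented key-group serving behaviour.
# It is an illustration of the semantics on this page, not SKLM code.

NO_KEY_TO_SERVE = 0xEE34  # error code the page says is sent to the device


class KeyGroup:
    """A key group with aliases served on write requests."""

    def __init__(self, name, aliases, stop_round_robin=False):
        self.name = name
        self.aliases = list(aliases)
        self.stop_round_robin = stop_round_robin  # stopRoundRobinKeyGrps
        self.next_index = 0   # round-robin position of the next key
        self.used = set()     # aliases already served on a write request

    def unused_count(self):
        """Monitoring check: how many keys have not yet been served."""
        return sum(1 for a in self.aliases if a not in self.used)

    def serve_write(self):
        """Key serving write request: returns (alias, error_code)."""
        if self.stop_round_robin:
            if self.unused_count() == 0:
                # Group exhausted: the write request fails with 0xEE34.
                return None, NO_KEY_TO_SERVE
            # Never reuse a key: serve the first alias not yet served.
            alias = next(a for a in self.aliases if a not in self.used)
        else:
            # Round robin: after the last key, wrap back to the first.
            alias = self.aliases[self.next_index % len(self.aliases)]
        # Keep the round-robin position so that turning the flag off
        # continues with the next key in the group.
        self.next_index = self.aliases.index(alias) + 1
        self.used.add(alias)
        return alias, 0

    def serve_read(self, alias):
        """Read requests succeed whenever the requested key exists."""
        return alias if alias in self.aliases else None

    def add_keys(self, aliases):
        """Remedy from the page: add new keys to an exhausted group."""
        self.aliases.extend(aliases)
```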