Parameters to install the IBM Security Guardium Key Lifecycle Manager container
Use this topic to understand the parameters that are used to install an IBM Security Guardium Key Lifecycle Manager container.
Depending on the platform on which you are installing IBM Security Guardium Key Lifecycle Manager, refer to one of the two Parameter columns in Table 1:
- The Parameters (for zCX) column lists the parameters that are used for installation on the zCX environment.
- The Parameters (for Helm Charts) column lists the parameters that are used for installation on a Red Hat® OpenShift® Container Platform cluster or a Kubernetes cluster. These parameters are defined in the values.yaml file.
Parameter (for zCX) | Parameter (for Helm Charts) | Description |
---|---|---|
Container name | | |
name* | | Name for the container. |
Environment variables | | |
DB_PASSWORD* | sklmdb_password* | Password to connect to the database instance where the IBM Security Guardium Key Lifecycle Manager database is running. |
DB_TYPE | sklmdb_type* | Type of the database. Specify the value that matches the database that you use; the sample files below use zos_db2 for Db2 for z/OS and postgres for PostgreSQL. Note: This parameter is ignored in subsequent run commands when the same value of the gklmAppVolume parameter is used. |
DB_USER | sklmdb_username* | User name of the database (klmdb421 in the sample files below). |
DB_NAME | sklmdb_name* | Name of the database (KLMDB421 in the sample files below). |
ZOS_DB_NAMES | | Names of the Db2 for z/OS databases. If there are multiple databases, specify them as comma-separated values, for example KLMSMM,KLMLGG,KLM32KLH. Note: This parameter is mandatory if the value of the DB_TYPE parameter is zos_db2. |
ZOS_DB_LOCATION* | | Location of the Db2 for z/OS database. Note: This parameter is mandatory if the value of the DB_TYPE parameter is zos_db2. |
DB_PORT* | sklmdb_port* | Port number of the database instance where the IBM Security Guardium Key Lifecycle Manager database is running. |
DB_HOST* | sklmdb_host* | IP address or fully qualified host name of the system that hosts the database instance where the IBM Security Guardium Key Lifecycle Manager database is running. The database instance and the application container can run on the same system or on different systems. |
LICENSE* | sklmapp_license | Variable to accept the license terms. Specify the value accept. |
SKLM_SEED* | sklmapp_seed* | A secret passcode that is unique to a deployment and must be stored securely. The value is a random string of 32 or 64 characters that you generate with an external utility. Note: Make sure that the value of this parameter in subsequent run commands is the same as the value used in the first run command, when the same value of the gklmAppVolume parameter is used. |
SKLMADMIN_USERNAME | sklmadmin_username | User name of the IBM Security Guardium Key Lifecycle Manager administrator. Only alphanumeric characters are allowed. Default value: sklmadmin. Important: Do not change the default value of this parameter. |
SKLMADMIN_PASSWORD* | sklmadmin_password* | Password for the IBM Security Guardium Key Lifecycle Manager administrator user. |
LIBERTY_KEYSTORE_PASSWORD | liberty_keystore_password | Password for the IBM Security Guardium Key Lifecycle Manager keystore. Default value: Ch@ngemypa55word. Replace the default value before you deploy. Note: Make sure that the value of this parameter in subsequent run commands is the same as the value used in the first run command, when the same value of the gklmAppVolume parameter is used. |
LIBERTY_KEYSTORE_PASSWORD_OLD | liberty_keystore_password_old | Old password for the IBM Security Guardium Key Lifecycle Manager keystore. To change the keystore password, specify the current password as the value of this parameter and the new password in the LIBERTY_KEYSTORE_PASSWORD parameter. Default value: Ch@ngemypa55word. Note: Make sure that the value of this parameter in subsequent run commands is the same as the value used in the first run command, when the same value of the gklmAppVolume parameter is used. |
LIBERTY_AES_ENCRYPTION_KEY | | Key for encrypting the password of the IBM Security Guardium Key Lifecycle Manager administrator user with the AES algorithm. If you do not provide a value, IBM Security Guardium Key Lifecycle Manager uses the value of the SKLM_SEED parameter for encryption. |
HEALTH_AUTHORIZATION_TOKEN | sklm_health_token | Health token for your Kubernetes, OCP, or zCX environment. The platform presents this token when it calls the container's health check, so that health check calls are authenticated. |
Port numbers | | |
9443* | 30443* | Port number for the graphical user interface. |
5696* | 32696* | KMIP TLS port. |
1441* | 31441* | IPP TLS port. |
3801* | 31801* | IPP TCP port. |
1111 | 31111 | Port number for the master server in a replication setup. Note: Specify this parameter when you deploy the container in a replication setup. |
2222 | 32222 | Port number for the clone server in a replication setup. Note: Specify this parameter when you deploy the container in a replication setup. |
Persistent storage | | |
gklmAppVolume* | | Persistent storage for the application server configuration and metadata. Sample value: /opt/ibm/wlp/products |
Sample environment variables file contents
- Installing IBM Security Guardium Key Lifecycle Manager on IBM® zCX environment with Db2 for z/OS:

  ```properties
  DB_TYPE=zos_db2
  DB_NAME=KLMDB421
  DB_USER=klmdb421
  DB_PASSWORD=xxxxx
  DB_HOST=9.x.x.x
  DB_PORT=446
  ZOS_DB_NAMES=KLMSMM,KLMLGG,KLM32KLH
  ZOS_DB_LOCATION=db_location
  LICENSE=accept
  SKLM_SEED=68d95f0081f1dbfc0b06de9b0916df1c
  SKLMADMIN_USERNAME=sklmadmin
  SKLMADMIN_PASSWORD=Ch@ngeMe
  ```

- Installing IBM Security Guardium Key Lifecycle Manager on IBM zCX environment with PostgreSQL:

  ```properties
  DB_TYPE=postgres
  DB_NAME=KLMDB421
  DB_USER=klmdb421
  DB_PASSWORD=xxxxx
  DB_HOST=9.x.x.x
  DB_PORT=5432
  LICENSE=accept
  SKLM_SEED=68d95f0081f1dbfc0b06de9b0916df1c
  SKLMADMIN_USERNAME=sklmadmin
  SKLMADMIN_PASSWORD=Ch@ngeMe
  ```
Deploying the IBM Security Guardium Key Lifecycle Manager container by using encrypted secrets
1. Create a keystore of type PKCS12 with a key pair as shown:

   Alias = gklm-key
   Keystore name = defaultKeystore.p12

2. Create a file named encryption.properties and specify the PKCS12 keystore password in the file:

   enc.password=passw0rd

3. Create a Dockerfile with the following contents:

   ```dockerfile
   # Extend the SKLM application image
   ARG LATEST_IMAGE
   FROM ${LATEST_IMAGE}
   ARG PROPERTIES_FILE
   ARG KEYSTORE_FILE
   # Copy the encryption properties file and the PKCS12 keystore into the image
   COPY $PROPERTIES_FILE /opt/ibm/wlp/configuration
   COPY $KEYSTORE_FILE /opt/ibm/wlp/configuration
   ```

4. Build a Docker image from the Dockerfile that you created in Step 3, passing the keystore and the properties file as build arguments. Make sure that the keystore (defaultKeystore.p12) and the encryption.properties file have read/write permissions for a non-root user. Because the built image contains both the keystore, including its private key, and the keystore password in encryption.properties, anyone who can pull the image can decrypt the secrets that you encrypt in Step 5; restrict access to the image and to the registry accordingly.

   For example:

   ```shell
   docker build -t <tag name> --build-arg LATEST_IMAGE=<GKLM image name> --build-arg PROPERTIES_FILE=<properties file name> --build-arg KEYSTORE_FILE=<keystore file name> --no-cache .
   docker build -t gklm4210 --build-arg LATEST_IMAGE=docker-na.artifactory.swg-devops.com/sec-sklm-build-docker-local/sklm:Dev_RTP_421_55.x86_64 --build-arg PROPERTIES_FILE=encryption.properties --build-arg KEYSTORE_FILE=defaultKeystore.p12 --no-cache .
   ```

5. Extract the public key from the PKCS12 file that you created in Step 1 and store it in a file (sklm_public in the example). Pass that file as -inkey, together with -pubin, to encrypt each secret and base64-encode the result on a single line:

   ```shell
   echo "Ch@ngemypa55word" | openssl rsautl -encrypt -inkey sklm_public -pubin | base64 -w 0
   ```

6. Set the following environment variables to their encrypted values and start the container from the image that you built in Step 4:

   LIBERTY_KEYSTORE_PASSWORD, LIBERTY_KEYSTORE_PASSWORD_OLD, SKLMADMIN_PASSWORD, DB_PASSWORD
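The script below is an added example that is not part of the IBM documentation. It carries out Steps 1, 2 and 5 of the procedure with openssl alone, producing the PKCS12 keystore under the alias gklm-key, the encryption.properties file, the extracted public key and the base64 ciphertexts to pass in Step 6, and it includes a local decrypt so the result can be checked before the container is ever started. Two differences from the page's command are deliberate: openssl pkeyutl replaces openssl rsautl, which is deprecated in OpenSSL 3.x but uses the same default PKCS#1 v1.5 padding, and printf '%s' replaces echo so that no trailing newline is encrypted as part of the password. The self-signed certificate is an assumption (the page only specifies the alias and file name); openssl and base64 on PATH are assumed; the secrets encrypted at the end are the page's sample values.

```shell
#!/bin/sh
# Added example (not IBM's code): performs Steps 1, 2 and 5 above with openssl
# only, so the result can be checked locally. Assumes openssl and base64 on
# PATH. The alias, file names and enc.password value are those given on the
# page; the secrets encrypted at the end are the page's sample values.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KS_PASS="passw0rd"                    # PKCS12 keystore password (Step 2)
KS_ALIAS="gklm-key"                   # key pair alias (Step 1)
KS_FILE="$WORKDIR/defaultKeystore.p12"
PROPS_FILE="$WORKDIR/encryption.properties"
PUB_FILE="$WORKDIR/sklm_public"       # extracted public key (Step 5)

# Step 1: generate an RSA key pair with a self-signed certificate (an assumption;
# the page only fixes the alias and file name) and wrap it in a PKCS12 keystore
# under the alias gklm-key.
make_keystore() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=gklm" \
    -keyout "$WORKDIR/gklm-key.pem" -out "$WORKDIR/gklm-cert.pem" 2>/dev/null
  openssl pkcs12 -export -name "$KS_ALIAS" \
    -inkey "$WORKDIR/gklm-key.pem" -in "$WORKDIR/gklm-cert.pem" \
    -out "$KS_FILE" -passout "pass:$KS_PASS"
  # Step 4 requires the file to be readable by the container's non-root user,
  # and COPY keeps this mode, so it is not locked down to 0600 here.
  chmod 644 "$KS_FILE"
}

# Step 2: the properties file that gives the container the keystore password.
make_properties() {
  printf 'enc.password=%s\n' "$KS_PASS" > "$PROPS_FILE"
  chmod 644 "$PROPS_FILE"
}

# Step 5a: extract only the public key from the PKCS12 file.
extract_public_key() {
  openssl pkcs12 -in "$KS_FILE" -nokeys -passin "pass:$KS_PASS" 2>/dev/null \
    | openssl x509 -pubkey -noout > "$PUB_FILE"
}

# Step 5b: RSA-encrypt one secret with the public key (PKCS#1 v1.5 padding, the
# same default as the page's rsautl command) and base64 it on a single line.
# printf '%s' rather than echo, so no trailing newline becomes part of the secret.
encrypt_secret() {
  printf '%s' "$1" \
    | openssl pkeyutl -encrypt -pubin -inkey "$PUB_FILE" \
    | base64 | tr -d '\n'
}

# Local verification only (the container does the equivalent with the keystore
# it carries): pull the private key out of the PKCS12 file and decrypt.
decrypt_secret() {
  openssl pkcs12 -in "$KS_FILE" -nocerts -nodes -passin "pass:$KS_PASS" \
    2>/dev/null > "$WORKDIR/verify-key.pem"
  printf '%s' "$1" | base64 -d \
    | openssl pkeyutl -decrypt -inkey "$WORKDIR/verify-key.pem"
}

make_keystore
make_properties
extract_public_key

# Step 6 input: the encrypted values to set as environment variables.
printf 'LIBERTY_KEYSTORE_PASSWORD=%s\n' "$(encrypt_secret 'Ch@ngemypa55word')"
printf 'SKLMADMIN_PASSWORD=%s\n' "$(encrypt_secret 'Ch@ngeMe')"
```

The files land in WORKDIR (a fresh mktemp directory unless you set it), which is also the build context to point the Step 4 docker build at. Encryption here only protects the secrets while they sit in the environment file or values file; because the keystore and its password ship inside the image, access to the image is what ultimately protects them.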