You can change the default certificate settings that IBM Security Guardium Key Lifecycle Manager provides.

About this task

Use the Key Serving Parameters page to change certificate settings. Alternatively, you can use the following REST services to list or change the appropriate properties in the SKLMConfig.properties file: Get Single Config Property REST Service and Update Config Property REST Service.

Your role must have permission for the configure action.

Before you begin, determine whether you want:
- To carry out certificate date validation before a key is served. Validation confirms that the certificate is valid and is not expired.
- To identify certificates by using the subject key identifier that is stored in the certificate.
Procedure

- Go to the appropriate page or directory:
- Change the value for one or more certificate settings:
  - In the graphical user interface, change one or more of the following settings, and then click OK:
    - Do not use expired certificates for write requests or data writes.
      Before a key is served, validates that the expiration date has not passed for the certificate or certificates that wrap this key. Expired certificates are used only for read requests. When this setting is enabled, expired certificates are not used for write requests. Selecting this check box changes the value of the cert.valiDATE property to true in the SKLMConfig.properties file.
    - Keep pending client device communication certificates.
      Keeps communication certificates from client devices pending until you accept the certificates for use in secure communication between the device and the Guardium Key Lifecycle Manager server. If you disable this setting, you must manually import client device communication certificates. This configuration parameter is associated with the value of the enableClientCertPush property in the SKLMConfig.properties file.
    - Identify certificates by certificate name.
      Identifies certificates by using the certificate name that is stored in the certificate, rather than a subject key identifier. You specify the certificate name when you create a certificate. This function is used when decrypting data that was written to a device. When this setting is disabled, the Subject Key Identifier is used to determine the certificate to use when reading data on a cartridge or other device. This configuration parameter is associated with the value of the useSKIDefaultLabels property in the SKLMConfig.properties file.
  - REST interface:
    - Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    - To run Get Single Config Property REST Service, send the HTTP GET request. Pass the user authentication identifier that you obtained in Step a along with the request message, as shown in the following example.
      Service request:
        GET https://localhost:<port>/SKLM/rest/v1/configProperties/cert.valiDATE
        Content-Type: application/json
        Accept: application/json
        Authorization: SKLMAuth userAuthId=139aeh34567m
        Accept-Language: en
      Success response:
        Status Code : 200 OK
        Content-Language: en
        {"cert.valiDATE" : "False"}
    - Specify the required change. For example, you can send the following service request to change the value of the cert.valiDATE property to true:
        PUT https://localhost:<port>/SKLM/rest/v1/configProperties
        Content-Type: application/json
        Accept: application/json
        Authorization: SKLMAuth authId=139aeh34567m
        Accept-Language: en
        { "cert.valiDATE": "true"}
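The GET-then-PUT exchange above, written out as a small client that also reads the property back after the update so that a change the server silently ignored is noticed. This is an added example, not IBM's code or part of the original page. It assumes that both requests use the header form `Authorization: SKLMAuth userAuthId=<id>` that the page's GET example shows, and it uses a constructed in-memory stand-in (`FakeSklm`) in place of the real server so that it runs offline; `BASE_URL` keeps the page's `<port>` placeholder.

```python
"""Added example, not IBM's code: drive the Get Single Config Property and
Update Config Property REST services shown above, then read the property
back to confirm the change took effect.

Assumptions not stated on the page: both requests use the header form
'Authorization: SKLMAuth userAuthId=<id>' that the page's GET example shows,
and the PUT reply body is not inspected beyond its status code. FakeSklm is a
constructed in-memory stand-in for the server so the script runs offline;
swap its send() for a real HTTPS client (with certificate verification on)
to talk to a live Guardium Key Lifecycle Manager.
"""

CONFIG_PATH = "/SKLM/rest/v1/configProperties"
BASE_URL = "https://localhost:<port>"  # placeholder, as on the page


def build_headers(user_auth_id: str) -> dict:
    """The four headers that both requests on the page carry."""
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"SKLMAuth userAuthId={user_auth_id}",
        "Accept-Language": "en",
    }


def parse_bool(value: str) -> bool:
    """Property values arrive as strings; the page shows 'False' in a GET
    reply and 'true' in a PUT, so compare case-insensitively and reject
    anything that is not a boolean."""
    normalized = str(value).strip().lower()
    if normalized not in ("true", "false"):
        raise ValueError(f"not a boolean property value: {value!r}")
    return normalized == "true"


class FakeSklm:
    """Constructed stand-in for the server. Holds a copy of the relevant
    SKLMConfig.properties entries and answers GET and PUT the way the page's
    examples do, returning (status code, decoded JSON body)."""

    PREFIX = "SKLMAuth userAuthId="

    def __init__(self, properties: dict):
        self.properties = dict(properties)

    def send(self, method: str, url: str, headers: dict, body=None):
        auth = headers.get("Authorization", "")
        if not auth.startswith(self.PREFIX) or len(auth) <= len(self.PREFIX):
            return 401, {}  # no usable user authentication identifier
        if method == "GET":
            name = url.rsplit("/", 1)[-1]
            if name not in self.properties:
                return 404, {}
            return 200, {name: self.properties[name]}
        if method == "PUT" and body:
            self.properties.update(body)
            return 200, {}
        return 400, {}


def get_config_property(server, name: str, user_auth_id: str) -> str:
    """Get Single Config Property: GET .../configProperties/<name>."""
    status, body = server.send("GET", f"{BASE_URL}{CONFIG_PATH}/{name}",
                               build_headers(user_auth_id))
    if status != 200:
        raise RuntimeError(f"GET {name} failed: HTTP {status}")
    return body[name]


def update_config_property(server, name: str, value: str, user_auth_id: str) -> int:
    """Update Config Property: PUT .../configProperties with {name: value}."""
    status, _ = server.send("PUT", f"{BASE_URL}{CONFIG_PATH}",
                            build_headers(user_auth_id), {name: value})
    return status


def enable_cert_date_validation(server, user_auth_id: str) -> bool:
    """Turn cert.valiDATE on (expired certificates refused for write requests)
    and return the value read back afterwards, so a silently ignored update is
    caught rather than assumed."""
    if parse_bool(get_config_property(server, "cert.valiDATE", user_auth_id)):
        return True  # already enabled; nothing to change
    status = update_config_property(server, "cert.valiDATE", "true", user_auth_id)
    if status != 200:
        raise RuntimeError(f"PUT cert.valiDATE failed: HTTP {status}")
    return parse_bool(get_config_property(server, "cert.valiDATE", user_auth_id))


if __name__ == "__main__":
    # Constructed starting state matching the page's GET reply of "False".
    server = FakeSklm({"cert.valiDATE": "False", "useSKIDefaultLabels": "true"})
    print("cert.valiDATE enabled:", enable_cert_date_validation(server, "139aeh34567m"))
```

Reading the property back after the PUT is the useful habit here: the settings take effect dynamically, so a follow-up GET is the cheapest way to confirm that write requests will now refuse expired certificates before you rely on it.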
What to do next

Changes to certificate settings occur dynamically. Next, you might create the necessary certificates and associate them with specific devices.