Specifying key serving parameters

You can change the default certificate settings that IBM Security Guardium Key Lifecycle Manager provides.

About this task

Use the Key Serving Parameters page to change certificate settings. Alternatively, you can use the following REST services to list or change the appropriate properties in the SKLMConfig.properties file:

Get Single Config Property REST Service and Update Config Property REST Service

Your role must have permission for the configure action.

Before you begin, determine whether you want:

  • To carry out certificate date validation before a key is served. Validation confirms that the certificate is valid and is not expired.
  • To identify certificates by using the subject key identifier that is stored in the certificate.

Procedure

  1. Go to the appropriate page or directory:
    • Graphical user interface:

      Log on to the graphical user interface. Click IBM Security Guardium Key Lifecycle Manager > Configuration > Key Serving Parameters.

    • REST interface:
      • Open a REST client.
  2. Change the value for one or more certificate settings:
    • In the graphical user interface, change one or more of the following settings, and then click OK:
      Do not use expired certificates for write requests or data writes.
      Before a key is served, validates that the expiration date has not passed for the certificate or certificates that wrap the key. Expired certificates are used only for read requests. When this setting is enabled, expired certificates are not used for write requests. Selecting this check box changes the value of the cert.valiDATE property to true in the SKLMConfig.properties file.
      Keep pending client device communication certificates.
      Keep communication certificates from client devices pending until you accept the certificates for use in secure communication between the device and the Guardium Key Lifecycle Manager server. If you disable this setting, you must manually import client device communication certificates. This configuration parameter is associated with the value of the enableClientCertPush property in the SKLMConfig.properties file.
      Identify certificates by certificate name.
      Identify certificates by using the certificate name that is stored in the certificate, rather than using a subject key identifier. You specify the certificate name when you create a certificate. This function is used when decrypting data that was written to a device.

      When disabled, the Subject Key Identifier is used to determine the certificate to be used when reading data on a cartridge or other device. This configuration parameter is associated with the value of the useSKIDefaultLabels property in the SKLMConfig.properties file.

    • REST interface:
      1. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
      2. To run Get Single Config Property REST Service, send the HTTP GET request. Pass the user authentication identifier that you obtained in step 1 along with the request message, as shown in the following example.
        Service request
        GET https://localhost:<port>/SKLM/rest/v1/configProperties/cert.valiDATE
        Content-Type: application/json
        Accept: application/json
        Authorization: SKLMAuth userAuthId=139aeh34567m
        Accept-Language: en
        Success response
        Status Code : 200 OK
        Content-Language: en
        {"cert.valiDATE" : "False"}
      3. Specify the required change. For example, you can send the following service request to change the value of the cert.valiDATE property to true:
        PUT https://localhost:<port>/SKLM/rest/v1/configProperties
        Content-Type: application/json
        Accept: application/json
        Authorization: SKLMAuth userAuthId=139aeh34567m
        Accept-Language: en
        { "cert.valiDATE": "true"}
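The GET and PUT exchange above, and the cert.valiDATE setting described under the graphical user interface, wrapped in a small client as an added example. This is not IBM's code: it assumes the configProperties endpoints and headers shown in the request examples, a userAuthId that you have already obtained through the authentication process for REST services (the login step itself is not covered), and a CA bundle that the server's TLS certificate chains to, so that the auth id is never sent to an impostor. After the PUT it reads the property back rather than trusting the PUT response alone, and the offline_demo function uses a constructed in-memory stand-in for the server so the flow runs without a Guardium Key Lifecycle Manager instance.

```python
"""Read, update, and read back a SKLMConfig.properties value through the
IBM Security Guardium Key Lifecycle Manager REST interface.

Added example, not IBM code. Assumptions: the configProperties GET/PUT
endpoints and headers shown on the page; a userAuthId already obtained
through the REST authentication process; a CA bundle (ca_file) that the
server certificate chains to.
"""
import json
import ssl
import urllib.request
from typing import Callable, Optional

CONFIG_PATH = "/SKLM/rest/v1/configProperties"


def build_request(base_url: str, auth_id: str, prop_name: str,
                  value: Optional[str] = None) -> urllib.request.Request:
    """GET a single property (value is None) or PUT a new value for it."""
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"SKLMAuth userAuthId={auth_id}",
        "Accept-Language": "en",
    }
    if value is None:
        return urllib.request.Request(f"{base_url}{CONFIG_PATH}/{prop_name}",
                                      headers=headers, method="GET")
    body = json.dumps({prop_name: value}).encode("utf-8")
    return urllib.request.Request(f"{base_url}{CONFIG_PATH}", data=body,
                                  headers=headers, method="PUT")


def parse_property(body: bytes, prop_name: str) -> str:
    """Pull one value out of a response such as {"cert.valiDATE": "False"}."""
    data = json.loads(body)
    if prop_name not in data:
        raise KeyError(f"{prop_name} missing from response: {data!r}")
    return str(data[prop_name])


def is_enabled(value: str) -> bool:
    """The server reports booleans as strings; compare case-insensitively."""
    return value.strip().lower() == "true"


def https_send(req: urllib.request.Request,
               ca_file: Optional[str] = None) -> bytes:
    """Send over TLS with certificate verification on; raises on non-2xx."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def set_and_verify(base_url: str, auth_id: str, prop_name: str, value: str,
                   send: Callable[[urllib.request.Request], bytes]) -> str:
    """PUT the new value, then GET it back so the caller sees what the
    server actually stored rather than trusting the PUT alone."""
    send(build_request(base_url, auth_id, prop_name, value))
    return parse_property(send(build_request(base_url, auth_id, prop_name)),
                          prop_name)


def offline_demo() -> tuple:
    """Constructed in-memory stand-in for the server: exercises the same
    requests and parsing without a real Guardium Key Lifecycle Manager."""
    store = {"cert.valiDATE": "False"}  # constructed sample starting state
    base, auth = "https://localhost:9443", "PLACEHOLDER_AUTH_ID"

    def fake_send(req: urllib.request.Request) -> bytes:
        if req.get_method() == "PUT":
            store.update(json.loads(req.data))
            return b"{}"
        name = req.full_url.rsplit("/", 1)[1]
        return json.dumps({name: store[name]}).encode("utf-8")

    before = parse_property(
        fake_send(build_request(base, auth, "cert.valiDATE")), "cert.valiDATE")
    after = set_and_verify(base, auth, "cert.valiDATE", "true", fake_send)
    return before, after, is_enabled(after)


if __name__ == "__main__":
    print(offline_demo())  # ('False', 'true', True)
```

Against a live server, replace fake_send with a closure over https_send that supplies your CA bundle, for example `lambda r: https_send(r, ca_file="/path/to/ca.pem")`; a read-back of anything other than "true" after the PUT means the change did not take effect and the server's response should be inspected before relying on date validation.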

What to do next

Changes to certificate settings occur dynamically. Next, you might create the necessary certificates and associate them with specific devices.