Data objects and properties migrated from Encryption Key Manager

The data objects and properties are also migrated from Encryption Key Manager.

Properties that must be in the Encryption Key Manager configuration file include:
  • Audit.metadata.file.name

    File must exist in the same directory as the configuration file itself and must be read enabled.

  • config.drivetable.file.url

    File must exist in the same directory as the configuration file itself and must be read enabled.

  • config.keystore.file

    File must exist in the same directory as the configuration file itself and must be read and write enabled.

  • config.keystore.password.obfuscated
  • config.keystore.type

    The keystore type must not be PKCS11IMPLKS.

  • TransportListener.ssl.keystore.name

    File must exist in the same directory as the configuration file itself and must be read enabled.

  • TransportListener.ssl.keystore.password.obfuscated
  • TransportListener.ssl.keystore.type

    The keystore type must not be PKCS11IMPLKS.

  • TransportListener.ssl.port

    The value must be a positive integer between 1024 and 65535 and must not be identical to the value for TransportListener.tcp.port.

  • TransportListener.ssl.truststore.type

    The truststore type must not be PKCS11IMPLKS.

  • TransportListener.tcp.port

    The value must be a positive integer between 1024 and 65535 and must not be identical to the value for TransportListener.ssl.port.

Migration includes the following data objects:

Keystores
IBM Security Guardium Key Lifecycle Manager stores all keys and certificates in the database. During migration, the keys and certificates from the two Encryption Key Manager keystores, Config and TransportListener, are copied to the IBM Security Guardium Key Lifecycle Manager database. Keys and certificates are copied from the Config keystore. Certificates are copied from the TransportListener truststore.

A certificate from the TransportListener keystore is set as the TLS certificate for IBM Security Guardium Key Lifecycle Manager. The config.keystore.ssl.certalias property is updated with the alias of this certificate.

Other Encryption Key Manager keystores are not used.

Devices
All the device information is read from the drive table that the config.drivetable.file.url property points to and is entered in an IBM Security Guardium Key Lifecycle Manager database. If the drive has the symalias property defined, the drive type is set to LTO. If the drive has aliases defined, the drive type is set to 3592. Migration sets a type of UNKNOWN for a drive that has none of these properties defined and whose type cannot be determined.

Key groups
The keygroup.xml file that the config.keygroup.xml.file property points to is parsed, and the key group information is stored in an IBM Security Guardium Key Lifecycle Manager database. All the group members and group relationships are also migrated.

If the symmetricKeySet property has a list of aliases or range of aliases, a default key group named DefaultMigrationGroup is created with all the aliases as members of the group. In this case, the symmetricKeySet property is set to DefaultMigrationGroup. If the symmetricKeySet property is already a group alias, the default migration group is not created.

Metadata
All the metadata information that the Audit.metadata.file.name property points to is migrated into an IBM Security Guardium Key Lifecycle Manager database.

The properties that are migrated from the Encryption Key Manager configuration file to the SKLMConfig.properties file might include:
  • Audit.eventQueue.max
  • Audit.handler.file.size
  • Audit.event.outcome
  • Audit.event.types
  • config.keystore.name (set to defaultKeyStore)
  • cert.valiDATE
  • drive.acceptUnknownDrives is migrated to the database as the default entry in the specified device group.
  • fips
  • TransportListener.ssl.ciphersuites
  • TransportListener.ssl.clientauthentication
  • TransportListener.ssl.port
  • TransportListener.ssl.protocols
  • TransportListener.ssl.timeout
  • TransportListener.tcp.port
  • TransportListener.tcp.timeout
  • useSKIDefaultLabels
  • zOSCompatibility

These properties are migrated from the Encryption Key Manager configuration file to the IBM Security Guardium Key Lifecycle Manager database:
  • drive.default.alias1
  • drive.default.alias2
  • symmetricKeySet (set to an already-specified group alias, otherwise set to DefaultMigrationGroup)