Data objects and properties migrated from Encryption Key Manager

The data objects and properties are also migrated from Encryption Key Manager.

- Audit.metadata.file.name
  The file must exist in the same directory as the configuration file itself and must be read enabled.
- config.drivetable.file.url
  The file must exist in the same directory as the configuration file itself and must be read enabled.
- config.keystore.file
  The file must exist in the same directory as the configuration file itself and must be read and write enabled.
- config.keystore.password.obfuscated
- config.keystore.type
  The keystore type must not be PKCS11IMPLKS.
- TransportListener.ssl.keystore.name
  The file must exist in the same directory as the configuration file itself and must be read enabled.
- TransportListener.ssl.keystore.password.obfuscated
- TransportListener.ssl.keystore.type
  The keystore type must not be PKCS11IMPLKS.
- TransportListener.ssl.port
  The value must be a positive integer between 1024 and 65535 and must not be identical to the value of TransportListener.tcp.port.
- TransportListener.ssl.truststore.type
  The truststore type must not be PKCS11IMPLKS.
- TransportListener.tcp.port
  The value must be a positive integer between 1024 and 65535 and must not be identical to the value of TransportListener.ssl.port.
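The constraints listed above, as an added example that is not IBM documentation or product code: a small Python pre-migration check that parses an Encryption Key Manager properties file and reports which documented constraint each value violates (file beside the configuration file with the required access, no PKCS11IMPLKS store types, listener ports in range and distinct). It assumes the configuration is a Java-style key=value properties file and that config.drivetable.file.url may carry a FILE: prefix; file existence and access are supplied as a dict so it runs offline, and the sample configuration, directory and file facts are constructed.

```python
"""Pre-migration checks for an Encryption Key Manager (EKM) properties file.

Added example; not IBM documentation or product code. Assumptions: the EKM
configuration is a Java-style key=value properties file, the value of
config.drivetable.file.url may carry a FILE: prefix, and file existence and
access are supplied as a dict so the check runs offline (a real check would
use os.path.exists() and os.access() on the configuration directory).
"""
import os
import re

FORBIDDEN_STORE_TYPE = "PKCS11IMPLKS"

# Properties naming files that must sit beside the configuration file,
# mapped to the access each file needs ("r" read, "w" write).
FILE_PROPERTIES = {
    "Audit.metadata.file.name": "r",
    "config.drivetable.file.url": "r",
    "config.keystore.file": "rw",
    "TransportListener.ssl.keystore.name": "r",
}
STORE_TYPE_PROPERTIES = (
    "config.keystore.type",
    "TransportListener.ssl.keystore.type",
    "TransportListener.ssl.truststore.type",
)
PORT_PROPERTIES = ("TransportListener.ssl.port", "TransportListener.tcp.port")

_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")  # key=value, key:value or key value


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java properties parser; '#' and '!' start comment lines."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def validate_for_migration(props: dict[str, str], config_dir: str,
                           file_access: dict[str, str]) -> list[str]:
    """Return the documented constraints the configuration violates (empty = passes).

    file_access maps an absolute path to the access it grants ("r", "rw").
    Properties that are not set are not checked; only present values are constrained.
    """
    problems: list[str] = []
    config_dir = os.path.abspath(config_dir)

    for prop, needed in FILE_PROPERTIES.items():
        value = props.get(prop)
        if not value:
            continue
        name = value
        if prop == "config.drivetable.file.url" and name[:5].upper() == "FILE:":
            name = name[5:]  # strip the FILE: scheme (assumption)
        path = os.path.abspath(os.path.join(config_dir, name))
        if os.path.dirname(path) != config_dir:  # must be beside the config file
            problems.append(f"{prop}: {value!r} is not in the configuration directory")
            continue
        granted = file_access.get(path)
        if granted is None:
            problems.append(f"{prop}: {value!r} does not exist")
            continue
        missing = [flag for flag in needed if flag not in granted]
        if missing:
            problems.append(f"{prop}: {value!r} lacks {'/'.join(missing)} access")

    for prop in STORE_TYPE_PROPERTIES:
        if props.get(prop, "").upper() == FORBIDDEN_STORE_TYPE:
            problems.append(f"{prop}: {FORBIDDEN_STORE_TYPE} cannot be migrated")

    ports: dict[str, int] = {}
    for prop in PORT_PROPERTIES:
        value = props.get(prop)
        if value is None:
            continue
        if not value.isdigit() or not 1024 <= int(value) <= 65535:
            problems.append(f"{prop}: {value!r} is not an integer between 1024 and 65535")
        else:
            ports[prop] = int(value)
    if len(ports) == 2 and len(set(ports.values())) == 1:
        problems.append("TransportListener.ssl.port and TransportListener.tcp.port must differ")
    return problems


# Constructed sample: a keystore that is read-only, an SSL keystore of the
# forbidden type, and both listeners on the same port.
SAMPLE_CONFIG = """\
# constructed EKM properties file for this example
Audit.metadata.file.name = metadata.xml
config.drivetable.file.url = FILE:filedrive.table
config.keystore.file = keystore.jceks
config.keystore.type = JCEKS
TransportListener.ssl.keystore.name = keystore.jceks
TransportListener.ssl.keystore.type = PKCS11IMPLKS
TransportListener.ssl.truststore.type = JCEKS
TransportListener.ssl.port = 3801
TransportListener.tcp.port = 3801
"""
SAMPLE_DIR = "/opt/ekm"  # constructed path
SAMPLE_ACCESS = {        # constructed stand-in for the filesystem
    "/opt/ekm/metadata.xml": "r",
    "/opt/ekm/filedrive.table": "r",
    "/opt/ekm/keystore.jceks": "r",
}


def check_sample() -> list[str]:
    """Run the checks against the constructed sample; returns three problems."""
    return validate_for_migration(parse_properties(SAMPLE_CONFIG), SAMPLE_DIR, SAMPLE_ACCESS)
```

Running `check_sample()` on the constructed sample reports the read-only keystore, the PKCS11IMPLKS SSL keystore type and the colliding ports; a configuration that passes returns an empty list. To use it against a real directory, replace the `file_access` dict with a lookup built from `os.path.exists()` and `os.access()`.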
Migration includes the following data objects:

- Keystores
  IBM Security Guardium Key Lifecycle Manager stores all keys and certificates in the database. During migration, the keys and certificates from the two Encryption Key Manager keystores, Config and TransportListener, are all copied to the IBM Security Guardium Key Lifecycle Manager database. Keys and certificates are copied from the Config keystore. The certificates are copied from the TransportListener truststore. A certificate from the TransportListener keystore is set as the TLS certificate for IBM Security Guardium Key Lifecycle Manager. The config.keystore.ssl.certalias property is updated with the alias of this certificate. Other Encryption Key Manager keystores are not used.
- Devices
  All the device information is read from the drive table pointed to by the config.drivetable.file.url property and is entered in an IBM Security Guardium Key Lifecycle Manager database. If the drive has the symalias property defined, the drive type is set to LTO. If the drive has aliases defined, the drive type is set to 3592. Migration sets a type of UNKNOWN for a drive that has none of these properties defined and whose type cannot otherwise be determined.
- Key groups
  The keygroup.xml file pointed to by the config.keygroup.xml.file property is parsed, and the key group information is stored in an IBM Security Guardium Key Lifecycle Manager database. All the group members and group relationships are also migrated. If the symmetricKeySet property has a list of aliases or a range of aliases, a default key group named DefaultMigrationGroup is created with all the aliases as members of the group. In this case, the symmetricKeySet property is set to DefaultMigrationGroup. If the symmetricKeySet property is already a group alias, the default migration group is not created.
- Metadata
  All the metadata information pointed to by the Audit.metadata.file.name property is migrated into an IBM Security Guardium Key Lifecycle Manager database.
The following properties are also migrated:

- Audit.eventQueue.max
- Audit.handler.file.size
- Audit.event.outcome
- Audit.event.types
- config.keystore.name (set to defaultKeyStore)
- cert.valiDATE
- drive.acceptUnknownDrives (migrated to the database as the default entry in the specified device group)
- fips
- TransportListener.ssl.ciphersuites
- TransportListener.ssl.clientauthentication
- TransportListener.ssl.port
- TransportListener.ssl.protocols
- TransportListener.ssl.timeout
- TransportListener.tcp.port
- TransportListener.tcp.timeout
- useSKIDefaultLabels
- zOSCompatibility
- drive.default.alias1
- drive.default.alias2
- symmetricKeySet (set to an already-specified group alias, otherwise set to DefaultMigrationGroup)