IBM Enterprise Key Management Foundation Web usage in IBM Security Guardium Key Lifecycle Manager
IBM Enterprise Key Management Foundation Web (EKMF Web) provides centralized key management for IBM z/OS. You can use EKMF Web to store the master key in Integrated Cryptographic Service Facility (ICSF). This master key protects all the keys and certificates that are stored in the IBM Security Guardium Key Lifecycle Manager database.
You can configure EKMF Web with a new or an existing installation of IBM Security Guardium Key Lifecycle Manager.
- Do not configure IBM Security Guardium Key Lifecycle Manager servers that belong to different deployments with the same EKMF Web server. Such a configuration might cause unrecoverable data loss. Servers that belong to the same replication setup can share an EKMF Web server.
- You can configure multiple EKMF Web hosts to ensure high availability and failover.
- In a multiple EKMF Web setup, you can configure the following types of EKMF Web hosts according to your requirements:
  - EKMF Web Full: handles both master key management and cryptographic operations.
  - EKMF Web Crypto: handles only the cryptographic operations (encryption and decryption).
  You can use this distinction in a replication setup, where only the master server needs access to the key creation operation. The clone servers only serve keys, and hence need access only to the encryption and decryption operations. So, you can configure the master server with an EKMF Web Full host and the clone servers with EKMF Web Crypto hosts.
- If you configured multiple EKMF Web hosts, you can set the preference order in which IBM Security Guardium Key Lifecycle Manager connects to the configured EKMF Web hosts by specifying the hostPreferenceSequence parameter. Setting the host preference order so that the nearest available EKMF Web host is tried first, combined with the required load balancing, can help improve the performance of the master key operations.
- You can configure multiple IBM Security Guardium Key Lifecycle Manager servers with a single EKMF Web host by setting the masterkeyAlias parameter.
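As an added illustration (not code from IBM Security Guardium Key Lifecycle Manager or EKMF Web), the following Python model shows how the host type (Full versus Crypto), the server's replication role, and a hostPreferenceSequence-style order together decide which EKMF Web host serves a given operation, and what happens when the preferred host is unreachable or when a clone server is asked to create a key. The host names, the enums, the functions and the sample topology are assumptions made for this example; the real parameter syntax is not shown here.

```python
"""Illustrative model of how a key server's role, its configured EKMF Web hosts
and a hostPreferenceSequence-style order decide which host serves an operation.
This is an added example, not GKLM or EKMF Web code; the host names, the
HostType/Operation enums and select_host() are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum


class HostType(Enum):
    FULL = "EKMF Web Full"       # master key management and crypto operations
    CRYPTO = "EKMF Web Crypto"   # encryption and decryption only


class Operation(Enum):
    CREATE_KEY = "create_key"    # master key operation: needs a Full host
    ENCRYPT = "encrypt"
    DECRYPT = "decrypt"


# Operations that require master key management on the EKMF Web side.
MASTER_KEY_OPERATIONS = frozenset({Operation.CREATE_KEY})


@dataclass
class EkmfHost:
    name: str
    host_type: HostType
    reachable: bool = True       # simulated availability for the failover case


def host_can_serve(host: EkmfHost, op: Operation) -> bool:
    """A Crypto host serves only encryption/decryption; a Full host serves all."""
    if op in MASTER_KEY_OPERATIONS:
        return host.host_type is HostType.FULL
    return True


def serviceable_operations(hosts: list[EkmfHost]) -> set[Operation]:
    """Operations that at least one configured host is capable of (ignores reachability)."""
    return {op for op in Operation if any(host_can_serve(h, op) for h in hosts)}


def ordered_hosts(hosts: list[EkmfHost], preference: list[str]) -> list[EkmfHost]:
    """Apply the preference sequence: listed hosts first, in order, then the rest
    in configured order. A name that is not a configured host is a config error."""
    by_name = {h.name: h for h in hosts}
    unknown = [n for n in preference if n not in by_name]
    if unknown:
        raise ValueError(f"preference sequence names unconfigured hosts: {unknown}")
    listed = [by_name[n] for n in preference]
    rest = [h for h in hosts if h.name not in preference]
    return listed + rest


def select_host(hosts: list[EkmfHost], preference: list[str], op: Operation) -> str:
    """Return the name of the first reachable host, in preference order, that
    can serve `op`. Raises RuntimeError when no configured host can (fail closed)."""
    for host in ordered_hosts(hosts, preference):
        if host.reachable and host_can_serve(host, op):
            return host.name
    raise RuntimeError(f"no reachable EKMF Web host can serve {op.value}")


# Constructed sample topology for a replication setup (assumed host names).
# Master server: two Full hosts, the "nearer" one listed first.
MASTER_HOSTS = [EkmfHost("ekmf-full-1", HostType.FULL),
                EkmfHost("ekmf-full-2", HostType.FULL)]
MASTER_PREFERENCE = ["ekmf-full-2", "ekmf-full-1"]
# Clone server: Crypto hosts only, because clones never create keys.
CLONE_HOSTS = [EkmfHost("ekmf-crypto-1", HostType.CRYPTO),
               EkmfHost("ekmf-crypto-2", HostType.CRYPTO)]
CLONE_PREFERENCE = ["ekmf-crypto-1"]   # ekmf-crypto-2 is tried only as fallback


def failover_demo() -> str:
    """Master server with its preferred host down: the next host in sequence is used."""
    hosts = [EkmfHost("ekmf-full-1", HostType.FULL),
             EkmfHost("ekmf-full-2", HostType.FULL, reachable=False)]
    return select_host(hosts, MASTER_PREFERENCE, Operation.CREATE_KEY)


if __name__ == "__main__":
    print("master create_key ->", select_host(MASTER_HOSTS, MASTER_PREFERENCE, Operation.CREATE_KEY))
    print("clone decrypt     ->", select_host(CLONE_HOSTS, CLONE_PREFERENCE, Operation.DECRYPT))
    print("failover          ->", failover_demo())
    try:
        select_host(CLONE_HOSTS, CLONE_PREFERENCE, Operation.CREATE_KEY)
    except RuntimeError as err:
        print("clone create_key  ->", err)
```

The design point worth keeping from the model: a clone configured only with Crypto hosts cannot perform master key operations at all, so a key creation request on a clone fails closed instead of silently using a host it should not have, and a preference sequence that names a host that is not configured is rejected at configuration time rather than discovered during a failover.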