Creating a client by using the graphical user interface

Use the Clients page to create a client in the IBM Security Guardium Key Lifecycle Manager server for key management operations. You can create a client, add managed objects to it, and later modify or delete the client from the same page.

About this task

IBM Security Guardium Key Lifecycle Manager supports two methods by which a client can communicate with the IBM Security Guardium Key Lifecycle Manager server for key management:
  • Using KMIP
  • Using IBM Security Guardium Key Lifecycle Manager REST APIs
For information about the KMIP method, see Using KMIP to manage and serve keys, certificates, and other cryptographic objects, and for information about the REST API method, see Using REST APIs to manage and serve keys, certificates, and other cryptographic objects. When you accept a pending certificate, its client is automatically registered and displayed on the Clients page.
When you register a client, you can specify one of the following certificates to be used for communication:
  • An existing client certificate that is not in use by another client.
  • A pending client certificate.
  • A stored client certificate that can be imported.
You can also register the client without associating a certificate. You can later associate it with a certificate by selecting the certificate from the pending certificate list. Click the Pending client registration requests link on the dashboard to select the certificate. If you accept, the certificate is imported into the database and marked as trusted. The certificate can then be used for secure communication between the client and IBM Security Guardium Key Lifecycle Manager. You can also associate a certificate when you modify client information.

You can also specify the users who can perform the key management operations. These users must exist in WebSphere Application Server Liberty with the klmUser role.

Procedure

  1. Log in to the graphical user interface.
  2. Click the Clients menu.
    The Clients page is displayed.
  3. In the Clients tab, click Create.
    The Create Client page is displayed.
  4. Specify the client name.
  5. Select an application usage type from the Client Usage list. The Client Usage list includes the following values.
    | Application usage type | Description |
    |---|---|
    | Oracle | Specifies that this client is used for Oracle TDE configuration. |
    | MongoDB | Specifies that this client is used for MongoDB configuration. |
    | VMware | Specifies that this client is used for VMware configuration. |
    | FileNet | Specifies that this client is used for FileNet configuration. |
    | NetApp | Specifies that this client is used for NetApp configuration. |
    | Db2 | Specifies that this client is used for Db2 configuration. |
    | Generic | Specifies a client that uses the Key Management Interoperability Protocol to interact with IBM Security Guardium Key Lifecycle Manager. |
    Note: The usage type is only an informational label that records the purpose for which the client was created. IBM Security Guardium Key Lifecycle Manager does not verify whether the client is created for the selected usage type.
  6. Click Save.
    The client is created. You can now associate a client certificate, users, and objects with it.
  7. To add a client certificate to the client, click Add.
    The Add Client Certificate dialog is displayed.
  8. Select a client certificate for secure communication with the server and click Save. You can select any of the following options:
    • Associate unused client certificate: Use an existing client certificate from the database, which is not in use by any other client. From the Certificate from keystore list, select the required certificate.
    • Accept pending client certificate: Select a certificate from the list of pending certificates. These certificates are pushed to the server from a client and are yet to be accepted for communication with the server.
      To accept the client communication certificate and mark it as trusted, in the Certificate name box, enter a name for the certificate, and then from the Certificate list, select a certificate.
    • Import client certificate: Import a client certificate to IBM Security Guardium Key Lifecycle Manager. In the Certificate name box, enter a name for the certificate.
      To upload the certificate, select one of the following options:
        • File: Select this option to upload the certificate file. Click Browse to select the certificate file to be imported.
        • Certificate content: Select this option to upload the certificate content. Copy the content of the certificate from Begin Certificate to End Certificate and paste it in the text box that is displayed. Click Save, and then Close.
  9. To add users to the client, click Add.
    The Add Users dialog is displayed.
  10. From the Users list, select the user that you want to add to the client and click Add Users. Repeat this step for other users. After you add all the users, click Save. Click Cancel to close the dialog.
    The added users have the required permissions to manage the cryptographic objects that are associated with the client.
  11. To add objects to the client, click Add.
    The Add Objects dialog is displayed.
  12. To add objects to the client, select the type of object from the Select object type list. Specify the values for the fields.
  13. Click Save and Add more objects to add more objects to the client. Click Save and Exit if you do not want to add more objects. Click Exit to close the dialog.
    The List of available objects table lists all the added objects.
  14. Click Exit to exit the Create Client page.
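
A pre-check for the Certificate content option in step 8, as an added example that is not part of the IBM documentation: it confirms that the text to be pasted holds exactly one complete certificate block and no private key, and returns a SHA-256 fingerprint that can be compared with the one supplied by the client owner before the certificate is marked as trusted. The function names and the sample bytes (constructed filler, not a real certificate) are assumptions, and the check covers only the PEM framing and outer DER length, not the X.509 fields.

```python
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def der_from_pasted_pem(text):
    """Return DER bytes of the single certificate in text, else raise ValueError."""
    if "PRIVATE KEY-----" in text:
        raise ValueError("private key material present; paste the certificate only")
    certs = [body for label, body in PEM_BLOCK.findall(text) if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one certificate block, found {len(certs)}")
    try:
        der = base64.b64decode("".join(certs[0].split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    # A certificate is one DER SEQUENCE; its declared length must match the
    # decoded size, which catches a copy that lost or gained lines.
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("content is not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: low 7 bits = number of length octets
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return der

def sha256_fingerprint(der):
    """Colon-separated uppercase SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(der):
    """Wrap DER bytes in certificate markers with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed sample: a DER SEQUENCE header around filler bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x02\x00" + bytes(range(256)) * 2
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(sha256_fingerprint(der_from_pasted_pem(SAMPLE_PEM)))
```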

What to do next

Add or associate cryptographic objects with the registered client. For more information, see Adding cryptographic objects by using the graphical user interface.