Use the Clients page to create a client in the IBM Security Guardium Key Lifecycle Manager server for key management operations. You can
also use the page to modify and delete the
client, and to add managed objects to it.
About this task
IBM Security Guardium Key Lifecycle Manager supports two methods by which
a client can communicate with the IBM Security Guardium Key Lifecycle Manager
server for key management:
- Using KMIP
- Using IBM Security Guardium Key Lifecycle Manager REST APIs
For information about the KMIP method, see Using KMIP to manage and serve keys, certificates, and other cryptographic objects, and
for information about the REST API method, see Using REST APIs to manage and serve keys, certificates, and other cryptographic objects.
When you accept a pending certificate, its client is automatically registered and displayed on the
Clients page. When you register a client, you can specify one of the following certificates to be
used for communication:
- An existing client certificate that is not in use by another client.
- A pending client certificate.
- A stored client certificate that can be imported.
You can also register the client without associating a certificate. You can later associate it
with a certificate by selecting the certificate from the pending certificate list. Click the
Pending client registration requests link on the dashboard to select the
certificate. If you accept, the certificate is imported into the database and marked as trusted. The
certificate can then be used for secure communication between the client and
IBM Security Guardium Key Lifecycle Manager. You can also associate a certificate when you
modify client information.
You can also specify the users who can perform the key management
operations. These users must exist in WebSphere Application Server Liberty
with the klmUser role.
Procedure
- Log in to the graphical user interface.
- Click the Clients menu.
The Clients page is displayed.
- In the Clients tab, click Create.
The Create Client page is displayed.
- Specify the client name.
- Select an application usage type from the Client Usage list. The
Client Usage list includes the following values.
| Application usage type | Description |
| --- | --- |
| Oracle | Specifies that this client is used for Oracle TDE configuration. |
| MongoDB | Specifies that this client is used for MongoDB configuration. |
| VMware | Specifies that this client is used for VMware configuration. |
| FileNet | Specifies that this client is used for FileNet configuration. |
| NetApp | Specifies that this client is used for NetApp configuration. |
| Db2 | Specifies that this client is used for Db2 configuration. |
| Generic | Specifies a client that uses the Key Management Interoperability Protocol to interact with IBM Security Guardium Key Lifecycle Manager. |
Note: The usage type is only an informational label that records the purpose for which the client was
created. IBM Security Guardium Key Lifecycle Manager does not verify whether the
client is created for the selected usage type.
- Click Save.
The client is created. You can now
associate a client certificate, users, and objects with it.
- To add a client certificate to the client, click Add.
The Add Client Certificate dialog is displayed.
- Select a client certificate for secure communication with the server and click
Save. You can select any of the following options:
| Client certificate | Description |
| --- | --- |
| Associate unused client certificate | Use an existing client certificate from the database, which is not in use by any other client. From the Certificate from keystore list, select the required certificate. |
| Accept pending client certificate | Select a certificate from the list of pending certificates. These certificates are pushed to the server from a client and are yet to be accepted for communication with the server. To accept the client communication certificate and mark it as trusted, in the Certificate name box, enter a name for the certificate, and then from the Certificate list, select a certificate. |
| Import client certificate | Import a client certificate to IBM Security Guardium Key Lifecycle Manager. In the Certificate name box, enter a name for the certificate. To upload the certificate, select one of the following options. File: Select this option to upload the certificate file. Click Browse to select the certificate file to be imported. Certificate content: Select this option to upload the certificate content. Copy the content of the certificate from Begin Certificate to End Certificate and paste it in the text box that is displayed. Click Save, and then Close. |
- To add users to the client, click Add.
The Add Users dialog is displayed.
- From the Users list, select the user that you want to add to the
client and click Add Users. Repeat this step for other users. After you add
all the users, click Save. Click Cancel to close the
dialog.
The added users have the required permissions to manage the cryptographic objects
that are associated with the client.
- To add objects to the client, click Add.
The Add Objects dialog is displayed.
- To add objects to the client, select the type of object from the Select object
type list. Specify the values for the fields.
- Click Save and Add more objects to add more objects to the client.
Click Save and Exit if you do not want to add more objects. Click
Exit to close the dialog.
The List of available objects table lists all the added objects.
- Click Exit to exit the Create Client page.
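
A pre-import check for the Certificate content option in the procedure above, as an added example that is not part of the IBM documentation or product. It confirms that the text to be pasted holds exactly one certificate block and no private key, and returns a SHA-256 fingerprint of the DER bytes to compare with the value reported by the client owner before the certificate is marked as trusted. The function names and sample data are constructed for illustration, and the check inspects only PEM framing and the outer DER tag, not X.509 fields.

```python
import base64
import hashlib
import re

# Any PEM block: captures the label and the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def check_certificate_content(text):
    """Return (clean_pem, sha256_hex) or raise ValueError if unsafe to paste."""
    blocks = PEM_BLOCK.findall(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("private key material present; paste only the certificate")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly 1 CERTIFICATE block, found {len(certs)}")
    try:
        der = base64.b64decode("".join(certs[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    # Re-wrap at 64 columns so stray text around the block is not pasted.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + "\n"
    return pem, hashlib.sha256(der).hexdigest()


def make_sample(label, der):
    """Build a constructed PEM block; the bytes are NOT a real certificate."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed samples: a DER SEQUENCE tag plus filler stands in for real data.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(200))
SAMPLE_CERT = make_sample("CERTIFICATE", SAMPLE_DER)
SAMPLE_KEY = make_sample("PRIVATE KEY", b"\x30" + bytes(40))

if __name__ == "__main__":
    pem, fingerprint = check_certificate_content("Bag Attributes\n" + SAMPLE_CERT)
    print(fingerprint)
```
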
What to do next
Add or associate cryptographic objects with the registered client. For more information,
see Adding cryptographic objects by using the graphical user interface.