Post-upgrade tasks for Encryption Key Manager
After Encryption Key Manager is migrated, you must validate the configuration and protect data.
- Do not run Encryption Key Manager after migration. Encryption Key Manager still retains its ability to serve keys, so leave it stopped and let IBM Security Guardium Key Lifecycle Manager serve them.
- Resolve possible problems with certificates and keys.
Encryption Key Manager does not restrict the device groups to which a certificate and its keys can be associated. Certificates and keys that belong to multiple device types are marked as CONFLICTED after migration to IBM® Security Guardium® Key Lifecycle Manager, Version 4.2. You cannot change their device group to another device group. IBM Security Guardium Key Lifecycle Manager can use a certificate or key that is marked as CONFLICTED for both read and write operations.
Migration might also cause a certificate to appear with an UNKNOWN label in the IBM Security Guardium Key Lifecycle Manager graphical user interface.
  - Unknown certificates can be used as rollover certificates. Once scheduled as a rollover, the unknown certificate is updated to the specific device group of the rollover. A TLS server certificate with an UNKNOWN label is updated to be a TLS certificate.
  - Pending certificates might be listed on the graphical user interface with a device group that has an UNKNOWN status. First, accept the pending certificate, which then has an UNKNOWN status. Next, use the Certificate Update REST Service to update the certificate usage to a specific device group. The update changes the certificate status to a state such as active.
  - After migration completes, one or more devices might be associated with the UNKNOWN device group. You can assign the UNKNOWN devices to a new device group, or allow the group to be determined when the devices make their first key service request.
Use the Certificate List REST Service to find certificates that are marked as CONFLICTED or UNKNOWN. For more information, see Certificate List REST Service.
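The following script is an added example, not code from the product documentation. It shows how a post-migration audit of CONFLICTED and UNKNOWN certificates can be automated: one function retrieves the certificate listing over the REST interface with TLS verification kept on, and a second function filters the listing so the flagged aliases can be reviewed before any Certificate Update REST Service calls are made. The endpoint paths (/SKLM/rest/v1/ckms/login and /SKLM/rest/v1/certificates), the SKLMAuth authorization header, the UserAuthId response field, and the Alias, Usage and State field names are assumptions to be checked against your release's REST reference; the filter therefore scans every string field of a certificate record rather than relying on one field name. The sample certificate list is constructed for the example.

```python
"""
Post-migration check: report certificates that IBM Security Guardium Key
Lifecycle Manager marked CONFLICTED or UNKNOWN after an Encryption Key
Manager migration.

Assumptions (verify against your release's REST reference):
  - login endpoint:  POST https://<host>:<port>/SKLM/rest/v1/ckms/login
  - list endpoint:   GET  https://<host>:<port>/SKLM/rest/v1/certificates
  - the session token is sent as:  Authorization: SKLMAuth userAuthId=<token>
  - the login response carries the token under "UserAuthId"
  - certificate records use keys such as "Alias", "Usage" and "State"
"""
import json
import ssl
import urllib.request
from typing import Dict, List, Tuple

# Labels the page says migration can leave on a certificate or device group.
FLAGGED_LABELS = {"CONFLICTED", "UNKNOWN"}


def flagged_fields(cert: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (field, label) pairs for every string field whose value is
    CONFLICTED or UNKNOWN, case-insensitively. Scanning all fields avoids
    depending on whether the product reports the label under Usage, State
    or another key."""
    hits = []
    for field, value in cert.items():
        if isinstance(value, str) and value.strip().upper() in FLAGGED_LABELS:
            hits.append((field, value.strip().upper()))
    return hits


def find_flagged_certificates(certs: List[Dict[str, object]],
                              alias_key: str = "Alias") -> Dict[str, List[str]]:
    """Group the aliases of flagged certificates by label, in listing order:
    {"CONFLICTED": [...], "UNKNOWN": [...]}."""
    report: Dict[str, List[str]] = {label: [] for label in sorted(FLAGGED_LABELS)}
    for cert in certs:
        alias = str(cert.get(alias_key, "<no alias>"))
        for _field, label in flagged_fields(cert):
            if alias not in report[label]:
                report[label].append(alias)
    return report


def fetch_certificates(base_url: str, userid: str, password: str,
                       cafile: str) -> List[Dict[str, object]]:
    """Log in, call the Certificate List REST Service and return the decoded
    JSON list. TLS verification stays on: `cafile` must contain the CA that
    issued the key server's TLS certificate. Do not disable verification for
    a key server; a spoofed endpoint could harvest the admin credentials."""
    ctx = ssl.create_default_context(cafile=cafile)
    login_req = urllib.request.Request(
        f"{base_url}/SKLM/rest/v1/ckms/login",          # assumed path
        data=json.dumps({"userid": userid, "password": password}).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(login_req, context=ctx) as resp:
        token = json.load(resp)["UserAuthId"]           # assumed field name
    list_req = urllib.request.Request(
        f"{base_url}/SKLM/rest/v1/certificates",         # assumed path
        headers={"Accept": "application/json",
                 "Authorization": f"SKLMAuth userAuthId={token}"},
    )
    with urllib.request.urlopen(list_req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample of a certificate listing as it might look after migration.
SAMPLE_CERTIFICATES = [
    {"Alias": "lto_cert_01", "Usage": "LTO", "State": "active"},
    {"Alias": "shared_cert", "Usage": "CONFLICTED", "State": "active"},
    {"Alias": "ekm_tls", "Usage": "UNKNOWN", "State": "pending"},
    {"Alias": "old_3592", "Usage": "3592", "State": "unknown"},
]

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_certificates(...)
    # to audit a live server.
    for label, aliases in find_flagged_certificates(SAMPLE_CERTIFICATES).items():
        print(f"{label}: {', '.join(aliases) or '(none)'}")
```

Run the audit before touching anything: CONFLICTED entries cannot be reassigned and need no action, while each UNKNOWN entry should be accepted (if pending) and then given a device group through the Certificate Update REST Service, after which a second run should show the list shrinking to the CONFLICTED set only.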
- Verify that the migrated Encryption Key Manager configuration is in the state that you expect before you make any updates or configuration changes to IBM Security Guardium Key Lifecycle Manager.
The Encryption Key Manager configuration keystore becomes the IBM Security Guardium Key Lifecycle Manager keystore after migration is complete. You cannot migrate the Encryption Key Manager server data a second time to the same IBM Security Guardium Key Lifecycle Manager server.
What to do next
From the Welcome page, configure the drive types, keys, and certificates that your organization requires, or get started with using the product. See Administering.