Pre-upgrade tasks for Encryption Key Manager

Complete the required tasks before you upgrade Encryption Key Manager (source) to IBM® Security Guardium® Key Lifecycle Manager V4.2 (target).

For Encryption Key Manager on an IBM i or z series system

  1. On the IBM i or z series system, ensure that the keys are in a JCEKS keystore. If they are not, move them to a JCEKS keystore.
  2. Move the JCEKS keystore and Encryption Key Manager properties file from the IBM i or z series system to the host system on which you plan to install IBM Security Guardium Key Lifecycle Manager, V4.2.
  3. Edit the Encryption Key Manager configuration file so that each file path parameter uses an absolute path instead of a relative path.

For Encryption Key Manager on any other host system

  1. Back up the data of the source Encryption Key Manager server. Migrated data includes the following files:
    • A configuration properties file
    • Keys and certificates that are referenced by the configuration properties file
    • Drive tables
    • An optional metadata file pointed at by the configuration properties file
    • An optional key groups file
  2. Copy the Encryption Key Manager configuration file and all other related files to the host system on which you plan to install IBM Security Guardium Key Lifecycle Manager V4.2 so that these files and the target Guardium Key Lifecycle Manager server are on the same host system.

    After migration, Guardium Key Lifecycle Manager server uses the keystore, TCP port, and TLS port that Encryption Key Manager server previously used.

  3. Edit the Encryption Key Manager configuration file so that each file path parameter uses an absolute path instead of a relative path.
    Sample configuration parameters to be updated:
    • config.keystore.file

      Absolute path of the keystore. For example, C:/EKM21/test.keys.jceks.

    • TransportListener.ssl.keystore.name

      TLS keystore name of Encryption Key Manager. For example, C:/EKM21/test.keys.ssl.

  4. If Encryption Key Manager was configured to work with LTO tape drives, specify an absolute path for the config.keygroup.xml.file property in the Encryption Key Manager properties file. This update ensures migration of key groups.

    If the config.keygroup.xml.file property does not exist in the properties file, add it to the file.

  5. Stop the Encryption Key Manager process.

    On the Encryption Key Manager server, complete these steps:

    1. Start an administrative session:
      java com.ibm.keymanager.KMSAdminCmd KeyManagerConfig.properties -i
    2. Authenticate to the Encryption Key Manager server by using the login command:
      login -ekmuser EKMAdmin -password password
    3. Stop the server:
      stopekm
    4. Exit the session.
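
A pre-migration check for steps 3 and 4 above, added here as an example and not part of the IBM documentation or product: it reads the properties file and reports path parameters that are still relative, plus a missing config.keygroup.xml.file when LTO drives are in use. The function names, the `lto` flag and the sample input are hypothetical, and the parser assumes plain key=value lines whose values are plain paths like the page's examples.

```python
import ntpath
import posixpath

# Path-valued properties named on this page; a real file may hold others.
PATH_KEYS = ("config.keystore.file",
             "TransportListener.ssl.keystore.name",
             "config.keygroup.xml.file")

# Constructed sample input, not a real Encryption Key Manager file.
SAMPLE = """\
# comment line
config.keystore.file = C:/EKM21/test.keys.jceks
TransportListener.ssl.keystore.name = test.keys.ssl
"""


def parse_properties(text):
    """Parse simple key=value lines; skip blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def is_absolute(path):
    """True for a POSIX absolute path or a Windows drive-rooted path."""
    drive, rest = ntpath.splitdrive(path)
    if drive:
        return rest.startswith(("/", "\\"))
    return posixpath.isabs(path)


def check_ekm_paths(text, lto=False):
    """Return (key, problem) findings for steps 3 and 4 of the procedure."""
    props = parse_properties(text)
    findings = []
    for key in PATH_KEYS:
        value = props.get(key)
        if value is None:
            # Step 4: the key groups property must exist for LTO setups.
            if lto and key == "config.keygroup.xml.file":
                findings.append((key, "missing"))
        elif not is_absolute(value):
            findings.append((key, "relative path: " + value))
    return findings
```

Pass the contents of the copied properties file to `check_ekm_paths` before you start the installation; an empty list means the three parameters are ready for migration.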

What to do next

Depending on the mode that you want to use for installing the target version of IBM Security Guardium Key Lifecycle Manager, see the topic: