Configuring compliance for Suite B in IBM Security Guardium Key Lifecycle Manager

You can configure IBM® Security Guardium® Key Lifecycle Manager to comply with standards that are specified by the US National Security Agency (NSA) to define security requirements for encryption.

About this task

In IBM Security Guardium Key Lifecycle Manager, you can enable and disable Suite B compliance by using the Update Security Configurations REST Service.

Procedure

  • Enable Suite B compliance
    1. Open a REST client.
    2. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Run the Update Security Configurations REST Service to set the Suite_B property to on in the SKLMConfig.properties configuration file. Pass the user authentication identifier that you obtained in Step 2 along with the request message, as shown in the following example:
      POST https://localhost:port/SKLM/rest/v1/ckms/securityConfigurations/update
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m
      Accept-Language: en
      { "Suite_B": "128"}
      You can also set the value of Suite_B to 192.
    4. Restart the IBM Security Guardium Key Lifecycle Manager server. For more information, see Restarting the Guardium Key Lifecycle Manager server.
  • Disable Suite B compliance
    1. Open a REST client.
    2. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Run the Update Security Configurations REST Service to set the Suite_B property to off in the SKLMConfig.properties configuration file. Pass the user authentication identifier that you obtained in Step 2 along with the request message, as shown in the following example:
      POST https://localhost:port/SKLM/rest/v1/ckms/securityConfigurations/update
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m
      Accept-Language: en
      { "Suite_B": "off"}
    4. Restart the IBM Security Guardium Key Lifecycle Manager server. For more information, see Restarting the Guardium Key Lifecycle Manager server.
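
The request from step 3 of both procedures can also be scripted. The following Python sketch is an added example, not IBM code: it builds the same POST request, rejects any Suite_B value other than the three shown above, and sends it with TLS certificate verification enabled. The function names, the ca_file parameter, and port 9443 are assumptions made for illustration.

```python
import json
import ssl
import urllib.request

# Values this page shows for Suite_B: "128" or "192" to enable, "off" to disable.
ALLOWED_SUITE_B = {"128", "192", "off"}
UPDATE_PATH = "/SKLM/rest/v1/ckms/securityConfigurations/update"


def build_suite_b_request(host, port, user_auth_id, suite_b):
    """Build (but do not send) the Update Security Configurations request."""
    value = str(suite_b)
    if value not in ALLOWED_SUITE_B:
        raise ValueError(f"Suite_B must be one of {sorted(ALLOWED_SUITE_B)}, got {value!r}")
    if not user_auth_id or any(c.isspace() for c in user_auth_id):
        # Reject empty or whitespace-bearing identifiers so nothing extra
        # can end up in the Authorization header.
        raise ValueError("user_auth_id must be a non-empty token without whitespace")
    body = json.dumps({"Suite_B": value}).encode("utf-8")
    return urllib.request.Request(
        url=f"https://{host}:{int(port)}{UPDATE_PATH}",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"SKLMAuth userAuthId={user_auth_id}",
            "Accept-Language": "en",
        },
    )


def send(request, ca_file=None, timeout=30):
    """Send the request with certificate and hostname verification enabled."""
    # ca_file (hypothetical parameter): PEM bundle that trusts the server certificate.
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed sample values: port 9443 is a placeholder; the identifier
    # is the example value from this page, not a real credential.
    req = build_suite_b_request("localhost", 9443, "139aeh34567m", "128")
    print(req.get_method(), req.full_url)
    for name, val in req.header_items():
        print(f"{name}: {val}")
    print(req.data.decode("utf-8"))
```

The server restart in step 4 is still required after the request succeeds.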

What to do next

Suite B compliance requires an ECDSA certificate for TLS communication. Ensure that you select a server certificate that uses the ECDSA algorithm for TLS communication. Also, select the same certificate for UI access.

If a certificate with the ECDSA algorithm is not available, create a new certificate. For more information, see Creating a server certificate.