You can add more wrapping keys for use with IBM® Security Guardium® Key Lifecycle Manager. If you are creating certificates, determine
your site policy on the use of self-signed and CA certificates.
About this task
You can use the Create Wrapping Key dialog to create wrapping keys.
Alternatively, you can use the following REST services:
- Create Certificate REST Service
- Certificate Generate Request REST Service
- Secret Key Create REST Service
Your role must have the permissions to the
create action and to the appropriate device group. To make this certificate the default, your role
must have permission to the modify action.
Before you begin, determine your site policy on the use of self-signed and
CA certificates. You might need to create self-signed certificates
for the test phase of your project. In advance, you might also request
certificates from a certificate authority for the production phase.
Procedure
- Using graphical user interface
- Log in to the graphical user interface.
- In the Key and Device Management section on the
Welcome page, select 3592.
- Click . Alternatively, right-click 3592 and select
Manage keys and devices.
- On the management page for 3592, click Add.
- Select Wrapping Key.
- On the Create Wrapping Key dialog, select the wrapping key type,
Certificate or AES Key.
- Click Create.
- Create a wrapping key.
- Certificate
- On the Create Certificate dialog, select either a self-signed certificate,
or a certificate request for a third-party provider.
- Specify values for the required and optional parameters. For example, you might optionally
specify that this certificate is the default or the partner certificate. Then, click
Create Certificate.
- AES Key
- On the Create AES Key dialog, specify values for the required and optional
parameters. For example, you might optionally specify that this AES key is the default or the
partner AES key. Then, click Create.
- Using REST interface
- Open the Swagger UI. For more information, see Using Swagger UI.
- Authenticate and authorize to access the REST APIs. For more information, see Authentication process for REST services.
- Go to the Certificate management section.
- Depending on the type of wrapping key you want to create, use the applicable REST
API.
- Certificate
- Use the Create Certificate REST Service to create a certificate and a public
and private key pair, and store the certificate in an existing keystore.
- For example, you can send the following HTTP request:
POST https://localhost:port/SKLM/rest/v1/certificates
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth authId=139aeh34567m
Accept-Language: en
{"type":"selfsigned","alias":"sklmCertificate1","cn":"sklm","ou":
"sales","o":"myCompanyName","usage":"3592","country":"US","validity":
"999","algorithm":"RSA"}
- Certificate request
- Use the Certificate Generate Request REST Service to create a PKCS #10
certificate request file. For example, you can send the following HTTP request:
POST https://localhost:port/SKLM/rest/v1/certificates
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth authId=139aeh34567m
{"type":"certreq","alias":"sklmCertificate1","cn":"sklm","ou":
"sales","o":"myCompanyName","usage":"3592","country":"US","validity":
"999","fileName":"myCertRequest1.crt","algorithm":"ECDSA"}
- AES key
- Use the Create Key REST Service to create one or more symmetric keys to
encrypt and decrypt data. For example, you can send the following HTTP request:
POST https://localhost:port/SKLM/rest/v1/keys
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"alias":"abc","numOfKeys":"1","usage":"3592"}
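The following Python sketch is an added example, not part of the IBM documentation: it checks a request body before a wrapping key request is sent and then builds, without sending, the POST request shown above. The `phase` argument, the rule that self-signed certificates are refused for production, and the function names are assumptions made for illustration; endpoints and field names are taken from the requests on this page.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request

# Endpoints as shown in the example requests on this page.
ENDPOINTS = {"certificate": "/SKLM/rest/v1/certificates", "key": "/SKLM/rest/v1/keys"}
# The two certificate types that appear on this page.
CERT_TYPES = {"selfsigned", "certreq"}


def check_payload(kind, payload, phase):
    """Return a list of problems; an empty list means the body may be sent."""
    problems = []
    for name, value in payload.items():
        # A padded name such as "algorithm " is a different JSON key from "algorithm".
        if name != name.strip() or str(value) != str(value).strip():
            problems.append(f"stray whitespace in {name!r}: {value!r}")
    if kind == "certificate":
        cert_type = payload.get("type")
        if cert_type not in CERT_TYPES:
            problems.append(f"unexpected certificate type {cert_type!r}")
        # Assumed site policy: self-signed certificates are for the test phase only.
        if cert_type == "selfsigned" and phase == "production":
            problems.append("self-signed certificate requested for production")
    return problems


def build_request(base_url, auth_id, kind, payload, phase="test"):
    """Build, but do not send, the POST request for a new wrapping key."""
    # The Authorization value is a session credential, so refuse plain http.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("base URL must use https")
    problems = check_payload(kind, payload, phase)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        # Header form copied from the AES key request on this page.
        "Authorization": f"SKLMAuth userAuthId={auth_id}",
    }
    body = json.dumps(payload).encode("utf-8")
    url = base_url.rstrip("/") + ENDPOINTS[kind]
    return Request(url, data=body, headers=headers, method="POST")
```

Pass the returned object to `urllib.request.urlopen` with certificate verification left enabled, and read the authorization value from a protected source rather than hard-coding it.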
What to do next
Back up the new certificates or AES keys before they are served to devices. You can associate a
wrapping key with a specific device.
If you selected certificate request, manually send the certificate request to a certificate
authority. When the signed certificate returns, import the certificate by using a pending action
item on the Welcome page, or by using the Certificate Import REST Service. When the import completes, back up
the certificate to enable serving the certificate to a device.