Adding a wrapping key

You can add more wrapping keys for use with IBM® Security Guardium® Key Lifecycle Manager. If you are creating certificates, determine your site policy on the use of self-signed and CA certificates.

About this task

You can use the Create Wrapping Key dialog to create wrapping keys. Alternatively, you can use the following REST services:
  • Create Certificate REST Service
  • Certificate Generate Request REST Service
  • Secret Key Create REST Service
Your role must have permission for the create action and for the appropriate device group. To make this certificate the default, your role must also have permission for the modify action.

Before you begin, determine your site policy on the use of self-signed and CA certificates. You might need to create self-signed certificates for the test phase of your project. In advance, you might also request certificates from a certificate authority for the production phase.

Procedure

  • Using graphical user interface
    1. Log in to the graphical user interface.
    2. In the Key and Device Management section on the Welcome page, select 3592.
    3. Click Go to > Manage keys and devices. Alternatively, right-click 3592 and select Manage keys and devices.
    4. On the management page for 3592, click Add.
    5. Select Wrapping Key.
    6. On the Create Wrapping Key dialog, select the wrapping key type, Certificate or AES Key.
    7. Click Create.
    8. Create a wrapping key.
      Certificate
      1. On the Create Certificate dialog, select either a self-signed certificate, or a certificate request for a third-party provider.
      2. Specify values for the required and optional parameters. For example, you might optionally specify that this certificate is the default or the partner certificate. Then, click Create Certificate.
      AES Key
      On the Create AES Key dialog, specify values for the required and optional parameters. For example, you might optionally specify that this AES key is the default or the partner AES key. Then, click Create.
  • Using REST interface
    1. Open the Swagger UI. For more information, see Using Swagger UI.
    2. Authenticate and authorize to access the REST APIs. For more information, see Authentication process for REST services.
    3. Go to the Certificate management section.
    4. Depending on the type of wrapping key you want to create, use the applicable REST API.
      Certificate
      Use the Create Certificate REST Service to create a certificate and a public and private key pair, and store the certificate in an existing keystore.
      For example, you can send the following HTTP request:
      POST https://localhost:port/SKLM/rest/v1/certificates
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth authId=139aeh34567m
      Accept-Language: en
      {"type":"selfsigned","alias":"sklmCertificate1","cn":"sklm","ou":"sales","o":"myCompanyName","usage":"3592","country":"US","validity":"999","algorithm":"RSA"}
      Certificate request
      Use the Certificate Generate Request REST Service to create a PKCS #10 certificate request file. For example, you can send the following HTTP request:
      POST https://localhost:port/SKLM/rest/v1/certificates
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth authId=139aeh34567m
      {"type":"certreq","alias":"sklmCertificate1","cn":"sklm","ou":"sales","o":"myCompanyName","usage":"3592","country":"US","validity":"999","fileName":"myCertRequest1.crt","algorithm":"ECDSA"}
      AES key
      Use the Create Key REST Service to create one or more symmetric keys to encrypt and decrypt data. For example, you can send the following HTTP request:
      POST https://localhost:port/SKLM/rest/v1/keys
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m
      {"alias":"abc","numOfKeys":"1","usage":"3592"}
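The three REST calls above, as an added example that is not part of the IBM documentation: a small Python helper that validates the fields for each wrapping key type, builds the POST (URL, headers, JSON body) and can send it over TLS with certificate verification left on. The base URL, the port and the authId value are constructed placeholders, and the field checks reflect only what the examples on this page show.

```python
import json
import ssl
import urllib.request
from typing import Any, Dict

# Hypothetical deployment values, constructed for this example: the port and
# the authId are placeholders, not real credentials.
BASE_URL = "https://localhost:9443/SKLM/rest/v1"
AUTH_ID = "139aeh34567m"

ALLOWED_ALGORITHMS = {"RSA", "ECDSA"}  # the two algorithms shown on the page
REQUIRED_CERT_FIELDS = ("alias", "cn", "ou", "o", "usage", "country", "validity")


def _clean(fields: Dict[str, str]) -> Dict[str, str]:
    # The page's RSA example carries stray spaces ("algorithm ", " RSA ");
    # a server would reject or misread those, so strip both keys and values.
    return {k.strip(): v.strip() for k, v in fields.items()}


def build_request(kind: str, fields: Dict[str, str]) -> Dict[str, Any]:
    """Validate the fields for one wrapping-key type and return the URL,
    headers and JSON body of the POST, without sending it.

    kind: "selfsigned" or "certreq" (POST .../certificates) or "aes"
    (POST .../keys), matching the three requests shown on the page.
    """
    cleaned = _clean(fields)
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        # The page shows both "authId" and "userAuthId"; use the form that the
        # login REST service of your release returned.
        "Authorization": f"SKLMAuth userAuthId={AUTH_ID}",
    }
    if kind in ("selfsigned", "certreq"):
        missing = [f for f in REQUIRED_CERT_FIELDS if f not in cleaned]
        if missing:
            raise ValueError(f"certificate request is missing {missing}")
        algorithm = cleaned.get("algorithm", "RSA")
        if algorithm not in ALLOWED_ALGORITHMS:
            raise ValueError(f"unsupported algorithm {algorithm!r}")
        if kind == "certreq" and "fileName" not in cleaned:
            raise ValueError("certreq needs fileName for the PKCS #10 output")
        body = {"type": kind, **cleaned, "algorithm": algorithm}
        url = f"{BASE_URL}/certificates"
    elif kind == "aes":
        missing = [f for f in ("alias", "usage") if f not in cleaned]
        if missing:
            raise ValueError(f"AES key request is missing {missing}")
        body = {"numOfKeys": "1", **cleaned}  # one key unless the caller says otherwise
        url = f"{BASE_URL}/keys"
    else:
        raise ValueError(f"unknown wrapping key kind {kind!r}")
    return {"url": url, "headers": headers, "body": body}


def send(request: Dict[str, Any], timeout: float = 30.0) -> Dict[str, Any]:
    """POST a prepared request over TLS and return the parsed JSON reply.

    Certificate verification stays enabled: the Authorization header carries a
    session token, and a spoofed endpoint would capture it. If the server uses
    a self-signed certificate, trust that specific certificate with
    ctx.load_verify_locations(cafile=...) instead of disabling verification.
    """
    ctx = ssl.create_default_context()
    req = urllib.request.Request(
        request["url"],
        data=json.dumps(request["body"]).encode("utf-8"),
        headers=request["headers"],
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Build the three requests from the page and print them; sending needs a
    # reachable server, so that step is left to the caller: send(build_request(...)).
    common = {"alias": "sklmCertificate1", "cn": "sklm", "ou": "sales",
              "o": "myCompanyName", "usage": "3592", "country": "US", "validity": "999"}
    for kind, fields in (
        ("selfsigned", {**common, "algorithm ": " RSA "}),  # the page's spacing, cleaned here
        ("certreq", {**common, "fileName": "myCertRequest1.crt", "algorithm": "ECDSA"}),
        ("aes", {"alias": "abc", "numOfKeys": "1", "usage": "3592"}),
    ):
        print(json.dumps(build_request(kind, fields), indent=2))
```

Validation happens before anything leaves the host, so a malformed body (a missing fileName on a certificate request, an algorithm the page does not list) fails locally rather than as an opaque HTTP error, and the token is only ever sent to a server whose certificate chain verified.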

What to do next

Back up the new certificates or AES keys before they are served to devices. You can associate a wrapping key with a specific device.

If you selected certificate request, manually send the certificate request to a certificate authority. When the signed certificate returns, import the certificate by using a pending action item on the Welcome page, or by using the Certificate Import REST Service. When the import completes, back up the certificate to enable serving the certificate to a device.