Creating a wrapping key

As a first activity, create a wrapping key for a 3592 tape drive.

Before you begin

Before you begin, determine your site policy for the use of self-signed certificates and certificates that are issued by a certificate authority (CA). You can create self-signed certificates for the test phase of your project. In advance, you can also request certificates from a certificate authority for the production phase.

About this task

You can use the Create Certificate dialog or the following REST services to create certificates or certificate requests:
  • Create Certificate REST Service
  • Certificate Generate Request REST Service
Your role must have the permissions to the create action and to the appropriate device group. To make this certificate the default, your role must have permission to the modify action.

Procedure

  • Using the graphical user interface
    1. Log in to the graphical user interface.
    2. In the Key and Device Management section on the Welcome page, select 3592.
    3. Click Go to > Guided key and device creation. Alternatively, right-click 3592 and select Guided key and device creation.
    4. On the Step 1: Create Wrapping Key page, click Create.
    5. On the Create Wrapping Key dialog, select the wrapping key type, Certificate or AES Key.
    6. Click Create.
    7. Create a wrapping key.
      Certificate
      1. On the Create Certificate dialog, select either a self-signed certificate, or a certificate signing request for a third-party provider.
      2. Specify values for the required and optional parameters. For example, you might optionally specify that this certificate is the default or the partner certificate. Then, click Create Certificate.
      AES Key
      On the Create AES Key dialog, specify values for the required and optional parameters. For example, you might optionally specify that this AES key is the default or the partner AES key. Then, click Create.
    8. Click Close.
  • Using the REST interface
    1. Open the Swagger UI. For more information, see Using Swagger UI.
    2. Authenticate and authorize to access the REST APIs. For more information, see Authentication process for REST services.
    3. Create a wrapping key.
      Certificate

      Use the Create Certificate REST Service to create a certificate. For example, you can send the following HTTP request:

      POST https://localhost:port/SKLM/rest/v1/certificates
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth authId=139aeh34567m
      Accept-Language: en

      {"type":"selfsigned","alias":"sklmCertificate1","cn":"sklm","ou":"sales",
      "o":"myCompanyName","usage":"3592","country":"US","validity":"999",
      "algorithm":"RSA"}
      Certificate signing request

      Use the Certificate Generate Request REST Service to create a PKCS #10 certificate request file. For example, you can send the following HTTP request:

      POST https://localhost:port/SKLM/rest/v1/certificates
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth authId=139aeh34567m

      {"type":"certreq","alias":"sklmCertificate1","cn":"sklm","ou":"sales","o":
      "myCompanyName","usage":"3592","country":"US","validity":"999","fileName":
      "myCertRequest1.crt","algorithm":"ECDSA"}
      AES Key

      Use the Secret Key Create REST Service to create symmetric keys. For example, you can send the following HTTP request:

      POST https://localhost:port/SKLM/rest/v1/keys
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m

      {"alias":"abc","numOfKeys":"1","usage":"3592"}
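
The three REST requests above, built by a script so that the JSON body is serialized rather than typed by hand and the server certificate is verified when the request is sent. This is an added example, not IBM's code: `base_url`, `authorization` (the full header value obtained in step 2) and `ca_file` are supplied by the caller, and the string-only and whitespace checks are this example's own assumption.

```python
import json
import ssl
import urllib.request

# Paths and body fields are the ones in the sample requests on this page.
PATHS = {
    "selfsigned": "/SKLM/rest/v1/certificates",
    "certreq": "/SKLM/rest/v1/certificates",
    "aes": "/SKLM/rest/v1/keys",
}


def build_request(base_url, authorization, kind, alias, usage="3592", **fields):
    """Return an unsent POST request for one wrapping-key type."""
    if kind not in PATHS:
        raise ValueError(f"unknown wrapping key type: {kind!r}")
    body = {"alias": alias, "usage": usage}
    body.update({"numOfKeys": "1"} if kind == "aes" else {"type": kind})
    body.update(fields)
    # Assumption of this example: like the samples, every value is a string,
    # and no key or value carries stray whitespace from copy and paste.
    bad = [k for k, v in body.items()
           if not isinstance(v, str) or k != k.strip() or v != v.strip()]
    if bad:
        raise ValueError(f"malformed fields: {bad}")
    return urllib.request.Request(
        base_url.rstrip("/") + PATHS[kind],
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": authorization,
        },
    )


def send(request, ca_file):
    """Send the request, verifying the server certificate against ca_file."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context) as response:
        return response.status, response.read().decode("utf-8")
```

Read the `authorization` value from the environment or a secrets store at run time so that the session identifier does not end up in scripts or shell history.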

What to do next

Back up the new wrapping keys before they are served to devices. For a certificate signing request, the next step might be to import the signed certificate. You can go to the next step to define specific devices, and associate wrapping keys with the devices. Select Step 2: Identify Drives or click Go to Next Step.

For a 3592 device group, also specify values for the system default and partner certificates in the IBM Security Guardium Key Lifecycle Manager database. Use the Device Group Attribute Update REST Service to set these values.