Parameters to install the IBM Security Guardium Key Lifecycle Manager container

Use this topic to understand the parameters that are used to install an IBM Security Guardium Key Lifecycle Manager container.

Depending on the platform on which you are installing IBM Security Guardium Key Lifecycle Manager, refer to one of the two Parameter columns in Table 1:
  • The Parameter (for zCX) column lists the parameters that are used for installation in the zCX environment.
  • The Parameter (for Helm Charts) column lists the parameters that are used for installation on a Red Hat® OpenShift® Container Platform cluster or a Kubernetes cluster. These parameters are defined in the values.yaml file.
An asterisk (*) indicates that the parameter is mandatory.
Table 1. Parameters and their descriptions

Each row gives the zCX parameter, then the Helm Charts parameter, separated by a vertical bar, followed by the description. A row that shows (none) in the Helm Charts position has no corresponding values.yaml parameter.

Container name

name* | (none)
    Name for the container.

Environment variables

DB_PASSWORD* | sklmdb_password*
    Password to connect to the database instance where the IBM Security Guardium Key Lifecycle Manager database is running.

DB_TYPE | sklmdb_type*
    Type of the database. Depending on the database that you use, specify one of the following values:
      • db2 (default value): Db2® database
      • postgres: PostgreSQL database
      • zos_db2: native (non-container) Db2 for z/OS®
    Note: This parameter is ignored in subsequent run commands when the same value of the gklmAppVolume parameter is used.

DB_USER | sklmdb_username*
    User name of the database. For example, klmdb42

DB_NAME | sklmdb_name*
    Name of the database. For example, KLMDB42

ZOS_DB_NAMES | (none)
    If the value of DB_TYPE is zos_db2, specify the location name of the database. If there are multiple database names, specify them as comma-separated values.
    Note: This parameter is mandatory if the value of the DB_TYPE parameter is zos_db2.

ZOS_DB_LOCATION* | (none)
    Location of the database.
    Note: This parameter is mandatory if the value of the DB_TYPE parameter is zos_db2.

DB_PORT* | sklmdb_port*
    Port number of the database instance where the IBM Security Guardium Key Lifecycle Manager database is running.

DB_HOST* | sklmdb_host*
    IP address or fully qualified host name of the system that hosts the database instance where the IBM Security Guardium Key Lifecycle Manager database is running. You can use the same system to host the database instance and the application container, or a different system for each of them.

LICENSE* | sklmapp_license
    Variable to accept the license terms. Specify the value as accept.

SKLM_SEED* | sklmapp_seed*
    A secret passcode that is unique to a deployment and must be stored securely. The value is a random string of 32 or 64 characters that you can generate by using an external utility.
    Note: Make sure that the value of this parameter in subsequent run commands is the same as the value used in the first run command, when the same value of the gklmAppVolume parameter is used.

SKLMADMIN_USERNAME | sklmadmin_username
    User name of the IBM Security Guardium Key Lifecycle Manager administrator. You can specify only alphanumeric characters.
    Default value: sklmadmin
    Important: Do not change the default value of this parameter.

SKLMADMIN_PASSWORD* | sklmadmin_password*
    Password for the IBM Security Guardium Key Lifecycle Manager administrator user.

LIBERTY_KEYSTORE_PASSWORD | liberty_keystore_password
    Password for the IBM Security Guardium Key Lifecycle Manager keystore.
    Default value: Ch@ngemypa55word
    Note: Make sure that the value of this parameter in subsequent run commands is the same as the value used in the first run command, when the same value of the gklmAppVolume parameter is used.

LIBERTY_KEYSTORE_PASSWORD_OLD | liberty_keystore_password_old
    Old password for the IBM Security Guardium Key Lifecycle Manager keystore. To change the keystore password, specify the current password as the value of this parameter and the new password in the LIBERTY_KEYSTORE_PASSWORD parameter.
    Default value: Ch@ngemypa55word
    Note: Make sure that the value of this parameter in subsequent run commands is the same as the value used in the first run command, when the same value of the gklmAppVolume parameter is used.

LIBERTY_AES_ENCRYPTION_KEY | (none)
    Key for encrypting the password of the IBM Security Guardium Key Lifecycle Manager administrator user with the AES algorithm. If you do not provide a value for this parameter, IBM Security Guardium Key Lifecycle Manager uses the value of the SKLM_SEED parameter for encryption.

HEALTH_AUTHORIZATION_TOKEN | sklm_health_token
    Health token for your Kubernetes, OCP, or zCX environment. The Kubernetes, OCP, or zCX platform presents this token when it makes secure health check calls to the container.

Port numbers

9443* | 30443*
    Port number for the graphical user interface.

5696* | 32696*
    KMIP TLS port.

1441* | 31441*
    IPP TLS port.

3801* | 31801*
    IPP TCP port.

1111 | 31111
    Port number for the master server in a replication setup.
    Note: Specify this parameter when you are deploying the container in a replication setup.

2222 | 32222
    Port number for the clone server in a replication setup.
    Note: Specify this parameter when you are deploying the container in a replication setup.

Persistent storage

gklmAppVolume* | (none)
    Persistent storage for the application server configuration and metadata.
    Sample value: /opt/ibm/wlp/products

Sample environment variables file contents

Installing IBM Security Guardium Key Lifecycle Manager in an IBM zCX environment with Db2 for z/OS

    DB_TYPE=zos_db2
    DB_NAME=KLMDB42
    DB_USER=klmdb42
    DB_PASSWORD=xxxxx
    DB_HOST=9.x.x.x
    DB_PORT=446
    ZOS_DB_NAMES=KLMSMM,KLMLGG,KLM32KLH
    ZOS_DB_LOCATION=db_location
    LICENSE=accept
    SKLM_SEED=68d95f0081f1dbfc0b06de9b0916df1c
    SKLMADMIN_USERNAME=sklmadmin
    SKLMADMIN_PASSWORD=Ch@ngeMe

Installing IBM Security Guardium Key Lifecycle Manager in an IBM zCX environment with PostgreSQL

    DB_TYPE=postgres
    DB_NAME=KLMDB42
    DB_USER=klmdb42
    DB_PASSWORD=xxxxx
    DB_HOST=9.x.x.x
    DB_PORT=5432
    LICENSE=accept
    SKLM_SEED=68d95f0081f1dbfc0b06de9b0916df1c
    SKLMADMIN_USERNAME=sklmadmin
    SKLMADMIN_PASSWORD=Ch@ngeMe
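As an added example that is not part of the IBM documentation, the following shell script checks a zCX environment variables file against the rules in Table 1 before the container is run: the parameters marked mandatory, the accepted DB_TYPE values, the two ZOS_ parameters that zos_db2 makes mandatory, the 32- or 64-character SKLM_SEED, the alphanumeric administrator name that must stay at its default, and LICENSE=accept. The two sample files it writes are constructed placeholders (the host name db.example.internal is not a real system), and the function names get_var and check_gklm_env are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: pre-flight check of a zCX
# environment variables file against the rules in Table 1. Covers the zCX
# parameter names only; the Helm Charts names live in values.yaml.

# get_var FILE NAME: print the value of the first NAME=value line in FILE
get_var() {
    grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# check_gklm_env FILE: print every rule violation; return 0 only if none
check_gklm_env() {
    file="$1"
    errors=0
    fail() { echo "FAIL ($file): $1"; errors=$((errors + 1)); }

    # Parameters marked * in Table 1 for every zCX deployment
    for v in DB_PASSWORD DB_PORT DB_HOST LICENSE SKLM_SEED SKLMADMIN_PASSWORD; do
        [ -n "$(get_var "$file" "$v")" ] || fail "$v is mandatory but missing or empty"
    done

    # DB_TYPE: db2 is the default when the variable is absent
    db_type="$(get_var "$file" DB_TYPE)"
    [ -n "$db_type" ] || db_type=db2
    case "$db_type" in
        db2|postgres) ;;
        zos_db2)
            # Native Db2 for z/OS makes both ZOS_ parameters mandatory
            for v in ZOS_DB_NAMES ZOS_DB_LOCATION; do
                [ -n "$(get_var "$file" "$v")" ] || fail "$v is mandatory when DB_TYPE=zos_db2"
            done ;;
        *) fail "DB_TYPE=$db_type is not one of db2, postgres, zos_db2" ;;
    esac

    # LICENSE must be exactly 'accept'
    [ "$(get_var "$file" LICENSE)" = accept ] || fail "LICENSE must be set to accept"

    # DB_PORT must be a plain port number
    port="$(get_var "$file" DB_PORT)"
    printf '%s\n' "$port" | grep -Eq '^[0-9]{1,5}$' || fail "DB_PORT=$port is not a valid port number"

    # SKLM_SEED must be a 32- or 64-character string
    seed="$(get_var "$file" SKLM_SEED)"
    [ "${#seed}" -eq 32 ] || [ "${#seed}" -eq 64 ] || fail "SKLM_SEED must be 32 or 64 characters, got ${#seed}"

    # SKLMADMIN_USERNAME: alphanumeric only, and the documentation says keep the default
    admin="$(get_var "$file" SKLMADMIN_USERNAME)"
    if [ -n "$admin" ]; then
        printf '%s\n' "$admin" | grep -Eq '^[A-Za-z0-9]+$' || fail "SKLMADMIN_USERNAME must be alphanumeric"
        [ "$admin" = sklmadmin ] || fail "SKLMADMIN_USERNAME must stay at the default sklmadmin"
    fi

    [ "$errors" -eq 0 ]
}

# Constructed sample files for the demonstration (placeholder values, not a
# real deployment). good.env follows the PostgreSQL sample above; bad.env
# selects zos_db2 without ZOS_DB_LOCATION and uses a seed that is too short.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/good.env" <<'EOF'
DB_TYPE=postgres
DB_NAME=KLMDB42
DB_USER=klmdb42
DB_PASSWORD=xxxxx
DB_HOST=db.example.internal
DB_PORT=5432
LICENSE=accept
SKLM_SEED=68d95f0081f1dbfc0b06de9b0916df1c
SKLMADMIN_USERNAME=sklmadmin
SKLMADMIN_PASSWORD=Ch@ngeMe
EOF
cat > "$SAMPLE_DIR/bad.env" <<'EOF'
DB_TYPE=zos_db2
DB_NAME=KLMDB42
DB_USER=klmdb42
DB_PASSWORD=xxxxx
DB_HOST=db.example.internal
DB_PORT=446
ZOS_DB_NAMES=KLMSMM,KLMLGG,KLM32KLH
LICENSE=accept
SKLM_SEED=tooshort
SKLMADMIN_USERNAME=sklmadmin
SKLMADMIN_PASSWORD=Ch@ngeMe
EOF

check_gklm_env "$SAMPLE_DIR/good.env" && echo "good.env passed"
check_gklm_env "$SAMPLE_DIR/bad.env" || echo "bad.env rejected (expected)"
```

Run it against your own file with `check_gklm_env /path/to/gklm.env`; a non-zero exit means at least one rule was violated and the reasons were printed.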

Deploying the IBM Security Guardium Key Lifecycle Manager container by using encrypted secrets

Note: Applicable from V4.2.0.2 onwards.
  1. Create a keystore of type PKCS12 that contains a key pair, using the following alias and file name:
    Alias = gklm-key

    Keystore name = defaultKeystore.p12

  2. Create a file named encryption.properties and specify the PKCS12 keystore password in it:

    enc.password=passw0rd

  3. Create a Dockerfile with the following contents.
    # Extend the SKLM application image
    ARG LATEST_IMAGE
    FROM ${LATEST_IMAGE}
    ARG PROPERTIES_FILE=${PROPERTIES_FILE}
    ARG KEYSTORE_FILE=${KEYSTORE_FILE}
    # Copy the encryption properties file and the PKCS12 keystore into the SKLM configuration directory
    COPY $PROPERTIES_FILE /opt/ibm/wlp/configuration
    COPY $KEYSTORE_FILE /opt/ibm/wlp/configuration
  4. Build a Docker image by using the Dockerfile that you created in Step 3. Provide the keystore and the properties file as inputs. Make sure that the keystore (defaultKeystore.p12) and the encryption.properties file have read/write permissions for a non-root user.
    docker build -t <tag name> --build-arg LATEST_IMAGE=<GKLM image name> --build-arg PROPERTIES_FILE=<properties file name> --build-arg KEYSTORE_FILE=<keystore file name> --no-cache .
    For example,
    docker build -t gklm4202 --build-arg LATEST_IMAGE=docker-na.artifactory.swg-devops.com/sec-sklm-build-docker-local/sklm:Dev_RTP_4202_55.x86_64 --build-arg PROPERTIES_FILE=encryption.properties --build-arg KEYSTORE_FILE=defaultKeystore.p12 --no-cache .
  5. Extract the public key from the PKCS12 file that you created in Step 1 and save it to a file. Pass that file as -inkey to encrypt each secret by using the following command.
    echo "Ch@ngemypa55word" | openssl rsautl -encrypt -inkey sklm_public -pubin | base64 -w 0
  6. Specify the following secrets, in their encrypted form, as environment variables and start the container with the new image that you built in Step 4.
    LIBERTY_KEYSTORE_PASSWORD, LIBERTY_KEYSTORE_PASSWORD_OLD, SKLMADMIN_PASSWORD, DB_PASSWORD
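The six steps above as one runnable shell sequence, added here as an example and not taken from the IBM documentation. It builds the PKCS12 keystore with openssl (the page does not name a tool; keytool -genkeypair produces an equivalent file), writes encryption.properties, extracts the public key, encrypts the four secrets listed in Step 6, and, purely to verify the result, decrypts one of them with the private key that in a real deployment stays inside the keystore. The names gklm-key, defaultKeystore.p12, encryption.properties, sklm_public and enc.password=passw0rd follow the page; the function names, the certificate CN, and the secret values are this example's assumptions or placeholders. openssl pkeyutl is used in place of the page's deprecated rsautl; both default to PKCS#1 v1.5 padding, so the ciphertext is interchangeable.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: Steps 1, 2, 5 and 6 of the
# encrypted-secrets procedure with openssl, plus a decrypt round trip.
# Assumes openssl and GNU base64 are on PATH. All secret values are placeholders.

WORK="$(mktemp -d)"
KS_PASS=passw0rd   # the value written to encryption.properties (Step 2)

# Step 1: PKCS12 keystore holding an RSA key pair under the alias gklm-key.
make_keystore() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=gklm-secrets" \
        -keyout "$WORK/gklm-key.pem" -out "$WORK/gklm-cert.pem" 2>/dev/null
    openssl pkcs12 -export -name gklm-key \
        -inkey "$WORK/gklm-key.pem" -in "$WORK/gklm-cert.pem" \
        -out "$WORK/defaultKeystore.p12" -passout "pass:$KS_PASS"
    # Step 2: the properties file that the Dockerfile copies into the image
    printf 'enc.password=%s\n' "$KS_PASS" > "$WORK/encryption.properties"
}

# Step 5a: extract the public key from the PKCS12 file into sklm_public.
extract_public_key() {
    openssl pkcs12 -in "$WORK/defaultKeystore.p12" -passin "pass:$KS_PASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -pubkey -noout > "$WORK/sklm_public"
}

# Step 5b: encrypt one secret; prints base64 on a single line, as on the page.
# echo is kept so the plaintext carries the same trailing newline as the page's command.
encrypt_secret() {
    echo "$1" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/sklm_public" | base64 -w 0
}

# Verification only: decrypt with the private key to confirm the round trip.
decrypt_secret() {
    echo "$1" | base64 -d | openssl pkeyutl -decrypt -inkey "$WORK/gklm-key.pem"
}

# Step 6: the four variables that the container accepts in encrypted form.
# Prints the path of the generated environment file.
make_env_file() {
    make_keystore
    extract_public_key
    {
        echo "LIBERTY_KEYSTORE_PASSWORD=$(encrypt_secret 'Ch@ngemypa55word')"
        echo "LIBERTY_KEYSTORE_PASSWORD_OLD=$(encrypt_secret 'Ch@ngemypa55word')"
        echo "SKLMADMIN_PASSWORD=$(encrypt_secret 'Ch@ngeMe')"
        echo "DB_PASSWORD=$(encrypt_secret 'xxxxx')"
    } > "$WORK/secrets.env"
    echo "$WORK/secrets.env"
}

ENV_FILE="$(make_env_file)"
echo "Encrypted secrets written to $ENV_FILE:"
cat "$ENV_FILE"
```

Because PKCS#1 v1.5 encryption is randomized, encrypting the same secret twice gives two different ciphertexts; that is expected and both decrypt to the same value. Only the public key and defaultKeystore.p12 need to leave this working directory: the public key to whoever prepares the environment file, the keystore into the image via the Dockerfile in Step 3.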