Administering wrapping keys and devices

To administer wrapping keys and devices, you might want to determine their status. You can map their association, or add, modify, or delete specific wrapping keys or devices.

About this task

Before you begin, examine the columns on the page. The page provides buttons to add, modify, or delete a table item. To sort information, click a column header.

Use the 3592 Key and Device Management page to map wrapping keys to devices and determine the status of items in the table. You might add, modify, or delete wrapping keys or devices. Your role must have permissions to the view action and to the appropriate device group.

The table is organized in these areas:

  • The left table shows the information about wrapping keys. It lists the wrapping key alias, type, whether the wrapping key is used as a system default or system partner, the expiration date, and status of the wrapping key.
  • The right columns show information about drives: the drive name and whether the drive uses a system default as its default or partner certificate.

  • Status icons indicate the status of a certificate.
    Table 1. Status icons and their meanings
    Icon | Description
    Active Normal | Certificate is in an active state.
    Compromised | Certificate is in a compromised state.
    Expiring certificate | Certificate expires soon.
    Expired | Certificate is in an expired state.
    Valid from future date | Certificate valid from future date, for migrated certificates with a future use time stamp.
    Pending import | IBM® Security Guardium® Key Lifecycle Manager has third-party certificate requests that are waiting to be signed and imported.

Procedure

  1. Log on to the graphical user interface:
    1. In the Key and Device Management section on the Welcome page, select 3592.
    2. Click Go to > Manage keys and devices.
    3. Alternatively, right-click 3592 and select Manage keys and devices.

    Some steps describe alternatives that use either the graphical user interface or the REST interface. For any one work session, do not switch between interfaces.

    Descriptions of some tasks might mention task-related properties in the SKLMConfig.properties file. Use the graphical user interface or the REST interface to change these properties.

  2. On the 3592 Key and Device Management page, you can add, modify, or delete a certificate or drive. Additionally, you can monitor the status of certificates.

    You might do these administrative tasks:

    • Add

      Click Add. Alternatively, you can select a step-by-step process to create certificates and drives.

      • Certificate

        On the Create Certificate dialog, select the certificate type as either self-signed or from a third-party provider, and complete the required information. Then, click Create Certificate. Your role must have the permissions to the create action and to the appropriate device group. To make this certificate the default, your role must have permission to the modify action.

      • Tape drive

        On the Add Tape Drive dialog, type the drive information. Then, click Add Tape Drive. Your role must have permissions to the create action and to the appropriate device group.

      • Use step by step process for certificate and drive creation

        On the Step1: Create Certificates and Step2: Identify Drives pages, enter the necessary information.

      The success indicator varies; it appears as a change in a column for the certificate or device.

    • Modify

      To change or delete a certificate or drive, select a certificate or drive, and then click Modify. Alternatively, right-click the selected certificate or drive. Then, click Modify, or double-click a certificate or device entry in the list.

      • Certificate

        Specify changes in the Modify Certificate dialog. Then, click Modify Certificate. Your role must have the permissions to the modify action and to the appropriate device group.

      • Tape drive

        Specify changes in the Modify Tape Drive dialog. Then, click Modify Tape Drive. Your role must have permissions to the modify action and to the appropriate device group.

      The success indicator varies; it appears as a change in a column for the certificate or device. Changes to some information, such as optional fields, might not be shown in the table.

    • Delete

      To delete a certificate or drive, highlight the entry in the table and click Delete. Alternatively, right-click the selected certificate or drive. Then, click Delete.

      • Certificate

        Ensure that you have a current backup of the keystore before you delete a certificate. Any tapes that are written by using this certificate become non-readable after the certificate is deleted. The certificate to be deleted can be in any state, such as active. Regardless of its state, you cannot delete a certificate that is associated with a device. You also cannot delete a certificate that is marked as either default or partner. Your role must have the permissions to the delete action and to the appropriate device group.

        Deleting a certificate deletes the material from the database.

        To confirm deletion, click OK.

      • Tape drive

        Metadata for the drive that you delete, such as the drive serial number, is removed from the IBM Security Guardium Key Lifecycle Manager database. To confirm deletion, click OK. Your role must have permissions to the delete action and to the appropriate device group.

      A success indicator is that the certificate or device is removed from the administration table.