To administer wrapping keys and devices, you might want to determine their status. You
can map their association, or add, modify, or delete specific wrapping keys or devices.
About this task
Before you begin, examine the columns on the page, which provides buttons to add, modify, or
delete a table item. To sort information, click a column header.
Use the 3592 Key and Device Management page to map wrapping keys to devices and determine the status of items in the table. You might add, modify, or delete wrapping keys or devices. Your role must have permissions to the view action and to the appropriate device group.
The table is organized in these areas:
- The left table shows the information about wrapping keys. It lists the wrapping key alias, type,
whether the wrapping key is used as a system default or system partner, the expiration date, and
status of the wrapping key.
- In the right columns, information about drives indicates the drive name and whether the drive uses a system default as its default or partner certificate.
- Status icons indicate the status of a certificate.
Table 1. Status icons and their meanings

| Icon | Description |
| --- | --- |
| | Certificate is in an active state. |
| | Certificate is in a compromised state. |
| | Certificate expires soon. |
| | Certificate is in an expired state. |
| | Certificate valid from future date, for migrated certificates with a future use time stamp. |
| | IBM® Security Guardium® Key Lifecycle Manager has third-party certificate requests that are waiting to be signed and imported. |

Procedure
- Log on to the graphical user interface:
  - In the Key and Device Management section on the Welcome page, select 3592.
  - Click .
  - Alternatively, right-click 3592 and select Manage keys and devices.

  Descriptions of some steps describe alternatives by using the graphical user interface or the REST interface. For any one work session, do not switch between interfaces. Descriptions of some tasks might mention task-related properties in the SKLMConfig.properties file. Use the graphical user interface or the REST interface to change these properties.
- On the 3592 Key and Device Management page, you can add, modify, or delete a certificate or drive. Additionally, you can monitor the status of certificates. You might do these administrative tasks:
  - Add
    Click Add. Alternatively, you can select a step-by-step process to create certificates and drives.
    - Certificate
      On the Create Certificate dialog, select the certificate type as either self-signed or from a third-party provider, and complete the required information. Then, click Create Certificate. Your role must have the permissions to the create action and to the appropriate device group. To make this certificate the default, your role must have permission to the modify action.
    - Tape drive
      On the Add Tape Drive dialog, type the drive information. Then, click Add Tape Drive. Your role must have the permission to the create action and a permission to the appropriate device group.
    - Use step by step process for certificate and drive creation
      On the Step1: Create Certificates and Step2: Identify Drives pages, enter the necessary information.

    A success indicator varies, showing a change in a column for the certificate or device.
  - Modify
    To change or delete a certificate or drive, select a certificate or drive, and then click Modify. Alternatively, right-click the selected certificate or drive. Then, click Modify, or double-click a certificate or device entry in the list.
    - Certificate
      Specify changes in the Modify Certificate dialog. Then, click Modify Certificate. Your role must have the permissions to the modify action and to the appropriate device group.
    - Tape drive
      Specify changes in the Modify Tape Drive dialog. Then, click Modify Tape Drive. Your role must have permissions to the modify action and to the appropriate device group.

    A success indicator varies, showing a change in a column for the certificate or device. Changes to some information, such as optional fields, might not be provided in the table.
  - Delete
    To delete a certificate or drive, highlight the entry in the table and click Delete. Alternatively, right-click the selected certificate or drive. Then, click Delete.
    - Certificate
      Ensure that you have a current backup of the keystore before you delete a certificate. Any tapes that are written by using this certificate become non-readable after the certificate is deleted. The certificate to be deleted can be in any state, such as active. Regardless of its state, you cannot delete a certificate that is associated with a device. You also cannot delete a certificate that is marked as either default or partner. Your role must have the permissions to the delete action and to the appropriate device group. Deleting a certificate deletes the material from the database. To confirm deletion, click OK.
    - Tape drive
      Metadata for the drive that you delete, such as the drive serial number, is removed from the IBM Security Guardium Key Lifecycle Manager database. To confirm deletion, click OK. Your role must have permissions to the delete action and to the appropriate device group.

    A success indicator is that the certificate or device is removed from the administration table.
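
The certificate deletion rules from the Delete step, written as a pre-check you could run over your own record of the table before clicking Delete. This is an added example, not IBM code: the aliases, drive names, record layout, and the 24-hour threshold for a "current" backup are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows mirroring the columns of the 3592 table (not real data).
CERTS = {
    "cert_2019": {"status": "expired", "default": False, "partner": False},
    "cert_2023": {"status": "active", "default": True, "partner": False},
    "cert_2024": {"status": "active", "default": False, "partner": True},
    "cert_old": {"status": "active", "default": False, "partner": False},
    "cert_test": {"status": "compromised", "default": False, "partner": False},
}
# Drive name -> certificate aliases the drive is explicitly associated with.
DRIVES = {
    "DRIVE0000001": {"cert_old"},
    "DRIVE0000002": set(),  # relies on the system default and partner
}


def deletion_blockers(alias, certs, drives, last_backup, now,
                      max_backup_age=timedelta(hours=24)):
    """Return the reasons a certificate must not be deleted (empty list = OK).

    max_backup_age is an assumed local policy for what "current backup"
    means; the page does not define a threshold.
    """
    cert = certs.get(alias)
    if cert is None:
        return [f"unknown certificate alias: {alias}"]
    reasons = []
    # The status column is deliberately not checked: the page says a
    # certificate in any state, including active, can be deleted.
    if cert["default"]:
        reasons.append("marked as system default")
    if cert["partner"]:
        reasons.append("marked as system partner")
    users = sorted(d for d, aliases in drives.items() if alias in aliases)
    if users:
        reasons.append("associated with device(s): " + ", ".join(users))
    # Tapes written with a deleted certificate become non-readable, so a
    # missing or stale keystore backup is treated as a blocker.
    if last_backup is None or now - last_backup > max_backup_age:
        reasons.append("no current keystore backup")
    return reasons
```

An empty list means only that the page's stated preconditions are met; the role permissions for the delete action and the device group are still enforced by the product itself.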