IBM Enterprise Key Management Foundation Web usage in IBM Security Guardium Key Lifecycle Manager

IBM® Enterprise Key Management Foundation Web (EKMF Web) provides centralized key management for IBM z/OS. You can use EKMF Web to store the master key in Integrated Cryptographic Service Facility (ICSF). This master key protects all the keys and certificates that are stored in the IBM Security Guardium® Key Lifecycle Manager database.

You can configure EKMF Web with a new or an existing installation of IBM Security Guardium Key Lifecycle Manager.

Before you begin, review the following considerations:
  • You cannot configure IBM Security Guardium Key Lifecycle Manager servers from different deployments with the same EKMF Web server. Such a configuration might cause unrecoverable data loss. Servers that belong to the same replication setup, however, can share one EKMF Web server.
  • You can configure multiple EKMF Web hosts to ensure high availability and failover.
  • In a multiple EKMF Web setup, you can configure the following types of EKMF Web hosts according to your requirements:
    EKMF Web Full: Handles both master key management and cryptographic operations.
    EKMF Web Crypto: Handles only the cryptographic operations (encryption and decryption).

    This split is useful in a replication setup, where only the master server needs access to the key creation operation. The clone servers only serve keys, and hence need access only to the encryption and decryption operations. So, you can configure the master server with an EKMF Web Full host and the clone servers with an EKMF Web Crypto host.

  • If you configured multiple EKMF Web hosts, you can set the preference order in which IBM Security Guardium Key Lifecycle Manager connects to the configured EKMF Web hosts by specifying the hostPreferenceSequence parameter.

    Setting the host preference order to the nearest available EKMF Web host, combined with the required load balancing, can help improve the performance of the master key operations.

  • You can configure multiple IBM Security Guardium Key Lifecycle Manager servers with a single EKMF Web host by setting the masterkeyAlias parameter.
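As an added illustration (not IBM's code; the host names, the shape of the preference sequence and the operation names are constructed), the following Python models how a host preference sequence and the Full/Crypto host types decide which EKMF Web host serves a given operation, and why a clone server configured with only Crypto hosts cannot perform master key operations:

```python
"""Illustrative model of EKMF Web host selection by preference sequence.

Constructed for explanation only; it is not the product's implementation.
"""
from dataclasses import dataclass

FULL, CRYPTO = "full", "crypto"          # the two EKMF Web host types
MASTER_KEY_OPS = {"create_master_key", "rotate_master_key"}  # Full hosts only
CRYPTO_OPS = {"encrypt", "decrypt"}      # both host types handle these


@dataclass
class EkmfHost:
    name: str
    kind: str                 # FULL or CRYPTO
    available: bool = True    # constructed reachability flag (no real probe)

    def supports(self, op: str) -> bool:
        """Full hosts do everything; Crypto hosts only encrypt/decrypt."""
        if op in MASTER_KEY_OPS:
            return self.kind == FULL
        return op in CRYPTO_OPS


def select_host(hosts, preference_sequence, op):
    """Return the first available, capable host in preference order.

    Mirrors the idea of hostPreferenceSequence: walk the configured order,
    skip unreachable hosts and hosts that cannot serve the operation.
    Returns None when no configured host can serve the operation.
    """
    by_name = {h.name: h for h in hosts}
    for name in preference_sequence:
        host = by_name.get(name)
        if host is None:
            raise ValueError(f"unknown host in preference sequence: {name}")
        if host.available and host.supports(op):
            return host
    return None


# Constructed topology: one Full host is down, one Crypto host is nearest.
HOSTS = [
    EkmfHost("ekmf-full-1", FULL, available=False),
    EkmfHost("ekmf-crypto-1", CRYPTO),
    EkmfHost("ekmf-full-2", FULL),
]
MASTER_PREFERENCE = ["ekmf-crypto-1", "ekmf-full-1", "ekmf-full-2"]
CLONE_PREFERENCE = ["ekmf-crypto-1"]      # clone servers get Crypto hosts only
```

For the master server, `encrypt` is served by the nearest Crypto host while `create_master_key` falls through to the second Full host; for a clone server the same master key request returns `None`, which is the intended outcome of giving clones only Crypto hosts.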