Using REST APIs to manage and serve keys, certificates, and other cryptographic objects

IBM® Security Guardium® Key Lifecycle Manager provides REST APIs that clients use to communicate with the IBM Security Guardium Key Lifecycle Manager server for managing and serving cryptographic objects. Clients (for example, cloud applications or devices) that support REST APIs and that need to use keys and other cryptographic objects from IBM Security Guardium Key Lifecycle Manager can use this method to communicate with the IBM Security Guardium Key Lifecycle Manager server.

Before you begin

Ensure that the users you want to associate with a client exist in WebSphere® Application Server Liberty and have the klmClientUser user role assigned to them. Only users that are associated with a client can access and work with that client's cryptographic objects.
In a Multi-Master setup, ensure that the same users and user groups are configured on all the master servers.
Best practice: Integrate with a centralized user repository such as LDAP for user authentication and management.

Procedure

  1. Register the client in the IBM Security Guardium Key Lifecycle Manager server.
    For detailed instructions, see Creating a client by using the graphical user interface. You can also use the Create Client REST Service.
  2. Assign users to the client.
    Only the assigned users can perform key management operations on the client's objects. For detailed instructions, see Creating a client by using the graphical user interface. You can also use the Assign Users to a Client REST Service.
  3. Add cryptographic objects.

Results

You can now use the REST services and perform the required operations on the cryptographic objects. For a list of supported operations, see Managing clients, client groups, and their cryptographic objects.