Secure configurations

You must maximize security in the environment, installation, administration, and operations so that only authorized persons can gain access to the sensitive information that IBM® Security Guardium® Key Lifecycle Manager manages.

Environment

You can configure these environmental elements for maximum security:

  • Restrict physical access to systems to prevent unauthorized access to the server hardware, allowing only authorized administrators to have access to the system console.
  • Ensure that the communication network is secure against eavesdropping and spoofing.
  • Use a firewall and maintain all ports behind the firewall. Open only the ports that IBM Security Guardium Key Lifecycle Manager requires.
  • Specify file system controls to protect sensitive files on the IBM Security Guardium Key Lifecycle Manager system. Controls must secure the files and limit access to only those users who require access.
  • Secure the key server, configuration files, log files, audit log file, database instance, and IBM Security Guardium Key Lifecycle Manager backup files.
  • Ensure that the system has adequate disk space to store the audit logs.
  • If you use any kind of debugging utility on IBM Security Guardium Key Lifecycle Manager, you must ensure that the output is secure. Access IBM Security Guardium Key Lifecycle Manager only from a secure system in which you are aware of all installed applications.
  • Although sensitive information in the IBM Security Guardium Key Lifecycle Manager backup JAR file is protected by password, not all of the contents of the JAR file are protected by password, which leaves the file vulnerable to corruption or intentional damage. Keep the JAR file secure.
  • Do not edit the files that are contained in a backup JAR file. The files become unreadable. Retain backup files in a secure location to which you control the password. Retain a copy of backup files in a secure location that is not on the IBM Security Guardium Key Lifecycle Manager computer, and not in the IBM Security Guardium Key Lifecycle Manager directory path.
  • When you administer IBM Security Guardium Key Lifecycle Manager from a browser, some of its panels let you browse the directory layout of the server system. IBM Security Guardium Key Lifecycle Manager runs as root, so file system browsing from those panels is done with root permissions.

Installation

  • Do not install on a domain controller.
  • Do not install on a shared file system.

Administrative and user assumptions

Securely manage administrators:

  • Grant administrator rights only to persons who manage IBM Security Guardium Key Lifecycle Manager and who meet your site requirements for trust and competence in maintaining the security of IBM Security Guardium Key Lifecycle Manager.
  • Administrators must work in accordance with the guidance provided by the system documentation and IBM Security Guardium Key Lifecycle Manager documentation.
  • The SKLMAdmin is a privileged user with unrestricted access to IBM Security Guardium Key Lifecycle Manager. A user must log in as SKLMAdmin only when the privilege is required.
  • Grant user IDs on the system only to users authorized to work with the information on the systems.
  • Ensure that users with access to IBM Security Guardium Key Lifecycle Manager are cooperative and not hostile.
  • Do not grant operating system privileges to administrators, such as LTOAuditor, who are not required to start or stop the IBM Security Guardium Key Lifecycle Manager server.

Operation

Securely manage ongoing operation:

  • Enable the suggested password policy.
  • Choose and manage the user and administrator passwords according to the password policy. For more information, see Password policy.
  • Enable auditing.
  • Establish and implement the necessary procedures for the secure operation of the system.
  • Ensure that maintenance procedures include regular diagnostics and auditing of the system, including regular backups and review of the audit files and error logs.
  • Transmit passwords securely to system users.
  • Instruct users and administrators to not disclose their passwords.
  • Enable the account lockout mechanism for users who repeatedly enter incorrect passwords. For more information, see tklm.lockout.attempts and tklm.lockout.enable.
  • Protect the configuration file from disclosure as rigorously as the administrator password itself, including all representations of the content of the configuration file, such as printouts and backups.

Configuration properties and attributes

Table 1 describes a set of configuration properties and attributes with the settings that give maximum security. You might instead configure a property in a way that is secure but not set for maximum security; the recommendations are provided to help you understand those decisions.

Table 1. Secure configuration property settings

Property                                      Most secure recommendation
Audit.event.outcome                           Specify success and failure events.
Audit.eventQueue.max                          Set to a value of zero.
Audit.event.types                             Specify all values other than the value none.
Audit.handler.file.multithreads               No security impact.
Audit.handler.file.name                       Specify a valid, secure location for the file.
Audit.handler.file.size                       No security impact.
Audit.handler.file.threadlifespan             No security impact.
backup.keycert.before.serving                 Set to a value of true.
cert.valiDATE                                 Set to a value of true.
config.keystore.name                          Do not change this value.
config.keystore.ssl.certalias                 Use the graphical user interface or the REST interface to set the valid value for the protocol.
debug                                         Enabling debug logging might affect IBM Security Guardium Key Lifecycle Manager performance. Enable this option only under the guidance of your IBM support representative.
device.AutoPendingAutoDiscovery               Set to a value of 0 (zero, or manual) or 2 (auto pending). This is an attribute in the IBM Security Guardium Key Lifecycle Manager database.
enableClientCertPush                          Set to a value of false.
enableMachineAffinity                         Set to a value of true (enabled). This is an attribute in the IBM Security Guardium Key Lifecycle Manager database.
fips                                          Set to a value of true (enabled).
KMIPListener.ssl.port                         Set to a valid port number.
lock.timeout                                  Use the default value.
maxPendingClientCerts                         Use the default value.
pcache.refresh.interval                       Use the default value.
tklm.backup.db2.dir                           Specify a valid, secure directory.
tklm.backup.dir                               Specify a valid, secure directory.
tklm.encryption.keysize                       Use the default value.
tklm.encryption.password                      This property is used internally. Do not change its value.
tklm.lockout.attempts                         Use the default value.
tklm.lockout.enable                           Set to a value of true (enabled).
tklm.encryption.pbe.algorithm                 This property is used internally. Do not change its value.
TransportListener.tcp.port                    Specify a valid port number.
TransportListener.tcp.timeout                 Specify a valid timeout interval.
TransportListener.ssl.ciphersuites            Use the default value.
TransportListener.ssl.clientauthentication    Specify the highest value that your device supports.
TransportListener.ssl.port *                  Specify a valid port number.
TransportListener.ssl.protocols               Specify a value of SSL_TLSv2.
TransportListener.ssl.timeout                 Specify a valid timeout interval.
Transport.ssl.vulnerableciphers.patterns      Use the default value.
stopRoundRobinKeyGrps                         Specify a value of true, although in some environments false might be acceptable. For more cautions, see the reference topic for the stopRoundRobinKeyGrps property.
useSKIDefaultLabels                           No security impact.
zOSCompatibility                              No security impact.
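The file system controls called for under Environment, the account lockout item under Operation, and the Table 1 recommendations above can all be checked mechanically rather than by reading the configuration by eye. The following script is an added example written for this page; it is not IBM product code. It assumes that the configuration is a Java-style .properties file, that list-valued audit properties such as Audit.event.outcome and Audit.event.types are comma-separated, and that the directories worth checking are the ones named by tklm.backup.dir, tklm.backup.db2.dir and Audit.handler.file.name. The sample configuration is constructed and its values are not product defaults. Only Table 1 entries with a definite value are checked; the "Use the default value" entries cannot be verified without knowing the product defaults, so the script leaves them alone.

```python
"""Audit a key-manager .properties file against the Table 1 recommendations.
Added example for this page, not IBM product code; see the assumptions in the lead-in."""
import os
import stat
import tempfile
from typing import Callable, Dict, List, NamedTuple, Optional, Set

# Constructed sample configuration (not a real product file); it mixes compliant
# and non-compliant values so that the audit has something to report.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
Audit.event.outcome=success
Audit.eventQueue.max=1000
Audit.event.types=authentication,runtime
backup.keycert.before.serving=true
cert.valiDATE=true
enableClientCertPush=true
fips=false
tklm.lockout.enable=true
tklm.lockout.attempts=3
TransportListener.ssl.protocols=SSL_TLSv2
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' or ':' separators,
    backslash line continuations. Keys are case-sensitive (cert.valiDATE, not cert.validate)."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        sep = min((i for i, ch in enumerate(line) if ch in "=:"), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _flags(value: str) -> Set[str]:
    """Split a comma-separated list value into lower-case tokens (assumed syntax)."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def _is(expected: str) -> Callable[[str], bool]:
    return lambda v: v.strip().lower() == expected


# Table 1 entries that name a definite value: (predicate on the value, expected value).
RULES: Dict[str, tuple] = {
    "Audit.event.outcome": (lambda v: {"success", "failure"} <= _flags(v), "success and failure"),
    "Audit.eventQueue.max": (_is("0"), "0"),
    "Audit.event.types": (lambda v: bool(_flags(v)) and "none" not in _flags(v), "any value other than none"),
    "backup.keycert.before.serving": (_is("true"), "true"),
    "cert.valiDATE": (_is("true"), "true"),
    "enableClientCertPush": (_is("false"), "false"),
    "fips": (_is("true"), "true"),
    "tklm.lockout.enable": (_is("true"), "true"),
    "TransportListener.ssl.protocols": (lambda v: v.strip() == "SSL_TLSv2", "SSL_TLSv2"),
}


class Finding(NamedTuple):
    name: str
    actual: Optional[str]      # None when the property is absent from the file
    expected: str


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per rule whose property is missing or set to a non-recommended value."""
    props = parse_properties(text)
    findings: List[Finding] = []
    for name, (ok, expected) in RULES.items():
        if name not in props:
            findings.append(Finding(name, None, expected))
        elif not ok(props[name]):
            findings.append(Finding(name, props[name], expected))
    return findings


def mode_problems(mode: int) -> List[str]:
    """Describe group/other permission bits in a POSIX mode; 0o700 or tighter is clean."""
    problems = []
    if mode & stat.S_IRWXG:
        problems.append("group has access (bits %o)" % (mode & stat.S_IRWXG))
    if mode & stat.S_IRWXO:
        problems.append("others have access (bits %o)" % (mode & stat.S_IRWXO))
    return problems


def check_path_private(path: str) -> List[str]:
    """Apply mode_problems to a real path, such as the directory named by tklm.backup.dir."""
    if not os.path.exists(path):
        return [f"{path} does not exist"]
    return mode_problems(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        shown = "<not set>" if f.actual is None else repr(f.actual)
        print(f"{f.name}: found {shown}, Table 1 recommends {f.expected}")
    # Directory check on a scratch directory; the real backup directory is site-specific.
    with tempfile.TemporaryDirectory() as scratch:
        os.chmod(scratch, 0o755)
        print(scratch, "->", check_path_private(scratch) or ["private"])
```

Run against the constructed sample, the audit reports Audit.event.outcome (only success is logged), Audit.eventQueue.max (not zero), enableClientCertPush (true) and fips (false); a property that is absent from the file is reported as not set rather than silently passed, because an unset value cannot be assumed to be the secure one. To use it on a real system, read the configuration file into audit_config and pass the directories named by tklm.backup.dir, tklm.backup.db2.dir and the parent of Audit.handler.file.name to check_path_private.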