Secure configurations
You must maximize security in environment, installation, administration, and operations to ensure that only authorized persons can gain access to sensitive information for IBM® Security Guardium® Key Lifecycle Manager.
Environment
You can configure these environmental elements for maximum security:
- Restrict physical access to systems to prevent unauthorized access to the server hardware, allowing only authorized administrators to have access to the system console.
- Ensure that the communication network is secure against eavesdropping and spoofing.
- Use a firewall and maintain all ports behind the firewall. Open only the ports that IBM Security Guardium Key Lifecycle Manager requires.
- Specify file system controls to protect sensitive files on the IBM Security Guardium Key Lifecycle Manager system. Controls must secure the files and limit access to only those users who require access.
- Secure the key server, configuration files, log files, audit log file, database instance, and IBM Security Guardium Key Lifecycle Manager backup files.
- Ensure that the system has adequate disk space to store the audit logs.
- If you use any kind of debugging utility on IBM Security Guardium Key Lifecycle Manager, you must ensure that the output is secure. Access IBM Security Guardium Key Lifecycle Manager only from a secure system in which you are aware of all installed applications.
- Although sensitive information in the IBM Security Guardium Key Lifecycle Manager backup JAR file is protected by password, not all of the contents of the JAR file are protected by password, which leaves the file vulnerable to corruption or intentional damage. Keep the JAR file secure.
- Do not edit the files that are contained in a backup JAR file. The files become unreadable. Retain backup files in a secure location to which you control the password. Retain a copy of backup files in a secure location that is not on the IBM Security Guardium Key Lifecycle Manager computer, and not in the IBM Security Guardium Key Lifecycle Manager directory path.
- When you use a browser to administer IBM Security Guardium Key Lifecycle Manager, by using some of the IBM Security Guardium Key Lifecycle Manager panels, you can browse the directory layout on the server system. IBM Security Guardium Key Lifecycle Manager as a product runs as root, and when you browse the file system, these root permissions are used.
Installation
- Do not install on a domain controller.
- Do not install on a shared file system.
Administrative and user assumptions
Securely manage administrators:
- Grant administrator rights only to persons who manage IBM Security Guardium Key Lifecycle Manager and who meet your site requirements for trust and competence in maintaining the security of IBM Security Guardium Key Lifecycle Manager.
- Administrators must work in accordance with the guidance provided by the system documentation and IBM Security Guardium Key Lifecycle Manager documentation.
- The SKLMAdmin is a privileged user with unrestricted access to IBM Security Guardium Key Lifecycle Manager. A user must log in as SKLMAdmin only when the privilege is required.
- Grant user IDs on the system only to users authorized to work with the information on the systems.
- Ensure that users with access to IBM Security Guardium Key Lifecycle Manager are cooperative and not hostile.
- Do not grant operating system privileges to administrators, such as LTOAuditor, who are not required to start or stop the Guardium Key Lifecycle Manager server.
Operation
Securely manage ongoing operation:
- Enable the suggested password policy.
- Choose and manage the user and administrator passwords according to the password policy. For more information, see Password policy.
- Enable auditing.
- Establish and implement the necessary procedures for the secure operation of the system.
- Ensure that maintenance procedures include regular diagnostics and auditing of the system, including regular backups and review of the audit files and error logs.
- Transmit passwords securely to system users.
- Instruct users and administrators to not disclose their passwords.
- Enable the account lockout mechanism for users who repeatedly enter incorrect passwords. For more information, see tklm.lockout.attempts and tklm.lockout.enable.
- Protect the configuration file from disclosure as rigorously as the administrator password itself, including all representations of the content of the configuration file, such as printouts and backups.
Configuration properties and attributes
Table 1 describes a set of configuration properties and attributes with their settings for maximum security. You might decide to configure a property in a way that is secure but is not the maximum-security setting. These examples are provided to help you understand those decisions.
Property | Most secure recommendation |
---|---|
Audit.event.outcome | Specify success and failure events. |
Audit.eventQueue.max | Set to a value of zero. |
Audit.event.types | Specify all values other than the value none. |
Audit.handler.file.multithreads | No security impact. |
Audit.handler.file.name | Specify a valid, secure location for the file. |
Audit.handler.file.size | No security impact. |
Audit.handler.file.threadlifespan | No security impact. |
backup.keycert.before.serving | Set to a value of true. |
cert.valiDATE | Set to a value of true. |
config.keystore.name | Do not change this value. |
config.keystore.ssl.certalias | Use the graphical user interface or the REST interface to set the valid value for the protocol. |
debug | Enabling debug logging might affect IBM Security Guardium Key Lifecycle Manager performance. Enable this option only under the guidance of your IBM support representative. |
device.AutoPendingAutoDiscovery (an attribute in the IBM Security Guardium Key Lifecycle Manager database) | Set to a value of 0 (zero, or manual) or 2 (auto pending). |
enableClientCertPush | Set to a value of false. |
enableMachineAffinity (an attribute in the IBM Security Guardium Key Lifecycle Manager database) | Set to a value of true (enabled). |
fips | Set to a value of true (enabled). |
KMIPListener.ssl.port | Set to a valid port number. |
lock.timeout | Use the default value. |
maxPendingClientCerts | Use the default value. |
pcache.refresh.interval | Use the default value. |
tklm.backup.db2.dir | Specify a valid, secure directory. |
tklm.backup.dir | Specify a valid, secure directory. |
tklm.encryption.keysize | Use the default value. |
tklm.encryption.password | This property is used internally. Do not change its value. |
tklm.lockout.attempts | Use the default value. |
tklm.lockout.enable | Set to a value of true (enabled). |
tklm.encryption.pbe.algorithm | This property is used internally. Do not change its value. |
TransportListener.tcp.port | Specify a valid port number. |
TransportListener.tcp.timeout | Specify a valid timeout interval. |
TransportListener.ssl.ciphersuites | Use the default value. |
TransportListener.ssl.clientauthentication | Specify the highest value that your device supports. |
TransportListener.ssl.port * | Specify a valid port number. |
TransportListener.ssl.protocols | Specify a value of SSL_TLSv2. |
TransportListener.ssl.timeout | Specify a valid timeout interval. |
Transport.ssl.vulnerableciphers.patterns | Use the default value. |
stopRoundRobinKeyGrps | Specify a value of true, although in some environments false might be acceptable. For more cautions, see the reference topic for the stopRoundRobinKeyGrps property. |
useSKIDefaultLabels | No security impact. |
zOSCompatibility | No security impact. |
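As an added example (not IBM's code or tooling), the following script reads a Java-style properties file and reports any setting that is weaker than the Table 1 recommendation. It assumes the properties live in a file such as SKLMConfig.properties (an assumed name), and the sample file content is constructed; rows whose recommendation is "use the default value" or "no security impact" are not checked because the defaults are not given in the table.

```python
import re

# "Most secure" values taken from Table 1 above. Rows that say "use the default" or
# "no security impact" are omitted because their default values are not on the page.
EXPECTED = {
    "Audit.eventQueue.max": "0",
    "backup.keycert.before.serving": "true",
    "cert.valiDATE": "true",
    "enableClientCertPush": "false",
    "fips": "true",
    "tklm.lockout.enable": "true",
    "TransportListener.ssl.protocols": "SSL_TLSv2",
}

def parse_properties(text):
    """Minimal Java .properties reader: skips blank lines and '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if line and line[0] not in "#!" and m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(props):
    """Return (property, finding) pairs for settings weaker than Table 1."""
    findings = []
    for key, want in EXPECTED.items():
        got = props.get(key)  # None means the property is absent from the file
        if got is None or got.lower() != want.lower():
            findings.append((key, "is %s, expected %s" % (got, want)))
    # Audit.event.outcome must record both success and failure events.
    outcomes = {v.strip().lower() for v in props.get("Audit.event.outcome", "").split(",")}
    if not {"success", "failure"} <= outcomes:
        findings.append(("Audit.event.outcome", "must record both success and failure"))
    # Audit.event.types set to none (or absent, treated here as none) disables auditing.
    if props.get("Audit.event.types", "none").strip().lower() == "none":
        findings.append(("Audit.event.types", "auditing is disabled (none)"))
    return findings

# Constructed sample file (assumed name SKLMConfig.properties) with two weak settings.
SAMPLE = """\
Audit.event.outcome=failure
Audit.event.types=all
Audit.eventQueue.max=0
backup.keycert.before.serving=true
cert.valiDATE=false
enableClientCertPush=false
fips=true
tklm.lockout.enable=true
TransportListener.ssl.protocols=SSL_TLSv2
"""
```

Running `audit(parse_properties(SAMPLE))` on the sample flags cert.valiDATE and Audit.event.outcome; a file that matches every Table 1 row returns an empty list.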