device.AutoPendingAutoDiscovery
Specifies whether to add a new device that contacts IBM® Security Guardium® Key Lifecycle Manager to a list of pending devices that you can accept or reject before key serving occurs, or to add a new device automatically to the drive table for immediate key service upon request. The attribute applies to predefined base device families and user-defined device groups.
To modify device.AutoPendingAutoDiscovery, you must have a role with permissions to modify a device group. The device.AutoPendingAutoDiscovery attribute in the IBM Security Guardium Key Lifecycle Manager database replaces the previous drive.acceptUnknownDrives and the ds8k.acceptUnknownDrives properties.
- device.AutoPendingAutoDiscovery={0 | 1 | 2}
- Specifies whether to add a device that contacts IBM Security Guardium Key Lifecycle Manager to a list of pending devices that you can accept or reject before key serving occurs, or to add a device automatically to the drive table for immediate key service upon request.
- Required
- Yes.
- Values
- 0 (manual)
- Both the auto pending and auto discovery functions are off. All incoming devices are rejected and are not added to the data store. You must manually add devices and machine IDs.
The corresponding choice in the graphical user interface is Only accept manually added devices for communication.
- 1 (auto accept)
- The auto discovery function is on, and the auto pending function is off. All incoming devices of a valid device group are added to the data store and are automatically served keys upon request.
The corresponding choice in the graphical user interface is Automatically accept all device requests for communication.
Note:
- Do not use a setting of 1 (auto accept) for the DS5000 device family. This setting allows keys to be generated and served to DS5000 storage servers before you have backed up the data.
- For all other device families, you must back up any new keys that are served.
Migrating from a previous version of IBM Security Guardium Key Lifecycle Manager sets the auto discovery value to on (1) by device group if either of these conditions is true:
- ds8k.acceptUnknownDrives=true
The auto discovery function is on for the DS8000® device group.
- drive.acceptUnknownDrives=true
The auto discovery function is on for all valid device groups.
If both values are false, the value of device.AutoPendingAutoDiscovery is set to 0 (off). After migration, the ds8k.acceptUnknownDrives and drive.acceptUnknownDrives properties are removed from the migrated SKLMConfig.properties file.
Note: To allow tape drive devices of a specific type that connect to IBM Security Guardium Key Lifecycle Manager to be added and operational without an administrator validating the addition, use this setting in combination with these additional settings:
- 3592 tape drive
For a 3592 device group, also specify values for the system default and partner certificates in the IBM Security Guardium Key Lifecycle Manager database. Use the Device Group Attribute Update REST Service to set these values.
- LTO tape drive
For an LTO device group, use the Device Group Attribute Update REST Service to specify a key group by using the symmetricKeySet attribute in the IBM Security Guardium Key Lifecycle Manager database.
- 2 (auto pending)
- The auto pending function is on. All incoming devices are added to a pending list, but are not automatically served keys upon request. You must accept or reject a device in the pending devices list before the device is served keys upon request.
The corresponding choice in the graphical user interface is Hold new device requests pending my approval.
- Default
- 0 (off). You must manually add devices to IBM Security Guardium Key Lifecycle Manager.
- Example
device.AutoPendingAutoDiscovery=2
Suggested settings include:

Device group | Suggested value for device.AutoPendingAutoDiscovery
---|---
LTO | Any setting is acceptable if there are no device groups. However, if device groups are specified:
3592 |
DS5000 | Auto accept (device.AutoPendingAutoDiscovery=1), auto pending (device.AutoPendingAutoDiscovery=2), or manual (device.AutoPendingAutoDiscovery=0). Auto pending is suggested. Keys are generated on the initial request. Before you accept the request, back up IBM Security Guardium Key Lifecycle Manager. When machine affinity is enabled for DS5000, auto pending is the easiest way to add machine identifiers to IBM Security Guardium Key Lifecycle Manager because the machine ID information is populated from the device request. There is no graphical user interface to add new machine IDs to IBM Security Guardium Key Lifecycle Manager. Note: If you set device.AutoPendingAutoDiscovery=2, a DS5000 storage server that contacts IBM Security Guardium Key Lifecycle Manager is put in the auto pending table. Before devices are accepted, a backup is suggested. However, the backup stores the devices in a pending state. If you restore this backup, devices that were previously accepted are placed in the pending table, causing requests from those devices to fail until you accept them again.
DS8000 | Any setting is acceptable. In general, auto accept is the least secure setting because IBM Security Guardium Key Lifecycle Manager serves keys to any device that contacts it.
GENERIC | Do not set a value. This property does not affect the GENERIC device family because devices are not supported in this family.
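The following Python script is an added example and is not IBM Security Guardium Key Lifecycle Manager code or part of this page. It applies the migration rules above (drive.acceptUnknownDrives and ds8k.acceptUnknownDrives) to a constructed legacy SKLMConfig.properties fragment to derive a per-device-group device.AutoPendingAutoDiscovery value, and then audits a set of values against the suggested settings in the table: auto accept on DS5000, auto accept as the least secure setting on other families, a value set on GENERIC, and out-of-range values. The minimal .properties parser, the sample file contents, and the assumption that user-defined groups are named after their base family are the example's own.

```python
"""Added example, not IBM Security Guardium Key Lifecycle Manager code: derive
device.AutoPendingAutoDiscovery per device group from the legacy
drive.acceptUnknownDrives / ds8k.acceptUnknownDrives properties, then audit the
values against the guidance on this page."""

MANUAL, AUTO_ACCEPT, AUTO_PENDING = 0, 1, 2

# Predefined base device families that the attribute applies to. GENERIC is left
# out on purpose: the attribute has no effect on that family.
BASE_DEVICE_GROUPS = ("LTO", "3592", "DS5000", "DS8000")

# Constructed legacy SKLMConfig.properties fragment (sample input for this example).
LEGACY_PROPERTIES = """\
# legacy auto-discovery switches, removed by migration
drive.acceptUnknownDrives=false
ds8k.acceptUnknownDrives = true
config.keystore.name=defaultKeyStore
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments.
    Line continuations and escape sequences are not handled (assumption: the
    sample above does not use them)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue  # a key with no value adds nothing to this check
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def _is_true(value):
    return str(value).strip().lower() == "true"


def migrated_auto_discovery(props, device_groups=BASE_DEVICE_GROUPS):
    """Migration rules from this page: drive.acceptUnknownDrives=true turns auto
    discovery (1) on for every valid device group; ds8k.acceptUnknownDrives=true
    turns it on for the DS8000 group only; otherwise the group gets 0 (manual)."""
    drive_on = _is_true(props.get("drive.acceptUnknownDrives", "false"))
    ds8k_on = _is_true(props.get("ds8k.acceptUnknownDrives", "false"))
    return {
        group: AUTO_ACCEPT if drive_on or (ds8k_on and group == "DS8000") else MANUAL
        for group in device_groups
    }


def audit_settings(settings):
    """Return (group, severity, message) tuples for values this page warns about.
    Keys are device group names; user-defined groups are assumed to be named after
    their base family here (adjust the lookup if yours are not)."""
    findings = []
    for group, value in settings.items():
        if value not in (MANUAL, AUTO_ACCEPT, AUTO_PENDING):
            findings.append((group, "error", f"invalid value {value!r}; expected 0, 1 or 2"))
        elif group == "GENERIC":
            findings.append((group, "info", "no effect on the GENERIC family; do not set it"))
        elif group == "DS5000" and value == AUTO_ACCEPT:
            findings.append((group, "high", "keys are served to DS5000 before any backup; use 2 (auto pending)"))
        elif group == "DS5000" and value == AUTO_PENDING:
            findings.append((group, "info", "back up before accepting; a backup taken while devices are pending restores them as pending"))
        elif value == AUTO_ACCEPT:
            findings.append((group, "medium", "least secure setting: keys are served to any device that contacts the server"))
    return findings


if __name__ == "__main__":
    migrated = migrated_auto_discovery(parse_properties(LEGACY_PROPERTIES))
    for group, value in migrated.items():
        print(f"{group}: device.AutoPendingAutoDiscovery={value}")
    # Force the DS5000 case the page warns about to show the audit output.
    for group, severity, message in audit_settings({**migrated, "DS5000": AUTO_ACCEPT}):
        print(f"[{severity}] {group}: {message}")
```

Run against the constructed fragment, only DS8000 migrates to 1; the others stay at 0 because drive.acceptUnknownDrives is false. The audit is deliberately conservative: it treats any auto accept as a finding, and it surfaces the DS5000 auto pending backup caveat as informational so that operators see it before they take a backup with devices still pending.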