device.AutoPendingAutoDiscovery

Specifies whether to add a new device that contacts IBM® Security Guardium® Key Lifecycle Manager to a list of pending devices that you can accept or reject before key serving occurs, or to add a new device automatically to the drive table for immediate key service upon request. The attribute applies to predefined base device families and user-defined device groups.

To modify device.AutoPendingAutoDiscovery, you must have a role with permissions to modify a device group. The device.AutoPendingAutoDiscovery attribute in the IBM Security Guardium Key Lifecycle Manager database replaces the previous drive.acceptUnknownDrives and the ds8k.acceptUnknownDrives properties.

device.AutoPendingAutoDiscovery={0 | 1 | 2}
Specifies whether to add a device that contacts IBM Security Guardium Key Lifecycle Manager to a list of pending devices that you can accept or reject before key serving occurs, or to add a device automatically to the drive table for immediate key service upon request.
Required
Yes.
Values
0 (manual)
Both the auto pending and auto discovery functions are off. All incoming devices are rejected, and not added to the data store. You must manually add devices and machine IDs.

The corresponding choice in the graphical user interface is Only accept manually added devices for communication.

1 (auto accept)
The auto discovery function is on, and the auto pending function is off. All incoming devices of a valid device group are added to the data store and are automatically served keys upon request.

The corresponding choice in the graphical user interface is Automatically accept all device requests for communication.

Note:
  • Do not use a setting of 1 (auto accept) for the DS5000 device family. With this setting, keys are generated and served to DS5000 storage servers before you have a chance to back up the new keys.
  • For all other device families, you must back up any new keys that are served.
Migrating from a previous version of IBM Security Guardium Key Lifecycle Manager sets the auto discovery value to on by device group if either of these conditions is true:
  • ds8k.acceptUnknownDrives=true

    The auto discovery function is on for a device group of DS8000®.

  • drive.acceptUnknownDrives=true

    The auto discovery function is on for all valid device groups.

If both values are false, device.AutoPendingAutoDiscovery is set to 0 (manual). After migration, the ds8k.acceptUnknownDrives and drive.acceptUnknownDrives properties are removed from the migrated SKLMConfig.properties file.
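The migration rules above can be expressed as a small script. The following is an added example, not IBM code and not the product's migration routine: it parses a constructed pre-migration SKLMConfig.properties fragment, derives the per-device-group value that the rules imply, and strips the two legacy properties. It assumes that when only ds8k.acceptUnknownDrives=true, every device group other than DS8000 receives 0 (manual), which is what the rules imply but do not state outright, and that GENERIC is left unset because the attribute does not affect that family.

```python
"""Derive device.AutoPendingAutoDiscovery per device group from the legacy
drive.acceptUnknownDrives / ds8k.acceptUnknownDrives properties.
Added example; illustrative, not the product's own migration code."""

# Predefined base device families (user-defined groups can be passed in too).
BASE_DEVICE_FAMILIES = ("LTO", "3592", "DS5000", "DS8000", "GENERIC")

MANUAL, AUTO_ACCEPT, AUTO_PENDING = 0, 1, 2

# Legacy properties that migration removes from SKLMConfig.properties.
LEGACY_KEYS = ("drive.acceptUnknownDrives", "ds8k.acceptUnknownDrives")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def as_bool(value):
    return str(value).strip().lower() == "true"


def migrate_auto_discovery(legacy_props, device_groups=BASE_DEVICE_FAMILIES):
    """Return {device_group: device.AutoPendingAutoDiscovery value}.

    drive.acceptUnknownDrives=true -> auto discovery (1) for all valid groups
    ds8k.acceptUnknownDrives=true  -> auto discovery (1) for DS8000 only
    both false or absent           -> 0 (manual) for every group
    """
    all_groups = as_bool(legacy_props.get("drive.acceptUnknownDrives", "false"))
    ds8k_only = as_bool(legacy_props.get("ds8k.acceptUnknownDrives", "false"))
    result = {}
    for group in device_groups:
        if group == "GENERIC":
            continue  # assumption: not set, the attribute does not affect GENERIC
        if all_groups or (ds8k_only and group == "DS8000"):
            result[group] = AUTO_ACCEPT
        else:
            result[group] = MANUAL  # assumption: groups not switched on get 0
    return result


def strip_legacy_properties(text):
    """Drop the legacy keys, as the migration does with the properties file."""
    kept = []
    for raw in text.splitlines():
        key = raw.strip().partition("=")[0].strip()
        if key in LEGACY_KEYS:
            continue
        kept.append(raw)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed sample of a pre-migration properties fragment (not a real file).
SAMPLE_CONFIG = """\
# constructed example fragment, other properties omitted
drive.acceptUnknownDrives=false
ds8k.acceptUnknownDrives=true
"""

if __name__ == "__main__":
    legacy = parse_properties(SAMPLE_CONFIG)
    print(migrate_auto_discovery(legacy))
    print(migrate_auto_discovery(legacy, ("LTO", "MyLTOGroup", "DS8000")))
    print(strip_legacy_properties(SAMPLE_CONFIG), end="")
```

Pass your own list of device groups, including user-defined ones, as the second argument; the sample shows the DS8000-only case, where only that family ends up with auto discovery on.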

Note: To allow tape drive devices of a specific type that connect to IBM Security Guardium Key Lifecycle Manager to be added and operational without an administrator validating the addition, use a setting of 1 (auto accept) in combination with these additional settings:
  • 3592 tape drive

    For a 3592 device group, also specify values for the system default and partner certificates in the IBM Security Guardium Key Lifecycle Manager database. Use the Device Group Attribute Update REST Service to set these values.

  • LTO tape drive

    For an LTO device group, use the Device Group Attribute Update REST Service to specify a key group by using the symmetricKeySet attribute in the IBM Security Guardium Key Lifecycle Manager database.

2 (auto pending)
The auto pending function is on. All incoming devices are added to a pending list, but are not automatically served keys upon request. You must accept or reject a device in the pending devices list before the device is served keys upon request.

The corresponding choice in the graphical user interface is Hold new device requests pending my approval.

Default
0 (manual). You must manually add devices to IBM Security Guardium Key Lifecycle Manager.
Example
device.AutoPendingAutoDiscovery=2

Suggested settings include:

Table 1. Device groups and suggested settings

Device group: LTO, 3592
Suggested value for device.AutoPendingAutoDiscovery:

Any setting is acceptable if there are no user-defined device groups. However, if device groups are specified:

  • The auto accept option (device.AutoPendingAutoDiscovery=1) is problematic. Moving a device to another group is difficult because the keys or certificates from the family default are already served to the device.
  • Auto pending (device.AutoPendingAutoDiscovery=2) and manual (device.AutoPendingAutoDiscovery=0) options are better choices because an administrator has the opportunity to put the device into the correct group before keys are served.

Device group: DS5000
Suggested value for device.AutoPendingAutoDiscovery:

Auto accept (device.AutoPendingAutoDiscovery=1) is not suggested. If auto accept is enabled, keys are generated and served to the device, and administrators have no opportunity to back up the keys before data is encrypted with those keys.

Auto pending (device.AutoPendingAutoDiscovery=2) is suggested. Keys are generated on the initial request. Before you accept the request, back up IBM Security Guardium Key Lifecycle Manager. When machine affinity is enabled for DS5000, auto pending is the easiest way to add machine identifiers to IBM Security Guardium Key Lifecycle Manager because the machine ID information is populated from the device request. There is no graphical user interface to add new machine IDs to IBM Security Guardium Key Lifecycle Manager.

Note: If you set device.AutoPendingAutoDiscovery=2, a DS5000 storage server that contacts IBM Security Guardium Key Lifecycle Manager is put in the auto pending table. A backup is suggested before devices are accepted. However, that backup stores the devices in a pending state. If you restore this backup, devices that you accepted after the backup was taken are placed back in the pending table, causing requests from those devices to fail until you accept them again.

Manual (device.AutoPendingAutoDiscovery=0) is an acceptable option unless you initially set up the system with machine affinity enabled. If you initially specify the manual setting and enable machine affinity, it is more difficult to populate the system with machine identifiers because you can only add a machine ID to IBM Security Guardium Key Lifecycle Manager by using the Device Group Attribute Update REST Service. Take care to avoid errors in typing the machine ID. After you use auto pending (device.AutoPendingAutoDiscovery=2) to populate the system with machine IDs, changing to a manual setting is an acceptable option.

Device group: DS8000
Suggested value for device.AutoPendingAutoDiscovery:

Any setting is acceptable. In general, auto accept is the least secure setting because IBM Security Guardium Key Lifecycle Manager serves keys to any device that contacts IBM Security Guardium Key Lifecycle Manager.

Device group: GENERIC
Suggested value for device.AutoPendingAutoDiscovery:

Do not set a value. This property does not affect the GENERIC device family because devices are not supported in this family.
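To make the behaviour of the three settings and the DS5000 backup/restore note concrete, here is an added model of device admission. It is illustrative code written for this page, not IBM code, and it models only what the text describes: a device table, a pending list, and a backup that snapshots both. The device identifiers and the KeyServerModel class are constructed for the example; what happens to a device that is rejected and then contacts the server again is not covered by the text and is deliberately not asserted.

```python
"""Model of how device.AutoPendingAutoDiscovery governs whether a device that
contacts the key server is rejected, held pending, or served immediately,
plus the restore pitfall for backups taken while devices are pending.
Added example; illustrative only, not product code."""

MANUAL, AUTO_ACCEPT, AUTO_PENDING = 0, 1, 2


class KeyServerModel:
    """Constructed stand-in for the server's drive table and pending list."""

    def __init__(self, auto_pending_auto_discovery):
        if auto_pending_auto_discovery not in (MANUAL, AUTO_ACCEPT, AUTO_PENDING):
            raise ValueError("device.AutoPendingAutoDiscovery must be 0, 1 or 2")
        self.mode = auto_pending_auto_discovery
        self.drive_table = set()   # accepted devices, eligible for key service
        self.pending = set()       # devices awaiting an administrator decision
        self.audit = []            # (device_id, key_served) decisions, in order

    def request_key(self, device_id):
        """A device contacts the server. Return True if a key is served."""
        if device_id in self.drive_table:
            served = True                        # already accepted
        elif self.mode == AUTO_ACCEPT:
            self.drive_table.add(device_id)      # added and served immediately
            served = True
        elif self.mode == AUTO_PENDING:
            self.pending.add(device_id)          # held; no key until accepted
            served = False
        else:                                    # MANUAL: unknown devices rejected
            served = False
        self.audit.append((device_id, served))
        return served

    def add_device(self, device_id):
        """Administrator adds the device manually (the only path in mode 0)."""
        self.drive_table.add(device_id)

    def accept(self, device_id):
        """Administrator accepts a pending device."""
        self.pending.discard(device_id)
        self.drive_table.add(device_id)

    def reject(self, device_id):
        """Administrator rejects a pending device."""
        self.pending.discard(device_id)

    def backup(self):
        """Snapshot both tables, as a backup taken at this moment would."""
        return {"drive_table": set(self.drive_table), "pending": set(self.pending)}

    def restore(self, snapshot):
        self.drive_table = set(snapshot["drive_table"])
        self.pending = set(snapshot["pending"])


def restore_pitfall_demo():
    """Reproduce the DS5000 note: a backup taken while a device is pending
    puts that device back into the pending table on restore, so its next
    key request fails until it is accepted again."""
    server = KeyServerModel(AUTO_PENDING)
    assert server.request_key("ds5000-A") is False   # held pending, no key
    snapshot = server.backup()                       # backup before accepting
    server.accept("ds5000-A")
    assert server.request_key("ds5000-A") is True    # served once accepted
    server.restore(snapshot)                         # device is pending again
    return server.request_key("ds5000-A")            # False until re-accepted


if __name__ == "__main__":
    for mode, name in ((MANUAL, "manual"), (AUTO_ACCEPT, "auto accept"),
                       (AUTO_PENDING, "auto pending")):
        s = KeyServerModel(mode)
        print(f"{name}: new device served={s.request_key('lto-1')} "
              f"pending={sorted(s.pending)} drive_table={sorted(s.drive_table)}")
    print("key served after restoring pre-acceptance backup:",
          restore_pitfall_demo())
```

The auto accept branch is the one the page warns about for DS5000: the first request both adds the device and serves a key, with no point at which an administrator could take a backup first. The restore demo shows why the suggested backup under auto pending must be taken again after devices are accepted.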