Administering wrapping keys and devices

To administer wrapping keys and devices, you might want to determine their status. You can map their association, or add, modify, or delete specific wrapping keys or devices.

About this task

Use the 3592 endpoint management page to map wrapping keys to devices and to determine the status of items in the table. You might add, modify, or delete wrapping keys or devices. Your role must have permissions to the view action and to the appropriate endpoint.

The table is organized in these areas:

  • The left table shows the information about wrapping keys. It lists the wrapping key alias, type, whether the wrapping key is used as a system default or system partner, the expiration date, and status of the wrapping key.
  • In the right columns, information about drives indicates the drive name and whether the drive uses a system default as its default or partner certificate.

  • Status icons indicate the status of a certificate.
    Table 1. Status icons and their meanings
    Icon | Description
    Active Normal | Certificate is in an active state.
    Compromised | Certificate is in a compromised state and cannot be used for encryption.
    Expiring certificate | Certificate expires soon.
    Expired | Certificate is in an expired state.
    Valid from future date | Certificate valid from future date, for migrated certificates with a future use timestamp.
    Pending import | IBM Guardium Key Lifecycle Manager has certificate authority (CA) certificate requests that are waiting to be signed and imported.
    Certificate usage stopped | Certificate usage is stopped.

Procedure

  1. Log in to the graphical user interface.
  2. Create the 3592 endpoint. For more information, see Creating a 3592 endpoint.

    Some steps describe alternatives that use either the graphical user interface or the REST interface. For any one work session, do not switch between the interfaces.

    Descriptions of some tasks might mention task-related properties in the SKLMConfig.properties file. Use the IBM Guardium Key Lifecycle Manager graphical user interface or a REST interface to change these properties.

  3. On the 3592 endpoint management page, you can add, modify, or delete a certificate or drive. Also, you can monitor the status of certificates.
    You might do the following administrative tasks.
    • Add
      Wrapping key
      Click Add wrapping key.

      On the Add wrapping key dialog, select the wrapping key type Certificate or AES key. Then, click Add wrapping key. Your role must have the permissions to the create action and to the appropriate endpoint. To make this certificate the default, your role must have permission to the modify action.

      Tape drive
      Click Add tape drive.

      On the Add tape drive dialog, type the drive information. Then, click Add tape drive. Your role must have the permission to the create action and a permission to the appropriate endpoint.

      A success indicator varies, showing a change in a column for the certificate or device.

    • Modify

      To modify a certificate, key, or drive, select a certificate or drive and click the overflow menu icon. From the overflow menu options, click Modify.

      Wrapping key

      Specify changes in the Modify certificate dialog or Modify AES key dialog. Then, click Submit. Your role must have the permissions to the modify action and to the appropriate endpoint.

      Tape drive

      Specify changes in the Modify tape drive dialog. Then, click Modify tape drive. Your role must have permissions to the modify action and to the appropriate endpoint.

      A success indicator varies, showing a change in a column for the certificate or device. Changes to some information, such as optional fields, might not be provided in the table.

    • Delete

      To delete a certificate, key, or drive, select a certificate or drive and click the overflow menu icon. From the overflow menu options, click Delete.

      Wrapping key

      Make sure that you have a current backup of the keystore before you delete a certificate. Any tapes that are written by using this certificate become nonreadable after the certificate is deleted. The certificate to be deleted can be in any state, such as active. Regardless of its state, you cannot delete a certificate that is associated with a device. Also, you cannot delete a certificate that is marked as either default or partner. Your role must have the permissions to the delete action and to the appropriate endpoint.

      To confirm deletion, click OK.

      Tape drive

      Metadata for the drive that you delete, such as the drive serial number, is removed from the IBM Guardium Key Lifecycle Manager database. To confirm deletion, click OK. Your role must have permissions to the delete action and to the appropriate endpoint.

      A success indicator is that the certificate or device is removed from the administration table.
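
The deletion rules for wrapping keys in step 3, written as a pre-deletion review over an inventory of keys and drives. This is an added example, not IBM Guardium Key Lifecycle Manager code and not its REST interface: the record types, field names, and the `backup_is_current` flag are assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class WrappingKey:                 # hypothetical record: one row of the wrapping key table
    alias: str
    status: str                    # "active", "compromised", "expired", ...
    system_default: bool = False
    system_partner: bool = False

@dataclass
class Drive:                       # hypothetical record: one row of the drive columns
    name: str
    default_alias: Optional[str] = None   # None = drive uses the system default
    partner_alias: Optional[str] = None   # None = drive uses the system partner

def deletion_blockers(key, drives, backup_is_current):
    """Return the reasons a wrapping key must not be deleted (empty list = none)."""
    reasons = []
    if not backup_is_current:
        reasons.append("no current keystore backup")
    if key.system_default:
        reasons.append("marked as default")
    if key.system_partner:
        reasons.append("marked as partner")
    users = sorted(d.name for d in drives
                   if key.alias in (d.default_alias, d.partner_alias))
    if users:
        reasons.append("associated with device(s): " + ", ".join(users))
    return reasons

def review(keys, drives, backup_is_current):
    """Map each alias to its blockers. key.status is deliberately not consulted:
    the state of a certificate neither permits nor prevents deletion."""
    return {k.alias: deletion_blockers(k, drives, backup_is_current) for k in keys}

# Constructed sample inventory
KEYS = [
    WrappingKey("cert_2021", "compromised"),
    WrappingKey("cert_default", "active", system_default=True),
    WrappingKey("cert_old", "expired"),
]
DRIVES = [
    Drive("DRIVE0001", default_alias="cert_2021"),
    Drive("DRIVE0002"),
]

if __name__ == "__main__":
    for alias, reasons in review(KEYS, DRIVES, backup_is_current=True).items():
        print(alias, "->", "; ".join(reasons) if reasons else "no blockers")
```

In the sample, the compromised certificate stays blocked because a drive still references it; the drive must be modified to use another certificate before the deletion can go ahead.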