Managing the IBM Guardium Key Lifecycle Manager master key

Use the IBM Guardium Key Lifecycle Manager graphical user interface or the REST interface to set a master key and then move the master key to a different repository according to your organization's needs.

Before you begin

Before you set the master key in the Unified Key Orchestrator (UKO) repository or move the master key from another repository to the UKO repository, configure UKO. For the configuration steps, see Configuring Unified Key Orchestrator.

About this task

IBM Guardium Key Lifecycle Manager supports the following repositories to store the master key.
JCEKS
    Java Cryptography Extension Keystore (JCEKS) is the default master keystore.
HSM
    Configure a Hardware Security Module (HSM) to store the master key. For more information, see Integrating HSM with IBM Guardium Key Lifecycle Manager.
UKO
    Configure Unified Key Orchestrator (UKO) to store the master key. For more information, see Unified Key Orchestrator usage in IBM Guardium Key Lifecycle Manager.

After you create the first server certificate or key, an AES 256-bit master key is generated in the IBM Guardium Key Lifecycle Manager server. When you set the keystore for the first time by using the graphical user interface or the Master Key REST Service, a new master key is created, and all cryptographic data that was encrypted with the earlier master key is reencrypted with the new master key.

When you move the master key from one repository (source) to another repository (destination), IBM Guardium Key Lifecycle Manager automatically uses the master key from the destination repository for encryption. When you move the master key from JCEKS to HSM or UKO, the JCEKS key repository is deleted. However, when you move the master key from HSM or UKO to JCEKS, the master key in HSM or UKO is not deleted.

You can also use the REST services to manage the master key. For more information, see Master key management REST services.

Procedure

  1. Log in to the IBM Guardium Key Lifecycle Manager graphical user interface.
  2. On the IBM Guardium Key Lifecycle Manager home page, click the menu icon at the upper left of the page.
  3. Click Configuration > Master key management.
  4. Create a master key.
    1. On the Master key management page, select a repository.
      The default repository is JCEKS.
    2. Click Submit.
      The master key is created in the JCEKS key repository.
  5. You can now move the master key from JCEKS to other repositories. Complete the following steps to move the master key to HSM or UKO.
    Moving the key to HSM
    Complete the following steps to move the key to HSM:
    1. Select HSM from the list.
    2. Specify the PKCS11 config file path and the password in the respective fields.
    3. Click Save.
    4. Click Submit.
    Moving the key to UKO
    Make sure that UKO is configured before you complete the following steps:
    1. Select UKO from the list.
    2. Click Submit.
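Before you point the HSM move at a PKCS11 configuration file, it is worth confirming that the file is complete and that the vendor library it names is actually present on the server. The following script is an added example and is not part of the product documentation; it assumes the file uses the Java PKCS#11 provider key=value format (name, library, slotListIndex), and the library path in the constructed sample is a placeholder for your HSM vendor's PKCS#11 client library.

```shell
#!/bin/sh
# Added example (not from the product documentation): sanity-check a PKCS#11
# configuration file before moving the master key to an HSM.
# Assumption: the file uses the Java PKCS#11 provider format, for example
#   name = ExampleHSM
#   library = /path/to/vendor/pkcs11/library.so
#   slotListIndex = 0

# Print the value of key $2 from config file $1 (first match, surrounding
# whitespace trimmed, blank and comment lines ignored).
cfg_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Validate a PKCS#11 config file. Prints each problem found; returns 0 if clean.
check_pkcs11_config() {
    cfg="$1"
    rc=0
    if [ ! -r "$cfg" ]; then
        echo "config file not readable: $cfg"
        return 1
    fi
    name=$(cfg_value "$cfg" name)
    library=$(cfg_value "$cfg" library)
    slot_index=$(cfg_value "$cfg" slotListIndex)

    [ -n "$name" ] || { echo "missing 'name' entry"; rc=1; }
    if [ -z "$library" ]; then
        echo "missing 'library' entry"; rc=1
    elif [ ! -f "$library" ]; then
        # The provider cannot load the HSM if this path is wrong.
        echo "PKCS#11 library not found: $library"; rc=1
    fi
    case "$slot_index" in
        '') echo "missing 'slotListIndex' entry"; rc=1 ;;
        *[!0-9]*) echo "slotListIndex is not a non-negative integer: $slot_index"; rc=1 ;;
    esac
    return $rc
}

# Write a constructed sample config to $1 that points at library $2.
# The library path is a placeholder, not a real vendor path.
write_sample_config() {
    cat > "$1" <<EOF
# PKCS#11 provider configuration for the master key HSM (constructed sample)
name = ExampleHSM
library = $2
slotListIndex = 0
EOF
}

# Usage: check_pkcs11_config /path/to/pkcs11.cfg
# With no argument, run the check against a constructed sample so it works offline.
if [ -n "${1:-}" ]; then
    check_pkcs11_config "$1"
else
    tmpdir=$(mktemp -d)
    touch "$tmpdir/libcryptoki.so"   # stand-in for the vendor library
    write_sample_config "$tmpdir/pkcs11.cfg" "$tmpdir/libcryptoki.so"
    check_pkcs11_config "$tmpdir/pkcs11.cfg" && echo "config OK"
    rm -rf "$tmpdir"
fi
```

Run the script with the path you intend to enter in the PKCS11 config file path field; a non-zero exit means the move to HSM would be pointed at a file the PKCS#11 provider cannot use as written.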