Managing AEK with an external IBM Security Key Lifecycle Manager

If you want to store and retrieve your SED AEKs from an IBM® Security Key Lifecycle Manager (ISKLM) server in your environment, you must configure IIAS as a client of that server. After IIAS is integrated with ISKLM, you can still switch back to the local keystore if needed.

Integrating IIAS with ISKLM server for AEK management

The following steps outline the procedure for the ISKLM server setup. It is important to work with your IBM Security Key Lifecycle Manager (ISKLM) system administrator to configure the ISKLM server to communicate with IIAS.

  1. Set up the ISKLM server with information about the IIAS system and download the server certificate.
  2. Configure the IIAS system with the ISKLM server information and export the client certificate from IIAS to the ISKLM server.
  3. Test the ISKLM configuration.
  4. Export the current AEK from the local keystore to ISKLM.
  5. Switch IIAS from the local keystore to ISKLM to manage the AEK.

Switching IIAS from external ISKLM server back to local keystore for AEK management

You might want to switch IIAS back from ISKLM to the local keystore for AEK management. For example, you might need to move to a different ISKLM server in your organization, or you might want to move the IIAS system to a different location. In such cases, follow these steps to return IIAS to using the local keystore instead of ISKLM to manage the AEK.

  1. Import the current AEK from ISKLM to IIAS.
  2. Add the imported AEK to the local keystore.
  3. Switch IIAS from ISKLM to the local keystore to manage the AEK.