Configuring an EKMF Web plug-in
After binding a key management system to the repository, the EKMF plug-in must be configured.
Before you begin
APKA and AES master keys must be in place on the AP queues that your Linux instance uses. Master keys are set through the TKE.
About this task
Use a command of this form to configure the plug-in:
# zkey kms configure <config_option>
The zkey kms configure command supports plug-in-specific options that the
plug-in provides. To see which plug-in-specific options a plug-in provides or requires, use the
command:
# zkey kms configure --help
You can supply all configuration options at once, or use the zkey kms
configure command several times, supplying only one or a few configuration options each
time. A useful command might be zkey kms info, which displays information about
the key-management system to which zkey is bound. For example:
# zkey kms info KMS-Plugin: EKMFWeb Supported key types: CCA-AESCIPHER APQNs: (configuration required) ....In the configuration phase, use the info command to see what must still be configured. The preceding example shows that APQNs, that is, AP queues, must be configured.
You must associate AP queues with the key management plug-in. AP queues perform secure key operations for the plug-in. Keys that are generated with the key management plug-in are automatically associated with these AP queues. If a plug-in supports different key types, for example CCA and EP11 keys, then at least one of the matching AP queues with this type must be associated. The EKMF Web plug-in supports only CCA type keys.
An overview of the setup process is shown in Figure 1.

Procedure
Specify the following settings.