Enforcing regular key changes

Ensure that keys are rotated at the end of their lifetime.

Regular key changes are recommended.

The National Institute of Standards and Technology (NIST) has developed guidelines for key management. Use them to define the correct key retention periods for your organization.

You can download the NIST Special Publication 800-57 from NIST: http://csrc.nist.gov/publications/PubsSPs.html#SP%20800

Based on the NIST guidelines, the recommended maximum key life is 120 days and maximum master key life is three years.

Important: Retirement or replacement of keys is required if the integrity of the key is weakened or keys are suspected of being compromised.

Define maximum key life

Follow these steps to define the maximum key life and the maximum master key life:

  1. In the user interface, click the Administration tab.
  2. Select System > Configuration from the navigation menu. Click the System tab.
  3. Scroll down to the Encryption section.
    Figure 1. Encryption section
  4. In the Maximum key life (days) field, enter the number of days you defined in your organization.

If the maximum key life is reached and no key is changed during this period, IBM® Safer Payments automatically shuts down.

Set maximum key life alerts

Safer Payments provides a Status Alarm Indicator (SAI) that alerts when the end of the maximum key life approaches. SAI alerts can be shown on the Safer Payments dashboard and can also be distributed by email or as log messages.

You must define the following two status alarm indicators:
  • One for the encryption key; it must have the alarm type Encryption key remaining lifetime.
  • One for the master key; it must have the alarm type Master key remaining lifetime.
  1. On the Safer Payments user interface, click the Administration tab.
  2. Select Dashboard settings > Status alarm indicators from the navigation menu.
  3. From the Status Alarm Indicators table, click the New status alarm indicator icon to create a new status alarm indicator.
    Figure 2. New Status Alarm Indicator form
    This image shows the General Settings section and the Thresholds section. In the General Settings section, Mandator is set to Mandator, Position is set to 1, Check each (seconds) is set to 60, Alarm Status is set to Warning, Alarm type is set to Encryption key remaining. In the Thresholds section, the below (days) and above (days) checkboxes are cleared. Show on dashboard is selected. Display text is set to {name}:{value} and Display tooltip is set to Display tooltip. Event Log Message Delivery is selected. Log message template is set to Log message template. Email is selected.

Figure 2 shows an example SAI definition for monitoring the last encryption key change.

This SAI assumes a maximum key life of 120 days. If the current key is valid for only 10 more days, a warning is displayed on the dashboard, an email is sent out, and a log message is created.
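The remaining-lifetime logic the two SAIs implement, written out as an added, stand-alone Python check (example code, not part of Safer Payments or this documentation). It assumes key-change dates are supplied as ISO date strings, takes the page's 120-day key life and 10-day warning threshold as defaults, and treats the three-year master key life as 1095 days; the `{name}:{value}` display template is rendered the same way the SAI form does.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy values taken from the documentation; 3 years is assumed to mean 1095 days
# (the product field is expressed in days).
MAX_KEY_LIFE_DAYS = 120
MAX_MASTER_KEY_LIFE_DAYS = 3 * 365
WARN_BELOW_DAYS = 10


@dataclass(frozen=True)
class KeyStatus:
    name: str            # SAI name, e.g. "Encryption key remaining"
    remaining_days: int  # negative means the key is already overdue
    level: str           # "OK", "Warning" or "Expired"


def remaining_lifetime(last_change_iso: str, max_life_days: int, today_iso: str) -> int:
    """Days left before the key reaches its maximum life (0 or less = overdue)."""
    last_change = date.fromisoformat(last_change_iso)
    today = date.fromisoformat(today_iso)
    return (last_change + timedelta(days=max_life_days) - today).days


def evaluate_key(name: str, last_change_iso: str, max_life_days: int, today_iso: str,
                 warn_below: int = WARN_BELOW_DAYS) -> KeyStatus:
    days = remaining_lifetime(last_change_iso, max_life_days, today_iso)
    if days <= 0:
        level = "Expired"   # the product shuts down once the maximum key life is reached
    elif days < warn_below:
        level = "Warning"   # corresponds to the SAI "below (days)" threshold
    else:
        level = "OK"
    return KeyStatus(name, days, level)


def render_display(status: KeyStatus, template: str = "{name}:{value}") -> str:
    """Fill the SAI display/log template exactly as the form's {name}:{value} does."""
    return template.format(name=status.name, value=status.remaining_days)


def check_all(last_key_change_iso: str, last_master_change_iso: str, today_iso: str) -> list:
    """Evaluate both required indicators: encryption key and master key."""
    return [
        evaluate_key("Encryption key remaining", last_key_change_iso, MAX_KEY_LIFE_DAYS, today_iso),
        evaluate_key("Master key remaining", last_master_change_iso, MAX_MASTER_KEY_LIFE_DAYS, today_iso),
    ]


if __name__ == "__main__":
    # Constructed sample: key changed 111 days before 2024-06-01 -> 9 days left -> Warning.
    for s in check_all("2024-02-11", "2023-04-28", "2024-06-01"):
        print(s.level, render_display(s))
```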