Distributing keys

Copy the result of key generation to IBM® Safer Payments instances.

All the key_n.iris files (private triplet subkeys) that you want to use with your IBM Safer Payments installation must be copied manually from the portable memory device to the key subdirectories of all IBM Safer Payments instances.

If you copy usage key triplets to running instances, you must reload the keys as described in Preparing a keygen master key for activation. IBM Safer Payments reloads keys automatically whenever it restarts. Do not overwrite or replace the revoked_keys.iris or the key_n.iris files in the key subdirectory.

The first time that you distribute keys to instances, you must include the file revoked_keys.iris that was generated during the initial creation of the master key. This file stores the no-fly list of revoked keys. Never overwrite this file manually after it is delivered to the instances. Make sure that this file is writable by IBM Safer Payments so that it can revoke keys or reencrypt the file, for example, if you change to another master key.

The content of the encrypted revoked_keys.iris files might differ on each instance after you reencrypt or revoke a key. As the encryption of this file adds a random token, the encrypted result differs on each instance. Nevertheless, the stored no-fly list is always the same.

When you copy the files to the key subdirectories, change the user and group access privileges so that only the IBM Safer Payments process user can access the files.

Leave a copy of the usage key triplet files on the portable memory device so that you have a reference of generated keys. You must protect and securely store the device.
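
One way to script the copy and permission steps described above, as an added example that is not part of the IBM documentation or tooling. The function names, the directory arguments, the optional owner argument and the choice of mode 600 (owner-only, still writable so that revoked_keys.iris can be updated) are assumptions.

```shell
#!/bin/sh
# Added example: copy key files into an instance's key subdirectory without
# overwriting anything already there, then restrict access to the owner.
# Paths and the owner argument are assumptions; substitute your own.

# distribute_keys SRC_DIR KEY_DIR [OWNER[:GROUP]]
# Prints one line per file: "copied <name>" or "kept <name>" (already present).
distribute_keys() {
    src=$1; dest=$2; owner=${3:-}
    [ -d "$src" ] && [ -d "$dest" ] || { echo "missing directory" >&2; return 2; }
    old_umask=$(umask); umask 077        # new files are never group/world readable
    status=0
    for f in "$src"/key_*.iris "$src"/revoked_keys.iris; do
        [ -f "$f" ] || continue          # unmatched glob or file not on the device
        name=${f##*/}
        if [ -e "$dest/$name" ]; then
            echo "kept $name"            # never overwrite files on the instance
            continue
        fi
        # cp, not mv: the reference copy stays on the portable device.
        if cp "$f" "$dest/$name" && chmod 600 "$dest/$name"; then
            if [ -n "$owner" ]; then chown "$owner" "$dest/$name" || status=1; fi
            echo "copied $name"
        else
            status=1
        fi
    done
    umask "$old_umask"
    return $status
}

# loose_key_files KEY_DIR: list .iris files that group or others can access.
# Uses the GNU find "-perm /mode" syntax.
loose_key_files() {
    find "$1" -type f -name '*.iris' -perm /077
}
```

Because existing files are skipped, revoked_keys.iris is delivered only on the first distribution; files reported by loose_key_files still need their permissions corrected by hand.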