Post-upgrade tasks for Encryption Key Manager

After Encryption Key Manager is migrated, you must validate the configuration and protect data.

  • Do not run Encryption Key Manager after the migration. Although its data has been migrated, Encryption Key Manager retains its ability to serve keys, so keep it shut down.
  • Resolve possible problems with certificates and keys.

    Encryption Key Manager does not restrict the device groups with which a certificate and its keys can be associated. Certificates and keys that belong to multiple device types are marked as CONFLICTED after migration to IBM® Security Guardium® Key Lifecycle Manager, Version 4.2. You cannot change their device group to another device group. IBM Security Guardium Key Lifecycle Manager can still use a certificate or key that is marked as CONFLICTED for both read and write operations.

    Migration might also cause a certificate to appear with an UNKNOWN label in the IBM Security Guardium Key Lifecycle Manager graphical user interface.
    • Unknown certificates can be used as rollover certificates. Once scheduled as a rollover, the unknown certificate is updated to the specific device group of the rollover. A TLS server certificate with an UNKNOWN label is updated to be a TLS certificate.
    • Pending certificates might be listed on the graphical user interface with a device group that has an UNKNOWN status. First, accept the pending certificate, which then has an UNKNOWN status. Next, use the Certificate Update REST Service to update the certificate usage to a specific device group. The update changes the certificate status to a state such as active.
    • After migration completes, one or more devices might be associated with the UNKNOWN device group. You can assign the device group for UNKNOWN devices to a new group, or allow the group to be determined when the devices make a first key service request.

    Use the Certificate List REST Service command to find certificates that are marked as CONFLICTED or UNKNOWN. For more information, see Certificate List REST Service.

  • Verify that the migrated Encryption Key Manager configuration is in the state that you expect before you make any updates or any configuration changes to IBM Security Guardium Key Lifecycle Manager.

    The Encryption Key Manager configuration keystore becomes the IBM Security Guardium Key Lifecycle Manager keystore after migration is complete. You cannot migrate the Encryption Key Manager server data a second time to the same IBM Security Guardium Key Lifecycle Manager server.
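The following script is an added example of the post-migration certificate check described above; it is not code from the IBM product documentation. It assumes that the Certificate List REST Service returns a JSON list of records with "alias", "state" and "usage" fields, and the endpoint path and Authorization header format are placeholders to confirm against the REST service reference.

```python
import json
import urllib.request

CONFLICTED = "CONFLICTED"
UNKNOWN = "UNKNOWN"


def fetch_certificates(base_url, auth_token):
    """Call the Certificate List REST Service and return its parsed JSON.

    Assumed path and header format; confirm against the Certificate List
    REST Service documentation before use.
    """
    req = urllib.request.Request(
        f"{base_url}/certificates",  # assumed path
        headers={"Authorization": f"SKLMAuth userAuthId={auth_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def triage(records):
    """Sort certificate records into the post-migration action each one needs."""
    actions = {"conflicted": [], "accept_then_update": [],
               "assign_group": [], "ok": []}
    for rec in records:
        alias = rec["alias"]
        state = rec.get("state", "").upper()
        usage = rec.get("usage", "").upper()  # usage names the device group
        if state == CONFLICTED:
            # Usable for read and write, but the device group cannot be changed.
            actions["conflicted"].append(alias)
        elif state == "PENDING" and usage == UNKNOWN:
            # Accept first, then set the usage with the Certificate Update REST Service.
            actions["accept_then_update"].append(alias)
        elif usage == UNKNOWN:
            # Already accepted: update its usage or schedule it as a rollover certificate.
            actions["assign_group"].append(alias)
        else:
            actions["ok"].append(alias)
    return actions


# Constructed sample response, not output from a real server.
SAMPLE = [
    {"alias": "lto-cert-1", "state": "ACTIVE", "usage": "LTO"},
    {"alias": "shared-cert", "state": "CONFLICTED", "usage": "LTO"},
    {"alias": "new-cert", "state": "PENDING", "usage": "UNKNOWN"},
    {"alias": "old-cert", "state": "ACTIVE", "usage": "UNKNOWN"},
]

if __name__ == "__main__":
    for action, aliases in triage(SAMPLE).items():
        print(f"{action}: {', '.join(aliases) or '-'}")
```

Run `triage(fetch_certificates(url, token))` against the live server to produce the same action lists for the migrated keystore.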

What to do next

From the Welcome page, configure the drive types, keys, and certificates that your organization requires, or get started with using the product. See Administering.