Post-upgrade tasks for Encryption Key Manager
After Encryption Key Manager is migrated, you must validate the configuration and protect data.
- Do not run Encryption Key Manager. After migration, Encryption Key Manager retains its ability to serve keys.
- Resolve possible problems with certificates and keys.
  Encryption Key Manager does not restrict the device groups to which a certificate and its keys can be associated. Certificates and keys that belong to multiple device types are marked as CONFLICTED after migration to IBM® Security Guardium® Key Lifecycle Manager, Version 4.2. You cannot change their device group to another device group. IBM Security Guardium Key Lifecycle Manager can use a certificate or key that is marked as CONFLICTED for both read and write operations. Migration might also cause a certificate to appear with an UNKNOWN label in the IBM Security Guardium Key Lifecycle Manager graphical user interface.
  - Unknown certificates can be used as rollover certificates. Once scheduled as a rollover, the unknown certificate is updated to the specific device group of the rollover. A TLS server certificate with an UNKNOWN label is updated to be a TLS certificate.
  - Pending certificates might be listed on the graphical user interface with a device group that has an UNKNOWN status. First, accept the pending certificate, which then has an UNKNOWN status. Next, use the Certificate Update REST Service to update the certificate usage to a specific device group. The update changes the certificate status to a state such as active.
  - After migration completes, one or more devices might be associated with the UNKNOWN device group. You can assign the device group for UNKNOWN devices to a new group, or allow the group to be determined when the devices make a first key service request.
  Use the Certificate List REST Service command to find certificates that are marked as UNKNOWN. For more information, see Certificate List REST Service.
- Verify that the migrated Encryption Key Manager configuration is in the state that you expect before you make any updates or any configuration changes to IBM Security Guardium Key Lifecycle Manager.
The Encryption Key Manager configuration keystore becomes the IBM Security Guardium Key Lifecycle Manager keystore after migration is complete. You cannot migrate the Encryption Key Manager server data a second time to the same IBM Security Guardium Key Lifecycle Manager server.
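The certificate clean-up described above (find certificates marked UNKNOWN or CONFLICTED with the Certificate List REST Service, accept pending ones, then assign a device group with the Certificate Update REST Service) can be scripted so that the post-migration state is checked the same way every time. The following is an added example, not IBM documentation or product code. The REST paths, the `Authorization` header format and the JSON field names (`alias`, `state`, `usage`) are assumptions modelled on the product's REST services and must be checked against the documentation for your release; the sample response is constructed, so the triage and planning functions run offline, and only `send_update` talks to a server.

```python
"""Post-migration certificate triage for Guardium Key Lifecycle Manager.

Added example (not IBM code). Endpoints, header format and field names
are ASSUMPTIONS; verify them against the REST documentation for your
release before use.
"""
import json
import ssl
import urllib.request

# Assumed REST paths for the Certificate List / Certificate Update services.
CERT_LIST_PATH = "/SKLM/rest/v1/certificates"
CERT_UPDATE_PATH = "/SKLM/rest/v1/certificates"

# Constructed sample of a Certificate List response after an Encryption
# Key Manager migration. Field names are assumptions; state values follow
# the labels described on this page.
SAMPLE_CERT_LIST = json.loads("""
[
  {"alias": "ekm-lto-cert-1", "state": "active",     "usage": "LTO"},
  {"alias": "ekm-shared-cert", "state": "CONFLICTED", "usage": "LTO,3592"},
  {"alias": "ekm-old-cert",    "state": "UNKNOWN",    "usage": "UNKNOWN"},
  {"alias": "ekm-tls-cert",    "state": "UNKNOWN",    "usage": "SSLSERVER"},
  {"alias": "ekm-pending",     "state": "pending",    "usage": "UNKNOWN"}
]
""")


def triage(cert_list):
    """Sort certificates into post-migration buckets by state/usage.

    Returns a dict with the lists 'conflicted', 'pending', 'unknown', 'ok'
    (aliases, in response order).
    """
    buckets = {"conflicted": [], "pending": [], "unknown": [], "ok": []}
    for cert in cert_list:
        state = str(cert.get("state", "")).upper()
        usage = str(cert.get("usage", "")).upper()
        if state == "CONFLICTED":
            buckets["conflicted"].append(cert["alias"])
        elif state == "PENDING":
            buckets["pending"].append(cert["alias"])
        elif state == "UNKNOWN" or usage == "UNKNOWN":
            buckets["unknown"].append(cert["alias"])
        else:
            buckets["ok"].append(cert["alias"])
    return buckets


def plan_updates(buckets, assignments):
    """Build Certificate Update payloads for UNKNOWN certificates.

    `assignments` maps alias -> target device group. CONFLICTED certificates
    are never updated (their device group cannot be changed), and pending
    certificates must be accepted before their usage can be updated, so
    both are reported as skipped with the reason.
    """
    updates, skipped = [], {}
    for alias in buckets["conflicted"]:
        if alias in assignments:
            skipped[alias] = "CONFLICTED: device group cannot be changed"
    for alias in buckets["pending"]:
        if alias in assignments:
            skipped[alias] = "pending: accept the certificate first"
    for alias in buckets["unknown"]:
        if alias in assignments:
            updates.append({"alias": alias, "usage": assignments[alias]})
        else:
            skipped[alias] = "UNKNOWN: no target device group assigned"
    return updates, skipped


def send_update(base_url, token, payload, cafile):
    """PUT one update payload to the (assumed) Certificate Update service.

    Network call, not exercised offline. The server certificate is
    verified against `cafile` rather than disabling TLS verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        base_url + CERT_UPDATE_PATH,
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            # Assumed header format for a token obtained from the login service.
            "Authorization": "SKLMAuth userAuthId=" + token,
        },
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    found = triage(SAMPLE_CERT_LIST)
    wanted = {"ekm-old-cert": "LTO", "ekm-shared-cert": "LTO", "ekm-pending": "3592"}
    todo, held = plan_updates(found, wanted)
    print("buckets:", json.dumps(found, indent=2))
    print("updates to send:", todo)
    print("skipped:", held)
```

Run the triage first and review the `skipped` dictionary: a CONFLICTED alias there is expected and needs no action, a pending alias means the certificate still has to be accepted in the graphical user interface before its usage can be updated, and an UNKNOWN alias with no assignment is a decision still to be made before the migrated server is put into service.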
What to do next
From the Welcome page, configure the drive types, keys, and certificates that your organization requires, or get started with using the product. See Administering.