Administering wrapping keys and devices
To administer wrapping keys and devices, you might want to determine their status. You can map their association, or add, modify, or delete specific wrapping keys or devices.
About this task
Before you begin, examine the columns on the page, which provides buttons to add, modify, or delete a table item. To sort information, click a column header.
Use the 3592 Key and Device Management page to map wrapping keys to devices to determine the status of items in the table. You might add, modify, or delete wrapping keys or devices. Your role must have permissions to the view action and to the appropriate device group.
The table is organized in these areas:
- The left table shows the information about wrapping keys. It lists the wrapping key alias, type, whether the wrapping key is used as a system default or system partner, the expiration date, and status of the wrapping key.
- In the right columns, information about drives indicates the drive name and whether the drive uses a system default as its default or partner certificate.
- Status icons indicate the status of a certificate.
Table 1. Status icons and their meanings
- Certificate is in an active state.
- Certificate is in a compromised state.
- Certificate expires soon.
- Certificate is in an expired state.
- Certificate valid from future date, for migrated certificates with a future use time stamp.
- IBM® Security Guardium® Key Lifecycle Manager has third-party certificate requests that are waiting to be signed and imported.
Log on to the graphical user interface:
- In the Key and Device Management section on the Welcome page, select 3592.
- Click .
- Alternatively, right-click 3592 and select Manage keys and devices.
Descriptions of some steps describe alternatives by using the graphical user interface or the REST interface. For any one work session, do not switch between interfaces.
Descriptions of some tasks might mention task-related properties in the SKLMConfig.properties file. Use the graphical user interface or the REST interface to change these properties.
On the 3592 Key and Device Management page, you can add, modify, or delete a certificate or drive. Additionally, you can monitor the status of certificates.
You might do these administrative tasks:
Click Add. Alternatively, you can select a step-by-step process to create certificates and drives.
On the Create Certificate dialog, select the certificate type as either self-signed or from a third-party provider, and complete the required information. Then, click Create Certificate. Your role must have the permissions to the create action and to the appropriate device group. To make this certificate the default, your role must have permission to the modify action.
- Tape drive
On the Add Tape Drive dialog, type the drive information. Then, click Add Tape Drive. Your role must have the permission to the create action and a permission to the appropriate device group.
- Use step by step process for certificate and drive creation
On the Step1: Create Certificates and Step2: Identify Drives pages, enter the necessary information.
A success indicator varies, showing a change in a column for the certificate or device.
To change or delete a certificate or drive, select a certificate or drive, and then click Modify. Alternatively, right-click the selected certificate or drive. Then, click Modify, or double-click a certificate or device entry in the list.
Specify changes in the Modify Certificate dialog. Then, click Modify Certificate. Your role must have the permissions to the modify action and to the appropriate device group.
- Tape drive
Specify changes in the Modify Tape Drive dialog. Then, click Modify Tape Drive. Your role must have permissions to the modify action and to the appropriate device group.
A success indicator varies, showing a change in a column for the certificate or device. Changes to some information, such as optional fields, might not be provided in the table.
To delete a certificate or drive, highlight the entry in the table and click Delete. Alternatively, right-click the selected certificate or drive. Then, click Delete.
Ensure that you have a current backup of the keystore before you delete a certificate. Any tapes that are written by using this certificate become non-readable after the certificate is deleted. The certificate to be deleted can be in any state, such as active. Regardless of its state, you cannot delete a certificate that is associated with a device. You also cannot delete a certificate that is marked as either default or partner. Your role must have the permissions to the delete action and to the appropriate device group.
Deleting a certificate deletes the material from the database.
To confirm deletion, click OK.
- Tape drive
Metadata for the drive that you delete, such as the drive serial number, is removed from the IBM Security Guardium Key Lifecycle Manager database. To confirm deletion, click OK. Your role must have permissions to the delete action and to the appropriate device group.
A success indicator is that the certificate or device is removed from the administration table.