
What's New?

Unified Key Orchestrator v3.1 provides efficient and security-rich centralized key management.

Release notes for v3.1.0.8

New features and enhancements

Following are the new features and enhancements that are included in v3.1.0.8.

Crypto Connect ACSP (CC ACSP)

Crypto Connect ACSP (CC ACSP) is an IBM solution under Crypto Connect, designed to efficiently manage and distribute access to Hardware Security Modules (HSMs). It optimizes resource usage and reduces costs by enabling a single HSM to be shared across multiple applications or containers.

For more information, see Understanding CC ACSP server.

Managed keys status

The managed keys status offers enhanced verification: it checks key and keystore states against the database without performing any updates. You can customize the verification settings for manual or automated runs to balance resource usage against system performance. Keys that are found to be out of sync are flagged, so the tracked status stays current.

For more information, see Managed keys status.
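The following is an added example, not UKO code, that models the read-only verification described above: expected key records (what the management database says) are compared with observed keystore contents, and every mismatch is flagged without anything being written back. The record shapes, field names and the sample keys are constructed for this illustration; UKO's own data model and API are not shown here.

```python
"""Read-only drift check between database-expected keys and keystore contents.

Added example, not UKO code. Record shapes and sample data are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class KeyRecord:
    name: str
    keystore: str
    version: int
    state: str         # e.g. "active", "deactivated", "destroyed"
    fingerprint: str   # digest of the key material or public key


@dataclass
class KeyStatus:
    name: str
    keystore: str
    in_sync: bool
    reasons: list = field(default_factory=list)


def verify_keys(expected, observed):
    """Compare database-expected records with what the keystores hold.

    Returns one KeyStatus per expected record plus one per keystore entry
    that the database does not know about. Inputs are never mutated:
    this is verification only, no synchronization.
    """
    by_id = {(k.keystore, k.name): k for k in observed}
    results = []
    for exp in expected:
        obs = by_id.get((exp.keystore, exp.name))
        reasons = []
        if obs is None:
            reasons.append("missing in keystore")
        else:
            if obs.version != exp.version:
                reasons.append(f"version {obs.version} != expected {exp.version}")
            if obs.state != exp.state:
                reasons.append(f"state {obs.state!r} != expected {exp.state!r}")
            if obs.fingerprint != exp.fingerprint:
                reasons.append("fingerprint mismatch")
        results.append(KeyStatus(exp.name, exp.keystore, not reasons, reasons))
    known = {(k.keystore, k.name) for k in expected}
    for obs in observed:
        if (obs.keystore, obs.name) not in known:
            results.append(KeyStatus(obs.name, obs.keystore, False, ["not in database"]))
    return results


def out_of_sync(results):
    """Filter to the entries a verification run would flag."""
    return [r for r in results if not r.in_sync]


def sample_expected():
    """Constructed database view (hypothetical keys)."""
    return [
        KeyRecord("aes-payroll", "kms-a", 3, "active", "f1"),
        KeyRecord("rsa-sign", "kms-a", 1, "active", "f2"),
        KeyRecord("aes-archive", "hsm-z", 2, "deactivated", "f3"),
    ]


def sample_observed():
    """Constructed keystore view: one rotated behind UKO's back, one missing, one orphan."""
    return [
        KeyRecord("aes-payroll", "kms-a", 3, "active", "f1"),
        KeyRecord("rsa-sign", "kms-a", 2, "active", "f9"),
        KeyRecord("orphan-key", "hsm-z", 1, "active", "f7"),
    ]


if __name__ == "__main__":
    for status in out_of_sync(verify_keys(sample_expected(), sample_observed())):
        print(f"{status.keystore}/{status.name}: {'; '.join(status.reasons)}")
```

Because the function is pure, it can be scheduled on a timer or run by hand against the same inputs and will always return the same answer, which is the property that lets a verification run be separated from any later synchronization step.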

Crypto Connect CAT updates

Features:
  • Database cleanup runs once a day and also at server startup. It can be configured by using the following environment variables:
    • CAT_DB_SIZE_LIMIT
    • CAT_RETENTION_PERIOD_IN_DAYS
    • CAT_CLEANING_PERIOD_IN_DAYS
  • Support for the following PQC data algorithms:
    • ML-KEM
    • Dilithium
    • Kyber
    • ML-DSA
  • Additional field in the API: the variant that is used for a PQC algorithm
  • Pagination for counting queries
  • Authorization with mTLS now works with client certificates alone; a token is no longer required
  • Support for TR31 data
  • Support for CryptoCoprocessorActivity count queries
  • Extract symmetric and asymmetric keys from TKDS
Bug fixes:
  • ECC curves are now also returned in data that is based on SMF46 records
  • DES key sizes unified to 56/112/168 bits
  • Improved performance of Kafka error handling
  • Updates of dependencies to the latest versions
  • Proper system IDs for key lifecycle events
  • Better handling of deserialization errors
  • Correct PQC security strength for AES algorithms
  • Filtering parameters validation
  • GraphiQL UI support
  • Proper secondary job start time for key lifecycle events
  • Streamline cryptographic algorithm names (identical algorithms had different names depending on the source)

Enhancements

  • Enhanced the Data sets view for better data set analysis and consistency. The enhancements are:

    • Percentage-based data set representation
    • Quick filters for data sets states
    • Multi-PLEX view
    • Migration state filtering
    • Table refresh functionality
    • Customizable columns
    • Download of the data sets table
    • View more items per page
    • Enhanced data set detail page

    For more information, see Viewing data set encryption status.

  • Enhanced the Overview page to display information based on the selected vaults and Plexes. You can filter the data by one or more vaults and Plexes. The Overview page now shows the following information:

    • Keystores
    • Key templates
    • Managed keys
    • Keys expiration status
    • Managed keys states
    • Data sets encryption status

    For more information, see the Overview page.

  • UKO KMG Agent updates:

    • Supports Elliptic Curve Cryptography (ECC) algorithm for key template creation.
    • Added Key usage field to RSA, EC, ML-KEM, and ML-DSA algorithms.
    • Added modes to ML-DSA algorithm.
    • Added key types: IMPORTER and EXPORTER to AES algorithm.
    • Added Key management customization to ML-KEM and ML-DSA algorithms.

    For more information, see Creating key templates and Algorithm properties for UKO KMG Agent keystore type.

Known issues

  • OpenID Connect problems

    Logging on to UKO leaves you with a screen full of 403 Unauthorized messages. In the log you see:

    javax.security.auth.login.CredentialException: The client ID or the realm name is not set or is not a match for the incoming request. Please check your Openid Connect Client configuration com.ibm.ws.security.authentication.jaas.modules.HashtableLoginModule

    Workaround

    This is a current issue with newer versions of Liberty, for example 25.0.0.9 or 25.0.0.10. Revert to an older version, for example 25.0.0.3, until Liberty resolves the issue.
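Rather than waiting for users to report a wall of 403s, the condition above can be spotted in the server log. The script below is an added example, not IBM or UKO code: it parses lines in the layout of a Liberty messages.log, matches on the CredentialException text quoted in this known issue, and summarizes the hits. The sample log lines, thread IDs, timestamps and the `com.example` logger are constructed for the example; only the exception message and the HashtableLoginModule class name come from the release note.

```python
"""Flag the OpenID Connect client-ID/realm mismatch in a Liberty-style log.

Added example, not IBM or UKO code. Sample lines are constructed.
"""
import re

# Liberty messages.log layout: [timestamp] threadId logger level message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9A-Fa-f]{8})\s+(?P<logger>\S+)\s+"
    r"(?P<level>[A-Z])\s+(?P<msg>.*)$"
)

# Message text from the known issue, as quoted in the release notes.
OIDC_MISMATCH = "The client ID or the realm name is not set or is not a match"
LOGIN_MODULE = "com.ibm.ws.security.authentication.jaas.modules.HashtableLoginModule"

# Constructed sample log (not captured from a real server).
SAMPLE_LINES = [
    "[9/30/25, 10:12:01:101 UTC] 0000001a com.example.uko.Startup I server ready",
    "[9/30/25, 10:13:44:512 UTC] 00000042 " + LOGIN_MODULE + " E "
    "javax.security.auth.login.CredentialException: " + OIDC_MISMATCH +
    " for the incoming request. Please check your Openid Connect Client configuration",
    "[9/30/25, 10:13:44:520 UTC] 00000042 com.example.uko.auth.LoginFilter W "
    "Login failed: javax.security.auth.login.CredentialException: " + OIDC_MISMATCH +
    " for the incoming request.",
    "[9/30/25, 10:13:50:003 UTC] 00000043 " + LOGIN_MODULE + " E "
    "javax.security.auth.login.CredentialException: " + OIDC_MISMATCH +
    " for the incoming request. Please check your Openid Connect Client configuration",
    "[9/30/25, 10:14:00:000 UTC] 00000044 com.example.uko.Audit I user logout",
]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_oidc_failures(lines):
    """Return parsed records whose message carries the OIDC mismatch text.

    Matching is on the message text rather than the logger name because the
    exception may be wrapped and re-logged by another component.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and OIDC_MISMATCH in rec["msg"]:
            hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate hits into the facts a responder needs before rolling Liberty back."""
    if not hits:
        return {"affected": False, "count": 0, "threads": [], "first": None,
                "last": None, "from_login_module": 0}
    return {
        "affected": True,
        "count": len(hits),
        "threads": sorted({h["thread"] for h in hits}),
        "first": hits[0]["ts"],
        "last": hits[-1]["ts"],
        "from_login_module": sum(1 for h in hits if h["logger"] == LOGIN_MODULE),
    }


if __name__ == "__main__":
    print(summarize(find_oidc_failures(SAMPLE_LINES)))
```

To run it against a real server, replace SAMPLE_LINES with the lines of the Liberty messages.log (its location depends on the server configuration, which is why the script does not hard-code a path). A non-zero `count` immediately after a Liberty upgrade is the signal to apply the workaround above.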

  • Successful key sync is not updated automatically

    When a key is synced with the target keystore, the update is not automatically reflected in the managed key instance view of the Managed Keys page. The Out of Sync flag still appears for the key.

    Workaround

    Close and reopen the managed key instance view of the key.

  • Key templates that use the UKO KMG Agent with the ML-DSA or ML-KEM algorithm can create key instances only for certain key usage combinations

    If you configure a key template by using the UKO KMG Agent and the ML-DSA or ML-KEM algorithm, you can use it to create key instances only if you selected one of the following key usage combinations. Other combinations do not work.

    • For ML-DSA: Only digital signature usage is allowed (the Signature option from the list).
    • For ML-KEM: Key encipherment, Data encipherment, or both.
  • Key templates cannot be created by using the UKO KMG Agent and ML-KEM or ML-DSA with Certificate signing key usage

    You cannot create a key template in the UI by using the UKO KMG Agent and the ML-KEM or ML-DSA algorithm if you selected the Certificate signing key usage. As a workaround, create the template by using the API.

Release notes for v3.1.0.7

New features and enhancements

Following are the new features and enhancements that are included in v3.1.0.7.

Post-quantum cryptography

UKO now supports post-quantum cryptography (PQC) algorithms (ML-DSA and ML-KEM) for KMG agent.

An additional fix is required for EKMF Workstation before you start to use PQC in combined environments.

New crypto analytics and inventory capabilities

  • New CAT Agent to collect SMF and keystore related information.
  • New CC CAT GraphQL API to query crypto inventory information that resides in the PostgreSQL database included as part of Crypto Connect.

Enhancements

  • New Add-on components tab for the Getting started page.
  • You can now choose HMAC algorithm and hashing methods for KMG Agent while creating key templates.
  • The EKMF Web frontend is no longer started by default. It can still be configured to start instead of the UKO frontend, but the two frontends can no longer run at the same time. The application switcher is removed as well.

Fixed vulnerabilities

  • CVE-2025-22233
  • CVE-2025-22235
  • CVE-2025-48734

Fixed issues

  • Fixed the issue with nested side panels reusing filters that are applied on a table in the parent component.

  • Fixed the issue with the Managed keys section of key template properties displaying the wrong key count.

  • Fixed front-end accessibility violations.

  • Fixed the issue with the orderBy filter that appears in the Managed keys tab for every action that is performed.

  • The following issues with Key template properties side panel are resolved:

    • Key state update doesn’t persist after saving.
    • Activate and deactivate key actions after properties change doesn’t persist after saving.
    • Unassigning the keystore group from the template displays an incorrect dropdown placeholder.
    • Changing the Activate keys after property doesn't update the dropdown with the selected value.
  • Under the Security and recovery section of a vault, updating the recovery key name always produced a success notification, even when the update failed. The notification now reflects the actual result.

  • Fixed the issue with the out of sync and in sync key count information in the Overview page being incorrectly displayed.

Known issues

  • Out of sync status after keystore group changes

    If you make changes to a keystore group that has keys in it, the Out of sync status might not appear immediately for the keys in the Managed keys tab.

    Workaround

    Click the key to open the side panel and view the updated Out of sync status.

Release notes for v3.1.0.6

New features and improvements:

  • You can download the Microsoft DKE logs from the About page (click the ? icon to open the About page).
  • New HMAC key management support for KMG keystores.
  • Optimized UI performance.
  • The cache can now be rebuilt from the Administration panel. Previously, this was possible only by using the API.
  • You can create RSA key with different key management flags.
  • Updated the access-management-api-client and v4-api-typescript-axios packages to their official versions, which also fixes vulnerabilities.

Fixed vulnerabilities:

  • CVE-2025-27152
  • CVE-2025-26791
  • CVE-2024-21538
  • CVE-2024-4067

Fixed issues:

  • KMG key creation: A key can no longer be created without entering a key name.
  • Keys can now be filtered by keystore.
  • Fixed the issue with key templates: when a key is created from a template that contains a placeholder, the key name now matches the naming scheme that is defined in the template.
  • Archive and edit template keystore issue: Fixed the modal to show only the keys that are related to the template.
  • The KMG keystore Connection details side panel now displays the connection details correctly.
  • The Disconnect action is not available for a keystore unless all keys in the keystore are in the pre-active state, in the destroyed state without a pending flag, or removed from the vault.
  • Fixed accessibility issues.

Release notes for v3.1.0.5

New features and improvements:

  • Import keystores from the Workstation can be disabled via server.env flag: DISABLE_IMPORT_KEYSTORES_FROM_WORKSTATION=true
  • Database schema migrations can be disabled via server.env flag: DISABLE_MIGRATIONS=true
  • Key state of any version of a CCA key (KMG Keystores) can be changed using the API (previously only possible for latest version)

Fixed Vulnerabilities:

  • CVE-2024-38820
  • CVE-2024-21538
  • CVE-2024-47535
  • CVE-2024-52316
  • CVE-2024-52317
  • CVE-2024-52798
  • CVE-2024-55565
  • WS-2024-0017
  • CVE-2024-50379
  • CVE-2024-56337

Release notes for v3.1.0.4

New features and improvements:

  • New ‘Getting started’ page
  • Improvements to the ‘Overview’ page
  • Simplified creation flows while working in the context of a vault, and even more simplified flow while creating a key off of a template.
  • RSA algorithm support for KMG keystore type keys.
  • Microsoft Double Key Encryption (DKE) keystore support
  • Private endpoint (TLS proxy) support for Azure key vaults.
  • Face-lifted and more streamlined confirmation modals
  • New information tiles for Data sets, Audit log, API and Administration pages
  • New - ‘System status’ tab under the Administration page
  • Support for IBM WebSphere Application Server Liberty. For more information, see WebSphere Application Server Liberty 24.0.0.7.
  • New server.env variables SAF_VAULT_ID_TO_UPPER_CASE and SAF_ACTION_TO_UPPER_CASE to support the use of RACFVARS in vault-specific EJBROLE definitions

Release notes for v3.1.0.3

New features and improvements:

  • Improvements of the administration page.
  • Adaptation to the new Google default deletion period, which changed from 1 day to 30 days.
  • The URL of the Open API is changed from /api/explorer to /openapi/ui.
  • Fixed the issue with Message Authentication Code (MAC) verification for non-system keys.

Upgrades:

  • netty to 4.1.110.Final
  • netty.refactor to 1.1.18
  • bouncy-castle to 1.78.1
  • azure.identity to 1.12.2

Vulnerabilities:

  • Issue 4014: Address CVE-2024-35255 vulnerability
  • Issue 3993: Address CVE-2024-30172, CVE-2024-29857, and CVE-2024-30171 vulnerability
  • Issue 3809: Address CVE-2024-29025 vulnerability

Release notes for v3.1.0.2

New features and improvements:

  • Introduction of the server.env parameter SAF_PROFILE_PREFIX which replaces the hardcoded value of EKMFWEB and affects the security definitions in the EJBROLE and APPL classes
  • Removal of the limitation to 50 vaults
  • The vault administrator role has been added to the documentation and workflows
  • The missing views for the tables T_VAULTS_API_V4, T_TEMPLATES_API_V4, T_KEYS_API_V4, and T_KEYSTORES_API_V4 have been created
  • Compatibility with the latest version of WebSphere Liberty (24.0.0.2)

Release notes for v3.1.0.1

New features and improvements:

  • Key templates can now define key instance naming schemes in the user interface. In previous versions this was only possible using custom properties. Note that the use of system placeholders in the main key naming scheme and the key instance naming scheme will have an impact on whether a key can be rotated. In addition, you can decide for some type of keystores, whether previous versions of the key should be deactivated upon key rotation.
  • The environment and location fields are obsolete and have been removed from Azure keystores.
  • Keys can now be filtered by template alignment status.
  • Keys can now be filtered by whether the key in keystore is in sync with what is expected.
  • Better support for native rate limitation for operations in different clouds.
  • Integration between UKO and EKMF Workstation allows for seamless management of Pervasive Encryption and AWS AES keys between the two products, including data integrity calculations. The installation instructions have been updated to include the steps required for shared use of EKMF Workstation and UKO.
    • Use filters to display keys that can be edited by UKO (Edit) or that are View only (secure room required) because they are managed by EKMF Workstation
    • Multi-zone key distribution: a key that is created on the EKMF Workstation and spans multiple instances, zones, and application names is now fully supported.
    • Support for specifying the key zone used by UKO (defaults to I)
    • Support for specifying the key zone used by EKMF Workstation (defaults to 2)
  • Migration to v3.1.0.1 can be done manually or using workflows.

Vulnerabilities:

  • Issue 2596: Address CVE-2022-45868 vulnerability
  • Issue 3125: Address CVE-2023-44487 vulnerability

Upgrades:

  • netty to 4.1.100.Final
  • reactor-netty-http to 1.1.12
  • h2 to 2.2.220

Release notes for v3.1.0.0

Application switcher

With UKO v3.1 you can decide between the previous EKMF Web V2.1 application and the new UKO v3.1 application. To switch between the applications, click the switch icon in the top right corner.

z/OSMF workflows

UKO provides z/OSMF workflows for installation, migration and other basic tasks.

Data set dashboard

Proactively manage your data set encryption deployment with an enterprise view of which data sets are encrypted and which keys are in use.

Security-rich key generation

Generate keys with FIPS 140-2 Level 4 certified IBM Crypto Express cards on IBM Z for hardware-generated keys.

Policy-based key generation

Easily create your key templates to generate keys that adhere to your internal policies such as enforcing key naming conventions.

Role-based access and dual control

Comply with security standards with role-based access that defines functions for each role, and enforce dual control requiring 2 or more people to activate EKMF.

External RESTful API

Seamlessly integrate key management with your business processes.

Set up keys for GKLM

Advanced auditability and compliance

Provide auditors with consolidated key management logs for all keys managed.

Audit events in EKMF Web

Key rotation

Rotate managed keys, including master keys, on demand to comply with your policy requirements.

Multi-tenancy

Leverage secure repositories with fine-grained access controls known as vaults to enable multi-tenancy and self-service key management.

Secure room operation

Set up UKO for z/OS in combination with Enterprise Key Management Foundation Workstation (EKMF Workstation) for secure room operation.


An EKMF Workstation and UKO for z/OS coexistence compatibility fix is planned for EKMF Workstation Q4 releases (9.5.4 and 10.2.4) expected end of December. Requests for earlier delivery as an interim Fix Pack to existing versions will be considered on request.

Notices

  • Key rotation for PE keys works only using the RESTful APIs. UI update will be provided in the first fixpack.
  • CCA Firmware update is required to enable and support Azure and Google with the CKM-RAKW export keyword. This will require update to CCA 7.4.46 or 8.1.75 (and 7.5/8.2)