In an increasingly interconnected world, data breaches grab headlines. The security of sensitive information is vital, and new requirements and regulatory bodies such as the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) create challenges for enterprises that use encryption to protect their information. As encryption becomes more widely adopted, organizations must also contend with an ever-growing set of encryption keys. Effective management of these keys is essential to ensure both the availability and the security of the encrypted information. Centralized management of keys and certificates is necessary to perform the complex tasks related to key and certificate generation, renewal, backup and recovery.

The IBM Enterprise Key Management Foundation (EKMF) is a flexible and highly secure key management system for the enterprise. It provides centralized key management on IBM zEnterprise® and distributed platforms for streamlined, efficient and secure key and certificate management operations. EKMF is well suited for banks, payment card processors and other businesses that must meet EMV® and payment card industry (PCI) requirements. EKMF serves as a foundation on which remote crypto solutions and analytics for the cryptographic infrastructure can be provided.

The IBM EKMF solution, which is used by major financial customers worldwide, is the engine of the EKMF. IBM EKMF is developed by the IBM EMEA Crypto Competence Center in close cooperation with many of these customers. The EKMF functionality is continuously extended and adapted to customer needs, industry standards, and regulatory initiatives.

Overview

High volumes of certificates and encryption keys can be managed centrally and uniformly with EKMF, independent of the target platforms. EKMF manages keys and certificates for cryptographic coprocessors, hardware security modules (HSMs), software implementations such as the Java key store, ATMs, and point-of-sale terminals. EKMF offers extensive support for EMV® chip cards for issuers, acquirers, and card brands.

The main attributes of EKMF are:

  • Multi-platform, multi-site and multi-vendor support. EKMF provides the facility to perform all key and certificate management functions across different platforms, operating systems and geographical locations, and for a variety of key end points. Specifically, EKMF currently supports the following cryptographic platforms:
    • IBM mainframe cryptographic coprocessors (CryptoExpress6, CryptoExpress5, CryptoExpress4) on z/OS
    • IBM 4765 and IBM 4767 on Microsoft Windows® and Linux on Intel86 platforms
    • IBM 4765 and IBM 4767 on Power Systems
    • RACF® keystore and keyrings
    • IBM DataPower® Gateway
    • Other vendor crypto hardware such as Thales®
    • SSL key stores such as Java key stores, PKCS#12, and KDB
  • Central repository. All keys and certificates are stored in a central repository together with metadata such as activation dates and usage. Because all key material is kept in one repository, backup is easily achieved by including the database in existing database backup procedures, which in turn makes recovery straightforward if keys or certificates are lost.
  • Monitoring of keys and certificates. Expiry of key material is monitored and alerts are generated in due time to initiate replacement. This is especially crucial for certificates, as an expired certificate most often means that a service is unavailable.
  • Security features
    • Secure key generation. The security of the system depends heavily on the method of key generation. In EKMF, keys are generated inside the IBM 4765 cryptographic coprocessor by its random number generator. RSA key generation conforms to ANSI X9.31.
    • Role Based Access Control. The EKMF access control system is role based and controls access to functions and keys. The system administrator can define which functions and which keys are available for each user.
    • Dual control. EKMF can be configured to require that two or more persons log on to activate EKMF, thus providing dual control for all operations.
    • Audit logging. Every important activity is logged in a DB2 table and, if available, in z/OS SMF.
  • Workflow. Efficient handling of high key volumes is provided through fully automated and semi-automated processes, as well as bulk key management.

EKMF Architecture

EKMF constitutes a centralized architecture in which management of multiple servers is performed from a single operator console, the EKMF workstation, as shown in the figure below. The workstation is connected to servers that are equipped with cryptographic engines and host the certificate- or key-consuming applications. One of the servers holds the central EKMF key repository, which serves as the backup for all keys and certificates managed by the system.

Being online to the servers enables EKMF to manage keys and certificates centrally and in real time. Generally, EKMF pushes key material to the key stores associated with the cryptographic engines on the servers. Alternatively, an application can request key material from the central EKMF repository, e.g. for use with third-party HSMs that do not implement key stores.

The applications request cryptographic support via application programming interfaces (APIs) on the servers. These APIs are usually offered as part of the crypto hardware. In addition, EKMF offers extensions to these APIs for selected areas that substantially ease their use and provide additional functionality.

The EKMF workstation used for PCI compliance includes an IBM 4767 Cryptographic Coprocessor, which assures high security and high quality of the generated keys. Other EKMF clients are available for use outside secure-room environments.

Basic Key Management

Basic key management functions include key generation, key import, key extraction, key print, and key administration. The functions are controlled by key templates and key policies. Besides controlling which functions are available for a key, the key template also pre-defines the key's attributes, which greatly eases daily work. When a key is generated or entered, it is automatically distributed to the servers specified in the key template.

Clear key parts are often used for the initial exchange of symmetric keys with external partners. Clear key parts are entered on the EKMF workstation's keyboard or, alternatively, on a dedicated high-security keyboard.

Key mailers are printed on a printer attached directly to the EKMF workstation. EKMF supports formatting of the key mailers and can add additional data such as contact information and the key check value.
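The two steps just described, clear key components entered by separate custodians and the key check value (KCV) printed on each mailer, as an added example in Go. This is not EKMF code: the KCV convention used (first three bytes of a TDES encryption of an all-zero block) and the XOR combination of components are assumptions, since the page does not define how its check value is computed.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// KCV returns the check value of a 16- or 24-byte TDES key: the first three
// bytes of an all-zero block encrypted under it. This is the common payment
// convention and an assumption here; the page does not define the KCV it prints.
func KCV(key []byte) []byte {
	if len(key) == 16 { // double-length key: expand to K1 K2 K1
		key = append(append([]byte{}, key...), key[:8]...)
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err) // CombineParts validates sizes before calling KCV
	}
	var zero, out [8]byte
	block.Encrypt(out[:], zero[:])
	return out[:3]
}

// KeyPart is one custodian's clear component and the KCV printed on its mailer.
type KeyPart struct{ Hex, KCV string }

// CombineParts checks each component against its printed KCV and XORs the
// components into the final key, returning it with its own KCV in hex. Any
// mismatch aborts before a key is formed, so a mis-typed component is caught.
func CombineParts(parts []KeyPart) ([]byte, string, error) {
	if len(parts) < 2 {
		return nil, "", fmt.Errorf("split knowledge needs at least two parts")
	}
	key := make([]byte, len(parts[0].Hex)/2)
	for i, p := range parts {
		comp, err := hex.DecodeString(p.Hex)
		if err != nil || len(comp) != len(key) || (len(key) != 16 && len(key) != 24) {
			return nil, "", fmt.Errorf("part %d: not a 16- or 24-byte hex key", i+1)
		}
		if got := KCV(comp); fmt.Sprintf("%X", got) != strings.ToUpper(p.KCV) {
			return nil, "", fmt.Errorf("part %d: KCV %X does not match its mailer", i+1, got)
		}
		for j := range comp {
			key[j] ^= comp[j]
		}
	}
	return key, fmt.Sprintf("%X", KCV(key)), nil
}
```

The value KCV returns for a component is what would be printed beside it on the mailer; the final key's KCV is the only thing that should ever be written down or logged after combination.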

Certificate Management

Certificates have become more and more important, as many web services and other communication connections rely on an RSA-based certificate scheme to assure authenticity and privacy. This scheme requires that certificates are renewed at regular intervals.

EKMF certificate management centralizes and unifies most of the tasks traditionally performed manually for system components that use TLS or other certificate-based schemes. Functions are offered that ease the administration of a large population of certificates. EKMF certificate management supports RACF, IBM DataPower Gateway, IBM MQ (formerly IBM WebSphere MQ), and numerous TLS server implementations.

An important function of certificate management is monitoring certificate expiry. An expired certificate most often means a disrupted service. EKMF monitors certificate expiration and sends warning messages in due time before a certificate expires.

Existing certificates can easily be included in EKMF monitoring: EKMF tools scan the system and import the certificate information.

EMV® chip card key management

EKMF offers key management for EMV chip cards as defined by EMVCo. EMV card issuers, acquirers, and brand certificate authorities can all benefit from EKMF's support.

The EMV card issuer and acquirer support consists of:

  • Issuer signature key generation and certificate handling according to the formats and procedures specified by Visa and MasterCard.
  • Card issuing support functions such as signing static data for Static Data Authentication (SDA), generating card unique RSA keys for Dynamic Data Authentication (DDA), and deriving card unique DES keys from issuer master keys.
  • Transaction authorization support for verification of application cryptograms, generation of response cryptograms and secure scripts.

The brand certificate authority support consists of:

  • Management of the EMV root key, including publishing the public key.
  • Reception of certificate requests from issuers and certification of the issuer public key.

Generating RSA keys for DDA chip cards is quite time-consuming, which makes it impractical to generate a key at the time it is needed. EKMF offers an elegant solution in which keys are pre-generated into a pool, using spare crypto capacity during off-peak hours.

Hardware and Software Requirements

  • Hardware requirements:
    For the EKMF workstation: Lenovo or Trenton Intel86 servers. Contact CCC for the latest models available.
  • Software requirements:
    For the EKMF workstation: the Linux OS is included in the EKMF image.
    Db2 is used as the EKMF repository and must be located on one of the supported platforms: Linux, z/OS, AIX.
