TKE security policy wizards

Strictly defined security policies are important in order to govern who can do the following TKE workstation activities:

Manage the TKE workstation
    Activities include setting up access to the TKE workstation and managing your smart card environment.

Manage host crypto modules running in Common Cryptographic Architecture (CCA) mode
    Activities include setting up access to the module, managing general purpose settings, and master key wrapping management.

Manage host crypto modules running in IBM Enterprise PKCS11 (EP11) mode
    Activities include setting up access to the module, managing general purpose settings, and master key wrapping management.
All of these activities, including signing onto the TKE workstation, are security-relevant administrative actions and should only be done by a small set of trusted administrators with a high degree of accountability.

TKE 9.1 and later provide six TKE security policy wizards that work together to implement a comprehensive set of security policies for managing access to the TKE workstation and for managing host crypto modules and their domains. All of the TKE security policies require that something be stored on a smart card, so use the TKE Smart Card Wizard to create all the smart cards that the other TKE wizards need. See the TKE Smart Card Wizard in Table 1 for additional information. The five remaining wizards set up the minimum recommended security policies for managing the administrators responsible for specific tasks. See Table 2 for additional information.

TKE security policy guidance

Before using the TKE security policy wizards, analyze your environment and decide which of the policies you need to implement:

Controlling who has access to your TKE workstation
    This policy should be on your list because you need to control who has access to your TKE workstation. See the TKE Workstation Logon Profile Wizard in Table 2 for additional information.

Controlling who can manage CCA legacy settings
    Analyze the host cryptographic environment managed from the TKE workstation to determine if this policy applies to you. See the Setup Module Policy Wizard in Table 2 for additional information.

Controlling who can manage CCA PCI-compliant domain settings
    Analyze the host cryptographic environment managed from the TKE workstation to determine if this policy applies to you. See the Setup PCI Environment Wizard in Table 2 for additional information.

Controlling who can manage EP11 module-wide settings
    Analyze the host cryptographic environment managed from the TKE workstation to determine if this policy applies to you. See the Setup Module Policy Wizard in Table 2 for additional information.

Controlling who can manage EP11 domain-specific settings
    Analyze the host cryptographic environment managed from the TKE workstation to determine if this policy applies to you. See the Setup Domain Policy Wizard in Table 2 for additional information.

TKE security policy wizards

Once you know which set of TKE security policies you need, use the TKE Smart Card Wizard to create the smart cards you need for the rest of the TKE security policy wizards. Table 1 provides a summary of the TKE Smart Card Wizard. Table 2 provides a summary of the security policy implementation wizards.
Note: There is a link to wizard-specific information and guidance provided on the welcome screen of all six of the wizards.
Table 1. Prerequisite TKE wizard: TKE Smart Card Wizard

Required activity: Manage smart card environment.
TKE security policy wizard name: TKE Smart Card Wizard
TKE security policy wizard purpose: To create all the smart cards needed by the other TKE security policy wizards. You can also create a new TKE zone, enroll the TKE in a zone, or both.
Where the TKE security policy wizard is found: Smart Card Utility Program (SCUP), in the File pull-down menu.
Table 2. TKE security policy implementation wizards

Policy purpose: Control access to the TKE workstation.
TKE security policy wizard name: TKE Workstation Logon Profile Wizard
TKE security policy wizard purpose: To create TKE local crypto adapter smart card profiles that control access to the TKE workstation.
Where the TKE security policy wizard is found: Cryptographic Node Management (CNM) Utility, in the Access Control pull-down menu.

Policy purpose: Control who can manage CCA legacy settings.
TKE security policy wizard name: Setup Module Policy Wizard
TKE security policy wizard purpose: To create CCA module-wide roles and authorities that control administrative access for managing module-wide and normal mode domain-specific settings.
Where the TKE security policy wizard is found: Trusted Key Entry (TKE) application; open a host or CCA domain group, then use the module's General tab.

Policy purpose: Control who can manage CCA PCI-compliant domain settings.
TKE security policy wizard name: Setup PCI Environment Wizard
TKE security policy wizard purpose: To create CCA domain-specific roles and authorities that control administrative access for managing the domain-specific settings in IMPRINT and PCI-COMPLIANT domains.
Where the TKE security policy wizard is found: Trusted Key Entry (TKE) application; open a host or CCA domain group, then use the domain's General tab (only available while in imprint mode).

Policy purpose: Control who can manage EP11 module-wide settings.
TKE security policy wizard name: Setup Module Policy Wizard
TKE security policy wizard purpose: To add administrators to the EP11 module-wide list and take the modules out of imprint mode, controlling administrative access for managing EP11 module-wide settings.
Where the TKE security policy wizard is found: Trusted Key Entry (TKE) application; open a host or EP11 domain group, then use the Module General tab (only available while in imprint mode).

Policy purpose: Control who can manage EP11 domain-specific settings.
TKE security policy wizard name: Setup Domain Policy Wizard
TKE security policy wizard purpose: To add administrators to the EP11 domain-specific list and take the domains out of imprint mode, controlling administrative access for managing EP11 domain-specific settings.
Where the TKE security policy wizard is found: Trusted Key Entry (TKE) application; open a host or EP11 domain group, then use the Domain General tab (only available while in imprint mode).