tklmKeyImport

Use the tklmKeyImport command to import secret keys or public/private key pairs. A secret key is a symmetric key. A public/private key pair is an asymmetric key pair with a public key and a private key. The private key file is in PKCS#12 format.

Note: The IBM Security Key Lifecycle Manager command-line interface commands will be deprecated in the later versions of IBM Security Key Lifecycle Manager. Use the REST interfaces instead.

Purpose

Use this command to import secret keys or public/private key pairs. A secret key is a symmetric key. A public/private key pair is an asymmetric key pair with a public key and a private key. The private key file is in PKCS#12 format.

To import secret keys, the import file can contain multiple keys. Each key contains the required alias value for that key. The import file must be generated by a previous tklmKeyExport command.

Permissions

To import the key, you must have permission to the configure action, or, create action and the permission to the appropriate device group. When you import a secret key, you must also have permission to configure, create, or view action for the asymmetric key pair that is specified by the keyAlias parameter.

Syntax

An asterisk (*) indicates a deprecated value. If you enter the deprecated value, do not include the asterisk.

tklmKeyImport -alias keyalias -newAlias newkeyalias -keyAlias keyalias -fileName pathandkeyfilename -keyStoreName keystorename -usage {LTO | 3592 | DS5000 | DS8000 | BRCD_ENCRYPTOR | ONESECURE | ETERNUS_DX | XIV | GPFS | PEER_TO_PEER | DS8000_TCT | GENERIC | userdevicegroup | SSLSERVER | SSL Server* | SSLCLIENT } -type {secretkey | privatekey} -password passwordvalue

Parameters

-alias

Required parameter in the following scenarios:

If the value of the type attribute is secretkey and you want to rename the key with the newAlias parameter during the import process.
Specify a value for this parameter if you want to import a specific secret key from a keystore file that has multiple secret keys.
If the value of the type attribute is privatekey and if the keystore file contains multiple private keys.

This parameter is not required when the keystore file contains only one private key. If you specify a value, it is ignored.

-fileName

Required. Specify the path and file name of the file from which keys are imported.

-keyAlias

Required if the value of the -type attribute is secretkey. Specify the alias of the private key entry in the keystore that is used to decrypt the secret key, or keys, from the file. Use the same alias value to import and export a secret key, or keys.

-keyStoreName

Required. Specify the name of the keystore into which the imported key is imported.

-newAlias

Specify a new value for the key alias.

-password

Required if the value of the -type attribute is privatekey. This password was previously specified by using the tklmKeyExport command. If you export private keys to a PKCS#12 file, ensure that the file with the key is wrapped by using a FIPS-approved method before the file leaves the computer.

-type

Required. Specify whether the keys are secret or private. You can include the following values:

secretkey

Specifies a symmetric key.

If you select this value, specify for the -usage attribute a value for a device group family that administers keys.

privatekey

Specifies an asymmetric key in a key pair with a public key and a private key.

If you select this value, specify for the -usage attribute a value for a device group that administers certificates, or specify one of these values:

SSLCLIENT
SSLSERVER

-usage

Required. Specify the target application usage, such as LTO device group. You can include the following values:

LTO: Specifies the LTO device group.
3592: Specifies the 3592 device group.
DS5000: Specifies the DS5000 device group.
DS8000: Specifies the DS8000 device group.
BRCD_ENCRYPTOR: Specifies the BRCD_ENCRYPTOR device group that is in the LTO device family.
ONESECURE: Specifies the ONESECURE device group that is in the DS5000 device family.
ETERNUS_DX: Specifies the ETERNUS_DX device group that is in the DS5000 device family.
XIV: Specifies the IBM Spectrum Accelerate (previously known as XIV) device group.
GPFS: Specifies the IBM Spectrum Scale (previously known as GPFS) device group.
PEER_TO_PEER: Specifies the PEER_TO_PEER device group.
DS8000_TCT: Specifies the DS8000_TCT device group that is in the GPFS device family.
GENERIC: Specifies a device family that uses the Key Management Interoperability Protocol to interact with IBM Security Key Lifecycle Manager. The GENERIC device group enables management of KMIP objects.
Do not use the command-line interface to add a device to the GENERIC device group, or to change a GENERIC device group attribute.
SSLCLIENT: Client-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the client device.
SSLSERVER: Server-side certificate that is used in secure communication by using Secure Socket Layer protocol.
userdevicegroup: Specifies a user-defined group that is based on a supported device family.

Example

For tape usage, this Jython-formatted command imports a symmetric key named mysecretkey from a file named mykey.p12 into a keystore named myKeystore for use with LTO tape drives.

print AdminTask.tklmKeyImport ('[	-alias mysecretkey -type secretkey 
	-keyAlias mySecretKey -newAlias myNewSecretKey 
		-fileName c:\\myimportpath\\mykey.p12 -keyStoreName defaultKeyStore 
			-usage LTO]')

This Jython-formatted command imports an asymmetric key in a key pair with a public key and a private key. A password is required.

print AdminTask.tklmKeyImport ('[-alias myprivatekey -type privatekey 
	-keyAlias myPrivateKeyAlias -fileName c:\\myimportpath\\myprivatekey.p12 
		-keyStoreName defaultKeyStore -usage SSLSERVER -password mypassword]')