tklmKeyImport
Use the tklmKeyImport command to import
secret keys or public/private key pairs. A secret key is a symmetric
key. A public/private key pair is an asymmetric key pair with a public
key and a private key. The private key file is in PKCS#12
format.
Purpose
Use this command to import secret keys or public/private key pairs. A secret key is a symmetric key. A public/private key pair is an asymmetric key pair with a public key and a private key. The private key file is in PKCS#12 format.To import secret keys, the import file can contain multiple keys. Each key contains the required alias value for that key. The import file must be generated by a previous tklmKeyExport command.
Permissions
To import the key, you must have permission to the configure action, or, create action and the permission to the appropriate device group. When you import a secret key, you must also have permission to configure, create, or view action for the asymmetric key pair that is specified by the keyAlias parameter.
Syntax
An asterisk (*) indicates a deprecated value. If you enter the deprecated value, do not include the asterisk.
tklmKeyImport -alias keyalias -newAlias newkeyalias -keyAlias keyalias -fileName pathandkeyfilename -keyStoreName keystorename -usage {LTO | 3592 | DS5000 | DS8000 | BRCD_ENCRYPTOR | ONESECURE | ETERNUS_DX | XIV | GPFS | PEER_TO_PEER | DS8000_TCT | GENERIC | userdevicegroup | SSLSERVER | SSL Server* | SSLCLIENT } -type {secretkey | privatekey} -password passwordvalue
Parameters
- -alias
- Required parameter in the following scenarios:
- If the value of the type attribute is secretkey and
you want to rename the key with the newAlias parameter during the import
process.
Specify a value for this parameter if you want to import a specific secret key from a keystore file that has multiple secret keys.
- If the value of the type attribute is privatekey and if the keystore file contains multiple private keys.
This parameter is not required when the keystore file contains only one private key. If you specify a value, it is ignored.
- If the value of the type attribute is secretkey and
you want to rename the key with the newAlias parameter during the import
process.
- -fileName
- Required. Specify the path and file name of the file from which keys are imported.
- -keyAlias
- Required
if the value of the -type attribute is
secretkey
. Specify the alias of the private key entry in the keystore that is used to decrypt the secret key, or keys, from the file. Use the same alias value to import and export a secret key, or keys. - -keyStoreName
- Required. Specify the name of the keystore into which the imported key is imported.
- -newAlias
- Specify a new value for the key alias.
- -password
- Required if the value of the -type attribute
is
privatekey
. This password was previously specified by using the tklmKeyExport command. If you export private keys to aPKCS#12
file, ensure that the file with the key is wrapped by using a FIPS-approved method before the file leaves the computer. - -type
- Required. Specify whether the keys are secret or private. You
can include the following values:
- secretkey
- Specifies a symmetric key.
If you select this value, specify for the -usage attribute a value for a device group family that administers keys.
- privatekey
- Specifies an asymmetric key in a key pair with a public key and
a private key.If you select this value, specify for the -usage attribute a value for a device group that administers certificates, or specify one of these values:
- SSLCLIENT
- SSLSERVER
- -usage
- Required. Specify the target application usage, such as LTO device group. You can include the following values:
- LTO
- Specifies the LTO device group.
- 3592
- Specifies the 3592 device group.
- DS5000
- Specifies the DS5000 device group.
- DS8000
- Specifies the DS8000 device group.
- BRCD_ENCRYPTOR
- Specifies the BRCD_ENCRYPTOR device group that is in the LTO device family.
- ONESECURE
- Specifies the ONESECURE device group that is in the DS5000 device family.
- ETERNUS_DX
- Specifies the ETERNUS_DX device group that is in the DS5000 device family.
- XIV
- Specifies the IBM Spectrum Accelerate (previously known as XIV) device group.
- GPFS
- Specifies the IBM Spectrum Scale (previously known as GPFS) device group.
- PEER_TO_PEER
- Specifies the PEER_TO_PEER device group.
- DS8000_TCT
- Specifies the DS8000_TCT device group that is in the GPFS device family.
- GENERIC
- Specifies a device family that uses the Key Management Interoperability Protocol to interact with IBM Security Key Lifecycle Manager. The GENERIC device group enables management of KMIP objects.
Do not use the command-line interface to add a device to the GENERIC device group, or to change a GENERIC device group attribute.
- SSLCLIENT
- Client-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the client device.
- SSLSERVER
- Server-side certificate that is used in secure communication by using Secure Socket Layer protocol.
- userdevicegroup
- Specifies a user-defined group that is based on a supported device family.
Example
For tape usage, this Jython-formatted command imports a symmetric key named mysecretkey from a file named mykey.p12 into a keystore named myKeystore for use with LTO tape drives.
print AdminTask.tklmKeyImport ('[ -alias mysecretkey -type secretkey
-keyAlias mySecretKey -newAlias myNewSecretKey
-fileName c:\\myimportpath\\mykey.p12 -keyStoreName defaultKeyStore
-usage LTO]')
This Jython-formatted command imports an asymmetric key in a key pair with a public key and a private key. A password is required.
print AdminTask.tklmKeyImport ('[-alias myprivatekey -type privatekey
-keyAlias myPrivateKeyAlias -fileName c:\\myimportpath\\myprivatekey.p12
-keyStoreName defaultKeyStore -usage SSLSERVER -password mypassword]')