Purpose
Manages the Object Data Manager (ODM) database entries that are associated with the encryption
key server when the logical volume uses the key server key-protection method for encryption.
Syntax
keysvrmgr action [-h] [flags]
Description
An encryption key server is used to securely store encryption key information. The access to the encryption key server is secured by certificate exchanges between the client and the server. When a logical volume (LV) uses the key server key-protection method for encryption, the information about the encryption key server is stored in the ODM database. You can use the keysvrmgr command to manage the ODM database entries that are associated with the encryption key server.
Starting from IBM® AIX® 7.2 with Technology Level 5, you can run the keysvrmgr command by specifying the action parameter to perform one of the following operations:
- add: Adds a key server entry
- modify: Modifies an existing key server entry
- remove: Removes a key server entry
- show: Displays information about the key server entry
action parameters
- add
- Syntax:
keysvrmgr add [-h] -i server_ip [-p server_port] [-g sklm_device_group] -s server_cert_path -c client_cert_path [-P type] server_id
- Adds a key server entry to the ODM database. This action parameter can be
specified with the following flags:
- -i
- Specifies the IP address of the encryption key server in the following format: a.b.c.d, where each of a, b, c, and d is in the range 0 - 255.
- -p
- (Optional) Specifies the port of the encryption key server. You can specify a port value in the range 0 - 65535. The default value is 5696.
- -g
- (Optional) Specifies the device group name associated with IBM Security Key Lifecycle Manager.
- -s
- Specifies the absolute path to the X.509 server certificate associated with the encryption key
server.
- -c
- Specifies the absolute path of the Public Key Cryptography Standards #12 (PKCS #12) client
certificate associated with your system.
- -P
- Specifies the type of password protection for the client certificate. You can specify the
following values for this flag:
- y|Y – The password of the client certificate will be prompted during the command
run time.
- n|N – The client certificate is not protected by a password. This is the default
value.
- p|P – The password of the client certificate is stored in platform keystore (PKS).
- server_id
- Specifies the ID of the encryption key server entry that you want to create in the following format: server_name[:device_group], where server_name is the name of the key server entry and device_group is the name of the device group associated with IBM Security Key Lifecycle Manager.
- modify
- Syntax:
keysvrmgr modify [-h] -i server_ip [-p server_port] [-s server_cert_path] [-c client_cert_path] [-P type] server_id
- Modifies an existing key server entry in the ODM database. This action
parameter can be specified with the following flags and values:
- -i
- Specifies the IP address of the encryption key server in the following format: a.b.c.d, where each of a, b, c, and d is in the range 0 - 255.
- -p
- (Optional) Specifies the port of the encryption key server. You can specify a port value in the range 0 - 65535. The default value is 5696.
- -s
- Specifies the absolute path to the X.509 server certificate associated with the encryption key
server.
- -c
- Specifies the absolute path of the PKCS #12 client certificate associated with your system.
- -P
- Specifies the type of password protection for the client certificate. You can specify the
following values for this flag:
- y|Y – The password of the client certificate will be prompted during the command
run time.
- n|N – The client certificate is not protected by a password. This is the default
value.
- p|P – The password of the client certificate is stored in platform keystore (PKS).
- server_id
- Specifies the ID of the key server entry that you want to modify in the following format: server_name[:device_group], where server_name is the name of the encryption key server and device_group is the name of the device group associated with IBM Security Key Lifecycle Manager.
- remove
- Syntax:
keysvrmgr remove [-h] server_id
- Removes a key server entry from the ODM database. You must specify the ID of the key server
entry that you want to remove from the ODM database.
- show
- Syntax:
keysvrmgr show [-h] server_id
- Displays information about the specified key server ID.
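The flag constraints described for the add and modify actions above, as an added shell example that is not part of the IBM reference page: a POSIX sh wrapper that checks every argument of a keysvrmgr add call (dotted-quad IP with octets 0 - 255, port 0 - 65535, -P value in y|n|p, readable absolute certificate paths, server_id in the form server_name[:device_group]) before the command is issued. The KEYSVRMGR and DRY_RUN variables, the keysvr_add and valid_* function names, the conservative character set allowed in server_id, and the IP address, file names and server ID at the bottom are all assumptions or constructed sample values of this script, not part of keysvrmgr.

```shell
#!/bin/sh
# Added example, not from the IBM page: validate "keysvrmgr add" arguments before
# calling the command. KEYSVRMGR and DRY_RUN are this script's own variables.
KEYSVRMGR=${KEYSVRMGR:-/usr/sbin/keysvrmgr}   # path listed under "Files"
DRY_RUN=${DRY_RUN:-1}                          # 1 = print the command, 0 = run it

# Return 0 when $1 is a.b.c.d with every octet in the range 0-255.
valid_ip() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 when $1 is an integer port in the range 0-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# Return 0 when $1 is one of the documented -P values.
valid_ptype() {
    case "$1" in y|Y|n|N|p|P) return 0 ;; *) return 1 ;; esac
}

# Return 0 when $1 has the form server_name[:device_group]: non-empty name,
# at most one colon, non-empty group if a colon is present. The character
# set is an assumption of this script; the page does not state one.
valid_server_id() {
    case "$1" in
        ''|:*|*:|*:*:*|*[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 when $1 is an absolute path to a readable file (both -s and -c
# take absolute paths).
valid_cert_path() {
    case "$1" in /*) ;; *) return 1 ;; esac
    [ -f "$1" ] && [ -r "$1" ]
}

# keysvr_add server_ip server_port ptype server_cert client_cert server_id
# Checks every argument, then prints (DRY_RUN=1) or runs the keysvrmgr command.
# With -P y the command prompts for the PKCS #12 password at run time, so the
# password never appears in the argument list or in shell history.
keysvr_add() {
    ip=$1; port=$2; ptype=$3; scert=$4; ccert=$5; sid=$6
    valid_ip "$ip"           || { echo "bad server_ip: $ip" >&2; return 2; }
    valid_port "$port"       || { echo "bad server_port: $port" >&2; return 2; }
    valid_ptype "$ptype"     || { echo "bad -P type: $ptype" >&2; return 2; }
    valid_cert_path "$scert" || { echo "server certificate not readable: $scert" >&2; return 2; }
    valid_cert_path "$ccert" || { echo "client certificate not readable: $ccert" >&2; return 2; }
    valid_server_id "$sid"   || { echo "bad server_id: $sid" >&2; return 2; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "$KEYSVRMGR add -i $ip -p $port -s $scert -c $ccert -P $ptype $sid"
    else
        "$KEYSVRMGR" add -i "$ip" -p "$port" -s "$scert" -c "$ccert" -P "$ptype" "$sid"
    fi
}

# Constructed sample run: empty placeholder files stand in for the X.509 server
# certificate and the PKCS #12 client certificate so the path checks pass.
demo_dir=$(mktemp -d)
: > "$demo_dir/sklm_server.pem"
: > "$demo_dir/aix_client.p12"
keysvr_add 192.0.2.10 5696 y "$demo_dir/sklm_server.pem" "$demo_dir/aix_client.p12" sklm01:aix_lvs
rm -rf "$demo_dir"
```

With DRY_RUN left at its default the script only prints the keysvrmgr command line it would issue; set DRY_RUN=0 on an AIX system that has the certificates in place to run it. The same checks apply to a modify call, whose -s, -c and -P flags are optional.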
Files
- /usr/sbin/keysvrmgr
- Contains the keysvrmgr command.