IBM Support

IBM Security Key Lifecycle Manager Version 4.0.0 Fix Packs

Fix Readme


Abstract

This page contains information about the fix packs that are released for IBM Security Key Lifecycle Manager Version 4.0.0.0.

Before you install a fix pack, you must have previously installed the base version (4.0.0.0) of the product. Fix packs are cumulative and contain all updates released prior to the fix pack.

Content

Expand a fix pack section to view its details.

IBM Security Key Lifecycle Manager Version 4.0.0 Fix Pack 3 (4.0.0.3)

Refer to the Readme for details about the fixed issues, and for instructions to download and apply the fix pack.  

IBM Security Key Lifecycle Manager Version 4.0.0 Fix Pack 2 (4.0.0.2)

Refer to the Readme for details about the fixed issues, and for instructions to download and apply the fix pack.  

IBM Security Key Lifecycle Manager Version 4.0.0 Fix Pack 1 (4.0.0.1)

Refer to the Readme for details about the fixed issues, and for instructions to download and apply the fix pack.  

IBM Security Key Lifecycle Manager Version 4.0.0.1 offers the following enhancements: 

The documentation to support the base version of the release is available in the IBM product documentation.

New REST API to update multiple client certificates as per WWNN

You can update the certificate for devices in multiple PEER_TO_PEER device groups that have the same WWNN (worldwide node name) value as in the new certificate by using the new Bulk Certificate Update REST Service.
To update multiple device certificates with a new certificate, use the REST interface:
  1. Open a REST client.
  2. Obtain a unique user authentication identifier to access IBM Security Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
  3. Run the Bulk Certificate Update REST Service.

Bulk Certificate Update REST Service 

Use Bulk Certificate Update REST Service to update communication certificates for client devices that have the same WWNN (worldwide node name) value as in the new certificate. For example, you can run this REST service to update certificates for devices in multiple PEER_TO_PEER device groups.

Operation
PUT
URL
https://<host>:<port>/SKLM/rest/v1/certificates/bulkCertUpdate/

By default, IBM® Security Key Lifecycle Manager server listens to nonsecure port 9080 (HTTP) and secure port 9443 (HTTPS) for communication. During IBM Security Key Lifecycle Manager installation, you can modify these default ports. 

Request

Request Parameters
Parameter Description
host Specify the IP address or host name of the IBM Security Key Lifecycle Manager server.
port Specify the port number on which the IBM Security Key Lifecycle Manager server listens for requests.
Request Headers
Header name Value
Content-Type multipart/form-data
Accept application/json
Authorization SKLMAuth userAuthId=<authIdValue>
Accept-Language Any valid locale that is supported by IBM Security Key Lifecycle Manager. For example: en or de
Form parameter
Parameter name Description
fileName Required. Specify the new certificate file. Ensure that the certificate is trusted in IBM Security Key Lifecycle Manager.

Response

Response Headers
Header name Value and description
Status Code
200 OK
The request was successful. The response body contains the requested representation.
400 Bad Request
The authentication information was not provided in the correct format.
401 Unauthorized
The authentication credentials were missing or incorrect.
404 Not Found Error
The processing of the request fails.
500 Internal Server Error
The processing of the request fails because of an unexpected condition on the server.
Content-Type application/json
Content-Language Locale for the response message.
Success response body

JSON object with the following specification:

JSON property name Description
code Returns the code that is specified by the status property.
status Returns the status message to indicate whether the certificate is updated or not.
0
The status indicates that the certificate update task succeeded.
1
The status indicates that the certificates are not updated.
Error Response Body

JSON object with the following specification.

JSON property name Description
code Returns the application error code.
message Returns a message that describes the error.

Example

Service request to update certificates
PUT https://localhost:<port>/SKLM/rest/v1/certificates/bulkCertUpdate
Content-Type:  multipart/form-data; 
boundary=---------------------------293582696224464
Authorization: SKLMAuth userAuthId=139aeh34567m
-----------------------------293582696224464
Content-Disposition: form-data; name="fileName"; filename="clientcert.cer"
<File Content>
-----------------------------293582696224464
Success response
{
    "code": "0",
    "status": "CTGKM3491I Device communication certificates are updated. "
}
{
    "code": "CTGKM3490E",
    "status": "CTGKM3490E Failed to update the communication certificates because the new certificate file is invalid."
}

Support for checking chain of trusted certificates

When you add the device root certificate to the truststore, all devices with client communication certificates that are signed by this root certificate are automatically trusted. Clients or devices with multiple intermediate signed certificates but a common root certificate authority (CA) can get their client communication certificates trusted by adding only the device root certificate in the truststore.

Note: For KMIP client communication, you need to set the chainOfTrustEnabled server configuration property to support the checking of chain of trusted certificates. Use the Update Config Property REST Service to set the property value.
chainOfTrustEnabled

The chainOfTrustEnabled property specifies whether to trust a client certificate that has the root certificate, from its trust chain, already trusted in the IBM Security Guardium Key Lifecycle Manager server.

chainOfTrustEnabled={true|false}

Values
true | false
On a new installation of IBM Security Guardium Key Lifecycle Manager, the value is set to false.  
Set the property-value pair as chainOfTrustEnabled=true to automatically trust client communication certificates for clients or devices with multiple intermediate signed certificates but a trusted device root certificate.
Required or Optional Optional
Default false
Example chainOfTrustEnabled=true

New unique return code for KMIP requests from untrusted clients

When the communication certificate in a KMIP request has the registered WWNN value but the certificate is not trusted by the server, the following new error message is displayed:

CTGKM3497E Failed to complete the KMIP request. The communication certificate has the registered WWNN value but is not trusted by the server. Use a trusted certificate and retry the operation.

Explanation

The WWNN value of the client communication certificate in the KMIP request is registered with the device group but the certificate is not trusted in the IBM® Security Key Lifecycle Manager server.

System action

The KMIP operation fails.

Administrator response

Use a trusted client communication certificate, and retry the operation.

Simplified authentication and authorization step in using the Swagger UI

The high-level step 2 in the procedure to use the Swagger UI is now simplified.

Here is the updated procedure:

  1. Access the Swagger UI.
    In any browser, enter the following URL: 
    https://host:9443/ibm/SKLM/swagger
    Where, host is the IP address of the host where the IBM Security Key Lifecycle Manager server is installed.
  2. Authenticate and authorize the REST API operations.
    1. Click Authorize.
    2. In the Authorization window, specify the login credentials, and click Login.
    3. Click Authorize and you can close the window.
      All the IBM Security Key Lifecycle Manager REST APIs are now authorized. You can now run and test any REST API.
  3. Run a REST API.
    1. Expand the method for the REST API that you want to run.
    2. Click Try it out.
    3. Specify the required parameters and click Execute.
    4. Review the response.

Fix Pack Readme File

Access the Fix Pack Readme file here: IBM Security Key Lifecycle Manager: Fix Pack Readme Files

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSWPVP","label":"IBM Security Key Lifecycle Manager"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.0.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
02 March 2022

UID

ibm12464551

Page Feedback