Fix Readme

Abstract

This page contains information about the fix packs that are released for IBM Security Guardium Key Lifecycle Manager Version 4.1.1.0.

Before you install a fix pack, you must have previously installed the base version (4.1.1.0) of the product. Fix packs are cumulative and contain all updates released before the fix pack.

Content

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 7 (4.1.1.9)

Refer to the Readme file for details about the fixed issues, and for instructions to download and apply the fix pack.

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 7 (4.1.1.8)

Refer to the Readme file for details about the fixed issues, and for instructions to download and apply the fix pack.

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 7 (4.1.1.7)

Refer to the Readme file for details about the fixed issues, and for instructions to download and apply the fix pack.

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 6 (4.1.1.6)

Refer to the Readme file for details about the fixed issues, and for instructions to download and apply the fix pack.

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 5 (4.1.1.5)

Refer to the Readme file for details about the fixed issues, and for instructions to download and apply the fix pack.

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 4 (4.1.1.4)

Refer to the readme file for details about the fixed issues, and for instructions to download and apply the fix pack.

IBM Security Guardium Key Lifecycle Manager (GKLM) 4.1.1.4 offers the following enhancements:

Support for secure connection between GKLM on IBM zCX and Db2 for z/OS
EKMF Web enhancements
Upgraded middleware versions:
- WebSphere Application Server Liberty 22.0.0.3
- IBM SDK Java Technology Edition 8.0.7.5

Support for secure connection between GKLM on IBM zCX and Db2 for z/OS

You can now set up a secure connection between GKLM installed on IBM z/OS Container Extension (zCX) environment and Db2 for z/OS by using Docker secrets.

To install GKLM 4.1.1.4 with secure connection enabled with Db2 for z/OS, see the relevant section:

Existing installation (4.1.1.x)

If you have GKLM 4.1.1 or later (source) installed and you are upgrading to 4.1.1.4 (target), complete these steps:

Ensure that you configure the same database and volume details that was referenced by the earlier container (source).
Complete the steps in the Procedure section.

New installation (GKLM 4.1.1.4 )

If you are installing GKLM 4.1.1.4 for the first time, complete these steps:

Ensure that the prerequisites mentioned in the Before you begin section in Installing on IBM zCX environment with Db2 for z/OS are met.
Complete the steps in the Procedure section.

Procedure

Complete the following steps on the host system with the IBM zCX environment:

Ensure that the databases are running and ready to accept connections.
Configure SSL/TLS on Db2 for z/OS. For instructions, see Configuring the Db2 server for SSL.
Obtain the 4.1.1.4 fix pack installation files from Fix Central. For download instructions, see the GKLM 4.1.1.4 readme file.
Log in to the host system and navigate to the directory where you saved the 4.1.1.4 fix pack installation files, license, and Docker files.
Extract the Docker image of the GKLM application from the image file.
Sample command:
```
docker load -i sklm_Rel_4114_91.s390x.tar
```

Build the Docker image of the GKLM application by using the Docker file to include the Db2 license file.

Sample command:

docker build -t gklmzos --build-arg LATEST_IMAGE=sklm_Rel_4114_91.s390x.tar --build-arg DB2_LICENSE_FILE=db2jcc_license_cisuz.jar --no-cache .

Initialize the Docker swarm. To do so, run the following command:
```
docker swarm init
```

Define the Docker secrets.

echo <DB_PWD> | docker secret create sklmdb_password -
echo <DB_USR> | docker secret create sklmdb_username -
echo 68d95f0081f1dbfc0b06de9b0916df1c | docker secret create sklmapp_seed -
echo <your_sklmadmin_password> | docker secret create sklmadmin_password -
echo <your_liberty_keystore_password> | docker secret create liberty_keystore_password -

Define a Docker secret from the Db2 SSL/TLS certificate.
```
docker secret create db2_ssl_cert <Db2_SSL_CERT_FILE>
```
Where,
- db2_ssl_cert is the secret name.
- Db2_SSL_CERT_FILE is the Db2 SSL/TLS certificate file name.

Spin the GKLM container by using the docker service command.

docker service create --name <gklm_service> -p 3801:3801 -p 1111:1111 -p 2222:2222 -p 9443:9443 -p 5696:5696 -p 1441:1441 -e DB_HOST=9.xx.xx.xx -e DB_PORT=446 -e DB_TYPE=zos_db2 -e ZOS_DB_NAMES=KLMSMM,KLMLGG,KLM32KLH -e LICENSE=accept -e ZOS_DB_LOCATION=db_location --mount src=klmappvolume,dst=/opt/ibm/wlp/products --secret sklmdb_username --secret sklmdb_password --secret sklmapp_seed --secret sklmadmin_password --secret liberty_keystore_password --secret db2_ssl_cert gklmzos

Note: Ensure that the database names that you specify in the ZOS_DB_NAMES parameter are in the same sequence in which they were created.

For more information about the parameters, see Parameters to install IBM Security Guardium Key Lifecycle Manager container.

To monitor the progress, run the following command.
```
docker service logs -f <gklm_service>
```
After you see the following message in the logs, proceed to the next step:
IBM Security Guardium Key Lifecycle Manager server started.
Launch the GKLM graphical user interface.
```
https://IP_address:port/ibm/SKLM/login.jsp
```
Where, IP_address is the IP address or FQDN of the GKLM server, and port is the port number that GKLM server listens on for requests.
On the Configuration page that opens, click the License Agreements link to review the license terms, and then select the I accept the terms in the License Agreements checkbox.
Click Activate License.
Upload the GKLM license activation file and activate the license.
Click Login.
Log in to the GKLM graphical user interface with the administrator user credentials. For example, sklmadmin.

EKMF Web enhancements

Overview
What's new
Configuring EKMF Web
Best practices for configuring EKMF Web
REST documentation
Updating EKMF certificate

Overview

IBM Enterprise Key Management Foundation Web (EKMF Web) provides centralized key management for IBM z/OS. You can use EKMF Web to store the master key of GKLM in Integrated Cryptographic Service Facility (ICSF). This master key protects all the keys and certificates that are stored in the GKLM database.

What's new

Support for configuring multiple EKMF Web hosts for high availability and failover

You can now configure GKLM with multiple EKMF Web hosts by specifying the EKMF Web hosts details in the hosts parameter. For instructions see, Configuring EKMF Web.

Support for configuring multiple GKLM servers with a single EKMF Web host by using custom master key alias

You can now configure multiple GKLM servers with a single EKMF Web by setting the masterkeyAlias parameter. It specifies the alias for the GKLM master key stored by EKMF Web. The masterkeyAlias parameter is set by using the Update EKMF Web Configuration Settings REST Service.

Support for configuring GKLM with EKMF Web Crypto only host

In a multiple EKMF Web setup, you can configure two types of EKMF Web hosts:

EKMF Web Full: It handles both master key management and cryptographic operations.
EKMF Web Crypto: It handles only cryptographic operations (encryption and decryption).

You can use this enhancement in a replication setup, where only the master GKLM server needs access to the key creation operation. The clone GKLM servers only serve the keys, and hence only need access to the encryption and decryption operations. So, you can configure the master GKLM server with EKMF Web Full host and the clone GKLM servers with EKMF Web Crypto host.

Provision to set preference order in a multiple EKMF Web setup

In a multiple EKMF Web setup, you can set the preference order in which GKLM connects to the configured EKMF Web hosts by specifying the hostPreferenceSequence parameter. Setting the host preference order to the nearest available EKMF Web, combined with required load balancing, can help improve the performance of the master key operations. You can set the hostPreferenceSequence parameter by using the Update EKMF Web Configuration Settings REST Service.

EKMF Web support for GKLM Traditional on zLinux platforms

EKMF Web is now supported by GKLM Traditional edition installed on zLinux platforms. With this support, master key can now be stored in ICSF by using EKMF Web even for GKLM Traditional installed on zLinux platforms. This enhancement is not available on a multi-master GKLM setup.

Configuring EKMF Web with GKLM

Depending on your setup, see the relevant section:

Configuring a new EKMF Web setup
Adding EKMF hosts to an existing EKMF Web setup
Configuring EKMF Web in a replication setup

Configuring a new EKMF Web setup

When you configure GKLM with EKMF Web, you can use one of the two supported authentication mechanisms:

OpenID Connect (OIDC): Requires user credentials for authentication
Mutual Transport Layer Security (mTLS): Requires the exchange of public certificates between GKLM and EKMF Web for authentication

Depending on the applicable authentication mechanism, see the relevant section for instructions:

Procedure for OIDC setup

Set up the key template in EKMF Web
Define EKMF Web configuration parameters in GKLM
Import the EKMF Web and OIDC server certificate
Test connection
Set up master key
Verify configuration of master key in EKMF Web

Step 1: Set up the key template in EKMF Web

Use the graphical user interface or the REST services of EKMF Web to set up a key template. Create a new key template in EKMF Web by specifying the following parameter values.

Note: Ensure that you use the same values for template creation as given in the table. In a multiple EKMF Web hosts setup, ensure that the key template is configured to distribute the keys to all the required keystore groups used by the multiple EKMF Web hosts.

Table 1. Key template parameter values

Parameter	Value
Template name	GKLMTEMPLATE
Keystore type	Pervasive Encryption
Key Label template	GKLM.MKEY.<ALIAS> Note: Specify this value as is.
Key type	Cipher
Key size	256
Key state	Active
Keystore groups	cserver Note: Specify a value according to your environment. In a multiple EKMF Web hosts setup, ensure that this parameter is set to all the key groups from where the master key is accessed by the multiple EKMF Web hosts.
Advanced properties	`{"keyWords": [ "ANY-MODE"]}`

Step 2: Define EKMF Web configuration properties in GKLM

Open the Swagger UI. For more information, see Using Swagger UI.
Go to the Master key management section.

Run the Update EKMF Web Configuration Settings REST Service to define the EKMF Web parameters in GKLM. To specify a custom master key alias, use the masterkeyAlias parameter. For more information about the EKMF Web parameters, see the REST documentation.

Note: In an OIDC authentication setup, ensure that the mtls parameter is set to false. Also, ensure that the master key alias is correct as it cannot be changed directly after it is configured. If you want to change the master key alias, first migrate the master key store from EKMF Web to JCEKS and then reconfigure EKMF Web with the desired master kay alias.

Configuring a single EKMF Web host:

POST SKLM/rest/v1/ckms/masterKey/EKMFWeb/config
{
    "templateName": "TEMPGKLM",
    "mtls": "false",
    "masterkeyAlias": "MKEY123",
    "hosts": [
        {
            "host": "ekmf1.mycompany.com",
            "port": "443",
            "oidcUrl": "https://oidc.ekmf.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a919tf53ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
            "username": "testuser",
            "password": "*******"
        }
    ]
}

Configuring multiple EKMF Web hosts:

To configure multiple EKMF Web hosts, specify the EKMF Web hosts and their details in the hosts parameter in comma-separated format.

POST SKLM/rest/v1/ckms/masterKey/EKMFWeb/config
{
    "templateName": "TEMPGKLM",
    "mtls": "false",
    "masterkeyAlias": "MKEY123",
    "hosts": [
        {
            "host": "ekmf1.mycompany.com",
            "port": "443",
            "oidcUrl": "https://oidc.ekmf.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a919tf53ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
            "username": "testuser",
            "password": "*******"
        }
        {
            "host": "ekmf2.mycompany.com",
            "port": "443",
            "oidcUrl": "https://oidc.ekmf.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a919tf53ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
            "username": "testuser",
            "password": "*******"
        }
    ],
    "hostPreferenceSequence": [ 
            "ekmf1.mycompany.com", 
            "ekmf2.mycompany.com" 
     ]
}

To view the already configured EKMF Web details, run the Get EKMF Web Configuration Settings REST Service.
```
GET https://host:9443/SKLM/rest/v1/ckms/masterKey/EKMFWeb/config
```

Step 3: Import the EKMF Web certificate and OIDC server certificate to the GKLM truststore

Download the EKMF Web public certificate and the OIDC server public certificate.
Log in to the GKLM graphical user interface.
Navigate to Configuration > Truststore, and click Add.
Click Upload and upload the EKMF Web server certificate to the SKLM_DATA directory.
Specify the certificate alias and type of certificate and, click Add to add the certificate in the truststore.
To import the OIDC server certificate, repeat the steps 4 and 5.

Step 4: Test connection

Open the Swagger UI. For more information, see Using Swagger UI.
Go to the Master key management section.
Run the Test or Refresh EKMF Web Connection REST Service to verify whether EKFM Web is configured. This service validates the connection with each of the configured EKMF Web hosts.
```
GET SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection
```
Note: In the response body, for a EKMF Web Crypto only host, the KEY_API_HEALTH response property correctly returns Fail. This is because EKMF Web Crypto only hosts do not support KEY API and only handle cryptographic operations. Also, the CRYPTO_API_HEALTH attribute returns Fail until the Set Up Master Key in EKMF Web REST Service is called.

Step 5: Set up master key in EKMF Web

Open the Swagger UI. For more information, see Using Swagger UI.
Go to the Master key management section.
Run the Set Up Master Key in EKMF Web REST Service to start using the master key in EKMF Web.
If the master key already exists in any other repository (for example, JCEKS or HSM), all the cryptographic objects are encrypted again with the new master key created in EKMF Web.

Note: The encryption of all the cryptographic objects with the new master key might take time depending on the number of cryptographic objects stored in the database.
```
POST SKLM/rest/v1/ckms/masterKey/EKMFWeb/setupMasterKey
```

Step 6: Verify configuration of master key in EKMF Web

To verify that EKMF Web is configured, check whether Master key repository status shows as Connected on the GKLM Welcome page.

The following example shows that the GKLM instance is connected to the EKMF Web host, ekmf.ibm.com and is using KLM41KE as the master key alias.

Master key repository: EKMF Web (Connected- to priority host ekmf.ibm.com-KLM41KE)

If the status is Disconnected, use the Test or Refresh EKMF Web Connection REST Service to diagnose the problem. For example, you can send the following HTTP request:

GET SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection

Procedure on mTLS setup

Set up the key template in EKMF Web
Define EKMF Web configuration in GKLM
Import the EKMF Web certificate
Set up mTLS communication
Use GKLM public certificate and associate it with a user in EKMF Web
Test connection
Set up master key
Verify configuration

Step 1: Set up the key template in EKMF Web

Use the graphical user interface or the REST services of EKMF Web to set up a key template. Create a new key template in EKMF Web by specifying the following parameter values.

Table 1. Key template parameter values

Parameter	Value
Template name	GKLMTEMPLATE
Keystore type	Pervasive Encryption
Key Label template	GKLM.MKEY.<ALIAS> Note: Specify this value as is.
Key type	Cipher
Key size	256
Key state	Active
Keystore groups	cserver Note: Specify a value according to your environment. In a multiple EKMF Web hosts setup, ensure that this parameter is set to all the keystore groups from where the master key is accessed by the multiple EKMF Web hosts.
Advanced properties	`{"keyWords": ["ANY-MODE" ]}`

Step 2: Define EKMF Web configuration properties in GKLM

Log in to the Swagger UI. For more information, see Using Swagger UI.
Go to the Master key management section.

Run the Update EKMF Web Configuration Settings REST Service to define the EKMF Web parameters in GKLM. To specify a custom master key alias, use the masterkeyAlias parameter. As this is a mTLS connection, ensure that you set the mtls parameter to true. For more information about the EKMF Web parameters, see the REST documentation.

Configuring a single EKMF Web host:

POST SKLM/rest/v1/ckms/masterKey/EKMFWeb/config
{
    "templateName": "TMPLGKLM",
    "mtls": "true",
    "masterkeyAlias": "MKEY123",
    "hosts": [
        {
            "host": "gklm.mycompany.com",
            "port": "443"
        }
    ]
}

Configuring multiple EKMF Web hosts:

To configure multiple EKMF Web hosts, specify the EKMF Web hosts and their details in the hosts parameter in comma-separated format.

POST SKLM/rest/v1/ckms/masterKey/EKMFWeb/config
{
  "templateName": "ARV4GKLM",
    "mtls": "true",
    "masterkeyAlias": "MKEY123",
    "hosts": [
         {
            "host": "ekmfweb_hostname1",
            "port": "19443"
        },
       {
           "host": "ekmfweb_hostname2",
            "port": "19443"
        }
   ],
   "hostPreferenceSequence": [
        "ekmf_hostname1",
        "ekmf_hostname2"
    ]
}

Run the Get EKMF Web Configuration Settings REST Service to view the EKMF Web configuration.
```
GET SKLM/rest/v1/ckms/masterKey/EKMFWeb/config
```

Step 3: Import the EKMF Web certificate to the GKLM truststore

Download the EKMF Web public certificate.
Log in to the GKLM graphical user interface.
Navigate to Configuration > Truststore, and click Add.
Click Upload and upload the EKMF Web certificate to the SKLM_DATA directory.
Specify the certificate alias and type of certificate and, click Add to add the certificate in the truststore.

Step 4: Set up Mutual Transport Layer Security (mTLS) communication

To set up mTLS communication between GKLM and EKMF Web, you can either use a GKLM server certificate or a new certificate.

Using a GKLM server certificate
Using a new certificate

Using GKLM server certificate

Create a server certificate in GKLM. For instructions, see Creating a server certificate. If you want to use a CA-signed certificate, see Creating a certificate request. Skip this step if you already have a server certificate created.
Run the Use Server Certificate REST Service to use the server certificate you created in step 1 as the communication certificate with EKMF Web.
1. Log in to the Swagger UI. For more information, see Using Swagger UI.
2. Go to the Master key management section.
3. Run the Use Server Certificate REST Service.
```
POST https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/mtls/useServerCertificate
{
  "serverCertificateAlias": "ekmfweb"
}
```
Export the server public certificate with a valid name, such as, GKLM.cer. For instructions, see Exporting a TLS/KMIP server certificate.
Share this exported public certificate with the EKMF Web administrator. The EKMF Web administrator imports this GKLM public certificate in EKMF Web to trust the connection requests from GKLM.

Using a new certificate

Use a certificate generator tool of your choice to create a certificate. The following example shows certificate creation by using the keytool command:
```
keytool -genkeypair –alias ekmfweb -dname cn=myserver.mydomain.com  -validity 365 -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore mystore.p12 -storepass mystorepass 
```
Where,
- cn is the distinguished name. It must be same as the DNS name of the server that will use the self-signed certificate for SSL.
- alias is the alias of the keys that are created.
- validity is certificate validity in days. For example, 365.
- keysize is the size of the generated RSA key. For example, 2048.
- storetype is the file format, that is PKCS12.
- keystore is the file in which the generated key pair is stored. For example, mystore.p12.
- storepass is the password of the keystore file. For example, mystorepass.
This keytool command generates an RSA public and private key pair with the ekmfweb alias and an X.509 self-signed public key certificate.

You can also get the certificate CA-signed. After you receive the CA-signed certificate, import it into the keystore (mystore.p12).
Export the public key for EKMF Web mTLS authentication and authorization.
The following example shows how to use keytool to generate a public key:
```
keytool -export -storetype PKCS12 -keystore mystore.p12 -storepass mystorepass  -alias ekmfweb -file GKLM.cer
```
Where,
- alias is the alias of the key that is created.
- file is the name of the file that is created. The public certificate is stored in this file, which can be shared with the EKMF Web administrator.
- storetype is the file format, which is PKCS12.
- keystore is the file in which key pair is stored. For example, mystore.p12.
- storepass is the password of the keystore. For example, mystorepass.
Share the exported public key with the EKMF Web administrator, who can then import the public key in EKMF Web to trust GKLM requests.
Import the key pair that you created to the GKLM keystore:
1. Upload the PKCS #12 file to the SKLM_DATA folder by using the Upload File to Server REST Service. For example, you can send the following HTTP request:
```
POST /SKLM/rest/v1/filetransfer/upload/objectfiles
```
2. Import the file you uploaded in step 1 to the keystore by using the Import EKMF Web Key Pair REST Service. For example, you can send the following HTTP request:
```
POST /SKLM/rest/v1/ckms/masterKey/EKMFWeb/cert/import
 {
  "fileName": "mystore.p12",
  "password": "mystorepass",
  "sourceAlias": "ekmfweb",
  "destAlias": "servercert"
}
```

Step 5: Use GKLM public certificate and associate it with a user in EKMF Web for mTLS communication

Use the GKLM certificate that you downloaded in step 4 (for example, GKLM.cer) and configure it in EKMF Web for mTLS communication.

Import the client certificate into ICSF, and associate the certificate with a user. This associated user credentials are used when a client connects with this certificate. For more information, see the Support for mTLS section in EKMF Web documentation.

Note: Ensure that the user associated with the certificate has the rights to create template, create key, update key, delete key, encrypt and decrypt.

Step 6: Test connection

Open the Swagger UI. For more information, see Using Swagger UI.
Go to the Master key management section.
Run the Test or Refresh EKMF Web Connection REST Service to verify whether EKFM Web is configured. This service validates the connection with each of the configured EKMF Web server.
```
GET SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection
```
Note: In the response body, for a EKMF Web Crypto only host, the KEY_API_HEALTH response property correctly returns Fail. This is because EKMF Web Crypto only hosts do not support KEY API and only handle cryptographic operations. Also, the CRYPTO_API_HEALTH attribute returns Fail until the Set Up Master Key in EKMF Web REST Service is called.

Step 7: Set up master key

Open the Swagger UI. For more information, see Using Swagger UI.
Go to the Master key management section.
Run the Set up Master Key EKMF Web Configuration REST Service to start using the master key in EKMF Web.
If the master key already exists in any other repository (for example, JCEKS or HSM), then all the cryptographic objects are encrypted again with the new master key created in EKMF Web.

Note: The encryption of all the cryptographic objects with the new master key might take time depending on the number of cryptographic objects stored in the database.
```
POST SKLM/rest/v1/ckms/masterKey/EKMFWeb/setupMasterkey
```

Step 8: Verify configuration

To verify that EKMF Web is configured, check whether Master key repository status shows as Connected on the GKLM Welcome page.

The following example shows that the GKLM instance is connected to the EKMF Web host, ekmf.ibm.com and is using KLM41KE as the master key alias.

Master key repository: EKMF Web (Connected- to priority host ekmf.ibm.com-KLM41KE)

If the status is Disconnected, use the Test or Refresh EKMF Web Connection REST Service to diagnose the problem. For example, you can send the following HTTP request.

GET SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection

Adding EKMF Web hosts to an existing EKMF Web setup

Before you begin, keep a note of the current master key alias in use. You can find it on the GKLM Welcome page.

To add more EKMF Web hosts to an existing EKMF Web setup, complete the following steps:

Log in to the EKMF Web user interface.
Create a new key template in EKMF Web with the required additional keystore groups. For more information about EKMF Web key template parameters, see step 1: Set up a key template in the the Configuring a new EKMF Web setup section.
In the left-navigation bar, click Key management > Keys.
In the Keys table, select the current master key alias that is in use by GKLM and click the key operations button at the end of the key row.
Click the Align with key template operation and then click Align.
This makes key serving available on new EKMF Web host.
Run the Update EKMF Web Configuration Settings REST Service again with the new EKMF Web hosts specified in the hosts parameter.

Configuring EKMF Web in a replication setup

To configure EKMF Web in a replication setup, complete the following steps:

On the master server, perform the EKMF Web configuration steps. For instructions, see the Configuring a new EKMF Web setup section.
After EKMF Web is configured, take a password-based back up of the GKLM master server.
If password-based back up is not enabled, set the enablePBEInEKMFWeb configuration property to true. You can do so by using the Update Config Property REST Service:
1. Log in to the Swagger UI. For more information, see Using Swagger UI.
2. Go to the Server Configuration section.
3. Run the Update Config Property REST Service.
```
PUT /SKLM/rest/v1/configProperties 
{
   "enablePBEInEKMFWeb": "true" 
}
```
Restore the GKLM master server backup on all the clone servers.
On the clone servers, the hostPreferenceSequence parameter is not replicated during replication. You can use this parameter to set a different preference order on the clone servers than the master server, based on your network configuration for performance and failover.
You can set the hostPreferenceSequence parameter by using the Update EKMF Web Host Connection Preference Order REST service:
```
POST /SKLM/rest/v1/ckms/masterKey/EKMFWeb/config/hostPreferenceSequence
{
  "hostPreferenceSequence": [
        "ekmf_hostname1",
        "ekmf_hostname2"
    ]
}
```

Best practices for configuring EKMF Web

Review the following best practices when you configure EKMF Web:

In a multiple EKMF Web hosts setup, ensure that the key template is configured to distribute the keys to all the required keystore groups used by the multiple EKMF Web hosts.
In a replication setup, the GKLM clone servers are used to only serve the keys. So, to ensure high-availability, connect the master GKLM server to the EKMF Web Full server and the GKLM clone servers to the EKMF Web Crypto only server.

REST documentation

The following are the REST services introduced in GKLM 4.1.1.4:

Get EKMF Web Configuration Settings REST Service
Update EKMF Web Configuration Settings REST Service
Update EKMF Web Host Connection Preference Order REST service
Use Server Certificate for mTLS Authentication with EKMF Web REST Service
Import EKMF Web Key Pair REST Service
Test or Refresh EKMF Web Connection REST Service
Setup Master Key in EKMF Web REST service

Get EKMF Web Configuration Settings REST service

Use the Get EKMF Web Configuration Settings REST Service to list the configured EKMF Web parameters.

Operation

GET

URL

https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/config

By default, Guardium Key Lifecycle Manager server listens to the secure port 9443 (HTTPS) for communication. During IBM Security Guardium Key Lifecycle Manager installation, you can modify this default port.

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	application/json
Accept	application/json
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by GKLM. For example, en or de.

Response

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON property name	Description
code	Returns the success code.
status	Returns a message that describes the status.

Error response body

JSON property name	Description
code	Returns the application error code.
status	Returns a message that describes the error.

Example

To view the configured EKMF Web parameters in GKLM, send this HTTP request:

GET https://host:9443/SKLM/rest/v1/ckms/masterKey/EKMFWeb/config

Success response

{
  "templateName": "KeytemplateTEST",
    "mtls": "false",
    "masterkeyAlias": "MKEY123",
    "hosts": [
         {
            "host": "ekmf1.mycompany.com",
            "port": "443",
            "oidcUrl": "https://oidc.ekmf.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a9e6df92ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
            "username": "oidc_username",
            "password": "*******"
        },
         { "host": "ekmf2.mycompany.com",
            "port": "4443",
            "oidcUrl": "https://oidc.ekmf.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a9e6df92ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
            "username": "oidc_username",
            "password": "*******"
        },
         {"host": "ekmf3.mycompany.com",
            "port": "4443",
            "oidcUrl": "https://oidc.ekmf.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a9e6df92ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
            "username": "oidc_username",
            "password": "*******"
          }
      ],
     "hostPreferenceSequence": [
          "ekmf1.mycompany.com",
          "ekmf2.mycompany.com",
          "ekmf3.mycompany.com"
    ]
}

Update EKMF Web Configuration Settings REST service

Use the Update EKMF Web Configuration Settings REST Service to define the EKMF Web configuration parameters in GKLM.

Operation

POST

URL

https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/config

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	application/json
Accept	application/json
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by GKLM. For example, en or de.

Request body

Property name	Description	Required or Optional
templateName	Name of the key template that you created in EKMF Web.	Required
mTLS	Set this property to true for mTLS communication between EKMF Web and GKLM. Possible values are true or false.	Required in a mTLS setup
masterKeyAlias	Specify a custom alias for the master key. If no value is specified, by default the master key is created with an alias in the format KLMnKEY. Where, n is a number that automatically increments with every GKLM server that is configured with an EKMF Web host. For example, KLM1KEY, KLM2Key. The master key alias that you specify must contain only alphabets in uppercase and numbers and must be 7 characters long. For example, ALIAS123. Note: After the master key alias is configured, it cannot be changed directly. If you want to change the master key alias, first migrate the master key store from EKMF Web to JCEKS and then reconfigure EKMF Web with the desired master kay alias.	Optional
hostPreferenceSequence	Specifies the preference order in which GKLM connects to the configured EKMF Web hosts	Optional
hosts	An array to specify EKMF Web hosts and their details.	Required
host	Hostname or IP address of the EKMF host.	Required
port	Port number to access the EKMF Web server.	Required
oidcUrl	URL of the OIDC server for authenticating to the EKMF Web server.	Required in an OIDC setup
clientId	Client ID. You can get this parameter value from the EKMF Web configuration.	Required in an OIDC setup
clientSecretPassword	Password associated with the client ID. You can get this parameter value from the EKMF Web configuration.	Required in an OIDC setup
username	Username of the EKMF Web server. You can get this parameter value from the EKMF Web configuration.	Required in an OIDC setup
password	Password associated with the username of the EKMF Web server. You can get this parameter value from the EKMF Web configuration.	Required in an OIDC setup

Response

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON property name	Description
status	Returns a message that describes the status.

Error response body

JSON property name	Description
code	Returns the application error code.
status	Returns a message that describes the error.

Example

To set the EKMF Web properties in GKLM, send the following HTTP request:

Request for configuring a single EKMF Web host with GKLM:

POST https://host:9443/SKLM/rest/v1/ckms/masterKey/EKMFWeb/config
{
    "templateName": "ARV7GKLM",
    "mtls": "false",
    "masterkeyAlias": "MKEY123",
    "hosts": [
        {
            "host": "ekmf1.mycompany.com",
            "port": "443",
            "oidcUrl": "https://oidc.ekmf1.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a9e6df92ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
            "username": "oidc_username",
            "password": "*******"
        }
    ]
}

Request for configuring multiple EKMF Web hosts with GKLM:

{
  "templateName": "keytemplateTEST",
    "mtls": "false",
    "masterkeyAlias": "MKEY123",
    "hostPreferenceSequence": [
           "ekmf1.mycompany.com",
           "ekmf2.mycompany.com",
           "ekmf3.mycompany.com"
    ],
    "hosts": [
         {
            "host": "ekmf1.mycompany.com",
            "port": "443",
            "oidcUrl": "https://oidc.ekmf.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a9e6df92ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
            "username": "oidc_username",
            "password": "*******"
        },
         {"host": "ekmf2.mycompany.com",
            "port": "4443",
            "oidcUrl": "https://oidc.ekmf.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a9e6df92ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
           "username": "oidc_username",
            "password": "*******"
        },
         { "host": "ekmf3.mycompany.com",
            "port": "4443",
            "oidcUrl": "https://oidc.ekmf.mycompany.com/oidc/endpoint/EkmfOpenIdConnect/token",
            "clientId": "9a9e6df92ccf42d9b0c756312846ec98",
            "clientSecretPassword": "*******",
           "username": "oidc_username",
            "password": "*******"
}
]
}

Success response

{
  "status": "CTGKM0606I Update successful, change will take effect immediately"
}

Incorrect request example where OIDC URL is not specified:

POST https://host:9443/SKLM/rest/v1/ckms/masterKey/EKMFWeb/config
{
  "templateName": "KeyTemplateTEST",
  "mtls": "false",
  "masterkeyAlias": "MKEY123",
  "hosts": [
    {
           "host": "ekmf1.mycompany.com",
            "port": "19443",
            "clientId": "fefc57767d3c4e2cbbb3db35123f483d",
            "clientSecretPassword": "*******",
            "username": "oidc_username",
            "password": "*******"
    }
  ]
}

Error response

{
  "code": "CTGKM0631E",
  "message": "CTGKM0631E Missing required parameter \"  oidcUrl  \" ."
}

Update EKMF Web Host Connection Preference Order REST Service

Use the Update EKMF Web Host Connection Preference Order REST Service to update the preference order of EKMF Web hosts for GKLM requests, when multiple EKMF Web hosts are configured. If a configured EKMF Web host is not mentioned, it is given the last preference by default.

Operation

POST

URL

https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/config/hostPreferenceSequence

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	application/json
Accept	application/json
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by GKLM. For example, en or de.

Request body

Property name	Description
hostPreferenceSequence	Specify the connection preference order of EKMF Web hosts for GKLM requests, when multiple EKMF Web hosts are configured. Specify the hostnames or IP addresses of the EKMF Web hosts that you specified in the hosts parameter during EKMF Web configuration. For example, `{ "hostPreferenceSequence": [ "EKMFWeb_host1", "EKMFWeb_host2" ] }`

Response

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON property name	Description
status	Returns a message that describes the status.

Error response body

JSON property name	Description
code	Returns the application error code.
status	Returns a message that describes the error.

Example

To set EKMF Web hosts preference order, send this HTTP request:

POST https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/config/hostPreferenceSequence

{
  "hostPreferenceSequence": [

   "ekmf_host1",
    "ekmf_host2",
    "ekmf_host3"   
  ]
}

Success response

[
  {
    "property": "ekmfweb.hostPreferenceSequence",
    "status": "CTGKM0606I Update successful, change will take effect immediately"
  }
]

Invalid request example where the EKMF Web host name is incorrect:

POST https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/config/hostPreferenceSequence

{
  "hostPreferenceSequence": [

   "abc",
    "ekmf_host2",
    "ekmf_host3"   
  ]
}

Error response

{
  "code": "CTGKM3608E",
  "message": "CTGKM3608E Value for configuration parameter hostPreferenceSequence=abc is not valid. It is not configured as valid host to connect."
}

Use Server Certificate for mTLS Authentication with EKMF Web REST Service

Use the Use Server Certificate for mTLS Authentication with EKMF Web REST Service to use an existing GKLM server certificate for mTLS communication between GKLM and EKMF Web.

Operation

POST

URL

https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/mtls/useServerCertificate

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	application/json
Accept	application/json
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by GKLM. For example, en or de.

Request body

Property name	Description
serverCertificateAlias	Specify the alias of the server certificate that is to be used as the communication certificate. By default, the current in-use server certificate is used as the communication certificate.

Response

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON property name	Description
message	Returns a message that describes the status.

Error response body

JSON property name	Description
code	Returns the application error code.
status	Returns a message that describes the error.

Example

To perform an action to set up mTLS communication between EKMF Web and GKLM, send this HTTP request:

POST https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/mtls/useServerCertificate
{
  "serverCertificateAlias": "ekmfweb"
}'

Success response:

{
  "message": "CTGKM3333I Successfully imported the key with alias : $ekmfweb."
}

Invalid request example where the certificate alias is incorrect:

POST https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/mtls/useServerCertificate
{
  "serverCertificateAlias": "server_cert"
}'

Error response:

{
  "code": "CTGKM6230E",
  "message": "CTGKM6230E Failed to add the certificate because its alias could not be found in the database. Ensure that the certificate alias exists in the database, and retry the operation."
}

Import EKMF Web Key Pair REST Service

Use the Import EKMF Web Key Pair REST Service to import EKMF Web server key pair to the GKLM keystore for mTLS authentication.

Operation

POST

URL

https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/cert/import

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	application/json
Accept	application/json
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by GKLM. For example, en or de.

Request body

Property name	Description
fileName	Specify the file name in P12 format. The file is uploaded to the SKLM_DATA folder.
password	Specify the password for the P12 file if it exists.
sourceAlias	Specify the source alias of the certificate and key in P12 file.
destAlias	Specify the new alias of the key pair to be stored in GKLM keystore. By default, ekmfweb is used as the alias. If this is changed, make sure to update the ekmfweb.keyAlias configuration property with same name.

Response

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON property name	Description
code	Returns the success code.
status	Returns a message that describes the status.

Error response body

JSON property name	Description
code	Returns the application error code.
status	Returns a message that describes the error.

Example

To import the EKMF Web key pair, send this HTTP request:

POST https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/cert/import

{
  "fileName": "ekmfsupplied.p12",
  "password": "file_password",
  "sourceAlias": "ekmfcert",
  "destAlias": "ekmfweb"
}

Success response:

{
 "message": "CTGKM3333I Successfully imported the key with alias : $ekmfweb."
}

Invalid request example where the key pair details are incorrect:

POST https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/cert/import
{
  "fileName": "ekmf.p12",
  "password": "pass",
  "sourceAlias": "ekmf",
  "destAlias": "ekmfweb"
}'

Error response:

{
  "code": "CTGKM3506E",
  "message": "CTGKM3506E Cannot import file ${SKLM_DATA}/string. Ensure that you specify the correct file name and path."
}

Test or Refresh EKMF Web Connection REST Service

Use the Test or Refresh EKMF Web Connection REST Service to test whether the configured EKMF Web hosts are reachable from GKLM.

Operation

POST

URL

https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	application/json
Accept	application/json
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by GKLM. For example, en or de.

Response

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

Note: For a EKMF Web Crypto only host, the KEY_API_HEALTH response property correctly returns Fail. This is because EKMF Web Crypto only hosts do not support KEY API and only handle cryptographic operations. Also, the CRYPTO_API_HEALTH attribute returns Fail until the Set Up Master Key in EKMF Web REST Service is called.

JSON property name	Description
KEY_API_HEALTH	Indicates whether the Key API is available. Possible values are: Pass: Indicates that the Key API is available Fail: Indicates that the Key API is unavailable or the EKMF Web host is Crypto only host and does not support the Key API.
CRYPTO_API_HEALTH	Indicates whether the Crypto API is available. Possible values are: Pass: Indicates that the Crypto API is available Fail: Indicates that the Crypto API is unavailable.
Details-KEY_API	Returns the details of the Key API.
Host	Returns the details of the EKMF Web host.
Details-CRYPTO_API	Returns the details of the Crypto API.
Result	Indicates whether the EKMF Web host is reachable. Possible values are: Success: Indicates that the EKMF Web host is reachable. Fail: Indicates that the EKFM Web host is unreachable.

Error response body

JSON property name	Description
code	Returns the application error code.
status	Returns a message that describes the error.

Example

To test the connection between EKMF Web and GKLM, send this HTTP request:

GET https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection

Success response:

[
  {
    "KEY_API_HEALTH": "Pass",
    "CRYPTO_API_HEALTH": "Pass",
    "Details-KEY_API": "Key api is available on EKMF Web host ekmf_host1 and master key alias 240322.",
    "Host": "ekmf_host1",
    "Details-CRYPTO_API": "Crypto api available using master key alias 240322 ",
    "Result": "Success"
  },
  {
    "KEY_API_HEALTH": "Fail",
    "CRYPTO_API_HEALTH": "Pass",
    "Details-KEY_API": "Key api is not available on this EKMF Web server instance.",
    "Host": "ekmf_host2",
    "Details-CRYPTO_API": "Crypto api available using master key alias 240322 ",
    "Result": "Success"
  }
]

Set Up Master Key REST Service

Use the Set Up Master Key REST Service to start using the master key in EKMF Web.

Operation

POST

URL

POST https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/setupMasterKey

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	application/json
Accept	application/json
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by GKLM. For example, en or de.

Response

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON property name	Description
code	Returns the success code.
status	Returns a message that describes the status.

Error response body

JSON property name	Description
code	Returns the application error code.
status	Returns a message that describes the error.

Example

To set up the master key, send this HTTP request:

POST https://host:port/SKLM/rest/v1/ckms/masterKey/EKMFWeb/setupMasterKey

Success response

{
  "code": "CTGKM3606I",
  "message": "Master key has been successfully set up in the EKMF Web master key repository."
}

Updating EKMF certificate

Run the following steps to update an EKMF certificate.

Identify GKLM certificate that you want to use for communication with EKMF. The certificate can be a GKLM server certificate or any other appropriate certificate.
Add the certificate to EKMF. You need to map the new certificate with EKMF user.
Run the Set Up Master Key in EKMF Web REST Service to mark the certificate as “In Use”.

Note - These steps are only applicable for GKLM 4.1.1.4 onwards. And, the steps are not applicable for GKLM 4.2 onwards.

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 3 (4.1.1.3)

Refer to the Readme file for details about the fixed issues, and for instructions to download and apply the fix pack.

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 2 (4.1.1.2)

Refer to the Readme file for details about the fixed issues, and for instructions to download and apply the fix pack.

IBM Security Guardium Key Lifecycle Manager Version 4.1.1.2 offers the following enhancements:

Support for symmetric key wrapping for 3592 tape drives
Support for Mutual-TLS based authentication between EKMF Web and IBM Security Guardium Key Lifecycle Manager
Server certificate enhancements
- Support for changing TLS server certificates for UI access
- Support for presenting the server certificate chain of trust
Enhanced performance of KMIP query to retrieve and show real-time HADR status.

Support for symmetric key wrapping for 3592 tape drives

With V4.1.1.2, you can now use symmetric or AES keys to wrap encryption keys for 3592 tape drives that are randomly generated, in addition to using certificates. Using symmetric key wrapping for 3592 tape drives is a first step towards making encryption key exchange between IBM Security Guardium Key Lifecycle Manager and 3592 tape drives quantum-safe.

The symmetric keys and certificates that you create for 3592 tape drives are collectively called wrapping keys.

You can do the following administrative activities:

Guided key and device creation

Use these options to create your first wrapping key and drive, and to add more wrapping keys or drives later.

Creating a wrapping key
Identifying drives

Administering wrapping keys and devices

Use these options to determine the status of wrapping keys and drives, to associate wrapping keys and drives, and to add, modify, or delete specific wrapping keys or drives.

Adding a wrapping key
Specifying a rollover wrapping key
Modifying a wrapping key
Deleting a wrapping key
Adding a drive
Modifying a drive
Deleting a drive

Guided key and device creation

Creating a wrapping key

As a first activity, create a wrapping key (certificate or AES key). If you are creating a certificate or certificate request, determine your site policy for the use of self-signed and certificates that are issued by a certificate authority.

About this task

You can use the Create Wrapping Key dialog box to create wrapping keys. Alternatively, you can use the following REST services:

Create Certificate REST Service
Certificate Generate Request REST Service
Secret Key Create REST Service

Your role must have the permissions to the create action and to the appropriate device group. To make a wrapping key the default, your role must have permission to the modify action.

Procedure

Go to the appropriate page or directory.
- Graphical user interface:
  1. Log in to the graphical user interface.
  2. In the Key and Device Management section on Welcome page, select 3592.
  3. Click Go to > Guided key and device creation.
  4. Alternatively, right-click 3592 and select Guided key and device creation.
- REST interface:
  - Open a REST client.
Create a wrapping key.
- Graphical user interface:
  1. On the Step 1: Create Wrapping Key page, click Create.
  2. On the Create Wrapping Key dialog box, select the wrapping key type, Certificate or AES Key.
  3. Click Create.
  4. Create a wrapping key.
    - Certificate:
      1. On the Create Certificate dialog box, select either a self-signed certificate, or a certificate request for a third-party provider.
      2. Specify values for the required and optional parameters. For example, you might optionally specify that this certificate is the default or the partner certificate. Then, click Create Certificate.
    - AES Key:
      On the Create AES Key dialog box, specify values for the required and optional parameters. For example, you might optionally specify that this AES key is the default or the partner AES key. Then, click Create.
  5. Click Close.
- REST interface:
  1. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
  2. Create a wrapping key.
    - Certificate:
      Use the Create Certificate REST Service to create a certificate. For example, you can send the following HTTP request:
```
POST https://localhost:port/SKLM/rest/v1/certificates
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth authId=139aeh34567m
Accept-Language : en
{"type":"selfsigned","alias":"sklmCertificate1","cn":"sklm","ou":"sales",
"o":"myCompanyName","usage":"3592","country":"US","validity":"999", "
algorithm ": " RSA " }
```
    - Certificate request:
      Use the Certificate Generate Request REST Service to create a PKCS #10 certificate request file. For example, you can send the following HTTP request:
```
POST https://localhost:port/SKLM/rest/v1/certificates
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth authId=139aeh34567m
{"type":"certreq","alias":"sklmCertificate1","cn":"sklm","ou":"sales","o":
"myCompanyName","usage":"3592","country":"US","validity":"999","fileName":
"myCertRequest1.crt","algorithm":"ECDSA"}
```
    - AES Key:
      Use the Secret Key Create REST Service to create symmetric keys. For example, you can send the following HTTP request:
```
POST https://localhost:port/SKLM/rest/v1/keys
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"alias":"abc","numOfKeys":"1","usage":"3592"}
```

What to do next

Back up the new wrapping keys before they are served to devices. For a certificate request, the next step might be to import the signed certificate. You can go to the next step to define specific devices, and associate wrapping keys with the devices. Select Step 2: Identify Drives or click Go to Next Step.

For a 3592 tape drive, also specify values for the system default and partner wrapping keys in the IBM Security Guardium Key Lifecycle Manager database. Use the Device Group Attribute Update REST Service to set these values.

Identifying drives

You can identify a 3592 tape drive for use with IBM Security Guardium Key Lifecycle Manager. Before you begin, create the wrapping keys that you want to associate with the devices that you are about to identify.

About this task

You can use the Add Tape Drive dialog box or the Device Add REST Service to add a device. Your role must have the permission to the create action and to the appropriate device group.

Additionally, if you want to associate a system default or partner wrapping key with the device you identify, you can use the following REST services:

These values were previously stored in the drive.default.alias1 (for system default) or drive.default.alias2 (for system partner) properties.

You can make any of the following choices for serving wrapping keys to devices:

Only accept manually added devices for communication
All incoming devices are not added to the data store. You must manually specify key service to each device.
Hold new device requests pending my approval
All incoming devices of a valid device group are added to the device store, but are not automatically served keys upon request. You must accept or reject a device in the pending devices list before the device is served keys upon request.
Automatically accept all new device requests for communication
All new incoming devices of a valid device group are added to the data store and are automatically served keys upon request.

Note: Do not use this setting if you intend to move the new device to another device group. Instead, select manual or pending approval mode to allow an opportunity to move the device into the appropriate device group before any keys are served.

Procedure

Go to the appropriate page or directory.
- Graphical user interface:
  1. Log in to the graphical user interface.
  2. In the Key and Device Management section on Welcome page, select 3592.
  3. Click Go to > Guided key and device creation.
  4. Alternatively, right-click 3592 and select Guided key and device creation.
- REST interface:
  Open a REST client.
Skip Step 1: Create wrapping keys. Click the Go to Next Step link or click Step 2: Identify Drives.
You might specify that IBM Security Guardium Key Lifecycle Manager holds new device requests for your approval.
- Graphical user interface:
  Select the Hold new device requests pending my approval option.
- REST interface:
  1. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
  2. Use the Device Group Attribute Update REST Service to set the value of the device.AutoPendingAutoDiscovery attribute. For example, you can send the following HTTP request:
```
PUT https://localhost:port/SKLM/rest/v1/deviceGroupAttributes
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth authId=139aeh34567m
{"name":"3592","attributes":"device.AutoPendingAutoDiscovery 2"}
```
Add a device.
- Graphical user interface:
  1. On the Step 2: Identify Drives page, in the Devices table, click Add.
  2. On the Add Tape Drive dialog box, type the required and optional information.
  3. Click Add Tape Drive.
- REST interface:
  You can use the Device Add REST Service to add a device. For example, you can send the following HTTP request:
```
POST https://localhost:port/SKLM/rest/v1/devices
Content-Type: application/json
Accept : application/json
Authorization : SKLMAuth userAuthId=37ea1939-1374-4db7-84cd-14e399be2d20
Accept-Language : en
{"type":"3592","serialNumber":"CDA39403AQJF","attributes":"worldwideName
ABCdeF1234567890,description marketingDivisionDrive"}
```

What to do next

Next, use the 3592 Key and Device Management page to view all wrapping keys and devices.

Administering wrapping keys and devices

Adding a wrapping key

You can add more wrapping keys for use with IBM Security Guardium Key Lifecycle Manager. If you are creating certificates, determine your site policy on the use of self-signed and CA certificates.

About this task

You can use the Create Wrapping Key dialog box to create wrapping keys. Alternatively, you can use the following REST services:

Create Certificate REST Service
Certificate Generate Request REST Service
Secret Key Create REST Service

Your role must have the permissions to the create action and to the appropriate device group. To make a wrapping key the default, your role must have permission to the modify action.

Procedure

Go to the appropriate page or directory.
- Graphical user interface:
  1. Log in to the graphical user interface.
  2. In the Key and Device Management section on Welcome page, select 3592.
  3. Click Go to > Manage keys and devices.
  4. Alternatively, right-click 3592 and select Manage keys and devices.
  5. On the management page for 3592, click Add.
  6. Select Wrapping Key.
- REST interface:
  Open a REST client.
Create a wrapping key.
- Graphical user interface:
  1. On the Create Wrapping Key dialog box, select the wrapping key type, Certificate or AES Key.
  2. Click Create.
  3. Create a wrapping key.
    - Certificate:
      1. On the Create Certificate dialog box, select either a self-signed certificate, or a certificate request for a third-party provider.
      2. Specify values for the required and optional parameters. For example, you might optionally specify that this certificate is the default or the partner certificate. Then, click Create Certificate.
    - AES Key:
      On the Create AES Key dialog box, specify values for the required and optional parameters. For example, you might optionally specify that this AES key is the default or the partner AES key. Then, click Create.
- REST interface:
  Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
  - Certificate
    Use the Create Certificate REST Service to create a certificate and a public and private key pair, and store the certificate in an existing keystore. For example, you can send the following HTTP request:
    POST https://localhost:port/SKLM/rest/v1/certificates Content-Type: application/json Accept : application/json Authorization: SKLMAuth authId=139aeh34567m Accept-Language : en {"type":"selfsigned","alias":"sklmCertificate1","cn":"sklm","ou": "sales","o":"myCompanyName","usage":"3592","country":"US","validity": "999", "algorithm ": " RSA " }
  - Certificate request
    Use the Certificate Generate Request REST Service to create a PKCS #10 certificate request file. For example, you can send the following HTTP request:
    POST https://localhost:port/SKLM/rest/v1/certificates Content-Type: application/json Accept : application/json Authorization: SKLMAuth authId=139aeh34567m {"type":"certreq","alias":"sklmCertificate1","cn":"sklm","ou": "sales","o":"myCompanyName","usage":"3592","country":"US","validity": "999","fileName":"myCertRequest1.crt","algorithm":"ECDSA"}
  - AES key
    Use the Secret Key Create REST Service to create one or more symmetric keys to encrypt and decrypt data. For example, you can send the following HTTP request:
```
POST https://localhost:port/SKLM/rest/v1/keys
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"alias":"abc","numOfKeys":"1","usage":"3592"}
```

What to do next

Back up the new certificates or AES keys before they are served to devices. You can associate a wrapping key with a specific device.

If you selected certificate request, manually send the certificate request to a certificate authority. When the signed certificate returns, import the certificate by using a pending action item on the Welcome panel, or by using the Certificate Import REST Service. When the import completes, back up the certificate to enable serving the certificate to a device.

Specifying a rollover wrapping key

You can specify a wrapping key for future use as the system default or system partner wrapping key.

About this task

You can use the Add Future Write Default dialog box to add a default wrapping key rollover for a specific date and device group. Alternatively, you can use the Add Key Default Rollover REST Service.

Your role must have the permission to the create action and to the appropriate device group.

Procedure

Go to the appropriate page or directory.
- Graphical user interface:
  1. Log in to the graphical user interface.
  2. In the Key and Device Management section on Welcome page, select 3592.
  3. Click Go to > Manage default rollover.
  4. Alternatively, right-click 3592 and select Manage default rollover.
  5. On the management page for 3592, click Add.
- REST interface:
  Open a REST client.
Specify an existing wrapping key for future use as a system default or system partner wrapping key.
- Graphical user interface:
  1. On the Add Future Write Default box, select the wrapping key.
  2. Specify whether the key becomes a partner or default wrapping key on the effective date.
  3. Select the effective date.
  4. Click Add Future Write Default.
  Note:
  Do not specify two defaults for the same rollover date.
  
  No validation occurs on whether the selected wrapping key is expired or expires at the time of the rollover.
  
  If a wrapping key does not exist at the time of rollover, IBM Security Guardium Key Lifecycle Manager continues to use the current default wrapping key.
  
  You can add or delete table entries, but cannot modify an entry.
- REST interface:
  Use the Add Key Default Rollover REST Service to add a default wrapping key rollover for a specific date and device group. The rollover key takes the place of the previous default key.
```
POST https://localhost:port/SKLM/rest/v1/rollover/3592
Accept: application/json
Accept-Language: en
Authorization: SKLMAuth userAuthId=b27c9eaa-cef7-4a65-87f2-8a964ac5ace2
Content-Type: application/json
{
  "alias": "key2",
  "keyDefaultType": "1",
  "effectiveDate": "2021-11-05"
}'
```
A success indicator varies, depending on the interface:
- Graphical user interface:
  The wrapping key is added to the table of rollover certificates and keys on the 3592 page.
- Rest interface:
  The status code 200 OK indicates success.
To delete a 3592 wrapping key context from the rollover table:
- Graphical user interface:
  1. Select a 3592 wrapping key context and click Delete. Your role must have a permission to the delete action. Read the warning message. Then, click OK.
  2. The wrapping key is unmarked as a future system default or partner wrapping key, but is otherwise not changed or deleted.
- REST interface:
  - Use the List Key Default Rollover REST Service to list key rollovers in a rollover list.
```
GET https://localhost:port/SKLM/rest/v1/rollover/3592?usage=3592
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
```
  - Use the Delete Key Default Rollover REST Service to remove a wrapping key rollover that is specified in a rollover list.
```
DELETE https://localhost:port/SKLM/rest/v1/rollover/3592/ROLLOVER-d70d6f8-90409301-ecc7-4e3e-ad25-e687b8f9d5ee
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
```

Modifying a wrapping key

You can modify whether a wrapping key is used as the system default or system partner key. Before you begin, determine the changed information for the key, such as a description, or whether you want to make the key system default or system partner key. If you use the REST interface, obtain the value of the uuid for the certificate.

About this task

You can use the Modify Wrapping Key dialog box to modify a wrapping key. Alternatively, you can use the following REST services:

Certificate Update REST Service
Device Type Attribute Update REST Service

Your role must have the permissions to the modify action and to the appropriate device group.

Procedure

Go to the appropriate page or directory.
- Graphical user interface:
  1. Log in to the graphical user interface.
  2. In the Key and Device Management section on Welcome page, select 3592.
  3. Click Go to > Manage keys and devices.
  4. Alternatively, right-click 3592 and select Manage keys and devices.
  5. On the management page for 3592, select a wrapping key in the wrapping key table.
  6. Click Modify.
  7. Alternatively, right-click or double-click a wrapping key and then select Modify.
- REST interface:
  Open a REST client.
Modify the wrapping key information:
- Graphical user interface:
  - Certificate: On the Modify Certificate dialog box, change the appropriate fields. Then, click Modify Certificate.
  - AES key: On the Modify AES Key dialog box, change the appropriate fields. Then, click Modify Key.
- REST interface:
  - Use the Certificate List REST Service to find a certificate. For example, you can send the following HTTP request:
    
    GET https://localhost:port/SKLM/rest/v1/certificates?attributes= state active Content-Type: application/json Accept: application/json Authorization : SKLMAuth userAuthId=37ea1939-1374-4db7-84cd-14e399be2d20 Accept-Language : en
  - Use the Certificate Update REST Service to update attributes or usage for a certificate. For example, you can send the following HTTP request:
    
    PUT https://localhost:port/SKLM/rest/v1/certificates Content-Type: application/json Accept: application/json Authorization: SKLMAuth authId=139aeh34567m {"uuid":"CERTIFICATE-99fc36a-4ab6a0e12343","usage": "3592","attributes":"information newinformation" }

What to do next

Next, you might use the 3592 Key and Device Management page to associate wrapping keys with specific devices.

Deleting a wrapping key

You can delete a selected wrapping key, which can be in any state, such as active or expired. You cannot delete a wrapping key that is marked as a default or partner key, or is scheduled for rollover.

About this task

Before you begin, ensure that a backup exists of the keystore with the wrapping key that you intend to delete. Verify that the wrapping key is not marked as a default or partner key, or is scheduled for rollover. Determine the current state of the wrapping key, and ensure that deleting a wrapping key in this state conforms with your site policies.

Important: Delete wrapping keys only when the data protected by those wrapping keys is no longer needed. Deleting wrapping keys is like erasing the data. After the wrapping keys are deleted, data that is protected by those wrapping keys is not retrievable. Deleting a wrapping key deletes the material from the database.

You can use the Delete menu item to delete a wrapping key. Alternatively, you can use the following REST services:

Delete Certificate REST Service
Delete Key REST Service

Your role must have permissions to the delete action and to the appropriate device group.

Procedure

Go to the appropriate page or directory.
- Graphical user interface:
  1. Log in to the graphical user interface.
  2. In the Key and Device Management section on Welcome page, select 3592.
  3. Click Go to > Manage keys and devices.
  4. Alternatively, right-click 3592 and select Manage keys and devices.
  5. On the management page for 3592, select a wrapping key in the wrapping key table.
  6. Click Delete.
  7. Alternatively, right-click a wrapping key and then select Delete.
- REST interface:
  Open a REST client.

Delete the wrapping key.

Graphical user interface:
On the Confirm dialog box, read the confirmation message to verify that the correct wrapping key is selected before you delete the wrapping key. Then, click OK.

REST interface:

Use the Certificate List REST Service to find a certificate. For example, you can send the following HTTP request:

GET https://localhost:port/SKLM/rest/v1/certificates?attributes=
state active 
Content-Type: application/json 
Accept: application/json 
Authorization : SKLMAuth userAuthId=37ea1939-1374-4db7-84cd-14e399be2d20 
Accept-Language : en

Use the Delete Certificate REST Service to delete a certificate. For example, you can send the following HTTP request:

DELETE https://localhost:port/SKLM/rest/v1/certificates/mycertalias
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth authId=139aeh34567m
Accept-Language : en

Use the Delete Key REST Service to delete a key entry from the keystore. For example, you can send the following HTTP request:

DELETE https://localhost:port/SKLM/rest/v1/keys/{keyAlias}
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m

What to do next

Next, you might back up the keystore again to accurately reflect the change in certificates.

Adding a drive

You can add a 3592 tape drive to the IBM Security Guardium Key Lifecycle Manager database. Before you begin, create the wrapping keys that you want to associate with the drives that you are about to identify. Additionally, obtain the tape drive serial number, and other description information. Determine whether the drive uses a specific wrapping key, or a system default wrapping key.

About this task

You can use the Add Tape Drive dialog box or the Device Add REST Service to add a device. Your role must have the permission to the create action and a permission to the appropriate device group.

Procedure

Go to the appropriate page or directory.
- Graphical user interface:
  1. Log in to the graphical user interface.
  2. In the Key and Device Management section on Welcome page, select 3592.
  3. Click Go to > Manage keys and devices.
  4. Alternatively, right-click 3592 and select Manage keys and devices.
  5. On the management page for 3592, click Add.
  6. Click Tape Drive.
- REST interface:
  Open a REST client.

Add a device.

Graphical user interface:
On the Add Tape Drive dialog box, type the required and optional information. Then, click Add Tape Drive.

REST interface:

Use the Device Add REST Service to add a device. For example, you can send the following HTTP request:

POST https://localhost:port/SKLM/rest/v1/devices
Content-Type: application/json
Accept : application/json
Authorization : SKLMAuth userAuthId=37ea1939-1374-4db7-84cd-14e399be2d20
Accept-Language : en
{"type":"3592","serialNumber":"CDA39403AQJF","attributes":"worldwideName
ABCdeF1234567890,description salesDivisionDrive"}

What to do next

Next, you might determine the status of the drive that you added.

Modifying a drive

You can modify information about a tape drive in the IBM Security Guardium Key Lifecycle Manager database. For example, you can update the specification for a partner wrapping key that the drive uses, or specify an alternate device group within the same device family.

About this task

Before you begin, create the wrapping keys that you need to associate with the devices that you are about to modify. If you use the REST interface, obtain the value of the uuid for the device that you intend to update. Also, obtain the alias of any certificate that is associated with the drive.

You can use the Modify Tape Drive dialog box or the Device Update REST Service to update a tape drive, or specify an alternate drive within the same device family. Your role must have permissions to the modify action and to the appropriate device group.

Procedure

Go to the appropriate page or directory.
- Graphical user interface:
  1. Log in to the graphical user interface.
  2. In the Key and Device Management section on Welcome page, select 3592.
  3. Click Go to > Manage keys and devices.
  4. Alternatively, right-click 3592 and select Manage keys and devices.
  5. On the management page for 3592, select a drive entry in the devices table.
  6. click Modify.
  7. Alternatively, right-click a drive and then select Modify, or double-click a drive entry.
- REST interface:
  Open a REST client.

Modify a device.

Graphical user interface:
In the Modify Tape Drive dialog box, type the required and optional information. Then, click Modify Tape Drive.

REST interface:

Use the Device List REST Service to locate a device. For example, you can send the following HTTP request:

GET https://localhost:port/SKLM/rest/v1/devices 
Content-Type: application/json
Accept : application/json
Authorization : SKLMAuth userAuthId=37ea1939-1374-4db7-84cd-14e399be2d20
Accept-Language : en

Use the Device Update REST Service to update a device. For example, you can send the following HTTP request:

PUT https://localhost:port/SKLM/rest/v1/devices
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth authId=139aeh34567m
{"uuid":"DEVICE-64c588ad-5ed8-4934-8c84-64cb9e11d990","attributes":"aliasTwo myPartner99"}

What to do next

Next, verify that the changes are made. For optional fields, such as the description, you might want to run the Device List REST Service to determine whether the value is changed. Alternatively, reopen the Modify Tape Drive dialog box.

Deleting a drive

You can delete a tape drive. Metadata for the drive that you delete, such as the drive serial number, is removed from the IBM Security Guardium Key Lifecycle Manager database.

About this task

Before you begin, ensure that a current backup exists for the wrapping keys and devices at your site. Obtain the uuid of the device you intend to delete.

You can use the Delete menu item or the Device Delete REST Service to delete a device. Your role must have permissions to the delete action and to the appropriate device group.

Procedure

Go to the appropriate page or directory.
- Graphical user interface:
  1. Log in to the graphical user interface.
  2. In the Key and Device Management section on Welcome page, select 3592.
  3. Click Go to > Manage keys and devices.
  4. Alternatively, right-click 3592 and select Manage keys and devices.
  5. On the management page for 3592, select a device.
  6. Click Delete.
  7. Alternatively, right-click a drive and then select Delete.
- REST interface:
  Open a REST client.
Delete the device.
- Graphical user interface:
  On the Confirm dialog box, read the confirmation message to verify that the correct device is selected before you delete the device. Metadata for the drive that you delete, such as the drive serial number, is removed from the IBM Security Guardium Key Lifecycle Manager database.
  
  Then, click OK.
- REST interface:
  - Use the Device List REST Service to locate a device. For example, you can send the following HTTP request:
```
GET https://localhost:port/SKLM/rest/v1/devices?type=3592
Content-Type: application/json
Accept : application/json
Authorization : SKLMAuth userAuthId=37ea1939-1374-4db7-84cd-14e399be2d20
Accept-Language : en
```
  - Use the Device Delete REST Service to delete a device. For example, you can send the following HTTP request:
```
DELETE https://localhost:port/SKLM/rest/v1/devices/DEVICE-74386920-148c-
47b2-a1e2-d19194b315cf
Content-Type: application/json
Authorization: SKLMAuth authId=139aeh34567m
Accept : application/json
```

Support for mTLS-based authentication between EKMF Web and IBM Security Guardium Key Lifecycle Manager

You can now configure Mutual Transport Layer Security (mTLS) authentication between IBM Enterprise Key Management Foundation Web (EKMF Web) and IBM Security Guardium Key Lifecycle Manager. Configuring mTLS authentication allows both parties to authenticate each other by using certificates.

To integrate IBM Security Guardium Key Lifecycle Manager with EKMF Web when you are using mTLS authentication, complete these steps:

(On EKMF Web) Set up a key template.
(On IBM Security Guardium Key Lifecycle Manager server) Configure EKMF Web.

Note: If you are using OIDC as the authentication method, see Configuring IBM Security Guardium Key Lifecycle Manager to use EKMF Web.

Setting up a key template in EKMF Web

Use the graphical user interface or the REST services of EKMF Web to set up a key template. Create a new key template in EKMF Web by specifying the following parameter values.
Note: Ensure that you use the same values for template creation as given in the table.

Table 1. Key template parameter values

Parameter	Value
Template name	GKLMTEMPLATE
Keystore type	Pervasive Encryption
Key Label template	GKLM.MKEY.<ALIAS> Note: Specify this value as is.
Key type	Cipher
Key size	256
Key state	Active
Keystore groups	cserver Note: Specify a value according to your environment.
Advanced properties	`{ "keyWords": [ "ANY-MODE" ] }`

Configuring IBM Security Guardium Key Lifecycle Manager to use EKMF Web

Define the EKMF Web configuration parameters in the IBM Security Guardium Key Lifecycle Manager configuration file to integrate with EKMF Web.

Before you begin

Create a key template in EKMF Web.
Ensure that the EKMF Web server certificate file is in the PKCS #12 format.
You can use the following command or any other utility to create the .p12 file, if you have the certificate file and its corresponding private key file.
```
openssl pkcs12 -export -in <CERT_FILE> -inkey <PRIVATE_KEY_FILE> -out <OUTPUT_FILE> -name <OUTPUT_FILE_ALIAS>
```
Where,
- <CERT_FILE>: Server certificate file of EKMF Web.
- <PRIVATE_KEY_FILE>: Private key for the EKMF Web certificate file.
- <OUTPUT_FILE>: Output certificate file in .p12 format.
- <OUTPUT_FILE_ALIAS>: Alias of the .p12 certificate file.
For example,
```
openssl pkcs12 -export -in rest_cca_client.cer -inkey rest_cca_client.pkcs8 -out test.p12 -name ekmfcert
```
Import EKMF Web server certificate to the IBM Security Guardium Key Lifecycle Manager keystore:
1. Upload the PKCS #12 file to the SKLM_DATA folder by using the Upload File to Server REST Service. For example, you can send the following HTTP request:
```
POST /SKLM/rest/v1/filetransfer/upload/objectfiles
```
2. Import the certificate file you uploaded in Step 1 to the keystore by using the Import EKMF Web Certificate REST service. For example, you can send the following HTTP request:
```
POST /SKLM/rest/v1/ckms/masterKey/EKMFWeb/cert/import
```
Import the EKMF Web certificate to the IBM Security Guardium Key Lifecycle Manager truststore as follows:
1. Download the EKMF Web certificate to the IBM Security Guardium Key Lifecycle Manager server.
2. Log in to the IBM Security Guardium Key Lifecycle Manager graphical user interface.
3. Navigate to Configuration > Truststore, and click Add.
4. Click Upload and upload the EKMF Web certificate to the SKLM_DATA directory.
5. Specify the certificate alias and type of certificate and, click Add to add the certificate in the truststore.

About the task

To integrate with EKMF Web, you must configure the following parameters in the IBM Security Guardium Key Lifecycle Manager configuration file (SKLMConfig.properties):

Table 2: EKMF Web parameters

Parameter	Description	Sample value
ekmfweb.host	Host name or IP address of the EKMF Web server.	`ekmf_server_hostname`
ekmfweb.port	Port number to access the EKMF Web server.	`443`
ekmfweb.templateName	Name of the template that you created on the EKMF Web server.	`TEAMEKMF`
ekmfweb.mtls	Flag to indicate whether to use mTLS authentication.	`true`
useMasterKeyInEKMFWeb	Flag to indicate whether to configure EKMF Web.	`true`

Procedure

When you configure EKMF Web, you might have one of the following installation setups:

A new installation of IBM Security Guardium Key Lifecycle Manager, on which you have not created a server certificate or any data, contains no keystore.
An existing installation of IBM Security Guardium Key Lifecycle Manager, on which you already have some data or a server certificate, the master key resides in a file-based keystore.

Depending on your installation setup, follow the appropriate procedure to integrate with EKMF Web:

Configuring EKMF Web on a newly installed IBM Security Guardium Key Lifecycle Manager

Add the EKMF Web parameters to the IBM Security Guardium Key Lifecycle Manager configuration file by using the Update Config Property REST Service. For example, you can send the following HTTP request:

PUT https://localhost:port/SKLM/rest/v1/configProperties
{
"ekmfweb.host" : "ekmf_server_hostname",
"ekmfweb.port" : "443",
"ekmfweb.templateName" : "TEAMEKMF",
"ekmfweb.mtls" : "true" 
"useMasterKeyInEKMFWeb" : "true"
}

For more information, see Table 2.

Configuring EKMF Web on an existing installation of IBM Security Guardium Key Lifecycle Manager

Add the EKMF Web parameters to the IBM Security Guardium Key Lifecycle Manager configuration file by using the Update Config Property REST Service.
For example:
```
PUT https://localhost:port/SKLM/rest/v1/configProperties
{
"ekmfweb.host" : "ekmf_server_hostname",
"ekmfweb.port" : "443",
"ekmfweb.templateName" : "TEAMEKMF",
"ekmfweb.mtls" : "true" 
}
```
Note: Do not set the useMasterKeyInEKMFWeb parameter.

For more information, see Table 2.

Run the Master Key REST Service to move the master key from the Java keystore to EKMF.

PUT https://localhost:port/SKLM/rest/v1/ckms/masterKey
{
  "source": "Keystore",
  "destination": "EKMF Web"
}

Verify configuration

To verify whether EKMF Web with mTLS authentication is successfully configured, check whether Master key repository status is Connected on the IBM Security Guardium Key Lifecycle Manager Welcome page. If the status is Disconnected, use the Test EKMF Web Connection REST service to diagnose the problem. For example, you can send the following HTTP request.

GET /SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection

Support for changing TLS server certificates for UI access

You can now use a TLS/KMIP server certificate for UI access. To configure a TLS/KMIP server certificate for UI access, you can use the Configuration or Advanced Configuration page. Alternatively, you can use the Add Server Certificate to Liberty Keystore REST service.

Depending on the certificate type, follow the relevant instructions:

Creating a new self-signed certificate and setting it for UI access
Setting an existing certificate for UI access
Setting a third-party certificate for UI access

Creating a new self-signed certificate and setting it for UI access

You can use the Server Configuration Wizard or the Advanced Configuration page to create a new self-signed certificate and set it for UI access. Alternatively, you can use the Add Server Certificate to Liberty Keystore REST Service.

Use any of the following methods:

Using graphical user interface
Using REST interface

Using graphical user interface

You can use the following UI options:

Server Configuration Wizard
Advanced Configuration page

Server Configuration Wizard

Log in to the graphical user interface.
On the Welcome page, click Configuration > TLS/KMIP > Launch Server Configuration Wizard.
To create a self-signed certificate, click Create TLS/KMIP Server Certificate.
On the Add TLS/KMIP Certificate dialog box, select Create self-signed certificate.
Specify values for the parameters according to your requirements.
Select the Use this certificate for UI access checkbox.
Click Create Certificate.
For this change to take effect, restart the server.

Advanced Configuration page

Go to Advanced Configuration > Server Certificates.
Click Add.
On the Add TLS/KMIP Certificate dialog box, select Create self-signed certificate.
Specify values for the parameters according to your requirements.
Select the Use this certificate for UI access checkbox.
Click Create Certificate.
For this change to take effect, restart the server.

Using REST interface

Open a REST client.

Create a self-signed certificate by using the Create Certificate REST Service. For example, you can send the following HTTP request:

POST https://localhost:port/SKLM/rest/v1/certificates
{"type":"selfsigned","alias":"sklmCertificate","cn":"sklm","ou":"sales",
"o":"myCompanyName","usage":"3592","country":"US","validity":"999", " 
algorithm ": " RSA "  }

Set the certificate that you created in Step 2 for UI access by using the Add Server Certificate to Liberty Keystore REST Service. For more information, see the Reference section.

Setting an existing certificate for UI access

You can use the Advanced Configuration page to set an existing certificate for UI access. Alternatively, you can use the Add Server Certificate to Liberty Keystore REST Service.

Use any of the following methods:

Using graphical user interface

Log in to the graphical user interface.
On the Welcome page, go to Advanced Configuration > Server Certificates.
Select the certificate that you want to use for UI access and click Modify. The Modify TLS/KMIP Certificate dialog box opens.
Select the Use this certificate for UI access checkbox and click Modify Certificate.
The TLS/KMIP server certificate is updated. For this change to take effect, restart the server.

Using REST interface

Open a REST client.
Run the Add Server Certificate to Liberty Keystore REST Service. For more information, see the Reference section.

Setting a third-party certificate for UI access

You can use the Advanced Configuration page to set a signed third-party certificate for UI access. Alternatively, you can use the Add Server Certificate to Liberty Keystore REST Service.

Note: You can only use a signed TLS/KMIP certificate (self-signed or third-party) for UI access.

Use one of the following methods:

Using graphical user interface
Using REST interface

Using graphical user interface

Import the CA-signed certificate you received from the third party. See, Importing a certificate.
On the Welcome page, go to Advanced Configuration > Server Certificates.
Select the imported certificate and click Modify. The Modify TLS/KMIP Certificate dialog box opens.
Select the Use this certificate for UI access checkbox and click Modify Certificate.
The TLS/KMIP server certificate is updated. For this change to take effect, restart the server.

Using REST interface

Open a REST client.
Import the CA-signed certificate by using the Certificate Import REST Service.
Run the Add Server Certificate to Liberty Keystore REST Service to set the imported certificate for UI access. For more information, see the Reference section.

Support for presenting the server certificate chain of trust

You can now configure IBM Security Guardium Key Lifecycle Manager to present the entire server certificate chain of trust to the client. A certificate chain of trust includes a leaf certificate, one or more intermediate certificate authority (CA) certificates, and a root CA certificate. To present certificate chain of trust, complete these steps:

Import certificate chain of trust
Set the certificate chain of trust for UI access

Import certificate chain of trust

You can use one of the following methods:

Using graphical user interface
Using REST interface

Using graphical user interface

Create a certificate request and manually send the certificate request to a certificate authority. See Creating a certificate request.
Import the returned leaf certificate. See Importing a certificate.
Import the intermediate and root certificates.
1. Go to Advanced Configuration > Client Device Certificates.
2. On the Client Device Certificates page, click Import.
3. In the Import TLS/KMIP Certificate for Clients dialog box, specify the values:
  1. Enter the name of the certificate to be imported.
  2. Click Browse.
  3. If the certificate doesn't exist in the SKLM_DATA directory, upload the certificate by using the Upload option.
  4. Select the certificate file and click Open.
  5. To allow the server to always trust this client certificate, select the Allow the server to trust this certificate and communicate with the associated client device checkbox. By default, the client certificate is not trusted.

Using REST interface

Create a certificate request by using the Certificate Generate Request REST Service.
Manually send the request to a certificate authority.

Import the returned leaf certificate by using the Certificate Import REST Service. For example, you can send the following HTTP request:

POST https://localhost:port/SKLM/rest/v1/certificates/import
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"fileName":"/mycertfilenam.base64","alias":"newsklmCert","format":"base64",
"usage":"SSLSERVER"}

Import the intermediate and root certificates by using the Certificate Import REST Service. For example, you can send the following HTTP request:

POST https://localhost:port/SKLM/rest/v1/certificates/import
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"fileName":"/mycertfilenam.base64","alias":"newsklmCert","format":"base64",
"usage":"SSLCLIENT"}

Set the certificate chain of trust for UI access

You can use one of the following methods:

Using graphical user interface
Using REST interface

Using graphical user interface

Go to Advanced Configuration > Server Certificates.
Select the leaf certificate you imported previously.
Click Modify.
Select the Use this certificate for UI access checkbox.
Click Modify Certificate.
For this change to take effect, restart the server.

Using REST interface

Open a REST client.
Set the leaf certificate for UI access by using the Add Server Certificate to Liberty Keystore REST Service. For more information, see the Reference section.

You can set the certificate chain of trust for KMIP/IPP key serving. Lastly, you can delete the certificate chain of trust when it is no longer required.

Setting certificate chain of trust for KMIP/IPP key serving
Deleting the certificate chain of trust

Setting certificate chain of trust for KMIP/IPP key serving

Go to Advanced Configuration > Server Certificates.
Select the leaf certificate you imported previously.
Click Modify.
Select the Current Certificate in use checkbox.
Click Modify Certificate.
For this change to take effect, restart the server.

Deleting the certificate chain of trust

You can delete a selected certificate, which can be in any state, such as active or expired. You cannot delete a certificate that is in use.

In a certificate chain of trust, the root or intermediate certificates cannot be deleted until their leaf certificates are deleted. You can use the Delete menu item or the Delete Certificate REST Service to delete a certificate.

Before you begin, review the following considerations:

Back up the keystore with the certificate that you intend to delete. See Configuring backup and restore.
Verify that the certificate is not in use.
Determine the current state of the certificate, and ensure that deleting a certificate in this state conforms with your site policies.

To delete a certificate chain of trust, complete these steps:

Using graphical user interface
Using REST interface

Using graphical user interface

Delete the leaf certificate.
1. Go to Advanced Configuration > Server Certificates.
2. Select the leaf certificate and click Delete.
3. On the confirmation message, click OK.
Delete the intermediate certificates, and then the root certificate.
1. Go to Advanced Configuration > Client Device Certificates.
2. Select the certificate you intend to delete and click Delete.
3. On the confirmation message, click OK.

Using REST interface

Open a REST client.
Run the Delete Certificate REST Service. For more information, see Reference section.

Reference

IBM Security Guardium Key Lifecycle Manager is integrated with Swagger UI, an interface to try out the REST services. For more information, see Using Swagger UI.

REST services for 4.1.1.2 enhancements:

3592 device management

Configuring mTLS-based authentication between EKMF Web and IBM Security Guardium Key Lifecycle Manager

Changing TLS certificate for UI access

Presenting server certificate chain trust

Add Key Default Rollover REST Service

Use the Add Key Default Rollover REST Service to add a default key rollover for a specific date and 3592 device group. The rollover wrapping key takes the place of the previous default key.

Operation

POST

URL

https://host:port/SKLM/rest/v1/rollover/3592

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	application/json
Accept	application/json
Authorization	SKLMAuth userAuthId=<authIdValue>
Accept-Language	Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example, en or de.

Request body

JSON Object with the following specification:

Property name	Description
alias	Required. Specify a name of the existing key. It is not case-sensitive.
keyDefaultType	Required. Specify whether the key is used as the system default or partner key, or both. You can include the following values: 1 Key is the system default. 2 Key is the partner key. 3 Key is used as both the system default and the partner key.
effectiveDate	Required. Specify the date on which the wrapping key is set for default rollover. The value is a current or future date in yyyy-MM-dd format.

Response

Response headers

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON object with the following specification:

JSON property name	Description
code	Returns the code that is specified by the status property.
status	Returns the status to indicate whether the certificate is marked for rollover.

Error response body

JSON object with the following specification.

JSON property name	Description
code	Returns the application error code.
message	Returns a message that describes the error.

Examples

Service request to add a wrapping key for rollover


POST https://localhost:port/SKLM/rest/v1/rollover/3592
Accept: application/json
Accept-Language: en
Authorization: SKLMAuth userAuthId=b27c9eaa-cef7-4a65-87f2-8a964ac5ace2
Content-Type: application/json
{
  "alias": "key2",
  "keyDefaultType": "1",
  "usage": "3592",
  "effectiveDate": "2021-11-05"
}'

Success response

Status Code: 200 OK
{"code": "0","status": "Succeeded"}

Service request to add a wrapping key for rollover with incorrect usage

POST https://9.202.176.124:9443/SKLM/rest/v1/rollover/3592
Accept: application/json
Accept-Language: en
Authorization: SKLMAuth userAuthId=b27c9eaa-cef7-4a65-87f2-8a964ac5ace2
Content-Type: application/json
{
  "alias": "key2",
  "keyDefaultType": "1",
  "usage": "userdevicegroup",
  "effectiveDate": "2021-11-05"
}

Error response

{ "code": "CTGKM0830E", "message": "Device group is not valid: LTO" }
Back to top

List Key Default Rollover REST Service

Use the List Key Default Rollover REST Service to list key rollovers in a rollover list for a specified device group.

Operation

GET

URL: https://host:port/SKLM/rest/v1/certificates/rollover?name=<name value>&usage<usage value>&uuid=<uuid value>
By default, Guardium Key Lifecycle Manager server listens to the secure port 9443 (HTTPS) for communication. During IBM® Security Guardium Key Lifecycle Manager installation, you can modify this default port.

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	`application/json`
Accept	`application/json`
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example, `en` or `de.`

Query parameters

JSON property name	Description
name	Optional. Specify the name of the existing key. It is not case-sensitive.
uuid	Optional. Specify the unique universal identifier of an existing key rollover.

Response

Response headers

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON array that contains JSON objects with the following specification:

JSON property name	Description
Key rollover uuid	Returns the unique universal identifier of the key rollover.
<deviceGroup> system default	Returns the system default key name/alias for the device group. This response is returned if the key is a system default.
<deviceGroup> partner default	Returns the partner default key name/alias for the device group. This response is returned if the key is a partner default.
Effective date	Returns the date on which the key is set for rollover. The value is a current or future date in `yyyy-MM-dd` format.

Error response body

JSON object with the following specification:

JSON property name	Description
code	Returns the application error code.
message	Returns a message that describes the error.

Examples

Service request to list key rollover

GET https://localhost:port/SKLM/rest/v1/rollover/3592?usage=3592 Content-Type: application/json Accept: application/json Authorization: SKLMAuth userAuthId=139aeh34567m

Success response

Status Code: 200 OK
[
  {
    "Certificate rollover uuid": "ROLLOVER-d70d6f8-85ac2101-86e6-449c-b824-0543d9fddf62",
    "3592 system default": "key2",
    "Effective date": "11/5/21 12:00:00 AM PDT"
  }
]

Service request to list key rollover when an incorrect usage is specified

GET https://localhost:port/SKLM/rest/v1/rollover/3592?usage=lto
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m

Error response
{ "code": "CTGKM0830E", "message": "Device group is not valid: lto" }
Back to top

Delete Key Default Rollover REST Service

Use the Delete Key Default Rollover REST Service to remove a key rollover that is specified in a rollover list.

Operation

DELETE

URL

https://host:port/SKLM/rest/v1/rollover/3592/{uuid}

By default, Guardium Key Lifecycle Manager server listens to the secure port 9443 (HTTPS) for communication. During IBM Security Guardium Key Lifecycle Manager installation, you can modify this default port.

Request

Request parameters

Parameter Description

host Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.

port Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name Value

Content-Type application/json

Accept application/json

Authorization SKLMAuth userAuthId=<authIdValue>

Accept-Language Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example, en or de.

Path parameters

JSON property name Description

uuid
Required. Specify the universal unique identifier of an existing key rollover.

To get the rollover uuid, you can use the List Key Default Rollover REST Service.

Response

Response headers

Header name Value and description

Status Code
200 OK

The request was successful. The response body contains the requested representation.

400 Bad Request

The authentication information was not provided in the correct format.

401 Unauthorized

The authentication credentials were missing or incorrect.

404 Not Found Error

The processing of the request fails.

500 Internal Server Error

The processing of the request fails because of an unexpected condition on the server.

Content-Type application/json

Content-Language Locale for the response message.

Success response body

JSON object with the following specification:

JSON property name Description

status Returns the status to indicate the removal of key rollover.

Error response body

JSON object with the following specification:

JSON property name Description

code Returns the application error code.

message Returns a message that describes the error.

Examples

Service request to delete a default key rollover with uuid specified

DELETE https://localhost:port/SKLM/rest/v1/rollover/3592/ROLLOVER-d70d6f8-90409301-ecc7-4e3e-ad25-e687b8f9d5ee Content-Type: application/json Accept: application/json Authorization: SKLMAuth userAuthId=139aeh34567m

Success response

Status Code: 200 OK { "status": "Succeeded" }

Service request to delete a default certificate rollover when an incorrect uuid is specified

DELETE https://localhost:port/SKLM/rest/v1/rollover/3592/KEY-d70d6f8-a6bd4208-5b4a-4907-88c0-bf61fb802de5 Content-Type: application/json Accept : application/json Authorization: SKLMAuth userAuthId=139aeh34567m

Error response

{ "code": "CTGKM3036E", "message": "CTGKM3036E Cannot find the specified rollover task." }: Back to top

Add Server Certificate to Liberty Keystore REST Service

Use the Add Server Certificate to Liberty Keystore REST Service to add a certificate to the Liberty keystore.

Operation

POST

URL

https://host:port/SKLM/rest/v1/certificates/addCertToLibertyKeystore

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	application/json
Accept	application/json
Authorization	SKLMAuth userAuthId=<authIdValue>
Accept-Language	Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example, en or de.

Request body

JSON Object with the following specification:

Property name	Description
alias	Specify the alias of the server certificate that you want to add to the Liberty keystore. If no value is specified, the TLS/KMIP server certificate that is in use for key serving is added to the Liberty keystore.

Response

Response headers

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	application/json
Content-Language	Locale for the response message.

Success response body

JSON object with the following specification:

JSON property name	Description
status	Returns the status to indicate the certificate addition.

Error response body

JSON object with the following specification:

JSON property name	Description
code	Returns the application error code.
message	Returns a message that describes the error.

Examples

Request to add a server certificate file to the Liberty keystore

POST https://host:port/SKLM/rest/v1/certificates/addCertToLibertyKeystore
accept: application/json
Authorization: user
Content-Type: application/json
{
  "alias": "servercert1"
}

Success response

{
  "code": "0",
  "status": "Succeeded",
  "message": "CTGKM6231I Certificate is added to the Liberty keystore. Restart the server for the change to take effect."
}

Invalid request where the certificate is a client certificate

POST https://host:port/SKLM/rest/v1/certificates/addCertToLibertyKeystore
accept: application/json
Authorization: user
Content-Type: application/json
{
  "alias": "client_cert"
}

Error response

{
  "code": "CTGKM6228E",
  "message": "CTGKM6228E Failed to add the certificate because the certificate is not a server certificate. Specify a valid server certificate alias, and retry the operation."
}

Import EKMF Web Certificate REST Service

Use the Import EKMF Certificate REST service to import the EKMF certificate file. The certificate file must be in PKCS #12 format.

Operation: POST
URL: POST/SKLM/rest/v1/ckms/masterKey/EKMFWeb/cert/import

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	`application/json`
Accept	`application/json`
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example: `en` or `de.`

Request body

JSON property name	Description
fileName	Specify the name of the EKMF Web certificate file that you want to upload to the IBM Security Guardium Key Lifecycle Manager Data folder. The certificate file must in the PKCS #12 format.
password	Specify the password for the EKMF certificate file, if exists.
sourceAlias	Specify the alias of the EKMF certificate and key.
destAlias	Specify the alias for the keypair to be stored in IBM Security Guardium Key Lifecycle Manager keystore. The default alias is ekmfweb.

Response

Response headers

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON property name	Description
code	Returns the code that is specified by the status property.
status	Returns the status to indicate whether the certificate file is imported.

Error response body

JSON object with the following specification.

JSON property name	Description
code	Returns the application error code.
message	Returns a message that describes the error.

Examples

Service request to import the EKMF Web certificate file

POST /SKLM/rest/v1/ckms/masterKey/EKMFWeb/cert/import {
  "fileName": "test.p12",
  "password": "test",
  "sourceAlias": "ekmfcert",
  "destAlias": "ekmfweb"
}

Success response

{
  "message": "CTGKM3333I Successfully imported the key with alias : ekmfcert1."
}

Invalid service request (when the filename and path are incorrect)

POST /SKLM/rest/v1/ckms/masterKey/EKMFWeb/cert/import {
  "fileName": "test1.p12",
  "password": "test",
  "sourceAlias": "ekmfcert",
  "destAlias": "ekmfweb"
}

Error response

{
  "code": "CTGKM3506E",
  "message": "CTGKM3506E Cannot import file ${SKLM_DATA}/test1.p12. Ensure that you specify the correct file name and path."
}

Test EKMF Web Connection REST Service

Use the Test EKMF Web Connection REST service to verify that EKMF Web with mTLS authentication is configured.

Operation: POST
URL: GET /SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection

Request

Request parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request headers

Header name	Value
Content-Type	`application/json`
Accept	`application/json`
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example: `en` or `de`

Response

Response headers

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400 Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON property name	Description
message	Returns a success message to indicate that EKMF Web with mTLS is configured.

Error response body

JSON object with the following specification.

JSON property name	Description
code	Returns the application error code.
message	Returns a message that describes the error.

Examples

Service request to verify that EKMF Web with mTLS is configured

GET /SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection

Success response

{
  "message": "Success"
}

CTGKM3333I Successfully imported the key with alias : ${0}."
}

Service request (when EKMF Web is not configured)

GET /SKLM/rest/v1/ckms/masterKey/EKMFWeb/testConnection

Error response

{
  "message": "EKMFWeb connection test failed: CTGKM3581E Configuration missing for :ekmfweb.host, ekmfweb.port."
}

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 1 (4.1.1.1)

Refer to the Readme file for details about the fixed issues, and for instructions to download and apply the fix pack.

The documentation to support the base version of the release is available in the IBM product documentation.

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSTJE47","label":"IBM Security Guardium Key Lifecycle Manager"},"ARM Category":[{"code":"a8m0z000000cvdQAAQ","label":"SKLM-\u003ECONFIGURATION"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1.1"}]

Tips

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Packs

Fix Readme

Abstract

Content

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 7 (4.1.1.9)

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 7 (4.1.1.8)

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 7 (4.1.1.7)

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 6 (4.1.1.6)

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 5 (4.1.1.5)

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 4 (4.1.1.4)

Support for secure connection between GKLM on IBM zCX and Db2 for z/OS

Procedure

EKMF Web enhancements

Overview

What's new

Configuring EKMF Web with GKLM

Configuring a new EKMF Web setup

Procedure for OIDC setup

Step 1: Set up the key template in EKMF Web

Step 2: Define EKMF Web configuration properties in GKLM

Step 3: Import the EKMF Web certificate and OIDC server certificate to the GKLM truststore

Step 4: Test connection

Step 5: Set up master key in EKMF Web

Step 6: Verify configuration of master key in EKMF Web

Procedure on mTLS setup

Step 1: Set up the key template in EKMF Web

Step 2: Define EKMF Web configuration properties in GKLM

Step 3: Import the EKMF Web certificate to the GKLM truststore

Step 4: Set up Mutual Transport Layer Security (mTLS) communication

Using GKLM server certificate

Using a new certificate

Step 5: Use GKLM public certificate and associate it with a user in EKMF Web for mTLS communication

Step 6: Test connection

Step 7: Set up master key

Step 8: Verify configuration

Adding EKMF Web hosts to an existing EKMF Web setup

Configuring EKMF Web in a replication setup

Best practices for configuring EKMF Web

REST documentation

Get EKMF Web Configuration Settings REST service

Request

Update EKMF Web Configuration Settings REST service

Request

Update EKMF Web Host Connection Preference Order REST Service

Request

Use Server Certificate for mTLS Authentication with EKMF Web REST Service

Request

Import EKMF Web Key Pair REST Service

Request

Test or Refresh EKMF Web Connection REST Service

Request

Set Up Master Key REST Service

Request

Updating EKMF certificate

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 3 (4.1.1.3)

IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Pack 2 (4.1.1.2)

Support for symmetric key wrapping for 3592 tape drives

Guided key and device creation

Administering wrapping keys and devices

Guided key and device creation

Creating a wrapping key

Identifying drives

Administering wrapping keys and devices

Adding a wrapping key

Specifying a rollover wrapping key

Modifying a wrapping key

What to do next

Deleting a wrapping key

Adding a drive

Modifying a drive

Deleting a drive

Support for mTLS-based authentication between EKMF Web and IBM Security Guardium Key Lifecycle Manager

Table 1. Key template parameter values

Table 2: EKMF Web parameters

Configuring EKMF Web on a newly installed IBM Security Guardium Key Lifecycle Manager

Configuring EKMF Web on an existing installation of IBM Security Guardium Key Lifecycle Manager

Support for changing TLS server certificates for UI access

Creating a new self-signed certificate and setting it for UI access

Using graphical user interface