Tk10 Admin PDF


  • 7/28/2019 Tk10 Admin PDF

    1/80

    Tivoli Key Lifecycle Manager

    Administering

    Version 1 Release 0.0.3


Note: Before using this information and the product it supports, read the information in "Notices" on page 65.

October 2010

This edition applies to version 1.0.0.3 of Tivoli Key Lifecycle Manager (product number 5724-T60) and to all subsequent releases and modifications.

Copyright International Business Machines Corporation 2008, 2009. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


    Contents

Tables . . . . . v

Administering . . . . . 1
  Specifying the keystore . . . . . 1
  Copying ICSF protected device certificates between z/OS systems using the tklmKeyStoreEntryMetaDataCreate command . . . . . 3
  Configuration settings . . . . . 8
    Specifying levels of audit information . . . . . 9
    Specifying port and timeout settings . . . . . 10
    Specifying certificate settings . . . . . 12
    Specifying SSL certificates for key serving . . . . . 13
  LTO tape drive administration . . . . . 15
    Guided steps to create key groups and drives . . . . . 15
    Administering keys, key groups, and drives . . . . . 18
  3592 tape drive administration . . . . . 29
    Guided steps to create certificates and drives . . . . . 30
    Administering certificates and drives . . . . . 33
  DS8000 storage image administration . . . . . 43
    Guided steps to create storage images and image certificates . . . . . 43
    Administering DS8000 storage images . . . . . 46
  Backup and restore . . . . . 55
    Backup and restore runtime requirements . . . . . 56
    Backing up critical files . . . . . 56
    Restoring a backup file . . . . . 57
    Starting and stopping the Tivoli Key Lifecycle Manager server on distributed systems . . . . . 59
    Starting and stopping the Tivoli Key Lifecycle Manager server on z/OS systems . . . . . 60
    Deleting a backup file . . . . . 62
    Additional backup and restore tasks on the command line interface . . . . . 62

Notices . . . . . 65
  Trademarks . . . . . 66

Index . . . . . 69


Tables

1. Status icons and their meanings . . . . . 19
2. Status icons and their meanings . . . . . 33
3. Status icons and their meanings . . . . . 46


    Administering

Administration is the set of tasks by which you prepare and then monitor the Tivoli Key Lifecycle Manager environment.

Specifying the keystore

Your first task is to use the graphical user interface to specify the keystore that Tivoli Key Lifecycle Manager uses.

About this task

If no keystore exists, use the Keystore page in the graphical user interface to specify the keystore.

Before you begin, determine the type of keystore to use:

• JCEKS (JCE software provider)
  Use this keystore type if you are using only Java software. For all operating systems and a 3592 tape drive, LTO tape drive, or DS8000 Turbo drive. Ensure that the flat file JCEKS keystore resides in a restricted area of the file system on the Tivoli Key Lifecycle Manager system. Use a JCEKS keystore for all operating systems other than z/OS. You might also use this keystore type on a z/OS system if you want to use JCE software and a flat file to store keys.

• JCERACFKS (JCE software provider)
  Use this keystore type to store key material in your RACF keyring when you are not using Integrated Cryptographic Services Facility (ICSF). For a z/OS operating system with a 3592 tape drive or DS8000 Turbo drive.
  If you use a RACF keyring for the master keystore, you may need to give the SSRECFG and the SSRE_USERID started task ID user access to that RACF keyring before you select and configure the RACF keyring using a JCERACFKS or JCECCARACFKS keystore type. A RACF keyring is not used with an LTO tape drive.

• JCECCARACFKS (IBMJCECCA provider)
  The hardware JCE provider must be set in the Java security properties file. Use this keystore type to store key material in your RACF keyring when you are using ICSF. For a z/OS operating system with a 3592 tape drive or DS8000 Turbo drive.
  The note under JCERACFKS about giving the SSRECFG and SSRE_USERID started task ID user access to the RACF keyring before you select and configure it applies here as well. A RACF keyring is not used with an LTO tape drive.

• JCECCAKS (IBMJCECCA provider)
  The hardware JCE provider must be set in the Java security properties file. Use this keystore type when using a file-based keystore that leverages Integrated Cryptographic Services Facility. Ensure that the flat file JCECCAKS keystore resides in a restricted area of the file system on the Tivoli Key Lifecycle Manager system. When Tivoli Key Lifecycle Manager is configured to use hardware protection, key material is stored within the ICSF CKDS and PKDS. When Tivoli Key Lifecycle Manager is configured not to use hardware protection, key material is stored within the flat file-based JCECCAKS keystore. For a z/OS operating system with a 3592 tape drive, LTO tape drive, or DS8000 Turbo drive.

The JCE provider setting is configurable in the Java security properties file, JAVA_HOME/lib/security/java.security. If you use the hardware provider to generate keys, you must use the JCECCAKS or JCECCARACFKS keystore type.

Procedure

1. Navigate to the keystore page.

   If no keystore exists:

   a. Log on to the graphical user interface.
   b. On the Welcome page, select First, you must create the master keystore.

   For a file-based keystore:

   • Graphical user interface:
     Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Keystore.

   • Command line interface:
     In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

     Windows systems:
       wsadmin -username TKLMAdmin -password password -lang jython

     Systems such as AIX or Linux:
       ./wsadmin.sh -username TKLMAdmin -password password -lang jython

     z/OS systems:
       a. Change to the SSRE_APPSERVER_HOME/bin directory.
       b. Type:
          wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

     Passing -password on the command line exposes the password to other users of the system through the process list and the shell history; on a shared system, omit it and supply the password when wsadmin prompts for it.

2. Specify the keystore information:

   • Graphical user interface:
     a. In the Keystore window, select the keystore type, and type the keystore name in the Keystore name field.
     b. Complete the remaining, necessary information, and then click OK.

   • Command line interface:
     To add a file-based keystore, use the tklmKeyStoreAdd command. For example, type:

     print AdminTask.tklmKeyStoreAdd('[-storeName tklmNewKeystore -storeFileName TKLM_HOME/keymanager/test.jceks -storeType jceks -storePassword password]')

3. A success indicator varies, depending on the interface:

   • Graphical user interface:
     On the Success page, under Next Steps, click a related task that you want to perform.

   • Command line interface:
     A completion message indicates success.

4. Back up the new keystore.


    What to do next

You might define an SSL certificate for communication with Tivoli Key Lifecycle Manager on the SSL port and review other configuration data. Alternatively, you might configure the drive types, and keys or certificates that your organization requires, using the new keystore.

Copying ICSF protected device certificates between z/OS systems using the tklmKeyStoreEntryMetaDataCreate command

You might want to replicate ICSF protected device certificates across separate instances of Tivoli Key Lifecycle Manager for z/OS systems that do NOT share any of the following resources: RACF, ICSF and DB2.

The tklmKeyStoreEntryMetaDataCreate command allows you to copy ICSF protected device certificates (that is, with Tivoli Key Lifecycle Manager set up using JCECCARACFKS) to another Tivoli Key Lifecycle Manager system that is not sharing RACF, ICSF and DB2 resources.

To successfully copy ICSF protected device certificates between separate instances of Tivoli Key Lifecycle Manager, complete these tasks in RACF, ICSF, and Tivoli Key Lifecycle Manager:

Confirm ICSF and Tivoli Key Lifecycle Manager settings

Ensure that your Tivoli Key Lifecycle Manager and system setups meet these criteria:

• Both ICSF instances are set up with the exact same set of Master Keys. Otherwise, the private key material is not importable to the secondary instance of Tivoli Key Lifecycle Manager.

• All instances of Tivoli Key Lifecycle Manager have these keystore settings:
  JCECCARACFKS is the keystore type. Keyring and Keyring Owner are defined.
  You selected the setting Enable protection of encryption keys by ICSF if z/OS hardware-assisted cryptography is being used.
  To verify these settings on the graphical user interface, click Tivoli Key Lifecycle Manager > Settings > Keystore.

Create and list the device certificate

Create a new device certificate and list the device certificate.

1. If a device certificate does not already exist, use the Tivoli Key Lifecycle Manager graphical user or command line interface to create a new device certificate on your primary Tivoli Key Lifecycle Manager instance. For this example, the alias/label of the device certificate is ds8k.cert1. This assumes that the Tivoli Key Lifecycle Manager keystore is configured and conforms to the setup requirements that you previously confirmed. In this example, the keystore settings are:

   • Keystore type: JCECCARACFKS
   • Keystore name: Tivoli Key Lifecycle Manager Keystore
   • Keyring: TKLMKeyStore
   • User ID: ssrecfg


   • You selected the checkbox for Enable protection of encryption keys by ICSF if z/OS hardware-assisted cryptography is being used.

2. Open an ISPF command shell and issue the following RACDCERT command to list the certificate details. This example uses SSRECFG in the ID field as the user that owns this RACF keyring. If you configured your keyring to be owned by a different user ID, substitute that user ID in the ID field.

   racdcert list(label('ds8k.cert1')) id(ssrecfg)

   The following display should occur:

   Label: ds8k.cert1
   Certificate ID: 2QfjwdfF0tTihKL4kqmpqaOFoqNA
   Status: TRUST
   Start Date: 2009/09/21 15:37:53
   End Date: 2012/09/20 15:37:53
   Serial Number: 11658BE1D4E5B6F0
   Issuer's Name: CN=ds8k cert.OU=.O=.L=.SP=.C=
   Subject's Name: CN=ds8k cert.OU=.O=.L=.SP=.C=
   Private Key Type: PCICC
   Private Key Size: 2048
   PKDS Label: IBM47582.30097670.51194776.68948079.21097733.43298099.8083
   Ring Associations:
     Ring Owner: SSRECFG
     Ring: TKLMKeyStore

   Note the PKDS Label value: it names the ICSF record that holds the private key, and the same label is used in every KEYXFER and RACDCERT step that follows.

Export the ICSF protected device certificate

All Tivoli Key Lifecycle Manager instances that are configured with a keystore type of JCECCARACFKS produce device certificates which store public information in RACF and private information in ICSF. Complete these steps to export the information from both places:

1. To export the public information for the ds8k.cert1 device certificate to a dataset, issue the RACDCERT EXPORT command from the ISPF command shell. For example:

   RACDCERT ID(SSRECFG) EXPORT(LABEL('ds8k.cert1')) DSN('TKLM.DS8K.CERT1') FORMAT(CERTDER)

   The CERTDER format writes only the certificate; the private key stays in ICSF and is handled separately in step 3.

   Alternatively, you can create a JCL job to export the certificate. The JCL job might be convenient if you have multiple certificates that need to be exported, or if you intend to export certificates in the future. For example:

   //CERTEXPT JOB
   //* CAUTION: This is neither a JCL procedure nor a complete JOB.    *
   //* Before using this JOB step, you will have to make the following *
   //* modifications:                                                   *
   //*                                                                  *
   //* 1) Add the job parameters to meet your system requirements.     *
   //*******************************************************************
   //* Batch job that will export certificate material                 *
   //* for a given userid into a dataset.                              *
   //*******************************************************************
   //*
   //REXX     EXEC PGM=IKJEFT01
   //*
   //SYSTSPRT DD SYSOUT=*
   //*-----------------------------------------------------------------*
   //SYSTSIN  DD DATA
     RACDCERT ID(SSRECFG) +
       EXPORT(LABEL('ds8k.cert1')) +
       DSN('TKLM.DS8K.CERT1') +
       FORMAT(CERTDER)
   /*
   //*


2. Transmit your output dataset from the previous step over to your secondary Tivoli Key Lifecycle Manager system. For example, use XMIT to send the TKLM.DS8K.CERT1 dataset to the secondary Tivoli Key Lifecycle Manager instance.

3. Export the private key material from the primary ICSF PKDS, using the KEYXFER utility that is downloaded from the z/OS UNIX tools website:
   http://www.ibm.com/servers/eserver/zseries/zos/unix/bpxa1ty2.html
   Review the KEYXFER README.TXT document for tool prerequisites and usage. The README.TXT can be downloaded from this website:
   ftp://ftp.software.ibm.com/s390/zos/tools/keyxfer/keyxfer.readme.txt

   Note that the KEYXFER utility needs to be accessible by both your primary and secondary ICSF systems.

   On your primary Tivoli Key Lifecycle Manager system, update the KEYXFER job to perform a WRITE operation with the PKDS Label from the previous RACDCERT LIST command. For example:

   KEYXFER WRITE,-
     IBM47582.30097670.51194776.68948079.21097733.43298099.8083,-
     TKLM.KEYXFER.OUTPUT(PRVKEY)

   Optionally run this as a batch job. For example:

   //KEYXFERW JOB
   //* CAUTION: This is neither a JCL procedure nor a complete JOB.    *
   //* Before using this JOB step, you will have to make the following *
   //* modifications:                                                   *
   //*                                                                  *
   //* 1) Add the job parameters to meet your system requirements.     *
   //*******************************************************************
   //* INVOKES THE ICSF KEYXFER TOOL TO                                 *
   //* COPY THE PRIVATE PORTION OF AN ICSF                              *
   //* KEY TO A DATASET.                                                *
   //* KEYXFER REQUIRES THE OUTPUT                                      *
   //* DATASET TO BE PREALLOCATED.                                      *
   //* ADDITIONALLY, THE //SYSEXEC DD DSN= STATEMENT                    *
   //* NEEDS TO BE MODIFIED TO POINT TO THE DATASET                     *
   //* WHERE THE KEYXFER EXEC WAS PLACED.                               *
   //*******************************************************************
   //*
   //REXX     EXEC PGM=IKJEFT01
   //*
   //SYSEXEC  DD DSN=USERID.REXX,DISP=SHR
   //SYSTSPRT DD SYSOUT=*
   //*-----------------------------------------------------------------*
   //* DUMP THE LABELS/CERTS CREATED                                    *
   //*-----------------------------------------------------------------*
   //SYSTSIN  DD DATA
     KEYXFER WRITE, +
       IBM47582.30097670.51194776.68948079.21097733.43298099.8083, +
       TKLM.KEYXFER.OUTPUT(PRVKEY)
   /*
   //*

4. Transmit the output dataset containing your private key, TKLM.KEYXFER.OUTPUT(PRVKEY), to your secondary Tivoli Key Lifecycle Manager system. The output dataset holds your private key wrapped under the ICSF master key, rather than in the clear. Note that your secondary Tivoli Key Lifecycle Manager system must be set up with the same ICSF master key to enable the KEYXFER utility to import your private key into the secondary ICSF PKDS. Because any system that holds that master key can import the token, treat the dataset as sensitive: restrict it with a RACF dataset profile on both systems, transmit it over a protected channel, and delete both copies once the import is verified.


Import the ICSF protected device certificate

Import the ICSF protected device certificate. In this example, the keystore settings for the secondary Tivoli Key Lifecycle Manager are the same as for the primary Tivoli Key Lifecycle Manager:

• Keystore type: JCECCARACFKS
• Keystore name: Tivoli Key Lifecycle Manager Keystore
• Keyring: TKLMKeyStore
• User ID: ssrecfg
• You selected the checkbox for Enable protection of encryption keys by ICSF if z/OS hardware-assisted cryptography is being used.

Complete these steps:

1. On the secondary Tivoli Key Lifecycle Manager instance, receive both the certificate file TKLM.DS8K.CERT1 and the output private key dataset from KEYXFER, TKLM.KEYXFER.OUTPUT(PRVKEY).

2. Stop all Tivoli Key Lifecycle Manager servers that are running on your secondary system. You can do this by stopping all System Services Runtime Environment instances, which in turn stops all Tivoli Key Lifecycle Manager instances.

3. Import the private key into the PKDS by running the KEYXFER job that is updated to do a READ operation with the same PKDS label that was used in the export. For example:

   KEYXFER READ,-
     IBM47582.30097670.51194776.68948079.21097733.43298099.8083,-
     TKLM.KEYXFER.OUTPUT(PRVKEY),OVERWRITE

   Optionally, you might run a batch REXX job. For example:

   //KEYXFERW JOB
   //* CAUTION: This is neither a JCL procedure nor a complete JOB.    *
   //* Before using this JOB step, you will have to make the following *
   //* modifications:                                                   *
   //*                                                                  *
   //* 1) Add the job parameters to meet your system requirements.     *
   //*******************************************************************
   //* INVOKES THE ICSF KEYXFER TOOL TO                                 *
   //* READ THE INPUT DATASET AND WRITE A                               *
   //* TOKEN TO THE PKDS                                                *
   //*******************************************************************
   //*
   //REXX     EXEC PGM=IKJEFT01
   //*
   //SYSEXEC  DD DSN=USERID.REXX,DISP=SHR
   //*******************************************************************
   //* ADDITIONALLY, THE //SYSEXEC DD DSN= STATEMENT                    *
   //* NEEDS TO BE MODIFIED TO POINT TO THE DATASET                     *
   //* WHERE THE KEYXFER EXEC WAS PLACED.                               *
   //*******************************************************************
   //SYSTSPRT DD SYSOUT=*
   //SYSTSIN  DD DATA
     KEYXFER READ, +
       IBM47582.30097670.51194776.68948079.21097733.43298099.8083, +
       TKLM.KEYXFER.OUTPUT(PRVKEY), OVERWRITE
   /*
   //*

   The OVERWRITE option overwrites an existing PKDS record with this label name. Ensure that you are not using an existing PKDS record with this label name before performing this step; an overwritten record cannot be recovered from ICSF, and any certificate that pointed to it would silently start using the imported key.


4. The private key should now be in the PKDS on your secondary Tivoli Key Lifecycle Manager instance. To verify this, issue REPROOUT.

5. Import the certificate into RACF and associate the certificate with the PKDS label of the private key that you imported on your secondary Tivoli Key Lifecycle Manager instance. Then connect the certificate to the keyring of your secondary Tivoli Key Lifecycle Manager. To do this, issue the following commands:

   RACDCERT ID(SSRECFG) ADD('TKLM.DS8K.CERT1') TRUST WITHLABEL('ds8k.cert1') PCICC(IBM47582.30097670.51194776.68948079.21097733.43298099.8083)
   SETROPTS RACLIST(DIGTCERT) REFRESH
   RACDCERT ID(SSRECFG) CONNECT(LABEL('ds8k.cert1') RING(TKLMKeyStore))

   Optionally, run a JCL job. For example:

   //CERTIMP JOB
   //* CAUTION: This is neither a JCL procedure nor a complete JOB.    *
   //* Before using this JOB step, you will have to make the following *
   //* modifications:                                                   *
   //*                                                                  *
   //* 1) Add the job parameters to meet your system requirements.     *
   //*-----------------------------------------------------------------*
   //* Run this job to import cert entries under                       *
   //* your userid.                                                     *
   //* Note: The PKDS label shown in the PCICC(...)                     *
   //* keyword was obtained from Step 2 on page 4 of                    *
   //* Create and list the device certificate on page 3                 *
   //*-----------------------------------------------------------------*
   //STEP1    EXEC PGM=IKJEFT01,DYNAMNBR=20,REGION=0M
   //SYSTSPRT DD SYSOUT=*
   //SYSTSIN  DD *
     RACDCERT ADD('TKLM.DS8K.CERT1') TRUST +
       WITHLABEL('ds8k.cert1') +
       PCICC(IBM47582.30097670.51194776.68948079.21097733.43298099.8083)
     SETROPTS RACLIST(DIGTCERT) REFRESH
     RACDCERT CONNECT(ID(SSRECFG) +
       LABEL('ds8k.cert1') +
       RING(TKLMKeyStore))
   /*
   //

   The ADD in this job has no ID() operand and the CONNECT names the ring without an outer ID(), so RACF stores the certificate under, and connects it to the ring of, the user ID that submits the job. Submit it as SSRECFG, or add ID(SSRECFG) to both commands as in the interactive form above.

6. A RACF display of the certificate under the SSRECFG ID on your secondary Tivoli Key Lifecycle Manager instance should be similar to this:

   racdcert list(label('ds8k.cert1')) id(ssrecfg)

   Label: ds8k.cert1
   Certificate ID: 2QfjwdfF0tTihKL4kqmpqaOFoqNA
   Status: TRUST
   Start Date: 2009/09/21 15:37:53
   End Date: 2012/09/20 15:37:53
   Serial Number: 11658BE1D4E5B6F0
   Issuer's Name: CN=ds8k cert.OU=.O=.L=.SP=.C=
   Subject's Name: CN=ds8k cert.OU=.O=.L=.SP=.C=
   Private Key Type: PCICC
   Private Key Size: 2048
   PKDS Label: IBM47582.30097670.51194776.68948079.21097733.43298099.8083
   Ring Associations:
     Ring Owner: SSRECFG
     Ring: TKLMKeyStore

7. At this point the device certificate's key material has been added to the secondary ICSF and RACF key repositories. The next steps add the necessary device certificate DB2 metadata to the secondary Tivoli Key Lifecycle Manager instances.


   First you must start the Tivoli Key Lifecycle Manager servers on your secondary Tivoli Key Lifecycle Manager system.

Run the tklmKeyStoreEntryMetaDataCreate command

Run the tklmKeyStoreEntryMetaDataCreate command to create the device certificate Tivoli Key Lifecycle Manager metadata. Complete these steps:

1. On one of the secondary Tivoli Key Lifecycle Manager instances, go to an OMVS shell and switch the user to the SSRE configuration user ID, ssrecfg:

   su ssrecfg

   At the prompt, enter the password of the SSRECFG user ID.

2. Start a wsadmin command prompt in Jython mode by issuing the following command on one line, where SSRE_APPSERVER_HOME is the location of your System Services Runtime Environment instance's AppServer directory. Be sure to specify the password of the SSRECFG user ID.

   SSRE_APPSERVER_HOME/bin/wsadmin.sh -username ssrecfg -password ssrepass -lang jython

3. Enter the tklmKeyStoreEntryMetaDataCreate command on one line, specifying the alias and keystore name and optionally the usage. For example:

   print AdminTask.tklmKeyStoreEntryMetaDataCreate('[-alias ds8k.cert1 -type privatekey -usage ds8k -keyStoreName "Tivoli Key Lifecycle Manager Keystore"]')

   Note: There are various options that you can use with the tklmKeyStoreEntryMetaDataCreate command. For more information, refer to the command reference in the IBM Tivoli Key Lifecycle Manager Information Center.

   Optionally, you might copy the command into a Jython script (tklmKeyStoreEntryMetaDataCreate.jython). Then, invoke the script at wsadmin startup by specifying the -f flag. For example:

   SSRE_APPSERVER_HOME/bin/wsadmin.sh -username ssrecfg -password ssrepass -lang jython -f ./tklmKeyStoreEntryMetaDataCreate.jython

   You might also paste this example into a shell script file (tklmKeyStoreEntryMetaDataCreate.sh) to use at wsadmin startup to invoke the tklmKeyStoreEntryMetaDataCreate command.

4. Verify that the device certificate now appears in the Tivoli Key Lifecycle Manager graphical user interface pages.

5. If more than one Tivoli Key Lifecycle Manager instance shares DB2 on your secondary system, use the backup/restore function that Tivoli Key Lifecycle Manager provides to copy the updated configuration to the other Tivoli Key Lifecycle Manager instances. After the restore on each Tivoli Key Lifecycle Manager, verify that the device certificate appears in the Tivoli Key Lifecycle Manager graphical user interface pages.
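The copy procedure above ends with a manual comparison of two RACDCERT LIST displays (step 2 of "Create and list the device certificate" on the primary, step 6 of the import on the secondary). The following Python script is an added example, not part of the IBM manual or of Tivoli Key Lifecycle Manager: it parses RACDCERT LIST output in the layout shown above and reports any field that differs between the primary and secondary records, or a missing keyring connection, which is the failure you get when RACDCERT ADD ran but the CONNECT step did not. The two sample displays are constructed from the example values in the text; the list of fields compared is this editor's choice, and the script runs off-host on captured output rather than talking to RACF.

```python
"""Compare a device certificate's RACF record on the primary and secondary
systems after the RACDCERT EXPORT / KEYXFER / RACDCERT ADD copy.

Added example (not IBM code). Parses RACDCERT LIST output in the shape shown
in the steps above; the sample displays are constructed from the example
values in the text, and the set of checks is this editor's assumption."""
import re
from dataclasses import dataclass, field

# Fields of a RACDCERT LIST display that the copy procedure must preserve.
_FIELD_RE = re.compile(
    r"^\s*(Label|Status|Serial Number|Private Key Type|Private Key Size|"
    r"PKDS Label|Ring Owner|Ring):\s*(.*?)\s*$"
)


@dataclass
class RacfCert:
    label: str
    status: str
    serial: str
    key_type: str          # PCICC means the private key lives in the ICSF PKDS
    key_size: int
    pkds_label: str
    rings: list = field(default_factory=list)   # (ring owner, ring name) pairs


def parse_racdcert_list(text):
    """Parse one certificate's RACDCERT LIST display into a RacfCert."""
    fields, rings, owner = {}, [], None
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue                      # issuer, subject and dates are not compared
        key, value = m.group(1), m.group(2)
        if key == "Ring Owner":
            owner = value.upper()         # RACF user IDs are case-insensitive
        elif key == "Ring":
            rings.append((owner, value))
        else:
            fields[key] = value
    return RacfCert(
        label=fields["Label"],
        status=fields["Status"],
        serial=fields["Serial Number"].upper(),
        key_type=fields.get("Private Key Type", "NONE"),
        key_size=int(fields.get("Private Key Size", "0")),
        pkds_label=fields.get("PKDS Label", ""),
        rings=rings,
    )


def check_copy(primary, secondary, ring_owner, ring_name):
    """Return the discrepancies between the two records; [] means consistent."""
    problems = []
    if secondary.label != primary.label:
        problems.append(f"label {secondary.label!r} differs from {primary.label!r}")
    if secondary.serial != primary.serial:
        problems.append("serial number differs: this is not the same certificate")
    if secondary.status != "TRUST":
        problems.append(f"status is {secondary.status}, expected TRUST")
    if secondary.key_type != "PCICC":
        problems.append("private key is not ICSF (PCICC) protected on the secondary")
    if secondary.pkds_label != primary.pkds_label:
        problems.append("PKDS label differs from the label used in KEYXFER WRITE/READ")
    if secondary.key_size != primary.key_size:
        problems.append("private key size differs")
    if (ring_owner.upper(), ring_name) not in secondary.rings:
        problems.append(f"certificate is not connected to ring {ring_name} "
                        f"owned by {ring_owner.upper()}")
    return problems


# Constructed sample display in the layout of the RACDCERT LIST output above.
PRIMARY_LIST = """\
Label: ds8k.cert1
Certificate ID: 2QfjwdfF0tTihKL4kqmpqaOFoqNA
Status: TRUST
Start Date: 2009/09/21 15:37:53
End Date: 2012/09/20 15:37:53
Serial Number: 11658BE1D4E5B6F0
Issuer's Name: CN=ds8k cert.OU=.O=.L=.SP=.C=
Subject's Name: CN=ds8k cert.OU=.O=.L=.SP=.C=
Private Key Type: PCICC
Private Key Size: 2048
PKDS Label: IBM47582.30097670.51194776.68948079.21097733.43298099.8083
Ring Associations:
  Ring Owner: SSRECFG
  Ring: TKLMKeyStore
"""
# Constructed: a secondary on which RACDCERT ADD ran but CONNECT was skipped.
SECONDARY_NO_RING = (PRIMARY_LIST.split("Ring Associations:")[0]
                     + "Ring Associations:\n  *** No rings associated ***\n")

if __name__ == "__main__":
    primary = parse_racdcert_list(PRIMARY_LIST)
    for name, text in (("secondary", PRIMARY_LIST),
                       ("secondary without CONNECT", SECONDARY_NO_RING)):
        problems = check_copy(primary, parse_racdcert_list(text), "ssrecfg", "TKLMKeyStore")
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Capture each display with the same racdcert list(label(...)) id(...) command on both systems and feed the two texts to parse_racdcert_list; an empty result from check_copy is the condition under which it is safe to go on to the tklmKeyStoreEntryMetaDataCreate step.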

Configuration settings

Tivoli Key Lifecycle Manager provides a set of operations to change the Tivoli Key Lifecycle Manager configuration.

For example, you might change port or timeout values for TCP and SSL communication, or the Tivoli Key Lifecycle Manager audit level that provides additional log information.


Specifying levels of audit information

You might change the default setting that Tivoli Key Lifecycle Manager uses to collect audit information.

About this task

You can use the Audit page to change information levels written to the audit log, or you can use the tklmConfigGetEntry and tklmConfigUpdateEntry commands to list or change the Audit.event.types property in the TKLMgrConfig.properties file.

Procedure

1. Navigate to the appropriate page or directory:

   • Graphical user interface:
     Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Configuration > Audit.

   • Command line interface:
     In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

     Windows systems:
       wsadmin -username TKLMAdmin -password password -lang jython

     Systems such as AIX or Linux:
       ./wsadmin.sh -username TKLMAdmin -password password -lang jython

     z/OS systems:
       a. Change to the SSRE_APPSERVER_HOME/bin directory.
       b. Type:
          wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Change the value for the audit information level:

   • In the graphical user interface, select a low, medium, or high value for the Audit setting, then click OK.

     Low
       Stores minimal audit records. Selecting low sets the following property values in the TKLMgrConfig.properties file:
         Audit.event.types = runtime, authorization, authorization_terminate, resource_management, key_management
         Audit.event.outcome = failure

     Medium (default)
       Stores an intermediate amount of audit records. Selecting medium sets the following property values in the TKLMgrConfig.properties file:
         Audit.event.types = runtime, authorization, authorization_terminate, resource_management, key_management
         Audit.event.outcome = success,failure

     High
       Stores the maximum amount of audit records. Selecting high sets the following property values in the TKLMgrConfig.properties file:


         Audit.event.types = all
         Audit.event.outcome = success,failure

     Low and medium record the same event types and differ only in the outcome: low writes failures only, so a successful key retrieval or authorization leaves no audit record at that level. Where the audit log is used to reconstruct who obtained which key, keep medium or high.

   • Command line interface:
     a. Type the tklmConfigGetEntry command on one line to get the current value of the target property in the TKLMgrConfig.properties file. For example, to determine which event types are included in the audit log, type on one line:

        wsadmin>print AdminTask.tklmConfigGetEntry('[-name Audit.event.types]')

        An example response might be:

        All

     b. Specify the required change. For example, to limit the selection to two event types to store in the audit log, type on one line:

        print AdminTask.tklmConfigUpdateEntry('[-name Audit.event.types -value runtime,audit_management]')

3. A success indicator varies, depending on the interface:

   • Graphical user interface
     On the Success page, under Next Steps, click a related task that you want to perform.

   • Command line interface
     A completion message indicates success.

What to do next

You might rerun an operation that previously returned an error. Then, examine the audit log for additional information.

Specifying port and timeout settings

You might change the default port and timeout settings that Tivoli Key Lifecycle Manager provides.

About this task

You can use the Key Serving Parameters page to change port and timeout settings, or you can use the tklmConfigGetEntry and tklmConfigUpdateEntry commands to list and change the appropriate properties in the TKLMgrConfig.properties file.

Before you begin, determine whether there are port or timeout conflicts at your site that prevent using the Tivoli Key Lifecycle Manager default values.

Procedure

1. Navigate to the appropriate page or directory:

   • Graphical user interface:
     Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Configuration > Key Serving Parameters.

   • Command line interface:
     In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:


    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Change the value for the port or timeout settings:

    v In the graphical user interface, change one or more of these settings, andthen click OK:

    TCP portTivoli Key Lifecycle Manager uses default port 3801. Values canrange from 1 to 65535. The value you set also changes the value ofthe TransportListener.tcp.port property in theTKLMgrConfig.properties file.

    TCP timeout (in minutes)

    Tivoli Key Lifecycle Manager uses a default timeout value of 10 minutes. Values can range from 0 to 120. A value of 0 (zero) means never timeout. The value that you set also changes the value of the TransportListener.tcp.timeout property in the TKLMgrConfig.properties file.

    SSL port

    Tivoli Key Lifecycle Manager uses default port 441. Values can range from 1 to 65535. The value you set also changes the value of the TransportListener.ssl.port property in the TKLMgrConfig.properties file.

    SSL timeout (in minutes)

    Tivoli Key Lifecycle Manager uses a default timeout value of 10 minutes. Values can range from 0 to 120. A value of 0 (zero) means never timeout. The value that you set also changes the value of the TransportListener.ssl.timeout property in the TKLMgrConfig.properties file.

    v Command line interface:

    a. Type the tklmConfigGetEntry command on one line to get the current value of the target property in the TKLMgrConfig.properties file. For example, type on one line:

    wsadmin>print AdminTask.tklmConfigGetEntry('[-name TransportListener.tcp.port]')

    An example response might be:

    3801

    b. Specify the required change. For example, to specify a different TCP port number, type on one line:

    print AdminTask.tklmConfigUpdateEntry('[-name TransportListener.tcp.port -value 3802]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    A Configuration Update Successful page displays the information that you entered.

    v Command line interface:


    A completion message indicates success.

    What to do next

    To put a change such as a port number into effect, restart the Tivoli Key Lifecycle Manager server.

    Specifying certificate settings

    You might change the default certificate settings that Tivoli Key Lifecycle Manager provides.

    About this task

    Use the Key Serving Parameters page to change certificate settings, or use the tklmConfigGetEntry and tklmConfigUpdateEntry commands to list or change the appropriate properties in the TKLMgrConfig.properties file.

    Before you begin, determine whether:

    v z/OS systems are at or below Integrated Cryptographic Services Facility version 7740, if you plan to exchange tapes between z/OS and non-z/OS systems.

    v To perform certificate date validation before serving a key. Validation confirms that the certificate is valid, and has not expired.

    v To identify certificates by using the subject key identifier that is stored in the certificate.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Configuration > Key Serving Parameters.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Change the value for one or more certificate settings:

    v In the graphical user interface, change one or more of the following settings, and then click OK:

    Enable z/OS key and certificate compatibility.

    Create keys and certificates for use with z/OS systems at or below Integrated Cryptographic Services Facility version 7740. Use this option if you plan to exchange tapes between z/OS running ICSF 7740 or lower. The value you set also changes the value of the zOSCompatibility property in the TKLMgrConfig.properties file.

    Do not use expired certificates for write requests or data writes.

    Before serving a key, validate that the expiration date has not passed for the certificate or certificates that will wrap this key. Expired certificates are used only for read requests. When this is selected, expired certificates are not used for write requests. Selecting this checkbox changes the value of the cert.valiDATE property to true in the TKLMgrConfig.properties file.

    Identify certificates by certificate name.

    Identify certificates using the certificate name stored in the certificate, rather than using a subject key identifier. You specify the certificate name when you create a certificate. This function is used when decrypting data that was written to a device.

    The unchecked state uses the Subject Key Identifier to determine the certificate to be used when reading data on a cartridge or other device. Using the Subject Key Identifier also sets the value of the useSKIDefaultLabels property in the TKLMgrConfig.properties file.

    v Command line interface:

    a. Type the tklmConfigGetEntry command on one line to get the current value of the target property in the TKLMgrConfig.properties file. For example, type:

    wsadmin>print AdminTask.tklmConfigGetEntry('[-name zOSCompatibility]')

    An example response might be:

    False

    b. Specify the required change. For example, to change the value of the zOSCompatibility property to true, type on one line:

    print AdminTask.tklmConfigUpdateEntry('[-name zOSCompatibility -value true]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    On the Success page, under Next Steps, click a related task that you want to perform.

    v Command line interface:

    A completion message indicates success.

    What to do next

    Changes to certificate settings occur dynamically. Next, you might create the necessary certificates and associate them with specific devices.
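    The port, timeout and certificate settings described in the two preceding sections all live in the TKLMgrConfig.properties file. The following Python script is an added example and is not part of Tivoli Key Lifecycle Manager or of this guide: it reads a constructed excerpt of that file, overlays it on the documented defaults (TCP port 3801, SSL port 441, timeouts of 10 minutes), flags any value outside the documented ranges (ports 1 to 65535, timeouts 0 to 120 minutes), reports a timeout of 0 (connections never time out) and a cert.valiDATE setting that still lets expired certificates wrap keys for write requests, and formats the tklmConfigUpdateEntry line you would paste into wsadmin to correct a property. The sample properties text is constructed for this example.

```python
"""Added example, not part of the Tivoli Key Lifecycle Manager product or its
documentation: parse a TKLMgrConfig.properties excerpt and check the port,
timeout and certificate-validation settings against the ranges and defaults
the Administering guide gives for the Key Serving Parameters page.
The properties text below is constructed for this example."""

from typing import Dict, List

# Documented defaults: TCP port 3801, SSL port 441, both timeouts 10 minutes.
DEFAULTS = {
    "TransportListener.tcp.port": "3801",
    "TransportListener.tcp.timeout": "10",
    "TransportListener.ssl.port": "441",
    "TransportListener.ssl.timeout": "10",
}
PORT_RANGE = (1, 65535)
TIMEOUT_RANGE = (0, 120)  # minutes; the guide says 0 means never time out

# Constructed sample file (not a real configuration).
SAMPLE_PROPERTIES = """\
# constructed TKLMgrConfig.properties excerpt
TransportListener.tcp.port=3802
TransportListener.tcp.timeout=0
TransportListener.ssl.port=441
cert.valiDATE=true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#' and '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates the key from the value.
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if cut < 0:
            props[line] = ""
        else:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def _in_range(value: str, low: int, high: int) -> bool:
    return value.isdigit() and low <= int(value) <= high


def check_settings(props: Dict[str, str]) -> List[str]:
    """Return findings for the effective settings (file values over documented defaults).
    An empty list means every checked value is within its documented range."""
    settings = dict(DEFAULTS)
    settings.update(props)
    findings: List[str] = []

    for name in ("TransportListener.tcp.port", "TransportListener.ssl.port"):
        value = settings[name]
        if not _in_range(value, *PORT_RANGE):
            findings.append(f"{name}={value}: outside 1-65535")

    for name in ("TransportListener.tcp.timeout", "TransportListener.ssl.timeout"):
        value = settings[name]
        if not _in_range(value, *TIMEOUT_RANGE):
            findings.append(f"{name}={value}: outside 0-120 minutes")
        elif int(value) == 0:
            findings.append(f"{name}=0: connections never time out")

    # cert.valiDATE=true is what the "Do not use expired certificates for write
    # requests" checkbox sets; anything else lets expired certificates wrap keys on writes.
    if settings.get("cert.valiDATE", "").lower() != "true":
        findings.append("cert.valiDATE is not true: expired certificates can be used for write requests")
    return findings


def update_command(name: str, value: str) -> str:
    """Jython line to paste into wsadmin to change one property, in the guide's form."""
    return f"print AdminTask.tklmConfigUpdateEntry('[-name {name} -value {value}]')"


if __name__ == "__main__":
    for finding in check_settings(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
    print(update_command("TransportListener.tcp.timeout", "10"))
```

    Run it against a copy of your own TKLMgrConfig.properties by passing the file contents to parse_properties; a port change still needs the server restart described above, whereas the certificate settings take effect dynamically.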

    Specifying SSL certificates for key serving

    You might specify that self-signed certificates are used for key serving. Alternatively, you might create requests for certificates that are issued by a Certificate Authority (CA).

    About this task

    You can use the SSL for Key Serving page to specify the type of certificates that Tivoli Key Lifecycle Manager uses, or you can use the tklmCertCreate or the tklmCertGenRequest command.


    Before you begin, determine:

    v Whether your site policies allow using self-signed certificates during a phase in your project such as a test phase.

    v The time interval needed to receive a CA-issued certificate after a request is sent. You must manually send a certificate request to the issuing authority.

    v Whether your site requires partner certificates for use with business partners, vendors, or for disaster recovery purposes.

    v The customary setting in days for a certificate validity interval.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Configuration > SSL for Key Serving.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Create one or more certificates or certificate requests:

    v In the graphical user interface, select whether to generate a self-signed certificate, or request a certificate from a third-party provider. There is also an option for the SSL certificate to use an existing certificate from the keystore. Complete the required and optional fields, and then click OK.

    v Command line interface:

    a. Type the tklmCertCreate command on one line. For example, to create a new self-signed certificate, type:

    print AdminTask.tklmCertCreate('[-type selfsigned -alias tklmSSLCertificate -cn tklmssl -ou accounting -o myCompanyName -country myCountry -keyStoreName TESTKS_001 -usage "SSL server" -validity 999]')

    You might alternatively request a certificate from a Certificate Authority. For example, type on one line:

    print AdminTask.tklmCertGenRequest('[-alias tklmSSLCertificate1 -cn tklm -ou sales -o myCompanyName -locality myLocation -country myCountry -validity 999 -keyStoreName test -fileName mySSLCertRequest1.crt -usage "SSL server"]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    On the Success page, under Next Steps, click a related task that you want to perform.

    v Command line interface:


    A completion message indicates success.

    What to do next

    Go to the Welcome page and configure the drive types, and keys or certificates that your organization requires, using the new keystore.

    LTO tape drive administration

    You can administer keys, key groups, and LTO tape drives using Tivoli Key Lifecycle Manager.

    Guided steps to create key groups and drives

    When you first create key groups and drives, and later when you add additional key groups or drives, Tivoli Key Lifecycle Manager provides a guided set of steps to complete the task.

    Descriptions of some steps might mention command line alternatives to do the same task. In a guided set of tasks, use the graphical user interface to complete the tasks.

    Creating a key group

    As a first activity, you might create keys and key groups for Tivoli Key Lifecycle Manager.

    About this task

    You can use the Create Key Group dialog. Alternatively, you might first use the tklmGroupCreate command to create a group to which you want to add keys, and then use the tklmSecretKeyCreate command to create one or more symmetric keys in the existing group.

    Before you begin, determine the quantity of keys and the purpose of individual key groups that your organization requires.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to: menu, select LTO. Then, click Go. You will be taken to the LTO Drive page which provides a guided set of configuration steps.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:


    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Create a key group:

    v Graphical user interface:

    a. On the Step 1: Create Key Groups page, in the Key Groups table, click Create.

    b. On the Create Key Group dialog, specify values for the required and optional parameters. For example, you might create a key group containing 100 keys. Then, click Create Key Group.

    v Command line interface:

    a. First, create a group to which you might add keys.

    Type tklmGroupCreate to create a group. For example, type:

    print AdminTask.tklmGroupCreate('[-name GROUP-myKeyGroup -type keygroup]')

    b. Next, use the tklmGroupList command to obtain the value of the uuid for the group that you created. For example, type:

    print AdminTask.tklmGroupList('[-name GROUP-myKeyGroup -type keygroup -v y]')

    c. Then, create a group of keys and store them in the group. For example,type:

    print AdminTask.tklmSecretKeyCreate ('[-alias abc -keyStoreName test -numOfKeys 10 -usage LTO -keyGroupUuid GROUP-aadd1dd9-6745-47c1-9ac9-3d7d19d8e331]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    The key group appears as an item in the Key Groups table.

    v Command line interface:

    A completion message indicates success.

    What to do next

    Next, you might go to the next guided step to define specific devices, and associate key groups with the devices. To do this, select Step 2: Identify Drives.

    Identifying drives

    You might identify an LTO tape drive for use with Tivoli Key Lifecycle Manager.

    About this task

    You can use the Add Tape Drives dialog or you can use the tklmDeviceAdd command to add a device.

    Before you begin, create the key groups that you need to associate with tape drives that you identify. Additionally, determine whether you want Tivoli Key Lifecycle Manager to accept requests from all IBM drives. For greater security, after all drives have been discovered, you might turn off this option for a production environment.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:


    Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to: menu, select LTO. Then, click Go. You will be taken to the LTO Drive page which provides a guided set of configuration steps.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Skip the Create Key Groups page. Select Step 2: Identify Drives or click Go to Next Step.

    3. You might specify that Tivoli Key Lifecycle Manager accepts requests from all IBM drives.

    v Graphical user interface:

    Select Accept requests from all IBM drives.

    v Command line interface:

    Use the tklmConfigUpdateEntry command to set the value of the drive.acceptUnknownDrives and symmetricKeySet properties. For example, type:

    print AdminTask.tklmConfigUpdateEntry ('[-name drive.acceptUnknownDrives -value true]')

    print AdminTask.tklmConfigUpdateEntry ('[-name symmetricKeySet -value "{Group-myKeyGroup}"]')

    4. Add a device:

    v Graphical user interface:

    a. On the Step 2: Identify Drives page, in the Tape Drives table, click Add.

    b. On the Add Tape Drive dialog, type the required and optional information. Then, click Add Tape Drive.

    v Command line interface:

    Type tklmDeviceAdd to add a device. You must specify the device type and serial number. For example, type:

    print AdminTask.tklmDeviceAdd ('[-type LTO -serialNumber FAA49403AQJF -attributes "{worldwideName 12345678} {description salesDivisionDrive} {symAlias ltoKeyGroup1}"]')

    5. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    The device is added to the Tape Drives table.

    v Command line interface:

    A completion message indicates success.


    What to do next

    Next, you might use the LTO key administration panel to view all key groups and devices.

    Administering keys, key groups, and drives

    To administer keys, key groups, and devices, you might need to determine the current key serving status of the Tivoli Key Lifecycle Manager server. You might also map key groups to drives by adding, modifying, or deleting specific keys, key groups, or devices.

    About this task

    Use the Key Administration for LTO Tape Drives page to determine the current key serving status of the Tivoli Key Lifecycle Manager server. You might also map key groups to drives by adding, modifying, or deleting specific keys, key groups, or devices.

    To change the view of information on this page, select:

    View Key Groups and Drives

    View the key group names and drive serial numbers. Additionally, this view lists whether a key group serves any IBM drives as a default and lists the key group, key, or system default that a drive uses.

    View Keys, Key Group Membership and Drives

    View the keys and key membership in key groups. Additionally, this view lists drive serial numbers and the key group, key, or system default that a drive uses.

    Before you begin, examine the columns on the Key Administration for LTO Tape Drives page, which provides buttons to add, modify, or delete a table item. To sort information, click a column header. Alternatively, type information about a target in the filter field for keys or key groups or in the filter field for drives. Then, press Enter.

    The table is organized in these areas:

    v In left columns, information about keys or key groups, depending on the view

    Indicates the key or key group. For a key, indicates in which key group the key is a member. For a key group, indicates whether the key group is used as the default, and the number of keys in the group.

    v In right columns, information about drives

    Indicates the drive serial number and the key group or specific key that the drive uses. For example, a drive might use the System Default key group.

    v Additional choices and status indicators, below the table

    Accept requests from all IBM drives.

    Click to allow any drive that contacts Tivoli Key Lifecycle Manager to be served keys from the default key group. You might use this option to populate the list of available drives, and then turn off the option when the drives have been added.

    Key Serving Status:

    If devices and the default set of keys are configured, a green icon and message appears, such as Configured to serve keys to LTO drives.

    v Status icons


    Status icons indicate the current key serving status of the Tivoli Key Lifecycle Manager server.

    Table 1. Status icons and their meanings

    Icon | Description
    (icon not reproduced) | The Tivoli Key Lifecycle Manager server is enabled to serve keys.
    (icon not reproduced) | Defaults for this device type have not been configured.
    (icon not reproduced) | A symmetric key.
    (icon not reproduced) | A set of symmetric keys. A key group is a set of symmetric keys.

    Procedure

    1. Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO.

    Descriptions of some steps describe alternatives in using either the graphical user interface, or the command line interface. For any one work session for tasks that are available on the graphical user interface, do not switch between interfaces during the session.

    Descriptions of some tasks might mention task-related properties in the TKLMgrConfig.properties file. Use the graphical user interface or the command line interface to change these properties.

    2. On the Key Administration for LTO Tape Drives page, you can add, modify, or delete a key, a key group, or drive. Additionally, you can specify whether a key group accepts requests from all IBM drives, and monitor the current key serving status of the Tivoli Key Lifecycle Manager server.

    You might do these administrative tasks:

    v Refresh the list.

    Click the refresh icon to refresh items in the table.

    v Add

    Click Add. Alternatively, you can select a step-by-step process to create key groups and drives.

    Key group

    On the Create Key Group dialog, specify the required information such as the key group name. You might also specify that this group serves keys as the default key group. There can be only one default key group. Then, click Create Key Group.

    Tape drive

    On the Add Tape Drive dialog, type the drive serial number and other information. Then, click Add Tape Drive.

    Use step by step process for key group and drive creation

    On the Step 1: Create Key Groups and Step 2: Identify Drives pages, enter the necessary information and click the appropriate button to complete the task.

    A success indicator will vary, showing a key group or device.

    v Modify


    To change a key group, key, or drive, select a key group, key, or drive, and then click Modify. Alternatively, right-click the selected key group, key, or drive. Then, click Modify.

    Key Group

    Specify changes on the Modify Key Group dialog. Then, click Modify Key Group.

    Key

    Specify changes on the Modify Key Membership dialog. Then, click Modify Key Membership.

    Tape drive

    Specify changes on the Modify Tape Drive dialog. Then, click Modify Tape Drive.

    A success indicator will vary, showing a change in a column for the key group, key, or device. Changes to optional information such as the value of a drive description might not be provided in the table.

    v Delete

    To delete a key group, key, or drive, select a key group or drive, and then click Delete. Alternatively, right-click the selected key group, key, or drive. Then, click Delete.

    Key group

    You cannot delete a key group that is associated with a device, or a key group that is marked as default. Deleting a populated key group also deletes all the keys in the key group.

    To confirm deletion, click OK.

    Key

    Deleting a key removes the key from any key group with which the key is associated. To confirm deletion, click OK.

    Tape drive

    Metadata for the drive that you delete, such as the drive serial number, is removed from the Tivoli Key Lifecycle Manager database. To confirm deletion, click OK.

    A success indicator is the deletion of the key group, key, or device from the administration table.

    Adding a key or key group

    You might add more keys or key groups for use with Tivoli Key Lifecycle Manager.

    About this task

    You can use the Create Key Group dialog. Alternatively, you might first use the tklmGroupCreate command to create a group to which you want to add keys, and then use the tklmSecretKeyCreate command to create one or more symmetric keys in the existing group.

    Before you begin, determine your site policy on the default key groups and naming for key prefixes.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:


    Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, click Add from the menu bar and then select Key Group.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Create a key or key group:

    v Graphical user interface:

    On the Create Key Group dialog, specify values for the required and optional parameters. For example, you might optionally specify whether this is the default key group. Then, click Create Key Group.

    v Command line interface:

    a. First, create a group to which you might add keys.

    Type tklmGroupCreate to create a group that has a type of keygroup. For example, type:

    print AdminTask.tklmGroupCreate('[-name GROUP-myKeyGroup -type keygroup]')

    b. Next, use the tklmGroupList command to obtain the value of the uuid for the group that you created. For example, type:

    print AdminTask.tklmGroupList('[-name GROUP-myKeyGroup -type keygroup -v y]')

    c. Then, create a group of keys and store them in the group. For example,type:

    print AdminTask.tklmSecretKeyCreate ('[-alias abc -keyStoreName test -numOfKeys 10 -usage LTO -keyGroupUuid GROUP-aadd1dd9-6745-47c1-9ac9-3d7d19d8e331]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    The key group appears as an item in the Key Groups listing.

    v Command line interface:

    Completion messages indicate success.

    What to do next

    Next, you might associate key groups with specific devices. Additionally, you might specify whether a key group will accept requests from all IBM drives by identifying it as the default key group.

    Specifying a rollover key group

    You might specify a key group for future use as the system default.


    About this task

    You can use the Manage Key Group Default Rollover - LTO Drives page.

    Procedure

    1. Navigate to the appropriate page or directory:

    Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > Manage Default Rollover > LTO Key Group. Alternatively, start by clicking Tivoli Key Lifecycle Manager > Key Administration > LTO. Then, on the Key Administration for LTO Tape Drives page, click the rollover icon.

    2. Specify an existing key group to be a future system default.

    On the Manage Key Group Default Rollover - LTO Drives page, click Add and specify the required information.

    Note:

    v Do not specify two defaults for the same rollover date.

    v If a key group does not exist at the time of rollover, Tivoli Key Lifecycle Manager continues to use the current default key group.

    v You can add or delete table entries, but cannot modify an entry.

    3. A success indicator is that the key group appears in the table of rollover key groups on the Manage Key Group Default Rollover - LTO Drives page.

    4. To delete a key group from the rollover table, select a key group and click Delete.
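    The rollover rules in the Note above (one default per date, entries can be added or deleted but not modified, and a rollover to a key group that does not exist leaves the current default in force) are small enough to model directly. The Python below is an added example, not product code or a description of the product's implementation; it assumes rollovers are applied in date order and that a due rollover whose group is missing is simply skipped. The group names and dates are constructed.

```python
"""Added example, not part of Tivoli Key Lifecycle Manager: a small model of the
rules the guide gives for the Manage Key Group Default Rollover - LTO Drives
page. Group names and dates below are constructed."""

from datetime import date
from typing import Dict, Iterable


class RolloverSchedule:
    """Table of future system-default key groups keyed by rollover date."""

    def __init__(self, current_default: str) -> None:
        self.current_default = current_default
        self.entries: Dict[date, str] = {}

    def add(self, when: str, group: str) -> bool:
        """Add a rollover entry (date as YYYY-MM-DD). Returns False and adds nothing
        when a default is already scheduled for that date, since the guide says not
        to specify two defaults for the same rollover date."""
        day = date.fromisoformat(when)
        if day in self.entries:
            return False
        self.entries[day] = group
        return True

    def delete(self, when: str) -> None:
        """Entries can be added or deleted but not modified."""
        self.entries.pop(date.fromisoformat(when), None)

    def effective_default(self, today: str, existing_groups: Iterable[str]) -> str:
        """Apply every rollover that has come due, in date order. A rollover whose
        key group does not exist is skipped (modeling assumption), so the default
        in force before it stays in force, as the guide describes."""
        existing = set(existing_groups)
        day = date.fromisoformat(today)
        default = self.current_default
        for when in sorted(self.entries):
            if when > day:
                break
            if self.entries[when] in existing:
                default = self.entries[when]
        return default


def constructed_schedule() -> RolloverSchedule:
    """Constructed sample: quarterly defaults, the third of which is not created yet."""
    schedule = RolloverSchedule("GROUP-2010Q1")
    schedule.add("2010-04-01", "GROUP-2010Q2")
    schedule.add("2010-07-01", "GROUP-2010Q3")
    return schedule


if __name__ == "__main__":
    s = constructed_schedule()
    groups = {"GROUP-2010Q1", "GROUP-2010Q2"}  # GROUP-2010Q3 does not exist yet
    for day in ("2010-03-31", "2010-04-01", "2010-08-01"):
        print(day, s.effective_default(day, groups))
```

    The missing-group case is the one worth checking in your own schedule: a rollover entry for a group that is never created silently leaves the older default serving keys.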

    Specifying that keys are used only once

    You might specify that keys in a key group are used only once. For security reasons, for example, you might prevent additional use of previously-used keys defined for a key group.

    About this task

    You can use the command line interface and the stopRoundRobinKeyGrps property in the TKLMgrConfig.properties file. This property is not initially present in the property file unless you set its value to true. This property can only be set using the command line interface.

    Important:

    v Turning on this flag can cause key serving to stop if a key group is in use and the last key from the key group is served. Additional requests for a key from this group on a key serving write request will cause an error and send an error code of 0xEE34 (NO_KEY_TO_SERVE) to the device. To enable successful processing of new key serving write requests, add new keys to the key group. Alternatively, you might specify use of a different key group that has available keys. Key serving read requests will always succeed as long as the requested key exists.

    v This property should be used in an environment of strict government compliance and in conjunction with FIPS 140. With the property on, you must actively monitor your key groups to ensure that a group does not run out of keys, which would cause the server to stop serving keys and the tape write request to fail.


    v If you turn this flag on, do not turn the flag off. For example, if you turn on the flag, a key group will not serve previously used keys. If you then turn off the flag, the next key in the group is served. After the last key in the group is served, the next key to be served is the first key in the group.

    v When this option is set, do not separately assign individual key aliases that belong to a key group to devices.

    Procedure

    1. Navigate to the appropriate directory:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    v Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    v Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    v z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. First, determine the current state of the property in the TKLMgrConfig.properties file. This property is not initially present in the property file unless you set its value to true. At a wsadmin prompt, type this Jython-formatted command:

    print AdminTask.tklmConfigGetEntry('[-name stopRoundRobinKeyGrps]')

    3. Change the state of the stopRoundRobinKeyGrps property to a value of true in the TKLMgrConfig.properties file. Type this Jython-formatted command:

    print AdminTask.tklmConfigUpdateEntry ('[-name stopRoundRobinKeyGrps -value true]')

    4. To determine success, retype the tklmConfigGetEntry command.

    Additionally, on the Welcome page in the graphical user interface, you might observe a Low Key Count Warning table in the Action Items section that lists key groups with 10 percent or fewer available keys. Double click an entry in this table to access the Modify Key Groups dialog, where you can add additional keys for use by the group.

    There is no other warning. The low key count warning applies to all key groups, including the key group specified as the default.
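    To make the two serving modes this section contrasts concrete, the following Python is an added example and not product code or the server's implementation: it models a key group with stopRoundRobinKeyGrps off (after the last key, the next write is wrapped with the first key again) and on (each key wraps writes only once, then the group is exhausted and a write request gets error code 0xEE34, NO_KEY_TO_SERVE, until keys are added), together with the 10 percent low key count threshold. It assumes keys are walked in the order they were added and that the low key count warning counts keys not yet served; both are modeling assumptions. Key aliases and group names are constructed.

```python
"""Added example, not part of Tivoli Key Lifecycle Manager: a model of LTO key
group serving as the guide describes it, with stopRoundRobinKeyGrps off (keys
are reused round robin) and on (each key is served for a write only once).
Key aliases and group names are constructed."""

from typing import Iterable, List, Set, Tuple

NO_KEY_TO_SERVE = 0xEE34  # error code the guide says the device receives


class KeyGroup:
    def __init__(self, name: str, aliases: Iterable[str], stop_round_robin: bool = False) -> None:
        self.name = name
        self.keys: List[str] = list(aliases)   # keys in the order the model walks them (assumption)
        self.stop_round_robin = stop_round_robin
        self.next_index = 0                    # round-robin position
        self.served: Set[str] = set()          # aliases already used to wrap a write

    def add_keys(self, aliases: Iterable[str]) -> None:
        """Adding keys is the documented way to recover an exhausted group."""
        self.keys.extend(aliases)

    def available(self) -> int:
        """Keys still usable for a write; under round robin every key stays usable."""
        if self.stop_round_robin:
            return len(self.keys) - len(self.served)
        return len(self.keys)

    def low_key_count(self) -> bool:
        """Welcome page warning: 10 percent or fewer of the group's keys available."""
        return self.available() * 10 <= len(self.keys)

    def serve_write(self) -> str:
        """Return the alias that wraps the next write, or raise LookupError when exhausted."""
        if self.stop_round_robin:
            for alias in self.keys:
                if alias not in self.served:
                    self.served.add(alias)
                    return alias
            raise LookupError(self.name)
        if not self.keys:
            raise LookupError(self.name)
        alias = self.keys[self.next_index]
        self.next_index = (self.next_index + 1) % len(self.keys)  # wrap after the last key
        return alias

    def serve_read(self, alias: str) -> bool:
        """Reads succeed in either mode as long as the requested key exists."""
        return alias in self.keys


def write_request(group: KeyGroup) -> Tuple[str, object]:
    """Outcome of one write request: ("ok", alias) or ("error", 0xEE34)."""
    try:
        return ("ok", group.serve_write())
    except LookupError:
        return ("error", NO_KEY_TO_SERVE)


if __name__ == "__main__":
    once = KeyGroup("GROUP-once", ["aaa000", "aaa001"], stop_round_robin=True)
    for _ in range(3):
        print(write_request(once))          # third request reports the error code
    print("low key count:", once.low_key_count())
```

    The model shows why the guide insists on monitoring: under round robin a group never empties, while with the flag on the only way out of an exhausted group is adding keys or pointing drives at another group.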

    Modifying a key group

    You might modify information about objects in a key group in the Tivoli Key Lifecycle Manager database.

    About this task

    You can use the Modify Key Group dialog or you can use either or both of the tklmGroupEntryDelete and tklmGroupEntryAdd commands to modify objects in a key group in the Tivoli Key Lifecycle Manager database.

    Before you begin, determine the changed information for the group, such as the number of additional keys that you want to add to the group.


    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, select the key group in the Key Groups column. Then, click Modify. Alternatively, right-click a key group and then select Modify, or double click the key group entry.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Modify the key group information:

    v Graphical user interface:

    On the Modify Key Group dialog, change the appropriate fields. Then, click Modify Key Group.

    v Command line interface:

    You might delete an object in a group, or add an object to a group.

    Delete a key from the group. For example, type:

    print AdminTask.tklmGroupEntryDelete ('[-entry "{type key}{uuid KEY-a3ce9230-bef9-42bd-86b7-6d208ec119cf}"
    -name GROUP-myKeyGroup -type keygroup]')

    Add the same key back into the group again. For example, type:

    print AdminTask.tklmGroupEntryAdd('[-name GROUP-myKeyGroup -type keygroup -entry "{type key}
    {alias aaa000000000000000000}{keyStoreName tklmKeyStore}"]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    For required fields, a column displays changed data. For optional fields, you might need to reopen the Modify Key Group dialog to see the changed values, and then click Cancel.

    v Command line interface:

    A completion message indicates success.

    What to do next

    Next, you might use the Key Administration for LTO Tape Drives page to associate the key group with specific devices.


    Deleting a key or key group

    You might delete a selected key or key group. You cannot delete a key or a key group that is associated with a device, or a key group that is marked as the default key group.

    About this task

    You can use the Delete menu item, or you can use the tklmKeyDelete command to delete a key, or the tklmGroupDelete command to delete the key group.

    Before you begin:

    v Key

    Ensure that a backup exists of the keystore containing the key that you intend to delete.

    v Key group

    If you use the command line interface, obtain the uuid of the key group that you intend to delete. Verify that the key group is not currently associated with a device, and is not marked as a default key group.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, select either the key or the key group. Then, click Delete from the menu bar.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Delete the key or key group:

    v Graphical user interface:

    On the Confirm dialog, read the confirmation message before you delete the key or key group to verify that the correct key or key group was selected. For example, you might delete an empty key group. Deleting a populated key group also deletes all the keys in the key group. Deleting a key that belongs to a key group also removes the key from the group. Then, click OK.

    v Command line interface:

    Key


    Type tklmKeyDelete to delete a key. For example, to delete a key that is not currently associated with a device, first locate the key. You might use the tklmKeyList command to find the key that you want to delete. For example, type:

    print AdminTask.tklmKeyList ('[-attributes "{state active}" -v y]')

    Then, delete the key. For example, type:

    print AdminTask.tklmKeyDelete ('[-alias aaa000000000000000000 -keyStoreName test]')

    The key is marked as destroyed in the database, and the key material is deleted from the keystore.

    Key group

    Type tklmGroupDelete to delete a key group. For example, you might delete an empty key group. Deleting a populated key group also deletes all the keys in the key group. For example, to delete a key group that is not currently associated with a device, type:

    print AdminTask.tklmGroupDelete('[-uuid GROUP-7d588437-e725-48bf-a836-00a47df64e78]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    The key or key group is removed from the table. The key material is deleted from the keystore.

    v Command line interface:

    A completion message indicates success.

    What to do next

    Refresh the table to ensure that the key or key group is deleted. Back up the keystore to accurately reflect the change in keys. Back up the database to reflect the change in key groups.
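The deletion preconditions and cascade effects described in this section, together with the low key count warning from the key group section above, modelled as a pre-flight check an operator can run over an exported inventory before issuing tklmKeyDelete or tklmGroupDelete. This is an added example with constructed inventory data, not Tivoli Key Lifecycle Manager code; the Inventory class, its field names and its key states are assumptions of the example.

```python
"""Added example, not TKLM product or documentation code.

Pre-flight model of the deletion rules stated on the page, plus the low key
count warning, for checking an exported inventory before tklmKeyDelete or
tklmGroupDelete:
  - a key or key group associated with a device cannot be deleted;
  - the key group marked as the default cannot be deleted;
  - deleting a populated key group deletes all keys in it;
  - deleting a key that belongs to a group also removes it from the group;
  - 10 percent or fewer available keys in a group raises the low key count warning.
Inventory data is constructed; class, field and state names are this example's
own (a key counts as "available" here until it has been served to a drive).
"""


class Inventory(object):
    def __init__(self, keys, groups, devices, default_group):
        self.keys = dict(keys)                                 # key alias -> state
        self.groups = {g: set(a) for g, a in groups.items()}   # group -> member aliases
        self.devices = dict(devices)                           # device uuid -> symAlias
        self.default_group = default_group

    def devices_using(self, alias):
        # devices whose symAlias names this key or key group
        return sorted(u for u, a in self.devices.items() if a == alias)

    def can_delete_group(self, group):
        if group not in self.groups:
            return False, "no such key group"
        if group == self.default_group:
            return False, "group is the default key group"
        using = self.devices_using(group)
        if using:
            return False, "group is associated with device(s): " + ", ".join(using)
        return True, "ok"

    def can_delete_key(self, alias):
        if self.keys.get(alias) in (None, "destroyed"):
            return False, "no such key, or key already destroyed"
        using = self.devices_using(alias)
        if using:
            return False, "key is associated with device(s): " + ", ".join(using)
        return True, "ok"

    def delete_key(self, alias):
        ok, reason = self.can_delete_key(alias)
        if not ok:
            raise ValueError(reason)
        self.keys[alias] = "destroyed"      # key material leaves the keystore
        for members in self.groups.values():
            members.discard(alias)          # and the group no longer lists it
        return alias

    def delete_group(self, group):
        ok, reason = self.can_delete_group(group)
        if not ok:
            raise ValueError(reason)
        members = sorted(self.groups.pop(group))
        for alias in members:               # cascade: every key in the group is destroyed
            self.keys[alias] = "destroyed"
        return members

    def low_key_count_groups(self, percent=10):
        # groups whose available keys are at or below the percentage (an empty group counts)
        low = []
        for group, members in sorted(self.groups.items()):
            available = sum(1 for a in members if self.keys.get(a) == "available")
            if 100 * available <= percent * len(members):
                low.append(group)
        return low


def sample_inventory():
    # constructed data: a 20-key group with only 2 unused keys, a default group, a spare group
    keys = dict(("lto%02d" % i, "available" if i < 2 else "active") for i in range(20))
    keys.update(("dflt%02d" % i, "available" if i < 5 else "active") for i in range(10))
    keys.update(("spare%d" % i, "available") for i in range(3))
    groups = {"ltoKeyGroup1": ["lto%02d" % i for i in range(20)],
              "GROUP-myKeyGroup": ["dflt%02d" % i for i in range(10)],
              "GROUP-spare": ["spare%d" % i for i in range(3)]}
    devices = {"DEVICE-0001": "ltoKeyGroup1", "DEVICE-0002": "dflt00"}
    return Inventory(keys, groups, devices, default_group="GROUP-myKeyGroup")
```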

    Adding a drive

    You might add a device such as a tape drive to the Tivoli Key Lifecycle Manager database.

    About this task

    You can use the Add Drives dialog or you can use the tklmDeviceAdd command to add a device.

    Before you begin, create the keys and key groups that you need to associate with the devices that you are about to identify. Additionally, obtain the tape drive serial number, and other description information. Determine whether the drive will use a specific key group, or a system default key group.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, on the menu bar, click Add and then select Tape Drive.

    v Command line interface:


    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Add a device:

    v Graphical user interface:

    On the Add Tape Drive dialog, type the required and optional information. Then, click Add Tape Drive.

    v Command line interface:

    Type tklmDeviceAdd to add a device. You must specify the device type and serial number. For example, type:

    print AdminTask.tklmDeviceAdd ('[-type LTO -serialNumber FAA49403AQJF -attributes "{worldwideName 12345678}{description salesDivisionDrive} {symAlias ltoKeyGroup1}"]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    The device is added to the Tape Drives table.

    v Command line interface:

    A completion message indicates success.

    What to do next

    Next, you might determine the current status of the drive that you added.
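Every AdminTask.tklm* command on this page, from tklmGroupEntryAdd to tklmDeviceAdd, takes a single Jython string in the form '[-name value -attributes "{key value}{key value}"]', and a mismatched brace or missing quote in that string is the usual cause of a failed command. The helper below, an added example that is not part of the product or its documentation, assembles that string from ordinary Python values; the function names and the set of rejected characters are assumptions of the example, not a documented TKLM rule.

```python
"""Added example, not TKLM product or documentation code.

Builds the bracketed argument string that AdminTask.tklm* commands expect,
so option names, attribute blocks and quoting are assembled consistently
instead of being typed by hand at the wsadmin prompt.
"""

# Characters that delimit the wsadmin argument syntax itself. Rejecting them
# inside values is a conservative choice of this example, not a TKLM rule.
_RESERVED = set('[]{}"')


def _check(value):
    """Return value as text, refusing anything that could break the parser."""
    text = str(value)
    if _RESERVED & set(text):
        raise ValueError("value contains a reserved character: %r" % text)
    return text


def build_args(options, attributes=None, attr_option="-attributes"):
    """Return the argument string for an AdminTask.tklm* call.

    options     : list of (name, value) pairs emitted in order as -name value;
                  a value containing a space is double-quoted, as the page
                  does for -usage "SSL server"
    attributes  : optional list of (key, value) pairs rendered as the
                  "{key value}{key value}" block used by -attributes and -entry
    attr_option : the option that carries that block
    """
    parts = []
    for name, value in options:
        text = _check(value)
        if " " in text:
            text = '"%s"' % text
        parts.append("-%s %s" % (name, text))
    if attributes:
        block = "".join("{%s %s}" % (_check(k), _check(v)) for k, v in attributes)
        parts.append('%s "%s"' % (attr_option, block))
    return "[%s]" % " ".join(parts)


def group_entry_args(group_name, key_alias, keystore):
    """Arguments for tklmGroupEntryAdd in the -entry form shown on the page."""
    return build_args([("name", group_name), ("type", "keygroup")],
                      [("type", "key"), ("alias", key_alias), ("keyStoreName", keystore)],
                      attr_option="-entry")


def run(admin_task, command, options, attributes=None, attr_option="-attributes"):
    """Invoke admin_task.<command>; inside wsadmin, pass the AdminTask object."""
    args = build_args(options, attributes, attr_option)
    return getattr(admin_task, command)(args)
```

Inside a wsadmin session the call is `run(AdminTask, "tklmDeviceAdd", [("type", "LTO"), ("serialNumber", "FAA49403AQJF")], [("symAlias", "ltoKeyGroup1")])`; outside wsadmin, `build_args` alone produces the string to paste.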

    Modifying a drive

    You might modify information about a device such as a tape drive in the Tivoli Key Lifecycle Manager database. For example, you might update the description of the drive.

    About this task

    You can use the Modify Tape Drive dialog or you can use the tklmDeviceUpdate command to update a device.

    Before you begin, create the keys and key groups that you need to associate with the devices that you are about to modify. If you use the command line interface, obtain the value of the uuid for the device that you intend to update.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, select a device. Then, click Modify. Alternatively, you can right-click a device and then select Modify, or you can double-click the device entry.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Modify a device:

    v Graphical user interface:

    On the Modify Tape Drive dialog, type the required and optional information. Then, click Modify Tape Drive.

    v Command line interface:

    Type tklmDeviceUpdate to update a device. You must specify the device uuid and the attributes that change. For example, type:

    print AdminTask.tklmDeviceUpdate('[-uuid DEVICE-44b123ad-5ed8-4934-8c84-64cb9e11d990
    -attributes "{symAlias ltoExistingKey} {description myLTOdrive}"]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    The device information is changed in the Tape Drives table.

    v Command line interface:

    A completion message indicates success.

    What to do next

    Next, you might verify that the changes are made. For optional fields, such as the description, you might need to run the tklmDeviceList command to determine whether the value has changed, or reopen the Modify Tape Drive dialog.

    Deleting a drive

    You might delete a device such as a tape drive. Metadata for the drive that you delete, such as the drive serial number, is removed from the Tivoli Key Lifecycle Manager database.

    About this task

    You can use the Delete menu item or you can use the tklmDeviceDelete command to delete a device.

    Before you begin, ensure that a current backup exists for the Tivoli Key Lifecycle Manager database. If you use the command line interface, obtain the uuid of the device that you intend to delete.


    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, select a device. Then, click Delete. Alternatively, you can right-click a device and then select Delete.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Delete the device:

    v Graphical user interface:

    On the Confirm dialog, read the confirmation message before you delete the device. Metadata for the drive that you delete, such as the drive serial number, is removed from the Tivoli Key Lifecycle Manager database.

    Then, click OK.

    v Command line interface:

    Type tklmDeviceDelete to delete a device. You must specify the uuid. For example, type:

    print AdminTask.tklmDeviceDelete ('[-uuid DEVICE-74386920-148c-47b2-a1e2-d19194b315cf]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    The device is removed from the table.

    v Command line interface:

    A completion message indicates success.

    3592 tape drive administration

    You can administer certificates and 3592 tape drives using Tivoli Key Lifecycle Manager.

    Descriptions of some steps describe alternatives in using either the graphical user interface, or the command line interface. For any one work session for tasks that are available on the graphical user interface, do not switch between interfaces during the session.

    Descriptions of some tasks might mention task-related properties in the TKLMgrConfig.properties file. Use the graphical user interface or the command line interface to change these properties.


    Guided steps to create certificates and drives

    When you first create certificates and drives, and later when you add additional certificates or drives, Tivoli Key Lifecycle Manager provides a guided set of steps to complete the task.

    Descriptions of some steps might mention command line alternatives to do the same task. In a guided set of tasks, use the graphical user interface to complete the tasks.

    Creating a certificate or certificate request

    As a first activity, you might create certificates or certificate requests for Tivoli Key Lifecycle Manager.

    About this task

    You can use the Create Certificate dialog or you can use the tklmCertCreate or the tklmCertGenRequest commands to create certificates or certificate requests.

    Note: If you additionally want to specify that a newly-created certificate is used as the system default or partner certificate, you must subsequently run the tklmConfigUpdateEntry command to set the values for the drive.default.alias1 (for system default) or drive.default.alias2 (for system partner) properties.

    Before you begin, determine your organization's policy on the use of self-signed certificates and certificates issued by a Certificate Authority (CA). You might need to create self-signed certificates for the test phase of your project. In advance, you might also request certificates from a Certificate Authority for the production phase.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to menu, select 3592. Then, click Go. You will be taken to the 3592 Drive page, which provides a guided set of configuration steps.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Create a certificate or request a certificate:

    v Graphical user interface:


    a. On the Step 1: Create Certificates page there is a Certificates table. On the Certificates table, click Create.

    b. On the Create Certificate dialog, select either a self-signed certificate, or a certificate request for a third-party provider.

    c. Specify values for the required and optional parameters. For example, you might optionally specify whether this is the default or the partner certificate. Then, click Create Certificate.

    v Command line interface:

    Certificate

    Type tklmCertCreate to create a certificate and a public and private key pair, and store the certificate in an existing keystore. For example, type:

    print AdminTask.tklmCertCreate ('[-type selfsigned -alias tklmCertificate -cn tklm -ou sales -o myCompanyName
    -country myCountry -keyStoreName TESTKS_001 -usage 3592 -validity 999]')

    Certificate request

    Type tklmCertGenRequest to create a PKCS #10 certificate request file. For example, type:

    AdminTask.tklmCertGenRequest('[-alias tklmSSLCertificate1 -cn tklm -ou sales -o myCompanyName -locality myLocation
    -country myCountry -validity 999 -keyStoreName test -fileName mySSLCertRequest1.crt -usage "SSL server"]')

    3. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    The certificate or certificate request appears as an item in the Certificates table.

    v Command line interface:

    A completion message indicates success.

    What to do next

    Next, you might go to the next step to define specific devices, and associate certificates with the devices. To do this, select Step 2: Identify Drives. Additionally, you might specify to accept requests from all IBM drives.

    Identifying drives

    You might identify a 3592 tape drive for use with Tivoli Key Lifecycle Manager.

    About this task

    You can use the Add Tape Drives dialog or you can use the tklmDeviceAdd command to add a device.

    Before you begin, create the certificates that you need to associate with the devices that you are about to identify.

    Procedure

    1. Navigate to the appropriate page or directory:

    v Graphical user interface:

    Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to menu, select 3592 Tape Drive. Then, click Go. You will be taken to the 3592 Drive page, which provides a guided set of configuration steps.

    v Command line interface:

    In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

    Windows systems:

    wsadmin -username TKLMAdmin -password password -lang jython

    Systems such as AIX or Linux:

    ./wsadmin.sh -username TKLMAdmin -password password -lang jython

    z/OS systems:

    a. Change to the SSRE_APPSERVER_HOME/bin directory.

    b. Type:

    wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

    2. Skip Step 1: Create Certificates. Click Go to Next Step or Step 2: Identify Drives.

    3. You might specify that Tivoli Key Lifecycle Manager accepts requests from all IBM drives.

    v Graphical user interface:

    Select Accept requests from all IBM drives.

    v Command line interface:

    Use the tklmConfigUpdateEntry command to set the value of the drive.acceptUnknownDrives property. For example, type:

    print AdminTask.tklmConfigUpdateEntry ('[-name drive.acceptUnknownDrives -value true]')

    4. Add a device:

    v Graphical user interface:

    a. On the Step 2: Identify Drives page, in the Tape Drives table, click Add.

    b. On the Add Tape Drive dialog, type the required and optional information. Then, click Add Tape Drive.

    v Command line interface:

    Type tklmDeviceAdd to add a device. You must specify the device type and serial number. For example, type:

    print AdminTask.tklmDeviceAdd ('[-type 3592 -serialNumber CDA39403AQJF -attributes "{worldwideName 50050}{description marketingDivisionDrive}
    {aliasOne encryption_cert}"]')

    5. A success indicator will vary, depending on the interface:

    v Graphical user interface:

    The device is added to the Tape Drives table.

    v Command line interface:

    A completion message indicates success.

    What to do next

    Next, you might use the 3592 key administration panel to view all certificates and devices.


    Administering certificates and drives

    To administer certificates and devices, you might need to determine their current status, or map their association, or add, modify, or delete specific certificates or devices.

    About this task

    Use the Key Administration for 3592 Tape Drives page to map certificates to devices, to determine the current status of items in the table, and to add, modify, or delete certificates or devices.

    Before you begin, examine the columns on the Key Administration for 3592 Tape Drives page, which provides buttons to add, modify, or delete a table item. To sort information, click a column header. Alternatively, type information about a target in the Filter field for certificates or in the Filter field for drives. Then, press Enter.

    The table is organized in these areas:

    v In left columns, information about certificates

    Indicates the certificate name, whether the certificate is used as a system default or system partner. Also indicates the expiration date and current status of the certificate.

    v In right columns, information about drives

    Indicates the drive name and whether the drive uses a system default as its default or partner certificate.

    v Additional choices and status indicators, below the table

    Accept requests from all IBM drives.

    Click to allow any drive that contacts Tivoli Key Lifecycle Manager to use the system default and partner certificates. You might use this option to populate the list of available drives, and then turn off the option when the drives have been added.

    Key Serving Status:

    If a system default certificate, system partner certificate, and devices are configured, a green icon and message appears, such as Configured to serve keys to 3592 drives.

    v Status icons

    Status icons indicate either the current status of a certificate, or the key serving status of the Tivoli Key Lifecycle Manager server.

    Table 2. Status icons and their meanings

    Icon Description

    Certificate is in an active state.

    v Certificate will expire soon.

    v Defaults for this device type have not been configured. The status remains yellow until a system default certificate and system partner certificate have been identified.

    Certificate is in an expired state.

    Certificate is in an inactive state.

    A