Scribd
Upload
118 views

Tk10 Admin PDF

Uploaded by

neochiu
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
118 views

Tk10 Admin PDF

Uploaded by

neochiu
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 80

Tivoli Key Lifecycle Manager

Version 1 Release 0.0.3

Administering

Tivoli Key Lifecycle Manager

Version 1 Release 0.0.3

Administering

Note Before using this information and the product it supports, read the information in Notices on page 65.

October 2010 This edition applies to version 1.0.0.3 of Tivoli Key Lifecycle Manager (product number 5724-T60) and to all subsequent releases and modifications. Copyright International Business Machines Corporation 2008, 2009. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents
Tables . . . . . . . . . . . . . . . v Administering . . . . . . . . . . . . 1
| | |
Specifying the keystore . . . . . . . . . . Copying ICSF protected device certificates between z/OS systems using the tklmKeyStoreEntryMetaDataCreate command . . Configuration settings . . . . . . . . . . Specifying levels of audit information . . . . Specifying port and timeout settings . . . . Specifying certificate settings . . . . . . Specifying SSL certificates for key serving . . LTO tape drive administration . . . . . . . Guided steps to create key groups and drives . Administering keys, key groups, and drives . 3592 tape drive administration . . . . . . . Guided steps to create certificates and drives . Administering certificates and drives . . . . DS8000 storage image administration . . . . . . 1 Guided steps to create storage images and image certificates . . . . . . . . . . . . . . Administering DS8000 storage images . . . . Backup and restore . . . . . . . . . . . . Backup and restore runtime requirements . . . Backing up critical files . . . . . . . . . Restoring a backup file . . . . . . . . . Starting and stopping the Tivoli Key Lifecycle Manager server on distributed systems . . . . Starting and stopping the Tivoli Key Lifecycle Manager server on z/OS systems . . . . . . Deleting a backup file . . . . . . . . . . Additional backup and restore tasks on the command line interface . . . . . . . . . 43 46 55 56 56 57 59 60 62 62

. 3 . 8 . 9 . 10 . 12 . 13 . 15 . 15 . 18 . 29 . 30 . 33 . 43

Notices . . . . . . . . . . . . . . 65
Trademarks . . . . . . . . . . . . . . 66

Index . . . . . . . . . . . . . . . 69

Copyright IBM Corp. 2008, 2009

iii

iv

IBM Tivoli Key Lifecycle Manager: Administering

Tables
1. 2. Status icons and their meanings. Status icons and their meanings. . . . . . . . . . 19 . 33 3. Status icons and their meanings. . . . . . 46

Copyright IBM Corp. 2008, 2009

vi

IBM Tivoli Key Lifecycle Manager: Administering

Administering
Administration is the set of tasks by which you prepare and then monitor the Tivoli Key Lifecycle Manager environment.

Specifying the keystore


Your first task is to use the graphical user interface to specify the keystore that Tivoli Key Lifecycle Manager uses.

About this task


If no keystore exists, use the Keystore page in the graphical user interface to specify the keystore. Before you begin, determine the type of keystore to use: v JCEKS (JCE software provider) Use this keystore type if you are using only Java software. For all operating systems and a 3592 tape drive, LTO tape drive, or DS8000 Turbo drive. Ensure that the flat file JCEKS keystore resides in a restricted area of the file system on the Tivoli Key Lifecycle Manager system. Use a JCEKS keystore for all operating systems other than z/OS. You might also use this keystore type on a z/OS system if you want to use JCE software and a flat file to store keys. v JCERACFKS (JCE software provider) Use this keystore type to store key material in your RACF keyring that is not using Integrated Cryptographic Services Facility (ICSF). For a z/OS operating system with a 3592 tape drive or DS8000 Turbo drive. If you use a RACF keyring for the master keystore, you may need to give the SSRECFG and the SSRE_USERID started task ID user access to that RACF keyring before you select and configure the RACF keyring using a JCERACFKS or JCECCARACFKS keystore type. A RACF keyring is not used with an LTO tape drive. v JCECCARACFKS (IBMJCECCA provider) The hardware JCE provider must be set in the Java security properties file. Use this keystore type to store key material in your RACF keyring that is using ICSF. For a z/OS operating system with a 3592 tape drive or DS8000 Turbo drive. If you use a RACF keyring for the master keystore, you may need to give the SSRECFG and the SSRE_USERID started task ID user access to that RACF keyring before you select and configure the RACF keyring using a JCERACFKS or JCECCARACFKS keystore type. A RACF keyring is not used with an LTO tape drive. v JCECCAKS (IBMJCECCA provider) The hardware JCE provider must be set in the Java security properties file. Use this keystore type when using a file-based keystore that leverages Integrated Cryptographic Services Facility. Ensure that a flat file JCECCAKS keystore resides in a restricted area of the file system on the Tivoli Key Lifecycle Manager system. When Tivoli Key Lifecycle Manager is configured to use hardware protection, key material will be stored within ICSFs CKDS and PKDS. When Tivoli Key Lifecycle Manager is configured not to use hardware protection, key

Copyright IBM Corp. 2008, 2009

material will be stored within the flat file-based JCECCAKS keystore. For a z/OS operating system with a 3592 tape drive, LTO tape drive, or DS8000 Turbo drive. The JCE provider setting is configurable in the Java security properties file, JAV A_HOME/lib/security/java.security. If you use the hardware provider to generate keys, you must use the JCECCAKS or JCECCARACFKS keystore type. Procedure 1. Navigate to the keystore page. If no keystore exists: a. Log on to the graphical user interface. b. On the Welcome page, select First, you must create the master keystore. For a file-based keystore: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Keystore. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Specify the keystore information: v Graphical user interface: a. In the Keystore window, select the keystore type, and type the keystore name in the Keystore name field. b. Complete the remaining, necessary information, and then click OK. v Command line interface: To add a file-based keystore, use the tklmKeyStoreAdd command. For example, type:
print AdminTask.tklmKeyStoreAdd ('[-storeName tklmNewKeystore -storeFileName TKLM_HOME/keymanager/test.jceks -storeType jceks -storePassword password]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: On the Success page, under Next Steps, click a related task that you want to perform. v Command line interface: A completion message indicates success. 4. Back up the new keystore.

IBM Tivoli Key Lifecycle Manager: Administering

What to do next
You might define an SSL certificate for communication with Tivoli Key Lifecycle Manager on the SSL port and review other configuration data. Alternatively, you might configure the drive types, and keys or certificates that your organization requires, using the new keystore. | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |

Copying ICSF protected device certificates between z/OS systems using the tklmKeyStoreEntryMetaDataCreate command
You might want to replicate ICSF protected device certificates across separate instances of Tivoli Key Lifecycle Manager for z/OS systems that do NOT share any of the following resources: RACF, ICSF and DB2. The tklmKeyStoreEntryMetaDataCreate command allows you to copy ICSF protected device certificates (that is, with Tivoli Key Lifecycle Manager set up using JCECCARACFKS) to another Tivoli Key Lifecycle Manager system that is not sharing RACF, ICSF and DB2 resources. To successfully copy ICSF protected device certificates between separate instances of Tivoli Key Lifecycle Manager, complete these tasks in RACF, ICSF, and Tivoli Key Lifecycle Manager:

Confirm ICSF and Tivoli Key Lifecycle Manager settings


Ensure that your Tivoli Key Lifecycle Manager and system setups meet these criteria: v Both ICSF instances are set up with the exact same set of Master Keys. Otherwise, the private key material is not importable to the secondary instance of Tivoli Key Lifecycle Manager. v All instances of Tivoli Key Lifecycle Manager have these keystore settings: JCECCARACFKS is the keystore type. Keyring and Keyring Owner are defined. You selected the setting Enable protection of encryption keys by ICSF if z/OS hardware-assisted cryptography is being used.. To verify these settings on the graphical user interface, click Tivoli Key Lifecycle Manager > Settings > Keystore

Create and list the device certificate


Create a new device certificate and list the device certificate. 1. If a device certificate does not already exist, use the Tivoli Key Lifecycle Manager graphical user or command line interface to create a new device certificate on your primary Tivoli Key Lifecycle Manager instance. For this example, the alias/label of the device certificate is ds8k.cert1. This assumes that the Tivoli Key Lifecycle Manager keystore is configured and conforms to the setup requirements that you previously confirmed. In this example, the keystore settings are: v Keystore type: JCECCARACFKS v Keystore name: Tivoli Key Lifecycle Manager Keystore v Keyring: TKLMKeyStore v User ID: ssrecfg
Administering

| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |

v You selected the checkbox for Enable protection of encryption keys by ICSF if z/OS hardware-assisted cryptography is being used. 2. Open an ISPF command shell and issue the following RACDCERT command to list the certificate details. This example uses SSRECFG in the ID field as the user that owns this RACF keyring. If you configured your keyring to be owned by a different user ID, substitute that user ID in the ID field.
racdcert list(label('ds8k.cert1')) id(ssrecfg)

The following display should occur:


Label:ds8k.cert1 Certificate ID:2QfjwdfF0tTihKL4kqmpqaOFoqNA Status:TRUST Start Date:2009/09/21 15:37:53 End Date: 2012/09/20 15:37:53 Serial Number:11658BE1D4E5B6F0 Issuer's Name:CN=ds8k cert.OU=.O=.L=.SP=.C= Subject's Name:CN=ds8k cert.OU=.O=.L=.SP=.C= Private Key Type:PCICC Private Key Size:2048 PKDS Label:IBM47582.30097670.51194776.68948079.21097733.43298099.8083 Ring Associations: Ring Owner:SSRECFG Ring:TKLMKeyStore

Export the ICSF protected device certificate


All Tivoli Key Lifecycle Manager instances that are configured with a keystore type of JCECCARACFKS produce device certificates which store public information in RACF and private information in ICSF. Complete these steps to export the information from both places: 1. To export the public information for the ds8k.cert1 device certificate to a dataset, issue the RACDCERT EXPORT command from the ISPF command shell. For example:
RACDCERT ID(SSRECFG) EXPORT (LABEL('ds8k.cert1')) DSN('TKLM.DS8K.CERT1') FORMAT(CERTDER)

Alternatively, you can create a JCL job to export the certificate. The JCL job might be convenient if you have multiple certificates that need to be exported, or if you intend to export certificates in the future. For example:
//CERTEXPT JOB <JOB CARD PARAMETERS> //* CAUTION: This is neither a JCL procedure nor a complete JOB. //* Before using this JOB step, you will have to make the following //* modifications: //* //* 1) Add the job parameters to meet your system requirements. //******************************************************************* //* Batch job that will export certificate material * //* for a given userid into a dataset. * //************************************************************* //* //REXX EXEC PGM=IKJEFT01 //* //SYSTSPRT DD SYSOUT=* //*-----------------------------------------------------------* //SYSTSIN DD DATA RACDCERT ID(SSRECFG) + EXPORT(LABEL('ds8k.cert1')) + DSN('TKLM.DS8K.CERT1') + FORMAT(CERTDER) /* //* * * * * *

IBM Tivoli Key Lifecycle Manager: Administering

| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |

2. Transmit your output dataset from the previous step over to your secondary Tivoli Key Lifecycle Manager system. For example, use XMIT to send the TKLM.DS8K.CERT1 dataset to the secondary Tivoli Key Lifecycle Manager instance. 3. Export the private key material from the primary ICSF PKDS, using the KEYXFER utility that is downloaded from the z/OS UNIX tools website: http://www.ibm.com/servers/eserver/zseries/zos/unix/bpxa1ty2.html Review the KEYXFER README.TXT document for tool pre-requisites and usage. The README.TXT can be downloaded from this website: ftp://ftp.software.ibm.com/s390/zos/tools/keyxfer/keyxfer.readme.txt Note that the KEYXFER utility needs to be accessible by both your primary and secondary ICSF systems. On your primary Tivoli Key Lifecycle Manager system, update the KEYXFER job to perform a WRITE operation with the PKDS Label from the previous RACDCERT LIST command. For example:
KEYXFER WRITE,IBM47582.30097670.51194776.68948079.21097733.43298099.8083,TKLM.KEYXFER.OUTPUT(PRVKEY)

Optionally run this as a batch job. For example:


//KEYXFERW JOB <JOB CARD PARAMETERS> //* CAUTION: This is neither a JCL procedure nor a complete JOB. //* Before using this JOB step, you will have to make the following //* modifications: //* //* 1) Add the job parameters to meet your system requirements. //******************************************************************* //* INVOKES THE ICSF KEYXFER TOOL TO * //* COPY THE PRIVATE PORTION OF AN ICSF * //* KEY TO A DATASET. * //* KEYXFER REQUIRES THE OUTPUT * //* DATASET TO BE PREALLOCATED. * //* ADDITIONALLY, THE //SYSEXEC DD DSN= STATEMENT * //* NEEDS TO BE MODIFIED TO POINT TO THE DATASET * //* WHERE THE KEYXFER EXEC WAS PLACED. * //******************************************************************* //* //REXX EXEC PGM=IKJEFT01 //* //SYSEXEC DD DSN=USERID.REXX,DISP=SHR //SYSTSPRT DD SYSOUT=* //*-----------------------------------------------------------------* //* DUMP THE LABELS/CERTS CREATED * //*-----------------------------------------------------------------* //SYSTSIN DD DATA KEYXFER WRITE, + IBM47582.30097670.51194776.68948079.21097733.43298099.8083, + TKLM.KEYXFER.OUTPUT(PRVKEY) /* //* * * * * *

4. Transmit the output dataset containing your private key TKLM.KEYXFER.OUTPUT(PRVKEY) to your secondary Tivoli Key Lifecycle Manager system. The output dataset will have your private key wrapped under the ICSF master key, rather than in the clear. Note that your secondary Tivoli Key Lifecycle Manager system must be set up with the same ICSF master key to enable the KEYXFER utility to import your private key into the secondary ICSF PKDS.

Administering

| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |

Import the ICSF protected device certificate


Import the ICSF protected device certificate. In this example, the keystore settings for the secondary Tivoli Key Lifecycle Manager are the same as for the primary Tivoli Key Lifecycle Manager: v v v v v Keystore type: JCECCARACFKS Keystore name: Tivoli Key Lifecycle Manager Keystore Keyring: TKLMKeyStore User ID: ssrecfg You selected the checkbox for Enable protection of encryption keys by ICSF if z/OS hardware-assisted cryptography is being used.

Complete these steps: 1. On the secondary Tivoli Key Lifecycle Manager instance, receive both the certificate file TKLM.DS8K.CERT1 and the output private key dataset from KEYXFER TKLM.KEYXFER.OUTPUT(PRVKEY). 2. Stop all Tivoli Key Lifecycle Manager servers that are running on your secondary system. You can do this by stopping all System Services Runtime Environment instances which will in turn stop all Tivoli Key Lifecycle Manager instances. 3. Import the private key into the PKDS by running the KEYXFER job that is updated to do a READ operation with the same PKDS label that was used in the export. For example:
KEYXFER READ,IBM47582.30097670.51194776.68948079.21097733.43298099.8083,TKLM.KEYXFER.OUTPUT(PRVKEY), OVERWRITE

Optionally, you might run a batch REXX job. For example:


//KEYXFERW JOB <JOB CARD PARAMETERS> //* CAUTION: This is neither a JCL procedure nor a complete JOB. //* Before using this JOB step, you will have to make the following //* modifications: //* //* 1) Add the job parameters to meet your system requirements. //******************************************************************* //* INVOKES THE ICSF KEYXFER TOOL TO * //* READ THE INPUT DATASET AND WRITE A * //* TOKEN TO THE PKDS * //******************************************************************* //* //REXX EXEC PGM=IKJEFT01 //* //SYSEXEC DD DSN=USERID.REXX,DISP=SHR //******************************************************************* //* ADDITIONALLY, THE //SYSEXEC DD DSN= STATEMENT * //* NEEDS TO BE MODIFIED TO POINT TO THE DATASET * //* WHERE THE KEYXFER EXEC WAS PLACED. * //******************************************************************* //SYSTSPRT DD SYSOUT=* //SYSTSIN DD DATA KEYXFER READ, + IBM47582.30097670.51194776.68948079.21097733.43298099.8083, + TKLM.KEYXFER.OUTPUT(PRVKEY), OVERWRITE /* //* * * * * *

The overwrite option will overwrite an existing PKDS record with this label name. Ensure that you are not using an existing PKDS record with this label name before performing this step.

IBM Tivoli Key Lifecycle Manager: Administering

| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |

4. The private key should now be in PKDS on your secondary Tivoli Key Lifecycle Manager instance. To verify this, issue REPROOUT. 5. Import the certificate into RACF and associate the certificate with the PKDS label of the private key that you imported on your secondary Tivoli Key Lifecycle Manager instance. Then connect the certificate to the keyring of your secondary Tivoli Key Lifecycle Manager. To do this, issue the following commands:
RACDCERT ID(SSRECFG) add('TKLM.DS8K.CERT1') TRUST WITHLABEL('ds8k.cert1') PCICC(IBM47582.30097670.51194776.68948079.21097733.43298099.8083) SETROPTS RACLIST (DIGTCERT) REFRESH RACDCERT ID(SSRECFG) CONNECT(LABEL('ds8k.cert1') RING(TKLMKeyStore))

Optionally, run a JCL job. For example:


//CERTIMP JOB <JOB CARD PARAMETERS> //* CAUTION: This is neither a JCL procedure nor a complete JOB. //* Before using this JOB step, you will have to make the following //* modifications: //* //* 1) Add the job parameters to meet your system requirements. //*-----------------------------------------------------------* //* Run this job to import cert entries under * //* your userid. * //* Note: The PKDS label shown in the PCICC(...) * //* keyword was obtained from Step 2 on page 4 of * //* Create and list the device certificate on page 3 * //*-----------------------------------------------------------* //STEP1 EXEC PGM=IKJEFT01,DYNAMNBR=20,REGION=0M //SYSTSPRT DD SYSOUT=* //SYSTSIN DD * RACDCERT ADD('TKLM.DS8K.CERT1') TRUST + WITHLABEL('ds8k.cert1') + PCICC(IBM47582.30097670.51194776.68948079.21097733.43298099.8083) SETROPTS RACLIST(DIGTCERT) REFRESH RACDCERT CONNECT(ID(SSRECFG) + LABEL('ds8k.cert1') + RING(TKLMKeyStore)) /* // * * * * *

6. A RACF display of the certificate under the SSRECFG ID on your secondary Tivoli Key Lifecycle Manager instance should be similar to this:
racdcert list(label('ds8k.cert1')) id(ssrecfg) Label:ds8k.cert1 Certificate ID:2QfjwdfF0tTihKL4kqmpqaOFoqNA Status:TRUST Start Date:2009/09/21 15:37:53 End Date: 2012/09/20 15:37:53 Serial Number:11658BE1D4E5B6F0 Issuer's Name:CN=ds8k cert.OU=.O=.L=.SP=.C= Subject's Name:CN=ds8k cert.OU=.O=.L=.SP=.C= Private Key Type:PCICC Private Key Size:2048 PKDS Label:IBM47582.30097670.51194776.68948079.21097733.43298099.8083 Ring Associations: Ring Owner:SSRECFG Ring:TKLMKeyStore

7. At this point the device certificates key material has successfully been added to the secondary ICSF and RACF key repositories. The next steps will be to add the necessary device certificate DB2 metadata to the secondary Tivoli Key Lifecycle Manager instances.

Administering

| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |

First you must start the Tivoli Key Lifecycle Manager servers on your secondary Tivoli Key Lifecycle Manager system.

Run the tklmKeyStoreEntryMetaDataCreate command


Run the tklmKeyStoreEntryMetaDataCreate command to create the device certificate Tivoli Key Lifecycle Manager metadata. Complete these steps: 1. On one of the secondary Tivoli Key Lifecycle Manager instances, go to an OMVS shell and switch the user to the SSRE configuration user ID, ssrecfg:
su ssrecfg

At the prompt, enter the password of the SSRECFG user ID. 2. Start a wsadmin command prompt in Jython mode by issuing the following command on one line, where SSRE_APPSERVER_HOME is the location of your System Services Runtime Environment instances AppServer directory. Be sure to specify the password of the SSRECFG user ID.
SSRE_APPSERVER_HOME/bin/wsadmin.sh -username ssrecfg -password ssrepass -lang jython

3. Enter the tklmKeyStoreEntryMetaDataCreate command on one line, specifying the alias and keystore name and optionally the usage. For example:
print AdminTask.tklmKeyStoreEntryMetaDataCreate ('[-alias ds8k.cert1 -type privatekey -usage ds8k -keyStoreName "Tivoli Key Lifecycle Manager Keystore"]')

Note: There are various options that you can use with the tklmKeyStoreEntryMetaDataCreate command. For more information, refer to the command reference in the IBM Tivoli Key Lifecycle Manager Information Center. Optionally, you might copy the command into a Jython script (tklmKeyStoreEntryMetaDataCreate.jython). Then, invoke the script at wsadmin startup by specifying the f flag. For example:
SSRE_APPSERVER_HOME/bin/wsadmin.sh -username ssrecfg -password ssrepass -lang jython -f ./tklmKeyStoreEntryMetaDataCreate.jython

You might also paste this example into a shell script file (tklmKeyStoreEntryMetaDataCreate.sh) to use at wsadmin startup to invoke the tklmKeyStoreEntryMetaDataCreate command. 4. Verify that the device certificate now appears in the Tivoli Key Lifecycle Manager graphical user interface pages. 5. If more than one Tivoli Key Lifecycle Manager instance shares DB2 on your secondary system, use the backup/restore function that Tivoli Key Lifecycle Manager provides to copy the updated configuration to the other Tivoli Key Lifecycle Manager instances. After the restore on each Tivoli Key Lifecycle Manager, verify that the device certificate appears in the Tivoli Key Lifecycle Manager graphical user interface pages.

Configuration settings
Tivoli Key Lifecycle Manager provides a set of operations to change the Tivoli Key Lifecycle Manager configuration. For example, you might change port or timeout values for TCP and SSL communication, or the Tivoli Key Lifecycle Manager audit level that provides additional log information.

IBM Tivoli Key Lifecycle Manager: Administering

Specifying levels of audit information


You might change the default setting that Tivoli Key Lifecycle Manager uses to collect audit information.

About this task


You can use the Audit page to change information levels written to the audit log, or you can use the tklmConfigGetEntry and tklmConfigUpdateEntry commands to list or change the Audit.event.types property in the TKLMgrConfig.properties file. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Configuration > Audit. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Change the value for the audit information level: v In the graphical user interface, select a low, medium, or high value for the Audit setting, then click OK. Low Stores minimal audit records. Selecting low sets the following property values in the TKLMgrConfig.properties file: Audit.event.types = runtime, authorization, authorization_terminate, resource_management, key_management Audit.event.outcome = failure Medium (default) Stores an intermediate amount of audit records. Selecting medium sets the following property values in the TKLMgrConfig.properties file: Audit.event.types = runtime,authorization,authorization_terminate, resource_management, key_management Audit.event.outcome = success,failure High Stores the maximum amount of audit records. Selecting high sets the following property values in the TKLMgrConfig.properties file:
Administering

Audit.event.types = all Audit.event.outcome = success,failure v Command line interface: a. Type the tklmConfigGetEntry command on one line to get the current value of the target property in the TKLMgrConfig.properties file. For example, to determine which event types are included in the audit log, type on one line:
wsadmin>print AdminTask.tklmConfigGetEntry ('[-name Audit.event.types]')

An example response might be:


All

b. Specify the required change. For example, to limit the selection to two event types to store in the audit log, type on one line:
print AdminTask.tklmConfigUpdateEntry ('[-name Audit.event.types -value runtime,audit_management]')

3. A success indicator will vary, depending on the interface: v Graphical user interface On the Success page, under Next Steps, click a related task that you want to perform. v Command line interface A completion message indicates success.

What to do next
You might rerun an operation that previously returned an error. Then, examine the audit log for additional information.

Specifying port and timeout settings


You might change the default port and timeout settings that Tivoli Key Lifecycle Manager provides.

About this task


You can use the Key Serving Parameters page to change port and timeout settings, or you can use the tklmConfigGetEntry and tklmConfigUpdateEntry commands to list and change the appropriate properties in the TKLMgrConfig.properties file. Before you begin, determine whether there are port or timeout conflicts at your site that prevent using the Tivoli Key Lifecycle Manager default values. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Configuration > Key Serving Parameters. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

10

IBM Tivoli Key Lifecycle Manager: Administering

Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Change the value for the port or timeout settings: v In the graphical user interface, change one or more of these settings, and then click OK: TCP port Tivoli Key Lifecycle Manager uses default port 3801. Values can range from 1 to 65535. The value you set also changes the value of the TransportListener.tcp.port property in the TKLMgrConfig.properties file. TCP timeout (in minutes) Tivoli Key Lifecycle Manager uses a default timeout value of 10 minutes. Values can range from 0 to 120. A value of 0 (zero) means never timeout. The value that you set also changes the value of the TransportListener.tcp.timeout property in the TKLMgrConfig.properties file. SSL port Tivoli Key Lifecycle Manager uses default port 441. Values can range from 1 to 65535. The value you set also changes the value of the TransportListener.ssl.port property in the TKLMgrConfig.properties file. SSL timeout (in minutes) Tivoli Key Lifecycle Manager uses a default timeout value of 10 minutes. Values can range from 0 to 120. A value of 0 (zero) means never timeout. The value that you set also changes the value of the TransportListener.ssl.timeout property in the TKLMgrConfig.properties file. v Command line interface: a. Type the tklmConfigGetEntry command on one line to get the current value of the target property in the TKLMgrConfig.properties file. For example, type on one line:
wsadmin>print AdminTask.tklmConfigGetEntry ('[-name TransportListener.tcp.port]')

An example response might be:


3801

b. Specify the required change. For example, to specify a different TCP port number, type on one line:
print AdminTask.tklmConfigUpdateEntry ('[-name TransportListener.tcp.port -value 3802]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: A Configuration Update Successful page displays the information that you entered. v Command line interface:
Administering

11

A completion message indicates success.

What to do next
To put a change such as a port number into effect, restart the Tivoli Key Lifecycle Manager server.

Specifying certificate settings


You might change the default certificate settings that Tivoli Key Lifecycle Manager provides.

About this task


Use the Key Serving Parameters page to change certificate settings, or use the tklmConfigGetEntry and tklmConfigUpdateEntry commands to list or change the appropriate properties in the TKLMgrConfig.properties file. Before you begin, determine whether: v z/OS systems are at or below Integrated Cryptographic Services Facility version 7740, if you plan to exchange tapes between z/OS and non-z/OS systems. v To perform certificate date validation before serving a key. Validation confirms that the certificate is valid, and has not expired. v To identify certificates by using the subject key identifier that is stored in the certificate. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Configuration > Key Serving Parameters. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Change the value for one or more certificate settings: v In the graphical user interface, change one or more of the following settings, and then click OK: Enable z/OS key and certificate compatibility. Create keys and certificates for use with z/OS systems at or below Integrated Cryptographic Services Facility version 7740. Use this option if you plan to exchange tapes between z/OS running ICSF

12

IBM Tivoli Key Lifecycle Manager: Administering

7740 or lower. The value you set also changes the value of the zOSCompatibility property in the TKLMgrConfig.properties file. Do not use expired certificates for write requests or data writes. Before serving a key, validate that the expiration date has not passed for the certificate or certificates that will wrap this key. Expired certificates are used only for read requests. When this is selected, expired certificates are not used for write requests. Selecting this checkbox changes the value of the cert.valiDATE property to true in the TKLMgrConfig.properties file. Identify certificates by certificate name. Identify certificates using the certificate name stored in the certificate, rather than using a subject key identifier. You specify the certificate name when you create a certificate. This function is used when decrypting data that was written to a device. The unchecked state uses the Subject Key Identifier to determine the certificate to be used when reading data on a cartridge or other device. Using the Subject Key Identifier also sets the value of the useSKIDefaultLabels property in the TKLMgrConfig.properties file. v Command line interface: a. Type the tklmConfigGetEntry command on one line to get the current value of the target property in the TKLMgrConfig.properties file. For example, type:
wsadmin>print AdminTask.tklmConfigGetEntry ('[-name zOSCompatibility]')

An example response might be:


False

b. Specify the required change. For example, to select change the value of the zOSCompatibility property to true, type on one line:
print AdminTask.tklmConfigUpdateEntry ('[-name zOSCompatibility -value true]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: On the Success page, under Next Steps, click a related task that you want to perform. v Command line interface: A completion message indicates success.

What to do next
Changes to certificate settings occur dynamically. Next, you might create the necessary certificates and associate them with specific devices.

Specifying SSL certificates for key serving


You might specify that self-signed certificates are used for key serving. Alternatively, you might create requests for certificates that are issued by a Certificate Authority (CA).

About this task


You can use the SSL for Key Serving page to specify the type of certificates that Tivoli Key Lifecycle Manager uses, or you can use the tklmCertCreate or the tklmCertGenRequest command.
Administering

13

Before you begin, determine: v Whether your site policies allow using self-signed certificates during a phase in your project such as a test phase. v The time interval needed to receive a CA-issued certificate after a request is sent. You must manually send a certificate request to the issuing authority. v Whether your site requires partner certificates for use with business partners, vendors, or for disaster recovery purposes. v The customary setting in days for a certificate validity interval. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Configuration > SSL for Key Serving. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Create one or more certificates or certificate requests: v In the graphical user interface, select whether to generate a self-signed certificate, or request a certificate from a third-party provider. There is also an option for the SSL certificate to use an existing certificate from the keystore. Complete the required and optional fields, and then click OK. v Command line interface: a. Type the tklmCertCreate command on one line. For example, to create a new self-signed certificate, type:
print AdminTask.tklmCertCreate ('[-type selfsigned -alias tklmSSLCertificate -cn tklmssl -ou accounting -o myCompanyName -country myCountry -keyStoreName TESTKS_001 -usage "SSL server" -validity 999]')

You might alternatively request a certificate from a Certificate Authority. For example, type:
AdminTask.tklmCertGenRequest('[-alias tklmSSLCertificate1 -cn tklm -ou sales -o myCompanyName -locality myLocation -country myCountry -validity 999 -keyStoreName test -fileName mySSLCertRequest1.crt -usage "SSL server"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: On the Success page, under Next Steps, click a related task that you want to perform. v Command line interface:

14

IBM Tivoli Key Lifecycle Manager: Administering

A completion message indicates success.

What to do next
Go to the Welcome page and configure the drive types, and keys or certificates that your organization requires, using the new keystore.

LTO tape drive administration


You can administer keys, key groups, and LTO tape drives using Tivoli Key Lifecycle Manager.

Guided steps to create key groups and drives


When you first create key groups and drives, and later when you add additional key groups or drives, Tivoli Key Lifecycle Manager provides a guided set of steps to complete the task. Descriptions of some steps might mention command line alternatives to do the same task. In a guided set of tasks, use the graphical user interface to complete the tasks.

Creating a key group


As a first activity, you might create keys and key groups for Tivoli Key Lifecycle Manager.

About this task


You can use the Create Key Group dialog. Alternatively, you might first use the tklmGroupCreate to create a group to which you want to add keys, and then use the tklmSecretKeyCreate commands to create one or more symmetric keys in the existing group. Before you begin, determine the quantity of keys and the purpose of individual key groups that your organization requires. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to: menu, select LTO. Then, click Go. You will be taken to the LTO Drive page which provides a guided set of configuration steps. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems:
Administering

15

a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Create a key group: v Graphical user interface: a. On Step 1: Create Key Groups page, there is a Key Groups table. On the Key Groups table, click Create. b. On the Create Key Group dialog, specify values for the required and optional parameters. For example, you might create a key group containing 100 keys. Then, click Create Key Group. v Command line interface: a. First, create a group to which you might add keys. Type tklmGroupCreate to create a group. For example, type:
print AdminTask.tklmGroupCreate ('[-name GROUP-myKeyGroup -type keygroup]')

b. Next, use the tklmGroupList command obtain the value of the uuid for the group that you created. For example, type:
print AdminTask.tklmGroupList ('[-name GROUP-myKeyGroup -type keygroup -v y]')

c. Then, create a group of keys and store them in the group. For example, type:
print AdminTask.tklmSecretKeyCreate ('[-alias abc -keyStoreName test -numOfKeys 10 -usage LTO -keyGroupUuid GROUP-aadd1dd9-6745-47c1-9ac9-3d7d19d8e331]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The key group appears as an item in the Key Groups table. v Command line interface: A completion message indicates success.

What to do next
Next, you might go the next guided step to define specific devices, and associate key groups with the devices. To do this, select Step 2: Identify Drives.

Identifying drives
You might identify an LTO tape drive for use with Tivoli Key Lifecycle Manager.

About this task


You can use the Add Tape Drives dialog or you can use the tklmDeviceAdd command to add a device. Before you begin, create the key groups that you need to associate with tape drives that you identify. Additionally, determine whether you want Tivoli Key Lifecycle Manager to accept requests from all IBM drives. For greater security, after all drives have been discovered, you might turn off this option for a production environment. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface:

16

IBM Tivoli Key Lifecycle Manager: Administering

Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to: menu, select LTO. Then, click Go. You will be taken to the LTO Drive page which provides a guided set of configuration steps. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Skip the Create Key Groups page. Select Step 2: Identify Drives or click Go to Next Step. 3. You might specify that Tivoli Key Lifecycle Manager accepts requests from all IBM drives. v Graphical user interface: Select Accept requests from all IBM drives. v Command line interface: Use the tklmConfigUpdateEntry command to set the value of the drive.acceptUnknownDrives and symmetricKeySet properties. For example, type:
print AdminTask.tklmConfigUpdateEntry ('[-name drive.acceptUnknownDrives -value true]') print AdminTask.tklmConfigUpdateEntry ('[-name symmetricKeySet -value "{Group-myKeyGroup}"]')

4. Add a device: v Graphical user interface: a. On the Step 2: Identify Drives page, in the Tape Drives table, click Add. b. On the Add Tape Drive dialog, type the required and optional information. Then, click Add Tape Drive. v Command line interface: Type tklmDeviceAdd to add a device. You must specify the device type and serial number. For example, type:
print AdminTask.tklmDeviceAdd ('[-type LTO -serialNumber FAA49403AQJF -attributes "{worldwideName 12345678} {description salesDivisionDrive} {symAlias ltoKeyGroup1}"]')

5. A success indicator will vary, depending on the interface: v Graphical user interface: The device is added to the Tape Drives table. v Command line interface: A completion message indicates success.

Administering

17

What to do next
Next, you might use the LTO key administration panel to view all key groups and devices.

Administering keys, key groups, and drives


To administer keys, key groups, and devices, you might need to determine the current key serving status of the Tivoli Key Lifecycle Manager server. You might also map key groups to drives by adding, modifying, or deleting specific keys, key groups, or devices.

About this task


Use the Key Administration for LTO Tape Drives page to determine the current key serving status of the Tivoli Key Lifecycle Manager server. You might also map key groups to drives by adding, modifying, or deleting specific keys, key groups, or devices. To change the view of information on this page, select: View Key Groups and Drives View the key group names and drive serial numbers. Additionally, this view lists whether a key group serves any IBM drives as a default and lists the key group, key, or system default that a drive uses. View Keys, Key Group Membership and Drives View the keys and key membership in key groups. Additionally, this view lists drive serial numbers and the key group, key, or system default that a drive uses. Before you begin, examine the columns on the Key Administration for LTO Tape Drives page, which provides buttons to add, modify, or delete a table item. To sort information, click a column header. Alternatively, type information about a target in the filter field for keys or key groups or in the filter field for drives. Then, press Enter. The table is organized in these areas: v In left columns, information about keys or key groups, depending on the view Indicates the key or key group. For a key, indicates in which key group the key is a member. For a key group, indicates whether the key group is used as the default, and the number of keys in the group. v In right columns, information about drives Indicates the drive serial number and the key group or specific key that the drive uses. For example, a drive might use the System Default key group. v Additional choices and status indicators, below the table Accept requests from all IBM drives. Click to allow any drive that contacts Tivoli Key Lifecycle Manager to be served keys from the default key group. You might use this option to populate the list of available drives, and then turn off the option when the drives have been added. Key Serving Status: and If devices and the default set of keys are configured, a green icon message appears, such as Configured to serve keys to LTO drives. v Status icons

18

IBM Tivoli Key Lifecycle Manager: Administering

Status icons indicate the current key serving status of the Tivoli Key Lifecycle Manager server.
Table 1. Status icons and their meanings Icon Description The Tivoli Key Lifecycle Manager server is enabled to serve keys. Defaults for this device type have not been configured. A symmetric key A set of symmetric keys. A key group is a set of symmetric keys.

Procedure 1. Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. Descriptions of some steps describe alternatives in using either the graphical user interface, or the command line interface. For any one work session for tasks that are available on the graphical user interface, do not switch between interfaces during the session. Descriptions of some tasks might mention task-related properties in the TKLMgrConfig.properties. Use the graphical user interface or the command line interface to change these properties. 2. On the Key Administration for LTO Tape Drives page, you can add, modify, or delete a key, a key group, or drive. Additionally, you can specify whether a key group accepts requests from all IBM drives, and monitor the current key serving status of the Tivoli Key Lifecycle Manager server. You might do these administrative tasks: v Refresh the list. to refresh items in the table. Click the refresh icon v Add Click Add. Alternatively, you can select a step-by-step process to create key groups, and drives. Key group On the Create Key Group dialog, specify the required information such as the key group name. You might also specify that this group serves keys as the default key group. There can be only one default key group. Then, click Create Key Group. Tape drive On the Add Tape Drive dialog, type the drive serial number and other information. Then, click Add Tape Drive. Use step by step process for key group and drive creation On the Step1: Create Key Groups and Step2: Identify Drives pages, enter the necessary information and click the appropriate button to complete the task. A success indicator will vary, showing a key group or device. v Modify

Administering

19

To change a key group, key, or drive, select a key group, key, or drive, and then click Modify. Alternatively, right-click the selected key group, key, or drive. Then, click Modify. Key Group Specify changes on the Modify Key Group dialog. Then, click Modify Key Group. Key Specify changes on the Modify Key Membership dialog. Then, click Modify Key Membership. Tape drive Specify changes on the Modify Tape Drive dialog. Then, click Modify Tape Drive. A success indicator will vary, showing a change in a column for the key group, key, or device. Changes to optional information such as the value of a drive description might not be provided in the table. v Delete To delete a key group, key, or drive, select a key group or drive, and then click Delete. Alternatively, right-click the selected key group, key, or drive. Then, click Delete. Key group You cannot delete a key group that is associated with a device, or a key group that is marked as default. Deleting a populated key group also deletes all the keys in the key group. To confirm deletion, click OK. Key Deleting a key removes the key from any key group with which the key is associated. To confirm deletion, click OK. Tape drive Metadata for the drive that you delete, such as the drive serial number, is removed from the Tivoli Key Lifecycle Manager database. To confirm deletion, click OK. A success indicator is the deletion of the key group, key, or device from the administration table.

Adding a key or key group


You might add more keys or key groups for use with Tivoli Key Lifecycle Manager.

About this task


You can use the Create Key Group dialog. Alternatively, you might first use the tklmGroupCreate to create a group to which you want to add keys, and then use the tklmSecretKeyCreate commands to create one or more symmetric keys in the existing group. Before you begin, determine your site policy on the default key groups and naming for key prefixes. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface:

20

IBM Tivoli Key Lifecycle Manager: Administering

Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, click Add from the menu bar and then select Key Group. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Create a key or key group: v Graphical user interface On the Create Key Group dialog, specify values for the required and optional parameters. For example, you might optionally specify whether this is the default key group. Then, click Create Key Group. v Command line interface: a. First, create a group to which you might add keys. Type tklmGroupCreate to create a group of that has a type of keygroup. For example, type:
print AdminTask.tklmGroupCreate ('[-name GROUP-myKeyGroup -type keygroup]')

b. Next, use the tklmGroupList command obtain the value of the uuid for the group that you created. For example, type:
print AdminTask.tklmGroupList ('[-name GROUP-myKeyGroup -type keygroup -v y]')

c. Then, create a group of keys and store them in the group. For example, type:
print AdminTask.tklmSecretKeyCreate ('[-alias abc -keyStoreName test -numOfKeys 10 -usage LTO -keyGroupUuid GROUP-aadd1dd9-6745-47c1-9ac9-3d7d19d8e331]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The key group appears as an item in the Key Groups listing. v Command line interface: Completion messages indicate success.

What to do next
Next, you might associate key groups with specific devices. Additionally, you might specify whether a key group will accept requests from all IBM drives by identifying it as the default key group.

Specifying a rollover key group


You might specify a key group for future use as the system default.
Administering

21

About this task


You can use the Manage Key Group Default Rollover - LTO Drives page. Procedure 1. Navigate to the appropriate page or directory: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > Manage Default Rollover > LTO Key Group. Alternatively, start by clicking Tivoli Key Lifecycle Manager > Key Administration > LTO. Then, on the Key Administration for LTO Tape . Drives page, click the rollover icon 2. Specify an existing key group to be a future system default. On the Manage Key Group Default Rollover - LTO Drives page, click Add and specify the required information. Note: v Do not specify two defaults for the same rollover date. v If a key group does not exist at the time of rollover, Tivoli Key Lifecycle Manager continues to use the current default key group. v You can add or delete table entries, but cannot modify an entry. 3. A success indicator is that the key group appears in the table of rollover key groups on the Manage Key Group Default Rollover - LTO Drives page. 4. To delete a key group from the rollover table, select a key group and click Delete.

Specifying that keys are used only once


You might specify that keys in a key group are used only once. For security reasons, for example, you might prevent additional use of previously-used keys defined for a key group.

About this task


You can use the command line interface and the stopRoundRobinKeyGrps property in the TKLMgrConfig.properties file. This property is not initially present in the property file unless you set its value to true. This property can only be set using the command line interface. Important: v Turning on this flag can cause key serving to stop if a key group is in use and the last key from the key group is served. Additional requests for a key from this group on a key serving write request will cause an error and send an error code of 0xEE34 (NO_KEY_TO_SERVE) to the device. To enable successful processing of new key serving write requests, add new keys to the key group. Alternatively, you might specify use of a different key group that has available keys. Key serving read requests will always succeed as long as the requested key exists. v This property should be used in an environment of strict government compliance and in conjunction with FIPS 140. With the property on, you must actively monitor your key groups to ensure that a group does not run out of keys, which would cause the server to stop serving keys and the tape write request to fail.

22

IBM Tivoli Key Lifecycle Manager: Administering

v If you turn this flag on, do not turn the flag off. For example, if you turn on the flag, a key group will not serve previously used keys. If you then turn off the flag, the next key in the group is served. After the last key in the group is served, the next key to be served is the first key in the group. v When this option is set, do not separately assign individual key aliases that belong to a key group to devices. Procedure 1. Navigate to the appropriate directory: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: v Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

v Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

v z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. First, determine the current state of the property in the TKLMgrConfig.properties file. This property is not initially present in the property file unless you set its value to true. At a wsadmin prompt, type this Jython-formatted command:
print AdminTask.tklmConfigGetEntry ('[-name stopRoundRobinKeyGrps]')

3. Change the state of the stopRoundRobinKeyGrps property to a value of true in the TKLMgrConfig.properties file. Type this Jython-formatted command:
print AdminTask.tklmConfigUpdateEntry ('[-name stopRoundRobinKeyGrps -value true]')

4. To determine success, retype the tklmConfigGetEntry command. Additionally, on the Welcome page in the graphical user interface, you might observe a Low Key Count Warning table in the Action Items section that lists key groups with 10 percent or fewer available keys. Double click an entry in this table to access the Modify Key Groups dialog, where you can add additional keys for use by the group. There is no other warning. The low key count warning applies to all key groups, including the key group specified as the default.

Modifying a key group


You might modify information about objects in a key group in the Tivoli Key Lifecycle Manager database.

About this task


You can use the Modify Key Group dialog or you can use either or both of the tklmGroupEntryDelete and tklmGroupEntryAdd commands to modify objects in a key group in the Tivoli Key Lifecycle Manager database. Before you begin, determine the changed information for the group, such as the number of additional keys that you want to add to the group.
Administering

23

Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, select the key group in the Key Groups column. Then, click Modify. Alternatively, right-click a key group and then select Modify, or double click the key group entry. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Modify the key group information: v Graphical user interface: On the Modify Key Group dialog, change the appropriate fields. Then, click Modify Key Group. v Command line interface: You might delete an object in a group, or add an object to a group. Delete a key from the group. For example, type:
print AdminTask.tklmGroupEntryDelete ('[-entry "{type key} {uuid KEY-a3ce9230-bef9-42bd-86b7-6d208ec119cf}" -name GROUP-myKeyGroup -type keygroup]')

Add the same key back into the group again. For example, type:
print AdminTask.tklmGroupEntryAdd('[-name GROUP-myKeyGroup -type keygroup -entry "{type key} {alias aaa000000000000000000} {keyStoreName tklmKeyStore}"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: For required fields, a column displays changed data. For optional fields, you might need to reopen the Modify Key Group dialog to see the changed values, and then click Cancel. v Command line interface: A completion message indicates success.

What to do next
Next, you might use the Key Administration for LTO Tape Drives page to associate the key group with specific devices.

24

IBM Tivoli Key Lifecycle Manager: Administering

Deleting a key or key group


You might delete a selected key or key group. You cannot delete a key or a key group that is associated with a device, or a key group that is marked as the default key group.

About this task


You can use the Delete menu item, or you can use the tklmKeyDelete command to delete a key, or the tklmGroupDelete command to delete the key group. Before you begin: v Key Ensure that a backup exists of the keystore containing the key that you intend to delete. v Key group If you use the command line interface, obtain the uuid of the key group that you intend to delete. Verify that the key group is not currently associated with a device, and is not marked as a default key group. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, select either the key or the key group. Then, click Delete from the menu bar. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Delete the key or key group: v Graphical user interface: On the Confirm dialog, read the confirmation message before you delete the key or key group to verify that the correct key or key group was selected. For example, you might delete an empty key group. Deleting a populated key group also deletes all the keys in the key group. Deleting a key that belongs to a key group will also remove the key from the group. Then, click OK. v Command line interface: Key

Administering

25

Type tklmKeyDelete to delete a key. For example, to delete a key that is not currently associated with a device, first locate the key. You might use the tklmKeyList command to find the key that you want to delete. For example, type:
print AdminTask.tklmKeyList ('[-attributes "{state active}" -v y]')

Then, delete the key. For example, type:


print AdminTask.tklmKeyDelete ('[-alias aaa000000000000000000 -keyStoreName test]')

The key is marked as destroyed in the database, and the key material is deleted from the keystore. Key group Type tklmGroupDelete to delete a key group. For example, you might delete an empty key group. Deleting a populated key group also deletes all the keys in the key group. For example, to delete a key group that is not currently associated with a device, type:
print AdminTask.tklmGroupDelete ('[-uuid GROUP-7d588437-e725-48bf-a836-00a47df64e78]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The key or key group is removed from the table. The key material is deleted from the keystore. v Command line interface: A completion message indicates success.

What to do next
Refresh the table to ensure that the key or key group is deleted. Back up the keystore to accurately reflect the change in keys. Back up the database to reflect the change in key groups.

Adding a drive
You might add a device such as a tape drive to the Tivoli Key Lifecycle Manager database.

About this task


You can use the Add Drives dialog or you can use the tklmDeviceAdd command to add a device. Before you begin, create the keys and key groups that you need to associate with the devices that you are about to identify. Additionally, obtain the tape drive serial number, and other description information. Determine whether the drive will use a specific key group, or a system default key group. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, on the menu bar, click Add and then select Tape Drive. v Command line interface:

26

IBM Tivoli Key Lifecycle Manager: Administering

In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Add a device: v Graphical user interface: On the Add Tape Drive dialog, type the required and optional information. Then, click Add Tape Drive. v Command line interface: Type tklmDeviceAdd to add a device. You must specify the device type and serial number. For example, type:
print AdminTask.tklmDeviceAdd ('[-type LTO -serialNumber FAA49403AQJF -attributes "{worldwideName 12345678} {description salesDivisionDrive} {symAlias ltoKeyGroup1}"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The device is added to the Tape Drives table. v Command line interface: A completion message indicates success.

What to do next
Next, you might determine the current status of the drive that you added.

Modifying a drive
You might modify information about a device such as a tape drive in the Tivoli Key Lifecycle Manager database. For example, you might update the description of the drive.

About this task


You can use the Modify Tape Drive dialog or you can use the tklmDeviceUpdate command to update a device. Before you begin, create the keys and key groups that you need to associate with the devices that you are about to modify. If you use the command line interface, obtain the value of the uuid for the device that you intend to update. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key
Administering

27

Administration for LTO Tape Drives page, select a device. Then, click Modify. Alternatively, you can right-click a device and then select Modify or you can double-click on the device entry. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Modify a device: v Graphical user interface: On the Modify Tape Drive dialog, type the required and optional information. Then, click Modify Tape Drive. v Command line interface: Type tklmDeviceUpdate to update a device. You must specify the device uuid and the attributes that change. For example, type:
print AdminTask.tklmDeviceUpdate ('[-uuid DEVICE-44b123ad-5ed8-4934-8c84-64cb9e11d990 -attributes "{symAlias ltoExistingKey} {description myLTOdrive}"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The device information is changed in the Tape Drives table. v Command line interface: A completion message indicates success.

What to do next
Next, you might verify that the changes are made. For optional fields, such as the description, you might need to run the tklmDeviceList command to determine whether the value has changed, or reopen the Modify Tape Drive dialog.

Deleting a drive
You might delete a device such as a tape drive. Metadata for the drive that you delete, such as the drive serial number, is removed from the Tivoli Key Lifecycle Manager database.

About this task


You can use the Delete menu item or you can use the tklmDeviceDelete command to delete a device. Before you begin, ensure that a current backup exists for the Tivoli Key Lifecycle Manager database. If you use the command line interface, obtain the uuid of the device that you intend to delete.

28

IBM Tivoli Key Lifecycle Manager: Administering

Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > LTO. On the Key Administration for LTO Tape Drives page, select a device. Then, click Delete. Alternatively, you can right-click a device and then select Delete. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Delete the device: v Graphical user interface: On the Confirm dialog, read the confirmation message before you delete the device. Metadata for the drive that you delete, such as the drive serial number, is removed from the Tivoli Key Lifecycle Manager database. Then, click OK. v Command line interface: Type tklmDeviceDelete to delete a device. You must specify the uuid. For example, type:
print AdminTask.tklmDeviceDelete ('[-uuid DEVICE-74386920-148c-47b2-a1e2-d19194b315cf]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The device is removed from the table. v Command line interface: A completion message indicates success.

3592 tape drive administration


You can administer certificates and 3592 tape drives using Tivoli Key Lifecycle Manager. Descriptions of some steps describe alternatives in using either the graphical user interface, or the command line interface. For any one work session for tasks that are available on the graphical user interface, do not switch between interfaces during the session. Descriptions of some tasks might mention task-related properties in the TKLMgrConfig.properties. Use the graphical user interface or the command line interface to change these properties.
Administering

29

Guided steps to create certificates and drives


When you first create certificates and drives, and later when you add additional certificates or drives, Tivoli Key Lifecycle Manager provides a guided set of steps to complete the task. Descriptions of some steps might mention command line alternatives to do the same task. In a guided set of tasks, use the graphical user interface to complete the tasks.

Creating a certificate or certificate request


As a first activity, you might create certificates or certificate requests for Tivoli Key Lifecycle Manager.

About this task


You can use the Create Certificate dialog or you can use the tklmCertCreate or the tklmCertGenRequest commands to create certificates or certificate requests. Note: If you additionally want to specify that a newly-created certificate is used as the system default or partner certificate, you must subsequently run the tklmConfigUpdateEntry command to set the values for the drive.default.alias1 (for system default) or drive.default.alias2 (for system partner) properties. Before you begin, determine your organizations policy on the use of self-signed and certificates issued by a Certificate Authority (CA). You might need to create self-signed certificates for the test phase of your project. In advance, you might also request certificates from a Certificate Authority for the production phase. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to menu, select 3592. Then, click Go. You will be taken to the 3592 Drive page which provides a guided set of configuration steps. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Create a certificate or request a certificate: v Graphical user interface:

30

IBM Tivoli Key Lifecycle Manager: Administering

a. On the Step 1: Create Certificates page there is a Certificates table. On the Certificates table, click Create. b. On the Create Certificate dialog, select either a self-signed certificate, or a certificate request for a third-party provider. c. Specify values for the required and optional parameters. For example, you might optionally specify whether this is the default or the partner certificate. Then, click Create Certificate. v Command line interface: Certificate Type tklmCertCreate to create a certificate and a public and private key pair, and store the certificate in an existing keystore. For example, type:
print AdminTask.tklmCertCreate ('[-type selfsigned -alias tklmCertificate -cn tklm -ou sales -o myCompanyName -country myCountry -keyStoreName TESTKS_001 -usage 3592 -validity 999]')

Certificate request Type tklmCertGenRequest to create a PKCS #10 certificate request file. For example, type:
AdminTask.tklmCertGenRequest('[-alias tklmSSLCertificate1 -cn tklm -ou sales -o myCompanyName -locality myLocation -country myCountry -validity 999 -keyStoreName test -fileName mySSLCertRequest1.crt -usage "SSL server"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The certificate or certificate request appears as an item in the Certificates table. v Command line interface: A completion message indicates success.

What to do next
Next, you might go the next step to define specific devices, and associate certificates with the devices. To do this, select Step 2: Identify Drives. Additionally, you might specify to accept requests from all IBM drives.

Identifying drives
You might identify a 3592 tape drive for use with Tivoli Key Lifecycle Manager.

About this task


You can use the Add Tape Drives dialog or you can use the tklmDeviceAdd command to add a device. Before you begin, create the certificates that you need to associate with the devices that you are about to identify. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to menu,

Administering

31

select 3592 Tape Drive. Then, click Go. You will be taken to the 3592 Drive page which provides a guided set of configuration steps. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Skip Step 1: Create Certificates. Click Go to Next Step or Step 2: Identify Drives. 3. You might specify that Tivoli Key Lifecycle Manager accepts requests from all IBM drives. v Graphical user interface: Select Accept requests from all IBM drives. v Command line interface: Use the tklmConfigUpdateEntry command to set the value of the drive.acceptUnknownDrives property. For example, type:
print AdminTask.tklmConfigUpdateEntry ('[-name drive.acceptUnknownDrives -value true]')

4. Add a device: v Graphical user interface: a. On the Step 2: Identify Drives page, in the Tape Drives table, click Add. b. On the Add Tape Drive dialog, type the required and optional information. Then, click Add Tape Drive. v Command line interface: Type tklmDeviceAdd to add a device. You must specify the device type and serial number. For example, type:
print AdminTask.tklmDeviceAdd ('[-type 3592 -serialNumber CDA39403AQJF -attributes "{worldwideName 50050} {description marketingDivisionDrive} {aliasOne encryption_cert}"]')

5. A success indicator will vary, depending on the interface: v Graphical user interface: The device is added to the Tape Drives table. v Command line interface: A completion message indicates success.

What to do next
Next, you might use the 3592 key administration panel to view all certificates and devices.

32

IBM Tivoli Key Lifecycle Manager: Administering

Administering certificates and drives


To administer certificates and devices, you might need to determine their current status, or map their association, or add, modify, or delete specific certificates or devices.

About this task


Use the Key Administration for 3592 Tape Drives page to map certificates to devices, to determine current status of items in the table, and to add, modify, or delete certificates or devices. Before you begin, examine the columns on the Key Administration for 3592 Tape Drives page, which provides buttons to add, modify, or delete a table item. To sort information, click a column header. Alternatively, type information about a target in the Filter field for certificates or in the Filter field for drives. Then, press Enter. The table is organized in these areas: v In left columns, information about certificates Indicates the certificate name, whether the certificate is used as a system default or system partner. Also indicates the expiration date and current status of the certificate. v In right columns, information about drives Indicates the drive name and whether the drive uses a system default as its default or partner certificate. v Additional choices and status indicators, below the table Accept requests from all IBM drives. Click to allow any drive that contacts Tivoli Key Lifecycle Manager to use the system default and partner certificates. You might use this option to populate the list of available drives, and then turn off the option when the drives have been added. Key Serving Status: If a system default certificate, system partner certificate, and devices are and message appears, such as Configured to configured, a green icon serve keys to 3592 drives. v Status icons Status icons indicate either the current status of a certificate, or the key serving status of the Tivoli Key Lifecycle Manager server.
Table 2. Status icons and their meanings Icon Description Certificate is in an active state. v Certificate will expire soon. v Defaults for this device type have not been configured. The status remains yellow until a system default certificate and system partner certificate have been identified. Certificate is in an expired state. Certificate is in an inactive state.

Administering

33

Table 2. Status icons and their meanings (continued) Icon Description The Tivoli Key Lifecycle Manager server is enabled to serve keys. Tivoli Key Lifecycle Manager has third-party certificate requests that are waiting to be signed and imported.

Procedure 1. Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > 3592. Descriptions of some steps describe alternatives in using either the graphical user interface, or the command line interface. For any one work session for tasks that are available on the graphical user interface, do not switch between interfaces during the session. Descriptions of some tasks might mention task-related properties in the TKLMgrConfig.properties. Use the graphical user interface or the command line interface to change these properties. 2. On the Key Administration for 3592 Tape Drives page, you can add, modify, or delete a certificate or drive. Additionally, you can specify whether a certificate accepts requests from all IBM drives, and monitor the current status of both certificates and the Tivoli Key Lifecycle Manager server. You might do these administrative tasks: v Add Click Add. Alternatively, you can select a step-by-step process to create certificates and drives. Certificate On the Create Certificate dialog, select the certificate type as either self-signed or from a third-party provider, and complete the required information. Then, click Create Certificate. Tape drive On the Add Tape Drive dialog, type the drive information. Then, click Add Tape Drive. Use step by step process for certificate and drive creation On the Step1: Create Certificates and Step2: Identify Drives pages, enter the necessary information. A success indicator will vary, showing a change in a column for the certificate or device. v Modify To change or delete a certificate or drive, select a certificate or drive, and then click Modify. Alternatively, right-click the selected certificate or drive. Then, click Modify, or double-click on a certificate or device entry in the list. Certificate Specify changes in the Modify Certificate dialog. Then, click Modify Certificate. Tape drive Specify changes in the Modify Tape Drive dialog. Then, click Modify Tape Drive.

34

IBM Tivoli Key Lifecycle Manager: Administering

A success indicator will vary, showing a change in a column for the certificate or device. Changes to some information, such as optional fields, might not be provided in the table. v Delete To delete a certificate or drive, highlight the entry in the table and click Delete. Alternatively, right-click the selected certificate or drive. Then, click Delete. Certificate Ensure that you have a current backup of the keystore before deleting a certificate. Any tapes written using this certificate become non-readable after the certificate is deleted. The certificate to be deleted can be in any state, such as active. Regardless of its state, you cannot delete a certificate that is associated with a device, or a certificate that is marked as either default or partner. The certificate is marked as destroyed in the database and the material is deleted from the keystore. To confirm deletion, click OK. Tape drive Metadata for the drive that you delete, such as the drive serial number, is removed from the Tivoli Key Lifecycle Manager database. To confirm deletion, click OK. A success indicator is that the certificate or device is removed from the administration table.

Adding a certificate or certificate request


You might add more certificates or certificate requests for use with Tivoli Key Lifecycle Manager.

About this task


You can use the Create Certificate dialog or you can use the tklmCertCreate or the tklmCertGenRequest commands to create certificates or certificate requests. Before you begin, determine your site policy on the use of self-signed and CA certificates. You might need to create self-signed certificates for the test phase of your project. In advance, you might also request certificates from a Certificate Authority for the production phase. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > 3592. On the Key Administration for 3592 Tape Drives page, on the menu bar, click Add and then select Certificate. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython
Administering

35

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Create a certificate or request a certificate: v Graphical user interface: a. On the Create Certificate dialog, select either a self-signed certificate, or a certificate request for a third-party provider. b. Specify values for the required and optional parameters. For example, you might optionally specify whether this is the default or the partner certificate. Then, click Create Certificate. v Command line interface: Certificate: Type tklmCertCreate to create a certificate and a public and private key pair, and store the certificate in an existing keystore. For example, type:
print AdminTask.tklmCertCreate ('[-type selfsigned -alias tklmCertificate -cn tklm -ou sales -o myCompanyName -country myCountry -keyStoreName TESTKS_001 -usage 3592 -validity 999]')

Certificate request: Type tklmCertGenRequest to create a PKCS #10 certificate request file. For example, type:
AdminTask.tklmCertGenRequest('[-alias tklmSSLCertificate1 -cn tklm -ou sales -o myCompanyName -locality myLocation -country myCountry -validity 999 -keyStoreName test -fileName mySSLCertRequest1.crt -usage "SSL server"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The certificate or certificate request appears as an item in the Certificates listing. v Command line interface: A completion message indicates success.

What to do next
Your next action depends on whether you created a certificate or a certificate request. v Certificate: You might associate a certificate with a specific device. Additionally, you might specify whether a certificate will accept requests from all IBM drives. v Certificate request: Manually send the certificate request to a Certificate Authority. When the signed certificate returns, import the certificate by using a pending action item on the Welcome panel, or by using the tklmCertImport command.

Specifying a rollover certificate


You might specify a certificate for future use as the system default or system partner certificate.

36

IBM Tivoli Key Lifecycle Manager: Administering

About this task


You can use the Manage Certificate Default Rollover - 3592 Drives page. Procedure 1. Navigate to the appropriate page or directory: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > Manage Default Rollover > 3592 Certificate. Alternatively, start by clicking Tivoli Key Lifecycle Manager > Key Administration > 3592. Then, on the Key Administration for 3592 Tape . Drives page, click the rollover icon 2. Specify an existing certificate for future use as a system default or system partner certificate. On the Manage Certificate Default Rollover - 3592 Drives page, click Add and specify the required information. Note: v Do not specify two defaults for the same rollover date. v No validation occurs on whether the selected certificate is expired or will expire at the time of the rollover. v If a certificate does not exist at the time of rollover, Tivoli Key Lifecycle Manager continues to use the current default certificate. v You can add or delete table entries, but cannot modify an entry. 3. A success indicator is that the certificate appears in the table of rollover certificates on the Manage Certificate Default Rollover - 3592 Drives page. 4. To delete a certificate from the rollover table, select a certificate and click Delete.

Modifying a certificate
You might modify whether a certificate is used as the system default or system partner certificate.

About this task


You can use the Modify Certificate dialog or you can use the tklmCertUpdate command to modify certificates or certificate requests. Before you begin, determine the changed information for the certificate, such as a description, or whether or not you wish to make the certificate the system default or system partner certificate. If you use the command line interface, obtain the value of the uuid for the certificate. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > 3592. On the Key Administration for 3592 Tape Drives page, select the certificate in the Certificates column. Then, click Modify. Alternatively, right-click a certificate and then select Modify, or double-click on a certificate entry. v Command line interface:

Administering

37

In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Modify the certificate information: v Graphical user interface: On the Modify Certificate dialog, change the appropriate fields. v Command line interface: Type tklmCertUpdate to update a certificate. You must specify the uuid of the certificate and the changed attribute. For example, to change the description, type:
print AdminTask.tklmCertUpdate ('[-uuid CERTIFICATE-33fc26e-5fb5a0e66143 -attributes "{information {new information}}"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: If you modified the system default or system partner setting, the change appears in the System Default/Partner column of the Certificates table. v Command line interface: A completion message indicates success.

What to do next
Next, you might use the Key Administration for 3592 Tape Drives page to associate certificates with specific devices.

Deleting a certificate
You might delete a selected certificate, which can be in any state, such as active. You cannot delete a certificate that is associated with a device, or a certificate that is marked as either a default or partner certificate. For example, you might delete an expired certificate.

About this task


You can use the Delete menu item or the tklmCertDelete command to delete a certificate. Before you begin, ensure that a backup exists of the keystore containing the certificate that you intend to delete. Verify that the certificate is not currently associated with a device, and that the certificate is not marked as either a default or partner certificate. Determine the current state of the certificate, and ensure that deleting a certificate in this state will conform with your site policies.

38

IBM Tivoli Key Lifecycle Manager: Administering

The certificate is marked as destroyed in the database and the material is deleted from the keystore. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > 3592. On the Key Administration for 3592 Tape Drives page, select the certificate in the Certificates column. Then, click Delete. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Delete the certificate: v Graphical user interface: On the Confirm dialog, read the confirmation message to verify that the correct certificate was selected before you delete the certificate. Then, click OK. v Command line interface: Type tklmCertDelete to delete a certificate. You must specify the certificate alias and the keystore name. For example, to delete an expired certificate that is not currently associated with a device, type:
print AdminTask.tklmCertDelete ('[-alias mycertalias -keyStoreName myExistingKeystore]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The certificate is removed from the Certificate table. v Command line interface: A completion message indicates success.

What to do next
Next, you might back up the keystore again to accurately reflect the change in certificates.

Adding a drive
You might add a device such as a tape drive to the Tivoli Key Lifecycle Manager database.

Administering

39

About this task


You can use the Add Drives dialog or you can use the tklmDeviceAdd command to add a device. Before you begin, create the certificates that you need to associate with the devices that you are about to identify. Additionally, obtain the tape drive serial number, and other description information. Determine whether the drive will use a specific certificate, or a system default certificate. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > 3592. On the Key Administration for 3592 Tape Drives page, in the menu bar, click Add and then select Tape Drive. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Add a device: v Graphical user interface: On the Add Tape Drive dialog, type the required and optional information. Then, click Add Tape Drive. v Command line interface: Type tklmDeviceAdd to add a device. You must specify the device type and serial number. For example, type:
print AdminTask.tklmDeviceAdd ('[-type 3592 -serialNumber CDA39403AQJF -attributes "{worldwideName 50050} {description marketingDivisionDrive} {aliasOne encryption_cert}"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The device is added to the Tape Drives table. v Command line interface: A completion message indicates success.

What to do next
Next, you might determine the current status of the drive that you added.

40

IBM Tivoli Key Lifecycle Manager: Administering

Modifying a drive
You might modify information about a device such as a tape drive in the Tivoli Key Lifecycle Manager database. For example, you might update the specification for a partner certificate that the drive uses.

About this task


You can use the Modify Tape Drive dialog or you can use the tklmDeviceUpdate command to update a device. Before you begin, create the certificates that you need to associate with the devices that you are about to modify. If you use the command line interface, obtain the value of the uuid for the device that you intend to update and the alias of any certificate associated with the drive. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > 3592. On the Key Administration for 3592 Tape Drives page, select a device. Then, click Modify. Alternatively, you can right-click a device and then select Modify, or double-click on a tape drive entry. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Modify a device: v Graphical user interface: In the Modify Tape Drive dialog, type the required and optional information. Then, click Modify Tape Drive. v Command line interface: Type tklmDeviceUpdate to update a device. You must specify the device uuid and the attributes that change. For example, type:
print AdminTask.tklmDeviceUpdate ('[-uuid DEVICE-64c588ad-5ed8-4934-8c84-64cb9e11d990 -attributes "{aliasTwo myPartner99}"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The device information is changed in the Tape Drives table. v Command line interface:
Administering

41

A completion message indicates success.

What to do next
Next, you might verify that the changes are made. For optional fields, such as the description, you might need to run the tklmDeviceList command to determine whether the value has changed, or reopen the Modify Tape Drive dialog.

Deleting a drive
You might delete a device such as a tape drive. Metadata for the drive that you delete, such as the drive serial number, is removed from the Tivoli Key Lifecycle Manager database.

About this task


You can use the Delete menu item or the tklmDeviceDelete command to delete a device. Before you begin, ensure that a current backup exists for the certificates and devices at your site. Obtain the uuid of the device you intend to delete. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > 3592. On the Key Administration for 3592 Tape Drives page, select a device. Then, click Delete. Alternatively, you can right-click a device and then select Delete. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Delete the device: v Graphical user interface: On the Confirm dialog, read the confirmation message to verify that the correct device was selected before you delete the device. Metadata for the drive that you delete, such as the drive serial number, is removed from the Tivoli Key Lifecycle Manager database. Then, click OK. v Command line interface: Type tklmDeviceDelete to delete a device. You must specify the uuid. For example, type:

42

IBM Tivoli Key Lifecycle Manager: Administering

print AdminTask.tklmDeviceDelete ('[-uuid DEVICE-74386920-148c-47b2-a1e2-d19194b315cf]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The device is removed from the Tape Drives table. v Command line interface: A completion message indicates success.

DS8000 storage image administration


You can administer DS8000 storage images and image certificates using Tivoli Key Lifecycle Manager. Descriptions of some steps describe alternatives in using either the graphical user interface, or the command line interface. For any one work session for tasks that are available on the graphical user interface, do not switch between interfaces during the session. Descriptions of some tasks might mention task-related properties in the TKLMgrConfig.properties. Use the graphical user interface or the command line interface to change these properties.

Guided steps to create storage images and image certificates


When you first create storage images and image certificates, and later when you add additional storage images or certificates, Tivoli Key Lifecycle Manager provides a guided set of steps to complete the task. Descriptions of some steps might mention command line alternatives to do the same task. In a guided set of tasks, use the graphical user interface to complete the tasks.

Creating an image certificate or certificate request


As a first activity, you might create image certificates or certificate requests for Tivoli Key Lifecycle Manager.

About this task


You can use the Create Certificate dialog or you can use the tklmCertCreate or the tklmCertGenRequest commands to create certificates or certificate requests. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to field, select DS8000. Then, click Go. You will be taken to the DS8000 Drive page which provides a guided set of configuration steps. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:
Administering

43

Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Create an image certificate or request a certificate: v Graphical user interface: a. On Step 1: Create Certificates page, there is a Certificates table. On the Certificates table, click Create. b. On the Create Certificate dialog, select either a self-signed certificate, or a certificate request for a third-party provider. c. Specify values for the required and optional parameters. Then, click Create Certificate. v Command line interface: Certificate Type tklmCertCreate to create a certificate and a public and private key pair, and store the certificate in an existing keystore. For example, type:
print AdminTask.tklmCertCreate ('[-type selfsigned -alias tklmCertificate -cn tklm -ou sales -o myCompanyName -country myCountry -keyStoreName TESTKS_001 -usage DS8K -validity 999]')

Certificate request Type tklmCertGenRequest to create a PKCS #10 certificate request file. For example, type:
AdminTask.tklmCertGenRequest('[-alias tklmDS8KCertificate3 -cn tklm -ou sales -o myCompanyName -locality myLocation -country myCountry -validity 999 -keyStoreName test -fileName myDS8KCertRequest3.crt -usage "DS8K"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The certificate or certificate request appears as an item in the Certificates table. v Command line interface: A completion message indicates success.

What to do next
Next, you might go the next step to define specific storage images, and associate certificates with the storage images. Additionally, you might specify whether to accept requests from all DS8000 Turbo drives.

Identifying storage images


You might identify a storage image (device) for use with Tivoli Key Lifecycle Manager.

44

IBM Tivoli Key Lifecycle Manager: Administering

About this task


You can use the Add Storage Image dialog or you can use the tklmDeviceAdd command to add a storage image. Before you begin, create the image certificates that you need to associate with the storage images that you are about to identify. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Welcome. Scroll down the Welcome to Key Lifecycle Manager page to the Key Administration section. In the Configure keys to be served to field, select DS8000. Then, click Go. You will be taken to the DS8000 Drive page which provides a guided set of configuration steps. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Skip Step 1: Create Certificates. Click Go to Next Step or Step 2: Identify Images. 3. You might specify that Tivoli Key Lifecycle Manager accepts requests from all DS8000 drives. v Graphical user interface: Select Accept requests from any DS8000 drive. v Command line interface: Use the tklmConfigUpdateEntry command to set the value of the ds8k.acceptUnknownDrives property. For example, type:
print AdminTask.tklmConfigUpdateEntry ('[-name ds8k.acceptUnknownDrives -value true]')

4. Add a storage image: v Graphical user interface: a. On the Step 2: Identify Images page, in the table, click Add. b. On the Add Storage Image dialog, type the required and optional information. Then, click Add Storage Image. v Command line interface: Type tklmDeviceAdd to add a storage image. You must specify the storage image type, the serial number, and an image certificate. For example, type:

Administering

45

print AdminTask.tklmDeviceAdd ('[-type DS8K -serialNumber CCCB31403AFF -attributes "{worldwideName 61041} {description salesDivisionDrive} {aliasOne myDS8Kimagecertificate}"]')

5. A success indicator will vary, depending on the interface: v Graphical user interface: The storage image is added to the table. v Command line interface: A completion message indicates success.

What to do next
Next, you might use the key administration panel to view all storage images and image certificates.

Administering DS8000 storage images


To administer storage images and image certificates, you might need to determine their current status, or map their association, or add, modify, or delete specific certificates or storage images.

About this task


Use the Key Administration for DS8000 Drives page to map image certificates to storage images, to determine current status of items in the table, and to add, modify, or delete image certificates or storage images. Before you begin, examine the columns on the Key Administration for DS8000 Drives page, which provides buttons to add, modify, or delete a table item. To sort information, click a column header. Alternatively, type information about a target in the appropriate filter field. Then, press Enter. The table is organized in these areas: v In left columns, information about certificates Indicates the certificate name, the expiration date, and current status of the certificate. v In right columns, information about storage images Indicates the storage image name and associated image certificate. v Additional choices and status indicators, below the table Accept requests from any DS8000 drive. Click to accept requests from all DS8000 storage images. Key Serving Status: and If certificates and storage images are configured, a green icon message appears, such as Configured to serve keys to DS8000 drives. v Status icons Status icons indicate either the current status of a certificate, or the key serving status of the Tivoli Key Lifecycle Manager server.
Table 3. Status icons and their meanings Icon Description Certificate is in an active state.

46

IBM Tivoli Key Lifecycle Manager: Administering

Table 3. Status icons and their meanings (continued) Icon Description v Certificate will expire soon. v The status is yellow until a storage image is defined. Certificate is in an expired state. Certificate is in an inactive state. The Tivoli Key Lifecycle Manager server is enabled to serve keys. Tivoli Key Lifecycle Manager has third-party certificate requests that are waiting to be signed and imported.

Procedure 1. Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > DS8000. Descriptions of some steps describe alternatives in using either the graphical user interface, or the command line interface. For any one work session for tasks that are available on the graphical user interface, do not switch between interfaces during the session. Descriptions of some tasks might mention task-related properties in the TKLMgrConfig.properties. Use the graphical user interface or the command line interface to change these properties. 2. On the Key Administration for DS8000 Drives page, you can add, modify, or delete a storage image or image certificate. Additionally, you can specify whether a certificate accepts requests from all DS8000 drives, and monitor the current status of both certificates and the Tivoli Key Lifecycle Manager server. You might do these administrative tasks: v Add Click Add. Alternatively, you can select a step-by-step process to create certificates and storage images. Certificate On the Create Certificate page, select the certificate type as either self-signed or a request from a third-party provider, and complete the required information. Then, click Create Certificate. Storage image On the Add Storage Image page, type the storage image information. Then, click Add Storage Image. Use step by step process for certificate and storage image creation On the Step1: Create Certificates and Step2: Identify Images pages, enter the necessary information. A success indicator will vary, showing a change in a column for the certificate or storage image. v Modify To change information about a storage image or view information about a certificate, select a certificate or storage image, and then click Modify. Alternatively, right-click the selected certificate or storage image. Then, click Modify, or double-click the certificate or storage image entry. Certificate
Administering

47

View read-only information in the Modify Certificate page. Storage image Specify changes in the Modify Storage Image page. Then, click Modify Storage Image. A success indicator will vary, showing a change in a column for the certificate or storage image. Changes to some information, such as optional fields, might not be provided in the table. v Delete To delete a certificate or storage image, verify that the correct certificate or storage image was selected, and then click Delete. Alternatively, right-click the selected certificate or storage image. Then, click Delete. Certificate Ensure that you have a current backup of the keystore before deleting a certificate. Any storage image written using this certificate become non-readable after the certificate is deleted. The certificate to be deleted can be in any state, such as active. Regardless of its state, you cannot delete a certificate that is associated with a storage image, or a certificate that a 3592 tape drive has marked as a system default or partner certificate. The certificate is marked as destroyed in the database and the material is deleted from the keystore. To confirm deletion, click OK. Storage image Metadata for the storage image that you delete, such as the serial number, is removed from the Tivoli Key Lifecycle Manager database. To confirm deletion, click OK. A success indicator is deletion of the certificate or storage image from the administration table.

Adding an image certificate or certificate request


You might add more image certificates or certificate requests for use with Tivoli Key Lifecycle Manager.

About this task


You can use the Create Certificate dialog or you can use the tklmCertCreate or the tklmCertGenRequest commands to create certificates or certificate requests. Before you begin, determine your site policy on the use of certificates. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > DS8000. On the Key Administration for DS8000 Drives page, on the menu bar, click Add and then select Certificate. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type:

48

IBM Tivoli Key Lifecycle Manager: Administering

Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Create a certificate or request a certificate: v Graphical user interface: a. On the Create Certificate page, select either a self-signed certificate, or a certificate request for a third-party provider. b. Specify values for the required and optional parameters. Then, click Create Certificate. v Command line interface: Certificate: Type tklmCertCreate to create a certificate and a public and private key pair, and store the certificate in an existing keystore. For example, type:
print AdminTask.tklmCertCreate ('[-type selfsigned -alias tklmCertificate -cn tklm -ou sales -o myCompanyName -country myCountry -keyStoreName TESTKS_001 -usage DS8K -validity 999]')

Certificate request: Type tklmCertGenRequest to create a PKCS #10 certificate request file. For example, type:
AdminTask.tklmCertGenRequest('[-alias tklmDS8KCertificate3 -cn tklm -ou sales -o myCompanyName -locality myLocation -country myCountry -validity 999 -keyStoreName test -fileName myDS8KCertRequest3.crt -usage "DS8K"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The certificate or certificate request appears as an item in the Certificates listing. v Command line interface: A completion message indicates success.

What to do next
Your next action depends on whether you created a certificate or a certificate request. v Certificate: You might associate a certificate with a specific storage image. v Certificate request: Manually send the certificate request to a Certificate Authority. When the signed certificate returns, import the certificate by using a pending action item on the Welcome panel, or by using the tklmCertImport command.

Modifying an image certificate


You might use the graphical user interface to view information about an image certificate in the Tivoli Key Lifecycle Manager database. Using the command line interface, you can change a limited number of attributes.
Administering

49

About this task


You can use the Modify Certificate dialog to view information, or you can use the tklmCertUpdate command to modify information or other attributes for certificates or certificate requests. Before you begin, determine the changed information for the certificate. If you use the command line interface, obtain the value of the uuid for the certificate. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > DS8000. On the Key Administration for DS8000 Drives page, select the certificate in the Certificates column. Then, click Modify. Alternatively, right-click a certificate and then select Modify, or double-click the certificate entry. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. View the certificate information: v Graphical user interface: On the Modify Certificate dialog, view the read-only fields. v Command line interface: Type tklmCertUpdate to update a certificate. You must specify the uuid of the certificate and the changed attribute. For example, to change the information, type:
print AdminTask.tklmCertUpdate ('[-uuid CERTIFICATE-33fc26e-5fb5a0e66143 -attributes "{information {new information}}"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: A column displays read-only data. v Command line interface: A completion message indicates success.

What to do next
Next, you might use the Key Administration for DS8000 Drives page to associate image certificates with specific storage images.

50

IBM Tivoli Key Lifecycle Manager: Administering

Deleting an image certificate


You might delete a selected image certificate, which can be in any state, such as active. You cannot delete a certificate that is associated with a storage image or that is identified as the system default or system partner certificate for 3592 devices. For example, you might delete an expired certificate.

About this task


You can use the Delete menu item or you can use the tklmCertDelete command to delete a selected image certificate. Before you begin, ensure that a backup exists of the keystore containing the image certificate that you intend to delete. Verify that the certificate is not currently associated with a storage image. Determine the current state of the certificate, and ensure that deleting a certificate in this state will conform with your site policies. The certificate is marked as destroyed in the database and the material is deleted from the keystore. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > DS8000. On the Key Administration for DS8000 Drives page, select the certificate in the Certificates column. Then, click Delete. Alternatively, right click the certificate, and then click Delete. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Delete the certificate: v Graphical user interface: On the Confirm dialog, read the confirmation message to verify that the correct certificate was selected before you delete the certificate. Then, click OK. v Command line interface: Type tklmCertDelete to delete a certificate. You must specify the certificate alias and the keystore name. For example, to delete an expired certificate that is not currently associated with a storage image, type:
print AdminTask.tklmCertDelete ('[-alias mycertalias -keyStoreName myExistingKeystore]')

Administering

51

3. A success indicator will vary, depending on the interface: v Graphical user interface: The certificate is removed from the Certificate table. v Command line interface: A completion message indicates success.

What to do next
Next, you might back up the keystore again to accurately reflect the change in certificates.

Adding a storage image


You might add a storage image to the Tivoli Key Lifecycle Manager database.

About this task


You can use the Add Storage Image dialog or you can use the tklmDeviceAdd command to add a storage image. Before you begin, create the certificates that you need to associate with the storage images that you are about to identify. Additionally, obtain the storage image serial number, and other description information. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > DS8000. On the Key Administration for DS8000 Drives page, in the menu bar, click Add and then select Storage Image. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Add a storage image: v Graphical user interface: On the Add Storage Image dialog, type the required and optional information. Then, click Add Storage Image. v Command line interface: Type tklmDeviceAdd to add a storage image. You must specify the storage image type, the serial number, and an image certificate. For example, type:

52

IBM Tivoli Key Lifecycle Manager: Administering

print AdminTask.tklmDeviceAdd ('[-type DS8K -serialNumber CCCB31403AFF -attributes "{worldwideName 61041} {description salesDivisionDrive} {aliasOne myDS8Kimagecertificate}"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The storage image is added to the table. v Command line interface: A completion message indicates success.

What to do next
Next, you might determine the current status of the storage image that you added.

Modifying a storage image


You might modify information about a storage image in the Tivoli Key Lifecycle Manager database. For example, you might update the storage image description.

About this task


You can use the Modify Storage Image dialog or you can use the tklmDeviceUpdate command to update a storage image. Before you begin, create the certificates that you need to associate with the storage images that you are about to modify. If you use the command line interface, obtain the value of the uuid for the storage image that you intend to update and the alias of any certificate associated with the storage image. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > DS8000. On the Key Administration for DS8000 Drives page, select a storage image. Then, click Modify. Alternatively, you can right-click a storage image and then select Modify, or double-click on a storage image entry. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Modify a storage image: v Graphical user interface:

Administering

53

In the Modify Storage Image dialog, type the required and optional information. Then, click Modify Storage Image. v Command line interface: Type tklmDeviceUpdate to update a storage image. You must specify the storage image uuid and the attributes that change. For example, type:
print AdminTask.tklmDeviceUpdate ('[-uuid DEVICE-15d499ad-3ad8-3333-8c84-64cb9e11d990 -attributes "{description myDiskDrive}"]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The storage image information is changed in the table. v Command line interface: A completion message indicates success.

Deleting a storage image


You might delete a storage image. Metadata for the storage image that you delete, such as the serial number, is removed from the Tivoli Key Lifecycle Manager database.

About this task


You can use the Delete menu item or you can use the tklmDeviceDelete command to delete a storage image. Before you begin, ensure that a current backup exists for the certificates and storage images at your site. If you use the command line interface, obtain the uuid of the storage image that you intend to delete. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, click Tivoli Key Lifecycle Manager > Key Administration > DS8000. On the Key Administration for DS8000 Drives page, select a storage image. Then, click Delete. Alternatively, you can right-click a storage image and then select Delete. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Delete the storage image: v Graphical user interface:

54

IBM Tivoli Key Lifecycle Manager: Administering

On the Confirm page, read the confirmation message to verify that the correct storage image was selected before you delete the storage image. Metadata for the storage image that you delete, such as the serial number, is removed from the Tivoli Key Lifecycle Manager database. Then, click OK. v Command line interface: Type tklmDeviceDelete to delete a storage image. You must specify the uuid. For example, type:
print AdminTask.tklmDeviceDelete ('[-uuid DEVICE-74386920-148c-47b2-a1e2-d19194b315cf]')

3. A success indicator will vary, depending on the interface: v Graphical user interface: The storage image is removed from the table. v Command line interface: A completion message indicates success.

Backup and restore


Tivoli Key Lifecycle Manager provides a set of operations to backup and restore current, active files and data. For example, data that is backed up includes tables in the Tivoli Key Lifecycle Manager database, all keys and certificates in a keystore, and also the Tivoli Key Lifecycle Manager configuration files. On a z/OS system, the database tables and SAF-based keystores are not included in the backup or restore processes. You must backup and restore the database tables outside the scope of Tivoli Key Lifecycle Manager. You must also ensure that the SAF-based keystores are current. Note: v Tivoli Key Lifecycle Manager backup and restore operations on z/OS will not automatically back up and restore your Tivoli Key Lifecycle Manager database in DB2 Database. v When you perform backup and restore tasks on z/OS, you must coordinate with your DB2 administrator in order to fully back up and restore both Tivoli Key Lifecycle Manager and the Tivoli Key Lifecycle Manager database in DB2. In addition, you must coordinate with your security administrator to backup the keyring and certificate information in IBM Resource Access Control Facility if you use a RACF-based keystore, as well as the key information in Integrated Cryptographic Services Facility if you use hardware protection. v On z/OS systems, after you have applied the Tivoli Key Lifecycle Manager fix pack for z/OS, you will be able to successfully restore backup files created prior to your application of the fix pack. For more information on backup and restore if you run z/OS in a sysplex environment, refer to installation topics for Parallel Sysplex systems in the IBM Tivoli Key Lifecycle Manager Installation and Configuration Guide. Note that a backup and restore must be done on each Sysplex member. Failure to back up your keystore and other critical data properly might result in unrecoverable loss of all access to your encrypted data. Do not encrypt your

Administering

55

backup file, or store a backup file on an encrypting device. Failure to back up data might also result in subsequent inconsistency of the key manager and potential data loss on the storage device.

Backup and restore runtime requirements


Backing up and restoring data from backup files for Tivoli Key Lifecycle Manager have several runtime requirements. Before you begin, you might prevent timeout failure by increasing the time interval allowed for backup and restore transactions for large key populations. Specify a larger value for the totalTranLifetimeTimeout setting in this file: v Distributed systems: TIP_HOME/profiles/TIPProfile/config/cells/TIPCell/ nodes/TIPNode/servers/server1/server.xml v z/OS systems: SSRE_APPSERVER_HOME/profiles/default/config/cells/ cellname/nodes/node1/servers/server1/server.xml To locate this setting in the WebSphere Application Server Administrative Console: 1. In the left navigation pane, click Servers > Application Servers. 2. On the main panel, click Container Services > Transaction Service. 3. On the Configuration tab, update the values for Total transaction lifetime timeout and Maximum transaction timeout. 4. Save the changes to the master configuration. To have the settings take effect immediately, update the Runtime tab. Additionally, these conditions must be true: v Ensure that the task occurs during a time interval that allows a halt to key serving activity. v For a backup task, the Tivoli Key Lifecycle Manager server must be running in a normal operational state. The Tivoli Key Lifecycle Manager database instance must be available. v For a restore task, the Tivoli Key Lifecycle Manager database instance must be accessible through the Tivoli Key Lifecycle Manager datasource. Before you start a restore task, ensure that you have the password that was used when the backup file was created. Restored files must be written to the same Tivoli Key Lifecycle Manager server from which the data was previously backed up, or to an identical, replica computer. On z/OS systems, when Tivoli Key Lifecycle Manager is configured with a file-based keystore such as JCEKS or JCECCAKS, only the keystore location must be identical between the primary and replica Tivoli Key Lifecycle Manager server. v Ensure that directories exist that are associated with the tklm.backup.dir and tklm.db2.backup.dir properties. System and Tivoli Key Lifecycle Manager administrator accounts under which the Tivoli Key Lifecycle Manager server and the DB2 server run must have read and write access to these directories respectively.

Backing up critical files


Use the graphical user interface or command line interface to back up critical files for Tivoli Key Lifecycle Manager.

56

IBM Tivoli Key Lifecycle Manager: Administering

About this task


You can use the Backup and Restore page to back up critical data. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Backup and Restore. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Create a backup file. Only one backup or restore task can run at a given time. v Graphical user interface: a. On the Backup and Restore table, click Create Backup. b. On the Create Backup page, specify required information such as the path and a value for the encryption password. Then, click Create Backup. v Command line interface: Type tklmBackupRun and specify the required values to create a backup file. For example, type: | |
print AdminTask.tklmBackupRun ('[-backupDirectory C:\\tipbak1\\tklmbackup1 -password myBackupPwd]')

3. A message indicates that the backup file was created, or that the backup operation succeeded. On a z/OS system, you must back up the DB2 database at this time, before making any changes in the Tivoli Key Lifecycle Manager application.

What to do next
Review the directory that contains the backup files to ensure that the backup file exists. Do not edit a file in the backup jar file. The file that you attempt to edit will become unreadable.

Restoring a backup file


Use the graphical user interface or command line interface to restore a backup file for Tivoli Key Lifecycle Manager.

Administering

57

About this task


You can use the Backup and Restore page to restore a backup file, or you can use the tklmBackupRunRestore command to restore the file. Procedure 1. Navigate to the appropriate page or directory: v Graphical user interface: Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Backup and Restore. v Command line interface: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Restore a selected backup file. Only one backup or restore task can run at a given time. If you restore a file to a replica computer, copy the file to that computer using media such as a disk, or electronic transmission. v Graphical user interface: a. On the Backup and Restore table, select a backup file that is listed in the table. Then, click Restore from Backup. Note: On distributed systems, if you have applied a fix pack such as Fix Pack 1.0.0.1, do not attempt to restore the backup files that were created prior to your application of the fix pack. On z/OS systems, after you have applied the Tivoli Key Lifecycle Manager fix pack for z/OS, you will be able to successfully restore backup files created prior to your application of the fix pack. b. On the Restore Backup page, specify the encryption password that was used to create the backup file. Then, click Restore Backup. v Command line interface: Type tklmBackupRunRestore and specify the required information such as the path and backup file name. Specify the encryption password that was used to create the backup file. For example, type:
print AdminTask.tklmBackupRunRestore ('[-backupFilePath /opt/tklm/tklm_v1.0_20081012074433_backup.jar -password myBackupPwd]')

3. A message indicates that the restore operation succeeded. On a z/OS system, you must restore the DB2 database at this time, and must also update any SAF-based keystores. Note:

58

IBM Tivoli Key Lifecycle Manager: Administering

v Tivoli Key Lifecycle Manager backup and restore operations on z/OS will not automatically back up and restore your Tivoli Key Lifecycle Manager database in DB2 Database. v When you perform backup and restore tasks on z/OS, you must coordinate with your DB2 administrator in order to fully back up and restore both Tivoli Key Lifecycle Manager and the Tivoli Key Lifecycle Manager database in DB2. In addition, you must coordinate with your security administrator to backup the keyring and certificate information in IBM Resource Access Control Facility if you use a RACF-based keystore, as well as the key information in Integrated Cryptographic Services Facility if you use hardware protection. v On z/OS systems, after you have applied the Tivoli Key Lifecycle Manager fix pack for z/OS, you will be able to successfully restore backup files created prior to your application of the fix pack. For more information on backup and restore if you run z/OS in a sysplex environment, refer to installation topics for Parallel Sysplex systems in the IBM Tivoli Key Lifecycle Manager Installation and Configuration Guide. Note that a backup and restore must be done on each Sysplex member.

What to do next
Manually restart the Tivoli Key Lifecycle Manager server. Then, determine whether the server is at the expected state. For example, you might examine the keystore to see whether a certificate that had problems prior to restoring the backup file is now available for use.

Starting and stopping the Tivoli Key Lifecycle Manager server on distributed systems
You might need to use the startServer or stopServer command to start or stop the Tivoli Key Lifecycle Manager server. For example, after a restore task completes, restart the Tivoli Key Lifecycle Manager server.

About this task


Scripts to start and stop the Tivoli Key Lifecycle Manager server are in the TIP_HOME/bin directory: Procedure 1. Navigate to the TIP_HOME/bin directory. 2. Start or stop the server. v Start On Windows systems:
startServer.bat server1

On systems such as Linux or AIX:


./startServer.sh server1

v Stop On Windows systems:


stopServer.bat server1

On systems such as Linux or AIX:


./stopServer.sh server1

Administering

59

If global security is enabled, enter the user ID and password of the Tivoli Integrated Portal administrator as parameters to the stopServer script. The script will prompt for these parameters if they are omitted, but you can specify them on the command line: On Windows systems:
stopServer.bat server1 -username TipAdminId -password mypwd

On systems such as Linux or AIX:


./stopServer.sh server1 -username TipAdminId -password mypwd

What to do next
Determine whether Tivoli Key Lifecycle Manager is running. For example, open Tivoli Key Lifecycle Manager in a Web browser and log in.

Starting and stopping the Tivoli Key Lifecycle Manager server on z/OS systems
You might need to start or stop the Tivoli Key Lifecycle Manager server. For example, after a restore task completes, restart the Tivoli Key Lifecycle Manager server.

About this task


On z/OS systems, scripts to start and stop the Tivoli Key Lifecycle Manager server are in the SSRE_APPSERVER_HOME/bin directory. You can optionally start and stop Tivoli Key Lifecycle Manager and System Services Runtime Environment using the operators console. Procedure 1. Navigate to the SSRE_APPSERVER_HOME/bin directory. 2. Start or stop the server. v Start Use one of these choices: Start the System Services Runtime Environment address space: The generic start command (on one line) is:
START appserver_proc_name,JOBNAME=server_short_name, ENV=cell_short_name.node_short_name.server_short_name

where appserver_proc_name and server_short_name are specified in the configuration file as _SSRE_PROC_PREFIX_, and cell_short_name is specified in the configuration file as _SSRE_CELL_NAME_. The value of node_short_name is always NODE1. For example:
S SSRE,JOBNAME=SSRE,ENV=SSRE.NODE1.SSRE

The following is an example of what you would see on the z/OS console, after System Services Runtime Environment has started:
SY1 BBOO0247I INITIALIZATION COMPLETE FOR WEBSPHERE FOR Z/OS CONTROL PROCESS SSRE/NODE1/SSRE/SSRE. SY1 +BBOO0248I INITIALIZATION COMPLETE FOR WEBSPHERE FOR Z/OS SERVANT PROCESS SSRE/NODE1/SSRE/SSRE.

Alternatively, start an OMVS session: a. Switch user to the SSRECFG user ID that was set up during the System Services Runtime Environment installation. You will be prompted for the SSRECFG password.

60

IBM Tivoli Key Lifecycle Manager: Administering

su SSRECFG

b. Start the server. Type:


startServer.sh server1 -username SSRECFG -password Password

v Stop Use one of these choices: Stop Tivoli Key Lifecycle Manager and System Services Runtime Environment from your z/OS operators console: a. Stop all AppServers by issuing this command:
STOP appserver_proc_name

For example:
STOP SSRE

Alternatively, you can issue:


P SSRE

b. After all AppServers are stopped, stop the daemon by issuing this command:
STOP daemon_proc_name

For example:
STOP SSRED

Alternatively, you can issue:


P SSRED

If the AppServer does not respond to a STOP command, use the CANCEL command instead:
F appserver_proc_name,CANCEL F daemon_proc_name,CANCEL

For example:
F SSRE,CANCEL F SSRED,CANCEL

Use the CANCEL appserver_proc_name command only in cases in which the STOP appserver_proc_name command fails. When a server is started, a new temp directory is created off of the servant process token, such as profile_root/default/temp/node_name/server_name. When the server is stopped in a clean manner (for example, by using the STOP command), these temp directories are removed. However, if the server is not stopped in a clean manner (for example, when using the CANCEL command), these temp directories are not removed and the HFS used for these temp directories will eventually become full. Alternatively, start an OMVS session and switch user to the SSRECFG user ID that was set up during the System Services Runtime Environment installation. a. You will be prompted for the SSRECFG password.
su SSRECFG

b. Stop the server. Type:


stopServer.sh server1 -username SSRECFG -password Password

If global security is enabled, enter the user ID and password of the System Services Runtime Environment administrator as parameters to the stopServer script. The script will prompt for these parameters if they are omitted, but you can specify them on the command line, as specified above.

What to do next
Determine whether Tivoli Key Lifecycle Manager is running. For example, open Tivoli Key Lifecycle Manager in a Web browser and log in.
Administering

61

Deleting a backup file


Use the graphical user interface or command line interface to delete a backup file for Tivoli Key Lifecycle Manager. For example, you might delete a backup file for which a business use no longer exists.

About this task


You can use the Backup and Restore page to restore a backup file. Procedure 1. Navigate to the appropriate page or directory: Log on to the graphical user interface. From the navigation tree, select Tivoli Key Lifecycle Manager > Settings > Backup and Restore. 2. Delete a selected backup file. On the Backup and Restore table, select a backup file that is listed in the table. Click Delete Backup and confirm that you want to delete the file.

What to do next
Examine the directory in which the backup files are stored, to determine whether the specified file was deleted.

Additional backup and restore tasks on the command line interface


You might use the command line interface for additional backup and restore tasks that are not available on the graphical user interface.

About this task


Before you begin, obtain the password Procedure 1. Navigate to the appropriate directory and log on: In the TIP_HOME/bin directory, start a wsadmin session using Jython. Then, log on to wsadmin with an authorized user ID, such as the TKLMAdmin user ID. For example, on Windows systems, navigate to the directory drive:\Program Files\IBM\tivoli\tip\bin and type: v Windows systems:
wsadmin -username TKLMAdmin -password password -lang jython

v Systems such as AIX or Linux:


./wsadmin.sh -username TKLMAdmin -password password -lang jython

v z/OS systems: a. Change to the SSRE_APPSERVER_HOME/bin directory. b. Type:


wsadmin.sh -username SSRECFG -password ssrecfgpass -lang jython

2. Complete the task: tklmBackupGetProgress Type tklmBackupGetProgress to determine the current phase of a backup task that is running. For example, type:
print AdminTask.tklmBackupGetProgress ()

62

IBM Tivoli Key Lifecycle Manager: Administering

tklmBackupGetRestoreProgress Type tklmBackupGetRestoreProgress to determine the current phase of a restore task that is running. For example, type:
print AdminTask.tklmBackupGetRestoreProgress ()

tklmBackupGetRestoreResult Type tklmBackupGetRestoreResult to determine the success or failure of a completed restore task. For example, type:
print AdminTask.tklmBackupGetRestoreResult ()

tklmBackupGetResult Type tklmBackupGetResult to determine the success or failure of a completed backup task. For example, type:
print AdminTask.tklmBackupGetResult ()

tklmBackupIsRestoreRunning Type tklmBackupIsRestoreRunning to determine whether the restore task is currently running. For example, type:
print AdminTask.tklmBackupIsRestoreRunning ()

tklmBackupIsRunning Type tklmBackupIsRunning to determine whether the backup task is currently running. For example, type:
print AdminTask.tklmBackupIsRunning ()

tklmBackupList Type tklmBackupList to list the backup files in a given directory. For example, type: | |
print AdminTask.tklmBackupList ('[-backupDirectory C:\\tipbak1\\tklmbackup1 -v y]')

A completion message indicates success.

Administering

63

64

IBM Tivoli Key Lifecycle Manager: Administering

Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the users responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106-0032, Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Copyright IBM Corp. 2008, 2009

65

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 USA Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBMs future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml. Adobe, Acrobat, and Portable Document Format (PDF) are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

66

IBM Tivoli Key Lifecycle Manager: Administering

Intel is a trademark of Intel Corporation in the United States, other countries, or both. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Notices

67

68

IBM Tivoli Key Lifecycle Manager: Administering

Index Numerics
3592 tape drive drive.acceptUnknownDrives property 31 tklmConfigUpdateEntry command 31 tklmDeviceAdd command 31, 40 tklmDeviceDelete command 42 tklmDeviceList command 41 tklmDeviceUpdate command 41

C
cert.valiDATE administering 12 certificate 12 certificate cert.valiDATE property 12 default 12 rollover 37 ssl 13 tklmCertCreate command 13, 30, 35 tklmCertDelete command 38 tklmCertGenRequest command 13 tklmCertImport command 35 tklmCertUpdate command 37 tklmConfigGetEntry command 12 tklmConfigUpdateEntry command 12 useSKIDefaultLabels property 12 zOSCompatibility property 12 certificate request tklmCertGenRequest command 30, 35, 43, 48 tklmCertUpdate command 37, 50 command startServer 59 stopServer 59 commands tklmKeyStoreEntryMetaDataCreate 3 9

K
key tklmKeyDelete command 25 tklmKeyList command 25 key group rollover 22 stopRoundRobinKeyGrps property 22 tklmGroupCreate command 15, 20 tklmGroupDelete command 25 tklmGroupEntryAdd command 23 tklmGroupEntryDelete command 23 tklmGroupList command 15, 20 tklmSecretKeyCreate command 20 keystore add 1 tklmKeyStoreAdd command 1 types 1

A
administering 3592 tape drive 29 audit 9 backup and restore 55 certificate 12 DS8000 Turbo drive 43 keystore 1 LTO tape drive 15 port 10 ssl certificate 13 audit Audit.event.outcome property 9 Audit.event.types property 9 level 9 tklmConfigGetEntry command 9 tklmConfigUpdateEntry command

L
LTO tape drive drive.acceptUnknownDrives property 16 symmetricKeySet property 16 tklmConfigUpdateEntry command 16 tklmDeviceAdd command 16, 26 tklmDeviceDelete command 28 tklmDeviceList command 27 tklmDeviceUpdate command 27

D B
backup and restore backup file, deleting 62 jar file 57 replica computer 56 runtime requirements backup task 56 restore task 56 tklm.backup.dir property 56 tklm.db2.backup.dir property 56 tklmBackupGetProgress command 62 tklmBackupGetRestoreProgress command 62 tklmBackupGetRestoreResult command 62 tklmBackupGetResult command 62 tklmBackupIsRestoreRunning command 62 tklmBackupList command 62 tklmBackupRun command 57 tklmBackupRunRestore command 58 backup task database accessible 56 Tivoli Key Lifecycle Manager running 56 drive.acceptUnknownDrives 3592 tape drive 31 LTO tape drive 16 DS8000 Turbo drive ds8k.acceptUnknownDrives property 45 tklmConfigUpdateEntry command 45 tklmDeviceAdd command 45, 52 tklmDeviceDelete command 54 tklmDeviceList command 53 tklmDeviceUpdate command 53 ds8k.acceptUnknownDrives, DS8000 Turbo drive 45

P
port default 10 ssl 10 tcp 10 timeout 10 tklmConfigGetEntry command tklmConfigUpdateEntry command 10 TransportListener.ssl.port property 10 TransportListener.ssl.timeout property 10 TransportListener.tcp.port property 10 TransportListener.tcp.timeout property 10

10

I
image certificate tklmCertCreate command 43, 48 tklmCertDelete command 51 tklmCertImport command 48 tklmCertUpdate command 50

R
restore task database accessible 56 password requirement 56 to primary computer 56 rollover, certificate 37 rollover, key group 22

J
jar file, backup and restore 57

Copyright IBM Corp. 2008, 2009

69

S
startServer, command 59 stopRoundRobinKeyGrps, property 22 stopServer, command 59 storage image tklmDeviceAdd command 52 tklmDeviceDelete command 54 symmetric key tklmSecretKeyCreate command 15 symmetricKeySet LTO tape drive 16

T
tklm.backup.dir, backup and restore 56 tklm.db2.backup.dir, backup and restore 56 tklmBackupGetProgress, backup and restore 62 tklmBackupGetRestoreProgress, backup and restore 62 tklmBackupGetRestoreResult, backup and restore 62 tklmBackupGetResult, backup and restore 62 tklmBackupIsRestoreRunning, backup and restore 62 tklmBackupList, backup and restore 62 tklmBackupRun, backup and restore 57 tklmBackupRunRestore, backup and restore 58 tklmCertCreate certificate 13, 30, 35 image certificate 43, 48 tklmCertDelete certificate 38 image certificate 51 tklmCertGenRequest certificate 13 certificate request 30, 35, 43, 48 tklmCertImport certificate 35 image certificate 48 tklmCertUpdate certificate 37 certificate request 37, 50 image certificate 50 tklmConfigGetEntry audit 9 certificate 12 port 10 tklmConfigUpdateEntry 3592 tape drive 31 audit 9 certificate 12 DS8000 Turbo drive 45 LTO tape drive 16 port 10 tklmDeviceAdd 3592 tape drive 31, 40 DS8000 Turbo drive 45, 52 LTO tape drive 16, 26 storage image 52 tklmDeviceDelete 3592 tape drive 42 DS8000 Turbo drive 54

tklmDeviceDelete (continued) LTO tape drive 28 storage image 54 tklmDeviceList 3592 tape drive 41 DS8000 Turbo drive 53 LTO tape drive 27 tklmDeviceUpdate 3592 tape drive 41 DS8000 Turbo drive 53 LTO tape drive 27 tklmGroupCreate key group 15, 20 tklmGroupDelete key group 25 tklmGroupEntryAdd key group 23 tklmGroupEntryDelete key group 23 tklmGroupList key group 15, 20 tklmKeyDelete key 25 tklmKeyList key 25 tklmKeyStoreAdd, add keystore 1 tklmKeyStoreEntryMetaDataCreate, command 3 tklmSecretKeyCreate key group 20 symmetric key 15 TransportListener.ssl.port administering 10 TransportListener.ssl.timeout administering 10 TransportListener.tcp.port administering 10 TransportListener.tcp.timeout administering 10

U
useSKIDefaultLabels administering 12 certificate 12

Z
zOSCompatibility administering 12 certificate 12

70

IBM Tivoli Key Lifecycle Manager: Administering

Printed in USA

You might also like